syslog-ng multi-line notes

multiline-notes.txt

1) transports to read multi-lines

- locally
  - unix-dgram() does it, the syslog() API in glibc is transparent to NL
    characters, so it'll be received properly
  - named pipe (multi-line support same as files, the transport does not support it without that)
  - from files 
    - regexp based: multi-line-mode(prefix-garbage) and multi-line-prefix/garbage options
    - indentation based: multi-line-mode(indented)

- network
  - udp() does it, the entire message needs to be one datagram
    - client:
  - tcp() does not support it
  - syslog(transport(tcp)) or transport(tls) does it with octet counting and
    accepts old style messages
    - client: 
      - syslog-ng: network(transport(framed)) for old style messages
      - syslog-ng: syslog(transport(tcp)) or transport(tls) works, but emits
        new style messages
  - network(transport(framed))

- sanitization on input
  - flags(no-multi-line)

2) processing in syslog-ng

- works

3) output side

- network
  - udp() works
  - tcp() does not work
  - syslog(transport(tcp)) will use octet counting and works (RFC5424)
  - network(transport(framed)) will use octet counting and works (RFC3164)

- locally
  - unix-dgram() works, unix-stream() does not
  - named-pipe can output, the other side needs to be smart as there's no
    framing
  - files
    - can output, but to ensure it can be read back, template might be
      needed
    - by default NL characters are embedded
    - indented format $(indent-multi-line)

- sanitization on output
  - flags(no-multi-line) works and is applied on the formatted output record
    (RFC5424 included)