OSE 3.12 Network Multi-Line Issue #1751

Closed
matador555 opened this issue Nov 8, 2017 · 2 comments

Comments

@matador555

Hi All,
I'm having an issue with multi-line-* running on a network source. When running multi-line-* on a file as source this works fine but not through the network as a source.

Any help would be greatly appreciated, as the specific device I am having issues with doesn't seem to be fixed with no-multi-line as a flag, and I would need the ability to use a regex on the network stack.

Example of a non-working network source:
source hosts {
    network(port(1999)
            transport("tcp")
            multi-line-mode("regexp")
            multi-line-prefix("[0-9]{4}.[0-9]{2}.[0-9]{2}.")
            flags(no-parse,no-multi-line,validate-utf8));
};
destination logs {
    file("/opt/data/syslogs/michael_test/${HOST}.log"
         create_dirs(yes) dir_owner("elkuser") dir_group("users") dir_perm(0700)
         owner("elkuser") group("users") perm(0600)
         #template("${RCPTID}--$FACILITY--$PRIORITY--$FULLHOST--$PROGRAM--$ISODATE--${MSGHDR}${MESSAGE}\n")
         template("${ISODATE} ${HOST} $(indent-multi-line ${MESSAGE})\n")
    );
};

Example of a WORKING file source with multi-line-*:
source s_multiline {
    file("/path/to/file" multi-line-mode(regexp)
         multi-line-prefix("^prefix")
         multi-line-garbage(" garbage$"));
};

Version of syslog-ng

syslog-ng 3 (3.12.1)
Installer-Version: 3.12.1
Revision:
Compile-Date: Nov 3 2017 12:59:16
Module-Directory: /usr/local/lib/syslog-ng
Module-Path: /usr/local/lib/syslog-ng
Available-Modules: syslogformat,afsocket,affile,afprog,afuser,afamqp,afmongodb,csvparser,confgen,system-source,linux-kmsg-format,basicfuncs,cryptofuncs,dbparser,json-plugin,afstomp,pseudofile,graphite,sdjournal,kvformat,date,cef,disk-buffer,add-contextual-data,tfgetent,map-value-pairs,stardate,snmptrapd-parser,tags-parser,xml
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-Linux-Caps: off
Enable-Systemd: off

Platform

Red Hat Enterprise Linux Server release 7.3 (Maipo)

Debug bundle

Create a debug bundle on your system with the syslog-ng-debun script which is included in the syslog-ng package.

Overview of the CLI options of syslog-ng-debun:
-r: run actual information gathering
-d: run syslog-ng in debug mode
-p: perform packet capture
-s: do strace
-t: timeout period for running debug/pcap/strace
-w: wait period before starting debug mode
-l: light information gathering (respects privacy)
-R: alternate installation directory for syslog-ng

$ syslog-ng-debun -r

Issue

With any multi-line-* option on a network source, e.g. multi-line-mode or multi-line-prefix, it will not work.

Failure

Steps to reproduce

[2017-11-08T18:07:43.291160] WARNING: Configuration file format is too old, syslog-ng is running in compatibility mode Please update it to use the syslog-ng 3.12 format at your time of convenience, compatibility mode can operate less efficiently in some cases. To upgrade the configuration, please review the warnings about incompatible changes printed by syslog-ng, and once completed change the @Version header at the top of the configuration file.;
Error parsing afsocket, syntax error, unexpected LL_IDENTIFIER, expecting KW_NORMALIZE_HOSTNAMES or KW_USE_DNS or KW_USE_FQDN or KW_DNS_CACHE in /etc/syslog-ng/syslog-ng.conf at line 33, column 11:

      multi-line-mode("regexp")
      ^^^^^^^^^^^^^^^

syslog-ng documentation: https://www.balabit.com/support/documentation?product=syslog-ng-ose
mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng

Configuration

This is pretty much a default config to display the issue at hand.

@version: 3.11
@include "scl.conf"

# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.

# First, set some global options.
options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
      owner("root"); group("adm"); perm(0640); stats_freq(0);
          bad_hostname("^gconfd$");
};

########################
# Sources
########################
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
source s_src {
           system();
           internal();
};
###################################################################
#
source random_hosts {
    network(port(1999)
            transport("tcp")
#           multi-line-mode("regexp")
#           multi-line-prefix("[0-9]{4}\.[0-9]{2}\.[0-9]{2}\.")
            flags(no-parse,no-multi-line,validate-utf8));
};
destination random_logs {
    file("/opt/data/syslogs/random_test/${HOST}.log"
         create_dirs(yes) dir_owner("random") dir_group("users") dir_perm(0700)
         owner("elkuser") group("users") perm(0600)
         #template("${RCPTID}--$FACILITY--$PRIORITY--$FULLHOST--$PROGRAM--$ISODATE--${MSGHDR}${MESSAGE}\n")
         template("${ISODATE} ${HOST} $(indent-multi-line ${MESSAGE})\n")
    );
};

source s_file{file("/var/log/messages" follow-freq(0) multi-line-mode(regexp) multi-line-prefix("[0-9]{4}\.[0-9]{2}\.[0-9]{2}\.") flags(no-parse));};


#source s_multiline {
# file("/path/to/file" multi-line-mode(regexp)
#                      multi-line-prefix("^prefix")
#                      multi-line-garbage(" garbage$"));
#};

# If you wish to get logs from remote machine you should uncomment
# this and comment the above source line.
#
#source s_net { tcp(ip(192.168.1.132) port(555)); };

########################
# Destinations
########################
# First some standard logfile
#
destination d_auth { file("/var/log/auth.log"); };
destination d_cron { file("/var/log/cron.log"); };
destination d_daemon { file("/var/log/daemon.log"); };
destination d_kern { file("/var/log/kern.log"); };
destination d_lpr { file("/var/log/lpr.log"); };
destination d_mail { file("/var/log/mail.log"); };
destination d_syslog { file("/var/log/syslog"); };
destination d_user { file("/var/log/user.log"); };
destination d_uucp { file("/var/log/uucp.log"); };

# This files are the log come from the mail subsystem.
#
destination d_mailinfo { file("/var/log/mail.info"); };
destination d_mailwarn { file("/var/log/mail.warn"); };
destination d_mailerr { file("/var/log/mail.err"); };

# Logging for INN news system
#
destination d_newscrit { file("/var/log/news/news.crit"); };
destination d_newserr { file("/var/log/news/news.err"); };
destination d_newsnotice { file("/var/log/news/news.notice"); };

# Some 'catch-all' logfiles.
#
destination d_debug { file("/var/log/debug"); };
destination d_error { file("/var/log/error"); };
destination d_messages { file("/var/log/messages"); };

# The root's console.
#
destination d_console { usertty("root"); };

# Virtual console.
#
#destination d_console_all { file(`tty10`); };

# The named pipe /dev/xconsole is for the nsole' utility.  To use it,
# you must invoke nsole' with the -file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
destination d_xconsole { pipe("/dev/xconsole"); };

# Send the messages to an other host
#
#destination d_net { tcp("127.0.0.1" port(1000) log_fifo_size(1000)); };

# Debian only
destination d_ppp { file("/var/log/ppp.log"); };

########################
# Filters
########################
# Here's come the filter options. With this rules, we can set which
# message go where.

filter f_dbg { level(debug); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_err { level(err); };
filter f_crit { level(crit .. emerg); };

filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
filter f_error { level(err .. emerg) ; };
filter f_messages { level(info,notice,warn) and
                    not facility(auth,authpriv,cron,daemon,mail,news); };

filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
filter f_cron { facility(cron) and not filter(f_debug); };
filter f_daemon { facility(daemon) and not filter(f_debug); };
filter f_kern { facility(kern) and not filter(f_debug); };
filter f_lpr { facility(lpr) and not filter(f_debug); };
filter f_local { facility(local0, local1, local3, local4, local5,
                          local6, local7) and not filter(f_debug); };
filter f_mail { facility(mail) and not filter(f_debug); };
filter f_news { facility(news) and not filter(f_debug); };
filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
filter f_user { facility(user) and not filter(f_debug); };
filter f_uucp { facility(uucp) and not filter(f_debug); };

filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };

filter f_ppp { facility(local2) and not filter(f_debug); };
filter f_console { level(warn .. emerg); };

########################
# Log paths
########################
log { source(s_src); filter(f_auth); destination(d_auth); };
log { source(s_src); filter(f_cron); destination(d_cron); };
log { source(s_src); filter(f_daemon); destination(d_daemon); };
log { source(s_src); filter(f_kern); destination(d_kern); };
log { source(s_src); filter(f_lpr); destination(d_lpr); };
log { source(s_src); filter(f_syslog3); destination(d_syslog); };
log { source(s_src); filter(f_user); destination(d_user); };
log { source(s_src); filter(f_uucp); destination(d_uucp); };

log { source(s_src); filter(f_mail); destination(d_mail); };
#log { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); };
#log { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
#log { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); };

log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); };
log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); };
log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); };
#log { source(s_src); filter(f_cnews); destination(d_console_all); };
#log { source(s_src); filter(f_cother); destination(d_console_all); };

#log { source(s_src); filter(f_ppp); destination(d_ppp); };

log { source(s_src); filter(f_debug); destination(d_debug); };
log { source(s_src); filter(f_error); destination(d_error); };
log { source(s_src); filter(f_messages); destination(d_messages); };
log{source(random_hosts);destination(random_logs);};
#log { source(s_src); filter(f_console); destination(d_console_all);
#                    destination(d_xconsole); };
#log { source(s_src); filter(f_crit); destination(d_console); };

# All messages send to a remote site
#
#log { source(s_src); destination(d_net); };

###
# Include all config files in /etc/syslog-ng/conf.d/
###
@include "/etc/syslog-ng/conf.d/*.conf"


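To make concrete what the requested multi-line-prefix handling would do to the lines arriving on the TCP source, here is an added Python model (not syslog-ng's own code and not part of this issue) of multi-line-mode(regexp) with the prefix from the configuration above, plus the tab-indentation that $(indent-multi-line) applies in the file template; the sample lines and the regexp-matching semantics are assumptions for illustration.

```python
import re
from typing import Iterable, List

# Prefix from the issue's configuration (escaped form): a line that starts with
# a "YYYY.MM.DD." timestamp begins a new message.
MULTI_LINE_PREFIX = re.compile(r"[0-9]{4}\.[0-9]{2}\.[0-9]{2}\.")

# The unescaped variant also used in the issue. The bare dots match any
# character, so it would also accept "2017-11-08 ..." dates (shown in the test).
LOOSE_PREFIX = re.compile(r"[0-9]{4}.[0-9]{2}.[0-9]{2}.")

# Constructed sample input: one physical line per record as a device might
# send them over TCP, with a stack trace spanning several lines.
SAMPLE_LINES = [
    "2017.11.08. 18:07:43 app started",
    "2017.11.08. 18:07:44 ERROR request failed",
    "    at handler.process(Handler.java:42)",
    "    at server.dispatch(Server.java:17)",
    "2017.11.08. 18:07:45 app stopped",
]


def assemble_multi_line(lines: Iterable[str],
                        prefix: re.Pattern = MULTI_LINE_PREFIX) -> List[str]:
    """Model of multi-line-mode(regexp) + multi-line-prefix(...).

    A line matching the prefix (anchored at line start, an assumption about
    syslog-ng's matching) flushes the pending message and starts a new one;
    any other line is appended to the message being built. Without this,
    flags(no-multi-line) yields one event per physical line, which splits
    the stack trace across five separate events.
    """
    messages: List[str] = []
    current: List[str] = []
    for line in lines:
        if current and prefix.match(line):
            messages.append("\n".join(current))
            current = []
        current.append(line)
    if current:  # flush the last message at end of stream
        messages.append("\n".join(current))
    return messages


def indent_multi_line(message: str) -> str:
    """Model of $(indent-multi-line): tab-indent every line after the first,
    so a multi-line record remains distinguishable in a line-oriented file."""
    first, *rest = message.split("\n")
    return "\n".join([first] + ["\t" + line for line in rest])
```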

@Kokan
Collaborator

Kokan commented Nov 9, 2017

Hello,

Please check the following issues for more information: #1744 and #1747

@Kokan
Collaborator

Kokan commented Nov 9, 2017

Please track those issues, and share additional information in those.

@Kokan Kokan closed this as completed Nov 9, 2017