I'm testing Untangle's remote syslog ability, and there may (or may not, I'm no expert on SysLogs) be an issue when a message is too long to fit into one syslog entry.
Here's an example of one such message from the remotely captured log:
If you scroll to the right you'll see that the first part of the message ends in "..." to indicate that it continues in the next message. The next message, however, seems to be missing its SysLogTag ("node-15" in the first part) and instead goes straight into the message continuation.
I don't know for sure if this is normal behaviour (so I hesitate to file an actual bug report), but it does seem to mess up logging to a MySQL database, because I end up with "'..."uvm[0]:'" in the SysLogTag column, and then have to include this column if I want to reconstruct the complete JSON object for examination.
David
Here's an example of one such message from the remotely captured log:
Code:
Feb 3 11:40:26 localhost node-15: [SyslogManagerImpl] <TCP91171892887683> INFO uvm[0]: {"timeStamp":"2014-02-03 11:40:26.683","vendorName":"Clam","receiver":"david.xxxxx@xxx.com","tag":"uvm[0]: ","subject":"spam test","score":0,"class":"class com.untangle.node.spam.SpamLogEvent","serverAddr":"/xxx.xxx.xxx.xxx","clientAddr":"/xxx.xxx.xxx.xxx","sender":"david.xxxxx@xxx.com","clientPort":54973,"serverPort":25,"action":"PASS","spam":false,"messageId":91171892887579,"messageInfo":{"sender":"david.xxxxx@xxx.com","timeStamp":"2014-02-03 11:40:26.676","sessionId":91171892887683,"tag":...
Feb 3 11:40:26 localhost ..."uvm[0]: ","subject":"spam test","class":"class com.untangle.node.smtp.MessageInfo","messageId":91171892887579,"sessionEvent":{"protocol":6,"timeStamp":"2014-02-03 11:40:26.618","SClientAddr":"/xxx.xxx.xxx.xxx","tag":"uvm[0]: ","CServerAddr":"/xxx.xxx.xxx.xxx","protocolName":"TCP","CClientAddr":"/xxx.xxx.xxx.xxx","class":"class com.untangle.uvm.node.SessionEvent","hostname":"xxx.xxx.xxx.xxx","SClientPort":54973,"serverIntf":2,"CServerPort":25,"clientIntf":1,"policyId":1,"sessionId":91171892887683,"SServerPort":25,"CClientPort":54973,"SServerAddr":"/xxx.xxx.xxx"},"serverType":"S"}}I don't know for sure if this is normal behaviour (so I hesitate to file an actual bug report), but it does seem to mess up logging to a MySQL database, because I end up with "'..."uvm[0]:'" in the SysLogTag column, and then have to include this column if I want to reconstruct the complete JSON object for examination.
David