The default syslog-ng configuration contains the following source definition:

    unix-stream("/dev/log" max-connections(256));

I'm not sure about this, but probably unix-stream should be replaced with unix-dgram, because syslog-ng's default behavior differs from sysklogd and metalog when logging messages containing newlines.

More info:
https://lists.balabit.hu/pipermail/syslog-ng/2009-September/013330.html
http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch03s03.html#configuring_sources_unixstream

A test script which produces a multiline message can be found here:
http://bugs.python.org/msg90510

Reproducible: Always
"The unix-stream() driver is primarily used on Linux and uses SOCK_STREAM semantics (connection oriented, no messages are lost); while unix-dgram() is used on BSDs and uses SOCK_DGRAM semantics: this may result in lost local messages if the system is overloaded."

If you need to use unix-dgram for your setup, you should modify your config to do that. The default though is to not lose messages. Thanks.
This is an additional comment from the syslog-ng author:
https://lists.balabit.hu/pipermail/syslog-ng/2009-September/013341.html

> syslogd on Linux originally used SOCK_STREAM sockets, but some distributions switched to SOCK_DGRAM around 1999 to fix a possible DoS problem

> unix-dgram uses less resources and as you state can handle multiple lines per message

> All syslog daemons where this option is non-configurable use unix-dgram(), thus I guess it is not worse to use the same in syslog-ng.
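
The framing difference discussed in this thread, as an added example that is not part of the original report and is not syslog-ng code: the same multi-line message is sent over a SOCK_DGRAM and a SOCK_STREAM Unix socket pair. The sample message, the function names and the stream framing rule (a record ends at a newline or NUL) are assumptions made for illustration, a simplified model of a stream reader.

```python
import socket

# Constructed sample: one syslog record whose text contains newlines.
MESSAGE = b"<14>app: line one\nline two\nline three"


def frame_stream(data):
    """Simplified stream framing (assumption): a record ends at newline or NUL."""
    return [rec for rec in data.replace(b"\0", b"\n").split(b"\n") if rec]


def via_dgram(msg):
    """SOCK_DGRAM keeps message boundaries: one send() is one recv()."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        tx.send(msg)
        return [rx.recv(65536)]
    finally:
        tx.close()
        rx.close()


def via_stream(msg):
    """SOCK_STREAM is a byte stream: the reader must frame records itself."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        tx.sendall(msg + b"\0")        # sender terminates the record (assumed)
        tx.shutdown(socket.SHUT_WR)    # signal end of data to the reader
        buf = b""
        while chunk := rx.recv(4096):
            buf += chunk
        return frame_stream(buf)
    finally:
        tx.close()
        rx.close()


if __name__ == "__main__":
    print("dgram records: ", via_dgram(MESSAGE))
    print("stream records:", via_stream(MESSAGE))
```

Only the first stream record keeps the `<14>` priority prefix, so the continuation lines arrive as separate records without the original message's priority.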