default-network-drivers() tries to guess the log format and parse accordingly. This error message might be caused by an invalid classification of the log format. I think it would be better to continue the investigation on GitHub's issues page (https://github.com/syslog-ng/syslog-ng/issues/new/choose). There are a couple of ways to move forward; the easiest would be if you could send us the output of syslog-ng -Fedtv, or at least a couple more lines before the error line. Or, if you can determine which incoming log message caused this error and which port it arrived on, we could try to replicate it ourselves.
ewmm() source can be used directly, until we find out what's wrong with your
syslog-ng() source, only a destination; and it is intentional, see the comment in the SCL snippet: https://github.com/syslog-ng/syslog-ng/blob/c999529f5215cfeb238ff24d771807c968197b62/scl/ewmm/ewmm.conf#L61-L78
Yeah, I think ewmm() as a source is not even documented, it's more of a building block for
ewmm-parser() and the $(format-ewmm) template function are the documented bits for custom EWMM-based source and destination-side processing:
For general use, default-network-drivers() and the syslog-ng() destination are a good combination.
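What the recommended combination looks like in practice, as an added configuration example that is not part of the thread or of the syslog-ng project's own files. It shows both ends: the forwarding node uses the syslog-ng() destination (EWMM format over TCP, port 514 by default), and the collecting node uses default-network-drivers(), which listens on the standard ports (514 UDP/TCP, 601 TCP, 6514 TLS) and detects RFC3164, RFC5424 and EWMM on its own. The server name, the file path and the version line are assumptions for the example.

```conf
# ---------------------------------------------------------------
# Forwarder side (the host that sends logs onward).
# Assumed file: /etc/syslog-ng/syslog-ng.conf on the forwarder.
# ---------------------------------------------------------------
@version: 4.2
@include "scl.conf"

source s_local {
    system();      # local system logs (journal / /dev/log, depending on platform)
    internal();    # syslog-ng's own messages
};

# syslog-ng() is an SCL destination: it wraps network() and formats every
# message with $(format-ewmm), so name-value pairs survive the hop.
# "collector.example.com" is an assumed hostname; port 514/TCP is the default.
destination d_collector {
    syslog-ng(server("collector.example.com") port(514));
};

log {
    source(s_local);
    destination(d_collector);
};

# ---------------------------------------------------------------
# Collector side (the host that receives the forwarded logs).
# Assumed file: /etc/syslog-ng/syslog-ng.conf on the collector.
# ---------------------------------------------------------------
# default-network-drivers() opens the standard syslog ports and guesses the
# format per message; EWMM sent by syslog-ng() is one of the formats it
# recognises, so the forwarder's name-value pairs are restored here.
source s_net {
    default-network-drivers();
};

# One file per sending host; "/var/log/remote" is an assumed path.
destination d_remote {
    file("/var/log/remote/${HOST}/messages.log" create-dirs(yes));
};

log {
    source(s_net);
    destination(d_remote);
};
```

Two things worth keeping in mind before copying this. First, the format guess happens per message, so a non-syslog client that connects to the same port is exactly the situation in which the misclassification error discussed earlier can show up; keeping the collector's ports reachable only from known forwarders narrows that down. Second, plain TCP on 514 is neither authenticated nor encrypted; for anything crossing an untrusted network, put a TLS key and certificate into the tls() option of default-network-drivers() (it then serves RFC5424 over TLS on 6514) and configure the forwarder's transport to match.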
LogMessage::keys() method of the Python binding. I will open an issue (or a pull request) soon.
@sai Is any other kind of log storing service available to you? Like Elasticsearch, MongoDB, Kafka, SQL, ...? syslog-ng can send logs to all of these, and they can handle multiple syslog-ng connections at the same time, so there won't be any resource allocation problems. Alternatively, as you said, you can write to different files on the NFS and merge them with a script. I have found an old mailing list thread about this exact situation, it might help you a bit: https://lists.balabit.com/pipermail/syslog-ng/2005-January/006954.html
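The "different files on the NFS" workaround from the reply above, as an added configuration example that is not part of the thread. Each syslog-ng instance names its output file after the machine it runs on (the LOGHOST macro) rather than after the message's origin, so no two instances ever append to the same NFS file and the usual NFS append/locking problems do not arise; a merge step (not shown) can then concatenate or sort the per-instance files. The mount path, the date layout and the version line are assumptions for the example.

```conf
@version: 4.2
@include "scl.conf"

source s_local {
    system();
    internal();
};

# ${LOGHOST} is the name of the host running this syslog-ng instance, so the
# directory is unique per instance even when several instances share the same
# NFS export ("/mnt/nfs/syslog" is an assumed mount point).
# Rotating by date keeps each file bounded and makes the later merge simple.
destination d_nfs_per_instance {
    file("/mnt/nfs/syslog/${LOGHOST}/${YEAR}${MONTH}${DAY}.log"
         create-dirs(yes)
         # ISODATE carries the timezone, so lines from different instances
         # can be ordered correctly when the per-instance files are merged.
         template("${ISODATE} ${HOST} ${PROGRAM}[${PID}]: ${MESSAGE}\n"));
};

log {
    source(s_local);
    destination(d_nfs_per_instance);
};
```

Note that this only avoids concurrent writers; it does not make the shared export trustworthy. Every instance still has write access to the whole mount, so an instance that is compromised can alter or delete the other instances' files. If the logs feed alerting (the Nagios case mentioned below), the collector that runs the merge should only have read access to the export, or each instance should be restricted to its own subdirectory on the NFS server side.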
Thanks for the reply!
For my use case, I don't need to send syslog-ng to any other destination; these logs are used for Nagios monitoring at this time.