best way to handle multi-line kernel messages

[david]

a query was made on the rsyslog mailing list about the possibility of 
rsyslog handling kernel messages better. Currently each line of logs is a 
separate log entry (and as log entries traverse networks there are thigns 
taht can cause them to get re-ordered). It would be nice to be able to 
combine multi-line logs into one log entry.

The problem is figuring out how to tell when one log entry finishes and 
the next starts.

> From examining logs it looks like follow-up lines are frequently (but not 
always) indented with some form of whitespace (this indentation taking 
place after the timestamp if that's enabled)

but this is not consistantly the case.

I suspect that there is not currently any good way for something to really 
tell when one log entry has finished and another is starting, but I wanted 
to ask here if there is anything that I should be able to rely on (with 
the thought that fixing log messages that don't work that way coudl be 
somethign for -janitors or newbes to work on)

or is this a completely hopeless task that people receiving logs should 
not even try to do?

David Lang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/