If there is no exact match for the start and stop of the multiline message, you have to create your own approach:
- either use some script to consolidate the input from the log into one-line output and configure the LOG KM to use the script's output instead of the log scan
- or write your own log scan KM
Another question is whether all these lines are required for event creation; maybe the information you need for the notification is only in a single line.
Still in Sheffers?
I've gone down the same road as you for this. First of all, you can configure the LOG KM to send you more than one line once it's found the string you're searching for. I search for the strings "scsi:" and "Warning". I'm using version 2.6 (from memory).
This will send the no. of lines into the IM as one event. Cool.
I actually have an IM rule that correlates these noisy scsi alerts into one event. What I've done is to use the STD:11 event to say I've found an error and then take all the resulting LOG:General events and populate the STD:11 (LOGErrorLvl) event with all the actual lines (%1-) that caused the error. (Using new rules and a timing trigger.)
This results in just one event (and one INC) that's populated with all the lines the UNIX SA needs to resolve the issue.
Defo have a poke around the LOG KM. This allows you to send more than one line.
Hope that makes sense.
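
The consolidation script suggested in the first reply could look like the sketch below. It is an added example, not code from either poster or from the LOG KM. It reuses the "scsi:" and "Warning" search strings mentioned above; the window size, separator, function names and sample lines are assumptions.

```python
import re

# Strings the second post searches for; matching is case-sensitive.
TRIGGER = re.compile(r"scsi:|Warning")
CONTEXT_LINES = 2   # assumption: lines to keep after each match
SEPARATOR = " | "   # assumption: joins the original lines in one record

def sanitize(line):
    """Replace control and non-ASCII characters so a log line cannot smuggle
    terminal escapes or extra line breaks into the consolidated record."""
    return re.sub(r"[^\x20-\x7e]", "?", line)

def consolidate(lines, trigger=TRIGGER, context=CONTEXT_LINES):
    """Return one single-line record per burst: the matching line plus the
    next `context` lines. A new match inside an open burst restarts the
    countdown instead of opening a second record."""
    records, current, remaining = [], [], 0
    for raw in lines:
        line = sanitize(raw.rstrip("\r\n"))
        if trigger.search(line):
            current.append(line)
            remaining = context
        elif current and remaining > 0:
            current.append(line)
            remaining -= 1
        if current and remaining == 0:
            records.append(SEPARATOR.join(current))
            current = []
    if current:  # log ended while a burst was still open
        records.append(SEPARATOR.join(current))
    return records

# Constructed sample input, not taken from a real system.
SAMPLE_LOG = [
    "Jan 10 03:12:01 hostA kernel: scsi: Warning: disk sd0 error",
    "Jan 10 03:12:01 hostA kernel:   Error for command 'read'",
    "Jan 10 03:12:01 hostA kernel:   Sense Key: Media Error",
    "Jan 10 03:12:05 hostA sshd: session opened",
    "Jan 10 03:13:00 hostA kernel: scsi: transport failed",
    "Jan 10 03:13:00 hostA kernel:   retrying\x1b[2J",
    "Jan 10 03:13:01 hostA kernel: Warning: disk not responding",
    "Jan 10 03:13:01 hostA kernel:   giving up",
]

if __name__ == "__main__":
    for record in consolidate(SAMPLE_LOG):
        print(record)
```

Each printed line is one complete burst, so a single-line log scan pointed at the script's output raises one event per burst.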