<p class="shortdesc">通常情况下，使用FTP及Agent发送的日志，一条日志对应一行信息。但是一些特殊类型日志的发送方式不同，一条日志对应发送的多行信息。对于这种情况，可以配置多行日志规则将多行信息组合成一条日志，便于解析。</p> <section class="section prereq" id="Multi-lineLogRule__prereq_ulc_kwk_rsb"><div class="tasklabel"><h2 class="doc-tairway">前提条件</h2></div> <p class="p">您已创建安全日志审计实例。</p> </section> <section><div class="tasklabel"><h2 class="doc-tairway">操作步骤</h2></div><ol class="ol steps"><li class="li step stepexpand"> <span class="ph cmd">登录<a class="xref" href="https://www.ocftcloud.com/console/log-audit" target="_blank" rel="external noopener">安全日志审计SLA控制台</a>，进入<span class="keyword wintitle">实例列表</span>页面。</span> </li><li class="li step stepexpand"> <span class="ph cmd">单击目标实例<span class="ph uicontrol"> 操作</span>列的<span class="ph uicontrol">管理</span>，进入安全日志审计控制台。</span> <div class="itemgroup info"> <img class="image" id="Multi-lineLogRule__d80e53" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222803112057-1ecc508f988a.png" width="830"> </div> </li><li class="li step stepexpand"> <span class="ph cmd">在页面上边栏选择<span class="ph uicontrol">规则库</span>，在左侧菜单栏选择<span class="ph menucascade"><span class="ph uicontrol">规则库</span><abbr> > </abbr><span class="ph uicontrol">多行日志规则</span></span>，进入<span class="ph uicontrol">多行日志规则</span>页面。</span> <div class="itemgroup info"> <div class="p"> <img class="image" id="Multi-lineLogRule__image_aym_s3t_4sb" width="600" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222803112056-1e71d38e92bf.png"> </div> </div> </li><li class="li step stepexpand"> <span class="ph cmd">单击<span class="ph uicontrol">新增</span>，根据以下信息新增多行日志规则，单击<span class="ph uicontrol">确定</span>。</span> <div class="itemgroup info"> <div class="p"> <img class="image" id="Multi-lineLogRule__image_eg3_t3t_4sb" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222803112056-1aeba7359a58.png" width="300"> </div> <table class="table" id="Multi-lineLogRule__table_tld_wx2_4sb"><caption></caption><colgroup><col><col></colgroup><thead class="thead"> <tr class="row"> <th class="entry colsep-1 rowsep-1" id="Multi-lineLogRule__table_tld_wx2_4sb__entry__1"> <p class="p"> 配置项 </p> </th> <th class="entry colsep-1 rowsep-1" id="Multi-lineLogRule__table_tld_wx2_4sb__entry__2"> <p class="p"> 说明 </p> </th> </tr> </thead><tbody class="tbody"> <tr class="row"> <td class="entry colsep-1 rowsep-1" headers="Multi-lineLogRule__table_tld_wx2_4sb__entry__1 "> <p class="p"> 类型 </p> </td> <td class="entry colsep-1 rowsep-1" headers="Multi-lineLogRule__table_tld_wx2_4sb__entry__2 "> <p class="p"> 产生日志的设备类型。 </p> </td> </tr> <tr class="row"> <td class="entry colsep-1 rowsep-1" headers="Multi-lineLogRule__table_tld_wx2_4sb__entry__1 "> <p class="p"> 名称 </p> </td> <td class="entry colsep-1 rowsep-1" headers="Multi-lineLogRule__table_tld_wx2_4sb__entry__2 "> <p class="p"> 多行日志规则名称。 </p> </td> </tr> <tr class="row"> <td class="entry colsep-1 rowsep-1" headers="Multi-lineLogRule__table_tld_wx2_4sb__entry__1 "> <p class="p"> 开始表达式 </p> </td> <td class="entry colsep-1 rowsep-1" headers="Multi-lineLogRule__table_tld_wx2_4sb__entry__2 "> <p class="p"> 待处理日志开始表达式，从开始表达式至结束开始表达式之间的内容为一条日志。 </p> </td> </tr> <tr class="row"> <td class="entry colsep-1 rowsep-1" headers="Multi-lineLogRule__table_tld_wx2_4sb__entry__1 "> <p class="p"> 结束表达式 </p> </td> <td class="entry colsep-1 rowsep-1" headers="Multi-lineLogRule__table_tld_wx2_4sb__entry__2 "> <p class="p"> 待处理日志结束表达式，从开始表达式至结束开始表达式之间的内容为一条日志。 </p> </td> </tr> <tr class="row"> <td class="entry colsep-1 rowsep-1" headers="Multi-lineLogRule__table_tld_wx2_4sb__entry__1 "> <p class="p"> 排除表达式 </p> </td> <td class="entry colsep-1 rowsep-1" headers="Multi-lineLogRule__table_tld_wx2_4sb__entry__2 "> <p class="p"> 待处理日志排除表达式，匹配排除表达式的内容不作为日志内容。 </p> </td> </tr> </tbody></table> </div> </li></ol></section>