[syslog-ng]Linefeed in incoming messages
Michael.Garvin@carolinabroadband.com
Wed, 18 Apr 2001 17:27:49 -0400
> On 0, Balazs Scheidler <bazsi@balabit.hu> inscribed onto the electric medium...
> > My question is, is there somewhere in the syslog-ng code where I can
> > easily parse the incoming syslog message and replace linefeeds with
> > something benign, such as spaces or tabs? Or is there another solution
> > that would be better? In the meantime we're opening a bug with the
> > vendor since I consider this their issue, but knowing vendors I'm not
> > confident in their addressing the problem quickly.
>
> Vendor == cisco, perhaps?
Not to name names, but... Yes. :-) One of their acquisitions to be
precise.
> > linefeeds take an important role in syslog messages, they terminate them. So
>
> I disagree.
>
> I just had to track this one down myself; the cisco vpn concentrator
> is logging stuff with embedded newlines. The RH linux box was logging
> the whole messages, but the Irix box wasn't. Hence clearly the
> linefeed doesn't have any true bearing on the length of the syslog
> message; it should be determined by the length of the incoming
> message. Any imbedded newlines should be ignored; translated to
> spaces (as the linux syslog does) or ^M (as the [patched] irix syslog
> does.)
Deja vu... This is exactly what we were running into. There's now an
open TAC case with Cisco on it, since I call it a bug on their part. I'd
tend to agree with Balazs on this point, to which end I added code to
remove all but the final linefeed before processing. In 'src/sources.c'
(I've included the existing line before and after for reference):
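    closure->pos += n;                      /* existing line */
    /* replace every linefeed in the bytes received so far with a space */
    start = closure->buffer;
    eol = closure->buffer + closure->pos;
    while (start++ < eol)
        if (start[-1] == '\n')
            start[-1] = ' ';
    eol = memchr(closure->buffer, '\0', closure->pos);  /* existing line */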
It's not pretty, but so far it's gotten the job done.
> "Be gracious in what you accept, and conservative in what you send."
> (paraphrased sendmail quotation.)
>
> There's no RFC on syslog messages, is there? The Irix syslogd traces
> its route all the way back to BSD 4.2, and the check that terminated
> parsing when it hit a newline had been in there from the beginning.
No, but there is a task force working on one if I recall. Better late
than never?
Thanks for the assistance, I think this is taken care of.
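
Added example, not part of the original message and not syslog-ng code: a stand-alone C helper that treats the received length as the message boundary and replaces embedded linefeeds with spaces while keeping one trailing linefeed as the terminator. The function name and the sample message are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (assumption, not from src/sources.c).
 * buf/len describe one received message; len is the byte count
 * returned by the read, so the message boundary comes from the
 * length, not from the first '\n' found in the data.
 * A single trailing '\n', optionally followed by a NUL, is kept
 * as the terminator. Returns the number of bytes replaced. */
size_t sanitize_linefeeds(char *buf, size_t len)
{
    size_t end = len;
    size_t replaced = 0;
    size_t i;

    /* Step back over a trailing NUL, then over one trailing linefeed. */
    if (end > 0 && buf[end - 1] == '\0')
        end--;
    if (end > 0 && buf[end - 1] == '\n')
        end--;

    /* Everything before that point is message body: neutralise linefeeds. */
    for (i = 0; i < end; i++) {
        if (buf[i] == '\n') {
            buf[i] = ' ';
            replaced++;
        }
    }
    return replaced;
}

int main(void)
{
    /* Constructed sample: one message carrying embedded linefeeds. */
    char msg[] = "<134>vpn: login ok\nuser=alice\nsrc=192.0.2.10\n";
    size_t n = sanitize_linefeeds(msg, strlen(msg));

    printf("replaced %lu linefeed(s): %s", (unsigned long)n, msg);
    return 0;
}
```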