[syslog-ng] stupid question: syslogging plaintext non-syslog-format messages unchanged (netconsole)

Balazs Scheidler bazsi at balabit.hu
Thu Nov 12 17:41:03 CET 2009


On Wed, 2009-11-11 at 21:23 +0000, Nix wrote:
> [Sorry about the delay, reading lists intermittently right now owing to
>  far too much travel]
> 
> On 3 Nov 2009, Balazs Scheidler spake thusly:
> > On Tue, 2009-10-20 at 21:30 +0100, Nix wrote:
> >> So, what am I missing? It's probably incredibly obvious, but I've blown
> >> several hours hacking at configs and digging through the syslog-ng
> >> source and have seen nothing to indicate what's going on...
> >
> > Hmm, I guess that the kernel outputs those characters as individual UDP
> > frames, right? At least syslog-ng probably receives them as individual
> > packets, perhaps because a single line of kernel message is generated by
> > separate printk() invocations in the kernel source. /proc/kmsg is not
> > packet terminated.
> 
> You're probably right, but most of the time when this happens the
> kernel is oopsing, so it's sort of hard to get a packet dump :)
> 
> However, certainly in this case those linefeed-terminated things are
> separate printk()s, and, hm, looking at the netconsole source every
> printk() yields an immediate UDP packet, without buffering. (This makes
> sense given the last-ditch nature of netconsole: even doing this, it
> sometimes lops chunks off the ends of panics.)
> 
> > However I've personally used syslog-ng for netconsole, and I can't
> > remember having this issue.
> >
> > Can you confirm that this is the case?
> 
> Looks like it. End-of-packet should not imply linefeed in this case (I
> suspect real linefeeds get sent across the line, and we should never add
> linefeeds merely because a packet has ended. At least not for this
> application.)

Yeah, but the problem is that syslog-ng is assuming it is receiving a
syslog protocol, where packet ending implies end of message even if
there's no newline character.

I've been bitten with this before, although ancient syslog-ng versions
didn't behave like they do now, and it'd be possible to modify the
current logic to not use packet based termination, but to use the same
logic as when using TCP.

If you want to do that, you could change afsocket_sc_init(), not to pass
an LPPF_PKTTERM flag to the protocol implementation in this block:

      /* plain protocol */
      proto = log_proto_plain_new_server(transport, self->owner->reader_options.padding,
                   self->owner->reader_options.msg_size,
                   (self->owner->flags & AFSOCKET_DGRAM) ? (LPPF_PKTTERM + LPPF_IGNORE_EOF) : 0);


-- 
Bazsi
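
The framing difference discussed in this thread, as an added example that is not part of the original message and is not syslog-ng code: a minimal C framer fed one constructed kernel line split across three datagrams, once with end-of-packet termination and once with newline-only termination. The names `framer`, `framer_feed` and `run_sample` and the size limits are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256  /* assumed message size limit */
#define OUT_MAX 8    /* assumed cap on collected messages */

/* Hypothetical framer for illustration; not syslog-ng's LogProto code. */
struct framer {
    int pkt_term;                /* 1: end of datagram also ends the message */
    char buf[MSG_MAX];           /* partial message carried across datagrams */
    size_t len;
    char out[OUT_MAX][MSG_MAX];  /* completed messages */
    int n_out;
};

static void emit(struct framer *f) {
    if (f->len > 0 && f->n_out < OUT_MAX) {
        memcpy(f->out[f->n_out], f->buf, f->len);
        f->out[f->n_out++][f->len] = '\0';
    }
    f->len = 0;
}

/* Feed one datagram payload; a newline always terminates a message. */
void framer_feed(struct framer *f, const char *pkt, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (pkt[i] == '\n') { emit(f); continue; }
        if (f->len == MSG_MAX - 1) emit(f);  /* overlong line: flush, never overflow */
        f->buf[f->len++] = pkt[i];
    }
    if (f->pkt_term) emit(f);    /* datagram boundary treated as end of message */
}

/* Constructed sample: one kernel line arriving as three printk() datagrams. */
int run_sample(int pkt_term, struct framer *f) {
    static const char *pkts[] = { "BUG: unable to handle ", "kernel NULL pointer", " dereference\n" };
    memset(f, 0, sizeof *f);
    f->pkt_term = pkt_term;
    for (size_t i = 0; i < 3; i++)
        framer_feed(f, pkts[i], strlen(pkts[i]));
    return f->n_out;
}

int main(void) {
    struct framer f;
    printf("packet-terminated: %d message(s)\n", run_sample(1, &f));
    printf("newline-terminated: %d message(s)\n", run_sample(0, &f));
    return 0;
}
```

With packet termination the single line is logged as three fragments; with newline-only termination it is reassembled into one message, at the cost of holding a partial line until its newline arrives.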


