<div dir="ltr"><div><div><div><div>Hi,<br></div>It seems really good to me.<br></div><br></div>I think you have made up the answer we need.<br><br><br></div>Thank you.<br><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">
2014-08-10 21:19 GMT+02:00 Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div><div><div><div>Hi,<br><br>I would prefer the creation of $(format-gelf) which would solve both the NUL issue and makes it easier for someone else to create GELF output.<br><br></div>Or alternatively, add an option to $(format-json) to add a suffix (and perhaps a prefix) in front of and after the resulting string. That would be useful for other purposes as well, and then $(format-gelf) could be implemented by my latest patches that enable the definition of template functions within the configuration file.<br>
<br>E.g. <br><br></div>template-function "format-gelf" "$(format-json --suffix "\x0" <format-json arguments to produce gelf>)"<br><br></div>destination d_graylog {<br></div> network("1.2.3.4" transport(tcp) template("$(format-gelf)"); };<br>
<div>};<br><br><br></div><div>What do you think?<br><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Aug 7, 2014 at 8:02 PM, Nicolas Fédou <span dir="ltr"><<a href="mailto:nicolas.fedou@gmail.com" target="_blank">nicolas.fedou@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Yes, I am pretty sure as I have tested it (I posted the answer) :<br><a href="http://serverfault.com/questions/591758/send-echo-message-to-graylog2-via-gelf-tcp-12201-port" target="_blank">http://serverfault.com/questions/591758/send-echo-message-to-graylog2-via-gelf-tcp-12201-port</a><br>
</div>After finding a clue in Graylog's issues : <br><a href="https://github.com/Graylog2/graylog2-server/issues/127#issuecomment-17563306" target="_blank">https://github.com/Graylog2/graylog2-server/issues/127#issuecomment-17563306</a><br>
<br><br></div>Now, a function like template-escape() that may be called "template-null-ending()" or any other may be easyer to deliver.<br>Gelf has mandatory fields, a compression option and seems to read only the last GELF message per tcp frames as :<br>
{ gelf 1 }\x0{ gelf 2 }\x0<br>Graylog shows only "gelf 2"<br>So, it forces the use of flush-lines(1).<br><br><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-08-07 18:20 GMT+02:00 Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>></span>:<div>
<div><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi,<br><br></div>Adding a NUL via the template is difficult as the template compiler works with zero terminated string, and even though the lexer allows the use of \x0, this will indicate the end-of-the-string like you have seen it.<br>
<br></div>Adding a zero byte would be possible by writing a template function $(format-gelf) and that probably could sit within the json module, reusing the infrastructure there.<br><br></div>On the other hand, I've checked the GELF specification, and I can't see the NUL byte being required.<br>
<br><a href="http://graylog2.org/gelf#specs" target="_blank">http://graylog2.org/gelf#specs</a><br><br><div class="gmail_extra">Are you sure this is the issue?<br><br></div><div class="gmail_extra">Bazsi<br><br></div><div class="gmail_extra">
<br><div class="gmail_quote"><div><div>On Thu, Aug 7, 2014 at 11:09 AM, Nicolas Fédou <span dir="ltr"><<a href="mailto:nicolas.fedou@gmail.com" target="_blank">nicolas.fedou@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>
<p dir="ltr">Hello,<br>
I need to send a null character at the end of a message on a tcp output...<br>
But this null is considered to be an end of string.</p>
<p dir="ltr">My use case is sending a GELF message to a graylog's tcp input.<br>
GELF message is a json syntax quite simple to comply with thanks to format-json.<br>
Graylog needs a null character at the end of a GELF message in TCP but not in UDP.</p>
<p dir="ltr">I tried many combination in the template with \x0, echo \x0, `global_definition_of_null`, etc...<br>
The matter is that null character when interpreted is an end of string, and is not written in the tcp message.<br>
I see truncated messages with ngrep.<br>
Like "a\x0b" gives "a" according to ngrep.</p>
<p dir="ltr">I did not find any option to actually write a null character.<br>
Do you have any options ?</p>
<p dir="ltr">As Graylog already have clients and librairies I belive they won't remove the need for a null character.<br>
Shall I open an issue on syslog-ng to ask for an option in templates or in format-json ?</p>
<p dir="ltr">Regards, Nicolas Fédou.</p>
<br></div></div>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><span><font color="#888888"><br><br clear="all"><br>-- <br>Bazsi
</font></span></div></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div></div></div><br></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Bazsi
</div>
</div></div><br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>