<div dir="auto">You could use tcp(flags(syslog-protocol)) to send rfc5424 without framing.</div><div class="gmail_extra"><br><div class="gmail_quote">On Feb 3, 2018 06:16, "Declan White" <<a href="mailto:declanw@is.bbc.co.uk">declanw@is.bbc.co.uk</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Fri, Feb 02, 2018 at 07:01:55PM +0000, Declan White wrote:<br>
> Yeah, disregard me. Sorry.<br>
> Looks like the tunnel I'm using is unclean..<br>
<br>
Well, I fixed the tunnel, but it turned out to be a red herring. It seems I've got two different problems in syslog-ng (on Solaris) :<br>
<br>
1) If I read from a unix-stream->unix-stream source, recvmsg() reliably EFAULT's the second read of a new connection. Unless I attach a library call tracer.. and then it won't. Heisenbug...<br>
10109/11: write(2, 0x00059898, 58) = 58<br>
10109/11: S e t t i n g v a l u e ; m s g = ' 4 7 b 1 0 ' , n a m e<br>
10109/11: = ' S O U R C E ' , v a l u e = ' i n _ t e s t '<br>
10109/11: write(2, "\n", 1) = 1<br>
10109/11: recvmsg(15, 0xFE66B4B4, 0) Err#14 EFAULT<br>
<br>
I think my build env may have eaten something bad. I'm recompiling all the dependent libs with GCC, and dumping libwrap, to see if that changes anything.<br>
<br>
Is any of this compiler noise relevant? :<br>
../source/syslog-ng-3.12.1/<wbr>modules/afsocket/socket-<wbr>options-inet.c:47:8: warning: unused variable 'on' [-Wunused-variable]<br>
gint on = 1;<br>
../source/syslog-ng-3.12.1/<wbr>modules/afsocket/transport-<wbr>unix-socket.c:52:35: warning: format '%d' expects argument of type 'int', but argument 4 has type 'pid_t {aka long int}' [-Wformat=]<br>
g_snprintf(buf, buflen, "/proc/%d/%s", pid, proc_file);<br>
../source/syslog-ng-3.12.1/<wbr>modules/afsocket/transport-<wbr>unix-socket.c:138:1: warning: '_add_nv_pair_proc_readlink' defined but not used [-Wunused-function]<br>
../source/syslog-ng-3.12.1/<wbr>modules/afsocket/transport-<wbr>unix-socket.c:118:1: warning: '_add_nv_pair_proc_read_argv' defined but not used [-Wunused-function]<br>
../source/syslog-ng-3.12.1/<wbr>modules/afsocket/transport-<wbr>unix-socket.c:104:1: warning: '_add_nv_pair_proc_read_<wbr>unless_unset' defined but not used [-Wunused-function]<br>
../source/syslog-ng-3.12.1/<wbr>modules/afsocket/transport-<wbr>unix-socket.c:38:1: warning: '_add_nv_pair_int' defined but not used [-Wunused-function]<br>
../source/syslog-ng-3.12.1/<wbr>modules/afstreams/afstreams.c: In function 'log_transport_streams_new':<br>
../source/syslog-ng-3.12.1/<wbr>modules/afstreams/afstreams.c:<wbr>97:14: warning: assignment from incompatible pointer type [-Wincompatible-pointer-types]<br>
self->read = log_transport_streams_read;<br>
../source/syslog-ng-3.12.1/<wbr>modules/afstreams/afstreams.c: In function 'afstreams_init_door':<br>
../source/syslog-ng-3.12.1/<wbr>modules/afstreams/afstreams.c:<wbr>133:11: warning: implicit declaration of function 'close'; did you mean 'pclose'? [-Wimplicit-function-<wbr>declaration]<br>
close(fd);<br>
<br>
2) If I avoid that unix-stream source and socat the client from a unix domain socket destination into a syslog port source, syslog-ng now has a mismatch of a source sending no framing, and a destination expecting it.<br>
<br>
syslog()<br>
write(5, 0x000721E8, 60) = 60<br>
5 7 < 1 3 > 1 2 0 1 8 - 0 2 - 0 3 T 0 3 : 1 1 : 2 0 + 0 0 :<br>
0 0 o p s t e s t 6 a - - - - t e s t 0 8\n<br>
<br>
unix-stream()<br>
read(6, 0x00072B00, 8192) = 57<br>
< 1 3 > 1 2 0 1 8 - 0 2 - 0 3 T 0 2 : 0 5 : 0 5 + 0 0 : 0 0<br>
o p s t e s t 6 a - - - - t e s t 0 7\n<br>
<br>
I take it that if I did something evil like faking up a length header with length() in a template() I might get unix-stream -> syslog working?<br>
<br>
<br>
> On Fri, Feb 02, 2018 at 06:48:09AM +0100, Scheidler, Balázs wrote:<br>
> > If the new lines at the end are ok, and the messages don't contain newlines<br>
> > themselves, you should be fine. If both destination and source is<br>
> > unix-STREAM(). Don't you happen to use unix-dgram() somewhere? That would<br>
> > take the datagram fragments as individual messages.<br>
> ><br>
> > Can you show me the framing errors you mention?<br>
> ><br>
> ><br>
> > On Feb 1, 2018 22:33, "Declan White" <<a href="mailto:declanw@is.bbc.co.uk">declanw@is.bbc.co.uk</a>> wrote:<br>
> ><br>
> > I have syslog-ng pumping data into a unix-stream destination<br>
> > socketfilething.<br>
> ><br>
> > Data going into this domain socket has lots of adventures, and then emerges<br>
> > as a source unix-stream on another host.<br>
> > Both have flags(syslog-protocol), but the data gets framing errors at the<br>
> > receiver.<br>
> ><br>
> > I think it's become a bytestream (instead of a message stream) en route, and<br>
> > the recv() is relying on only getting one message at a time, because it<br>
> > can't know the message length any other way, as unix-stream gets messages<br>
> > without framing(?).<br>
> ><br>
> > Is there a way to salvage this? (I noticed TLS might add framing, but since<br>
> > the tunnel is already TLS ...)<br>
<br>
</blockquote></div></div>
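The framing mismatch discussed in this thread, as an added example that is not part of the original messages or of syslog-ng: a receiver-side splitter for a byte stream that may carry octet-counted records (the "57 " prefix in the syslog() trace) or unframed, newline-terminated ones (the unix-stream() trace). The names `split_stream`, `octet_frame` and `FramingError`, the 8-byte cap on the length header and the `max_len` limit are assumptions made for illustration; the two sample messages are constructed from the trace output above.

```python
class FramingError(ValueError):
    """Raised when the stream cannot be split into messages."""

# Constructed samples modelled on the truss output quoted in the thread.
MSG7 = b"<13>1 2018-02-03T02:05:05+00:00 opstest6a - - - - test07\n"
MSG8 = b"<13>1 2018-02-03T03:11:20+00:00 opstest6a - - - - test08\n"

def octet_frame(msg: bytes) -> bytes:
    """Octet counting: decimal length, one space, then the message."""
    return str(len(msg)).encode() + b" " + msg

def split_stream(buf: bytes, accept_unframed: bool = True, max_len: int = 65536):
    """Return (messages, remainder) for bytes read from a stream socket.

    remainder is an incomplete tail to keep and prepend to the next read.
    accept_unframed=False models a receiver that insists on a length header.
    """
    msgs, pos = [], 0
    while pos < len(buf):
        first = buf[pos:pos + 1]
        if first == b"<":
            if not accept_unframed:
                raise FramingError(f"expected length digits at offset {pos}")
            end = buf.find(b"\n", pos)  # unframed: LF is the only delimiter
            if end < 0:
                break  # message not complete yet
            msgs.append(buf[pos:end + 1])
            pos = end + 1
        elif first in b"123456789":
            sp = buf.find(b" ", pos, pos + 8)
            if sp < 0:
                if len(buf) - pos >= 8:
                    raise FramingError(f"no space after length at offset {pos}")
                break  # length header not complete yet
            if not buf[pos:sp].isdigit():
                raise FramingError(f"bad length header at offset {pos}")
            n = int(buf[pos:sp])
            if n > max_len:
                raise FramingError(f"length {n} exceeds limit {max_len}")
            if len(buf) < sp + 1 + n:
                break  # body not complete yet
            msgs.append(buf[sp + 1:sp + 1 + n])  # body may contain LF safely
            pos = sp + 1 + n
        else:
            raise FramingError(f"unexpected byte {first!r} at offset {pos}")
    return msgs, buf[pos:]
```

The unframed branch depends on messages containing no embedded newlines, which is the condition stated in the quoted reply; only the length-prefixed branch survives a tunnel that merges or splits writes without that restriction.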