Hi Balazs,

Thanks for the reply. Yes a regexp might solve my specific problem, which is that one of the primary services on our ExDS machines recently changed its log messages to have a space in the tag field and that is screwing up the log files in the manner outlined below. I know what the bad string will be - it's always the same - so I'll experiment with bad_hostnames()

Thanks,
Joe.

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: 21 May 2009 07:52
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Space in tag causes parsing problems - syslog-ng 2.0.8

On Mon, 2009-05-18 at 16:13 +0000, Fegan, Joe wrote:
And btw strace of the syslog-ng process shows that the message it receives is the following:
read(15, "<13>May 18 16:44:04 hello world: second message\0", 8192) = 48
Since the syslog message format is ambiguous, it is not possible to differentiate between the format: $DATE $HOST $MSG and $DATE $MSG (e.g. the hostname is optional). syslog-ng assumes that the first word is the hostname, even if the message is received from local transport (e.g. unix domain socket or pipe). The solution is to use bad_hostnames() regexp to match against the names that are sure to be wrong.
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Fegan, Joe
Sent: 18 May 2009 17:00
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Space in tag causes parsing problems - syslog-ng 2.0.8
Syslog-ng 2.0.8
I found that logging a message with a space in the tag causes the first word of the tag to be used as the hostname. This does not happen with the standard syslogd.
Best illustrated by an example:
[root@kudos8 ~]# logger -t "hello" "here is a message"
[root@kudos8 ~]# tail -4 /var/log/messages
May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:41757
May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:44965
May 18 16:43:53 kudos8 info snmpd[5296]: Received SNMP packet(s) from UDP: [127.0.0.1]:44965
May 18 16:43:55 kudos8 notice hello: this is a message
[root@kudos8 ~]#
This is expected behaviour. Now see what happens when I put a space in the tag:
[root@kudos8 ~]# logger -t "hello world" "second message"
[root@kudos8 ~]# tail -5 /var/log/messages
May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:41757
May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:44965
May 18 16:43:53 kudos8 info snmpd[5296]: Received SNMP packet(s) from UDP: [127.0.0.1]:44965
May 18 16:43:55 kudos8 notice hello: this is a message
May 18 16:44:04 hello notice world: second message
[root@kudos8 ~]#
See that "hello" was incorrectly used as the hostname. This is 100% reproducible.
I stopped syslog-ng and started the standard syslogd instead. Standard syslogd does not have this problem:
[root@kudos8 ~]# logger -t "hello" "here is a message"
[root@kudos8 ~]# logger -t "hello world" "second message"
[root@kudos8 ~]# service syslog-ng stop
Stopping syslog-ng: [ OK ]
[root@kudos8 ~]# service syslog start
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
[root@kudos8 ~]# logger -t "hello world" "third message"
[root@kudos8 ~]# tail -10 /var/log/messages
May 18 16:54:25 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:33587
May 18 16:54:25 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:46177
May 18 16:54:25 kudos8 info snmpd[5296]: Received SNMP packet(s) from UDP: [127.0.0.1]:46177
May 18 16:54:30 kudos8 notice hello: here is a message
May 18 16:54:31 hello notice world: second message
May 18 16:54:34 kudos8 info syslog-ng[8737]: Termination requested via signal, terminating;
May 18 16:54:34 kudos8 notice syslog-ng[8737]: syslog-ng shutting down; version=\'2.0.8\'
May 18 16:54:38 kudos8 syslogd 1.4.1: restart.
May 18 16:54:38 kudos8 kernel: klogd 1.4.1, log source = /proc/kmsg started.
May 18 16:54:49 kudos8 hello world: third message
[root@kudos8 ~]#

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
-- Bazsi
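
An added example, not part of the original thread and not syslog-ng's own code: a simplified Python model of the $DATE $HOST $MSG versus $DATE $MSG ambiguity described in the reply above, showing how a regexp of known-bad names changes the host attribution. The function name, the tag heuristic and the `bad_hostname` parameter are assumptions made for illustration; the sample message is the one from the strace output.

```python
import re

# Simplified model of legacy (BSD-style) syslog header parsing.
# Illustration only; this is not syslog-ng's parser.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)$",
    re.S,
)
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

# The message from the strace output in the thread.
RAW = "<13>May 18 16:44:04 hello world: second message\0"


def parse(raw, local_host, bad_hostname=None):
    """Return (timestamp, host, severity, message).

    The first word after the timestamp is taken as the hostname unless it
    looks like a program tag (ends in ':' or carries '[pid]') or matches
    the bad_hostname regexp; then the receiver's own name is used and the
    word stays part of the message.
    """
    m = HEADER.match(raw.rstrip("\0\n"))
    if m is None:
        raise ValueError("not a legacy syslog message")
    severity = SEVERITIES[int(m["pri"]) & 7]  # low 3 bits of PRI
    first, _, remainder = m["rest"].partition(" ")
    looks_like_tag = first.endswith(":") or "[" in first
    rejected = bad_hostname is not None and re.search(bad_hostname, first)
    if looks_like_tag or rejected or not remainder:
        return m["ts"], local_host, severity, m["rest"]
    return m["ts"], first, severity, remainder


if __name__ == "__main__":
    # Without a bad-hostname pattern, "hello" is attributed as the host.
    print(parse(RAW, "kudos8"))
    # With the known bad string excluded, the local host name is kept.
    print(parse(RAW, "kudos8", bad_hostname=r"^hello$"))
```

Anchoring the pattern (`^hello$`) keeps it from also rejecting legitimate host names that merely contain the bad string.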