On 0, Balazs Scheidler <bazsi@balabit.hu> inscribed onto the electric medium...
My question is, is there somewhere in the syslog-ng code where I can easily parse the incoming syslog message and replace linefeeds with something benign, such as spaces or tabs? Or is there another solution that would be better? In the meantime we're opening a bug with the vendor since I consider this their issue, but knowing vendors I'm not confident in their addressing the problem quickly.
Vendor == Cisco, perhaps?
Not to name names, but... Yes. :-) One of their acquisitions to be precise.
linefeeds take an important role in syslog messages, they terminate them. So
I disagree.
I just had to track this one down myself; the Cisco VPN concentrator is logging stuff with embedded newlines. The RH Linux box was logging the whole messages, but the Irix box wasn't. Hence clearly the linefeed doesn't have any true bearing on the length of the syslog message; it should be determined by the length of the incoming message. Any embedded newlines should be ignored; translated to spaces (as the Linux syslog does) or ^M (as the [patched] Irix syslog does.)
Deja vu... This is exactly what we were running into. There's now an open TAC case with Cisco on it, since I call it a bug on their part. I'd tend to agree with Balazs on this point, to which end I added code to remove all but the final linefeed before processing. In 'src/sources.c' (I've included the existing line before and after for reference):

    closure->pos += n;
    start = closure->buffer;
    eol = closure->buffer + closure->pos;
    while (start++ < eol)
        if (start[-1] == '\n')
            start[-1] = ' ';
    eol = memchr(closure->buffer, '\0', closure->pos);

It's not pretty, but so far it's gotten the job done.
"Be gracious in what you accept, and conservative in what you send." (paraphrased sendmail quotation.)
There's no RFC on syslog messages, is there? The Irix syslogd traces its route all the way back to BSD 4.2, and the check that terminated parsing when it hit a newline had been in there from the beginning.
No, but there is a task force working on one if I recall. Better late than never? Thanks for the assistance, I think this is taken care of.
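
The approach argued for in this thread (the datagram length bounds the message, embedded linefeeds become spaces) can be written as a stand-alone routine. This is an added example, not part of the original messages and not syslog-ng code; the function name `sanitize_datagram`, its handling of CR and NUL bytes, and the sample message are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: normalise one received syslog datagram in place.
 * len is the number of bytes received, cap the size of buf.
 * The datagram length bounds the message. Trailing CR/LF terminators are
 * dropped and embedded CR/LF bytes become spaces, so one datagram always
 * yields exactly one log line. Returns the cleaned length; buf is
 * NUL-terminated when there is room (returned length < cap). */
size_t sanitize_datagram(char *buf, size_t len, size_t cap)
{
    if (buf == NULL || cap == 0)
        return 0;
    if (len > cap)
        len = cap;

    /* Some senders NUL-terminate; bytes after the first NUL are ignored. */
    char *nul = memchr(buf, '\0', len);
    if (nul != NULL)
        len = (size_t)(nul - buf);

    /* Strip the final terminator(s) rather than turning them into spaces. */
    while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r'))
        len--;

    /* Embedded line breaks would split one message into several records. */
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\n' || buf[i] == '\r')
            buf[i] = ' ';

    if (len < cap)
        buf[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed sample datagram with an embedded linefeed. */
    char msg[64] = "<134>concentrator: line one\nline two\n";
    size_t n = sanitize_datagram(msg, strlen(msg), sizeof msg);
    printf("%zu bytes: [%s]\n", n, msg);
    return 0;
}
```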