-----Original Message----- From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler Sent: Thursday, December 11, 2008 7:21 AM To: Syslog-ng users' and developers' mailing list Subject: Re: [syslog-ng] Syslog-NG, log4j, tabs, whitespace, indent
On Wed, 2008-12-10 at 16:55 -0600, John Skopis wrote:
Bazsi,
Strace: recvfrom(5, "<147> at org.jgroups.util.TimeScheduler$Loop.run(TimeScheduler.java:141)", 8192, 0, {sa_family=AF_INET, sin_port=htons(41277), sin_addr=inet_addr("1.2.3.4")}, [16]) = 75 write(14, "Dec 10 17:52:04 1.2.3.4 at org.jgroups.util.TimeScheduler$Loop.run(TimeScheduler.java:141)\n", 97) = 97 recvfrom(5, "<147> at org.jgroups.util.TimeScheduler$Loop.run(TimeScheduler.java:141)", 8192, 0, {sa_family=AF_INET, sin_port=htons(41277), sin_addr=inet_addr("1.2.3.4")}, [16]) = 75 write(14, "Dec 10 17:52:04 1.2.3.4 at org.jgroups.util.TimeScheduler$Loop.run(TimeScheduler.java:141)\n", 97) = 97
Let me know if you need tcpdump still (I started the cap but would like to anonymize it and/or send it to you off-list).
Ah, this means that there's no tab at the beginning of the message, but rather it is a space. syslog-ng skips spaces if the syslog header is not complete.
Try enabling setHeader(true) on your SyslogAppender class. This will probably make log4j emit a complete syslog header, in which case syslog-ng will not drop the preceding spaces.
Please let me know if this works for you.
Well, I tried setting Header=true but it did nothing. Actually, I think that it *is* setting the header for the first line of output, however as a stack trace is a log message spanning multiple lines it only sets the header for the first line. Can I request a feature like the one is this patch? I am not sure of the implications in keeping the whitespace. It doesn't appear to break anything for me...but then again I am only using the $HOST macro.. I admit that it is a bit of a hack...perhaps the original logic was meant to replace the first space, which acts a field separator, not trim leading whitespace chars? Also, scuse' the indentation in the patch -- clearly my vi settings don't match your indentation rules ;] Thanks
diff -uar syslog-ng-2.0.9.pristine/src/cfg-lex.c syslog-ng-2.0.9/src/cfg-lex.c
--- syslog-ng-2.0.9.pristine/src/cfg-lex.c 2008-03-23 15:42:01.000000000 -0500
+++ syslog-ng-2.0.9/src/cfg-lex.c 2008-12-11 09:59:44.000000000 -0600
@@ -2074,6 +2074,9 @@ return LRO_NOPARSE; if (strcmp(flag, "kernel") == 0) return LRO_KERNEL; + if (strcmp(flag, "keep-whitespace") == 0 || strcmp(flag, "keep_whitespace") == 0); + return LR_KEEP_WHITESPACE; + msg_error("Unknown parse flag", evt_tag_str("flag", flag), NULL); return 0; }
diff -uar syslog-ng-2.0.9.pristine/src/cfg-lex.l syslog-ng-2.0.9/src/cfg-lex.l
--- syslog-ng-2.0.9.pristine/src/cfg-lex.l 2007-12-18 09:25:14.000000000 -0600
+++ syslog-ng-2.0.9/src/cfg-lex.l 2008-12-11 09:56:06.000000000 -0600
@@ -285,6 +285,8 @@
 return LRO_NOPARSE;
 if (strcmp(flag, "kernel") == 0)
 return LRO_KERNEL;
+ if (strcmp(flag, "keep-whitespace") == 0 || strcmp(flag, "keep_whitespace") == 0);
+ return LR_KEEP_WHITESPACE;
 msg_error("Unknown parse flag", evt_tag_str("flag", flag), NULL);
 return 0;
 }
diff -uar syslog-ng-2.0.9.pristine/src/logmsg.c syslog-ng-2.0.9/src/logmsg.c
--- syslog-ng-2.0.9.pristine/src/logmsg.c 2007-12-29 11:39:33.000000000 -0600
+++ syslog-ng-2.0.9/src/logmsg.c 2008-12-11 10:01:35.000000000 -0600
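Review bot: In the cfg-lex.l hunk the added test ends in a semicolon, `... strcmp(flag, "keep_whitespace") == 0);`, so the `if` has an empty body and `return LR_KEEP_WHITESPACE;` runs for every flag that reaches this point. The `msg_error("Unknown parse flag", ...)` call below it becomes unreachable, which means a misspelled or unsupported flag in the configuration is accepted silently and switches whitespace preservation on instead of being reported. Dropping the semicolon restores the intended check: `if (strcmp(flag, "keep-whitespace") == 0 || strcmp(flag, "keep_whitespace") == 0)`. The sibling branches return `LRO_*` constants while this one returns an `LR_*` one, so the returned value probably belongs to a different flag set; the function's start and the `LRO_*` definitions are outside the hunk. The generated cfg-lex.c hunk carries the same two lines.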
@@ -190,11 +190,13 @@
 }
- while (left && *src == ' ')
- { /* Move past whitespace */
- src++;
- left--;
- }
+ if ( ! (flags & LP_KEEP_WHITESPACE) ) {
+ while (left && *src == ' ')
+ { /* Move past whitespace */
+ src++;
+ left--;
+ }
+ };
 /* If the next chars look like a date, then read them as a date. */
 if (left >= 19 && src[4] == '-' && src[7] == '-' && src[10] == 'T' && src[13] == ':' && src[16] == ':')
diff -uar syslog-ng-2.0.9.pristine/src/logmsg.h syslog-ng-2.0.9/src/logmsg.h
--- syslog-ng-2.0.9.pristine/src/logmsg.h 2008-02-13 13:07:00.000000000 -0600
+++ syslog-ng-2.0.9/src/logmsg.h 2008-12-11 09:54:09.000000000 -0600
@@ -39,6 +39,8 @@
 #define LP_CHECK_HOSTNAME 0x0008
 #define LP_STRICT 0x0010
 #define LP_KERNEL 0x0020
+#define LP_KEEP_WHITESPACE 0x0030
+
 #define LF_UNPARSED 0x0001
 #define LF_INTERNAL 0x0002
diff -uar syslog-ng-2.0.9.pristine/src/logreader.c syslog-ng-2.0.9/src/logreader.c
--- syslog-ng-2.0.9.pristine/src/logreader.c 2008-03-23 15:35:25.000000000 -0500
+++ syslog-ng-2.0.9/src/logreader.c 2008-12-11 10:06:22.000000000 -0600
@@ -246,6 +246,8 @@
 parse_flags |= LP_INTERNAL;
 if (self->flags & LR_LOCAL)
 parse_flags |= LF_LOCAL;
+ if (self->options->options & LR_KEEP_WHITESPACE)
+ parse_flags |= LP_KEEP_WHITESPACE;
 if ((self->flags & LR_PKTTERM) || (!eol && (self->ofs == self->options->msg_size)) ||
diff -uar syslog-ng-2.0.9.pristine/src/logreader.h syslog-ng-2.0.9/src/logreader.h
--- syslog-ng-2.0.9.pristine/src/logreader.h 2008-01-26 09:15:14.000000000 -0600
+++ syslog-ng-2.0.9/src/logreader.h 2008-12-11 09:55:52.000000000 -0600
@@ -36,6 +36,7 @@
 #define LR_NOMREAD 0x0008
 #define LR_FOLLOW 0x0010
 #define LR_STRICT 0x0020
+#define LR_KEEP_WHITESPACE 0x0030
 #define LR_COMPLETE_LINE 0x0100
diff -uar syslog-ng-2.0.9.pristine/syslog-ng.spec.bb syslog-ng-2.0.9/syslog-ng.spec.bb
--- syslog-ng-2.0.9.pristine/syslog-ng.spec.bb 2008-03-23 15:41:57.000000000 -0500
+++ syslog-ng-2.0.9/syslog-ng.spec.bb 2008-12-11 10:05:09.000000000 -0600
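Review bot: With the flag set in the logmsg.c hunk, the timestamp test that follows the new block (`left >= 19 && src[4] == '-' ...`) is evaluated with `src` still pointing at the leading spaces, so a message that does carry a header after a space will presumably no longer have its date recognised; the rest of the parse is outside the hunk, so this needs confirming against the full function. If the intent is only to preserve the indentation of header-less continuation lines, a comment above the guard should say so, e.g. `/* keep-whitespace: leave leading spaces in place; header detection below then sees them */`. The block also closes with `};`, where the semicolon is a stray empty statement and `}` is enough.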
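Review bot: In the logmsg.h hunk `LP_KEEP_WHITESPACE` is defined as 0x0030, which is not a bit of its own but `LP_STRICT | LP_KERNEL` (0x0010 | 0x0020), so `flags & LP_KEEP_WHITESPACE` in the logmsg.c hunk is true whenever either of those is set, and setting the new flag turns both of them on. The same applies to `LR_KEEP_WHITESPACE 0x0030` in the logreader.h hunk, which overlaps `LR_FOLLOW` and `LR_STRICT`. Each needs a single unused bit, for example `#define LP_KEEP_WHITESPACE 0x0040` and `#define LR_KEEP_WHITESPACE 0x0040`, provided 0x0040 is not already taken by a definition outside the hunks.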
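Review bot: The added test in the logreader.c hunk reads `self->options->options`, whereas the neighbouring lines test `LR_*` flags against `self->flags`; the parse-flag lookup in cfg-lex.l returns `LRO_*` values, which suggests the options word uses the `LRO_*` bit layout rather than the `LR_*` one. If so, masking it with `LR_KEEP_WHITESPACE` may match an unrelated option bit. Defining the option next to the other `LRO_*` constants and testing `self->options->options & LRO_KEEP_WHITESPACE` would keep the two flag sets apart; the `LRO_*` definitions are not shown here, so the free bit has to be chosen where they live. The surrounding function starts and ends outside the hunk.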
@@ -14,6 +14,9 @@
 BuildRoot: %{_tmppath}/%{name}-root
 BuildRequires: bison, flex, gcc-c++, pkgconfig, glib2-devel, libevtlog-devel
 Provides: syslog
+
+Patch1: keep_ws.patch
+
 #BuildConflicts:
 #Exclusivearch: i386
@@ -30,6 +33,7 @@
 %prep
 %setup -q -n syslog-ng-%{version}
+%patch1 -p1
 %build