On Fri, 2005-05-20 at 04:49, Balazs Scheidler wrote:
If your log volume is bearable, it would help if you could attach strace to the syslog-ng process with a large -s parameter while a broken message is received. e.g. something like:
strace -s 4096 -o syslog-ng.trace -p <syslog-ngpid>
That would help to identify whether syslog-ng or sendmail is at fault.
Standard syslogd uses unix-dgram sockets, but if sendmail uses the standard syslog() routines from libc it should simply work with unix-stream() as well.
Luckly it is... Attached is a trimmed down trace file with a few examples of the problem [about 200lines let me know if more would be useful...] To my [uneducated] eye it looks like sendmail is the problem but like I said sometimes it does it right sometime it doesn't. Example: read(16, "<20>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: premature EOM: unexpected close", 2048) = 93 Notice no \0 or \n Then the next read read(16, "<21>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: unexpected close on connection from [61.43.165.161], sender=<Hager@indiatimes.com>\0<22>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: from=<Hager@indiatimes.com>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[61.43.165.161]\0", 1955) = 300 A null terminator That leads to the output write(22, "2005-05-20 07:48:02 quasar mail.warning sendmail[16668]: j4KEkWOv016668: collect: premature EOM: unexpected close<21>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: unexpected close on connection from [61.43.165.161], sender=<Hager@indiatimes.com>\n2005-05-20 07:48:02 quasar mail.info sendmail[16668]: j4KEkWOv016668: from=<Hager@indiatimes.com>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[61.43.165.161]\n", 430) = 430 So the null was caught and turned into \n but the line before it runs together. With some weird <21> [and more often <22> see trace file]. ` -- Mike Tremaine mgt@stellarcore.net http://www.stellarcore.net