Re: syslog-ng bug: newlines in messages
If a syslogged message contains a newline, syslog-ng writes the message with the newline still embedded. This plays havoc with syslog parsing. Other syslogd implementations replace the newline with something else (ie. a space.) bind-8.2.2P5, on startup, logs a message that contains an embedded newline. The Linux kernel also occasionally logs messages that contain newlines.
I've just comitted a fix, it should be available in the next version, or apply this patch: diff -u -r1.19 log.c --- log.c 2000/03/01 22:02:47 1.19 +++ log.c 2000/08/27 13:39:32 @@ -155,6 +155,9 @@ lm->stamp = now; } + for (oldsrc = src, oldleft = left; oldleft; oldleft--, oldsrc++) { + if (*oldsrc < 32) *oldsrc = '.'; + } lm->msg = c_format_cstring("%s", left, src); } -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 url: http://www.balabit.hu/pgpkey.txt
On Sun, Aug 27, 2000 at 03:39:55PM +0200, Balazs Scheidler wrote:
I've just comitted a fix, it should be available in the next version, or apply this patch:
+ for (oldsrc = src, oldleft = left; oldleft; oldleft--, oldsrc++) { + if (*oldsrc < 32) *oldsrc = '.'; + }
Thanks! But since other syslogd implementations (IMLE) leave the other control characters alone and just replace newlines with spaces, wouldn't it be more correct to do exactly that, in the spirit of full compatibility? - Morty
Mordechai T. Abzug on Sun 27/08 16:24 -0400:
I've just comitted a fix, it should be available in the next version, or apply this patch:
+ for (oldsrc = src, oldleft = left; oldleft; oldleft--, oldsrc++) { + if (*oldsrc < 32) *oldsrc = '.'; + }
Thanks! But since other syslogd implementations (IMLE) leave the other control characters alone and just replace newlines with spaces, wouldn't it be more correct to do exactly that, in the spirit of full compatibility?
This is not true. The Linux (and I believe it is derived from BSD) syslogd turns eg ASCII 13 to a "^M" string. This screws up parsing because some programs log continuation lines delimited with tabs, and instead of incurring a split to new message, it just gets thrown in as "^I" (two chars). This contradicts Solaris' syslogd behavior, which is to put them through unchanged. Although I sort of agree that only printables 32-126 decimal should be embedded in log files. But that certainly doesn't make you i18n :) Incidentally is there any sort of RFC for syslog messages? I've not been able to locate any. The only way I can figure it out is by reading other syslogd implementations. It seems they delimit messages by ASCII NULs and prefix new messages with a "<xx>" number which when masked gives facility and priority. -- Questra Desktop and Network services (QDN) | (716) 381-0292 x525 web: http://qweb.web.roc.questra.com/srs/ | techserv@questra.com
participants (3)
-
Balazs Scheidler
-
Mordechai T. Abzug
-
Scott McDermott