Hello!

I encountered some problems with syslog-ng 1.5.25 while trying to separate logs by program name. Our developers often use multiline log messages, stack traces for example. The problem is that when a multiline message is received via the network (UDP) it is logged as several lines, and only the first line has the program name in it. So, when I configure a 'program' filter, it only catches the first line.

Example: we are logging this message and it is sent to the loghost (in one UDP packet, tested with snoop):

<30>Jan 31 13:51:30 Yadda yadda[17245]: Time to die.
die now!

The loghost writes it this way:

Jan 31 13:42:29 host yadda[17231]: Time to die.
Jan 31 13:42:29 host die now!

The second line "die now!" will not match the 'program' filter. I suppose it would be correct to replace all '\n', '\r', etc. in log messages and log them as a single line, as common syslogd does in any case and as syslog-ng does when the source is a unix domain socket.

Another problem is that the first word of the program name disappears. If the program name is missing, the first word of the log msg disappears instead.

Here's the script used to send the log message in my example:

#!/usr/bin/perl -w
use strict;
use Sys::Syslog;                          # all except setlogsock, or:
use Sys::Syslog qw(:DEFAULT setlogsock);  # default set, plus setlogsock

my $ident    = 'Yadda yadda';             # program name containing a space
my $logopt   = 'pid,ndelay';
my $facility = 'daemon';
my $priority = 'info';
my $format   = "Time to die.\ndie now!";  # two-line message body
my @args;

setlogsock 'unix';
openlog $ident, $logopt, $facility;
syslog $priority, $format, @args;
closelog;

-- 
Dmitry Frolov, Zenon N.S.P.
(095) 250-4629, http://www.zenon.net/
Hello,

I found that the problem described only occurs if the UDP packet does not end with \0. This is a little test for it:

#!/usr/bin/perl -w
use strict;
use IO::Socket::INET;

# Three packets: with a trailing \0, without one, and without a timestamp.
my @msg = (
    "<30>Jan 31 13:51:30 Yadda yadda [12345]: Time to die.\ndie now!\n\0",
    "<30>Jan 31 13:51:30 Yadda yadda [12345]: Time to die.\ndie now!\n",
    "<30>Yadda yadda [12345]: Time to die.\ndie now!\n\0"
);

my $sock = IO::Socket::INET->new(PeerAddr => 'localhost',
                                 PeerPort => 514,
                                 Proto    => 'udp')
    or die "cannot create UDP socket: $!";

foreach (@msg) {
    $sock->send($_);
    $sock->flush();
    sleep(1);
}

The results are the following:

1. Message not split:
Jan 31 13:51:30 localhost yadda[12345]: Time to die. die now!

2. No \0 at the end - message is split:
Jan 31 13:51:30 localhost yadda[12345]: Time to die.
Jan 31 16:06:09 localhost die now!

3. No timestamp in packet - program name becomes correct:
Jan 31 16:06:10 localhost Yadda yadda[12345]: Time to die. die now!

Hope this helps...

On Fri, Jan 31, 2003 at 02:05:36PM +0300, Dmitry Frolov wrote:

I encountered some problems with syslog-ng 1.5.25 while trying to separate logs by program name. Our developers often use multiline log messages, stack traces for example. The problem is that when a multiline message is received via the network (UDP) it is logged as several lines, and only the first line has the program name in it. So, when I configure a 'program' filter, it only catches the first line.
-- Dmitry Frolov, Zenon N.S.P. (095) 250-4629, http://www.zenon.net/
On Fri, Jan 31, 2003 at 04:09:25PM +0300, Dmitry Frolov wrote:
Hello,
I found that the problem described only occurs if the UDP packet does not end with \0. This is a little test for it:
syslog-ng takes \n as line terminator. Generally you should not include '\n' in log messages.
The results are the following:

1. Message not split:
Jan 31 13:51:30 localhost yadda[12345]: Time to die. die now!

2. No \0 at the end - message is split:
Jan 31 13:51:30 localhost yadda[12345]: Time to die.
Jan 31 16:06:09 localhost die now!

3. No timestamp in packet - program name becomes correct:
Jan 31 16:06:10 localhost Yadda yadda[12345]: Time to die. die now!
Program names should not contain spaces either. There's no way to know whether the first word is a hostname or is part of the program. (though the option bad_hostname() added lately should help you here)

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
Hello Balazs,

Thanks for your explanations.

On Sat, Feb 01, 2003 at 12:04:36PM +0100, Balazs Scheidler wrote:

I found that the problem described only occurs if the UDP packet does not end with \0. This is a little test for it:
syslog-ng takes \n as line terminator. Generally you should not include '\n' in log messages.
In general I agree with that; using '\n' in a single log message usually makes no sense, since it is replaced with a space (or even a literal '\n' under Solaris) and the message loses its formatting anyway. But I am forced to deal with such logs, as some applications log to both local files and syslog with the same calls, and the messages contain newlines. I have to turn off splitting UDP log messages on '\n', so that a single packet is logged as a single message in all cases... Hope the following won't lead to something bad...

--- src/sources.c.orig	Wed Jan 8 12:31:37 2003
+++ src/sources.c	Fri Jan 31 18:07:13 2003
@@ -110,3 +110,3 @@
   eol = memchr(closure->buffer, '\0', closure->pos);
-  if (eol == NULL)
+  if (eol == NULL && !closure->dgram)
     eol = memchr(closure->buffer, '\n', closure->pos);
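Review bot: after this change a datagram without a trailing '\0' leaves eol == NULL, and nothing in the hunk turns that case into "treat the whole buffer as one message"; unless the code below the hunk already does that for closure->dgram sources (it is not shown here), such a packet stays in the buffer until a later packet happens to carry a '\0', and it is the no-'\0' packet that motivated the patch. Suggest adding, after the second memchr, something like `if (eol == NULL && closure->dgram) eol = closure->buffer + closure->pos;` (assuming closure->pos is the number of buffered bytes, as its use as the memchr length suggests), or showing the existing fallback in the diff. Also worth a line in the changelog: datagram sources now keep embedded and trailing newlines in the message body, which changes what destinations receive for those packets.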
Program names should not contain spaces either. There's no way to know whether the first word is a hostname or is part of the program. (though the option bad_hostname() added lately should help you here)
I see. The syslogd message format seems to be rather fuzzy.

-- 
Dmitry Frolov, Zenon N.S.P.
(095) 250-4629, http://www.zenon.net/
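To make the behaviour discussed in this thread concrete, here is an added example (written for this page, not syslog-ng code and not from any of the posters) that models the terminator scan: look for '\0' first, fall back to '\n', and, in the variant the proposed sources.c change aims at, skip the '\n' fallback for datagram sources. The frame_t type, the frame_buffer loop, and the rule that an unterminated datagram remainder is delivered as one message are this example's own assumptions about the code around the hunk; the packet bytes are constructed to match the test script in the thread.

```c
/* Added example, not syslog-ng code: a model of the line-terminator scan
 * discussed in this thread. Names and the "unterminated datagram = one
 * message" rule are assumptions of this example, not syslog-ng's code. */
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *start;
    size_t len;
} frame_t;

/* Scan buf[0..len): a '\0' ends a message, otherwise a '\n' does, unless
 * dgram is set (the patched condition). Returns the number of complete
 * messages stored in out; *pending receives the bytes left unterminated,
 * which a stream source would hold until the next read. */
static size_t frame_buffer(const char *buf, size_t len, int dgram,
                           frame_t *out, size_t max, size_t *pending)
{
    size_t n = 0;
    const char *p = buf, *end = buf + len;

    while (p < end && n < max) {
        size_t avail = (size_t)(end - p);
        const char *eol = memchr(p, '\0', avail);
        if (eol == NULL && !dgram)      /* stock syslog-ng also tries '\n' */
            eol = memchr(p, '\n', avail);
        if (eol == NULL) {
            if (dgram) {                /* a datagram is never split */
                out[n].start = p;
                out[n].len = avail;
                n++;
                p = end;
            }
            break;
        }
        out[n].start = p;
        out[n].len = (size_t)(eol - p);
        n++;
        p = eol + 1;
    }
    *pending = (size_t)(end - p);
    return n;
}

/* Constructed packet, the same bytes the test script in this thread sends.
 * The literal's own terminating NUL doubles as the trailing "\0" of test
 * case 1; sending sizeof(PKT) - 1 bytes reproduces test case 2. */
static const char PKT[] =
    "<30>Jan 31 13:51:30 Yadda yadda [12345]: Time to die.\ndie now!\n";

/* Number of messages a packet of pktlen bytes turns into. */
static size_t messages_in(const char *pkt, size_t pktlen, int dgram)
{
    frame_t frames[8];
    size_t pending;
    return frame_buffer(pkt, pktlen, dgram, frames, 8, &pending);
}

/* 1 if frame idx of the framed packet is exactly expected, else 0. */
static int frame_equals(const char *pkt, size_t pktlen, int dgram,
                        size_t idx, const char *expected)
{
    frame_t frames[8];
    size_t pending;
    size_t n = frame_buffer(pkt, pktlen, dgram, frames, 8, &pending);
    if (idx >= n || frames[idx].len != strlen(expected))
        return 0;
    return memcmp(frames[idx].start, expected, frames[idx].len) == 0;
}

int main(void)
{
    frame_t frames[8];
    size_t pending, n, i;
    int dgram;

    for (dgram = 0; dgram <= 1; dgram++) {
        printf("%s, packet without trailing NUL:\n",
               dgram ? "datagram rule" : "stock rule");
        n = frame_buffer(PKT, sizeof(PKT) - 1, dgram, frames, 8, &pending);
        for (i = 0; i < n; i++)
            printf("  message %zu: [%.*s]\n", i + 1,
                   (int)frames[i].len, frames[i].start);
        printf("  pending bytes: %zu\n", pending);
    }
    return 0;
}
```

With the stock rule the NUL-less packet becomes two messages, the second being the bare "die now!" that the loghost then stamps with its own time and no program name, exactly as in result 2 above; with the datagram rule both packet variants come out as a single message, embedded newline and all.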
On Sat, Feb 01, 2003 at 06:04:46PM +0300, Dmitry Frolov wrote:
I see. syslogd message format seems to be rather fuzzy.
That's true, though an effort was made to describe syslog as traditionally used. See RFC 3164: <URL:http://www.faqs.org/rfcs/rfc3164.html>

It's a short, easy to read RFC and is worth the time spent reading.

-- 
Nate Campi   http://www.campin.net

"Want to make your computer go really fast? Throw it out the window!" - Anonymous
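As an added illustration of the hostname/program ambiguity Balazs describes and the RFC 3164 header layout Nate points to, here is a minimal header parser written for this page (it is not syslog-ng's parser and not reference code from the RFC). It takes the first word after a BSD timestamp as HOSTNAME, which is how "Yadda yadda[17245]:" loses its first word, and accepts a bad_hostname-style reject list so the caller can keep that word in the program name. The sysmsg_t fields, the plain string list standing in for syslog-ng's regexp option, and the 32-byte TAG scan window are this example's own choices; the input lines are constructed after the ones in this thread.

```c
/* Added example, not syslog-ng or RFC 3164 reference code: a minimal
 * RFC 3164 header parser showing why a program name with a space is
 * mis-split after a timestamp, and how a bad_hostname-style reject list
 * avoids it. Names, field sizes and the 32-byte TAG window are this
 * example's own assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

typedef struct {
    int  pri;            /* PRI value, -1 if the packet has none */
    char timestamp[16];  /* BSD timestamp "Mmm dd hh:mm:ss", empty if absent */
    char host[64];       /* HOSTNAME field, empty if none was parsed */
    char program[64];    /* TAG without [pid] and ':', empty if no TAG found */
    const char *msg;     /* remaining CONTENT */
} sysmsg_t;

/* "Mmm dd hh:mm:ss " : 15 characters followed by a space. */
static int is_bsd_timestamp(const char *p)
{
    if (strlen(p) < 16) return 0;
    return isalpha((unsigned char)p[0]) && isalpha((unsigned char)p[1]) &&
           isalpha((unsigned char)p[2]) && p[3] == ' ' &&
           (p[4] == ' ' || isdigit((unsigned char)p[4])) &&
           isdigit((unsigned char)p[5]) && p[6] == ' ' &&
           isdigit((unsigned char)p[7]) && isdigit((unsigned char)p[8]) &&
           p[9] == ':' && isdigit((unsigned char)p[10]) &&
           isdigit((unsigned char)p[11]) && p[12] == ':' &&
           isdigit((unsigned char)p[13]) && isdigit((unsigned char)p[14]) &&
           p[15] == ' ';
}

/* Stand-in for bad_hostname(): a NULL-terminated list of words that must
 * not be taken as the HOSTNAME field (syslog-ng's option is a regexp). */
static int bad_hostname(const char *word, size_t len, const char *const *bad)
{
    for (; bad && *bad; bad++)
        if (strlen(*bad) == len && memcmp(*bad, word, len) == 0)
            return 1;
    return 0;
}

static void copy_n(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (n >= dstsz) n = dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Parse one already-framed, NUL-terminated message. */
static void parse_rfc3164(const char *line, const char *const *bad, sysmsg_t *m)
{
    const char *p = line;
    size_t i, limit;

    memset(m, 0, sizeof(*m));
    m->pri = -1;
    if (*p == '<') {                                  /* <PRI> */
        const char *q = p + 1;
        int v = 0;
        while (isdigit((unsigned char)*q)) v = v * 10 + (*q++ - '0');
        if (q > p + 1 && *q == '>') { m->pri = v; p = q + 1; }
    }
    if (is_bsd_timestamp(p)) {                        /* TIMESTAMP HOSTNAME */
        const char *sp;
        size_t wlen;
        copy_n(m->timestamp, sizeof(m->timestamp), p, 15);
        p += 16;
        sp = strchr(p, ' ');
        wlen = sp ? (size_t)(sp - p) : strlen(p);
        if (sp && !bad_hostname(p, wlen, bad)) {      /* first word = host */
            copy_n(m->host, sizeof(m->host), p, wlen);
            p = sp + 1;
        }
    }
    limit = strlen(p) < 32 ? strlen(p) : 32;          /* TAG: prog[pid]: */
    for (i = 0; i < limit; i++) {
        if (p[i] == '\n') break;
        if (p[i] == '[' || p[i] == ':') {
            const char *colon = strchr(p + i, ':');
            size_t plen = i;
            while (plen > 0 && p[plen - 1] == ' ') plen--;
            copy_n(m->program, sizeof(m->program), p, plen);
            p = colon ? colon + 1 : p + i;
            break;
        }
    }
    while (*p == ' ') p++;
    m->msg = p;
}

/* 1 if line parses to exactly the given host, program and msg. */
static int parses_as(const char *line, const char *const *bad,
                     const char *host, const char *program, const char *msg)
{
    sysmsg_t m;
    parse_rfc3164(line, bad, &m);
    return strcmp(m.host, host) == 0 && strcmp(m.program, program) == 0 &&
           strcmp(m.msg, msg) == 0;
}

/* Constructed inputs modelled on the packets in this thread. */
static const char *const BAD_HOSTS[] = { "Yadda", NULL };
static const char WITH_TS[]    = "<30>Jan 31 13:51:30 Yadda yadda[17245]: Time to die.";
static const char WITHOUT_TS[] = "<30>Yadda yadda[17245]: Time to die.";
static const char BARE[]       = "die now!";

int main(void)
{
    const char *inputs[] = { WITH_TS, WITH_TS, WITHOUT_TS, BARE };
    const char *const *lists[] = { NULL, BAD_HOSTS, NULL, NULL };
    size_t i;
    for (i = 0; i < 4; i++) {
        sysmsg_t m;
        parse_rfc3164(inputs[i], lists[i], &m);
        printf("host=[%s] program=[%s] msg=[%s]\n", m.host, m.program, m.msg);
    }
    return 0;
}
```

The same bytes parse to host "Yadda"/program "yadda" by default and to program "Yadda yadda" once "Yadda" is on the reject list, and the timestamp-less packet never reaches the hostname branch, which is why case 3 in the thread came out with the right program name. The bare "die now!" line has no TAG at all, matching the loghost output that no 'program' filter can catch.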
participants (3): Balazs Scheidler, Dmitry Frolov, Nate Campi