I see what you are saying...
I don't think the length of a packet either 1024 or 69 bytes in length is causing the problem.
The problem is that the second frame (the 69 byte one) is not going to the appropriate file.
It is going to the default "catch all" file instead of the one it should be.
If you look at the actual packet code... I believe the applications part of the header is missing on the 69 byte packet.
Would this cause syslog-ng to dump the packet into the default catch all file as opposed to the one specified by IP?

Please advise and thanks,
Chris

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Monday, February 11, 2008 4:04 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Problems with short messages

On Sun, 2008-02-10 at 08:03 -0500, Guy Fleegman wrote:
> The first packet is only 1066 bytes long... and the second one is 69. I thought that the default log msg size was 8192...so I was not thinking that adjusting that in either direction would make a difference.... should it?

If it's over your desired length, then you don't need to adjust that.

The problem is that if you're using the UDP transport, messages are terminated by the datagram borders, e.g. each message is a separate frame.

Syslog-ng will happily process UDP frames over 1024 bytes (even though the RFC says that's the limit), so change the sender to send it out with a single frame.

--
Bazsi
Bazsi please correct me if I'm wrong, but I interpret your earlier email as "one UDP frame = one message" therefore if Guy wants to send longer messages over UDP he'll have to increase the frame size on the sender so that the entire message fits in one frame.

> Date: Wed, 13 Feb 2008 09:12:49 -0500
> From: network.monger@gmail.com
> To: syslog-ng@lists.balabit.hu
> Subject: Re: [syslog-ng] Problems with short messages
>
> I see what you are saying...
> I don't think the length of a packet either 1024 or 69 bytes in length
> is causing the problem.
> The problem is that the second frame (the 69 byte one) is not going
> to the appropriate file.
> It is going to the default "catch all" file instead of the one it should be.
> If you look at the actual packet code... I believe the applications
> part of the header is missing on the 69 byte packet.
> Would this cause syslog-ng to dump the packet into the default catch
> all file as opposed to the one specified by IP?
>
> Please advise and thanks,
> Chris
>
> -----Original Message-----
> From: syslog-ng-bounces@lists.balabit.hu
> [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs
> Scheidler
> Sent: Monday, February 11, 2008 4:04 AM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Problems with short messages
>
> On Sun, 2008-02-10 at 08:03 -0500, Guy Fleegman wrote:
> > The first packet is only 1066 bytes long... and the second one is 69.
> > I thought that the default log msg size was 8192...so I was not
> > thinking that adjusting that in either direction would make a
> > difference.... should it?
>
> If it's over your desired length, then you don't need to adjust that.
>
> The problem is that if you're using the UDP transport, messages are
> terminated by the datagram borders, e.g. each message is a separate
> frame.
>
> Syslog-ng will happily process UDP frames over 1024 bytes (even though
> the RFC says that's the limit), so change the sender to send it out with
> a single frame.
>
> --
> Bazsi
On Wed, 2008-02-13 at 15:52 +0000, Joe Fegan wrote:
> Bazsi please correct me if I'm wrong, but I interpret your earlier email as "one UDP frame = one message" therefore if Guy wants to send longer messages over UDP he'll have to increase the frame size on the sender so that the entire message fits in one frame.

Absolutely right.

> > Date: Wed, 13 Feb 2008 09:12:49 -0500
> > From: network.monger@gmail.com
> > To: syslog-ng@lists.balabit.hu
> > Subject: Re: [syslog-ng] Problems with short messages
> >
> > I see what you are saying... I don't think the length of a packet either 1024 or 69 bytes in length is causing the problem. The problem is that the second frame (the 69 byte one) is not going to the appropriate file.

Yes, because it is a separate message, lacking syslog header information.

> > It is going to the default "catch all" file instead of the one it should be. If you look at the actual packet code... I believe the applications part of the header is missing on the 69 byte packet. Would this cause syslog-ng to dump the packet into the default catch all file as opposed to the one specified by IP?

Yes. If you want the complete line as a single message you need to send it in its own UDP packet or use TCP (in which case NL (ascii 10) terminates a message).

--
Bazsi
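
The framing behaviour discussed in this thread, as an added example that is not part of the original messages and is not syslog-ng code. The sample line, the peer address 192.0.2.10, the 1024-byte split point and the program-based routing rule are all constructed for illustration.

```python
import re

# BSD-syslog style line: <PRI>Mmm dd hh:mm:ss HOST PROGRAM[pid]: text
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[\d+\])?: ?"
    r"(?P<text>.*)$",
    re.S,
)

def parse_message(raw: bytes, peer_ip: str) -> dict:
    """Parse one already-framed message on its own, with no earlier context."""
    line = raw.decode("utf-8", "replace").rstrip("\n")
    m = HEADER.match(line)
    if m is None:
        # No syslog header: the application name is unknown and only the
        # sender's address is left to identify the message.
        return {"host": peer_ip, "program": None, "text": line}
    return {"host": m["host"], "program": m["program"], "text": m["text"]}

def route(msg: dict) -> str:
    """Hypothetical routing rule: per-program file, otherwise the catch-all."""
    return f"{msg['program']}.log" if msg["program"] else "catch-all.log"

def receive_udp(datagrams, peer_ip):
    # UDP: a datagram boundary is a message boundary; nothing is reassembled.
    return [route(parse_message(d, peer_ip)) for d in datagrams]

def receive_tcp(segments, peer_ip):
    # TCP: segment boundaries carry no meaning; NL (ASCII 10) ends a message.
    stream = b"".join(segments)
    return [route(parse_message(l, peer_ip)) for l in stream.split(b"\n") if l]

# Constructed sample: one 1051-byte line that a sender cuts at 1024 bytes.
HEAD = b"<134>Feb 10 08:03:00 fw01 myapp[123]: "
LINE = HEAD + b"x" * (1051 - len(HEAD))
CHUNKS = [LINE[:1024], LINE[1024:]]
PEER = "192.0.2.10"

if __name__ == "__main__":
    print("UDP, split by sender :", receive_udp(CHUNKS, PEER))
    print("UDP, single datagram :", receive_udp([LINE], PEER))
    print("TCP, same two chunks :", receive_tcp(CHUNKS + [b"\n"], PEER))
```
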
participants (3)
- Balazs Scheidler
- Guy Fleegman
- Joe Fegan