Hi,

I am using the Perl interface to syslog (called Sys::Syslog) under Solaris. A lot of people are complaining that it doesn't work, especially with the "stream" support, and I had to switch to udp().

My problem is that I am using template("$MSG\n") for logging, which seems to work for other udp sources, but produces a: "myPerlProgram: log message" instead of a simple "log message" in the logs.

It is the same value as in my openlog() ident option, and if I use an empty ident, I get: "root: log message" instead.

Can anyone give an example how not to insert such a prefix in my messages? I really would like to use the "stream" interface instead of udp() because Perl makes many assumptions on where and how I'd like to log.

Here's my Perl init:

use Sys::Syslog qw(:DEFAULT setlogsock);
setlogsock('inet');
openlog('', '', 'local7');

I feel desperate,
--
Loïc Minier <lool@dooz.org>
On Fri, 2004-03-05 at 13:36, Loic Minier wrote:
Hi,
I am using the Perl interface to syslog (called Sys::Syslog) under Solaris. A lot of people are complaining that it doesn't work, especially with the "stream" support, and I had to switch to udp().
My problem is that I am using template("$MSG\n") for logging, which seems to work for other udp sources, but produces a: "myPerlProgram: log message" instead of a simple "log message" in the logs.
It is the same value as in my openlog() ident option, and if I use an empty ident, I get: "root: log message" instead.
Can anyone give an example how not to insert such a prefix in my messages? I really would like to use the "stream" interface instead of udp() because Perl makes many assumptions on where and how I'd like to log.
Here's my Perl init: use Sys::Syslog qw(:DEFAULT setlogsock); setlogsock('inet'); openlog('', '', 'local7');
Perl seems to avoid the syslog() calls from libc and does everything on its own. While this is possible, it certainly has some portability problems.

The message is probably not properly formatted, at least syslog-ng does not like it for some reason. Check the raw byte-stream as it is sent by the Perl module, I might help to recognize the culprit.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
Balazs Scheidler <bazsi@balabit.hu> - Fri, Mar 05, 2004:
Check the raw byte-stream as it is sent by the Perl module, I might help to recognize the culprit.
I straced my standard syslogd on my Linux box and saw:

recv(0, "<78>fm/logparse: F001|1078750293"..., 1022, 0) = 87

on the unix socket /dev/log. You see "fm/logparse", my program's name, and "F001|1078...", the message.

I also captured some udp datagrams from the same Perl configured with 'udp' instead of unix, and got:

<78>fm/logparse: F001|10785074...

in the payload of the udp datagram.

Then I've setup my syslogd to do udp broadcasting, and used "logger -p cron.info -t mytag tagada", captured with ethereal, and got:

<78>mytag: tagada...

in the udp datagram. The strace for a -p local7.info showed:

recv(0, "<190>mar 8 14:02:44 mytag: taga"..., 1022, 0) = 34
sendto(18, "<190>mytag: tagada\n", 19, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.168.1.15")}, 16) = 19

I attach the whole udp payload of a perl generated udp datagram as "perl-udp.raw". I found no way to capture unix socket traffic, despite my attempts at using "socat", it seems it can't listen() to type 2 sockets (datagram under Linux). I also attach a syslogd generated datagram as "syslogd-udp.raw".

AFAICT, it seems the beginning of an udp packet encodes the facility and priority with:
- the '<' char;
- the hexadecimal digits of the bits for facility and level of the message in ascii;
- the '>' char.

The only way I found to distinguish Perl generated datagrams from syslogd generated datagrams is the trailing zero. Do you think it is the cause of my troubles? Where could I gather additional data?

Regards,
--
Loïc Minier <lool@dooz.org>
Loic Minier <lool+syslog@via.ecp.fr> - Mon, Mar 08, 2004:
The only way I found to distinguish Perl generated datagrams from syslogd generated datagrams is the trailing zero.
Since my own message crashed my MUA, I here paste a simple hexdump for the non-binary readers:

bee% xxd perl-udp.raw
0000000: 3c37 383e 666d 2f6c 6f67 7061 7273 653a  <78>fm/logparse:
0000010: 2046 3030 317c 3130 3738 3530 3734 3636   F001|1078507466
0000020: 3030 307c 3038 3035 3d32 3237 3532 7c30  000|0805=22752|0
0000030: 3830 363d 736d 7470 647c 3038 3134 3d62  806=smtpd|0814=b
0000040: 6565 7c30 3830 303d 3139 322e 3136 382e  ee|0800=192.168.
0000050: 312e 3837 7c0a 00                        1.87|..
bee% xxd syslogd-udp.raw
0000000: 3c37 383e 6d79 7461 673a 2074 6167 6164  <78>mytag: tagad
0000010: 610a                                     a.

It seems to me that regular traffic ends in "0a", and Perl datagrams in "0a 00" instead.

--
Loïc Minier <lool@dooz.org>
Loic Minier <lool+syslog@via.ecp.fr> - Mon, Mar 08, 2004:
It seems to me that regular traffic ends in "0a", and Perl datagrams in "0a 00" instead.
I searched for syslog udp messages standard, and could not find a definition of the line terminator. It seems to me that an UDP datagram can end in 0a, or in 0a 00, but that it is not required. Is there a way to handle such messages gracefully within syslog-ng? Regards, -- Loïc Minier <lool@dooz.org>
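Added example, not part of the original thread: a small Python receiver-side parser for the two datagrams hexdumped above, showing how the `<PRI>` prefix decodes (in BSD syslog, RFC 3164, it is the decimal value facility*8 + severity) and how a collector can tolerate both the "0a" and the "0a 00" terminators. The function and variable names are hypothetical, the payload bytes are rebuilt from the hexdumps, and only the "tag: message" layout seen in these datagrams is handled (no timestamp or hostname header).

```python
import re

# Payloads reconstructed from the xxd dumps quoted in the thread.
PERL_UDP = (b"<78>fm/logparse: F001|1078507466000|0805=22752|"
            b"0806=smtpd|0814=bee|0800=192.168.1.87|\n\x00")
SYSLOGD_UDP = b"<78>mytag: tagada\n"

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"<(\d{1,3})>")


def parse_datagram(data):
    """Split one BSD-syslog UDP payload into PRI, tag, message and trailer."""
    m = PRI_RE.match(data)
    if m is None:
        raise ValueError("no <PRI> prefix")
    pri = int(m.group(1))          # decimal digits, not hexadecimal
    if pri > 191:                  # 23*8 + 7 is the largest valid value
        raise ValueError("PRI out of range: %d" % pri)
    body = data[m.end():]
    # Accept "\n", "\n\0", "\0" or no terminator at all, and report which one
    # was seen so the sender can be fingerprinted (the Perl module adds NUL).
    stripped = body.rstrip(b"\x00\r\n")
    trailer = body[len(stripped):]
    tag, sep, msg = stripped.partition(b": ")
    if not sep or b" " in tag:     # no "tag: " prefix recognised
        tag, msg = b"", stripped
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "tag": tag.decode("ascii", "replace"),
        "msg": msg.decode("ascii", "replace"),
        "trailer": trailer,
    }


if __name__ == "__main__":
    for name, payload in (("perl", PERL_UDP), ("syslogd", SYSLOGD_UDP)):
        print(name, len(payload), parse_datagram(payload))
```

Run against both payloads, the only difference the parser reports besides tag and message is the trailer, which matches the observation in the thread.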