Syslog UDP extra packet?
Hello Syslog Experts,

I have a question on syslog-ng. I use syslog-ng 3.0.2. I tried to set up syslog-ng to forward syslog messages to another host. I tested 2 destination drivers, udp() and syslog(), as per below.

test 1: udp("10.x.x.x" port(514))
test 2: syslog("10.x.x.x" transport("udp") port(514));

I found that with the udp() driver, syslog-ng just forwards the incoming log messages to the external host. No problem. However, with the syslog() driver, I found that syslog-ng generates 2 udp packets:

packet1... contains only 4 bytes in payload, I think this is message length??
packet2... is the actual syslog udp packet.

Is it possible to disable the first packet? This just creates overhead unnecessarily? Please advise. Thanks.

Cheers,
On Thu, 2009-12-10 at 13:28 +1100, Syslog Beginner wrote:
> Hello Syslog Experts,
>
> I have a question on syslog-ng. I use syslog-ng 3.0.2. I tried to set up syslog-ng to forward syslog messages to another host. I tested 2 destination drivers, udp() and syslog(), as per below.
>
> test 1: udp("10.x.x.x" port(514))
> test 2: syslog("10.x.x.x" transport("udp") port(514));
>
> I found that with the udp() driver, syslog-ng just forwards the incoming log messages to the external host. No problem. However, with the syslog() driver, I found that syslog-ng generates 2 udp packets:
>
> packet1... contains only 4 bytes in payload, I think this is message length??
> packet2... is the actual syslog udp packet.
>
> Is it possible to disable the first packet? This just creates overhead unnecessarily? Please advise. Thanks.
This was a bug in the RFC5424 driver when using the UDP transport, it sent a separate frame length packet which is only needed for TCP. This was fixed in 3.0.5 with this patch:

Author: Tevesz Andras <ghost@balabit.hu> 2009-11-05 15:34:54
Committer: Balazs Scheidler <bazsi@balabit.hu> 2009-11-26 20:45:46
Parent: d25ad4f5373a6a4bf2f1f5ed37147a10412fe30d ([test_sql]: properly checks the existence of sqlite3 and libdbd-sqlite3.)
Child: 1d7aafd4ebfc7c18ed4402148febb44b274e9ab9 (Fixed a possible race in file driver preemption, where wildcard driver couldn't change)
Branches: master, remotes/balabit/master, remotes/origin/master
Follows: v3.0.4
Precedes: v3.0.5

    [afsocket] fixed syslog over udp and framing issue (fixes: #19639)

    syslog-ng used framing in dgram transports

--
Bazsi
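The framing difference described in the reply above, as an added example that is not part of the thread or of syslog-ng's own code: a stream transport needs a length prefix to mark message boundaries, a datagram transport does not, and a receiver-side check can flag datagrams that carry only a length. The function names and the sample message are constructed, and the sketch assumes the length is sent in the textual "MSG-LEN SP" octet-counting form.

```python
import re

# RFC 5424 messages start with "<PRI>VERSION "; PRI is 0..191, version is 1.
SYSLOG_HDR = re.compile(rb"^<(\d{1,3})>1 ")
# Octet-counting frame header on its own: decimal length followed by a space.
FRAME_ONLY = re.compile(rb"^[1-9]\d* $")


def frame_for_tcp(msg: bytes) -> bytes:
    """Stream transport: prefix the message with its length so the
    receiver can find message boundaries in the byte stream."""
    return str(len(msg)).encode() + b" " + msg


def frame_for_udp(msg: bytes) -> list[bytes]:
    """Datagram transport: one message per datagram, no length prefix."""
    return [msg]


def classify_datagram(payload: bytes) -> str:
    """Label one UDP payload as seen by the receiver."""
    m = SYSLOG_HDR.match(payload)
    if m and int(m.group(1)) <= 191:
        return "syslog"
    if FRAME_ONLY.match(payload):
        return "stray-frame-length"
    return "unknown"


def stray_frames(payloads: list[bytes]) -> list[int]:
    """Indexes of datagrams that carry only a frame length."""
    return [i for i, p in enumerate(payloads)
            if classify_datagram(p) == "stray-frame-length"]


# Constructed sample message (not taken from the thread).
MSG = b"<34>1 2009-12-10T13:28:00+11:00 host1 app 123 ID47 - test message"
# Constructed capture of the behaviour described in the thread, assuming
# the extra datagram holds a textual length plus a space.
BUGGY_CAPTURE = [str(len(MSG)).encode() + b" ", MSG]
FIXED_CAPTURE = frame_for_udp(MSG)

if __name__ == "__main__":
    for name, cap in (("buggy", BUGGY_CAPTURE), ("fixed", FIXED_CAPTURE)):
        print(name, [classify_datagram(p) for p in cap], stray_frames(cap))
```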
participants (2)
- Balazs Scheidler
- Syslog Beginner