Linefeed in incoming messages
We have a piece of network equipment which appears to be logging in a not entirely friendly fashion (to be politically correct), in that it is including a linefeed (0x0a ASCII hex) in log messages for formatting purposes. Unfortunately, from what I can tell syslog-ng 1.4.11 is getting confused with the linefeed, so the log message up to the linefeed is getting logged correctly but the part after the linefeed is being prepended to the next incoming message. Therefore the filter for this unit is applied to the first part, resulting in it being written to its file, but the filter for the next message is applied to the remainder (the next message plus the prepended remainder from the previous).

(Yes, I know it's confusing, I've just spent a while tracking it down. I can provide additional detail if needed...)

My question is, is there somewhere in the syslog-ng code where I can easily parse the incoming syslog message and replace linefeeds with something benign, such as spaces or tabs? Or is there another solution that would be better?

In the meantime we're opening a bug with the vendor since I consider this their issue, but knowing vendors I'm not confident in their addressing the problem quickly.

Thanks for any help... And thanks for syslog-ng!

--
Michael Garvin
mailto:mgarvin@carolinabroadband.com
My question is, is there somewhere in the syslog-ng code where I can easily parse the incoming syslog message and replace linefeeds with something benign, such as spaces or tabs? Or is there another solution that would be better? In the meantime we're opening a bug with the vendor since I consider this their issue, but knowing vendors I'm not confident in their addressing the problem quickly.
Linefeeds take an important role in syslog messages, they terminate them. So syslog-ng takes its input packet, splits it by linefeeds and splits each of these parts as separate messages. As you see it would be difficult to skip processing linefeed characters because it would break other syslog clients.

You may try looking around the function do_read_line() in sources.c and change it the way that fits you, or wait for your vendor to fix the problem.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On 0, Balazs Scheidler <bazsi@balabit.hu> inscribed onto the electric medium...
My question is, is there somewhere in the syslog-ng code where I can easily parse the incoming syslog message and replace linefeeds with something benign, such as spaces or tabs? Or is there another solution that would be better? In the meantime we're opening a bug with the vendor since I consider this their issue, but knowing vendors I'm not confident in their addressing the problem quickly.
Vendor == cisco, perhaps?
linefeeds take an important role in syslog messages, they terminate them. So
I disagree. I just had to track this one down myself; the cisco vpn concentrator is logging stuff with embedded newlines. The RH linux box was logging the whole messages, but the Irix box wasn't.

Hence clearly the linefeed doesn't have any true bearing on the length of the syslog message; it should be determined by the length of the incoming message. Any imbedded newlines should be ignored; translated to spaces (as the linux syslog does) or ^M (as the [patched] irix syslog does.)

"Be gracious in what you accept, and conservative in what you send." (paraphrased sendmail quotation.)

There's no RFC on syslog messages, is there? The Irix syslogd traces its route all the way back to BSD 4.2, and the check that terminated parsing when it hit a newline had been in there from the beginning.

--Chan

--
Information Services requires Information to Serve. // Chan Wilson
cwilson@sgi.com // Enterprise Network Services +1-650-933-9515
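Added example, not part of the thread and not syslog-ng's own code (it is not the `do_read_line()` logic): the two framings argued over above, applied to one constructed datagram. The function names and the sample message are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if the message starts with a "<digits>" priority header. */
int has_pri(const char *m)
{
    size_t i = 1;
    if (m[0] != '<') return 0;
    while (m[i] >= '0' && m[i] <= '9') i++;
    return i > 1 && m[i] == '>';
}

/* Framing 1: every LF ends a message. buf must be NUL-terminated at
 * buf[len]; it is cut in place. Returns the number of messages. */
size_t split_on_lf(char *buf, size_t len, char **out, size_t max)
{
    size_t n = 0, start = 0;
    for (size_t i = 0; i <= len && n < max; i++) {
        if (i == len || buf[i] == '\n') {
            if (i > start) out[n++] = buf + start; /* skip empty parts */
            if (i < len) buf[i] = '\0';
            start = i + 1;
        }
    }
    return n;
}

/* Framing 2: the datagram length is the message boundary. Trailing LFs
 * are dropped, embedded LFs become spaces. Returns the new length. */
size_t frame_by_datagram(char *buf, size_t len)
{
    while (len > 0 && buf[len - 1] == '\n') len--;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\n') buf[i] = ' ';
    buf[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed sample datagram, not taken from a real device. */
    char a[] = "<134>vpn: Login failed\n user=alice\n";
    char b[sizeof a], *part[4];
    memcpy(b, a, sizeof a);
    size_t n = split_on_lf(a, strlen(a), part, 4);
    for (size_t i = 0; i < n; i++)
        printf("LF framing [%zu] pri=%d \"%s\"\n", i, has_pri(part[i]), part[i]);
    frame_by_datagram(b, strlen(b));
    printf("datagram framing pri=%d \"%s\"\n", has_pri(b), b);
    return 0;
}
```

With LF framing the second fragment carries no priority header of its own, so any per-source filter sees it as a separate, headerless message; with datagram framing the header stays attached to the whole text.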