Hello all! Can someone look at this bugreport: http://bugs.python.org/issue6444 In short, when multiline log messages sent via /dev/log socket they are splitted into multiple log entries. Only first entry will have proper timestamp and facility. This behavior differs from sysklogd and metalog, where multiple lines are concatenated. Even syslog-ng itself concatenates them when used via udp socket. Tested on syslog-ng-2.1.3. Thanks.
On Fri, 2009-08-21 at 19:29 +0800, Max Arnold wrote:
Hello all!
Can someone look at this bugreport: http://bugs.python.org/issue6444 In short, when multiline log messages sent via /dev/log socket they are splitted into multiple log entries. Only first entry will have proper timestamp and facility.
This behavior differs from sysklogd and metalog, where multiple lines are concatenated. Even syslog-ng itself concatenates them when used via udp socket.
Tested on syslog-ng-2.1.3.
I guess this depends on whether you are using unix-stream() or unix-dgram(). The first concatenates it, the 2nd doesn't. Simply because unix-dgram knows about the size of the datagrams whereas unix-stream doesn't. -- Bazsi
On Wed, Sep 02, 2009 at 10:55:49AM +0000, Balazs Scheidler wrote:
Can someone look at this bugreport: http://bugs.python.org/issue6444 In short, when multiline log messages sent via /dev/log socket they are splitted into multiple log entries. Only first entry will have proper timestamp and facility.
This behavior differs from sysklogd and metalog, where multiple lines are concatenated. Even syslog-ng itself concatenates them when used via udp socket.
I guess this depends on whether you are using unix-stream() or unix-dgram().
The first concatenates it, the 2nd doesn't. Simply because unix-dgram knows about the size of the datagrams whereas unix-stream doesn't.
Thank you for reply! Is it safe to use unix-dgram as a replacement (on Linux)? I've googled several mailing list messages about lesser reliability of datagram oriented sockets. Are these concerns still valid?
On Wed, 2009-09-02 at 20:47 +0800, Max Arnold wrote:
On Wed, Sep 02, 2009 at 10:55:49AM +0000, Balazs Scheidler wrote:
Can someone look at this bugreport: http://bugs.python.org/issue6444 In short, when multiline log messages sent via /dev/log socket they are splitted into multiple log entries. Only first entry will have proper timestamp and facility.
This behavior differs from sysklogd and metalog, where multiple lines are concatenated. Even syslog-ng itself concatenates them when used via udp socket.
I guess this depends on whether you are using unix-stream() or unix-dgram().
The first concatenates it, the 2nd doesn't. Simply because unix-dgram knows about the size of the datagrams whereas unix-stream doesn't.
Thank you for reply!
Is it safe to use unix-dgram as a replacement (on Linux)? I've googled several mailing list messages about lesser reliability of datagram oriented sockets. Are these concerns still valid?
Well, SOCK_DGRAM sockets in the IP protocols are not reliable (that is they are implemented using UDP), however my latest findings about the same in the UNIX socket domain is that they are indeed flow controlled and thus no packet drops occur (the sender will block if the queue is full). All syslog daemons where this option is non-configurable uses unix-dgram(), thus I guess it is not worse to use the same in syslog-ng. (this was not the case a couple of years ago) One thing is sure, unix-dgram uses less resources and as you state can handle multiple lines per message. Since there's a lot of confusion in the area (and I might be partly responsible for that), I'd recommend you to test this yourself (for example using the 'loggen' utility bundled with syslog-ng) and see whether any drops occur. And once you did that, it'd be a great service to the community to publish your results backed with facts, this way the confusion could lesten. -- Bazsi
participants (2)
-
Balazs Scheidler
-
Max Arnold