Hi, I'm using syslog-ng 1.5.15 and sometimes (probably during message burst), messages lost their facility/level and are logged with user/notice. Message format becomes: Mar 29 11:35:50 w3search3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:427 <130>Mar 29 11:35:50 w3search[19816]: read Context failed on socket=3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:434 instead of: Mar 29 11:32:07 w3search3 w3search[19817]: read Context failed on socket=3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:434 General log_fifo_size is set to 1000 and is set to 10000 for appropriate filter of this message: destination d_applicatif { file("/ke/logs/ke.log" owner(test) group(test) log_fifo_size(10000) ); }; filter f_applicatif { facility(local0); }; log { source(s_sys); filter(f_applicatif); destination(d_applicatif); destination(d_loghost_applicatif); flags(final); }; Any Idea ? -- Jerome Peducasse
On Tue, Apr 02, 2002 at 11:32:54AM +0100, Jerome Peducasse wrote:
Hi,
I'm using syslog-ng 1.5.15 and sometimes (probably during message burst), messages lost their facility/level and are logged with user/notice. Message format becomes: Mar 29 11:35:50 w3search3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:427 <130>Mar 29 11:35:50 w3search[19816]: read Context failed on socket=3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:434
instead of:
Mar 29 11:32:07 w3search3 w3search[19817]: read Context failed on socket=3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:434
General log_fifo_size is set to 1000 and is set to 10000 for appropriate filter of this message:
destination d_applicatif { file("/ke/logs/ke.log" owner(test) group(test) log_fifo_size(10000) ); }; filter f_applicatif { facility(local0); }; log { source(s_sys); filter(f_applicatif); destination(d_applicatif); destination(d_loghost_applicatif); flags(final); };
maybe the end of line is lost somehow. are your logs terminated with a single '\n' or a '\r\n' pair? Looking into the code, this might be the cause of the problem, and if it is the following patch fixes it. Can you please test this? Index: sources.c =================================================================== RCS file: /var/cvs/syslog-ng/src/sources.c,v retrieving revision 1.31 diff -u -r1.31 sources.c --- sources.c 2002/03/19 09:26:16 1.31 +++ sources.c 2002/04/02 09:59:32 @@ -123,7 +123,7 @@ if (length) do_handle_line(closure, length, start, salen ? (abstract_addr *) &sabuf : NULL , salen); - start = end + 1; + start = eol + 1; eol = memchr(start, '\0', &closure->buffer[closure->pos] - start); if (eol == NULL) -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Tue, Apr 02, 2002 at 12:06:48PM +0200, Balazs Scheidler wrote:
On Tue, Apr 02, 2002 at 11:32:54AM +0100, Jerome Peducasse wrote:
Hi,
I'm using syslog-ng 1.5.15 and sometimes (probably during message burst), messages lost their facility/level and are logged with user/notice. Message format becomes: Mar 29 11:35:50 w3search3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:427 <130>Mar 29 11:35:50 w3search[19816]: read Context failed on socket=3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:434
instead of:
Mar 29 11:32:07 w3search3 w3search[19817]: read Context failed on socket=3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:434
General log_fifo_size is set to 1000 and is set to 10000 for appropriate filter of this message:
destination d_applicatif { file("/ke/logs/ke.log" owner(test) group(test) log_fifo_size(10000) ); }; filter f_applicatif { facility(local0); }; log { source(s_sys); filter(f_applicatif); destination(d_applicatif); destination(d_loghost_applicatif); flags(final); };
maybe the end of line is lost somehow. are your logs terminated with a single '\n' or a '\r\n' pair?
This is code of MACRO: #include <syslog.h> /* usage : KELOG_RELEASE(( priority, "%m while calling read()" WHERE, HERE)); */ #define KELOG_RELEASE(fmt) syslog fmt
Looking into the code, this might be the cause of the problem, and if it is the following patch fixes it. Can you please test this?
In 1.5.15, version of sources.c is 1.30 (2002-02-28). The patch will be apply on version 1.31 (2002-03-19). How can I get version 1.31 ? CVS ? Thx.
Index: sources.c =================================================================== RCS file: /var/cvs/syslog-ng/src/sources.c,v retrieving revision 1.31 diff -u -r1.31 sources.c --- sources.c 2002/03/19 09:26:16 1.31 +++ sources.c 2002/04/02 09:59:32 @@ -123,7 +123,7 @@ if (length) do_handle_line(closure, length, start, salen ? (abstract_addr *) &sabuf : NULL , salen);
- start = end + 1; + start = eol + 1;
eol = memchr(start, '\0', &closure->buffer[closure->pos] - start); if (eol == NULL)
-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng
-- Jerome Peducasse Wanadoo Portails - Sophia Antipolis
On Tue, Apr 02, 2002 at 04:22:08PM +0100, Jerome Peducasse wrote:
On Tue, Apr 02, 2002 at 12:06:48PM +0200, Balazs Scheidler wrote:
On Tue, Apr 02, 2002 at 11:32:54AM +0100, Jerome Peducasse wrote:
maybe the end of line is lost somehow. are your logs terminated with a single '\n' or a '\r\n' pair?
This is code of MACRO:
#include <syslog.h>
/* usage : KELOG_RELEASE(( priority, "%m while calling read()" WHERE, HERE)); */ #define KELOG_RELEASE(fmt) syslog fmt
And what OS does this code run on? Linux sends a single \n but other Unices might send complete \r\n pairs.
Looking into the code, this might be the cause of the problem, and if it is the following patch fixes it. Can you please test this?
In 1.5.15, version of sources.c is 1.30 (2002-02-28). The patch will be apply on version 1.31 (2002-03-19).
How can I get version 1.31 ? CVS ?
CVS is not public, sorry. The patch should apply to an 1.30 version as well. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Tue, Apr 02, 2002 at 04:45:25PM +0200, Balazs Scheidler wrote:
On Tue, Apr 02, 2002 at 04:22:08PM +0100, Jerome Peducasse wrote:
On Tue, Apr 02, 2002 at 12:06:48PM +0200, Balazs Scheidler wrote:
On Tue, Apr 02, 2002 at 11:32:54AM +0100, Jerome Peducasse wrote:
maybe the end of line is lost somehow. are your logs terminated with a single '\n' or a '\r\n' pair?
This is code of MACRO:
#include <syslog.h>
/* usage : KELOG_RELEASE(( priority, "%m while calling read()" WHERE, HERE)); */ #define KELOG_RELEASE(fmt) syslog fmt
And what OS does this code run on? Linux sends a single \n but other Unices might send complete \r\n pairs.
On Linux.
Looking into the code, this might be the cause of the problem, and if it is the following patch fixes it. Can you please test this?
In 1.5.15, version of sources.c is 1.30 (2002-02-28). The patch will be apply on version 1.31 (2002-03-19).
How can I get version 1.31 ? CVS ?
CVS is not public, sorry. The patch should apply to an 1.30 version as well.
I apply this patch and I inform you as soon as the next message burst occurs. Thank you. -- Jerome Peducasse
On Tue, Apr 02, 2002 at 05:50:23PM +0100, Jerome Peducasse wrote:
Looking into the code, this might be the cause of the problem, and if it is the following patch fixes it. Can you please test this? In 1.5.15, version of sources.c is 1.30 (2002-02-28). The patch will be apply on version 1.31 (2002-03-19).
How can I get version 1.31 ? CVS ?
CVS is not public, sorry. The patch should apply to an 1.30 version as well. I apply this patch and I inform you as soon as the next message burst occurs.
I had an amazing compilation error when I apply your patch because sources.c.x is older than sources.c. make[2]: Entering directory `/usr/local/syslog-ng/src/syslog-ng-1.5.15/src' /usr/local/syslog-ng/src/libol-0.3.1/utils/make_class <sources.c >sources.c.xT /bin/sh: /usr/local/syslog-ng/src/libol-0.3.1/utils/make_class: No such file or directory make[2]: *** [sources.c.x] Error 126 make[2]: Leaving directory `/usr/local/syslog-ng/src/syslog-ng-1.5.15/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/usr/local/syslog-ng/src/syslog-ng-1.5.15/src' make: *** [all-recursive-am] Error 2 With "touch sources.c.x" after apply patch, compilation is good. I'm running syslog-ng on 80 servers and 1 loghost and since I've applied your patch, I don't actually report log problem. Thank you very much. -- Jerome Peducasse
Hi, I have applied your patch since one week and I already report some errors such as: Apr 11 14:49:32 w3search3/w3search3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:427 <130>Apr 11 14:49:32 frontatlas[9192]: read Context failed on socket=6 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:434 Both embedded messages come with facility user instead of local0 (on localhost and on loghost). Any idea? On Tue, Apr 02, 2002 at 12:06:48PM +0200, Balazs Scheidler wrote:
On Tue, Apr 02, 2002 at 11:32:54AM +0100, Jerome Peducasse wrote:
Hi,
I'm using syslog-ng 1.5.15 and sometimes (probably during message burst), messages lost their facility/level and are logged with user/notice. Message format becomes: Mar 29 11:35:50 w3search3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:427 <130>Mar 29 11:35:50 w3search[19816]: read Context failed on socket=3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:434
instead of:
Mar 29 11:32:07 w3search3 w3search[19817]: read Context failed on socket=3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:434
General log_fifo_size is set to 1000 and is set to 10000 for appropriate filter of this message:
destination d_applicatif { file("/ke/logs/ke.log" owner(test) group(test) log_fifo_size(10000) ); }; filter f_applicatif { facility(local0); }; log { source(s_sys); filter(f_applicatif); destination(d_applicatif); destination(d_loghost_applicatif); flags(final); };
maybe the end of line is lost somehow. are your logs terminated with a single '\n' or a '\r\n' pair?
Looking into the code, this might be the cause of the problem, and if it is the following patch fixes it. Can you please test this?
Index: sources.c =================================================================== RCS file: /var/cvs/syslog-ng/src/sources.c,v retrieving revision 1.31 diff -u -r1.31 sources.c --- sources.c 2002/03/19 09:26:16 1.31 +++ sources.c 2002/04/02 09:59:32 @@ -123,7 +123,7 @@ if (length) do_handle_line(closure, length, start, salen ? (abstract_addr *) &sabuf : NULL , salen);
- start = end + 1; + start = eol + 1;
eol = memchr(start, '\0', &closure->buffer[closure->pos] - start); if (eol == NULL)
-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng
-- Jerome Peducasse
On Thu, Apr 11, 2002 at 04:31:03PM +0100, Jerome Peducasse wrote:
Hi,
I have applied your patch since one week and I already report some errors such as: Apr 11 14:49:32 w3search3/w3search3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:427 <130>Apr 11 14:49:32 frontatlas[9192]: read Context failed on socket=6 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:434
Both embedded messages come with facility user instead of local0 (on localhost and on loghost).
can you strace syslog-ng (with -s <high number> specified) or tcpdump the syslog traffic to see whether syslog-ng or your device is at fault? -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Thu, Apr 11, 2002 at 04:39:44PM +0200, Balazs Scheidler wrote:
On Thu, Apr 11, 2002 at 04:31:03PM +0100, Jerome Peducasse wrote:
Hi,
I have applied your patch since one week and I already report some errors such as: Apr 11 14:49:32 w3search3/w3search3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:427 <130>Apr 11 14:49:32 frontatlas[9192]: read Context failed on socket=6 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:434
Both embedded messages come with facility user instead of local0 (on localhost and on loghost).
can you strace syslog-ng (with -s <high number> specified) or tcpdump the syslog traffic to see whether syslog-ng or your device is at fault? I don't think it's a device fault because I have 2 destinations (local and loghost) and error appears on both. I launch strace on some computer and I wait ...
Thanks. -- Jerome Peducasse
It seems, it occurs errors with long messages. With this code: KELOG_RELEASE(( LOG_ERR, \ "not enougth space to make result ouput! \n varlen=%d len=%d max_len=%d \n result is '%s'\n" WHERE, \ varlen, len, max_len, result, \ HERE )); messages come in user.notice instead of local0.err: Apr 16 11:18:43 w3search1.search.fr.ke.echo [user.notice] varlen=19 varlen=19 len=2048 max_len=2048 Apr 16 11:18:43 w3search1.search.fr.ke.echo [user.notice] result result is \'<SP TYPE=\'L\'> / 406 / Safrane / BMW série 5 145 </SP><SP TYPE=\'W\'>x</SP><SP TYPE=\'L\'> 80 </SP><SP TYPE=\'W\'>x</SP><SP TYPE=\'L\'> 13 145 </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> 13 155 </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>70</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> 13 </SP><SP TYPE=\'W\'>165</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>70</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> 13 175 </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>70</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> 13 185 </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>70</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> 13 </SP><SP TYPE=\'W\'>165</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>70</SP><SP TYPE=\'L\'> ! </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>14<131>Apr 16 11:18:43 w3search[2495]: not enougth space to make result ouput! Apr 16 11:18:43 w3search1.search.fr.ke.echo [user.notice] varlen=6 varlen=6 len=2048 max_len=2048 Apr 16 11:18:43 w3search1.search.fr.ke.echo [user.notice] <131>Apr 16 11:18:43 w3search[2495]: SmartPreview failed for ip=159884415 in enum echo::keret echo::ThalieClient::getDoc(uint32 &, echo::ThalieDocument *, const echo::Query &, const echo::Answer *, const char (*)[255]):ThalieClient.cc:642 Attached file contains result output of strace. Thanks On Thu, Apr 11, 2002 at 05:56:57PM +0100, Jerome Peducasse wrote:
On Thu, Apr 11, 2002 at 04:39:44PM +0200, Balazs Scheidler wrote:
On Thu, Apr 11, 2002 at 04:31:03PM +0100, Jerome Peducasse wrote:
Hi,
I have applied your patch since one week and I already report some errors such as: Apr 11 14:49:32 w3search3/w3search3 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:427 <130>Apr 11 14:49:32 frontatlas[9192]: read Context failed on socket=6 in void echo::AtlasClient::onRead(void *):AtlasClient.cc:434
Both embedded messages come with facility user instead of local0 (on localhost and on loghost).
can you strace syslog-ng (with -s <high number> specified) or tcpdump the syslog traffic to see whether syslog-ng or your device is at fault? I don't think it's a device fault because I have 2 destinations (local and loghost) and error appears on both. I launch strace on some computer and I wait ...
Thanks.
-- Jerome Peducasse
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng
-- Jerome Peducasse Wanadoo Portails - Sophia Antipolis
On Tue, Apr 16, 2002 at 12:50:31PM +0200, Jerome Peducasse wrote:
It seems, it occurs errors with long messages. With this code: KELOG_RELEASE(( LOG_ERR, \ "not enougth space to make result ouput! \n varlen=%d len=%d max_len=%d \n result is '%s'\n" WHERE, \ varlen, len, max_len, result, \ HERE )); messages come in user.notice instead of local0.err:
Apr 16 11:18:43 w3search1.search.fr.ke.echo [user.notice] varlen=19 varlen=19 len=2048 max_len=2048 Apr 16 11:18:43 w3search1.search.fr.ke.echo [user.notice] result result is \'<SP TYPE=\'L\'> / 406 / Safrane / BMW série 5 145 </SP><SP TYPE=\'W\'>x</SP><SP TYPE=\'L\'> 80 </SP><SP TYPE=\'W\'>x</SP><SP TYPE=\'L\'> 13 145 </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> 13 155 </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>70</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> 13 </SP><SP TYPE=\'W\'>165</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>70</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> 13 175 </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>70</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> 13 185 </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>70</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> 13 </SP><SP TYPE=\'W\'>165</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>70</SP><SP TYPE=\'L\'!
! </SP><SP TYPE=\'W\'>X</SP><SP TYPE=\'L\'> </SP><SP TYPE=\'W\'>14<131>Apr 16 11:18:43 w3search[2495]: not enougth space to make result ouput! Apr 16 11:18:43 w3search1.search.fr.ke.echo [user.notice] varlen=6 varlen=6 len=2048 max_len=2048 Apr 16 11:18:43 w3search1.search.fr.ke.echo [user.notice] <131>Apr 16 11:18:43 w3search[2495]: SmartPreview failed for ip=159884415 in enum echo::keret echo::ThalieClient::getDoc(uint32 &, echo::ThalieDocument *, const echo::Query &, const echo::Answer *, const char (*)[255]):ThalieClient.cc:642
I see, syslog-ng supports maximum 1024 long messages. You can raise this limit, by increasing a constant in syslog-ng.h and recompile. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Tue, Apr 16, 2002 at 01:47:39PM +0200, Balazs Scheidler wrote:
I see, syslog-ng supports maximum 1024 long messages. You can raise this limit, by increasing a constant in syslog-ng.h and recompile.
OK, thanks. In 1.5.15, MAX_LOG_LINE is set to 2048, but seems never used (contrary to 1.5.16) What is difference beetween MAX_LOG_LINE and LONG_STRING ? -- Jerome Peducasse
On Tue, Apr 16, 2002 at 02:41:33PM +0200, Jerome Peducasse wrote:
On Tue, Apr 16, 2002 at 01:47:39PM +0200, Balazs Scheidler wrote:
I see, syslog-ng supports maximum 1024 long messages. You can raise this limit, by increasing a constant in syslog-ng.h and recompile.
OK, thanks.
In 1.5.15, MAX_LOG_LINE is set to 2048, but seems never used (contrary to 1.5.16)
What is difference beetween MAX_LOG_LINE and LONG_STRING ?
yes, I changed this in r1.30 of sources.c, which is included in 1.5.16. (earlier the constant MAX_LINE was used from libol) -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Tue, Apr 16, 2002 at 01:47:39PM +0200, Balazs Scheidler wrote:
I see, syslog-ng supports maximum 1024 long messages. You can raise this limit, by increasing a constant in syslog-ng.h and recompile.
-- Bazsi
I find another case which create error: a log message is concatenate with second part of previous message. Apr 17 09:59:13 crawler2.crawl.fr.ke.echo [user.notice] root@crawler2.crawl.fr.ke.echo root@crawler2.crawl.fr.ke.echo:/usr/local/src/bind-8.2.2-P7/src/bin/named<28>Apr 17 09:59:13 named[1029]: limit files set to fdlimit (8192) Attached file contains output of strace. Thanks. -- Jerome Peducasse
On Wed, Apr 17, 2002 at 10:34:14AM +0200, Jerome Peducasse wrote:
On Tue, Apr 16, 2002 at 01:47:39PM +0200, Balazs Scheidler wrote:
I see, syslog-ng supports maximum 1024 long messages. You can raise this limit, by increasing a constant in syslog-ng.h and recompile.
-- Bazsi
I find another case which create error: a log message is concatenate with second part of previous message.
Apr 17 09:59:13 crawler2.crawl.fr.ke.echo [user.notice] root@crawler2.crawl.fr.ke.echo root@crawler2.crawl.fr.ke.echo:/usr/local/src/bind-8.2.2-P7/src/bin/named<28>Apr 17 09:59:13 named[1029]: limit files set to fdlimit (8192)
there's a newline in the log message, which terminates a message.
read(3, "<29>Apr 17 09:59:13 named[1029]: starting. named 8.2.2-P7 Wed Jul 11 10:49:47 CEST 2001\n\troot@crawler2.crawl.fr.ke.echo:/usr/local/src/bind-8.2.2-P7/src/bin/named", 2048) = 163 ^^^^^ -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Wed, Apr 17, 2002 at 10:52:50AM +0200, Balazs Scheidler wrote:
I find another case which create error: a log message is concatenate with second part of previous message.
Apr 17 09:59:13 crawler2.crawl.fr.ke.echo [user.notice] root@crawler2.crawl.fr.ke.echo root@crawler2.crawl.fr.ke.echo:/usr/local/src/bind-8.2.2-P7/src/bin/named<28>Apr 17 09:59:13 named[1029]: limit files set to fdlimit (8192)
there's a newline in the log message, which terminates a message.
read(3, "<29>Apr 17 09:59:13 named[1029]: starting. named 8.2.2-P7 Wed Jul 11 10:49:47 CEST 2001\n\troot@crawler2.crawl.fr.ke.echo:/usr/local/src/bind-8.2.2-P7/src/bin/named", 2048) = 163 ^^^^^ -- Bazsi
Isn't possible to use '\n' inside log message with syslog-ng without second part is logged with default facility/level (i.e user.notice) ? Thanks. -- Jerome Peducasse
participants (2)
-
Balazs Scheidler
-
Jerome Peducasse