On Fri, 2010-11-12 at 12:21 +0100, Andreas Maechler wrote:

Hi all

Running syslog-ng 3.2beta1 on FreeBSD, I'm trying to use the 'syslog-protocol' flag in a unix-dgram source:

source s_local { unix-dgram("/var/run/log" flags(syslog-protocol)); unix-dgram("/var/run/logpriv" perm(0600)); file("/dev/klog" follow-freq(0) program-override("kernel") flags(no-parse));

internal(); };

That option seems to be ignored though. If I force the option by setting it manually in afsocket_sd_init_instance(), afsocket.c, all works well and incoming messages get parsed according to IETF.

Am I missing something or is this a bug?

It may be a bug, but it also depends on the format you are sending to that unix domain socket. There are two things that make up the new-style IETF logging format: 1) the transport (e.g. framing format) 2) the message format flags(syslog-protocol) specifies the message format, e.g. once a log record is received by unix-dgram() the new style syslog message is parsed and accepted (starting with 3.2 it also accepts both new & old style) the transport format currently cannot be set for unix domain sockets, I'd call this an omission (or a bug, depending on the context). This means that unix-dgram will be packet terminated, unix-stream would be NL terminated (just like with regular, old-style messages). This means that unix-dgram(flags(syslog-protocol)) would accept both the new/old syslog message format without any kind of framing. I've just tested it on my development environment, and it seems to work fine. -- Bazsi