message loss using multi-line-mode
I raised issue on an existing bug on the github tracker, but it seems to have gone unnoticed, so I'm repeating it here to try and get some attention on the issue. Using multi-line-mode without the multi-line-suffix option WILL result in message loss. When syslog-ng is running in multi-line-mode, it buffers multi-line messages until it sees the start of a new message. When it sees the start of a new message, it flushes the buffered message, and puts the first line of the new message in the buffer. However if syslog-ng shuts down, or receives a SIGHUP (reload), any lines currently buffered are discarded. Given that syslog-ng can't stay running forever, and it will get shut down or SIGHUPd eventually, using this feature will result in messages getting lost. The message on the github issue where I brought this up is: https://github.com/balabit/syslog-ng/issues/140#issuecomment-197673887 -Patrick
Anybody? Should I open a new issue? -Patrick On 2016/3/28 12:01, Patrick Hemmer wrote:
I raised issue on an existing bug on the github tracker, but it seems to have gone unnoticed, so I'm repeating it here to try and get some attention on the issue.
Using multi-line-mode without the multi-line-suffix option WILL result in message loss. When syslog-ng is running in multi-line-mode, it buffers multi-line messages until it sees the start of a new message. When it sees the start of a new message, it flushes the buffered message, and puts the first line of the new message in the buffer. However if syslog-ng shuts down, or receives a SIGHUP (reload), any lines currently buffered are discarded. Given that syslog-ng can't stay running forever, and it will get shut down or SIGHUPd eventually, using this feature will result in messages getting lost.
The message on the github issue where I brought this up is: https://github.com/balabit/syslog-ng/issues/140#issuecomment-197673887
-Patrick
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hi, On Mon, May 16, 2016 at 06:16:47PM -0400, Patrick Hemmer wrote:
Anybody? Should I open a new issue?
I fully support your call to this important issue. How can the community help the developers move forward?
hi, I don't think that would help, sorry. Everyone is working on other stuff as it seems. Would you try to cook up a patch? I know it might intimidating at first, but you know it's all just code and computers :) not more complicated than a shell script. * [*] ok, a bit more complicated, but everyone has to start somewhere :) -- Bazsi On Tue, May 17, 2016 at 12:16 AM, Patrick Hemmer <syslogng@stormcloud9.net> wrote:
Anybody? Should I open a new issue?
-Patrick
On 2016/3/28 12:01, Patrick Hemmer wrote:
I raised issue on an existing bug on the github tracker, but it seems to have gone unnoticed, so I'm repeating it here to try and get some attention on the issue.
Using multi-line-mode without the multi-line-suffix option WILL result in message loss. When syslog-ng is running in multi-line-mode, it buffers multi-line messages until it sees the start of a new message. When it sees the start of a new message, it flushes the buffered message, and puts the first line of the new message in the buffer. However if syslog-ng shuts down, or receives a SIGHUP (reload), any lines currently buffered are discarded. Given that syslog-ng can't stay running forever, and it will get shut down or SIGHUPd eventually, using this feature will result in messages getting lost.
The message on the github issue where I brought this up is: <https://github.com/balabit/syslog-ng/issues/140#issuecomment-197673887> https://github.com/balabit/syslog-ng/issues/140#issuecomment-197673887
-Patrick
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
That was my original intent (to write a patch), but after looking at the code, I didn't think it would be a good idea (I used to code against syslog-ng back in the around the 3.1 days, but it appears the code has gotten significantly more complex). Given that there is message loss involved here, I just thought it might raise the priority of the issue. -Patrick On 2016/5/17 08:47, Scheidler, Balázs wrote:
hi,
I don't think that would help, sorry. Everyone is working on other stuff as it seems. Would you try to cook up a patch? I know it might intimidating at first, but you know it's all just code and computers :) not more complicated than a shell script. *
[*] ok, a bit more complicated, but everyone has to start somewhere :)
-- Bazsi
On Tue, May 17, 2016 at 12:16 AM, Patrick Hemmer <syslogng@stormcloud9.net <mailto:syslogng@stormcloud9.net>> wrote:
Anybody? Should I open a new issue?
-Patrick
On 2016/3/28 12:01, Patrick Hemmer wrote:
I raised issue on an existing bug on the github tracker, but it seems to have gone unnoticed, so I'm repeating it here to try and get some attention on the issue.
Using multi-line-mode without the multi-line-suffix option WILL result in message loss. When syslog-ng is running in multi-line-mode, it buffers multi-line messages until it sees the start of a new message. When it sees the start of a new message, it flushes the buffered message, and puts the first line of the new message in the buffer. However if syslog-ng shuts down, or receives a SIGHUP (reload), any lines currently buffered are discarded. Given that syslog-ng can't stay running forever, and it will get shut down or SIGHUPd eventually, using this feature will result in messages getting lost.
The message on the github issue where I brought this up is: https://github.com/balabit/syslog-ng/issues/140#issuecomment-197673887
-Patrick
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
participants (4)
-
Fabien Wernli
-
Patrick Hemmer
-
Scheidler, Balázs
-
syslogng@stormcloud9.net