[syslog-ng] syslog-ng doesn't handle builtin syslog messages correctly

Joerg Michels syslog-ng@lists.balabit.hu
Thu, 11 Dec 2003 10:59:32 +0100


On Thu, 11 Dec 2003 10:26:26 +0100
Balazs Scheidler <bazsi@balabit.hu> wrote:

> On Wed, 2003-12-10 at 15:10, Joerg Michels wrote:
> > Hello together,
> > 
> > 
> > I'm running a central syslog-ng server and about two dozen clients sending their logs to this server (all Red Hat). But on some clients syslog-ng doesn't catch the builtin syslog messages.
> > 
> > syslog-version: 1.6.0rc4 on all hosts
> 
> > When I execute 'logger test' the message only reaches the local /var/log/all, but not the server. When I execute 'logger -u /dev/log test' the message reaches both destinations.
> 
> The two different commands you entered should be the same. Try
> strace-ing the logger command to find out what the difference is.
> 
> 
> -- 
> Bazsi
> 
> 


Already did so, but found no real difference.

The failing:

socket(PF_UNIX, SOCK_DGRAM, 0)          = 1
fcntl64(1, F_SETFD, FD_CLOEXEC)         = 0
connect(1, {sin_family=AF_UNIX, path="/dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
close(1)                                = 0
socket(PF_UNIX, SOCK_STREAM, 0)         = 1
fcntl64(1, F_SETFD, FD_CLOEXEC)         = 0
connect(1, {sin_family=AF_UNIX, path="/dev/log"}, 16) = 0
send(1, "<13>Dez 11 10:19:32 root: agent\0", 32, 0) = 32
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
close(1)                                = 0


The working:

socket(PF_UNIX, SOCK_STREAM, 0)         = 3
connect(3, {sin_family=AF_UNIX, path="/dev/log"}, 110) = 0
...
write(3, "<5>Dec 11 10:27:21 root: agent\0", 31) = 31
close(3)                                = 0


There's the difference in the use of write rather than send. Hmmm.


Next I tested a simple C program to send a syslog message, and this one works correctly. The strace was nearly the same as the strace from the failing logger command (internally the send command was used).

#include <syslog.h>

int main (void)
{
        /* LOG_NDELAY: open the connection to the logger immediately */
        openlog ( "systest", LOG_NDELAY, LOG_LOCAL0);
        syslog ( LOG_DEBUG, "%s", "agent");
        closelog ();
        return 0;
}


The strange thing is that the message always reaches syslog-ng, because syslog-ng writes it to the local log file but doesn't forward it to the remote host. The problem also occurs with programs other than logger. For example, I use the Perl module Unix::Syslog. Messages sent by this module don't reach the remote host either, but always reach the local log file.



Joerg
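
Added example (not part of the original message): the two payloads captured in the straces above differ in more than send() versus write(). This Python decoder splits each payload into its PRI and timestamp fields and lists which fields differ; it does not establish which difference, if any, explains the missing forwarding.

```python
import re

# English month abbreviations used by the BSD syslog (RFC 3164) timestamp.
RFC3164_MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
                  "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
SEVERITIES = ("emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug")
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + n: "local%d" % n for n in range(8)})

HEADER = re.compile(r"<(\d{1,3})>(\S+) +(\d{1,2}) (\d\d:\d\d:\d\d) (.*)", re.S)


def decode(payload):
    """Split a raw /dev/log payload into PRI, timestamp and message parts."""
    text = payload.rstrip(b"\0").decode("utf-8", "replace")
    m = HEADER.fullmatch(text)
    if m is None:
        raise ValueError("no <PRI>Mmm dd hh:mm:ss header: %r" % text)
    pri = int(m.group(1))
    facility, severity = pri >> 3, pri & 7   # PRI = facility * 8 + severity
    return {
        "pri": pri,
        "facility": FACILITIES.get(facility, "facility%d" % facility),
        "severity": SEVERITIES[severity],
        "month": m.group(2),
        "month_is_rfc3164": m.group(2) in RFC3164_MONTHS,
        "message": m.group(5),
    }


def differing_fields(a, b):
    """Names of decoded fields whose values differ between two payloads."""
    da, db = decode(a), decode(b)
    return sorted(k for k in da if da[k] != db[k])


# Payloads copied from the send() and write() calls in the two straces above.
FAILING = b"<13>Dez 11 10:19:32 root: agent\0"
WORKING = b"<5>Dec 11 10:27:21 root: agent\0"

if __name__ == "__main__":
    for name, raw in (("failing", FAILING), ("working", WORKING)):
        print(name, decode(raw))
    print("differs in:", differing_fields(FAILING, WORKING))
```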