[syslog-ng]bug report: unparsable UDP syslog message
Thomas Morin
syslog-ng@lists.balabit.hu
Mon, 22 Sep 2003 13:29:04 +0200
Quote Thomas Morin <thomas.morin@ago.fr>:
| The precise packets triggering this case [tcpdump and ethereal helped me a
| lot here] are UDP syslog packets which are not terminated by a NULL byte,
| but which contain one or many NEWLINE bytes inside the message, and after
| some of those NEWLINES we find a '<' character (actually because log4j is
| used to dump some xml formatted data) :
|
| <xx>javaProgram: here is the dump:\n<xml stuff>\n<foo/></xml>
|
| The same UDP datagram with a NULL byte in the end doesn't trigger the
| "unparseable log message" error.
I actually have another case where this happens : if the UDP syslog message
size exceeds the configured log_msg_size, then the same problem happens :
message boudaries are not well understood by syslog-ng, and if a "<" appears
after a newline, an "unparseable log message" error is triggered.
Regards,
-Thomas
--
== Thomas Morin
== Ingénieur Consultant Atlantide - www.ago.fr - thomas.morin@ago.fr
== PGP Id:8CEA233D Key FP:503BF6CFD3AE8719377B832A02FB94E08CEA233D
--