[syslog-ng]bug report: unparsable UDP syslog message

Thomas Morin syslog-ng@lists.balabit.hu
Mon, 22 Sep 2003 13:29:04 +0200

Quote Thomas Morin <thomas.morin@ago.fr>:
 | The precise packets triggering this case [tcpdump and ethereal helped me a
 | lot here] are UDP syslog packets which are not terminated by a NULL byte, 
 | but which contain one or many NEWLINE bytes inside the message, and after 
 | some of those NEWLINES we find a '<' character (actually because log4j is 
 | used to dump some xml formatted data) :
 | <xx>javaProgram: here is the dump:\n<xml stuff>\n<foo/></xml>
 | The same UDP datagram with a NULL byte in the end doesn't trigger the
 | "unparseable log message" error.

I actually have another case where this happens: if the UDP syslog message
size exceeds the configured log_msg_size, then the same problem happens:
message boundaries are not well understood by syslog-ng, and if a "<" appears
after a newline, an "unparseable log message" error is triggered.
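
The two cases reported above, as an added example that is not part of the original post and is not syslog-ng's code: a hypothetical receiver (`frame_guessing`) that uses a NUL terminator when it sees one and otherwise falls back to newlines reproduces both reports, and is compared with one-message-per-datagram framing. The `<13>` priority value, the function names and the framing rule itself are assumptions chosen for illustration.

```python
import re

# A syslog record starts with <PRI>, PRI = facility * 8 + severity (0..191).
PRI_RE = re.compile(rb"<(\d{1,3})>")

def parse_pri(record):
    """Return (facility, severity), or None when the record has no valid <PRI>."""
    m = PRI_RE.match(record)
    if m is None or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7

def frame_guessing(datagram, log_msg_size=8192):
    """Hypothetical stream-style framing (assumption, not syslog-ng's logic):
    cut the buffer at log_msg_size, then split on NUL if one is present,
    otherwise on newline."""
    buf = datagram[:log_msg_size]
    sep = b"\x00" if b"\x00" in buf else b"\n"
    return [r for r in buf.split(sep) if r]

def frame_per_datagram(datagram, log_msg_size=8192):
    """One UDP datagram is one message; embedded newlines stay in the payload."""
    return [datagram[:log_msg_size].rstrip(b"\x00\n")]

def unparsable(records):
    """Records a parser would reject for lacking a valid <PRI> header."""
    return [r for r in records if parse_pri(r) is None]

# Constructed sample modelled on the datagram quoted in the report.
BODY = b"<13>javaProgram: here is the dump:\n<xml stuff>\n<foo/></xml>"

if __name__ == "__main__":
    cases = [
        ("no NUL terminator", BODY, 8192),
        ("NUL terminated", BODY + b"\x00", 8192),
        ("NUL terminated, over log_msg_size", BODY + b"\x00", 46),
    ]
    for label, datagram, size in cases:
        print(label)
        print("  guessing    :", unparsable(frame_guessing(datagram, size)))
        print("  per datagram:", unparsable(frame_per_datagram(datagram, size)))
```

In this model the truncation at `log_msg_size` cuts off the trailing NUL, which is why the oversized case behaves like the unterminated one.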



