[syslog-ng]bug report: unparsable UDP syslog message
Thu, 18 Sep 2003 10:48:20 +0200
First of all I'd like to say I'm impressed by syslog-ng. I think this is
a great software: powerful, configurable and elegant. Thanks for making
it free software !
That said, I hope a little bug report can improve the thing.. :)
Context: I'm using a syslog plugin written for the log4j package
(java logging) to send syslog messages to a central log host
There is one case where some messages are not properly read by syslog-ng, and
which trigger "unparsable log message" errors, though they seem to be properly
formed syslog messages.
The precise packets triggering this case [tcpdump and ethereal helped me a lot
here] are UDP syslog packets which are not terminated by a NULL byte, but
which contain one or many NEWLINE bytes inside the message, and after some of
those NEWLINES we find a '<' character (actually because log4j is used to dump
some xml formatted data) :
<xx>javaProgram: here is the dump:\n<xml stuff>\n<foo/></xml>
The same UDP datagram with a NULL byte in the end doesn't trigger the
"unparseable log message" error.
The code in src/sources.c (lines 112-120) seems to use the first newline char
as the end of line if it doesn't find a '\0', even if this newline char is not
the end of our packet. This makes the < of '<xml' be seen as the start of a
syslog message, and syslog-ng then tries to interpret '<xml stuff>' as a
syslog standard prefix, which of course fails, so we got this "unparseable log
message" error. At least, that's what I would concluded, but I'm not C expert,
nor very knowledgeable about syslog-ng.
If I read the RFC well, not terminating a syslog message by a NULL byte is
fine, so I would say this is a syslog-ng bug.
I hope the information provided can help you correct this bug.
PS: please Cc me any answer since I'm not subscribed to this mailing list.
== Thomas Morin
== PGP Id:8CEA233D Key FP:503BF6CFD3AE8719377B832A02FB94E08CEA233D