[syslog-ng]Concatenated syslog messages

Vladislav Bogdanov syslog-ng@lists.balabit.hu
Thu, 03 Jun 2004 14:39:03 +0300 

Balazs Scheidler wrote:
> 2004-06-02, sze keltezéssel 17:57-kor Vladislav Bogdanov ezt írta:
> 
>>Balazs Scheidler wrote:
>>
>>>>I use redhat enterprise linux 3, syslog-ng 1.6.4 and libol 0.3.13
>>>
>>>
>>>Are these local messages or messages received from the network?
>>
>>local
> 
> 
> ok, are these received using unix-dgram() or unix-stream()?
> can you attach an strace snippet which shows this behaviour?
> 
source s_sys { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream 
("/dev/log"); internal(); };
hmm..
here is it
---------------
read(20, "<21>Jun  3 14:17:57 sendmail[388"..., 2048) = 330
  | 00000  3c 32 31 3e 4a 75 6e 20  20 33 20 31 34 3a 31 37  <21>Jun   3 14:17 |
  | 00010  3a 35 37 20 73 65 6e 64  6d 61 69 6c 5b 33 38 38  :57 send mail[388 |
  | 00020  35 5d 3a 20 69 35 33 42  48 73 71 30 30 30 33 38  5]: i53B Hsq00038 |
  | 00030  38 35 3a 20 6c 6f 73 74  20 69 6e 70 75 74 20 63  85: lost  input c |
  | 00040  68 61 6e 6e 65 6c 20 66  72 6f 6d 20 62 7a 71 2d  hannel f rom bzq- |
  | 00050  32 31 38 2d 31 31 35 2d  37 35 2e 72 65 64 2e 62  218-115- 75.red.b |
  | 00060  65 7a 65 71 69 6e 74 2e  6e 65 74 20 5b 38 31 2e  ezeqint. net [81. |
  | 00070  32 31 38 2e 31 31 35 2e  37 35 5d 20 74 6f 20 4d  218.115. 75] to M |
  | 00080  54 41 20 61 66 74 65 72  20 72 63 70 74 3c 32 32  TA after  rcpt<22 |
  | 00090  3e 4a 75 6e 20 20 33 20  31 34 3a 31 37 3a 35 37  >Jun  3  14:17:57 |
  | 000a0  20 73 65 6e 64 6d 61 69  6c 5b 33 38 38 35 5d 3a   sendmai l[3885]: |
  | 000b0  20 69 35 33 42 48 73 71  30 30 30 33 38 38 35 3a   i53BHsq 0003885: |
  | 000c0  20 66 72 6f 6d 3d 3c 6b  72 61 78 65 6c 62 62 79   from=<k raxelbby |
  | 000d0  40 62 6f 75 74 68 6f 72  73 2e 6f 72 67 3e 2c 20  @bouthor s.org>,  |
  | 000e0  73 69 7a 65 3d 30 2c 20  63 6c 61 73 73 3d 30 2c  size=0,  class=0, |
  | 000f0  20 6e 72 63 70 74 73 3d  31 2c 20 70 72 6f 74 6f   nrcpts= 1, proto |
  | 00100  3d 45 53 4d 54 50 2c 20  64 61 65 6d 6f 6e 3d 4d  =ESMTP,  daemon=M |
  | 00110  54 41 2c 20 72 65 6c 61  79 3d 62 7a 71 2d 32 31  TA, rela y=bzq-21 |
  | 00120  38 2d 31 31 35 2d 37 35  2e 72 65 64 2e 62 65 7a  8-115-75 .red.bez |
  | 00130  65 71 69 6e 74 2e 6e 65  74 20 5b 38 31 2e 32 31  eqint.ne t [81.21 |
  | 00140  38 2e 31 31 35 2e 37 35  5d 00                    8.115.75 ].       |
write(13, "Jun  3 14:17:57 master sendmail["..., 333) = 333
  | 00000  4a 75 6e 20 20 33 20 31  34 3a 31 37 3a 35 37 20  Jun  3 1 4:17:57  |
  | 00010  6d 61 73 74 65 72 20 73  65 6e 64 6d 61 69 6c 5b  master s endmail[ |
  | 00020  33 38 38 35 5d 3a 20 69  35 33 42 48 73 71 30 30  3885]: i 53BHsq00 |
  | 00030  30 33 38 38 35 3a 20 6c  6f 73 74 20 69 6e 70 75  03885: l ost inpu |
  | 00040  74 20 63 68 61 6e 6e 65  6c 20 66 72 6f 6d 20 62  t channe l from b |
  | 00050  7a 71 2d 32 31 38 2d 31  31 35 2d 37 35 2e 72 65  zq-218-1 15-75.re |
  | 00060  64 2e 62 65 7a 65 71 69  6e 74 2e 6e 65 74 20 5b  d.bezeqi nt.net [ |
  | 00070  38 31 2e 32 31 38 2e 31  31 35 2e 37 35 5d 20 74  81.218.1 15.75] t |
  | 00080  6f 20 4d 54 41 20 61 66  74 65 72 20 72 63 70 74  o MTA af ter rcpt |
  | 00090  3c 32 32 3e 4a 75 6e 20  20 33 20 31 34 3a 31 37  <22>Jun   3 14:17 |
  | 000a0  3a 35 37 20 73 65 6e 64  6d 61 69 6c 5b 33 38 38  :57 send mail[388 |
  | 000b0  35 5d 3a 20 69 35 33 42  48 73 71 30 30 30 33 38  5]: i53B Hsq00038 |
  | 000c0  38 35 3a 20 66 72 6f 6d  3d 3c 6b 72 61 78 65 6c  85: from =<kraxel |
  | 000d0  62 62 79 40 62 6f 75 74  68 6f 72 73 2e 6f 72 67  bby@bout hors.org |
  | 000e0  3e 2c 20 73 69 7a 65 3d  30 2c 20 63 6c 61 73 73  >, size= 0, class |
  | 000f0  3d 30 2c 20 6e 72 63 70  74 73 3d 31 2c 20 70 72  =0, nrcp ts=1, pr |
  | 00100  6f 74 6f 3d 45 53 4d 54  50 2c 20 64 61 65 6d 6f  oto=ESMT P, daemo |
  | 00110  6e 3d 4d 54 41 2c 20 72  65 6c 61 79 3d 62 7a 71  n=MTA, r elay=bzq |
  | 00120  2d 32 31 38 2d 31 31 35  2d 37 35 2e 72 65 64 2e  -218-115 -75.red. |
  | 00130  62 65 7a 65 71 69 6e 74  2e 6e 65 74 20 5b 38 31  bezeqint .net [81 |
  | 00140  2e 32 31 38 2e 31 31 35  2e 37 35 5d 0a           .218.115 .75].    |
----------
And...
I looked into sysklogd (which is known to fork fine with this) sources, they 
always open /dev/log as dgram.
If I use unix-dgram instead of unix-stream, problem disappears. :)
It is likely to be a typo in contrib/syslog-ng.conf.RedHat which I copied into 
running config without deep investigation. :)
So, I think problem is closed.

Best,
Vladislav