[syslog-ng] syslog-ng truncating pipe template output

Balazs Scheidler syslog-ng@lists.balabit.hu
Mon, 22 Nov 2004 09:36:44 +0100


On Fri, 2004-11-19 at 18:42, James Masson wrote:
> I've been trying to figure out an obscure problem with syslog-ng
> importing to a mysql database.
> 
> I have various types of network devices feeding syslog-ng on local3
> through local6. I can import from Cisco, UNIX servers, Windows - but not
> Netscreen firewalls!
> 
> Each device type gets its own mysql database. The mysql INSERT INTO
> statements for the Netscreen logs are truncated and hence fail to import
> because the mysql syntax is not correct.
> 
> I chased wild geese for a while thinking the log format of the
> Netscreen was messing with mysql - but that's not the case. Notice it's
> just truncating the last few characters of each statement - including
> the all-important ")" and "\n" newline that closes the mysql statement.
> I dumped an instance or two of these to a file instead of the normal
> fifo, added a ")" and a newline at the end of each, and it imported just
> fine!


IIRC there was a problem report about NetScreen logs including a NUL
character somewhere in the middle of the message. That might cause this
problem. Can you tcpdump an incoming UDP message as it reaches
syslog-ng? I'd need the complete frame, so be sure to use the -s
parameter for tcpdump (specifying the maximum frame size; make sure it
is at least the size of your MTU).

-- 
Bazsi
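
An added illustration, not syslog-ng code and not part of the original message: the C sketch below shows how a NUL byte inside a received message can cost a formatted statement its closing ")" and newline once the length-aware buffer is handled as a C string. The sample payload, the table name and all function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample payload (not a real NetScreen capture): a NUL byte
 * sits before the last field. sizeof keeps the true length. */
static const char sample_msg[] =
    "<134>fw01: NetScreen device_id=fw01 action=Permit\0 sent=42";
#define SAMPLE_LEN (sizeof sample_msg - 1)

/* Offset of the first NUL inside a received payload, or -1 if none. */
long first_nul(const char *buf, size_t len) {
    const char *p = memchr(buf, '\0', len);
    return p ? (long)(p - buf) : -1;
}

/* Length-aware expansion of a hypothetical template
 * INSERT INTO logs (msg) VALUES ('<msg>')\n ; returns bytes produced. */
size_t expand_template(const char *msg, size_t len, char *out, size_t cap) {
    static const char head[] = "INSERT INTO logs (msg) VALUES ('";
    static const char tail[] = "')\n";
    size_t h = sizeof head - 1, t = sizeof tail - 1;
    if (h + len + t + 1 > cap) return 0;
    memcpy(out, head, h);
    memcpy(out + h, msg, len);
    memcpy(out + h + len, tail, t);
    out[h + len + t] = '\0';
    return h + len + t;
}

/* Replace embedded NULs with spaces; returns how many were replaced. */
size_t sanitize_nul(char *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\0') { buf[i] = ' '; n++; }
    return n;
}

int main(void) {
    char out[256];
    size_t n = expand_template(sample_msg, SAMPLE_LEN, out, sizeof out);
    printf("first NUL at payload offset %ld\n", first_nul(sample_msg, SAMPLE_LEN));
    /* A writer that trusts strlen() stops at the NUL and drops ")\n". */
    printf("expanded: %zu bytes, C-string view: %zu bytes\n", n, strlen(out));
    size_t fixed = sanitize_nul(out, n);
    printf("NULs replaced: %zu, C-string view now: %zu bytes\n", fixed, strlen(out));
    return 0;
}
```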