[syslog-ng] /dev/log on Linux is a datagram socket, not a stream socket
Philip J. Hollenback
syslog-ng@lists.balabit.hu
Wed, 2 Feb 2005 11:35:32 -0500

The syslog-ng reference manual (and the sample syslog-ng.conf for
RedHat) indicate that /dev/log on Linux is a stream socket. However,
other utilities think that /dev/log is a datagram socket. To see
this, configure syslog-ng to open /dev/log with unix_stream and then
strace the logger command. logger tries to open /dev/log as a
datagram socket first, fails, and then falls back to opening it as a
stream socket:

socket(PF_FILE, SOCK_DGRAM, 0) = 1
fcntl64(1, F_SETFD, FD_CLOEXEC) = 0
connect(1, {sa_family=AF_FILE, path="/dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
close(1) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 1
fcntl64(1, F_SETFD, FD_CLOEXEC) = 0
connect(1, {sa_family=AF_FILE, path="/dev/log"}, 16) = 0
send(1, "<13>Feb 2 11:19:50 phil: test m"..., 39, 0) = 39
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
close(1) = 0

If, however, you open /dev/log with unix_dgram and then run logger,
it's happier:

socket(PF_FILE, SOCK_DGRAM, 0) = 1
fcntl64(1, F_SETFD, FD_CLOEXEC) = 0
connect(1, {sa_family=AF_FILE, path="/dev/log"}, 16) = 0
send(1, "<13>Feb 2 11:21:28 phil: test m"..., 45, 0) = 45
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
close(1) = 0

This indicates to me that the syslog-ng documentation and sample
syslog-ng.conf files should be changed to show you should open
/dev/log with unix_dgram on Linux, not with unix_stream.

This is with the 2.4.22 kernel; maybe this is something that changed
at some point?

Thanks,
P.

--
Philip J. Hollenback
Telemetry Investments
phollenback@telemetry-investments.com
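
The connect sequence from the strace output above, reproduced as an added example (not part of the original post and not logger's or syslog-ng's own code). It assumes Linux; the function names and the socket path are hypothetical, and the path is a constructed test path rather than the real /dev/log.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Client side: SOCK_DGRAM first, SOCK_STREAM only after EPROTOTYPE.
 * Returns the socket type that connected, or -1 on any other failure. */
int connect_log_socket(const struct sockaddr_un *sa)
{
    static const int types[] = { SOCK_DGRAM, SOCK_STREAM };
    for (int i = 0; i < 2; i++) {
        int fd = socket(AF_UNIX, types[i], 0);
        if (fd < 0) return -1;
        int rc = connect(fd, (const struct sockaddr *)sa, sizeof(*sa));
        int err = errno;              /* save before close() can change it */
        close(fd);                    /* probe only: nothing is sent */
        if (rc == 0) return types[i];
        if (err != EPROTOTYPE) return -1;
    }
    return -1;
}

/* Daemon side stand-in: bind `path` (a constructed test path, not the real
 * /dev/log) with srv_type, then report which type the client ends up using. */
int probe(const char *path, int srv_type)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int used = -1, sfd = socket(AF_UNIX, srv_type, 0);
    if (sfd < 0) return -1;
    strncpy(sa.sun_path, path, sizeof(sa.sun_path) - 1);
    unlink(path);
    if (bind(sfd, (struct sockaddr *)&sa, sizeof(sa)) == 0 &&
        (srv_type != SOCK_STREAM || listen(sfd, 1) == 0))
        used = connect_log_socket(&sa);
    close(sfd);
    unlink(path);
    return used;
}

int main(void)
{
    const char *p = "./devlog-demo.sock";     /* constructed path */
    printf("unix_stream listener -> client used %s\n",
           probe(p, SOCK_STREAM) == SOCK_STREAM ? "SOCK_STREAM" : "other");
    printf("unix_dgram listener  -> client used %s\n",
           probe(p, SOCK_DGRAM) == SOCK_DGRAM ? "SOCK_DGRAM" : "other");
    return 0;
}
```

A client that lacks the stream fallback would simply fail to log when the socket type does not match, so the type configured for /dev/log determines whether such messages reach the daemon at all.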