[syslog-ng] Losing TAG information
Evan Rempel
erempel at uvic.ca
Tue Jun 20 06:31:13 CEST 2006
Try switching back to default syslog and see if the same symptom occurs.
That would point to a problem in the kernel handling of data destined
for /dev/log.
My environment is Redhat AS 3 update 5 (perhaps 6). That works out to
kernel 2.4.21.
The syslog-ng.conf is
options {
    sync(0);
    log_fifo_size(100000);
    use_fqdn(yes);
    keep_hostname(no);
    chain_hostnames(no);
    time_reap(60);
    time_reopen(5);
    use_time_recvd(no);
};
source local {
    unix-dgram("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
    internal();
};
source network { udp(port(514)); };
... a whole bunch of destinations, filters and log lines, but no flags
or options on them.
Evan.
SOLIS, ALEX wrote:
> That is interesting. Thinking it is a version problem, I upgraded
> syslog-ng on another machine to 1.6.9. I attempted the same test below
> and got the same results. A space in the tag causes the TAG information
> to disappear.
>
> I am curious Evan, what are your syslog-ng options?
>
> I guess now it could be my LOGHOST environment. I am running syslog-ng
> 1.6.9 on a gentoo linux box running kernel 2.6-15. Here is another
> example of what this box does:
>
> # logger -t "alex" funny
> # logger -t "alex " funny
>
> Results:
>
> Jun 19 11:53:04 src@lookout alex: funny
> Jun 19 11:53:30 src@lookout : funny
>
> These results are on a totally separate box running a new version of
> syslog-ng. Since it worked in Evan's example below, syslog-ng might not
> be the one to blame. But what other factors could cause me to lose the
> TAG information of a local syslog message other than the process
> accepting, parsing, and storing the message itself; syslog-ng?
>
> Alex
>
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Evan Rempel
> Sent: Monday, June 19, 2006 12:50 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Losing TAG information
>
>
> In an AIX 5.2 machine
>
> % logger -t evan funny
> % logger -t "evan " funny
>
> results in
>
> Jun 19 10:47:17 casa.comp.uvic.ca casa: evan: funny
> Jun 19 10:47:25 casa.comp.uvic.ca casa: evan : funny
>
> In AIX 4.3.3
>
> % logger -t evan funny
> % logger -t "evan " funny
>
> results in
>
> Jun 19 10:48:57 casual.uvic.ca casual: evan: funny
> Jun 19 10:49:03 casual.uvic.ca casual: evan : funny
>
> So, it would appear that the 1.6.8 syslog-ng does not suffer from the
> symptoms you describe.
>
> Evan.
>
> SOLIS, ALEX wrote:
>
>>Thank you for your reply Evan.
>>
>>So, if you attempt what I did in bullet two in the previous post below
>>do you get different results? If you do, then maybe I should consider
>>upgrading my version of syslog-ng. Thanks again.
>>
>>
>>Alex
>>
>>
>>-----Original Message-----
>>From: syslog-ng-bounces at lists.balabit.hu
>>[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Evan Rempel
>>Sent: Monday, June 19, 2006 10:38 AM
>>To: Syslog-ng users' and developers' mailing list
>>Subject: Re: [syslog-ng] Losing TAG information
>>
>>All I can really add is that we have a mix of AIX 4.3.3 through 5.3 that
>>are logging to a linux syslog-ng 1.6.8 machine
>>and we are not experiencing the symptoms that you describe. I have a
>>couple of applications where the tag ends up being
>>"syslog" when it should be something else, but that is quite a bit
>>different than removing it entirely.
>>
>>Evan.
>>
>>SOLIS, ALEX wrote:
>>
>>>I appreciate your sympathy but it does not help me with my TAG problem.
>>>:)
>>>
>>>Anyone else have any idea how to stop syslog-ng from purging the TAG
>>>information from an AIX syslogd message. I have successfully sniffed
>>>syslog traffic between the AIX servers and my LOGHOST. The TAG (Process
>>>Name info) is definitely intact on the wire. This confirms that
>>>syslog-ng is simply parsing the log message and removing the TAG info.
>>>I did some more tests on the Linux LOGHOST using the logger utility and
>>>I found that syslog-ng does not like spaces after the TAG information.
>
>>>For example:
>>>
>>>1) logger -p syslog.info -t "TEST_TAG" "TEST_MESSAGE"
>>>
>>> Generates the log:
>>>
>>> Jun 19 08:42:38 loghost TEST_TAG: TEST_MESSAGE
>>>
>>>
>>>2) logger -p syslog.info -t "TEST_TAG " "TEST_MESSAGE"
>>>
>>> Generates the log:
>>>
>>> Jun 19 08:44:08 loghost : TEST_MESSAGE
>>>
>>>Example two lost the TAG information because of the space after
>>>TEST_TAG. I have considered the possibility that the messages being
>>>sent from the AIX box do not conform to syslog formatting standards and
>>>therefore syslog-ng discards the field. But I would like to know if
>>>there is anything that can be done to stop this behavior.
>>>
>>>Thanks for all responses, even sympathetic ones. :)
>>>
>>>Alex
>>>
>>>
>>>-----Original Message-----
>>>From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu]
>>>Sent: Tuesday, June 13, 2006 9:09 PM
>>>To: SOLIS, ALEX
>>>Subject: Re: [syslog-ng] Losing TAG information
>>>
>>>On Tue, 13 Jun 2006 10:07:33 CDT, "SOLIS, ALEX" said:
>>>
>>> (off-list reply)
>>>
>>>
>>>>I have about 20 or so AIX 4.3 servers that are sending syslog messages
>>>>to a Linux desktop running syslog-ng 1.6.5.
>>>
>>>You have my condolences. IBM dropped support for even AIX 4.3.3 several
>>>years ago - hopefully you're not having problems keeping the software
>>>running and secure...
>
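
Added example (not part of the original thread and not syslog-ng code): a small Python check that parses the frame seen on input and reports whether its tag is still present in the line the loghost stored, using the two TEST_TAG cases quoted above. The raw frames are constructed and their shape is an assumption; parse_frame and tag_survived are names made up for this illustration.

```python
import re

# BSD syslog frame: <PRI>Mmm dd hh:mm:ss [HOSTNAME] TAG[pid]: CONTENT
FRAME = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<body>.*)$",
    re.S,
)
# Program name as logger(1) and syslog(3) commonly write it: up to 32 characters
# ending at the first whitespace, ':' or '['. Anything after it is CONTENT.
TAG = re.compile(r"^(?P<tag>[^\s:\[]{1,32})(?:\[(?P<pid>\d+)\])?(?P<content>.*)$", re.S)

# Constructed input frames (assumed shape; syslog.info is PRI 5*8+6 = 46).
FRAME_PLAIN = "<46>Jun 19 08:42:38 TEST_TAG: TEST_MESSAGE"
FRAME_SPACED = "<46>Jun 19 08:44:08 TEST_TAG : TEST_MESSAGE"
# Stored lines as quoted in the thread.
STORED_PLAIN = "Jun 19 08:42:38 loghost TEST_TAG: TEST_MESSAGE"
STORED_SPACED = "Jun 19 08:44:08 loghost : TEST_MESSAGE"


def parse_frame(frame, has_host=False):
    """Split a raw frame into its fields; has_host=True if a HOSTNAME is present."""
    m = FRAME.match(frame)
    if m is None:
        raise ValueError("not a BSD syslog frame: %r" % frame)
    pri, body, host = int(m.group("pri")), m.group("body"), None
    if has_host:
        host, _, body = body.partition(" ")
    t = TAG.match(body)
    tag, pid, content = t.group("tag", "pid", "content") if t else ("", None, body)
    return {"facility": pri >> 3, "severity": pri & 7, "ts": m.group("ts"),
            "host": host, "tag": tag, "pid": pid, "content": content}


def tag_survived(frame, stored_line, has_host=False):
    """True if the tag present in the input frame still leads the stored text.

    Assumes the stored layout shown in the thread: "Mmm dd hh:mm:ss host rest".
    """
    parsed = parse_frame(frame, has_host)
    rest = stored_line[len(parsed["ts"]) + 1:].partition(" ")[2]
    return bool(parsed["tag"]) and rest.startswith(parsed["tag"])


if __name__ == "__main__":
    for frame, stored in ((FRAME_PLAIN, STORED_PLAIN), (FRAME_SPACED, STORED_SPACED)):
        p = parse_frame(frame)
        print(repr(p["tag"]), repr(p["content"]), "kept" if tag_survived(frame, stored) else "LOST")
```

Feeding it a frame taken from a packet capture (has_host=True) next to the stored line shows whether the tag was already missing on input or was dropped by the receiving daemon.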