[syslog-ng] Messages concatenated on one line in log file.

G.W. Haywood ged at jubileegroup.co.uk
Sat Sep 2 00:04:58 CEST 2006 

Hi folks,

Using 2.0rc1 I find lines like this in /var/log/messages:

Sep  1 22:18:32 mail3 	by lists.balabit.hu (Postfix) with ESMTP id 83E8A4C117
Sep  1 22:18:32 mail3 	for <ged at jubileegroup.co.uk>; Fri,  1 Sep 2006 23:18:17 +0200 (CEST)')<31>Sep  1 22:18:32 milter-regex[20073]: 212.92.18.33: cb_header('MIME-Version', '1.0')
Sep  1 22:18:32 mail3 	<syslog-ng.lists.balabit.hu>')<31>Sep  1 22:18:32 milter-regex[20073]: 212.92.18.33: cb_header('X-List-Administrivia', 'yes')

Sorry if the three lines above wrap for you.  I haven't attempted to
break them.  They are imported using an editor, not copy-n-paste, so
that non-printing characters are reproduced correctly in the mail.
Each line above has a tab character after the string "mail3 ", which
is the hostname followed by a single space.

There are two problems.  First, these lines shouldn't be written to
this log at all.  Second, some of the lines are being concatenated
onto a single line instead of being written to two lines.  Instead of
three lines above, there should have been five lines.  The <facility,
priority> info is visible at the points where the lines are joined.

The lines that you see here are produced by a sendmail milter called
'milter-regex' which is supposed to be logging with facility 'daemon'
and according to the syslog-ng configuration messages from this milter
should not appear in the 'messages' file at all.  Most of them don't
(milter-regex is producing a _lot_ of output), but mail message header
continuation lines do.  A log message following a header continuation
line is concatenated to it, and the filter doesn't seem to notice it.
The lines that incorrectly appear in 'messages' do not appear in the
correct file, which is 'mail.milter-regex' in the config below.

Any ideas?

--

73,
Ged.

===========================================================================
# Relevant extracts from configuration:
===========================================================================
options {long_hostnames(off);sync(0);perm(0640);stats(3600);mark_freq(0);};
source src { internal(); unix-dgram("/dev/log"); };
...
# output from milter-regex is facility daemon
filter f_mailmrx     { facility(daemon); };
# facility daemon should not go to 'messages'
filter f_messages    { not facility(news, mail, daemon) and not ...  };
# most facility daemon messages are correctly written to 'mail.milter-regex'
destination mailmrx  { file("/var/log/mail.milter-regex"); };
# but some make it to 'messages'
destination messages { file("/var/log/messages");          };
...
log { source(src); filter(f_mailmrx);    destination(mailmrx);   };
log { source(src); filter(f_messages);   destination(messages);  };
...

More information about the syslog-ng mailing list