[syslog-ng] trailing spaces on udp messages ?

Johan Fischer jfischer at cmcrc.com
Wed Jan 17 03:06:48 CET 2007 

Hi List,

I'm using syslog-ng-2.0.1 on RHEL4 (centos4 actually) but I reproduced the same
problem on debian unstable using the debian package (currently 2.0.0).

The clients are using sysklogd 1.4.1-20

It seems that all my lines logs from udp() have one trailing space. The internal
logs and /dev/log don't have that space so I'm currently assuming either the
sender (sysklogd) or the receiver (udp module of syslog-ng) is not filtering
that space.

This also seem to happen with the internal() source.

A wireshark of the packet will show this:
Syslog message: USER.NOTICE: jfischer: blahklfdsfd\n

I can see a \n at the end of the line but no space. I don't know what to think
of this yet.

I attached the configuration used (stripped as much), and the logs created.

This problem is affecting mostly logwatch which do from time to time strict
regex on the end of the string that I cannot match because of this trailing space.

Cheers.
J.



-- 
Johan Fischer
Capital Markets Surveillance Services Pty Limited
Level 2, 9 Castlereagh Street, Sydney NSW 2000
Tel: +61 2 9233 7999   Direct: +61 2 9236 9150
Fax: +61 2 9236 9177   http://www.cmss-systems.com

Capital Markets Surveillance Services Pty Ltd (CMSS) - Confidential
Communication
The information contained in this e-mail is confidential. It is intended
solely for the addressee. If you receive this e-mail by mistake please
promptly inform us by reply e-mail and then delete the e-mail and
destroy any printed copy. You must not disclose or use in any way the
information in the e-mail. There is no warranty that this e-mail is
error or virus free. It may be a private communication, and if so, does
not represent the views of the CMCRC and its associates. If it is a
private communication, care should be taken in opening it to ensure that
undue offence is not given.
-------------- next part --------------
Jan 17 12:45:01 clamp CRON[8797]: (pam_unix) session opened for user root by (uid=0)
Jan 17 12:45:01 clamp CRON[8799]: (pam_unix) session opened for user root by (uid=0)
Jan 17 12:45:01 clamp CRON[8801]: (pam_unix) session opened for user jfischer by (uid=0)
Jan 17 12:45:01 clamp /USR/SBIN/CRON[8798]: (root) CMD ([ -x /usr/lib/sysstat/sa1 ] && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; [ "$ENABLED" = "true" ] && exec /usr/lib/sysstat/sa1 $SA1_OPTIONS 1 1 ; })
Jan 17 12:45:01 clamp /USR/SBIN/CRON[8800]: (root) CMD (if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg.cfg ]; then env LANG=C /usr/bin/mrtg /etc/mrtg.cfg >> /var/log/mrtg/mrtg.log 2>&1; fi)
Jan 17 12:45:01 clamp /USR/SBIN/CRON[8802]: (jfischer) CMD (/home/jfischer/bin/chg_background >/dev/null)
Jan 17 12:45:01 clamp CRON[8801]: (pam_unix) session closed for user jfischer
Jan 17 12:45:01 clamp CRON[8797]: (pam_unix) session closed for user root
Jan 17 12:45:02 clamp CRON[8799]: (pam_unix) session closed for user root
Jan 17 12:45:09 clamp sensord: Sensor alarm: Chip w83627hf-isa-0290: VCore 1: +0.00 V (min = +1.14 V, max = +1.55 V) [ALARM]
Jan 17 12:45:09 clamp sensord: Sensor alarm: Chip w83627hf-isa-0290: VCore 2: +0.00 V (min = +1.14 V, max = +1.55 V) [ALARM]
Jan 17 12:45:09 clamp sensord: Sensor alarm: Chip w83627hf-isa-0290: +3.3V: +0.00 V (min = +2.82 V, max = +3.79 V) [ALARM]
Jan 17 12:45:09 clamp sensord: Sensor alarm: Chip w83627hf-isa-0290: +5V: +5.03 V (min = +4.01 V, max = +1.10 V) [ALARM]
Jan 17 12:45:09 clamp sensord: Sensor alarm: Chip w83627hf-isa-0290: +12V: +0.00 V (min = +14.29 V, max = +11.31 V) [ALARM]
Jan 17 12:45:09 clamp sensord: Sensor alarm: Chip w83627hf-isa-0290: -12V: -14.91 V (min = -4.55 V, max = -10.39 V) [ALARM]
Jan 17 12:45:09 clamp sensord: Sensor alarm: Chip w83627hf-isa-0290: -5V: -7.71 V (min = -3.39 V, max = +5.00 V) [ALARM]
Jan 17 12:45:09 clamp sensord: Sensor alarm: Chip w83627hf-isa-0290: V5SB: +5.59 V (min = +2.93 V, max = +2.53 V) [ALARM]
Jan 17 12:45:09 clamp sensord: Sensor alarm: Chip w83627hf-isa-0290: VBat: +0.00 V (min = +2.99 V, max = +1.84 V) [ALARM]
Jan 17 12:45:09 clamp sensord: Sensor alarm: Chip w83627hf-isa-0290: fan1: 0 RPM (min = 2812 RPM, div = 2) [ALARM]
Jan 17 12:45:09 clamp sensord: Sensor alarm: Chip w83627hf-isa-0290: fan2: 0 RPM (min = 3183 RPM, div = 2) [ALARM]
Jan 17 12:45:09 clamp sensord: Sensor alarm: Chip w83627hf-isa-0290: fan3: 0 RPM (min = 25000 RPM, div = 2) [ALARM]
Jan 17 12:45:44 clamp fetchmail[2500]: awakened at Wed 17 Jan 2007 12:45:44 EST
Jan 17 12:45:44 clamp fetchmail[2500]: Server CommonName mismatch: localhost.localdomain != pop.cmcrc.com
Jan 17 12:45:44 clamp fetchmail[2500]: Server certificate verification error: self signed certificate
Jan 17 12:45:44 clamp fetchmail[2500]: sleeping at Wed 17 Jan 2007 12:45:44 EST for 300 seconds
-------------- next part --------------
Jan 17 12:45:01 192.168.15.19 CRON[2871]: (pam_unix) session opened for user root by (uid=0) 
Jan 17 12:45:01 192.168.15.19 /USR/SBIN/CRON[2872]: (root) CMD ([ -x /usr/lib/sysstat/sa1 ] && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; [ "$ENABLED" = "true" ] && exec /usr/lib/sysstat/sa1 $SA1_OPTIONS 1 1 ; }) 
Jan 17 12:45:01 192.168.15.19 CRON[2871]: (pam_unix) session closed for user root 
Jan 17 12:45:59 192.168.15.19 sshd[3586]: Accepted password for jfischer from 192.168.15.17 port 49664 ssh2 
Jan 17 12:45:59 192.168.15.19 sshd[3606]: (pam_unix) session opened for user jfischer by (uid=0) 
-------------- next part --------------
options {
        chain_hostnames(0);
        time_reopen(10);
        time_reap(360);
        log_fifo_size(2048);
        create_dirs(yes);
        group(adm);
        perm(0640);
        dir_perm(0755);
        use_dns(no);
	stats_freq(0);
};

source s_internal {
        internal();
};

source s_local {
        unix-stream("/dev/log");
        file("/proc/kmsg" log_prefix("kernel: "));
};

source s_remote {
	udp();
	tcp();
};

destination df_internal { file("/var/log/test/internal.log"); };
destination df_local { file("/var/log/test/local.log"); };
destination df_remote { file("/var/log/test/remote.log"); };

log { source(s_internal); destination(df_internal); };
log { source(s_local); destination(df_local); };
log { source(s_remote); destination(df_remote); };
-------------- next part --------------
Jan 17 12:44:30 clamp syslog-ng[8783]: syslog-ng starting up; version='2.0.0'

More information about the syslog-ng mailing list