[syslog-ng] concatenated sendmail messages

Balazs Scheidler bazsi at balabit.hu
Mon Jan 29 09:29:59 CET 2007


On Fri, 2007-01-26 at 12:11 -0500, Fran Loehmann wrote:
> On Fri, 26 Jan 2007, Balazs Scheidler wrote:
> 
> > On Thu, 2007-01-25 at 14:18 -0500, Fran Loehmann wrote:
> > > Hi,
> > > 
> > > I am new to syslog-ng and have set up a system using
> > > eventlog-0.2.5 and syslog-ng-2.0.1
> > > 
> > > Local sendmail messages seem to have 2 entries together. I am
> > > not sure if something is awry with the config included below,
> > > but it seems to only happen with the sendmail entries from
> > > sendmail running on the log host. 
> > > 
> > > I am trying to write messages to both /var/log/maillog and
> > > /var/log/archive/2007-01-25. Messages logged from the sending
> > > server seem ok but sendmail running on the log server appear to
> > > be on the same line separated by <22>. 
> > > 
> > > Messages in maillog and 2007-01-25 look the same.
> > 
> > can you strace sendmail (or syslog-ng) as it sends/receives a log
> > message?
> > 
> > on unix-stream transport syslog-ng expects messages to be NL or NUL
> > terminated.
> 
> In addition to my previous post with the syslog-ng strace
> output I've attached what seems to be the relevant file from a
> sendmail strace. (I am uncertain if you need all of the strace)
> 
> Seeing the following in the strace... 
> connect(3, {sa_family=AF_FILE, path="/dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
> 
> ... I changed unix-stream("/dev/log"); to unix-dgram("/dev/log");
> and the message appears as expected in the log.

This is a workaround and not a solution. It just happened that sendmail
interops with unix-dgram() better than with unix-stream().

The problem with the strace dump you posted is that it does not contain
the complete messages as sent by sendmail. You need to pass the '-s'
parameter to strace to include longer strings (for example -s 4096).

-- 
Bazsi
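
The framing rule discussed in this thread, as an added example (not part of the original message and not syslog-ng's code): a simplified stream receiver that ends records at NL or NUL, next to a datagram receiver, plus a heuristic check for a second `<PRI>` header inside one stored record. The sample records, class and function names are constructed for illustration, and the unterminated writes are an assumed sender behaviour, not something the thread confirms about sendmail.

```python
import re

# Constructed sample records (not from the poster's logs). PRI 22 is
# facility mail (2) * 8 + severity info (6).
MSG_A = b"<22>sendmail[1201]: l0Q0001: from=<a@example.org>, size=512"
MSG_B = b"<22>sendmail[1202]: l0Q0001: to=<b@example.org>, stat=Sent"

PRI = re.compile(rb"<\d{1,3}>")


class StreamFramer:
    """Simplified model of a stream receiver: records end at NL or NUL."""

    def __init__(self):
        self.buf = b""

    def feed(self, data):
        # Keep the unterminated tail buffered until its terminator arrives.
        parts = re.split(rb"[\n\x00]", self.buf + data)
        self.buf = parts.pop()
        return [p for p in parts if p]

    def flush(self):
        # At end of stream, whatever is left becomes one record.
        rest, self.buf = self.buf, b""
        return [rest] if rest else []


def receive_stream(writes):
    """Records seen on a stream socket: write boundaries are not preserved."""
    framer, records = StreamFramer(), []
    for chunk in writes:
        records += framer.feed(chunk)
    return records + framer.flush()


def receive_dgram(writes):
    """Records seen on a datagram socket: one datagram is one record."""
    return [w.rstrip(b"\n\x00") for w in writes]


def has_embedded_pri(record):
    """Heuristic check for a second <PRI> header after the start of a record."""
    return PRI.search(record, 1) is not None


if __name__ == "__main__":
    for rec in receive_stream([MSG_A, MSG_B]):
        print(has_embedded_pri(rec), rec)
```

Running `has_embedded_pri` over stored log lines flags records where message boundaries were lost on the way in; it is a heuristic and will also match a literal `<NNN>` inside message text.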


