[syslog-ng] concatenated sendmail messages

Fran Loehmann fran at ft.necoxmail.com
Tue Jan 30 02:58:10 CET 2007


On Mon, 29 Jan 2007, Balazs Scheidler wrote:

> On Fri, 2007-01-26 at 12:11 -0500, Fran Loehmann wrote:
> > On Fri, 26 Jan 2007, Balazs Scheidler wrote:
> > 
> > > On Thu, 2007-01-25 at 14:18 -0500, Fran Loehmann wrote:
> > > > Hi,
> > > > 
> > > > I am new to syslog-ng and have set up a system using
> > > > eventlog-0.2.5 and syslog-ng-2.0.1
> > > > 
> > > > Local sendmail messages seem to have 2 entries together. I am
> > > > not sure if something is awry with the config included below,
> > > > but it seems to only happen with the sendmail entries from
> > > > sendmail running on the log host. 
> > > > 
> > > > I am trying to write messages to both /var/log/maillog and
> > > > /var/log/archive/2007-01-25. Messages logged from the sending
> > > > server seem ok but sendmail running on the log server appear to
> > > > be on the same line separated by <22>. 
> > > > 
> > > > Messages in maillog and 2007-01-25 look the same.
> > > 
> > > Can you strace sendmail (or syslog-ng) as it sends/receives a log
> > > message?
> > > 
> > > On unix-stream transport syslog-ng expects messages to be NL or NUL
> > > terminated.
> > 
> > In addition to my previous post with the syslog-ng strace
> > output I've attached what seems to be the relevant file from a
> > sendmail strace. (I am uncertain if you need all of the strace)
> > 
> > Seeing the following in the strace... 
> > connect(3, {sa_family=AF_FILE, path="/dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
> > 
> > ... I changed unix-stream("/dev/log"); to unix-dgram("/dev/log");
> > and the message appears as expected in the log.
> 
> This is a workaround and not a solution. It just happened that sendmail
> interops with unix-dgram() better than with unix-stream().
> 
> The problem with the strace dump you posted is that it does not contain
> the complete messages as sent by sendmail. You need to pass the '-s'
> parameter to strace to include longer strings (for example -s 4096)

Thank you for your guidance and patience. I traced sendmail
again and was able to see the messages sent to syslog-ng while
using unix-stream. I can send along the whole strace output if
helpful. It is ~128k in size.

I looked for the log messages below in the strace output.

Jan 29 19:41:16 secmgmt-cs02 sendmail[15692]: l0U0fGKc015692: from=<loehmanf at secmgmt-cs02.secmgmt.pvt>, size=385, class=0, nrcpts=1, msgid=<200701300041.l0U0fGWk015689 at secmgmt-cs02.secmgmt.pvt>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]<22>Jan 29 19:41:16 sendmail[15693]: l0U0fGKc015692: to=<loehmanf at secmgmt-cs02.secmgmt.pvt>, ctladdr=<loehmanf at secmgmt-cs02.secmgmt.pvt> (1011/999), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30636, dsn=2.0.0, stat=Sent

It seems the first message does not end in \0 as does the
second.

15692 send(3, "<22>Jan 29 19:41:16 sendmail[15692]: l0U0fGKc015692: from=<loehmanf at secmgmt-cs02.secmgmt.pvt>, size=385, class=0 , nrcpts=1, msgid=<200701300041.l0U0fGWk015689 at secmgmt-cs02.secmgmt.pvt>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]" , 238, MSG_NOSIGNAL) = -1 ENOTCONN (Transport endpoint is not connected)

15692 send(3, "<22>Jan 29 19:41:16 sendmail[15692]: l0U0fGKc015692: from=<loehmanf at secmgmt-cs02.secmgmt.pvt>, size=385, class=0 , nrcpts=1, msgid=<200701300041.l0U0fGWk015689 at secmgmt-cs02.secmgmt.pvt>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]" , 238, MSG_NOSIGNAL) = 238 

15693 send(3, "<22>Jan 29 19:41:16 sendmail[15693]: l0U0fGKc015692: to=<loehmanf at secmgmt-cs02.secmgmt.pvt>, ctladdr=<loehmanf at s ecmgmt-cs02.secmgmt.pvt> (1011/999), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30636, dsn=2.0.0, stat=Sent\0", 228, MSG_NOSIGNAL) = 228 

Thanks again,
Fran
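
The framing problem discussed in this thread, as an added example (not part of the original post and not syslog-ng's own code): a model stream reader that splits on NL or NUL, fed two constructed sends shortened from the strace above, plus a heuristic check for a priority tag in the middle of a record. StreamFramer and the helper names are hypothetical.

```python
import re

# Terminators a unix-stream reader looks for, per the thread: NL or NUL.
TERMINATORS = re.compile(rb"[\n\0]")
# Syslog priority tag such as <22>; one found mid-record suggests that
# two messages were glued together.
PRI = re.compile(rb"<\d{1,3}>")


class StreamFramer:
    """Hypothetical stream reader: cuts records on NL or NUL only."""

    def __init__(self):
        self.buf = b""

    def feed(self, data):
        """Add the bytes of one read(); return the records completed so far."""
        self.buf += data
        parts = TERMINATORS.split(self.buf)
        self.buf = parts.pop()  # trailing piece has no terminator yet
        return [p for p in parts if p]


def embedded_pri_offsets(record):
    """Offsets of priority tags after position 0 (signs of concatenation)."""
    return [m.start() for m in PRI.finditer(record) if m.start() > 0]


def split_concatenated(record):
    """Heuristic repair: cut a glued record at each embedded priority tag."""
    cuts = [0] + embedded_pri_offsets(record) + [len(record)]
    return [record[a:b] for a, b in zip(cuts, cuts[1:])]


# Constructed sends: the first has no terminator, the second ends in NUL.
SEND_1 = b"<22>Jan 29 19:41:16 sendmail[15692]: l0U0fGKc015692: from=<user@example>, size=385"
SEND_2 = b"<22>Jan 29 19:41:16 sendmail[15693]: l0U0fGKc015692: to=<user@example>, stat=Sent\0"


def demo():
    framer = StreamFramer()
    first = framer.feed(SEND_1)   # nothing terminated yet
    second = framer.feed(SEND_2)  # one record holding both messages
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("records after first send:", first)
    for msg in split_concatenated(second[0]):
        print(msg.decode())
```

The repair is only a heuristic, since message text may itself contain something that looks like a priority tag.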


