[syslog-ng] Problems with short messages
Balazs Scheidler
bazsi at balabit.hu
Wed Feb 13 19:55:26 CET 2008
On Wed, 2008-02-13 at 15:52 +0000, Joe Fegan wrote:
> Bazsi please correct me if I'm wrong, but I interpret your earlier
> email as
> "one UDP frame = one message" therefore if Guy wants to send longer
> messages over UDP he'll have to increase the frame size on the sender
> so that the entire message fits in one frame.
Absolutely right.
>
> > Date: Wed, 13 Feb 2008 09:12:49 -0500
> > From: network.monger at gmail.com
> > To: syslog-ng at lists.balabit.hu
> > Subject: Re: [syslog-ng] Problems with short messages
> >
> > I see what you are saying...
> > I don't think the length of a packet either 1024 or 69 bytes in
> length
> > is causing the problem.
> > The problem is that the second frame (the 69 byte one) is not going
> > to the appropriate file.
Yes, because it is a separate message, lacking syslog header
information.
> > It is going to the default "catch all" file instead of the one it
> should be.
> > If you look at the actual packet code... I believe the applications
> > part of the header is missing on the 69 byte packet.
> > Would this cause syslog-ng to dump the packet into the default catch
> > all file as opposed to the one specified by IP?
> >
Yes. If you want the complete line as a single message you need to send
it in its own UDP packet or use TCP (in which case NL (ascii 10)
terminates a message).
--
Bazsi
More information about the syslog-ng
mailing list