[syslog-ng] Unpredictable log output when message has many newlines
Balazs Scheidler
bazsi at balabit.hu
Sun Mar 23 22:07:58 CET 2008
On Fri, 2008-03-21 at 15:45 +0100, Jean-Baptiste Quenot wrote:
> Dear Balazs,
>
> I incorporated your patch to both 2.1 and 2.2 taken from git, and I
> could still reproduce the problem. Note that your patch did not apply
> directly on either of those branches, I had to redo by hand.
>
> These are the versions I have:
>
> libc6 2.6.1-1ubuntu10
> perl 5.8.8-7ubuntu3.1
> Linux 2.6.22-14-generic
Hmm... I seem to have been wrong. This issue has nothing to do with EOF
handling, rather it seems to be related to the fact that syslog-ng
accepts both NL and NUL as line terminators, but it prefers NUL over NL.
So if the current buffer contains a NUL character, it is used, if it
does not NL is used instead.
So if the following happens:
message1\nmessage2\nmessage3\n\0
^
|
+---- this is the read position
In this case message1 is processed normally, NL is taken as its line
terminator. Then the remainder is read and the buffer is like:
message2\nmessage3\n\0
^ read position
In this case NUL is spotted and the complete line "message2\nmessage3\n"
is taken as the log message.
This behaviour was changed in syslog-ng PE 2.1 (because of an unrelated
change), but not yet in syslog-ng OSE 2.1 & 2.0 (because the same change
was not commited to these branches).
I'm somewhat reluctant to change the 2.0 branch, as this change is right
in the middle of input processing, and I'd like to avoid regressions at
all costs.
So, I've just pushed a new change in syslog-ng 2.1, it includes the same
message parser as the PE version, which drops the NUL preference and
accepts either NUL or NL, whichever comes first.
I reran your testcase and it fixes the problem for me.
You can find the patch here:
http://git.balabit.hu/?p=bazsi/syslog-ng-2.1.git;a=commit;h=4de7f364ce8f29eb9b4cb56632060a7b0ed75acb
--
Bazsi
More information about the syslog-ng
mailing list