[syslog-ng] Syslog UDP extra packet?
Balazs Scheidler
bazsi at balabit.hu
Fri Dec 11 08:09:51 CET 2009
On Thu, 2009-12-10 at 13:28 +1100, Syslog Beginner wrote:
> Hello Syslog Experts,
>
> I have a question on the syslog-ng. I use syslog-ng 3.0.2. I tried to
> setup syslog-ng to forward syslog messages to other host. I tested 2
> destination driver, udp() and syslog() as per below.
>
> test 1: udp("10.x.x.x" port(514))
>
> test 2: syslog("10.x.x.x" transport("udp") port(514));
>
> I found that with udp() driver, syslog-ng just forwards the incoming
> log messages to external host. No problem. However, with the syslog()
> driver, I found that syslog-ng generate 2 udp packets
>
> packet1... contains only 4 bytes in payload, I think this is message
> length??
> packet2... is the actual syslog udp packet.
>
> Is it possible to disable the first packet? this just create the
> overhead unnecessarily? Please advise. Thanks.
This was a bug in the RFC5424 driver when using the UDP transport, it
sent a separate frame length packet which is only needed for TCP.
This was fixed in 3.0.5 with this patch:
Author: Tevesz Andras <ghost at balabit.hu> 2009-11-05 15:34:54
Committer: Balazs Scheidler <bazsi at balabit.hu> 2009-11-26 20:45:46
Parent: d25ad4f5373a6a4bf2f1f5ed37147a10412fe30d ([test_sql]: properly
checks the existence of sqlite3 and libdbd-sqlite3.)
Child: 1d7aafd4ebfc7c18ed4402148febb44b274e9ab9 (Fixed a possible race
in file driver preemption, where wildcard driver couldn't change)
Branches: master, remotes/balabit/master, remotes/origin/master
Follows: v3.0.4
Precedes: v3.0.5
[afsocket] fixed syslog over udp and framing issue (fixes: #19639)
syslog-ng used framing in dgram transports
--
Bazsi
More information about the syslog-ng
mailing list