[syslog-ng] Syslog-NG 3.0.5 incorrectly parsing messages without program names

Larry Low llow at telesphere.com
Tue Dec 15 18:01:30 CET 2009


> On Tue, 2009-12-15 at 08:06 -0800, Larry Low wrote:
> > > On Mon, 2009-12-14 at 08:21 -0800, Larry Low wrote:
> > > > > On Fri, 2009-12-11 at 12:12 -0800, Larry Low wrote:
> > > > > > > > In the past I used the MSG macro to get the full syslog message. Now
> > > > > > > > MSG is broken into MSG and MSGHDR.
> > > > > > > >
> > > > > > > > If a message comes in without a program name such as "exiting on signal
> > > > > > > > 15" or "last message repeated 20 times", syslog-ng incorrectly takes
> > > > > > > > the first word as the program name.  Trying to rebuild it with
> > > > > > > > $MSGHDR$MSG causes an erroneous : to be placed on these messages since
> > > > > > > > $MSGHDR is filled in with "exiting" and "last".
> > > > > > >
> > > > > > > I found a previous post and tried adding store-legacy-msghdr. The
> > > > > > > problem now is that MSGHDR still includes the first word such as
> > > > > > > "exiting" and "last" but no colon but on messages like "kernel : Kernel
> > > > > > > logging (proc) stopped.", "kernel: " is put in MSGHDR but then also
> > > > > > > placed in MSG and MSGONLY.
> > > > > >
> > > > > > Noticed one more thing, if the PID is included in the syslog message
> > > > > > then MSG and MSGONLY do not repeat process and pid when
> > > > > > store-legacy-msghdr on.
> > > > >
> > > > > if you enable 'store-legacy-msghdr' syslog-ng will not try hard to
> > > > > properly parse program/pid information from the incoming message,
> > > > > rather it simply stores all the characters up to the first space/colon
> > > > > character in MSGHDR.
> > > > >
> > > > > But still $MSG will _not_ contain any of that. In order to get the full
> > > > > message you need to use
> > > > >
> > > > > $MSGHDR$MSG
> > > > >
> > > > Yes but does not work when parsing "program: ".  When this happens
> > > > both MSGHDR and MSG include "program: ".  Both "program " and
> > > > "program[pid]: ", however, do get placed in MSGHDR and not repeated in
> > > > MSG.
> > >
> > > I really try to understand, but I can't. Can you please post an example
> > > log message, how you feel it should be processed and why syslog-ng
> > > doesn't do the right thing?
> > >
> > > Thanks.
> > >
> >
> > With 'store-legacy-msghdr' on.
> >
> > Message = "program: I am logging something."
> > $MSGHDR = "program: "
> > $MSG = "program: I am logging something."
> > $MSGHDR$MSG = "program: program: I am logging something."
> 
> I can't reproduce with either the flag set, or unset. What I did was the
> following:
> 
> I've sent "program: I am logging something." to the UDP port opened by
> syslog-ng (without a full syslog header, but you didn't include that
> information either), the result was:

The exact payload is "<6>kernel: Kernel logging (proc) stopped."
 
> 
> MSGHDR = [program: ], MSG = [I am logging something.]
> MSGHDR = [program: ], MSG = [I am logging something.]
> 
> Then I tried to add a complete syslog header, but it again worked:
> 
> Dec 15 15:55:55 bzorp program: I am logging something.
> 
> So, I'm out of ideas what the difference might be.
> 
> Ah... one idea: did you mark your configuration as '@version: 3.0'
> properly?
Yes.

For now I am sticking with the 2.1.4 but will come back to this later when I have some time.

> 
> --
> Bazsi
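
Added example, not part of the thread and not syslog-ng's parser: a Python illustration of the header split under discussion, in which a leading word counts as a program name only when a colon (optionally after `[pid]`) terminates it, so that joining the header and the message reproduces the original text. The function names, regular expressions and sample lines are constructed for illustration.

```python
import re

# Assumed shapes of a legacy (BSD-style) syslog line; not syslog-ng's grammar.
_PRI = re.compile(r"^<(\d{1,3})>")
_TS_HOST = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ ")
# A tag is accepted only if ':' ends it, optionally after a numeric [pid].
_TAG = re.compile(r"^([^\s:\[\]]+)(?:\[(\d+)\])?: ?")


def split_legacy(line):
    """Split a line into pri, program, pid, msghdr and msg."""
    out = {"pri": None, "program": "", "pid": "", "msghdr": "", "msg": ""}
    m = _PRI.match(line)
    if m:
        out["pri"] = int(m.group(1))
        line = line[m.end():]
    m = _TS_HOST.match(line)
    if m:
        line = line[m.end():]  # timestamp and host are dropped here
    m = _TAG.match(line)
    if m:
        out["program"] = m.group(1)
        out["pid"] = m.group(2) or ""
        out["msghdr"] = m.group(0)  # exact characters consumed, e.g. "kernel: "
        line = line[m.end():]
    # Without a colon-terminated tag the whole text stays in msg, so
    # "exiting" or "last" is never mistaken for a program name.
    out["msg"] = line
    return out


def rebuild(parsed):
    """Equivalent of a $MSGHDR$MSG template over the parsed fields."""
    return parsed["msghdr"] + parsed["msg"]


# Constructed sample lines based on the messages quoted in the thread.
SAMPLES = [
    "<6>kernel: Kernel logging (proc) stopped.",
    "<6>exiting on signal 15",
    "<6>last message repeated 20 times",
    "<13>Dec 15 15:55:55 bzorp program[123]: I am logging something.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        p = split_legacy(s)
        print(repr(p["msghdr"]), repr(p["msg"]), "->", repr(rebuild(p)))
```
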

