[syslog-ng] Space in tag causes parsing problems - syslog-ng 2.0.8

Mon May 18 18:13:27 CEST 2009

And btw strace of the syslog-ng process shows that the message it receives is the following:

read(15, "<13>May 18 16:44:04 hello world: second message\0", 8192) = 48

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Fegan, Joe
Sent: 18 May 2009 17:00
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] Space in tag causes parsing problems - syslog-ng 2.0.8

Syslog-ng 2.0.8

I found that logging a message with a space in the tag causes the first word of the tag to be used as the hostname. This does not happen with the standard syslogd.

Best illustrated by an example:

[root at kudos8 ~]# logger -t "hello" "here is a message"
[root at kudos8 ~]# tail -4 /var/log/messages
May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:41757
May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:44965
May 18 16:43:53 kudos8 info snmpd[5296]: Received SNMP packet(s) from UDP: [127.0.0.1]:44965
May 18 16:43:55 kudos8 notice hello: this is a message
[root at kudos8 ~]# 

This is expected behaviour.
Now see what happens when I put a space in the tag:

[root at kudos8 ~]# logger -t "hello world" "second message"
[root at kudos8 ~]# tail -5 /var/log/messages
May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:41757
May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:44965
May 18 16:43:53 kudos8 info snmpd[5296]: Received SNMP packet(s) from UDP: [127.0.0.1]:44965
May 18 16:43:55 kudos8 notice hello: this is a message
May 18 16:44:04 hello notice world: second message
[root at kudos8 ~]# 

See that "hello" was incorrectly used as the hostname.
This is 100% reproducible.

I stopped syslog-ng and started the standard syslogd instead.
Standard syslogd does not have this problem:

[root at kudos8 ~]# logger -t "hello" "here is a message"
[root at kudos8 ~]# logger -t "hello world" "second message"
[root at kudos8 ~]# service syslog-ng stop
Stopping syslog-ng:                                        [  OK  ]
[root at kudos8 ~]# service syslog start
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]
[root at kudos8 ~]# logger -t "hello world" "third message"
[root at kudos8 ~]# tail -10 /var/log/messages
May 18 16:54:25 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:33587
May 18 16:54:25 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:46177
May 18 16:54:25 kudos8 info snmpd[5296]: Received SNMP packet(s) from UDP: [127.0.0.1]:46177
May 18 16:54:30 kudos8 notice hello: here is a message
May 18 16:54:31 hello notice world: second message
May 18 16:54:34 kudos8 info syslog-ng[8737]: Termination requested via signal, terminating;
May 18 16:54:34 kudos8 notice syslog-ng[8737]: syslog-ng shutting down; version=\'2.0.8\'
May 18 16:54:38 kudos8 syslogd 1.4.1: restart.
May 18 16:54:38 kudos8 kernel: klogd 1.4.1, log source = /proc/kmsg started.
May 18 16:54:49 kudos8 hello world: third message
[root at kudos8 ~]# 
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html