[syslog-ng] Space in tag causes parsing problems - syslog-ng 2.0.8

Fegan, Joe Joe.Fegan at hp.com
Thu May 21 12:02:52 CEST 2009


Hi Balazs,

Thanks for the reply. Yes, a regexp might solve my specific problem, which is that one of the primary services on our ExDS machines recently changed its log messages to have a space in the tag field and that is screwing up the log files in the manner outlined below. I know what the bad string will be - it's always the same - so I'll experiment with bad_hostnames().

Thanks,
Joe. 

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: 21 May 2009 07:52
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Space in tag causes parsing problems - syslog-ng 2.0.8

On Mon, 2009-05-18 at 16:13 +0000, Fegan, Joe wrote:
> And btw strace of the syslog-ng process shows that the message it receives is the following:
> 
> read(15, "<13>May 18 16:44:04 hello world: second message\0", 8192) = 48

Since the syslog message format is ambiguous, it is not possible to
differentiate between the format:

$DATE $HOST $MSG

and 

$DATE $MSG

(e.g. the hostname is optional). syslog-ng assumes that the first word
is the hostname, even if the message is received from local transport
(e.g. unix domain socket or pipe).

The solution is to use the bad_hostnames() regexp to match against the names
that are sure to be wrong.

>  
> 
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Fegan, Joe
> Sent: 18 May 2009 17:00
> To: syslog-ng at lists.balabit.hu
> Subject: [syslog-ng] Space in tag causes parsing problems - syslog-ng 2.0.8
> 
> Syslog-ng 2.0.8
> 
> I found that logging a message with a space in the tag causes the first word of the tag to be used as the hostname. This does not happen with the standard syslogd.
> 
> Best illustrated by an example:
>  
> [root at kudos8 ~]# logger -t "hello" "here is a message"
> [root at kudos8 ~]# tail -4 /var/log/messages
> May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:41757
> May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:44965
> May 18 16:43:53 kudos8 info snmpd[5296]: Received SNMP packet(s) from UDP: [127.0.0.1]:44965
> May 18 16:43:55 kudos8 notice hello: this is a message
> [root at kudos8 ~]# 
> 
> This is expected behaviour.
> Now see what happens when I put a space in the tag:
> 
> [root at kudos8 ~]# logger -t "hello world" "second message"
> [root at kudos8 ~]# tail -5 /var/log/messages
> May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:41757
> May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:44965
> May 18 16:43:53 kudos8 info snmpd[5296]: Received SNMP packet(s) from UDP: [127.0.0.1]:44965
> May 18 16:43:55 kudos8 notice hello: this is a message
> May 18 16:44:04 hello notice world: second message
> [root at kudos8 ~]# 
> 
> See that "hello" was incorrectly used as the hostname.
> This is 100% reproducible.
> 
> I stopped syslog-ng and started the standard syslogd instead.
> Standard syslogd does not have this problem:
> 
> [root at kudos8 ~]# logger -t "hello" "here is a message"
> [root at kudos8 ~]# logger -t "hello world" "second message"
> [root at kudos8 ~]# service syslog-ng stop
> Stopping syslog-ng:                                        [  OK  ]
> [root at kudos8 ~]# service syslog start
> Starting system logger:                                    [  OK  ]
> Starting kernel logger:                                    [  OK  ]
> [root at kudos8 ~]# logger -t "hello world" "third message"
> [root at kudos8 ~]# tail -10 /var/log/messages
> May 18 16:54:25 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:33587
> May 18 16:54:25 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:46177
> May 18 16:54:25 kudos8 info snmpd[5296]: Received SNMP packet(s) from UDP: [127.0.0.1]:46177
> May 18 16:54:30 kudos8 notice hello: here is a message
> May 18 16:54:31 hello notice world: second message
> May 18 16:54:34 kudos8 info syslog-ng[8737]: Termination requested via signal, terminating;
> May 18 16:54:34 kudos8 notice syslog-ng[8737]: syslog-ng shutting down; version=\'2.0.8\'
> May 18 16:54:38 kudos8 syslogd 1.4.1: restart.
> May 18 16:54:38 kudos8 kernel: klogd 1.4.1, log source = /proc/kmsg started.
> May 18 16:54:49 kudos8 hello world: third message
> [root at kudos8 ~]# 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
> 
-- 
Bazsi
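
The ambiguity Balazs describes, worked through as an added example (this is illustrative code written for this page, not syslog-ng's parser). It models the BSD-style line exactly as strace showed it arriving on the local socket and applies the heuristic from the reply: the first word after the timestamp is taken as the hostname unless it looks like a tag or matches a bad-hostname regexp, in which case the sender's own host is used. The tag test (a word containing ':' or '['), the decision to keep spaces inside the rescued program name, and the local host name "kudos8" are assumptions of this model, not documented syslog-ng behaviour. In a real syslog-ng.conf the option is spelled bad_hostname() inside the options block; the point of the example is that without it host-based filtering and correlation silently attribute "second message" to a host called "hello".

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed samples. The first is exactly what strace showed syslog-ng reading
# from the local socket in the thread (trailing NUL dropped); the second is the
# single-word-tag case that the thread shows parsing correctly.
SAMPLES = [
    "<13>May 18 16:44:04 hello world: second message",
    "<13>May 18 16:43:55 hello: this is a message",
]

SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# <PRI>Mmm dd hh:mm:ss followed by the ambiguous "$HOST $MSG" or "$MSG" part.
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<rest>.*)$"
)


@dataclass
class ParsedMessage:
    facility: int
    severity: int
    timestamp: str
    host: str
    program: str
    message: str


def split_tag(text: str) -> Tuple[str, str]:
    """Split 'prog[pid]: msg' or 'prog: msg' into (program, message).

    Spaces are allowed inside the program so that a rescued 'hello world: ...'
    keeps its whole tag (a choice of this model, not documented syslog-ng behaviour).
    """
    m = re.match(r"^(?P<prog>[^:\[]+?)\s*(\[\d+\])?:\s*(?P<msg>.*)$", text)
    if not m:
        return "", text
    return m.group("prog"), m.group("msg")


def parse_bsd(raw: str, local_host: str,
              bad_hostname: Optional[re.Pattern] = None) -> ParsedMessage:
    """Parse one BSD-style line the way the thread describes syslog-ng doing it.

    The first word after the timestamp is taken as the hostname unless it looks
    like a tag (contains ':' or '[', an assumption of this model) or matches the
    bad_hostname regexp; in those cases the sender's host is used and the word
    stays part of the message.
    """
    m = BSD_HEADER.match(raw)
    if not m:
        raise ValueError("not a BSD syslog line")
    pri = int(m.group("pri"))
    rest = m.group("rest")
    first, _, remainder = rest.partition(" ")
    looks_like_tag = ":" in first or "[" in first
    rejected = bad_hostname is not None and bad_hostname.search(first) is not None
    if looks_like_tag or rejected or not remainder:
        host, body = local_host, rest
    else:
        host, body = first, remainder
    program, message = split_tag(body)
    return ParsedMessage(pri >> 3, pri & 7, m.group("ts"), host, program, message)


def render(p: ParsedMessage) -> str:
    """Render in the '$DATE $HOST $LEVEL $PROGRAM: $MSG' layout seen in the thread's log."""
    return f"{p.timestamp} {p.host} {SEVERITY_NAMES[p.severity]} {p.program}: {p.message}"


def demo() -> Tuple[str, str]:
    """Return the misattributed rendering and the rendering with the bad-hostname fix."""
    broken = render(parse_bsd(SAMPLES[0], "kudos8"))
    fixed = render(parse_bsd(SAMPLES[0], "kudos8", re.compile(r"^hello$")))
    return broken, fixed


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run stand-alone it prints the line from the thread's log ("May 18 16:44:04 hello notice world: second message") followed by the same message with the regexp in force, where the host is back to kudos8 and the program is "hello world". The regexp only rescues names you already know are wrong, which is why it fits Joe's case of a fixed, known tag and is not a general cure for the format's ambiguity.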
