[syslog-ng] stupid question: syslogging plaintext non-syslog-format messages unchanged (netconsole)
Balazs Scheidler
bazsi at balabit.hu
Tue Nov 3 17:01:36 CET 2009
On Tue, 2009-10-20 at 21:30 +0100, Nix wrote:
> So I'm trying to get the Linux kernel netconsole working, to diagnose
> some nasty persistent panics... and after some struggle I've got most of
> it working, but I can't make syslog-ng (3.0 from git as of tonight)
> cooperate. The problem seems to be that netconsole is handing syslog-ng
> completely bare text lines over UDP, and syslog-ng is persistently
> trying to linebreak them at apparently random space characters, even
> with the no-parse flag turned on.
>
> Some specifics.
>
> I'm receiving the netconsole messages with the following (trimmed down
> from the real 500-line-long config, all global options preserved in this
> trim, I'm pretty sure this is everything relevant but I haven't tested
> this on its own yet 'cos it would break syslogging for a fairly large
> network to actually replace the syslog-ng config with this):
>
> ,----
> | options
> | {
> | keep_hostname(no);
> | create_dirs(1);
> | perm(0644);
> | dir_perm(0755);
> | log_fifo_size(1000);
> | use_dns(yes);
> | dns_cache(yes);
> | use_fqdn(no);
> | log_iw_size(5192);
> | flush_lines(100);
> | flush_timeout(1000);
> | stats_freq(3600);
> | chain_hostnames(yes);
> | };
> |
> | source netconsole
> | {
> | udp(ip(0.0.0.0) port(24183) log_fetch_limit(100) flags(no-parse no-multi-line));
> | };
> |
> | # A bare template, for netconsole messages.
> | template bare
> | {
> | template("$MSG\n");
> | template_escape(no);
> | };
> |
> | destination netconsole
> | {
> | file("/var/log/$HOST-netconsole.log"
> | template(bare));
> | };
> |
> | log
> | {
> | source(netconsole);
> | destination(netconsole);
> | };
> `----
>
> but this is not enough. Most of the time the same message is received
> over an ordinary syslog source, too, so I can compare the two. If the
> syslogged message reads:
>
> ,----
> | Oct 20 21:17:53 mutilate warning: : [ 6783.237435] pktcdvd: Fixed packets, 32 blocks, Mode-2 disc
> | Oct 20 21:17:53 mutilate warning: : [ 6783.238541] pktcdvd: write caching control failed
> | Oct 20 21:17:53 mutilate warning: : [ 6783.238547] pktcdvd: 55 10 00 00 00 00 00 00 14 00 00 00 - sense 05.00.00 (Illegal request)
> `----
>
> the netconsole message that's logged using the configuration above reads
>
> ,----
> | [ 6783.237435] pktcdvd: Fixed packets,
> | 32 blocks,
> | Mode-2 disc
> | [ 6783.238541] pktcdvd: write caching control failed
> | [ 6783.238547] pktcdvd:
> | 55
> | 10
> | 00
> | 00
> | 00
> | 00
> | 00
> | 00
> | 14
> | 00
> | 00
> | 00
> | -
> | sense 05.00.00
> | (Illegal request)
> `----
>
> This is obviously not sane. Removing the no-multi-line flag doesn't
> change anything at all (I only added it in desperation, because I *want*
> linebreaks in the original message to be reproduced in the output: I
> just don't want *more* linebreaks than are present in the original
> output), so that's not it either. I'm logging kernel messages using
>
> ,----
> | source local
> | {
> | unix-stream("/dev/log" flags(no-multi-line));
> | internal();
> | file("/proc/kmsg" program_override("kernel: ") flags(kernel no-multi-line));
> | };
> `----
>
> and things hanging off that, without incident: no random linebreaks or
> anything.
>
> So, what am I missing? It's probably incredibly obvious, but I've blown
> several hours hacking at configs and digging through the syslog-ng
> source and have seen nothing to indicate what's going on...
Hmm, I guess that the kernel outputs those characters as individual UDP
frames, right? At least syslog-ng probably receives them as individual
packets, perhaps because a single line of kernel message is generated by
separate printk() invocations in the kernel source. /proc/kmsg is not
packet terminated.
However I've personally used syslog-ng for netconsole, and I can't
remember having this issue.
Can you confirm that this is the case?
--
Bazsi
More information about the syslog-ng
mailing list