[syslog-ng] multiline messages via unix socket

Balazs Scheidler bazsi at balabit.hu
Fri Sep 4 09:28:19 CEST 2009


On Wed, 2009-09-02 at 20:47 +0800, Max Arnold wrote:
> On Wed, Sep 02, 2009 at 10:55:49AM +0000, Balazs Scheidler wrote:
> > > Can someone look at this bugreport: http://bugs.python.org/issue6444
> > > In short, when multiline log messages are sent via the /dev/log socket they are split into
> > > multiple log entries. Only the first entry will have a proper timestamp and facility.
> > > 
> > > This behavior differs from sysklogd and metalog, where multiple lines are concatenated.
> > > Even syslog-ng itself concatenates them when used via udp socket.
> > > 
> > I guess this depends on whether you are using unix-stream() or
> > unix-dgram().
> > 
> > The first concatenates it, the 2nd doesn't. Simply because unix-dgram
> > knows about the size of the datagrams whereas unix-stream doesn't.
> 
> Thank you for the reply!
> 
> Is it safe to use unix-dgram as a replacement (on Linux)?  I've googled several mailing
> list messages about the lesser reliability of datagram-oriented sockets.  Are these concerns
> still valid?

Well, SOCK_DGRAM sockets in the IP protocols are not reliable (that is,
they are implemented using UDP), however my latest findings about the
same in the UNIX socket domain are that they are indeed flow controlled
and thus no packet drops occur (the sender will block if the queue is
full).

All syslog daemons where this option is non-configurable use
unix-dgram(), thus I guess it is not worse to use the same in syslog-ng.
(This was not the case a couple of years ago.)

One thing is sure, unix-dgram uses fewer resources and, as you state, can
handle multiple lines per message.

Since there's a lot of confusion in the area (and I might be partly
responsible for that), I'd recommend you to test this yourself (for
example using the 'loggen' utility bundled with syslog-ng) and see
whether any drops occur. And once you did that, it'd be a great service
to the community to publish your results backed with facts, this way the
confusion could lessen.

-- 
Bazsi
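
The framing and drop questions discussed in this thread can be checked locally with the sketch below. It is an added example, not part of the original message and not syslog-ng code; the sample record, the function names and the newline-splitting reader are assumptions made for illustration.

```python
import socket

# Constructed sample: one syslog record (<14> = user.info) whose body spans three lines.
MESSAGE = (b"<14>Sep  4 09:28:19 app: Traceback (most recent call last):\n"
           b"  File \"x.py\", line 1\nValueError: boom")

def receive_dgram(payload):
    """SOCK_DGRAM keeps message boundaries: one send() is one recv()."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        tx.send(payload)
        return [rx.recv(65536)]
    finally:
        tx.close()
        rx.close()

def receive_stream(payload):
    """SOCK_STREAM is a byte stream: the reader (assumed here) splits on newline."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        tx.sendall(payload + b"\n")
        tx.close()  # end of stream lets the reader loop finish
        data = b""
        while chunk := rx.recv(4096):
            data += chunk
        return [line for line in data.split(b"\n") if line]
    finally:
        rx.close()

def fill_and_drain(limit=100000):
    """Send without blocking until the kernel refuses, then drain; returns (sent, received)."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    tx.setblocking(False)
    rx.setblocking(False)
    sent = received = 0
    try:
        while sent < limit:
            try:
                tx.send(b"<14>test message %d" % sent)
            except OSError:  # queue full: the send is refused, nothing is discarded
                break
            sent += 1
        while True:
            try:
                rx.recv(65536)
            except BlockingIOError:  # queue empty
                break
            received += 1
        return sent, received
    finally:
        tx.close()
        rx.close()

if __name__ == "__main__":
    print(len(receive_dgram(MESSAGE)), len(receive_stream(MESSAGE)), fill_and_drain())
```

Every datagram accepted by the kernel in `fill_and_drain` is later read back, so a mismatch between the two counts would indicate drops on the local platform.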



