[syslog-ng] Problems using the syslog-protocol flag
Balazs Scheidler
bazsi at balabit.hu
Sun Nov 14 12:47:51 CET 2010
On Fri, 2010-11-12 at 12:21 +0100, Andreas Maechler wrote:
> Hi all
>
> Running syslog-ng 3.2beta1 on FreeBSD, I'm trying to use the
> 'syslog-protocol' flag in a unix-dgram source:
>
> source s_local {
>     unix-dgram("/var/run/log" flags(syslog-protocol));
>     unix-dgram("/var/run/logpriv" perm(0600));
>     file("/dev/klog" follow-freq(0) program-override("kernel")
>          flags(no-parse));
>
>     internal();
> };
>
> That option seems to be ignored though. If I force the option by
> setting it manually in afsocket_sd_init_instance(), afsocket.c, all
> works well and incoming messages get parsed according to IETF.
>
> Am I missing something or is this a bug?

It may be a bug, but it also depends on the format you are sending to
that unix domain socket.

There are two things that make up the new-style IETF logging format:

1) the transport (e.g. framing format)
2) the message format

flags(syslog-protocol) specifies the message format, e.g. once a log
record is received by unix-dgram() the new style syslog message is
parsed and accepted (starting with 3.2 it also accepts both new & old
style).

The transport format currently cannot be set for unix domain sockets,
I'd call this an omission (or a bug, depending on the context).

This means that unix-dgram will be packet terminated, unix-stream would
be NL terminated (just like with regular, old-style messages).

This means that unix-dgram(flags(syslog-protocol)) would accept both the
new/old syslog message format without any kind of framing.

I've just tested it on my development environment, and it seems to work
fine.

--
Bazsi
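
The split between transport and message format described in the reply above, as an added example that is not part of the original post and is not syslog-ng code: the same records are sent over a unix datagram socket (packet terminated) and a unix stream socket (NL terminated), then parsed as new-style or old-style. The function names, the simplified regular expressions and the sample records are assumptions made for the illustration.

```python
import re
import socket

# Simplified header parsers (assumption: not syslog-ng's own parser).
# RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG
IETF = re.compile(r"<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[.*?\])+) ?(.*)", re.S)
# Old style on a local socket: <PRI>Mmm dd hh:mm:ss TAG[PID]: MSG
BSD = re.compile(r"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) ([^:\[\s]+)(?:\[\d+\])?: (.*)", re.S)

# Constructed sample records.
NEW = b"<13>1 2010-11-14T12:47:51+01:00 host1 myapp 123 - - new-style message"
OLD = b"<13>Nov 14 12:47:51 myapp[123]: old-style message"
MULTI = b"<13>1 2010-11-14T12:47:52+01:00 host1 myapp 123 - - line one\nline two"

def parse(record: bytes) -> dict:
    """Message format: try new-style first, then fall back to old-style."""
    text = record.decode("utf-8", "replace")
    for name, rx, app, msg in (("ietf", IETF, 4, 8), ("bsd", BSD, 3, 4)):
        m = rx.fullmatch(text)
        if m:
            pri = int(m.group(1))
            return {"format": name, "facility": pri >> 3, "severity": pri & 7,
                    "app": m.group(app), "msg": m.group(msg)}
    return {"format": "unparsed", "msg": text}

def recv_dgram(msgs):
    """Transport: one datagram is one record, no framing bytes needed."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    with tx, rx:
        for m in msgs:
            tx.send(m)
        return [parse(rx.recv(8192)) for _ in msgs]

def recv_stream(msgs):
    """Transport: byte stream, records are split on newline."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with tx, rx:
        tx.sendall(b"".join(m + b"\n" for m in msgs))
        tx.shutdown(socket.SHUT_WR)
        buf = b""
        while chunk := rx.recv(4096):
            buf += chunk
        return [parse(line) for line in buf.split(b"\n") if line]

if __name__ == "__main__":
    for label, fn in (("dgram", recv_dgram), ("stream", recv_stream)):
        for rec in fn([NEW, OLD, MULTI]):
            print(label, rec)
```

Over the datagram socket the three records arrive as three messages, including the one with an embedded newline; over the stream socket that record is cut at the newline and its second half no longer parses as either format.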