[syslog-ng] TCP recv bug in syslog-ng v2.09?

Balazs Scheidler bazsi at balabit.hu
Thu Sep 2 17:17:28 CEST 2010


On Thu, 2010-08-19 at 09:29 -0600, syslogng at feystorm.net wrote:
> I explained it already :-)
> When the message comes in over TCP and doesn't end with a newline,
> syslog-ng assumes the message is going to be continued in another
> packet. When the cumulative total of all the messages exceeds the max
> message size it flushes the buffer out and you get all the messages
> mashed together at once.
> You can try filing a bug report on bugzilla.balabit.com and request a
> new flag or something that treats each packet on a TCP source as a
> separate message, but I'd say the problem is more Cisco than syslog-ng
> since syslog-ng works fine with all other sources except Cisco
> devices :-/
> Look at it this way, everything that sends logs out to TCP expects
> the receiving syslog daemon to treat a packet without a newline as a
> message to be continued in a later packet. If syslog-ng changed that
> default behavior, all these other things that expect the behavior
> would break.

Also, the TCP stack doesn't inform syslog-ng where packets terminate. It
only receives a stream of bytes, and potentially two packets can be
concatenated or split when receiving.

-- 
Bazsi
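
A simplified model of the behaviour discussed in this thread, as an added example that is not syslog-ng's code and not part of the original posts: a receiver that frames a TCP byte stream on newlines and flushes an undelimited buffer once it reaches a size limit. The class name, the `max_msg_size` parameter and the sample messages are constructed for illustration.

```python
class NewlineFramer:
    """Simplified model of newline-delimited framing on a TCP byte stream."""

    def __init__(self, max_msg_size=8192):
        # Assumed limit standing in for the receiver's maximum message size.
        self.max_msg_size = max_msg_size
        self.buf = bytearray()

    def feed(self, chunk):
        """Take the bytes one recv() returned; return the messages completed by them."""
        self.buf += chunk
        out = []
        while True:
            nl = self.buf.find(b"\n")
            if nl != -1 and nl <= self.max_msg_size:
                # A delimiter arrived: everything before it is one message.
                out.append(bytes(self.buf[:nl]))
                del self.buf[:nl + 1]
            elif len(self.buf) >= self.max_msg_size:
                # No usable delimiter and the buffer is full: flush it as one
                # "message", whatever it happens to contain.
                out.append(bytes(self.buf[:self.max_msg_size]))
                del self.buf[:self.max_msg_size]
            else:
                # Incomplete message: keep it and wait for more bytes.
                return out


def run(chunks, max_msg_size=8192):
    """Feed a sequence of recv() results through one framer."""
    framer = NewlineFramer(max_msg_size)
    return [msg for chunk in chunks for msg in framer.feed(chunk)]


# Constructed sample data. The chunk boundaries are arbitrary, as they are
# on a real TCP stream: they do not line up with message boundaries.
WELL_FORMED = [b"<13>host app: fir", b"st\n<13>host app: second\n<13>ho",
               b"st app: third\n"]
# A sender that writes one message per send() but never appends a newline.
NO_NEWLINE = [b"<189>1: link up", b"<189>2: link down",
              b"<189>3: config changed"]

if __name__ == "__main__":
    print(run(WELL_FORMED))                  # three separate messages
    print(run(NO_NEWLINE, max_msg_size=32))  # first two messages fused into one
```

With the newline-terminated input the result is the same however the stream is cut into chunks; with the unterminated input the receiver has nothing to split on, so the output depends only on when the size limit is reached.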


