[syslog-ng] TCP recv bug in syslog-ng v2.09?

Clayton Dukes cdukes at gmail.com
Thu Sep 2 18:45:23 CEST 2010


Thanks Bazsi,
Just as a final follow-up to this, we did end up using 12.4(24)T code and
the problem did go away. IOS 12.4(24)T also has the \n delimiter enabled by
default when you enable tcp logging.

Thanks Matt!
______________________________________________________________

Clayton Dukes
______________________________________________________________


On Thu, Sep 2, 2010 at 11:17 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:

> On Thu, 2010-08-19 at 09:29 -0600, syslogng at feystorm.net wrote:
> > I explained it already :-)
> > When the message comes in over TCP and doesn't end with a newline,
> > syslog-ng assumes the message is going to be continued in another
> > packet. When the cumulative total of all the messages exceeds the max
> > message size it flushes the buffer out and you get all the messages
> > mashed together at once.
> > You can try filing a bug report on bugzilla.balabit.com and request a
> > new flag or something that treats each packet on a tcp source as a
> > separate message, but I'd say the problem is more Cisco than syslog-ng
> > since syslog-ng works fine with all other sources except Cisco
> > devices :-/
> > Look at it this way, everything that sends logs out to tcp expects
> > the receiving syslog daemon to treat a packet without a newline as a
> > message to be continued in a later packet. If syslog-ng changed that
> > default behavior, all these other things that expect the behavior
> > would break.
>
> Also, the tcp stack doesn't inform syslog-ng where packets terminate. It
> only receives a stream of bytes, and potentially two packets can be
> concatenated or split when receiving.
>
> --
> Bazsi
>
>
>
>
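
The buffering behaviour described in the quoted replies above, as an added Python sketch that is not part of the original thread and is not syslog-ng's code. The 64-byte limit, the sample events and the names `NewlineFramer`, `frame`, `demo_without_delimiter` and `demo_with_delimiter` are all assumptions made for illustration.

```python
# Simplified model of newline framing on a TCP byte stream (added example,
# not syslog-ng source). MAX_MSG_SIZE and EVENTS are constructed values.
MAX_MSG_SIZE = 64  # assumed, kept small so the forced flush is visible
EVENTS = [  # constructed sample messages
    b"<189>10: %LINK-3-UPDOWN: Gi0/1 down",
    b"<189>11: %LINK-3-UPDOWN: Gi0/1 up",
    b"<190>12: %SYS-5-CONFIG_I: configured",
]

class NewlineFramer:
    """Reassemble messages from arbitrary chunks of a byte stream."""
    def __init__(self, max_size=MAX_MSG_SIZE):
        self.max_size = max_size
        self.buf = bytearray()

    def feed(self, chunk):
        """Buffer received bytes; return the messages that are now complete."""
        self.buf += chunk
        out = []
        while True:
            nl = self.buf.find(b"\n")
            if 0 <= nl <= self.max_size:
                cut, skip = nl, 1             # delimiter found: one clean message
            elif len(self.buf) >= self.max_size:
                cut, skip = self.max_size, 0  # no delimiter: forced flush
            else:
                return out                    # keep waiting for more bytes
            out.append(bytes(self.buf[:cut]))
            del self.buf[:cut + skip]

def frame(chunks):
    """Feed chunks in order; return (messages, bytes still buffered)."""
    framer = NewlineFramer()
    messages = [m for chunk in chunks for m in framer.feed(chunk)]
    return messages, bytes(framer.buf)

def demo_without_delimiter():
    # One send per event and no trailing newline: events run together.
    return frame(EVENTS)

def demo_with_delimiter():
    # Newline after every event; chunk boundaries deliberately ignore events.
    stream = b"".join(e + b"\n" for e in EVENTS)
    return frame([stream[:20], stream[20:70], stream[70:]])

if __name__ == "__main__":
    print(demo_without_delimiter())
    print(demo_with_delimiter())
```

Without the delimiter the first record that comes out is a 64-byte slice spanning the first event and part of the second, with the rest still held in the buffer; with the delimiter the three events come out intact even though the chunk boundaries fall mid-message.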