[syslog-ng] log4j
Matthew Hall
mhall at mhcomputing.net
Tue Mar 8 17:29:32 CET 2011
On Fri, Mar 04, 2011 at 11:27:37AM +0100, Peter Czanik wrote:
> Hello,
>
> As I don't code in Java, I don't have any personal experiences with
> log4j. But from e-mail and forum messages, and also from discussions at
> FOSDEM I know, that log4j is often used together with syslog-ng.
>
> I ran into this log4j related question this morning:
> http://serverfault.com/questions/242972/getting-syslog-ng-to-recognize-a-java-stacktrace
>
> I'd like to ask, if there is anybody who already has a solution for the
> above question or any other useful tips about log4j & syslog-ng to share.
The problem is we don't know whether the user and log4j were smart about
how they generated and sent the message to syslog-ng.
A Java stack trace is multiple lines (one Java stack frame per line).
We need to learn exactly how they have configured it, with a packet
capture of the problematic message, before we can say if it can be made
to work.
If they have sent their multiline message via TCP with \n, all hope is
lost, because the RFC says this must be interpreted as separate syslog
messages. If they have sent it in separate UDP datagrams, same problem.
If they sent all of it in one UDP datagram with \n, there are ways
syslog-ng can decode that already if you set it up right.
Unfortunately almost nobody reads the manual of syslog-ng to set up this
stuff, and even fewer people read the RFCs. This stuff is not magic and
it does not automatically read the user's mind and do everything they
want. People need to go step by step and put their pants on one leg at a
time.
Matthew.
More information about the syslog-ng
mailing list