[syslog-ng] log4j

Matthew Hall mhall at mhcomputing.net
Tue Mar 8 17:29:32 CET 2011


On Fri, Mar 04, 2011 at 11:27:37AM +0100, Peter Czanik wrote:
> Hello,
> 
> As I don't code in Java, I don't have any personal experience with
> log4j. But from e-mail and forum messages, and also from discussions at
> FOSDEM, I know that log4j is often used together with syslog-ng.
> 
> I ran into this log4j-related question this morning:
> http://serverfault.com/questions/242972/getting-syslog-ng-to-recognize-a-java-stacktrace
> 
> I'd like to ask if there is anybody who already has a solution for the
> above question or any other useful tips about log4j & syslog-ng to share.

The problem is we don't know whether the user and log4j were smart about 
how they generated and sent the message to syslog-ng.

A Java stack trace is multiple lines (one Java stack frame per line).

We need to learn exactly how they have configured it, with a packet 
capture of the problematic message, before we can say if it can be made 
to work.

If they have sent their multiline message via TCP with \n, all hope is 
lost, because the RFC says this must be interpreted as separate syslog 
messages. If they have sent it in separate UDP datagrams, same problem. 
If they sent all of it in one UDP datagram with \n, there are ways 
syslog-ng can decode that already if you set it up right.

Unfortunately almost nobody reads the manual of syslog-ng to set up this 
stuff, and even fewer people read the RFCs. This stuff is not magic and 
it does not automatically read the user's mind and do everything they 
want. People need to go step by step and put their pants on one leg at a 
time.

Matthew.
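
The three transport cases described in the message above, as an added example that is not part of the original post: a small Python model of how a receiver turns incoming bytes into syslog messages. The sample event, host name and class names are constructed, and the framing functions are a simplified model, not syslog-ng's own code.

```python
import re

# Constructed sample: one log4j-style event carrying a Java stack trace.
EVENT = (
    b"<11>Mar  8 17:29:32 apphost myapp: ERROR request failed\n"
    b"java.lang.IllegalStateException: boom\n"
    b"\tat com.example.Handler.run(Handler.java:42)\n"
    b"\tat java.lang.Thread.run(Thread.java:662)"
)

PRI = re.compile(rb"^<\d{1,3}>")  # syslog priority header, e.g. <11>


def frame_tcp_lf(stream):
    """Newline-delimited TCP: every LF in the stream ends a message."""
    return [m for m in stream.split(b"\n") if m]


def frame_udp(datagrams):
    """UDP: each datagram is exactly one message, embedded LFs included."""
    return list(datagrams)


def orphans(messages):
    """Messages with no PRI header: stack frames cut off from their event."""
    return [m for m in messages if not PRI.match(m)]


def compare():
    """Return {case: (message_count, orphan_count)} for the three cases."""
    cases = {
        "tcp_lf": frame_tcp_lf(EVENT + b"\n"),
        "udp_per_line": frame_udp(EVENT.split(b"\n")),
        "udp_single": frame_udp([EVENT]),
    }
    return {name: (len(msgs), len(orphans(msgs))) for name, msgs in cases.items()}


if __name__ == "__main__":
    for name, (count, lost) in compare().items():
        print(f"{name:13} messages={count} without_header={lost}")
```

In the first two cases the stack frames arrive as independent messages with no header, so the receiver has nothing in the message itself that ties them back to the original event.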

