[syslog-ng] Logs after "\n" are getting truncated

Balazs Scheidler bazsi at balabit.hu
Wed Nov 9 21:29:51 CET 2011 

On Tue, 2011-11-08 at 15:02 +0100, Gergely Nagy wrote:
> Swati4 M/TVM/TCS <swati4.m at tcs.com> writes:
> 
> > Hi All,
> >
> > When logging multiline messages (simple strings with in-line newlines
> > "\n") our logs only show the first line (ie) before "\n" is
> > encountered and rest of the line after the first newline
> > character("\n") is truncated.
> 
> The main issue is that the syslog protocol is line-oriented: each line
> should be prefixed with a syslog-style header. Your logging function
> doesn't do that, I believe.
> 
> This results in syslog-ng not being able to parse the second line.
> 
> There are a few options I can think of: one is to modify your
> application to send each line as a separate log message (but then
> they'll appear as separate logs on the output aswell, so this might not
> be a desirable option).
> 
> Another option would be to modify your application to NOT send a syslog
> message header at all, and use flags(no-parse) on the syslog-ng source
> side, and a custom parser, if you want to turn the message into
> something syslog-like.
> 
> A third option would be to use an intermediate relay (a script, perhaps)
> that does some heuristics to discover where a message starts, and strips
> newlines until it finds another message, then sends the previous over to
> syslog-ng.
> 
> The third would be the easiest, but probably the least performant
> too. It's the only one that doesn't need changes on the application
> side, though.
> 
> There might be other options aswell, but these are the ones I could
> think of quickly.
> 

Are you using the syslog() API to fire off this event with an embedded
NL in it? Or HS_MAP_INFO_LOG() writes messages to a logfile and then you
are tailing that with syslog-ng?

If the first, then using unix-dgram() as the local log transport may
help you get the NLs inside syslog-ng. In that case each and every
datagram sent to /dev/log will be logged as a separate message, even if
it contains NLs.

unix-stream() doesn't work as in unix-stream NL is used as the record
terminator.

-- 
Bazsi

More information about the syslog-ng mailing list