[syslog-ng] Logs after "\n" are getting truncated

Swati4 M/TVM/TCS swati4.m at tcs.com
Thu Nov 10 11:18:13 CET 2011


Hi,

Thanks for your response.
Modifying the transport to unix-dgram fixes my issue. The logs are no longer getting truncated after \n. However, I just wanted to clarify: would changing the unix logging facility affect the remote logging or traffic in any way? I am using UDP ports for logging into remote.

Thanks & Regards
Swati


----- Original Message -----
From: "Balazs Scheidler" <bazsi at balabit.hu>
To: "Syslog-ng users' and developers' mailing list" <syslog-ng at lists.balabit.hu>
Sent: Thursday, November 10, 2011 1:59:51 AM
Subject: Re: [syslog-ng] Logs after "\n" are getting truncated

On Tue, 2011-11-08 at 15:02 +0100, Gergely Nagy wrote:
> Swati4 M/TVM/TCS <swati4.m at tcs.com> writes:
> 
> > Hi All,
> >
> > When logging multiline messages (simple strings with in-line newlines
> > "\n") our logs only show the first line (i.e.) before "\n" is
> > encountered and rest of the line after the first newline
> > character ("\n") is truncated.
> 
> The main issue is that the syslog protocol is line-oriented: each line
> should be prefixed with a syslog-style header. Your logging function
> doesn't do that, I believe.
> 
> This results in syslog-ng not being able to parse the second line.
> 
> There are a few options I can think of: one is to modify your
> application to send each line as a separate log message (but then
> they'll appear as separate logs on the output as well, so this might not
> be a desirable option).
> 
> Another option would be to modify your application to NOT send a syslog
> message header at all, and use flags(no-parse) on the syslog-ng source
> side, and a custom parser, if you want to turn the message into
> something syslog-like.
> 
> A third option would be to use an intermediate relay (a script, perhaps)
> that does some heuristics to discover where a message starts, and strips
> newlines until it finds another message, then sends the previous over to
> syslog-ng.
> 
> The third would be the easiest, but probably the least performant
> too. It's the only one that doesn't need changes on the application
> side, though.
> 
> There might be other options as well, but these are the ones I could
> think of quickly.
> 

Are you using the syslog() API to fire off this event with an embedded
NL in it? Or HS_MAP_INFO_LOG() writes messages to a logfile and then you
are tailing that with syslog-ng?

If the first, then using unix-dgram() as the local log transport may
help you get the NLs inside syslog-ng. In that case each and every
datagram sent to /dev/log will be logged as a separate message, even if
it contains NLs.

unix-stream() doesn't work, as in unix-stream NL is used as the record
terminator.

-- 
Bazsi
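
The framing difference discussed in this thread, as an added example that is not part of the original messages and is not syslog-ng code: a small Python model of a datagram receiver and a newline-delimited stream receiver handling the same message. The sample message, the `myapp` name and the helper functions are constructed for illustration, and the sender appending NL on the stream socket is an assumption of this model.

```python
import re
import socket

# Constructed sample: one application message with an embedded newline.
SAMPLE = b"<14>Nov 10 11:18:13 myapp[4242]: request failed\nreason: backend timeout"

PRI_HEADER = re.compile(rb"^<\d{1,3}>")  # syslog priority prefix, e.g. <14>


def has_header(record):
    """True if the record starts with a syslog <PRI> prefix."""
    return PRI_HEADER.match(record) is not None


def receive_dgram(payloads):
    """Datagram framing: one recv() returns exactly one sent datagram."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        for p in payloads:
            tx.send(p)
        return [rx.recv(65536) for _ in payloads]
    finally:
        tx.close()
        rx.close()


def receive_stream(payloads):
    """Stream framing: the reader splits the byte flow into records at NL."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        for p in payloads:
            tx.sendall(p + b"\n")  # assumption: sender ends each message with NL
        tx.shutdown(socket.SHUT_WR)
        buf = b""
        while chunk := rx.recv(4096):
            buf += chunk
        return [line for line in buf.split(b"\n") if line]
    finally:
        tx.close()
        rx.close()


if __name__ == "__main__":
    for name, fn in (("dgram", receive_dgram), ("stream", receive_stream)):
        for rec in fn([SAMPLE]):
            print(name, has_header(rec), rec)
```

In the stream case the second record arrives without a `<PRI>` header, which is the fragment a line-oriented receiver cannot parse as a syslog message.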

