[syslog-ng] Syslog-NG forwarding the messages to a Remote TCP port with more than one message in a single packet

anji prassana anji.it26 at gmail.com
Wed Mar 7 05:38:10 CET 2012


I am using syslog-ng version:
[root at Cypher-210 ~]# /usr/local/sbin/syslog-ng -V
syslog-ng 3.3.3
Installer-Version: 3.3.3
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.3#master#d199a1980be6b23fe24189e86a882812288e292c
Compile-Date: Mar  6 2012 13:06:17
Default-Modules:
affile,afprog,afsocket,afuser,basicfuncs,csvparser,parser,syslogformat
Available-Modules:
afprog,convertfuncs,affile,afsocket-tls,confgen,csvparser,syslogformat,dbparser,basicfuncs,afmongodb,dummy,afuser,afsocket
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Pcre: on


Problem:
------------
Syslog-ng is forwarding the TCP packets to a remote TCP port with more than
one message in a single TCP packet. But in between the messages inside a
packet, it doesn't include any delimiter like "\n" or some other. But the
receiving program listening on TCP requires a newline as a delimiter between
messages so as to parse the messages individually. But as syslog-ng
doesn't include a separator between messages in a packet, the receiver simply
considers all the messages in a packet as a single message, which leads to
false and unacceptable parsing.

Please look into the following messages that exist in a single TCP packet. The
one I colored red is the start of a new message.

root : tty=unknown ; pwd=/ ; user=root ; command=/bin/grep ^shutdown:
/etc/shadow *<13>*mar  6 17:22:15 cypher-210 sudo:     root : tty=unknown ;
pwd=/ ; user=root ; command=/usr/bin/head -n 4 /etc/inittab *<13>*mar  6
17:22:15 cypher-210 sudo:     root : tty=unknown ; pwd=/ ; user=root ;
command=/usr/bin/tail -n 1 *<13>*mar  6 17:22:15 cypher-210 sshd[5583]:
pam_unix(sshd:session): session opened for user root by (uid=0) *<13>*mar
6 17:22:15 cypher-210 sshd[5765]: accepted password for root from
10.0.15.218 port 44258 ssh2 <13>mar  6 17:22:15 cypher-210 sshd[5765]:
pam_unix(sshd:session): session opened for user root by (uid=0) *<13>*mar
6 17:22:16 cypher-210 sshd[5278]: pam_unix(sshd:session): session closed
for user root *<13>*mar  6 17:22:17 cypher-210 pam_timestamp_check: pam `/'
permissions are lax <13>mar  6 17:22:17 cypher-210 sshd[5281]:
pam_unix(sshd:session): session closed for user root *<13>*mar  6 17:22:17
cypher-210 sudo:     root : tty=unknown ; pwd=/ ; user=root ;
command=/bin/grep ^shutdown: /etc/shad

These are the settings I made in the syslog-ng.conf file:

source s_test {
  internal();
  unix-stream("/dev/log");
  udp();
  file("/var/log/syslog-ng_local");
};

destination d_test {
  tcp("10.0.15.18" port(9500)); # My program listening on TCP port 9500
                                # requires a newline as a separator for each message.
};
log {
  source(s_test); destination(d_test);
};

Can anyone kindly help me:
1. How can I limit one TCP packet to hold only one message?
              [or]
2. How can I add a newline as a delimiter between each message before the
packet(s) are forwarded to a destination so that it could parse properly?

Your help is really appreciated.

Thanks&Regards
Anjaneyulu P
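As an added example (not from this post, and not syslog-ng's own code), a receiver-side parser in Python for the stream described above: it splits on newline framing where present and, when messages arrive back to back with no delimiter, falls back to splitting at the next "<PRI>" header, holding a message cut off at a packet boundary (as "/etc/shad" is in the quoted packet) until the rest arrives. The class name and the sample packets are constructed; the packets are modelled on the messages quoted in the post.

```python
import re

# A BSD syslog message starts with a PRI header "<N>", N in 0..191 (RFC 3164).
PRI_RE = re.compile(rb"<(\d{1,3})>")


def _is_pri(m: re.Match) -> bool:
    return int(m.group(1)) <= 191


class SyslogStreamParser:
    """Reassemble syslog messages from a TCP byte stream (hypothetical helper).

    Newline-terminated messages are split on "\n", as the receiver in the post
    expects.  Messages concatenated with no delimiter are split where the next
    "<PRI>" header begins; this is a heuristic, since "<13>" could also occur
    inside a message body, so newline framing remains the reliable option.
    """

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, data: bytes) -> list[str]:
        self.buf += data
        out: list[str] = []
        starts = [m.start() for m in PRI_RE.finditer(self.buf) if _is_pri(m)]
        if not starts:
            return out  # no complete boundary yet; wait for more data
        # Bytes before the first PRI header are the tail of a message whose
        # start was in a packet we never saw; emit them rather than drop them.
        if starts[0] > 0:
            out.append(self.buf[:starts[0]].decode("utf-8", "replace").rstrip("\r\n"))
        for a, b in zip(starts, starts[1:]):
            out.append(self.buf[a:b].decode("utf-8", "replace").rstrip("\r\n"))
        tail = self.buf[starts[-1]:]
        if tail.endswith(b"\n"):
            # Newline framing proves the last message is complete.
            out.append(tail.decode("utf-8", "replace").rstrip("\r\n"))
            self.buf = b""
        else:
            # Possibly cut by the packet boundary: keep it for the next feed().
            self.buf = tail
        return out


# Constructed sample packets: three messages run together with no delimiter,
# the last one cut off mid-word, then a packet that completes it.
PACKET_1 = (
    b"<13>mar  6 17:22:15 cypher-210 sshd[5765]: accepted password for root from 10.0.15.218 port 44258 ssh2"
    b"<13>mar  6 17:22:16 cypher-210 sshd[5278]: pam_unix(sshd:session): session closed for user root"
    b"<13>mar  6 17:22:17 cypher-210 sudo:     root : tty=unknown ; pwd=/ ; user=root ; command=/bin/grep ^shutdown: /etc/shad"
)
PACKET_2 = b"ow\n<13>mar  6 17:22:18 cypher-210 sshd[5281]: pam_unix(sshd:session): session closed for user root\n"


def parse_packets(packets: list[bytes]) -> list[str]:
    parser = SyslogStreamParser()
    msgs: list[str] = []
    for p in packets:
        msgs.extend(parser.feed(p))
    return msgs
```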