[syslog-ng] Syslog-NG forwarding the messages to a Remote TCP port with more than one message in a single packet

Balint Kovacs balint.kovacs at balabit.com
Wed Mar 7 09:34:18 CET 2012


Hi Anji,

at first glance it seems as if you are using a template in your 
destination (because of the small m in mar) and are missing the "\n" 
from the end of the template. Are you sure that you have pasted the 
right config snippet?

Balint

On 03/07/2012 05:38 AM, anji prassana wrote:
> I am using syslog-ng version:
> [root at Cypher-210 ~]# /usr/local/sbin/syslog-ng -V
> syslog-ng 3.3.3
> Installer-Version: 3.3.3
> Revision: 
> ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.3#master#d199a1980be6b23fe24189e86a882812288e292c
> Compile-Date: Mar  6 2012 13:06:17
> Default-Modules: 
> affile,afprog,afsocket,afuser,basicfuncs,csvparser,parser,syslogformat
> Available-Modules: 
> afprog,convertfuncs,affile,afsocket-tls,confgen,csvparser,syslogformat,dbparser,basicfuncs,afmongodb,dummy,afuser,afsocket
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-IPv6: on
> Enable-Spoof-Source: off
> Enable-TCP-Wrapper: on
> Enable-Linux-Caps: on
> Enable-Pcre: on
>
>
> Problem:
> ------------
> Syslog-ng is forwarding the TCP packets to a remote TCP port with more 
> than one message in a single TCP packet. But, in between the messages 
> inside a packet, it doesn't include any delimiter like "\n" or some 
> other. But the receiving program that listens on TCP requires a newline as 
> a delimiter between messages so as to parse the messages individually. 
> But, as syslog-ng doesn't include a separator between messages in a 
> packet, the receiver simply considers all the messages in a packet as 
> a single message, which leads to false and unacceptable parsing.
>
> Please look into the following messages that exist in a single TCP 
> packet. The one I colored red is the start of a new message.
>
> root : tty=unknown ; pwd=/ ; user=root ; command=/bin/grep ^shutdown: 
> /etc/shadow *<13>*mar  6 17:22:15 cypher-210 sudo:     root : 
> tty=unknown ; pwd=/ ; user=root ; command=/usr/bin/head -n 4 
> /etc/inittab *<13>*mar  6 17:22:15 cypher-210 sudo:     root : 
> tty=unknown ; pwd=/ ; user=root ; command=/usr/bin/tail -n 1 
> *<13>*mar  6 17:22:15 cypher-210 sshd[5583]: pam_unix(sshd:session): 
> session opened for user root by (uid=0) *<13>*mar  6 17:22:15 
> cypher-210 sshd[5765]: accepted password for root from 10.0.15.218 
> port 44258 ssh2 <13>mar  6 17:22:15 cypher-210 sshd[5765]: 
> pam_unix(sshd:session): session opened for user root by (uid=0) 
> *<13>*mar  6 17:22:16 cypher-210 sshd[5278]: pam_unix(sshd:session): 
> session closed for user root *<13>*mar  6 17:22:17 cypher-210 
> pam_timestamp_check: pam `/' permissions are lax <13>mar  6 17:22:17 
> cypher-210 sshd[5281]: pam_unix(sshd:session): session closed for user 
> root *<13>*mar  6 17:22:17 cypher-210 sudo:     root : tty=unknown ; 
> pwd=/ ; user=root ; command=/bin/grep ^shutdown: /etc/shad
>
> These are the settings I made in the syslog-ng.conf file:
>
> source s_test {
>   internal();
>   unix-stream("/dev/log");
>   udp();
>   file("/var/log/syslog-ng_local");
> };
>
> destination d_test {
>   # My program listening on TCP port 9500 requires a newline as a separator for each message.
>   tcp("10.0.15.18" port(9500));
> };
> log {
>   source(s_test); destination(d_test);
> };
>
> Can anyone kindly help me,
> 1. How can I limit one TCP packet to hold only one message?
>               [or]
> 2. How can I add a newline as a delimiter between each message before the 
> packets are forwarded to a destination so that it could parse properly?
>
> Your help is really appreciated.
>
> Thanks&Regards
> Anjaneyulu P
>
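The framing problem behind the question, as an added example that is not code from this thread or from syslog-ng. TCP hands a receiver a byte stream: the sender's write() boundaries ("packets") are not preserved, so a receiver can only separate messages if the sender frames them, either with a trailing newline (which is why a custom destination template must end in "\n", as the reply above points out) or with the octet-count prefix that RFC 6587 defines as the alternative. The code below shows a receiver that buffers across arbitrary recv() chunk boundaries for both framings, and a small <PRI> parser; the sample messages are constructed, modelled on the lines quoted in the thread, and the class and function names are this example's own.

```python
"""Receiver-side framing for syslog over TCP (added example; not from the thread or syslog-ng)."""
import re
from typing import List, Optional, Tuple

PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed samples modelled on the messages quoted in the thread.
MESSAGES = [
    b"<13>Mar  6 17:22:15 cypher-210 sudo:     root : tty=unknown ; pwd=/ ; "
    b"user=root ; command=/bin/grep ^shutdown: /etc/shadow",
    b"<13>Mar  6 17:22:15 cypher-210 sshd[5583]: pam_unix(sshd:session): "
    b"session opened for user root by (uid=0)",
    b"<13>Mar  6 17:22:16 cypher-210 sshd[5278]: pam_unix(sshd:session): "
    b"session closed for user root",
]
UNDELIMITED = b"".join(MESSAGES)                    # what the poster saw on the wire
DELIMITED = b"".join(m + b"\n" for m in MESSAGES)   # what a template ending in "\n" sends


class NewlineFramer:
    """Reassemble newline-delimited messages across arbitrary recv() chunk boundaries."""

    def __init__(self, max_len: int = 64 * 1024) -> None:
        self._buf = bytearray()
        self.max_len = max_len  # bound the buffer so an unframed sender cannot grow it forever

    def feed(self, chunk: bytes) -> List[bytes]:
        """Append a chunk and return every message it completes (LF or CRLF terminated)."""
        self._buf += chunk
        out: List[bytes] = []
        while True:
            idx = self._buf.find(b"\n")
            if idx < 0:
                break
            line = bytes(self._buf[:idx]).rstrip(b"\r")
            del self._buf[: idx + 1]
            if line:
                out.append(line)
        if len(self._buf) > self.max_len:
            raise ValueError("no delimiter within max_len bytes: sender is not newline-framing")
        return out

    @property
    def pending(self) -> bytes:
        """Bytes received but not yet terminated by a delimiter."""
        return bytes(self._buf)


class OctetCountFramer:
    """RFC 6587 octet counting: each message is prefixed by its length in ASCII digits and a space."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> List[bytes]:
        self._buf += chunk
        out: List[bytes] = []
        while True:
            sp = self._buf.find(b" ")
            if sp < 0:
                break  # length header not complete yet
            head = self._buf[:sp]
            if not head.isdigit():
                raise ValueError("malformed octet-count header")
            n = int(bytes(head))
            if len(self._buf) < sp + 1 + n:
                break  # wait for the rest of this message
            out.append(bytes(self._buf[sp + 1 : sp + 1 + n]))
            del self._buf[: sp + 1 + n]
        return out


def parse_pri(msg: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Split the <PRI> header into (facility, severity, remainder); None if absent or out of range."""
    m = PRI_RE.match(msg)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 0..23, severity 0..7
        return None
    return pri >> 3, pri & 7, msg[m.end():]


def demo(chunk_size: int = 50) -> dict:
    """Feed both samples through NewlineFramer in small chunks; returns {name: (recovered, bytes pending)}."""
    results = {}
    for name, stream in (("delimited", DELIMITED), ("undelimited", UNDELIMITED)):
        framer = NewlineFramer()
        got: List[bytes] = []
        for i in range(0, len(stream), chunk_size):
            got.extend(framer.feed(stream[i : i + chunk_size]))
        results[name] = (len(got), len(framer.pending))
    return results
```

Running `demo()` recovers all three messages from the newline-framed stream and none from the undelimited one, whose bytes simply sit in the buffer: that is the receiver-side view of what the poster observed, and no amount of "one message per packet" on the sender side changes it, because the receiver never sees packet boundaries. The `max_len` guard turns an unframed or runaway sender into a clean error instead of unbounded memory growth.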