[syslog-ng] Syslog-NG forwarding the messages to a Remote TCP port with more than one message in a single packet

Balazs Scheidler bazsi at balabit.hu
Sun Mar 18 19:39:58 CET 2012


On Sat, 2012-03-17 at 19:48 +0530, anji prassana wrote:
> Hi Balint,
> 
>    Thanks for your kind reply and sorry for the delay. As I was on
> leave till today, my reply is delayed. However, I didn't use any
> template. The packet data which I had pasted in my previous message is
> what I received from the application running at the destination end
> "10.0.15.18" with port 9500; maybe this application is displaying it as
> a small letter 'm'. But syslog-ng is forwarding with 'M' only to the
> destination, with multiple messages in a single TCP packet. This has been
> confirmed through Wireshark. Please look into the attached image file
> captured from the packet analyzer tool Wireshark.
> 
> 
> I have attached a file which was captured through Wireshark to show
> you the multiple events forwarded by syslog-ng to the destination. But
> unfortunately it was rejected as it's not under the size limits of the
> syslog-ng pipermail.
> 
> Kindly assist me on how I can configure syslog-ng in order to send
> only one message per single TCP packet, or else to have a newline
> character '\n' at the end of each message.
> 
> Please let me know if you need any further information.

syslog-ng doesn't really care about packet boundaries when using TCP, as
that is against the spirit of TCP itself; however, it must correctly
delimit messages using \n, especially if you are not using templates.

Are you sure you correctly diagnosed the problem and the '\n's are not
there? It might very well happen that the same packet holds two (or more)
messages, but that's not an issue in itself.

The configuration file didn't have a template specification, so this
code should apply to your case (quoted from logwriter.c,
log_writer_format_log function):

          const gchar *p;
          gssize len;

          if (self->flags & LW_FORMAT_FILE)
            {
              log_stamp_format(stamp, result, self->options->template_options.ts_format,
                               time_zone_info_get_offset(self->options->template_options.time_zone_info[LTZ_SEND], stamp->tv_sec),
                               self->options->template_options.frac_digits);
            }
          else if (self->flags & LW_FORMAT_PROTO)
            {
              g_string_append_c(result, '<');
              format_uint32_padded(result, 0, 0, 10, lm->pri);
              g_string_append_c(result, '>');

              /* always use BSD timestamp by default, the use can override this using a custom template */
              log_stamp_append_format(stamp, result, TS_FMT_BSD,
                                      time_zone_info_get_offset(self->options->template_options.time_zone_info[LTZ_SEND], stamp->tv_sec),
                                      self->options->template_options.frac_digits);
            }
          g_string_append_c(result, ' ');

          p = log_msg_get_value(lm, LM_V_HOST, &len);
          g_string_append_len(result, p, len);
          g_string_append_c(result, ' ');

          if ((lm->flags & LF_LEGACY_MSGHDR))
            {
              p = log_msg_get_value(lm, LM_V_LEGACY_MSGHDR, &len);
              g_string_append_len(result, p, len);
            }
          else
            {
              p = log_msg_get_value(lm, LM_V_PROGRAM, &len);
              if (len > 0)
                {
                  g_string_append_len(result, p, len);
                  p = log_msg_get_value(lm, LM_V_PID, &len);
                  if (len > 0)
                    {
                      g_string_append_c(result, '[');
                      g_string_append_len(result, p, len);
                      g_string_append_c(result, ']');
                    }
                  g_string_append_len(result, ": ", 2);
                }
            }
          p = log_msg_get_value(lm, LM_V_MESSAGE, &len);
          g_string_append_len(result, p, len);
          g_string_append_c(result, '\n');
          log_writer_do_padding(self, result);


As you can see, the '\n' marker is unconditionally appended at the end
of the function.



-- 
Bazsi
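As an added illustration (not code from the thread or from syslog-ng), the receiver side of what the quoted writer code produces: a TCP stream in which messages are delimited by '\n', not by segment boundaries, so the destination application must buffer across segments and split on newlines. The sample segments are constructed; the header regex follows the no-template LW_FORMAT_PROTO layout quoted above and assumes default writer options with no padding.

```python
import re
from typing import List, Tuple

# Layout built by log_writer_format_log with no template:
#   "<PRI>" + BSD timestamp + " " + HOST + " " + [PROGRAM["[" PID "]"] + ": "] + MESSAGE + "\n"
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:(?P<program>[^\s:\[]+)(?:\[(?P<pid>[^\]]+)\])?: )?"
    r"(?P<msg>.*)$"
)

def split_stream(buffer: bytes, chunk: bytes) -> Tuple[List[bytes], bytes]:
    """Append one received TCP segment to the carried-over buffer and return
    every complete '\\n'-terminated message plus the unterminated remainder."""
    buffer += chunk
    *complete, rest = buffer.split(b"\n")   # rest is b"" if chunk ended on '\n'
    return complete, rest

def parse_bsd(line: bytes) -> dict:
    """Split one message into its header fields; PRI is decoded into facility/severity."""
    m = _HEADER.match(line.decode("utf-8", errors="replace"))
    if m is None:
        raise ValueError(f"not a syslog-ng legacy line: {line!r}")
    fields = m.groupdict()
    fields["facility"], fields["severity"] = divmod(int(fields.pop("pri")), 8)
    return fields

def reassemble(segments: List[bytes]) -> List[dict]:
    """Consume segments in arrival order; a message split across two segments
    is only emitted once its terminating '\\n' has arrived."""
    buf, out = b"", []
    for seg in segments:
        msgs, buf = split_stream(buf, seg)
        out.extend(parse_bsd(m) for m in msgs)
    if buf:
        raise ValueError("stream ended in the middle of a message")
    return out

# Constructed sample: segment 1 carries two whole messages and the start of a
# third; segment 2 carries the rest of the third message.
SEGMENTS = [
    b"<38>Mar 17 19:48:01 host1 sshd[1234]: Accepted publickey for alice\n"
    b"<13>Mar 17 19:48:02 host1 app: Message two\n"
    b"<86>Mar 17 19:48:03 host1 su[99]: session ope",
    b"ned for user root\n",
]
```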
