[syslog-ng] [Bug 197] Characters lost when sending message over network that begins with {

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Tue Sep 25 11:15:34 CEST 2012 

https://bugzilla.balabit.com/show_bug.cgi?id=197


Gergely Nagy <algernon at balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |algernon at balabit.hu
         AssignedTo|bazsi at balabit.hu            |algernon at balabit.hu




--- Comment #1 from Gergely Nagy <algernon at balabit.hu>  2012-09-25 11:15:33 ---
(In reply to comment #0)
> When sending a message that begins with { over the network the leading parenthesis and white space are lost.

This is not a bug in syslog-ng, but a problem with the configuration:

> --------- syslog-ng.conf ---------
> source s_src {
>    system();
> };
> 
> source s_udp { udp(ip(127.0.0.1)); };
> destination d_testfile { file("/var/log/test_json" template("$MSG\n")); };
> destination d_udp_addparen { udp("127.0.0.1" template("{ second: { $MSG\n")); };
> destination d_filedirect { file("/var/log/test_jsondirect" template("{ second: { $MSG\n")); };
> log { source(s_src); destination(d_udp_addparen); destination(d_filedirect); };
> log { source(s_udp); destination(d_testfile); }; 
> -------- end syslog-ng.conf -------
> 

With this configuration, s_udp assumes a BSD-style syslog message as input, something that looks like this:
  <13>Sep 25 11:11:04 logger: { json type message }

However, in d_udp_addparen(), you send only the message part, and none of the other stuff, therefore s_udp ends up trying to parse it badly.

The solution here is either to use a flags(no-parse) option for s_udp, if you just want to send raw json, or modify the sending part to format a proper syslog
message (that's probably best done with a rewrite rule adding the necessary stuff to MSG, instead of a template)


-- 
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the syslog-ng mailing list