[syslog-ng] [Bug 215] New: syslog-ng v3 - tcp() does not support no-multi-line as docs reference.

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Wed Jan 2 19:14:31 CET 2013 

https://bugzilla.balabit.com/show_bug.cgi?id=215

           Summary: syslog-ng v3 - tcp() does not support no-multi-line as
                    docs reference.
           Product: syslog-ng
           Version: 3.3.x
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi at balabit.hu
        ReportedBy: balabit at 32ths.com
Type of the Report: ---
   Estimated Hours: 0.0


So after doing some test cases, I've noticed that on no-multi-line is not stripping newlines on v3.3.7. I've not tested previous versions yet.

Here is my syslog-ng config:

source s_net_tcp {
        tcp(ip(0.0.0.0) port(514) flags(no-multi-line));
};

destination all { file("/var/log/all"); };

log {
        source(s_net_tcp);
        destination(all);
        flags(final);
};

I've also attempted to do this with no-parse flags passed in to no avail. 
When using the udp() source, it works just fine.


My test case:

# cat blah
line1
line2
line3

# cat blah | nc -r -n myhost 514

And on "myhost"
Jan  2 12:25:16 192.2.0.1 line1
Jan  2 12:25:16 192.2.0.1 line2
Jan  2 12:25:16 192.2.0.1 line3

So I assume this has something to do with it:

https://bugzilla.balabit.com/show_bug.cgi?id=74

Particularly about newlines being message terminators over tcp(), however, why do the docs even say tcp() supports the no-multi-line flag?

Maybe there is a way to adjust the terminator if this is the case? I must admit, I was curious what syslog-ng would do if the message size exceeded the mtu of
the network. With UDP, I assume the end of the packet is the end of the message so any messages large enough to span two udp packets would actually be two log
entries. I assumed it would also be the case with TCP, even if it is stream based.

So the potential problems I see are:
1. tcp() doesn't really support no-multi-line (bug) or
2. the docs should be updated to not say it supports no-multi-line (bug) or
3. I've overlooked the doc references or
4. I'm missing some option (terminator?) in order to get tcp() to work with no-multi-line. (env)

Thanks as always,

- Mike


-- 
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the syslog-ng mailing list