[syslog-ng] Writing a null character at the end of TCP payload

Balazs Scheidler bazsi77 at gmail.com
Sun Aug 10 21:19:18 CEST 2014


Hi,

I would prefer the creation of $(format-gelf) which would both solve the
NUL issue and make it easier for someone else to create GELF output.

Or alternatively, add an option to $(format-json) to add a suffix (and
perhaps a prefix) in front of and after the resulting string. That would be
useful for other purposes as well, and then $(format-gelf) could be
implemented by my latest patches that enable the definition of template
functions within the configuration file.

E.g.

template-function "format-gelf" "$(format-json --suffix "\x0" <format-json
arguments to produce gelf>)"

destination d_graylog {
    network("1.2.3.4" transport(tcp) template("$(format-gelf)"));
};


What do you think?



On Thu, Aug 7, 2014 at 8:02 PM, Nicolas Fédou <nicolas.fedou at gmail.com>
wrote:

> Yes, I am pretty sure as I have tested it (I posted the answer) :
>
> http://serverfault.com/questions/591758/send-echo-message-to-graylog2-via-gelf-tcp-12201-port
> After finding a clue in Graylog's issues :
>
> https://github.com/Graylog2/graylog2-server/issues/127#issuecomment-17563306
>
>
> Now, a function like template-escape() that may be called
> "template-null-ending()" or any other may be easier to deliver.
> Gelf has mandatory fields, a compression option and seems to read only the
> last GELF message per tcp frames as :
> { gelf 1 }\x0{ gelf 2 }\x0
> Graylog shows only "gelf  2"
> So, it forces the use of flush-lines(1).
>
>
>
>
> 2014-08-07 18:20 GMT+02:00 Balazs Scheidler <bazsi77 at gmail.com>:
>
> Hi,
>>
>> Adding a NUL via the template is difficult as the template compiler works
>> with zero terminated string, and even though the lexer allows the use of
>> \x0, this will indicate the end-of-the-string like you have seen it.
>>
>> Adding a zero byte would be possible by writing a template function
>> $(format-gelf) and that probably could sit within the json module, reusing
>> the infrastructure there.
>>
>> On the other hand, I've checked the GELF specification, and I can't see
>> the NUL byte being required.
>>
>> http://graylog2.org/gelf#specs
>>
>> Are you sure this is the issue?
>>
>> Bazsi
>>
>>
>> On Thu, Aug 7, 2014 at 11:09 AM, Nicolas Fédou <nicolas.fedou at gmail.com>
>> wrote:
>>
>>> Hello,
>>> I need to send a null character at the end of a message on a tcp
>>> output...
>>> But this null is considered to be an end of string.
>>>
>>> My use case is sending a GELF message to a graylog's tcp input.
>>> GELF message is a json syntax quite simple to comply with thanks to
>>> format-json.
>>> Graylog needs a null character at the end of a GELF message in TCP but
>>> not in UDP.
>>>
>>> I tried many combinations in the template with \x0, echo \x0,
>>> `global_definition_of_null`, etc...
>>> The matter is that null character when interpreted is an end of string,
>>> and is not written in the tcp message.
>>> I see truncated messages with ngrep.
>>> Like "a\x0b" gives "a" according to ngrep.
>>>
>>> I did not find any option to actually write a null character.
>>> Do you have any options ?
>>>
>>> As Graylog already has clients and libraries, I believe they won't
>>> remove the need for a null character.
>>> Shall I open an issue on syslog-ng to ask for an option in templates or
>>> in format-json ?
>>>
>>> Regards, Nicolas Fédou.
>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>>
>>
>>
>> --
>> Bazsi
>>
>>
>
>


-- 
Bazsi
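
The framing problem discussed in this thread, shown as an added example that is not part of the original messages and not syslog-ng or Graylog code: a NUL-delimited GELF/TCP frame has to be carried with an explicit length, because any strlen()-based handling stops before the delimiter. The function names and the sample JSON are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Append the GELF/TCP delimiter (one NUL byte) to a JSON document.
 * Returns the number of bytes to send, or 0 if out is too small.
 * The length is returned explicitly: strlen(out) would not count
 * the delimiter. (Hypothetical helper, not a syslog-ng API.) */
size_t gelf_tcp_frame(const char *json, char *out, size_t cap)
{
    size_t n = strlen(json);
    if (n + 1 > cap)
        return 0;
    memcpy(out, json, n);
    out[n] = '\0';              /* frame delimiter, part of the payload */
    return n + 1;
}

/* Receiver side: count complete NUL-terminated frames in a byte stream.
 * *consumed is set to the bytes covered by complete frames; whatever
 * follows is a partial frame to keep until the next read. */
size_t gelf_tcp_count_frames(const char *buf, size_t len, size_t *consumed)
{
    size_t frames = 0, start = 0;
    const char *nul;
    while (start < len && (nul = memchr(buf + start, '\0', len - start))) {
        start = (size_t)(nul - buf) + 1;
        frames++;
    }
    *consumed = start;
    return frames;
}

int main(void)
{
    /* Constructed sample messages, not taken from the thread. */
    const char *m1 = "{\"version\":\"1.1\",\"host\":\"h\",\"short_message\":\"one\"}";
    const char *m2 = "{\"version\":\"1.1\",\"host\":\"h\",\"short_message\":\"two\"}";
    char stream[256];
    size_t len = 0, used = 0, n;

    len += gelf_tcp_frame(m1, stream + len, sizeof stream - len);
    len += gelf_tcp_frame(m2, stream + len, sizeof stream - len);
    n = gelf_tcp_count_frames(stream, len, &used);
    /* strlen() sees only the first message; the length-aware scan sees both. */
    printf("stream=%zu bytes, strlen=%zu, frames=%zu, consumed=%zu\n",
           len, strlen(stream), n, used);
    return 0;
}
```

A receiver that treats the buffer as a single C string sees only the bytes before the first NUL, which matches the truncation reported with ngrep for "a\x0b".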