[syslog-ng] a log message is output in the two line

Sandor Geller sandor.geller at ericsson.com
Fri Jun 24 16:32:24 CEST 2016


Hi,

On 06/24/2016 04:10 PM, Hirose, Shinsaku wrote:
> Hello, all,
>
> I use syslog-ng-3.2.5-4.el6.x86_64 on Centos6.
> I got it from eple epel repository.
>
> I am troubled in how to use the source file driver.
> The touble is that a log message is output in the two lines on remote syslog server.
>
> How to reproduce is followings.
>
> 1. Prepare two hosts running syslog-ng.
>
>    Host_A configuration is followings.
>    ----------------------------------------
>    source test {
>      file("/tmp/a.log");
>    };
>    destination d_remote { udp("192.168.0.2"); };
>    log { source(test); destination(d_remote); };
>    ----------------------------------------

UDP transport limits datagram size to 64k

>    Host_B(192.168.0.2) configuration is defaults.
>
> 2.Execute following command on Host_A.
>
>    $ seq 8193 | (xargs -i echo -n "a";echo "") >> /tmp/a.log
>
> 3.Check the log on Host_B.
>
>    As the result, a log message is output in the two lines on Host_B.
>
>    One line is following. The num of "a" is 8192.
>    aaaaaaaaaaaaa.......
>
>    The other line is following. The num of "a" is 1.
>    a
>
> I hope a log message is output in the one line on Host_B.
> Is my hope readily achievable?


syslog isn't rsync so the syslog standards must get taken into account. 
Original syslog was designed to work with single-line, small messages 
(up to 1k) fitting into a single UDP packet to avoid fragmentating the 
datagram.

IIRC the maximal message size in syslog-ng defaults to 8192 bytes, so 
from stream-like sources input will be splitted when this length is reached.

> Please advise me.

You can raise log_msg_size to higer value but don't expect that values 
larger than 64k will work with the udp() transport. You should switch to 
another transport driver like tcp() or even better to syslog()

Regards,

Sandor



More information about the syslog-ng mailing list