[syslog-ng] Problems using the syslog-protocol flag
Andreas Maechler
2010-11-12 11:21:15 UTC
Hi all

Running syslog-ng 3.2beta1 on FreeBSD, I'm trying to use the
'syslog-protocol' flag in a unix-dgram source:

source s_local {
    unix-dgram("/var/run/log" flags(syslog-protocol));
    unix-dgram("/var/run/logpriv" perm(0600));
    file("/dev/klog" follow-freq(0) program-override("kernel")
         flags(no-parse));

    internal();
};

That option seems to be ignored though. If I force the option by
setting it manually in afsocket_sd_init_instance(), afsocket.c, all
works well and incoming messages get parsed according to IETF.

Am I missing something or is this a bug?

Thanks in advance.
Andreas
Balazs Scheidler
2010-11-14 11:47:51 UTC
Post by Andreas Maechler
> Hi all
> Running syslog-ng 3.2beta1 on FreeBSD, I'm trying to use the
> 'syslog-protocol' flag in a unix-dgram source:
> source s_local {
>     unix-dgram("/var/run/log" flags(syslog-protocol));
>     unix-dgram("/var/run/logpriv" perm(0600));
>     file("/dev/klog" follow-freq(0) program-override("kernel")
>          flags(no-parse));
>     internal();
> };
> That option seems to be ignored though. If I force the option by
> setting it manually in afsocket_sd_init_instance(), afsocket.c, all
> works well and incoming messages get parsed according to IETF.
> Am I missing something or is this a bug?
It may be a bug, but it also depends on the format you are sending to
that unix domain socket.

There are two things that make up the new-style IETF logging format:

1) the transport (e.g. framing format)
2) the message format

flags(syslog-protocol) specifies the message format, e.g. once a log
record is received by unix-dgram() the new style syslog message is
parsed and accepted (starting with 3.2 it also accepts both new & old
style)

The transport format currently cannot be set for unix domain sockets;
I'd call this an omission (or a bug, depending on the context).

This means that unix-dgram will be packet terminated, unix-stream would
be NL terminated (just like with regular, old-style messages).

This means that unix-dgram(flags(syslog-protocol)) would accept both the
new/old syslog message format without any kind of framing.

I've just tested it on my development environment, and it seems to work
fine.
--
Bazsi
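The two layers the reply separates, as an added example (my own code, not syslog-ng's and not posted by either participant): transport framing decides where one record ends, message format decides how the record's header is parsed, and flags(syslog-protocol) only touches the second. The record parser accepts both the RFC 5424 and the old BSD/RFC 3164 header, as the reply says 3.2 does; the framing helpers model packet-terminated unix-dgram(), newline-terminated unix-stream(), and the octet-counted "LEN SP RECORD" framing that the reply says cannot be selected for unix domain sockets. The socket path, the sample records and the "keep unparseable input as raw text" policy are all assumptions made for the demo, not syslog-ng behaviour.

```python
"""Added example: models the two layers the reply separates, transport
framing (layer 1) and message format (layer 2). Not syslog-ng code.
All sample records below are constructed for this demo."""
import os
import re
import socket
import tempfile

# ---- layer 2: message format (what flags(syslog-protocol) selects) ----
# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# (SD matching is simplified: no escaped ']' inside a PARAM-VALUE.)
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.S,
)
# RFC 3164 / BSD: <PRI>Mmm dd hh:mm:ss [HOST] TAG[PID]: MSG
# (records from syslog(3) on a local socket usually carry no hostname)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:(?P<host>[^\s:\[]+) )?(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$",
    re.S,
)


def parse_message(record: bytes) -> dict:
    """Parse one already-delimited record, accepting either header style
    (the 3.2 behaviour the reply describes). Unparseable input is kept
    as a raw message rather than dropped; that is this demo's policy."""
    text = record.decode("utf-8", errors="replace").rstrip("\r\n\0")
    for fmt, pattern in (("rfc5424", _RFC5424), ("rfc3164", _RFC3164)):
        m = pattern.match(text)
        if m and int(m.group("pri")) <= 191:   # PRI = facility*8 + severity
            d = m.groupdict()
            pri = int(d.pop("pri"))
            d.update(format=fmt, facility=pri >> 3, severity=pri & 7)
            return d
    return {"format": "unknown", "msg": text}


# ---- layer 1: transport framing (fixed by the source type) ----
def frame_datagram(packets):
    """unix-dgram(): one packet is one record; no delimiter is needed."""
    return [bytes(p) for p in packets]


def frame_newline(data: bytes):
    """unix-stream()/tcp() old style: records end at '\\n'.
    Returns (complete records, unterminated tail to keep buffering)."""
    *records, tail = data.split(b"\n")
    return records, tail


def frame_octet_counted(data: bytes):
    """'LEN SP RECORD' framing (RFC 6587 octet counting, as used by the
    syslog() TCP source). Per the reply, not selectable on unix-* sources."""
    records, pos = [], 0
    while pos < len(data):
        sp = data.find(b" ", pos)
        if sp < 0:
            break                        # header not complete yet
        if not data[pos:sp].isdigit():
            raise ValueError("bad octet-count header at offset %d" % pos)
        end = sp + 1 + int(data[pos:sp])
        if end > len(data):
            break                        # partial record, wait for more
        records.append(data[sp + 1:end])
        pos = end
    return records, data[pos:]


def roundtrip_unix_dgram(messages):
    """Deliver each record as one datagram over a unix socket, the way
    syslog(3) talks to /var/run/log, then parse what arrives."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "log")       # stand-in for /var/run/log
        rx = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        tx = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        try:
            rx.bind(path)
            for m in messages:
                tx.sendto(m, path)
            received = [rx.recv(65536) for _ in messages]
            return [parse_message(p) for p in frame_datagram(received)]
        finally:
            tx.close()
            rx.close()


# constructed sample records (hostname, app and text are made up)
NEW = b"<165>1 2010-11-12T11:21:15Z fbsd sshd 1234 ID47 - Accepted publickey for andreas"
OLD = b"<13>Nov 12 11:21:15 sshd[1234]: Accepted publickey for andreas"
MULTI = b"<165>1 2010-11-12T11:21:15Z fbsd app - - - line1\nline2"

if __name__ == "__main__":
    for rec in roundtrip_unix_dgram([NEW, OLD, MULTI]):
        print(rec["format"], rec.get("app") or rec.get("tag"), repr(rec["msg"]))
    # The same records over a newline-terminated stream: MULTI is cut in
    # two and its second half no longer parses as a syslog record.
    recs, tail = frame_newline(b"\n".join([NEW, OLD, MULTI]) + b"\n")
    print(len(recs), "records:", [parse_message(r)["format"] for r in recs])
```

Running the block shows the split the reply draws: over the datagram socket all three records, including the one with an embedded newline, parse with no framing at all, while the same bytes over a newline-terminated stream yield a broken fourth record. Switching the header style is entirely inside parse_message; which frame_* function applies is decided by the source type, and on unix-* sources in 3.2 that choice is not configurable.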