Subject: Re: syslog-ng truncating pipe template output - msg#00060
List: syslog-ng
On Fri, Nov 19, 2004 at 06:42:09PM +0100, James Masson wrote:
> I've been trying to figure out an obscure problem with syslog-ng
> importing to a mysql database.
>
> I have various types of network devices feeding syslog-ng on local3
> through local6. I can import from Cisco, UNIX servers, Windows - but not
> Netscreen firewalls!
>
> Each device type gets its own mysql database. The mysql INSERT INTO
> statements for the Netscreen logs are truncated and hence fail to import
> because the mysql syntax is not correct.
Could you paste your entire config? Is your destination line in your
config file a single line or broken up as in the email message, and if
so is it broken up *exactly* as in the email message? I only ask because
in the template I see a newline in the MSG macro like this:
'$MSG
'
--
Nate
Without C, We would only have Pasal, Basi, and obol
_______________________________________________
syslog-ng maillist - syslog-ng@xxxxxxxxxxxxxxxx
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
Previous Message by Date:
Re: syslog-ng truncating pipe template output
I've been trying to figure out an obscure problem with syslog-ng
importing to a mysql database.
This seems to be the same problem I posted about last week, with
SpamAssassin. No answer yet.
As per http://www.campin.net/syslog-ng/faq.html#message_length - is this
the same issue?
I don't see how it can be an input buffer length issue as each is way
less than the 1k or 8k. Or a system library issue, as each log entry
still has its INSERT statement (or timestamp in my case, with plaintext
logs) which only syslog-ng adds, so it's obviously getting each line
intact and separate.
2004-11-20T16:41:00+1000 chloe spamd[704]: connection from localhost
[127.0.0.1] at port 33809 2004-11-20T16:41:01+1000 chloe spamd[23149]:
info: setuid to slittle succeeded 2004-11-20T16:41:01+1000 chloe
spamd[23149]: processing message <419ED8F2.3010106@xxxxxxxxxxx> for
slittle:1000. 2004-11-20T16:41:01+1000 chloe spamd[23149]: clean message
(-34.6/5.0) for slittle:1000 in 0.2 seconds, 562 bytes.
2004-11-20T16:41:01+1000 chloe qmail: 1100929261.295433 delivery 6355:
success: did_2+0+1/
All one line.
Next Message by Thread:
Re: syslog-ng truncating pipe template output
On Fri, 2004-11-19 at 18:42, James Masson wrote:
> I've been trying to figure out an obscure problem with syslog-ng
> importing to a mysql database.
>
> I have various types of network devices feeding syslog-ng on local3
> through local6. I can import from Cisco, UNIX servers, Windows - but not
> Netscreen firewalls!
>
> Each device type gets its own mysql database. The mysql INSERT INTO
> statements for the Netscreen logs are truncated and hence fail to import
> because the mysql syntax is not correct.
>
> I chased wild geese for a while thinking the log format of the
> Netscreen was messing with mysql - but that's not the case. Notice it's
> just truncating the last few characters of each statement - including
> the all important ")" and "\n" newline that closes the mysql statement.
> I dumped an instance or two of these to a file instead of the normal
> fifo, added a ")" and a newline at the end of each, and it imported just
> fine!
IIRC there was a problem report about NetScreen logs including a NUL
character somewhere in the middle of the message. That might cause this
problem. Can you tcpdump an incoming UDP message as it reaches
syslog-ng? I'd need the complete frame, so be sure to use the -s
parameter for tcpdump. (specifying the maximum frame size, make sure it
is at least the size of your MTU)
--
Bazsi
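
The check the reply above points toward, as an added example that is not part of the thread and is not syslog-ng code: given a datagram's bytes and the length the socket reported, find an embedded NUL and count how much of the message C-string handling would never see. The sample payload and the function names (first_nul, hidden_bytes, scrub_nuls) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample datagram with a NUL in the middle; not real device output. */
static const unsigned char SAMPLE[] =
    "<134>fw1: NetScreen device_id=fw1 \0system-notification-00257 action=Permit";
#define SAMPLE_LEN (sizeof SAMPLE - 1) /* length as recvfrom() would report it */

/* Offset of the first NUL inside the datagram, or -1 if there is none. */
long first_nul(const unsigned char *buf, size_t len)
{
    const unsigned char *p = memchr(buf, 0, len);
    return p ? (long)(p - buf) : -1;
}

/* Number of bytes from the first NUL onward: what strlen()-style code never sees. */
size_t hidden_bytes(const unsigned char *buf, size_t len)
{
    long off = first_nul(buf, len);
    return off < 0 ? 0 : len - (size_t)off;
}

/* Copy into out as a C string: trailing NULs dropped, embedded NULs replaced
 * by a space, so length-based and string-based views agree. Returns the
 * length written (truncated to outsz - 1 if out is too small). */
size_t scrub_nuls(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return 0;
    while (len > 0 && buf[len - 1] == 0)
        len--;
    for (size_t i = 0; i < len && n + 1 < outsz; i++)
        out[n++] = buf[i] ? (char)buf[i] : ' ';
    out[n] = '\0';
    return n;
}

int main(void)
{
    char clean[256];
    printf("datagram length: %zu, strlen view: %zu\n",
           SAMPLE_LEN, strlen((const char *)SAMPLE));
    printf("first NUL at %ld, hidden bytes: %zu\n",
           first_nul(SAMPLE, SAMPLE_LEN), hidden_bytes(SAMPLE, SAMPLE_LEN));
    scrub_nuls(SAMPLE, SAMPLE_LEN, clean, sizeof clean);
    printf("scrubbed: %s\n", clean);
    return 0;
}
```

A mismatch between the reported datagram length and the C-string length is the thing to look for in the captured frame; whether it explains the truncated INSERT statements is what the requested capture would confirm.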