| Summary: | app-admin/syslog-ng default unix-stream vs unix-dgram socket | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Max Arnold <lwarxx> |
| Component: | Current packages | Assignee: | Mr. Bones. (RETIRED) <mr_bones_> |
| Status: | RESOLVED WONTFIX | ||
| Severity: | minor | ||
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
"The unix-stream() driver is primarily used on Linux and uses SOCK_STREAM semantics (connection oriented, no messages are lost); while unix-dgram() is used on BSDs and uses SOCK_DGRAM semantics: this may result in lost local messages if the system is overloaded." If you need to use unix-dgram for your setup, you should modify your config to do that. The default though is to not lose messages. Thanks. This is additional comment from syslog-ng author: https://lists.balabit.hu/pipermail/syslog-ng/2009-September/013341.html > syslogd on Linux originally used SOCK_STREAM sockets, but some distributions switched to SOCK_DGRAM around 1999 to fix a possible DoS problem > unix-dgram uses less resources and as you state can handle multiple lines per message > All syslog daemons where this option is non-configurable uses unix-dgram(), thus I guess it is not worse to use the same in syslog-ng. |
Default syslog-ng configuration contains following source definition: unix-stream("/dev/log" max-connections(256)); I'm not sure about this, but probably unix-stream should be replaced with unix-dgram, because syslog-ng default behavior differs from sysklogd and metalog when logging messages containing newlines. More info: https://lists.balabit.hu/pipermail/syslog-ng/2009-September/013330.html http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch03s03.html#configuring_sources_unixstream Test script which produces multiline message can be found here: http://bugs.python.org/msg90510 Reproducible: Always