Bug 283511

Summary: app-admin/syslog-ng default unix-stream vs unix-dgram socket
Product: Gentoo Linux
Reporter: Max Arnold <lwarxx>
Component: Current packages
Assignee: Mr. Bones. (RETIRED) <mr_bones_>
Status: RESOLVED WONTFIX
Severity: minor
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Max Arnold 2009-09-02 13:27:10 UTC
The default syslog-ng configuration contains the following source definition:
unix-stream("/dev/log" max-connections(256));

I'm not sure about this, but probably unix-stream should be replaced with unix-dgram, because syslog-ng default behavior differs from sysklogd and metalog when logging messages containing newlines.

More info:
https://lists.balabit.hu/pipermail/syslog-ng/2009-September/013330.html
http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch03s03.html#configuring_sources_unixstream

A test script which produces a multiline message can be found here: http://bugs.python.org/msg90510

Reproducible: Always
Comment 1 Mr. Bones. (RETIRED) gentoo-dev 2009-09-04 15:56:27 UTC
"The unix-stream() driver is primarily used on Linux and uses SOCK_STREAM semantics (connection oriented, no messages are lost); while unix-dgram() is used on BSDs and uses SOCK_DGRAM semantics: this may result in lost local messages if the system is overloaded."

If you need to use unix-dgram for your setup, you should modify your config to do that.  The default though is to not lose messages.

Thanks.
Comment 2 Max Arnold 2009-09-05 02:54:24 UTC
This is an additional comment from the syslog-ng author:
https://lists.balabit.hu/pipermail/syslog-ng/2009-September/013341.html

> syslogd on Linux originally used SOCK_STREAM sockets, but some distributions switched to SOCK_DGRAM around 1999 to fix a possible DoS problem
> unix-dgram uses less resources and as you state can handle multiple lines per message
> All syslog daemons where this option is non-configurable use unix-dgram(), thus I guess it is not worse to use the same in syslog-ng.
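
The framing difference discussed in this bug, as an added example (not code from the bug report or from syslog-ng): one constructed record with embedded newlines is sent through an AF_UNIX SOCK_STREAM pair and a SOCK_DGRAM pair. The newline-delimited stream reader is an assumption standing in for a line-oriented daemon, and all function names are hypothetical.

```python
import socket

# Constructed sample: a single log record whose text contains embedded newlines.
MESSAGE = b'<14>app: traceback follows\n  File "x.py", line 1\nValueError: boom'


def read_stream_records(sock):
    """Read until EOF and frame records on newline (assumed framing).

    A byte stream carries no message boundaries, so a line-oriented reader
    has to pick a delimiter, and embedded newlines become record breaks.
    """
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return [line for line in buf.split(b"\n") if line]


def send_over_stream(messages):
    """Send each message newline-terminated over SOCK_STREAM; return records seen."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with tx, rx:
        for m in messages:
            tx.sendall(m + b"\n")
        tx.shutdown(socket.SHUT_WR)  # signal EOF so the reader stops
        return read_stream_records(rx)


def send_over_dgram(messages):
    """Send each message as one datagram; every recv() returns one whole message."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    with tx, rx:
        for m in messages:
            tx.send(m)
        return [rx.recv(65536) for _ in messages]


if __name__ == "__main__":
    print("stream records:", send_over_stream([MESSAGE]))
    print("dgram records: ", send_over_dgram([MESSAGE]))
```

On the stream side the second and third records arrive without the `<14>` priority header, which is why embedded newlines matter for log integrity as well as formatting.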