From: Leland, R. <rob...@io...> - 2010-06-11 16:52:43
Packet length was only for the SYSLOG-NG implementation over TCP. So you are safe with the UDP spec, especially since you are only writing the client. If you can test with two different SYSLOG servers/daemons you should be pretty safe.

When I mentioned SYSLOG-NG (TCP) implementations creating compound SYSLOG entries: in that scenario the SYSLOG entry message would go into a work/message queue. Then the worker queue can decide to send two or more separate SYSLOG entries from two different applications to the SYSLOG-NG server in the same TCP transaction. This confused some SYSLOG servers and resulted in two separate SYSLOG entries being grouped together. Again, since you are only writing the UDP SYSLOG client you do not have to be concerned with that.

-----Original Message-----
From: Leif Mortenson [mailto:lei...@ta...]
Sent: Thursday, June 10, 2010 1:49 AM
To: wra...@li...
Subject: Re: [Wrapper-user] wrapper with syslog host

Rob,
Thank you for the feedback. I think we are set then with the implemented UDP based syslog implementation. It will be released in 3.5.0 at the end of June.

The specification that we implemented places a maximum packet size of 1024 bytes including all headers. When viewed in the syslog output on a linux server, it looks like this for a very long line. The following output was a test of a 200 byte packet length. We add "..." to the beginning and end of long wrapped lines and trim them exactly to the max packet length:

---
Jun 9 04:18:26 io-2.local io testwrapper: jvm 1 : sun.boot.class.path=/System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/Classes/jsfd.jar:/System/Library/Frameworks/JavaVM.framework/Versions/...
Jun 9 04:18:26 io-2.local io testwrapper: jvm 1 : ...1.5.0/Classes/classes.jar:/System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/Classes/ui.jar:/System/Library/Frameworks/JavaVM.framework/...
Jun 9 04:18:26 io-2.local io testwrapper: jvm 1 : ...Versions/1.5.0/Classes/laf.jar:/System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/Classes/sunrsasign.jar:/System/Library/Frameworks/Java...
Jun 9 04:18:26 io-2.local io testwrapper: jvm 1 : ...VM.framework/Versions/1.5.0/Classes/jsse.jar:/System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/Classes/jce.jar:/System/Library/Framewor...
Jun 9 04:18:26 io-2.local io testwrapper: jvm 1 : ...ks/JavaVM.framework/Versions/1.5.0/Classes/charsets.jar
---

We are not planning on making the packet length configurable as the specification is pretty clear. Let me know what you think. It is actually easy to make it configurable. But allowing it to be so could cause problems on the log servers or relays.

Cheers,
Leif

On Wed, Jun 9, 2010 at 5:54 AM, Leland, Robert <rob...@io...> wrote:
> My experience is as a user of several SYSLOG-NG implementations, not as an implementer. Unless it is a much requested feature I would stay away from a TCP client implementation, and I have experienced varying incompatibilities of servers as to how they handle things. This has resulted in dropped logs (even in TCP), truncated logs, and multiple/compound log entries in one SYSLOG database entry.
>
> Even though SYSLOG is over TCP, and a message length is in the TCP header, the SYSLOG-NG v2 protocol did not have a concept of message length and still depended on message delimiters.
> I believe SYSLOG-NG V3, which is based on http://tools.ietf.org/html/rfc5424, was scheduled to make use of a message length to make implementing the client and server more standard.
>
>
> This is off topic but.....
> My experience is that some applications misuse SYSLOG for non events, that is better served with application auditing. The things I look for that usually rule out SYSLOG usage (TCP or UDP) are:
> Large message Size > 4K (1K).
> The application wants to send a complex payload such as XML.
> The desire to run real time metrics against the SYSLOG server for reports over long time periods.
> The SYSLOG servers I have seen store the SYSLOG into a generic database, which makes sense.
> To produce a report each log entry has to be first filtered by time or some other generic criteria, then parsed into intermediate database table(s) that are then sent to a reporting tool such as Crystal Reports or OBIEE. Each time a report is generated the same process is repeated. Many SYSLOG implementations do not optimize their use of memory and choke when generating reports over long time periods (several months). Just some things to consider.
>
> -Rob
>
> -----Original Message-----
> From: Leif Mortenson [mailto:lei...@ta...]
> Sent: Tuesday, June 08, 2010 4:03 PM
> To: wra...@li...
> Subject: Re: [Wrapper-user] wrapper with syslog host
>
> Robert,
> Thank you for the extra info. I got a UDP based syslog target working
> that is based on RFC3164 (http://www.ietf.org/rfc/rfc3164.txt). It
> limits the message length to 1024 characters. Lines that are longer
> than that will be wrapped into multiple packets.
>
> It still needs a lot of testing, but we will have this in the 3.5.0
> release due out by the end of June.
>
> Will this be sufficient? TCP based logging would be a bit more
> difficult to handle because of the possibility that the outgoing
> packets could block.
>
> Cheers,
> Leif
>
> On Wed, Jun 9, 2010 at 3:37 AM, Leland, Robert <rob...@io...> wrote:
>> It might be helpful to be specific as to the type of SYSLOG server
>> support that is desired.
>>
>> The UDP based SYSLOG is easiest to support since there is a standard.
>>
>> As far as the TCP SYSLOG, it's been 18 months since I worked with that, and then
>> there was no SYSLOG standard over connected TCP networks. The closest to
>> that is an open source/commercial product that others seem to follow.
>> The SYSLOG-TCP or SYSLOG-NG servers that exist all behave very
>> differently.
>> Since the pseudo standard was based on the UDP version 18 months ago
>> most if not all still had a message size limit that varies from 1K to 4K
>> depending on the implementation. They also vary on how they piece
>> together messages.
>>
>>
>> -----Original Message-----
>> From: Leif Mortenson [mailto:lei...@ta...]
>> Sent: Tuesday, June 08, 2010 11:51 AM
>> To: wra...@li...
>> Subject: Re: [Wrapper-user] wrapper with syslog host
>>
>> Gerald,
>> Sorry for the delay on this. We were investigating what is possible
>> at an OS level as well as the possibility of sending the remote syslog
>> messages directly. The Wrapper does not currently support this.
>> Please confirm that you are wanting to send the Wrapper's output to a
>> remote syslog server directly, and not all of the syslog activity on
>> the server.
>>
>> Cheers,
>> Leif
>>
>> On Sat, Jun 5, 2010 at 12:09 AM, Gerald Schnabel
>> <ger...@gm...> wrote:
>>> hi,
>>> I am using a syslog server, which is running on a separate machine.
>>> Most applications I use are configured with log4j
>>> where I can use a syslog appender with the parameter SyslogHost.
>>> But for the java service wrapper I can just find the properties
>>>
>>> wrapper.syslog.facility
>>> wrapper.syslog.ident
>>> wrapper.syslog.loglevel
>>>
>>> How can I configure the java service wrapper for using the syslog
>>> server?
>>>
>>> Thanks in advance,
>>> Gerald
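
The line wrapping Leif describes in the thread (a fixed maximum packet size that includes the header, with "..." marking where a long line was cut) can be sketched as follows. This is an added example, not the Wrapper's own code; the function names, the facility/severity values and the sample line are assumptions made for illustration.

```python
from datetime import datetime

MAX_PACKET = 1024   # limit from the thread: whole packet, headers included
MARK = b"..."       # continuation marker described in the thread
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def rfc3164_header(facility, severity, host, tag, when):
    """Build '<PRI>Mmm dd hh:mm:ss host tag: ' (day is space-padded)."""
    pri = facility * 8 + severity
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {host} {tag}: ".encode("ascii")

def split_packets(header, text, max_packet=MAX_PACKET):
    """Split one log line into packets of at most max_packet bytes each."""
    # Assumption: non-ASCII characters are replaced so 1 character == 1 byte.
    body = text.encode("ascii", "replace")
    room = max_packet - len(header)
    if room <= 2 * len(MARK):
        raise ValueError("header leaves no room for message text")
    packets, pos = [], 0
    while True:
        lead = MARK if pos else b""                  # no marker on first packet
        if len(lead) + len(body) - pos <= room:      # the remainder fits
            packets.append(header + lead + body[pos:])
            return packets
        take = room - len(lead) - len(MARK)          # leave room for both markers
        packets.append(header + lead + body[pos:pos + take] + MARK)
        pos += take

def send_line(sock, addr, header, text, max_packet=MAX_PACKET):
    """Send one UDP datagram per packet; sock is a SOCK_DGRAM socket."""
    for packet in split_packets(header, text, max_packet):
        sock.sendto(packet, addr)

if __name__ == "__main__":
    hdr = rfc3164_header(3, 6, "io-2.local", "testwrapper",
                         datetime(2010, 6, 9, 4, 18, 26))
    # Constructed sample line, wrapped at the 200-byte test length from the thread.
    line = "sun.boot.class.path=" + "/Versions/1.5.0/Classes/x.jar:" * 12
    for p in split_packets(hdr, line, max_packet=200):
        print(len(p), p.decode("ascii"))
```

Every packet except the last comes out at exactly the maximum length, so a receiver or relay that enforces the same limit never has to truncate.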
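
The compound-entry problem Rob describes for syslog over TCP comes down to how the receiver finds message boundaries in a byte stream. The added example below (not code from any syslog server; the entries and function names are constructed) compares three receivers on the same two entries: one that treats each TCP read as one entry, one that splits on a newline delimiter, and one that uses a length prefix in the style of RFC 6587 octet counting.

```python
# Constructed entries from two applications; the second contains a newline,
# as a multi-line Java stack trace would.
ENTRIES = [
    b"<30>Jun  9 04:18:26 host1 appA: service started",
    b"<27>Jun  9 04:18:26 host1 appB: exception\n\tat Example.run",
]

def frame_delimited(entries, delim=b"\n"):
    """Sender side: each entry followed by a delimiter, no length."""
    return b"".join(e + delim for e in entries)

def frame_octet_counted(entries):
    """Sender side: 'LEN SP MSG' for each entry."""
    return b"".join(b"%d %s" % (len(e), e) for e in entries)

def read_per_segment(segments):
    """Receiver that assumes one TCP read carries exactly one entry."""
    return list(segments)

def read_delimited(segments, delim=b"\n"):
    """Receiver that splits the reassembled stream on the delimiter."""
    return [e for e in b"".join(segments).split(delim) if e]

def read_octet_counted(segments):
    """Receiver that trusts only the length prefix for boundaries."""
    buf, entries, pos = b"".join(segments), [], 0
    while pos < len(buf):
        sp = buf.index(b" ", pos)           # end of the decimal length
        size = int(buf[pos:sp])
        end = sp + 1 + size
        if end > len(buf):
            raise ValueError("incomplete frame: wait for more data")
        entries.append(buf[sp + 1:end])
        pos = end
    return entries

def compare():
    """Return the entry count each receiver reports for the same two entries."""
    one_write = [frame_delimited(ENTRIES)]  # worker queue sends both at once
    return {
        "per_segment": len(read_per_segment(one_write)),   # merged into one
        "delimited": len(read_delimited(one_write)),       # appB split in two
        "octet_counted": len(read_octet_counted([frame_octet_counted(ENTRIES)])),
    }

if __name__ == "__main__":
    print(compare())
```

Only the length-prefixed receiver returns the two entries unchanged, and it keeps doing so however the stream is split across reads.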