Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#783 closed defect (duplicate)

syslog tag not properly included when writing to unix socket

Reported by: trcarden@… Owned by:
Priority: major Milestone:
Component: nginx-core Version: 1.8.x
Keywords: Cc:
uname -a: Linux 3.13.0-52-generic #86-Ubuntu SMP Mon May 4 04:32:59 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.8.0
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.8.0/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.8.0/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.8.0/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.8.0/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.8.0/debian/modules/ngx_http_substitutions_filter_module

Description

I am just posting this on the official nginx ticket listing so it gets fixed. Originally reported here: https://bugs.launchpad.net/nginx/+bug/1329400
http://kb.monitorware.com/nginx-logging-rsyslog-t12359.html

We are seeing it with syslong-ng as well. The problem is that nginx will dump the hostname twice when using the syslog system.

Here is the body from the launchpad bug linked above that goes into more detail:

===================================

When using unix:/dev/log to write to a socket, like so:

access_log syslog:server=unix:/dev/log,tag=nginx warn;

The tag is not used properly by syslog to write the log message. This causes the following message to be sent to syslog:

2014-06-12T15:02:09+00:00 user.notice wheezy wheezy nginx: - - localhost:8000 GET 503 206 | - unicorn=- total=0.00
0 | "curl/7.26.0" "/" "-"

wheezy is my hostname, and it's written in syslog's tag field. The tag nginx is there, but it's written in the beggining of the msg field.

My hostname is also written to syslog's app-name field.

The same faulty behaviour is observed with error_log.

This works properly when using a remote server, server=<ip>.

Change History (2)

comment:1 by vl, 9 years ago

Resolution: duplicate
Status: newclosed

closing as a duplicate of https://trac.nginx.org/nginx/ticket/677.
See details there.

With syslog-ng, just add flags(expect-hostname) to the corresponding source:

expect-hostname: If the expect-hostname flag is enabled, syslog-ng OSE will assume that the log message contains a hostname and parse the message accordingly. This is the default behavior for TCP sources. Note that pipe sources use the no-hostname flag by default.

comment:2 by Vladimir Homutov <vl@…>, 9 years ago

In 6286:a6a2016b8e31/nginx:

Syslog: added "nohostname" option.

The option disables sending hostname in the syslog message header. This is
useful with syslog daemons that do not expect it (tickets #677 and #783).

Note: See TracTickets for help on using tickets.