On 02/10/2014 04:12 PM, David Lang wrote:
On Mon, 10 Feb 2014, Assaf Gordon wrote:
2. When using UDP servers or Unix sockets, the limitation is worse:
400 bytes for the message (This is related, I assume, to the inherit
limit of 576 bytes per atomic UDP datagram).
huh??? I've sent much larger logs via UDP without a problem, and
/dev/log is a Unix socket, so if this was true then logger would be
limited to 400 bytes.
Perhaps there are different implementation issues (or perhaps I missed
something), but this is what I've observed (on Ubuntu and Debian).
1. Ubuntu and Debian use "logger" from "bsdutils", which has the
following line when logging through Unix/UDP sockets:
snprintf(buf, sizeof(buf), "<%d>%.15s %.200s%s: %.400s",
pri, tp, cp, pid, msg);
Where "msg" is truncated to "%.400s" .
Same is in "mlogger" ( https://github.com/nbrownus/mlogger ).
2. "/dev/log" is indeed a unix-socket, but the default invocation of
"logger" doesn't write to it directly, but instead uses "syslog(3)" call.
Do a "sudo tail -f /var/log/messages", and compare the output of the
followings:
# Send this many characters
$ seq 300 | paste -s -d, | wc -c
1092
# Send with syslog(3)
$ seq 300 | paste -s -d, | logger
# Send directly to Unix-Socket
$ seq 300 | paste -s -d, | logger -u /dev/log -d
When sending with syslog(3), I observed that the numbers written to the
log go all the way up to 283 (totaling in 1024 characters), then the
next message starts with 284.
When sending to "/dev/log", the first lines goes from "1" to "127"
(totaling in 400 characters), then the next message starts with "284".
The reason that the numbers between "128" and "283" are lost with this
method, is because "logger" used a 1024 bytes buffer to read the input,
but truncated it to 400 characters when sending the message.
3. When using a unix-socket, it should be possible to reliably send
larger messages, as the kernel guarantees some atomicity.
I could not find an authoritative number, but to the best of my
understanding, opening a unix socket with
"socket(AF_LOCAL,SOCK_DGRAM,...)" you can send messages that are upto
"SO_SNDBUF" in size, commonly ~120KB on linux.
(if someone knows differently, please correct me).
4. When using a UDP socket, the maximum size you can use and still
guarantee that there will be no IP fragmentation is about 576 bytes
(which, counting IP header and syslog headers, brings it down to a safe
"ball-park" value of 400 bytes, which is what the limit is in the C
source files).
regards,
-gordon
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
