#783 closed defect (duplicate)
syslog tag not properly included when writing to unix socket
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-core | Version: | 1.8.x |
| Keywords: | Cc: | ||
| uname -a: | Linux 3.13.0-52-generic #86-Ubuntu SMP Mon May 4 04:32:59 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.8.0
built with OpenSSL 1.0.1f 6 Jan 2014 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.8.0/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.8.0/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.8.0/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.8.0/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.8.0/debian/modules/ngx_http_substitutions_filter_module |
||
Description
I am just posting this on the official nginx ticket listing so it gets fixed. Originally reported here: https://bugs.launchpad.net/nginx/+bug/1329400
http://kb.monitorware.com/nginx-logging-rsyslog-t12359.html
We are seeing it with syslong-ng as well. The problem is that nginx will dump the hostname twice when using the syslog system.
Here is the body from the launchpad bug linked above that goes into more detail:
===================================
When using unix:/dev/log to write to a socket, like so:
access_log syslog:server=unix:/dev/log,tag=nginx warn;
The tag is not used properly by syslog to write the log message. This causes the following message to be sent to syslog:
2014-06-12T15:02:09+00:00 user.notice wheezy wheezy nginx: - - localhost:8000 GET 503 206 | - unicorn=- total=0.00
0 | "curl/7.26.0" "/" "-"
wheezy is my hostname, and it's written in syslog's tag field. The tag nginx is there, but it's written in the beggining of the msg field.
My hostname is also written to syslog's app-name field.
The same faulty behaviour is observed with error_log.
This works properly when using a remote server, server=<ip>.
closing as a duplicate of https://trac.nginx.org/nginx/ticket/677.
See details there.
With syslog-ng, just add flags(expect-hostname) to the corresponding source:
expect-hostname: If the expect-hostname flag is enabled, syslog-ng OSE will assume that the log message contains a hostname and parse the message accordingly. This is the default behavior for TCP sources. Note that pipe sources use the no-hostname flag by default.