Re: [rsyslog] Uncompression of a message failed with return code -3

Mon, 20 Jan 2014 09:59:30 -0800 

> OK, let me get my thinking straight. The input in question is imsolaris?
> Not via the network?

Yes. I realized that just today.

> In that case, imsolaris is probably doing wrong.

Might be. Or is not doing enough.

> Question than, however, is how do messages get the proper syslog severity
> with the regular solaris syslogd? imsolaris should probably do the same...

Solaris is using something called 'streams' which is framework to pass
'messages' between various components. The messages can contain binary
data. In the case of 'log stream' the binary data are of type log_ctl
(described in log(7D))

       struct log_ctl {
           short mid;
           short sid;
           char  level;     /* level of message for tracing */
           short flags;     /* message disposition */
       #if defined(_LP64)  ||  defined(_I32LPx)
           clock32_t ltime; /* time in machine ticks since boot */
           time32_t ttime;  /* time in seconds since 1970 */
       #else
           clock_t ltime;
           time_t  ttime;
       #endif
           int  seq_no;     /* sequence number */
           int  pri;        /* priority = (facility|level) */
       };

The imsolaris is using getmsg(2) to pull the messages off the 'log
stream' so he is getting the priority from the 'pri' member.

207             pMsg->iFacility = LOG_FAC(hdr.pri);
208             pMsg->iSeverity = LOG_PRI(hdr.pri);

LOG_FAC and LOG_PRI are defined(or not if they are defined already?) at
rsyslog.h

83#ifndef LOG_PRI
84#     define  LOG_PRI(p)      ((p) & LOG_PRIMASK)
85#endif
86#ifndef LOG_FAC
87#     define  LOG_FAC(p)      (((p) & LOG_FACMASK) >> 3)
88#endif

That is not entirely correct though (I believe, I'm very new at all this
at the moment). Solaris syslogd is using

#define LOG_FACMASK     0x03f8  /* mask to extract facility part */
#define LOG_PRIMASK     0x0007  /* mask to extract priority part (internal) */
fac = (mp->pri & LOG_FACMASK) >> 3;
prilev = mp->pri & LOG_PRIMASK;

Solaris syslogd has also code for reading the tags <NUM>, but it uses
the code only for messages which are read from network, not for messages
which are read from 'log stream'.

I will be working at fixing this (as rsyslog is included with Solaris),
but I want to make sure that I'll write the fix so that it can be
eventually accepted to your main tree.

-- 
        Vlad
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to