Hello,
Peter Valdemar Mørch wrote via RT:
> This generates no output to terminal, but sends two UDP packets:
> perl -w -e 'use Sys::Syslog qw(:DEFAULT setlogsock); setlogsock("udp",
> $remotehost); openlog("hello", "ndelay", "LOG_USER"); sleep 5;
> syslog("alert", "foo")'
>
> A tshark on the other end shows this:
> 0.000000 127.0.0.1 -> 127.0.0.1 Syslog [Malformed Packet]
> 5.000601 127.0.0.1 -> 127.0.0.1 Syslog USER.ALERT: May 31
> 10:40:44 hello: foo\n\000
>
> Isn't that first packet a bug?
No, if you look at the function connect_udp(), you'll see this is normal, this first packet being used to check if the remote port is actually listening.
https://github.com/maddingue/Sys-Syslog/blob/master/Syslog.pm#L653
I think tshark shows the first packet as malformed because it has no data, but I think it's harmless to remote syslog daemons, as they won't receive any data. You can test this with the following commands, each in a separate shell, on a single machine:
$ nc -klu 1234 | hexdump -C
$ sudo tshark -i lo0 -x
$ perl -MSys::Syslog=:DEFAULT,setlogsock -e 'setlogsock({ type => "udp", host => "localhost", port => 1234 }); openlog("perl", "ndelay,pid", "user"); sleep 2; syslog(info => "plonk")'
> I realize I'm violating both the first and second rules of
> Sys::Syslog: "You do not call setlogsock". How do I send syslog to a
> remote machine without setlogsock and without violating "THE RULES OF
> SYS::SYSLOG"? I realize this is a reference to Fight Club, but
> although comical, it is confusing to have reference documentation say
> not to do something, have it documented, even in an example, and not
> provide another way of doing it. Is sending to $remotehost over UDP
> supported or not? If setlogsock is the supported way of doing it, I
> humbly ask for removing/rewording "THE RULES OF SYS::SYSLOG", rules 1
> and 2, sacrificing humor for clarity. Perhaps to 'You do not call
> setlogsock("unix")' or whatever is correct.
As you guessed, "the rules of Sys::Syslog" are a comical reference to Fight Club. I wrote them because for most users, they are the reasonable choice. I had to review a lot of random Perl code to see how people were using Sys::Syslog, and saw that many used the cargo cult setlogsock("unix"). The annoying part is that when I added the way more efficient "native" mechanism, all the code already using "unix" could not benefit from it.
setlogsock() is a complex function; the documentation is nearly as long as that of the other functions combined. Most users shouldn't use it at all because they want to use their local syslog facility, which is what Sys::Syslog will do by default. In a sense, there's an implicit "unless you know what you are doing" addendum to the first and second rules, because obviously, advanced users can and will use setlogsock().
It's after the serious documentation, but I just realized that there's a line in the DESCRIPTION pointing to it, which I can remove to avoid the highlight.
--
Sébastien Aperghis-Tramoni
Close the world, txEn eht nepO.
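
Added example, not part of the original message and not Sys::Syslog's own code: a loopback receiver that shows what a syslog listener gets when a sender emits a zero-length datagram before the first real message, and how it can skip the empty one. The classify() helper, the ephemeral port and the sample payload (built from the tshark capture quoted above) are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: receiver-side view of an empty UDP datagram followed by a
# syslog message. Everything runs on 127.0.0.1 with constructed traffic.
use strict;
use warnings;
use IO::Socket::INET;

# Facility and severity names indexed by their numeric codes.
my @FACILITY = qw(kern user mail daemon auth syslog lpr news uucp cron
                  authpriv ftp ntp audit alert clock
                  local0 local1 local2 local3 local4 local5 local6 local7);
my @SEVERITY = qw(emerg alert crit err warning notice info debug);

# Hypothetical helper: label one datagram as empty, syslog, or junk.
sub classify {
    my ($data) = @_;
    return "empty datagram, ignored" if length($data) == 0;
    if ($data =~ /\A<(\d{1,3})>(.*)\z/s && $1 <= 191) {
        my ($pri, $msg) = ($1, $2);
        $msg =~ s/[\n\0]+\z//;    # strip the trailing "\n\0" seen in the capture
        return sprintf "%s.%s: %s",
            $FACILITY[$pri >> 3], $SEVERITY[$pri & 7], $msg;
    }
    return "not syslog, dropped";
}

# Receiver bound to an ephemeral loopback port; sender connected to it.
my $rx = IO::Socket::INET->new(Proto => "udp", LocalAddr => "127.0.0.1",
                               LocalPort => 0) or die "bind: $!";
my $tx = IO::Socket::INET->new(Proto => "udp", PeerAddr => "127.0.0.1",
                               PeerPort => $rx->sockport) or die "connect: $!";

# Constructed traffic: zero-length datagram, then PRI 9 = user(1)*8 + alert(1).
for my $payload ("", "<9>May 31 10:40:44 hello: foo\n\0") {
    defined $tx->send($payload) or die "send: $!";
}

# Read both datagrams; the empty one arrives as a 0-byte read, not an error.
for (1 .. 2) {
    my $buf = "";
    defined $rx->recv($buf, 2048) or die "recv: $!";
    printf "%4d bytes -> %s\n", length($buf), classify($buf);
}
```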