Can't have the UNIX input to process syslog style messages on UNIX socket /dev/log
Logstash config :
input {
#stdin { }
unix {
mode => "server"
path => "/dev/log"
force_unlink => true
debug => true
}
syslog {
debug => true
}
file {
path => "/proc/kmsg"
debug => true
}
}
output {
stdout {
codec => rubydebug
}
}
Starting Logstash with : java -jar logstash-1.2.2-flatjar.jar agent -f logstash-simple.conf -vvv
Once started, the /dev/log socket is created by logstash.
Then trying to log with logger command line. Here is the strace :
socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 1
connect(1, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket)
close(1) = 0
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 1
connect(1, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
sendto(1, "<13>Nov 26 19:04:18 prune: chut\0", 32, MSG_NOSIGNAL, NULL, 0) = 32
close(1) = 0
You first see the socket is opened as SGRAM, giving an error message. Then it is re-opened as STREAM, the type of socket opened by Logstash.
Message is processed normaly.
On the Logstash side, I have the message :
Accepted connection {:server=>"/dev/log", :level=>:debug, :file=>"/home/prune/logstash-1.2.2-flatjar.jar!/logstash/inputs/unix.rb", :line=>"123"}
Closing connection {ath=>"/dev/log", :exception=>#<EOFError: End of file reached>, :backtrace=>["org/jruby/RubyIO.java:2856:in `readpartial'", "file:/home/prune/logstash-1.2.2-flatjar.jar!/logstash/inputs/unix.rb:77:in `handle_socket'", "org/jruby/RubyKernel.java:1517:in `loop'", "file:/home/prune/logstash-1.2.2-flatjar.jar!/logstash/inputs/unix.rb:71:in `handle_socket'", "file:/home/prune/logstash-1.2.2-flatjar.jar!/logstash/inputs/unix.rb:125:in `run'"], :level=>:debug, :file=>"/home/prune/logstash-1.2.2-flatjar.jar!/logstash/inputs/unix.rb", :line=>"91"}
There should be a setting to select DGRAM or STREAM sockets depending on what you're going to toss at it.