[prev in list] [next in list] [prev in thread] [next in thread]
List: syslog-ng
Subject: Re: [syslog-ng] syslog-ng 3.0.2 issues: Extraneous colon (:) in
From: Marvin Nipper <Marvin.Nipper () stream ! com>
Date: 2009-05-29 18:52:40
Message-ID: AE8FF32FA72E2C41B2CFA317199C2B4807024A3F52 () mailrsn02 ! Americas ! Stream ! Corp
Sorry for a second message, but I've just noticed a third issue with 3.0.2. Same test scenario as already described.

Here's a message logged on my production 2.0.9 server, and also forwarded to my test server (I've removed some of the trailing noise):

May 29 16:15:09 fwmil01 [LOG_WARNING] ipsrd[213]: igmp_recv_leave_group: <truncated.....>

When it arrives on my test server, and a 2.0.9 daemon catches it (and writes it to a file), it looks exactly as above, but when 3.0.2 catches it, this is the result:

May 29 16:15:09 fwmil01 ipsrd[213]: igmp_recv_leave_group: <truncated.....>

In short, the Severity information has been stripped. Again, in looking at the 3.0 docs, I'm not clear as to any change that would cause this to be stripped out. (It might not be that big a deal to lose that, except that there are subsequent filters in my system that are looking for that "translated severity" as part of their search.)

Anyway, again, I would appreciate any input as to why 3.x would be doing this, and what configuration change might restore the original content.
THANKS for your help.
_____________________________________________
From: Marvin Nipper
Sent: Friday, May 29, 2009 12:08 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: syslog-ng 3.0.2 issues: Extraneous colon (:) in forwarded log; two instances of syslog-ng
Hi. I've been running syslog-ng 2.0.9 for eons, and wanted to get 3.0.2 in place, but have run into two issues.

First, the prerequisite info:
This is on Solaris 10 x86, and I'm running the eventlog-0.2.9 component. It has all compiled cleanly. I'm using the same script to initialize syslog-ng as I was using before. In the conf file, I added some value() parameters on my filters, in accordance with the 3.0 "warnings", and added the @version directive, but other than that, it's essentially the same (reasonably simple) conf file I was using with my 2.0.9 version of the code.

For reference, I've appended my conf file at the end of the email.

"Generally" syslog-ng seems to start up fine, and does feed the output files that I've indicated in the conf file. If I didn't "look too closely", I would have thought it was all fine, but...
My problems:
As part of my test environment, I'm forwarding data from another (production 2.0.9) server to my test server, so that I can see how things are working. Here are some (truncated) messages, showing both the original message (as it looks in the output file on the 2.0.9 server), and the second message being what gets written to the file by the 3.0.2 component:

Original:
May 29 09:15:05 10.132.240.25 id=firewall sn=0006B10B2E88 <truncated>
Received and written by 3.0.2:
May 29 09:15:05 10.132.240.25 id=firewall: sn=0006B10B2E88 <truncated>
So the "bug" (I assume it to be a bug) is that "colon" that is now sitting just behind the word "firewall". When my test server is running a 2.0.9 daemon, these two lines match, but the 3.0.2 daemon has inserted that colon. I can only assume that this is tied to a bug in the filtering activity, because if you look at my conf file, you will see these lines:

filter SonicWallNoise {
match("id=firewall" value("MSG")) and filter(SonicWallMsgs);
};

Bottom line, I am doing a filter that happens to "match on" that exact "firewall" string, and it seems like more than just coincidence that this is the exact location where that unwanted colon now appears. It seems like that filtering process has somehow injected that character into the output. (Maybe I'm just missing some "new functionality or feature" in the 3.0 docs that would intentionally cause this?)

Anyway... I'm obviously looking for any input as to why this is different, and/or how to fix it (or even just work around the problem until it is fixed).

And secondly, as my subject line implies, when I run my "/etc/init.d/syslog-ng start" scripting (the same one I've always used), I find, right away, that I now have two instances of syslog-ng running. I saw a bug report from back in 2006, mentioning a similar behavior that was related to (I think) syslog-ng restarting itself, but that was supposedly fixed. I'm ass-u-me-ing that something is now causing the daemon to restart itself, but again, when I run my 2.0.9 code in place of the 3.0.2 code, I get just the one copy running.

Again, I'm looking for any guidance as to something that might be driving that behavior (and as I said, maybe it's just something stupid on my part, because I'm missing something "new" in the 3.0 behavior).

Thanks, in advance, for any help and/or guidance as to what these issues might be. I'm glad to provide further information if it will help.
Marvin Nipper
syslog-ng.conf:
@version:3.0
options { dir_perm(0755); perm(0600); chain_hostnames(no);
keep_hostname(yes); log_fifo_size(1000);
dns_cache_size(5000); dns_cache_expire(86400);
dns_cache_expire_failed(86400); };
source any_udp { udp(); };
source any_tcp { tcp(port(601)); };
destination SEC {pipe("/tmp/sec"); };
destination routers_log {
file("/var/adm/log/routers.log" create_dirs(yes));
};
destination ravlin_log {
file("/var/adm/log/ravlin.log" create_dirs(yes));
};
destination windows_log {
file("/var/adm/log/windows.log" create_dirs(yes));
};
destination workstation_log {
file("/var/adm/log/workstation.log" create_dirs(yes));
};
destination catch-all_log {
file("/var/adm/log/catch-all.log" create_dirs(yes));
};
destination test {
file("/var/adm/log/test.log" create_dirs(yes));
};
destination dev_null {};
filter f_4 { facility(syslog) and level(info..emerg); };
log { source(any_udp); filter(f_4); destination(windows_log); flags(final); };
filter f_1 { facility(local5) and level(debug..emerg); };
log { source(any_udp); filter(f_1); destination(routers_log); flags(final); };
filter SonicWallNoise {
match("id=firewall" value("MSG")) and filter(SonicWallMsgs);
};
filter SonicWallMsgs {
match("m=97" value("MSG")) or match("m=98" value("MSG")) or match("m=537" value("MSG"));
};
log { source(any_udp); filter(SonicWallNoise); destination(dev_null); flags(final); };
filter f_3 { facility(local0) and level(debug..emerg); };
log { source(any_udp); filter(f_3); destination(ravlin_log); flags(final); };
log { source(any_tcp); destination(workstation_log); flags(final); };
log { source(any_udp); destination(catch-all_log); flags(final); };
This e-mail may contain confidential and/or privileged information. If you are
not the intended recipient (or have received this e-mail in error) please
notify the sender immediately and destroy this e-mail. Any unauthorized
copying, disclosure or distribution of the material in this e-mail is strictly
forbidden.
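Added example (editor's code, not part of the post or of syslog-ng): a small model of how a 3.0-style legacy-syslog header split, followed by the default file() template "$DATE $HOST $MSGHDR$MSG", turns both lines quoted above into what the 3.0.2 daemon wrote. The parsing rules (the first run of characters up to whitespace, ':' or '[' becomes $PROGRAM, a following [...] becomes $PID, $MSGHDR is empty when $PROGRAM is empty, and 2.0.9's $MSG still holds the whole body after the hostname) are this model's assumptions, not statements from the post. The three sample lines are constructed from the prefixes quoted in the post; their PRI values and the text after the quoted fragments are made up.

```python
import re
from dataclasses import dataclass

# Model of the syslog-ng 3.0 legacy (BSD-syslog) header split and of the
# default file() template "$DATE $HOST $MSGHDR$MSG\n". Assumed model written
# for this page; it is not syslog-ng's own code.

_MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                         # optional <PRI>
    r"(?P<date>" + _MONTH + r" [ \d]\d \d\d:\d\d:\d\d) "  # BSD timestamp
    r"(?P<host>\S+) "                                    # hostname
    r"(?P<rest>.*)$",                                    # everything after it
    re.DOTALL,
)


@dataclass
class ParsedMsg:
    date: str
    host: str
    program: str   # $PROGRAM
    pid: str       # $PID
    msg: str       # $MSG in 3.0: text after the "program[pid]: " header

    @property
    def msghdr(self) -> str:
        """$MSGHDR: 'PROGRAM[PID]: ', or empty when PROGRAM is empty (assumption)."""
        if not self.program:
            return ""
        pid = f"[{self.pid}]" if self.pid else ""
        return f"{self.program}{pid}: "


def split_header(line: str):
    m = _HEADER.match(line)
    if not m:
        raise ValueError(f"not a legacy syslog line: {line!r}")
    return m.group("date"), m.group("host"), m.group("rest")


def parse_30(line: str) -> ParsedMsg:
    """Modelled 3.0 split: first run of chars up to whitespace, ':' or '['
    is $PROGRAM, an optional [..] is $PID, an optional ':' plus whitespace
    is eaten, the rest is $MSG. Nothing checks that the token is a program."""
    date, host, rest = split_header(line)
    i = 0
    while i < len(rest) and rest[i] not in " \t:[":
        i += 1
    program, rest = rest[:i], rest[i:]
    pid = ""
    if rest.startswith("["):
        end = rest.find("]")
        if end != -1:
            pid, rest = rest[1:end], rest[end + 1:]
    if rest.startswith(":"):
        rest = rest[1:]
    return ParsedMsg(date, host, program, pid, rest.lstrip(" \t"))


def msg_macro_209(line: str) -> str:
    """$MSG as the post reports 2.0.9 behaving: whole body after the
    hostname, program name included (assumption)."""
    return split_header(line)[2]


def render_209(line: str) -> str:
    date, host, rest = split_header(line)
    return f"{date} {host} {rest}"


def render_30(line: str) -> str:
    """Default 3.0 file() template '$DATE $HOST $MSGHDR$MSG'."""
    p = parse_30(line)
    return f"{p.date} {p.host} {p.msghdr}{p.msg}"


def sonicwall_noise(msg_macro: str) -> bool:
    """The posted SonicWallNoise filter, evaluated on whatever $MSG holds."""
    return "id=firewall" in msg_macro and any(
        k in msg_macro for k in ("m=97", "m=98", "m=537"))


# Constructed sample lines based on the prefixes quoted in the post; the PRI
# values and everything after the quoted fragments are made up.
FIREWALL = "<134>May 29 09:15:05 10.132.240.25 id=firewall sn=0006B10B2E88 m=97"
IPSRD = ("<28>May 29 16:15:09 fwmil01 [LOG_WARNING] ipsrd[213]: "
         "igmp_recv_leave_group: group 224.0.0.9")
PLAIN = "<38>May 29 12:00:00 fwmil01 sshd[4711]: Accepted publickey for ops"


if __name__ == "__main__":
    for line in (FIREWALL, IPSRD, PLAIN):
        p = parse_30(line)
        print(f"2.0.9: {render_209(line)}")
        print(f"3.0.2: {render_30(line)}")
        print(f"       PROGRAM={p.program!r} PID={p.pid!r} MSG={p.msg!r}")
        print(f"       SonicWallNoise on 2.0.9 $MSG={sonicwall_noise(msg_macro_209(line))}"
              f"  on 3.0 $MSG={sonicwall_noise(p.msg)}")
```

Under this model the SonicWall line yields PROGRAM "id=firewall" with an empty PID, so the template re-emits it as "id=firewall: ", and the ipsrd line yields an empty PROGRAM with PID "LOG_WARNING", so the bracketed severity is dropped from the output; a conventional "sshd[4711]: ..." line round-trips unchanged. The same split means the filter's match("id=firewall" value("MSG")) would no longer see the string it matched under 2.0.9, if 3.0's $MSG really excludes the program name as assumed here. To check the model against a real 3.0.2 daemon (suggestion, not from the post), give a file() destination a template such as template("$DATE $HOST PROGRAM=$PROGRAM PID=$PID MSG=$MSG\n") and compare the fields it prints with the ones above.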
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html