From syslog-ng@lists.balabit.hu Mon May 2 17:43:24 2005
From: syslog-ng@lists.balabit.hu (Subodh Nijsure)
Date: Mon, 2 May 2005 09:43:24 -0700
Subject: [syslog-ng]Change the facility of forwarded message using syslog-ng is it possible?
Message-ID:

Hello,

I have a system where a lot of different machines are forwarding me messages with a facility of local6. What I want to do is forward them on but change the facility to, say, local1 when sending it to a UDP destination.

Is this possible using syslog-ng? I have gone through all the log but couldn't find any way of doing this. Is it possible to change the facility of an incoming message using syslog-ng?

/Subodh Nijsure

From syslog-ng@lists.balabit.hu Mon May 2 17:44:25 2005
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: 2 May 2005 16:44:25 -0000
Subject: [syslog-ng]Change the facility of forwarded message using syslog-ng is it possible?
Message-ID: <20050502164425.26583.qmail@secure.hummer5.net>

I will be out of the office with no access to email or voicemail until May 11, 2005. I will attend to your email promptly upon my return.

Thank you,

James Brunke
Crystal Technology Solutions Group Inc

From syslog-ng@lists.balabit.hu Mon May 2 18:18:20 2005
From: syslog-ng@lists.balabit.hu (SheBang)
Date: Mon, 2 May 2005 10:18:20 -0700
Subject: [syslog-ng]Change the facility of forwarded message using syslog-ng is it possible?
In-Reply-To: <20050502164425.26583.qmail@secure.hummer5.net>
References: <20050502164425.26583.qmail@secure.hummer5.net>
Message-ID: <3a8a1f1405050210182f81a0f9@mail.gmail.com>

There's not a built-in feature to do this. You can always log to a file that's processed by a script and forwarded on directly over UDP (or maybe into the local syslog-ng if you want to use its buffering feature and make it a TCP destination). You could also feed directly into the script via program().

On 2 May 2005 16:44:25 -0000, jbrunke@ctsgi.com wrote:
> I will be out of the office with no access to email or voicemail until May 11, 2005. I will attend to your email promptly upon my return.
>
> Thank you,
>
> James Brunke
> Crystal Technology Solutions Group Inc
>
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>

From syslog-ng@lists.balabit.hu Mon May 2 19:15:56 2005
From: syslog-ng@lists.balabit.hu (Jerry Bell)
Date: Mon, 2 May 2005 14:15:56 -0400 (EDT)
Subject: [syslog-ng]Change the facility of forwarded message using syslog-ng is it possible?
In-Reply-To:
References:
Message-ID: <2521.209.134.164.17.1115057756.squirrel@209.134.164.17>

Hello,

If you look in the Makefile for most of the ports, you will find a MAINTAINER line. For clamav, it is listed as rob -at- debank.tv

I also look forward to the updated port!

Jerry
http://www.syslog.org

>
> Hello,
>
> I have a system where a lot of different machines are forwarding me messages with a facility of local6. What I want to do is forward them on but change the facility to, say, local1 when sending it to a UDP destination.
>
> Is this possible using syslog-ng? I have gone through all the log but couldn't find any way of doing this. Is it possible to change the facility of an incoming message using syslog-ng?
>
> /Subodh Nijsure
>

From syslog-ng@lists.balabit.hu Mon May 2 19:19:18 2005
From: syslog-ng@lists.balabit.hu (Jerry Bell)
Date: Mon, 2 May 2005 14:19:18 -0400 (EDT)
Subject: [syslog-ng]Change the facility of forwarded message using syslog-ng is it possible?
In-Reply-To: <2521.209.134.164.17.1115057756.squirrel@209.134.164.17>
References: <2521.209.134.164.17.1115057756.squirrel@209.134.164.17>
Message-ID: <2547.209.134.164.17.1115057958.squirrel@209.134.164.17>

Well, that's embarrassing. I really need to go to remedial email school to learn to watch where I'm typing my response. Very sorry to the list for the spam.
Jerry

> Hello,
>
> If you look in the Makefile for most of the ports, you will find a
> MAINTAINER line. For clamav, it is listed as rob -at- debank.tv
>
> I also look forward to the updated port!
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>

From syslog-ng@lists.balabit.hu Mon May 2 19:27:57 2005
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Mon, 2 May 2005 20:27:57 +0200
Subject: [syslog-ng]syslog-ng 1.6.7 on solaris10
Message-ID:

I'm having some compilation issues with Solaris 10:

bash-3.00# ./configure --disable-tcp-wrapper --disable-spoof-source
-- snip--
checking for TCP wrapper library... -lwrap
checking pthread.h usability... yes
checking pthread.h presence... yes
checking for pthread.h... yes
checking for pthread_create in -lpthread... yes
checking whether to enable Sun STREAMS support... yes
checking whether to enable Sun door support... yes
checking whether to enable TCP wrapper support... no
checking whether to enable spoof_source support... no
checking libol version >= 0.3.14... ok
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating src/tests/Makefile
config.status: creating doc/Makefile
config.status: creating doc/sgml/Makefile
config.status: creating contrib/Makefile
config.status: creating syslog-ng.spec
config.status: creating src/config.h
config.status: executing depfiles commands
bash-3.00# which make
/usr/ccs/bin/make
gcc -g -O2 -Wall -I/usr/local/include/libol -D_GNU_SOURCE -o syslog-ng main.o sources.o center.o filters.o destinations.o log.o cfgfile.o cfg-grammar.o cfg-lex.o affile.o afsocket.o afunix.o afinet.o afinter.o afuser.o afstreams.o afprogram.o afremctrl.o nscache.o utils.o syslog-names.o macros.o -lpthread -lnsl -lsocket -ldoor -lresolv /usr/local/lib/libol.a -lsocket -lnsl -lxnet -Wl,-Bstatic -ll -lwrap -Wl,-Bdynamic
ld: fatal: library -ll: not found
ld: fatal: library -lwrap: not found
ld: fatal: File processing errors. No output written to syslog-ng

If I change where -ll and -lwrap are located on the line to:

bash-3.00# gcc -g -O2 -Wall -I/usr/local/include/libol -D_GNU_SOURCE -o syslog-ng main.o sources.o center.o filters.o destinations.o log.o cfgfile.o cfg-grammar.o cfg-lex.o affile.o afsocket.o afunix.o afinet.o afinter.o afuser.o afstreams.o afprogram.o afremctrl.o nscache.o utils.o syslog-names.o macros.o -lpthread -lnsl -lsocket -ldoor -lresolv -ll -lwrap /usr/local/lib/libol.a -lsocket -lnsl -lxnet -Wl,-Bstatic -Wl,-Bdynamic

I instead get:

Undefined                       first referenced
 symbol                             in file
deny_severity                       /usr/sfw/lib/gcc/sparc-sun-solaris2.10/3.4.3/../../../libwrap.so
allow_severity                      /usr/sfw/lib/gcc/sparc-sun-solaris2.10/3.4.3/../../../libwrap.so
ld: fatal: Symbol referencing errors. No output written to syslog-ng
collect2: ld returned 1 exit status

I got around that by editing config.h and changing the TCP wrapper lib line to:

#undef ENABLE_TCP_WRAPPER

and fiddled around in the src/tests Makefile and .c file.

Perhaps something is missing in the configure scripts?
From syslog-ng@lists.balabit.hu Mon May 2 20:23:05 2005
From: syslog-ng@lists.balabit.hu (Stephen Tanner)
Date: Mon, 2 May 2005 15:23:05 -0400
Subject: [syslog-ng]Issues with HP-UX
Message-ID: <2667F108392A8245A6FD9A1353C984D50481D01C@ntservexch1.leeclerk.org>

I have recently started using syslog-ng so that I can use stunnel to log to a central loghost. I have gotten syslog-ng working on a linux box, and everything works fine, but my HP-UX boxes won't even log locally, much less log to a loghost. Below, I have included the syslog-ng.conf for one of the hosts.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Stephen Tanner
HP-UX Systems Administrator
Network Support Services
Lee County Clerk of Courts
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

options { use_fqdn(no); keep_hostname(no); use_dns(no); long_hostnames(off); sync(3); log_fifo_size(300); };

#
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
source src { unix-dgram("/dev/log.un"); internal(); };

# After that set destinations.

# First some standard logfile
#
destination lpr { file("/var/adm/lpr.log"); };
destination mail { file("/var/adm/mail.log"); };

# Some `catch-all' logfiles.
#
destination syslog { file("/var/adm/syslog/syslog.log"); };

# The root's console.
#
destination console { usertty("root"); };

# Virtual console.
#
destination console_all { file("/dev/tty8"); };

# Here's come the filter options. With this rules, we can set which
# message go where.

filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_messages { level(info .. warn) and not facility(auth, cron, daemon, mail, news); };
filter f_emergency { level(emerg); };

###############################################################

log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_messages); destination(syslog); };
log { source(src); filter(f_emergency); destination(console); };
#log { source(src); destination(messages); };

###############################################################
## set up logging to a loghost forwarded from localhost via stunnel
destination loghost { tcp("127.0.0.1" port(514)); };

# send everything to loghost, too
log { source(src); destination(loghost); };
###############################################################

From syslog-ng@lists.balabit.hu Tue May 3 02:40:52 2005
From: syslog-ng@lists.balabit.hu (Shane Presley)
Date: Mon, 2 May 2005 21:40:52 -0400
Subject: [syslog-ng]RE: Recommended windows event logger products to work with syslog-ng
In-Reply-To: <3E061654BA925846A7FAFE98BA3603B70EF2F6AD@SEPEX04.oppd.oppd-ds.com>
References: <3E061654BA925846A7FAFE98BA3603B70EF2F6AD@SEPEX04.oppd.oppd-ds.com>
Message-ID: <27ae921605050218402d000a50@mail.gmail.com>

I installed nt-syslog (http://ntsyslog.sorceforge.net), but it seems the messages coming from it do not contain the date/time field? Is that just something I did wrong?

Also, in general, with these EventLog -> Syslog products, do they capture the entire event log message? For example the sometimes verbose "Description" field?

Thanks
Shane

On 4/21/05, SOLIS, ALEX wrote:
>
> I use nt-syslog (http://ntsyslog.sorceforge.net). It seems to work fine although I too get corrupt event logs on the windows boxes every now and then. I am not 100 percent convinced that it is caused by nt-syslog but it seems to be a possibility.
>
> Alex

From syslog-ng@lists.balabit.hu Tue May 3 12:59:10 2005
From: syslog-ng@lists.balabit.hu (Stephan Hendl)
Date: Tue, 03 May 2005 13:59:10 +0200
Subject: [syslog-ng]Issues with HP-UX
Message-ID:

Your source should look like the following:

source s_sys { pipe("/dev/log" pad_size(2048)); internal(); };

The pad_size is very important. BTW, it is included in the docs as well as in the FAQ, I think.

regards
Stephan

>>> stanner@leeclerk.org 05/02/05 9:23 >>>
I have recently started using syslog-ng so that I can use stunnel to log to a central loghost. I have gotten syslog-ng working on a linux box, and everything works fine, but my HP-UX boxes won't even log locally, much less log to a loghost. Below, I have included the syslog-ng.conf for one of the hosts.

[...]

From syslog-ng@lists.balabit.hu Tue May 3 13:00:21 2005
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: 3 May 2005 12:00:21 -0000
Subject: [syslog-ng]Issues with HP-UX
Message-ID: <20050503120021.9584.qmail@secure.hummer5.net>

I will be out of the office with no access to email or voicemail until May 11, 2005. I will attend to your email promptly upon my return.

Thank you,

James Brunke
Crystal Technology Solutions Group Inc

From syslog-ng@lists.balabit.hu Tue May 3 13:47:40 2005
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Tue, 03 May 2005 14:47:40 +0200
Subject: [syslog-ng]syslog-ng 1.6.7 on solaris10
In-Reply-To:
References:
Message-ID: <1115124460.4566.12.camel@bzorp.balabit>

On Mon, 2005-05-02 at 20:27 +0200, kenneth.gullberg@foreningssparbanken.se wrote:
> I'm having some compilation issues with Solaris 10:
>
> bash-3.00# ./configure --disable-tcp-wrapper --disable-spoof-source
> -- snip--
> checking for TCP wrapper library... -lwrap
> [...]
> checking whether to enable TCP wrapper support... no
> checking whether to enable spoof_source support... no
> checking libol version >= 0.3.14... ok
> [...]
> bash-3.00# which make
> /usr/ccs/bin/make
> gcc -g -O2 -Wall -I/usr/local/include/libol -D_GNU_SOURCE -o syslog-ng main.o sources.o center.o filters.o destinations.o log.o cfgfile.o cfg-grammar.o cfg-lex.o affile.o afsocket.o afunix.o afinet.o afinter.o afuser.o afstreams.o afprogram.o afremctrl.o nscache.o utils.o syslog-names.o macros.o -lpthread -lnsl -lsocket -ldoor -lresolv /usr/local/lib/libol.a -lsocket -lnsl -lxnet -Wl,-Bstatic -ll -lwrap -Wl,-Bdynamic
> ld: fatal: library -ll: not found
> ld: fatal: library -lwrap: not found
> ld: fatal: File processing errors. No output written to syslog-ng

Well spotted. Sometimes syslog-ng included -lwrap even if that was not needed. The other problem is that you don't have a static -ll library installed, which syslog-ng links to by default.

-- 
Bazsi

From syslog-ng@lists.balabit.hu Tue May 3 14:09:18 2005
From: syslog-ng@lists.balabit.hu (Stephen Tanner)
Date: Tue, 3 May 2005 09:09:18 -0400
Subject: [syslog-ng]Issues with HP-UX
Message-ID: <2667F108392A8245A6FD9A1353C984D50481D01F@ntservexch1.leeclerk.org>

This does not work. Syslog-ng still does not log anything.
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Stephan Hendl
Sent: Tuesday, May 03, 2005 7:59 AM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Issues with HP-UX

Your source should look like the following:

source s_sys { pipe("/dev/log" pad_size(2048)); internal(); };

The pad_size is very important. BTW, it is included in the docs as well as in the FAQ, I think.

regards
Stephan

>>> stanner@leeclerk.org 05/02/05 9:23 >>>
I have recently started using syslog-ng so that I can use stunnel to log to a central loghost. I have gotten syslog-ng working on a linux box, and everything works fine, but my HP-UX boxes won't even log locally, much less log to a loghost. Below, I have included the syslog-ng.conf for one of the hosts.

[...]

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

From syslog-ng@lists.balabit.hu Tue May 3 14:48:53 2005
From: syslog-ng@lists.balabit.hu (SOLIS, ALEX)
Date: Tue, 3 May 2005 08:48:53 -0500
Subject: [syslog-ng]RE: Recommended windows event logger products to work with syslog-ng
Message-ID: <3E061654BA925846A7FAFE98BA3603B71064E54F@SEPEX04.oppd.oppd-ds.com>

I don't think you did anything wrong. When I installed my ntsyslog, it worked fine. You might want to try ntsyslog in debug mode. You can do this by running ntsyslog -debug at the command line. This will show what is being sent over the wire on your console. If your time-stamps are missing during the debug output then ntsyslog might be parsing incorrectly. If they show in the debug output but are missing at the syslog-ng server, then maybe the syslog-ng config should be looked at.

There are patches available at the sourceforge project site. I believe one of them is specifically designed to fix "incomplete messages"; it's worth a try if you are out of ideas, but like I said before, I did not experience missing timestamps when I deployed.

In my experience with NTsyslog, most messages fit in the message buffer ntsyslog sets aside for transmission. I believe the buffer size is set around 1024 so it should accommodate most WinNT eventlog messages.

Good luck troubleshooting!

Alex

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Shane Presley
Sent: Monday, May 02, 2005 8:41 PM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]RE: Recommended windows event logger products to work with syslog-ng

I installed nt-syslog (http://ntsyslog.sorceforge.net), but it seems the messages coming from it do not contain the date/time field? Is that just something I did wrong?

Also, in general, with these EventLog -> Syslog products, do they capture the entire event log message? For example the sometimes verbose "Description" field?

Thanks
Shane

On 4/21/05, SOLIS, ALEX wrote:
>
> I use nt-syslog (http://ntsyslog.sorceforge.net). It seems to work fine although I too get corrupt event logs on the windows boxes every now and then. I am not 100 percent convinced that it is caused by nt-syslog but it seems to be a possibility.
>
> Alex
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
From syslog-ng@lists.balabit.hu Tue May 3 17:03:01 2005
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Tue, 03 May 2005 18:03:01 +0200
Subject: [syslog-ng]Possible segmentation fault in syslog-ng
Message-ID: <1115136181.4566.41.camel@bzorp.balabit>

Hi,

I have finally been able to track down a nasty segmentation fault/abort problem. The fix can be found in libol 0.3.16, which is statically linked into syslog-ng. Therefore to grab the fix, you need to recompile syslog-ng with the new libol.

The problem occurs when:

* internal() messages were directed to a file which had a name with macros in it
* you had one or more TCP sources which close their connections from time to time (Kiwi syslogd is such a program)
* the volume of the log messages is very low in this destination, in fact it might be required that nothing else but TCP connection close messages are received here, and less often than the interval time_reap() specifies.

How to reproduce:

* Use the following configuration:

options { time_reap(1); gc_idle_threshold(1); };
source src { unix-stream("log"); internal(); };
source net { tcp(port(2000)); };
destination d_local { file("logs/messages.$YEAR.$HOST.$DAY"); };
destination d_net { file("logs/net.log"); };
log { source(src); destination(d_local); };
log { source(net); destination(d_net); };

* Create the directory containing the log files "logs"
* Start syslog-ng
* Connect to port 2000 using telnet, wait somewhat more than 1 second
* Wait while garbage collection starts (should be immediately as gc_idle_threshold() is set to 1)

Syslog-ng will crash with Segmentation fault or an Abort.

Thanks go to Janos Lajos who has reported and helped me to track down the issue.

Libol 0.3.16 is available at:
http://www.balabit.hu/downloads/syslog-ng/libol/0.3/libol-0.3.16.tar.gz

PGP signature:
http://www.balabit.hu/downloads/syslog-ng/libol/0.3/libol-0.3.16.tar.gz.asc

-- 
Bazsi

From syslog-ng@lists.balabit.hu Tue May 3 20:36:16 2005
From: syslog-ng@lists.balabit.hu (Julio Kriger)
Date: Tue, 3 May 2005 16:36:16 -0300 (ART)
Subject: [syslog-ng]a weird configuration
Message-ID: <55074.200.51.94.194.1115148976.squirrel@200.51.94.194>

Hi!

I need to set up a weird configuration of syslog-ng and I don't know how to do it. Please help me!!!

So, here is my problem. I have 2 programs, say A and B. I have metalog configured so that program A writes logs to a file called log_A, and program B writes logs to log_B. This is the easy part.

Now the real problem. I have a kernel module K that is used by both programs that also writes some logs. I want the logs written by kernel module K when used by program A to go to the log_A file. The same with program B: its logs should go to log_B.

How can I do this?

TIA.

Regards,
Julio

--
------------------------
Julio Kriger
mailto:julio@cwazy.co.uk

From syslog-ng@lists.balabit.hu Tue May 3 20:56:04 2005
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Tue, 3 May 2005 15:56:04 -0400
Subject: [syslog-ng]Multi-line log entries
Message-ID:

Are you aware of any issues where on the local host the multi-line messages include the hostname and syslog-ng does not include the hostname? Is there a configuration option to resolve this problem?

Apr 23 00:00:05 img4s012.svr.bankone.net/img4s012.svr.bankone.net scsi: [ID 107833 kern.warning] WARNING: /pci@8,700000/pci@2/lpfc@5/sd@0,de (sd98):
Apr 23 00:00:05 img4s012.svr.bankone.net/img4s012.svr.bankone.net corrupt label - wrong magic number

This is how the event shows in syslog-ng:

Apr 23 00:00:05 img4s012.svr.bankone.net/img4s012.svr.bankone.net scsi: [ID 107833 kern.warning] WARNING: /pci@8,700000/pci@2/lpfc@5/sd@0,de (sd98):
Apr 23 00:00:05 corrupt label - wrong magic number

Regards,
Jessie

This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.

From syslog-ng@lists.balabit.hu Tue May 3 21:05:22 2005
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Tue, 03 May 2005 16:05:22 -0400
Subject: [syslog-ng]a weird configuration
In-Reply-To: Your message of "Tue, 03 May 2005 16:36:16 -0300." <55074.200.51.94.194.1115148976.squirrel@200.51.94.194>
References: <55074.200.51.94.194.1115148976.squirrel@200.51.94.194>
Message-ID: <200505032005.j43K5NRx023044@turing-police.cc.vt.edu>

On Tue, 03 May 2005 16:36:16 -0300, Julio Kriger said:
> I want that the logs written by kernel module K when used by program A go
> to log_A file. The same with program B, logs should go log_B.

Does the kernel module indicate in any way which program it was? In other words, given the output from K *by itself*, is there a way to tell if A or B was using it? If so, you should be able to use 'match' to sort things out...

From syslog-ng@lists.balabit.hu Wed May 4 15:11:10 2005
From: syslog-ng@lists.balabit.hu (Julio Kriger)
Date: Wed, 4 May 2005 11:11:10 -0300 (ART)
Subject: [syslog-ng]a weird configuration
In-Reply-To: <200505032005.j43K5NRx023044@turing-police.cc.vt.edu>
References: <55074.200.51.94.194.1115148976.squirrel@200.51.94.194> <200505032005.j43K5NRx023044@turing-police.cc.vt.edu>
Message-ID: <33684.200.51.94.194.1115215870.squirrel@200.51.94.194>

No, there is no way that the kernel module (it's sctp) knows which program it was called from. Not that I know :)

On Tue, May 3, 2005 5:05 pm, Valdis.Kletnieks@vt.edu said:
> On Tue, 03 May 2005 16:36:16 -0300, Julio Kriger said:
>
>> I want that the logs written by kernel module K when used by program A
>> go
>> to log_A file. The same with program B, logs should go log_B.
>
> Does the kernel module indicate in any way which program it was? In other
> words, given the output from K *by itself*, is there a way to tell if A or
> B
> was using it? If so, you should be able to use 'match' to sort things
> out...
>

--
------------------------
Julio Kriger
mailto:julio@cwazy.co.uk

From syslog-ng@lists.balabit.hu Wed May 4 17:37:01 2005
From: syslog-ng@lists.balabit.hu (Erwin Middelberg)
Date: Wed, 4 May 2005 18:37:01 +0200
Subject: [syslog-ng]Cisco formatting
Message-ID: <4DAD8EAD28A25D4CAFCD895A942739A7131681@ENNLMAIL01.easynet.nl.local>

Hi All,

I'm rather new to syslog-ng and have a question I couldn't find answers for, searching on the web.

We're using syslog-ng (1.5.15) as a central relay server for several Cisco devices, where the devices send their syslogs to the syslog-ng server and syslog-ng forwards them to my Netcool monitoring environment.

A problem I'm running into is that some Cisco messages contain carriage returns, splitting one message over 2 or more lines. I could do some tricks on the Netcool side, but it would be much cleaner if I could filter those CRs within syslog-ng. Is this possible?

TIA,
Erwin

From syslog-ng@lists.balabit.hu Wed May 4 17:50:57 2005
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Wed, 04 May 2005 12:50:57 -0400
Subject: [syslog-ng]a weird configuration
In-Reply-To: Your message of "Wed, 04 May 2005 11:11:10 -0300." <33684.200.51.94.194.1115215870.squirrel@200.51.94.194>
References: <55074.200.51.94.194.1115148976.squirrel@200.51.94.194> <200505032005.j43K5NRx023044@turing-police.cc.vt.edu> <33684.200.51.94.194.1115215870.squirrel@200.51.94.194>
Message-ID: <200505041650.j44Govo2015570@turing-police.cc.vt.edu>

On Wed, 04 May 2005 11:11:10 -0300, Julio Kriger said:
> No, there are no ways that the kernel module (it's sctp) know from with
> program is was called. Not that I know :)

Checking the Linux 2.6.12-rc2-mm3 net/sctp source, none of the printk() calls from the module even *care* what program they were called from, and in some cases it's bottom-half code running on somebody else's context (on its own task queue or similar) so there's no actual way to associate the activity with a given program. In fact, most of the printk() calls are some variant on "This is bogus and we can't tell who it belongs to".

Can you explain (a) what kernel/system you're using and (b) what sctp messages you're trying to classify, and (c) what you're trying to accomplish by doing it?

(I'm suspecting the answer will be "If the sctp kernel module doesn't know, how is syslog-ng supposed to tell? But there's another approach to get the info you wanted. All you do is.....")

From syslog-ng@lists.balabit.hu Wed May 4 18:34:01 2005
From: syslog-ng@lists.balabit.hu (Julio Kriger)
Date: Wed, 4 May 2005 14:34:01 -0300 (ART)
Subject: [syslog-ng]a weird configuration
In-Reply-To: <200505041650.j44Govo2015570@turing-police.cc.vt.edu>
References: <55074.200.51.94.194.1115148976.squirrel@200.51.94.194> <200505032005.j43K5NRx023044@turing-police.cc.vt.edu> <33684.200.51.94.194.1115215870.squirrel@200.51.94.194> <200505041650.j44Govo2015570@turing-police.cc.vt.edu>
Message-ID: <55543.200.51.94.194.1115228041.squirrel@200.51.94.194>

Yes, exactly.

a) I'm using Linux Gentoo 2.6.11-rc6 (gentoo-sources if you know about gentoo)
b) Any debug message. I've done some modifications and I'm testing them; I've added my own messages
c) It will help understand why this modification I made doesn't work :)

TIA

Regards,
Julio

On Wed, May 4, 2005 1:50 pm, Valdis.Kletnieks@vt.edu said:
> On Wed, 04 May 2005 11:11:10 -0300, Julio Kriger said:
>> No, there are no ways that the kernel module (it's sctp) know from with
>> program is was called. Not that I know :)
>
> Checking the Linux 2.6.12-rc2-mm3 net/sctp source, none of the printk()
> calls
> from the module even *care* what program they were called from, and in
> some
> cases it's bottom-half code running on somebody else's context (on its own
> task queue or similar) so there's no actual way to associate the activity
> with
> a given program. In fact, most of the printk() calls are some variant on
> "This
> is bogus and we can't tell who it belongs to".
>
> Can you explain (a) what kernel/system you're using and (b) what sctp
> messages
> you're trying to classify, and (c) what you're trying to accomplish by
> doing it?
>
> (I'm suspecting the answer will be "If the sctp kernel module doesn't
> know, how
> is syslog-ng supposed to tell? But there's another approach to get the
> info you
> wanted. All you do is.....")
>

--
------------------------
Julio Kriger
mailto:julio@cwazy.co.uk

From syslog-ng@lists.balabit.hu Wed May 4 18:47:58 2005
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Wed, 04 May 2005 13:47:58 -0400
Subject: [syslog-ng]a weird configuration
In-Reply-To: Your message of "Wed, 04 May 2005 14:34:01 -0300." <55543.200.51.94.194.1115228041.squirrel@200.51.94.194>
References: <55074.200.51.94.194.1115148976.squirrel@200.51.94.194> <200505032005.j43K5NRx023044@turing-police.cc.vt.edu> <33684.200.51.94.194.1115215870.squirrel@200.51.94.194> <200505041650.j44Govo2015570@turing-police.cc.vt.edu> <55543.200.51.94.194.1115228041.squirrel@200.51.94.194>
Message-ID: <200505041748.j44HlwbP018258@turing-police.cc.vt.edu>

On Wed, 04 May 2005 14:34:01 -0300, Julio Kriger said:
> Yes, exactly.
>
> a) I'm using Linux Gentoo 2.6.11-rc6 (gentoo-sources if you know about
> gentoo)
> b) Any debug message, I've done some modifications and I'm testing them,
> I've added my own messages
> c) It will help understand why this modifcation I made don't work :)

OK.. then it's actually pretty easy, sort of, for a partial solution. ;)

Basically, at any given printk(), you're either running on the current-> that got you there or you're not (and if you don't know, and can't figure out how to tell, you shouldn't be playing in that code. :) So if you're in code where current-> makes sense(*), just do something like:

/* current->comm is the task's command name (struct task_struct has no exe member) */
printk(KERN_DEBUG "sctp: cur=%d(%s) this=%d that=%x\n",
       current->pid, current->comm, thing1, thing2);

and then filter in syslog-ng on the program name the %s outputs...

(*) There's places where current-> is defined, just not the process you thought it was, at those places you can safely dereference current-> if you're willing to put up with odd output values. net/sctp/* shouldn't hit any cases where current-> is totally bogus - most of that code is in drivers/ and deals with the interrupt and IRQ level code).
From syslog-ng@lists.balabit.hu Wed May 4 19:14:13 2005
From: syslog-ng@lists.balabit.hu (Julio Kriger)
Date: Wed, 4 May 2005 15:14:13 -0300 (ART)
Subject: [syslog-ng]a weird configuration
In-Reply-To: <200505041748.j44HlwbP018258@turing-police.cc.vt.edu>
References: <55074.200.51.94.194.1115148976.squirrel@200.51.94.194> <200505032005.j43K5NRx023044@turing-police.cc.vt.edu> <33684.200.51.94.194.1115215870.squirrel@200.51.94.194> <200505041650.j44Govo2015570@turing-police.cc.vt.edu> <55543.200.51.94.194.1115228041.squirrel@200.51.94.194> <200505041748.j44HlwbP018258@turing-police.cc.vt.edu>
Message-ID: <60826.200.51.94.194.1115230453.squirrel@200.51.94.194>

Hi, I will try it. It sounds good!!!
Thank you very much for your help.

Regards,
Julio

On Wed, May 4, 2005 2:47 pm, Valdis.Kletnieks@vt.edu said:
> On Wed, 04 May 2005 14:34:01 -0300, Julio Kriger said:
>> Yes, exactly.
>>
>> a) I'm using Linux Gentoo 2.6.11-rc6 (gentoo-sources if you know about
>> gentoo)
>> b) Any debug message, I've done some modifications and I'm testing them,
>> I've added my own messages
>> c) It will help understand why this modifcation I made don't work :)
>
> OK.. then it's actually pretty easy, sort of, for a partial solution. ;)
>
> Basically, at any given printk(), you're either running on the current->
> that got you there or you're not (and if you don't know, and can't figure
> out
> how to tell, you shouldn't be playing in that code. :) So if you're in
> code
> where current-> make sense(*), just do something like:
>
> printk(KERN_DEBUG "sctp: cur=%d(%s) this=%d that=%x\n",
> current->pid, current->comm, thing1, thing2);
>
> and then filter in syslog-ng on the program name the %s outputs...
>
> (*) There's places where current-> is defined, just not the process you
> thought
> it was, at those places you can safely dereference current-> if you're
> willing
> to put up with odd output values. net/sctp/* shouldn't hit any cases where
> current-> is totally bogus - most of that code is in drivers/ and deals
> with
> the interrupt and IRQ level code).
>

--
------------------------
Julio Kriger
mailto:julio@cwazy.co.uk

From syslog-ng@lists.balabit.hu Wed May 4 19:40:39 2005
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Wed, 04 May 2005 14:40:39 -0400
Subject: [syslog-ng]a weird configuration
In-Reply-To: Your message of "Wed, 04 May 2005 15:14:13 -0300." <60826.200.51.94.194.1115230453.squirrel@200.51.94.194>
References: <55074.200.51.94.194.1115148976.squirrel@200.51.94.194> <200505032005.j43K5NRx023044@turing-police.cc.vt.edu> <33684.200.51.94.194.1115215870.squirrel@200.51.94.194> <200505041650.j44Govo2015570@turing-police.cc.vt.edu> <55543.200.51.94.194.1115228041.squirrel@200.51.94.194> <200505041748.j44HlwbP018258@turing-police.cc.vt.edu> <60826.200.51.94.194.1115230453.squirrel@200.51.94.194>
Message-ID: <200505041840.j44IeiFh021062@turing-police.cc.vt.edu>

On Wed, 04 May 2005 15:14:13 -0300, Julio Kriger said:
> Hi, I will try it. It sounds good!!!
> Thank you very much for you help.

Oh, if your kernel OOPS'es on the printk(), it probably means you managed to find code where current-> doesn't point at a valid 'struct task_struct'. ;)

From syslog-ng@lists.balabit.hu Wed May 4 21:01:51 2005
From: syslog-ng@lists.balabit.hu (Shiming Yang) Date: Wed, 4 May 2005 16:01:51 -0400 Subject: [syslog-ng]Shiming Yang/OCIO_CorpDataSecurity/Planning_Office/HQ_for_the_Americas/BTMNA is out of the office. Message-ID: I will be out of the office starting 05/03/2005 and will not return until 05/05/2005. I will respond to your message when I return. If there is problem about Proxy or IBM web hosting facility, please call my backup Will at 8380. ----------------------------------------- The information contained in this electronic mail message, and any and all accompanying documents, constitutes confidential information. If you are not the intended recipient of this information, any disclosure, copying, distribution, or the taking of any action in reliance on it is strictly prohibited. If you received this information in error, please notify the sender immediately and destroy this communication. Messages sent via this medium may be subject to delays and/or unauthorized alteration. Neither The Bank of Tokyo-Mitsubishi, Ltd. nor any of its affiliates shall be held liable for the contents of this message. From syslog-ng@lists.balabit.hu Wed May 4 22:00:18 2005 
From: syslog-ng@lists.balabit.hu (Dave Johnson)
Date: Wed, 4 May 2005 16:00:18 -0500
Subject: [syslog-ng]Multi-line log entries
In-Reply-To:
References:
Message-ID: <90cdf79a05050414005a6420ac@mail.gmail.com>

* Do you specify a message template in logging?
* Have you tried setting the following in options:
  keep_hostname(yes); use_dns(no); long_hostnames(off);
* That looks like a Solaris machine, do you have it set up as a proper source? IE:
  source local { sun-streams("/dev/log" door("/etc/.syslog_door")); };

On 5/3/05, yesenia_rincon@bankone.com wrote:
> Are you aware of any issues where on the local host the multi-line messages
> include the hostname and syslog-ng does not include the hostname, is there
> a configuration option to resolve this problem ?
>
> Apr 23 00:00:05 img4s012.svr.bankone.net/img4s012.svr.bankone.net scsi: [ID
> 107833 kern.warning] WARNING: /pci@8,700000/pci@2/
> lpfc@5/sd@0,de (sd98):
> Apr 23 00:00:05 img4s012.svr.bankone.net/img4s012.svr.bankone.net
> corrupt label - wrong magic number
>
> This is how the event shows in syslog-ng:
>
> Apr 23 00:00:05 img4s012.svr.bankone.net/img4s012.svr.bankone.net scsi: [ID
> 107833 kern.warning] WARNING: /pci@8,700000/pci@2/
> lpfc@5/sd@0,de (sd98):
> Apr 23 00:00:05 corrupt label - wrong magic number
>
> Regards,
> Jessie
>
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>

From syslog-ng@lists.balabit.hu Thu May 5 02:43:25 2005
From: syslog-ng@lists.balabit.hu (Jenny-Lou Sequeira)
Date: Wed, 4 May 2005 21:43:25 -0400
Subject: [syslog-ng]RE: Issues with HP-UX
Message-ID: <200505050143.j451hQd8919478@power.unx.cpqcorp.net>

I have used the following syslog-ng config file on HP-UX 11.23 (syslog-ng 1.6.6) and have not seen any problem:

options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_dns (yes); use_fqdn (no); create_dirs (yes); keep_hostname (yes); };

# Source
source s_sys { pipe("/dev/log" pad_size(2048)); internal(); };

# Destination
destination d_mesg { file("/var/adm/syslog/syslog-ng/syslog.log"); };
destination d_mail { file("/var/adm/syslog/syslog-ng/mail.log"); };
destination d_cons { file("/dev/console"); };
destination d_mlrt { usertty("root"); };
destination d_mlal { usertty("*"); };

# Filter
filter f_filter1 { facility(mail) and level(debug .. emerg); };
filter f_filter2 { level(info .. emerg) and not facility(mail); };
filter f_filter3 { level(alert .. emerg); };
filter f_filter4 { level(emerg); };

# Log
log { source(s_sys); filter(f_filter1); destination(d_mail); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_cons); destination(d_mlrt); };
log { source(s_sys); filter(f_filter4); destination(d_mlal); };

Note: If your destination directories do not exist you need the "create_dirs (yes);" in the options. Also, make sure that syslogd is stopped.

I used the following test program, and all messages show up in /var/adm/syslog-ng/mail.log and /var/adm/syslog/syslog.log resp.

#!/usr/bin/sh
echo "Testing mail"
logger -p mail.debug "test mail debug"
logger -p mail.info "test mail info"
logger -p mail.notice "test mail notice"
logger -p mail.warning "test mail warning"
logger -p mail.err "test mail err"
logger -p mail.crit "test mail crit"
logger -p mail.alert "test mail alert"
logger -p mail.emerg "test mail emerg"

echo "Testing syslog"
logger -p auth.debug "test syslog debug"
logger -p user.info "test syslog info"
logger -p auth.notice "test syslog notice"
logger -p news.warning "test syslog warning"
logger -p daemon.err "test syslog err"
logger -p lpr.crit "test syslog crit"
logger -p cron.alert "test syslog alert"
logger -p kern.emerg "test syslog emerg"

Jenny-Lou Sequeira

From syslog-ng@lists.balabit.hu Thu May 5 17:01:11 2005
From: syslog-ng@lists.balabit.hu (J. Meub)
Date: Thu, 05 May 2005 18:01:11 +0200
Subject: [syslog-ng]Syntax error in default config?
Message-ID: <427A4347.6080708@t-online.de>

Hello,

I'm new to syslog-ng and recently compiled and installed it (version 1.9.4) on my system (LFS, Kernel 2.6.11.7). The problem I have is that even with the default configuration file it claims to have syntax errors. The lines causing the errors are:

destination user { file("/var/log/user.log"); };

and

filter f_auth { facility(auth); };

The first problem is generated due to the fact that the identifier is called "user". If I call it "user_" it works fine. With the second line the problem is "auth", because facility(authpriv) is accepted. But why not auth?! I'm really at a loss with that. I hope someone here has an idea what might be the problem.

Thanks in advance.

Regards,
J. Meub

From syslog-ng@lists.balabit.hu Thu May 5 17:01:21 2005
From syslog-ng@lists.balabit.hu Thu May 5 17:12:20 2005
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Thu, 05 May 2005 12:12:20 -0400
Subject: [syslog-ng]Syntax error in default config?
In-Reply-To: Your message of "Thu, 05 May 2005 18:01:11 +0200." <427A4347.6080708@t-online.de>
References: <427A4347.6080708@t-online.de>
Message-ID: <200505051612.j45GCKHW016238@turing-police.cc.vt.edu>

On Thu, 05 May 2005 18:01:11 +0200, "J. Meub" said:
> Whereas the first problem is generated due to the fact
> the the identifier is called "user". If i call it "user_"
> it works fine.
> With the second line the problem is "auth" because
> facility(authpriv) is accepted. But why not auth?!

From /usr/include/sys/syslog.h on my Linux box:

/* facility codes */
#define LOG_KERN     (0<<3)  /* kernel messages */
#define LOG_USER     (1<<3)  /* random user-level messages */
#define LOG_MAIL     (2<<3)  /* mail system */
#define LOG_DAEMON   (3<<3)  /* system daemons */
#define LOG_AUTH     (4<<3)  /* security/authorization messages */
#define LOG_SYSLOG   (5<<3)  /* messages generated internally by syslogd */
#define LOG_LPR      (6<<3)  /* line printer subsystem */
#define LOG_NEWS     (7<<3)  /* network news subsystem */
#define LOG_UUCP     (8<<3)  /* UUCP subsystem */
#define LOG_CRON     (9<<3)  /* clock daemon */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
#define LOG_FTP      (11<<3) /* ftp daemon */

Note that user, auth, and authpriv are all facility codes. You can probably guess the rest of the dont-call-them-that list. Oh, and I omitted local0-local7 to save space.....
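A worked example of how these (n<<3) facility codes combine with a severity into a message's PRI, added here and not written by anyone on the list: it encodes facility.level names like the ones in the logger test script earlier in the thread, decodes the <PRI> prefix of a raw syslog datagram, and re-tags a message with a different facility while keeping its level (the local6 to local1 rewrite asked about earlier on this list). It assumes local0..local7 are codes 16..23 as in syslog.h (the quoted listing omitted them) and uses a constructed sample message.

```python
import re
from typing import Optional, Tuple

# Facility codes taken from the sys/syslog.h listing above (the value before
# the <<3).  local0..local7 = 16..23 is assumed from syslog.h, since the
# quoted listing left them out to save space.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# Severities occupy the low three bits of PRI: emerg = 0 .. debug = 7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility: str, severity: str) -> int:
    """PRI = (facility << 3) | severity, the layout the (n<<3) constants
    above encode; 'mail.debug' from the logger test script becomes 23."""
    return (FACILITIES[facility] << 3) | SEVERITIES.index(severity)


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value back into (facility, severity) names.
    Codes 12..15 and anything above 23 have no name in the table and are
    rejected rather than silently mapped to something else."""
    if not 0 <= pri <= 191:          # (23 << 3) | 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    fac_code, sev_code = pri >> 3, pri & 7
    for name, code in FACILITIES.items():
        if code == fac_code:
            return name, SEVERITIES[sev_code]
    raise ValueError(f"unknown facility code {fac_code} in PRI {pri}")


def split_pri(raw: str) -> Tuple[Optional[int], str]:
    """Separate the leading <PRI> of a raw syslog datagram from the rest.
    A message with no PRI is returned unchanged with pri=None."""
    m = _PRI_RE.match(raw)
    if not m:
        return None, raw
    return int(m.group(1)), raw[m.end():]


def rewrite_facility(raw: str, new_facility: str) -> str:
    """Re-tag a raw message with new_facility, keeping its severity.
    A message without a PRI is treated as user.notice (13), which is what
    RFC 3164 tells a relay to assume for such input."""
    pri, rest = split_pri(raw)
    if pri is None:
        pri = encode_pri("user", "notice")
    _, severity = decode_pri(pri)
    return f"<{encode_pri(new_facility, severity)}>{rest}"


if __name__ == "__main__":
    # Constructed sample: a local6.notice message as a forwarding host
    # might receive it over UDP (22 << 3 | 5 = 181).
    sample = "<181>May  2 09:43:24 relay1 app: forwarded event"
    print(decode_pri(181))                     # ('local6', 'notice')
    print(rewrite_facility(sample, "local1"))  # <141>May  2 09:43:24 relay1 app: forwarded event
```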
From syslog-ng@lists.balabit.hu Thu May 5 17:23:11 2005
From: syslog-ng@lists.balabit.hu (J. Meub)
Date: Thu, 05 May 2005 18:23:11 +0200
Subject: [syslog-ng]Syntax error in default config?
In-Reply-To: <200505051612.j45GCKHW016238@turing-police.cc.vt.edu>
References: <427A4347.6080708@t-online.de> <200505051612.j45GCKHW016238@turing-police.cc.vt.edu>
Message-ID: <427A486F.3080302@t-online.de>

Valdis.Kletnieks@vt.edu schrieb:
> From /usr/include/sys/syslog.h on my Linux box:
>
> /* facility codes */
> #define LOG_KERN     (0<<3)  /* kernel messages */
> #define LOG_USER     (1<<3)  /* random user-level messages */
> #define LOG_MAIL     (2<<3)  /* mail system */
> #define LOG_DAEMON   (3<<3)  /* system daemons */
> #define LOG_AUTH     (4<<3)  /* security/authorization messages */
> #define LOG_SYSLOG   (5<<3)  /* messages generated internally by syslogd */
> #define LOG_LPR      (6<<3)  /* line printer subsystem */
> #define LOG_NEWS     (7<<3)  /* network news subsystem */
> #define LOG_UUCP     (8<<3)  /* UUCP subsystem */
> #define LOG_CRON     (9<<3)  /* clock daemon */
> #define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
> #define LOG_FTP      (11<<3) /* ftp daemon */

It looks the same on my system.

From syslog-ng@lists.balabit.hu Thu May 5 19:58:58 2005
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Thu, 05 May 2005 20:58:58 +0200
Subject: [syslog-ng]Syntax error in default config?
In-Reply-To: <427A4347.6080708@t-online.de>
References: <427A4347.6080708@t-online.de>
Message-ID: <1115319538.13884.1.camel@bzorp.balabit>

On Thu, 2005-05-05 at 18:01 +0200, J. Meub wrote:
> Hello,
>
> i'm new to syslog-ng and recently compiled and
> installed it (version 1.9.4) on my system (LFS, Kernel 2.6.11.7).
> The problem i have is that even with the default
> configuiration file it claims to have syntax errors.
> The lines causing the errors are:
> destination user { file("/var/log/user.log"); };
> and
> filter f_auth { facility(auth); };

I've tried this configuration file:

source s_udp { unix-stream("log" log_iw_size(5)); udp(port(2000)); internal(); };

destination d_file { file("/home/bazsi/zwa/install/syslog-ng-2.0/messages" template("/var/log/messages/$HOST/$FACILITY.log\n") log_fifo_size(10)); };
destination user { file("user.log"); };

filter f_auth { facility(auth); };

log { source(s_udp); destination(d_file); destination(user); flags(flow-control); };

It was parsed fine.

--
Bazsi

From syslog-ng@lists.balabit.hu Thu May 5 20:19:31 2005
From: syslog-ng@lists.balabit.hu (J. Meub)
Date: Thu, 05 May 2005 21:19:31 +0200
Subject: [syslog-ng]Syntax error in default config?
In-Reply-To: <1115319538.13884.1.camel@bzorp.balabit>
References: <427A4347.6080708@t-online.de> <1115319538.13884.1.camel@bzorp.balabit>
Message-ID: <427A71C3.4080807@t-online.de>

Balazs Scheidler schrieb:
> I've tried this configuration file:
>
> source s_udp { unix-stream("log" log_iw_size(5)); udp(port(2000)); internal(); };
>
> destination d_file { file("/home/bazsi/zwa/install/syslog-ng-2.0/messages" template("/var/log/messages/$HOST/$FACILITY.log\n") log_fifo_size(10)); };
> destination user { file("user.log"); };
>
> filter f_auth { facility(auth); };
>
> log { source(s_udp); destination(d_file); destination(user); flags(flow-control); };
>
>
> It was parsed fine.

On my system this gives:

gateway:/etc # syslog-ng
syntax error at 4

So again the problem with naming a destination "user". Any ideas?

Regards,
J. Meub

From syslog-ng@lists.balabit.hu Fri May 6 10:53:12 2005
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Fri, 06 May 2005 11:53:12 +0200
Subject: [syslog-ng]Syntax error in default config?
In-Reply-To: <427A71C3.4080807@t-online.de>
References: <427A4347.6080708@t-online.de> <1115319538.13884.1.camel@bzorp.balabit> <427A71C3.4080807@t-online.de>
Message-ID: <1115373192.3865.7.camel@bzorp.balabit>

On Thu, 2005-05-05 at 21:19 +0200, J. Meub wrote:
> Balazs Scheidler schrieb:
> > I've tried this configuration file:
> >
> > source s_udp { unix-stream("log" log_iw_size(5)); udp(port(2000)); internal(); };
> >
> > destination d_file { file("/home/bazsi/zwa/install/syslog-ng-2.0/messages" template("/var/log/messages/$HOST/$FACILITY.log\n") log_fifo_size(10)); };
> > destination user { file("user.log"); };
> >
> > filter f_auth { facility(auth); };
> >
> > log { source(s_udp); destination(d_file); destination(user); flags(flow-control); };
> >
> >
> > It was parsed fine.
>
>
> On my system this gives:
>
> gateway:/etc # syslog-ng
> syntax error at 4
>
> So again the problem with naming a destination "user".

try compiling syslog-ng with YYDEBUG in CPPFLAGS and run syslog-ng with --yydebug option and send the output.

--
Bazsi

From syslog-ng@lists.balabit.hu Fri May 6 11:28:01 2005
From: syslog-ng@lists.balabit.hu (J. Meub)
Date: Fri, 06 May 2005 12:28:01 +0200
Subject: [syslog-ng]Syntax error in default config?
In-Reply-To: <1115373192.3865.7.camel@bzorp.balabit>
References: <427A4347.6080708@t-online.de> <1115319538.13884.1.camel@bzorp.balabit> <427A71C3.4080807@t-online.de> <1115373192.3865.7.camel@bzorp.balabit>
Message-ID: <427B46B1.4090703@t-online.de>

Balazs Scheidler schrieb:
>>On my system this gives:
>>
>>gateway:/etc # syslog-ng
>>syntax error at 4
>>
>>So again the problem with naming a destination "user".
>
>
> try compiling syslog-ng with YYDEBUG in CPPFLAGS and run syslog-ng with
> --yydebug option and send the output.
26 72 151 231 322 Entering state 396 Reducing stack by rule 48 (line 317), source_reader_option -> source_afunix_option Stack now 0 1 13 26 72 151 231 322 Entering state 394 Reading a token: Next token is token ')' () Reducing stack by rule 43 (line 309), -> source_afunix_options Stack now 0 1 13 26 72 151 231 322 394 Entering state 462 Reducing stack by rule 42 (line 308), source_afunix_option source_afunix_options -> source_afunix_options Stack now 0 1 13 26 72 151 231 322 Entering state 393 Reducing stack by rule 41 (line 295), string @5 source_afunix_options -> source_afunix_stream_params Stack now 0 1 13 26 72 151 Entering state 230 Next token is token ')' () Shifting token ')', Entering state 321 Reducing stack by rule 35 (line 277), KW_UNIX_STREAM '(' source_afunix_stream_params ')' -> source_afsocket Stack now 0 1 13 26 Entering state 81 Reducing stack by rule 25 (line 242), source_afsocket -> source_item Stack now 0 1 13 26 Entering state 78 Reading a token: Next token is token ';' () Shifting token ';', Entering state 157 Reading a token: Next token is token KW_UDP () Shifting token KW_UDP, Entering state 74 Reading a token: Next token is token '(' () Shifting token '(', Entering state 153 Reducing stack by rule 49 (line 322), -> @6 Stack now 0 1 13 26 78 157 74 153 Entering state 235 Reading a token: Next token is token KW_PORT () Shifting token KW_PORT, Entering state 337 Reading a token: Next token is token '(' () Shifting token '(', Entering state 409 Reading a token: Next token is token NUMBER () Shifting token NUMBER, Entering state 477 Reading a token: Next token is token ')' () Shifting token ')', Entering state 541 Reducing stack by rule 58 (line 345), KW_PORT '(' NUMBER ')' -> source_afinet_option Stack now 0 1 13 26 78 157 74 153 235 Entering state 340 Reducing stack by rule 53 (line 337), source_afinet_option -> source_afinet_udp_option Stack now 0 1 13 26 78 157 74 153 235 Entering state 339 Reading a token: Next token is token ')' () 
Reducing stack by rule 52 (line 333), -> source_afinet_udp_options Stack now 0 1 13 26 78 157 74 153 235 339 Entering state 410 Reducing stack by rule 51 (line 332), source_afinet_udp_option source_afinet_udp_options -> source_afinet_udp_options Stack now 0 1 13 26 78 157 74 153 235 Entering state 338 Reducing stack by rule 50 (line 322), @6 source_afinet_udp_options -> source_afinet_udp_params Stack now 0 1 13 26 78 157 74 153 Entering state 234 Next token is token ')' () Shifting token ')', Entering state 325 Reducing stack by rule 36 (line 278), KW_UDP '(' source_afinet_udp_params ')' -> source_afsocket Stack now 0 1 13 26 78 157 Entering state 81 Reducing stack by rule 25 (line 242), source_afsocket -> source_item Stack now 0 1 13 26 78 157 Entering state 78 Reading a token: Next token is token ';' () Shifting token ';', Entering state 157 Reading a token: Next token is token KW_INTERNAL () Shifting token KW_INTERNAL, Entering state 69 Reading a token: Next token is token '(' () Shifting token '(', Entering state 148 Reading a token: Next token is token ')' () Shifting token ')', Entering state 225 Reducing stack by rule 27 (line 247), KW_INTERNAL '(' ')' -> source_afinter Stack now 0 1 13 26 78 157 78 157 Entering state 79 Reducing stack by rule 23 (line 240), source_afinter -> source_item Stack now 0 1 13 26 78 157 78 157 Entering state 78 Reading a token: Next token is token ';' () Shifting token ';', Entering state 157 Reading a token: Next token is token '}' () Reducing stack by rule 22 (line 236), -> source_items Stack now 0 1 13 26 78 157 78 157 78 157 Entering state 240 Reducing stack by rule 21 (line 235), source_item ';' source_items -> source_items Stack now 0 1 13 26 78 157 78 157 Entering state 240 Reducing stack by rule 21 (line 235), source_item ';' source_items -> source_items Stack now 0 1 13 26 78 157 Entering state 240 Reducing stack by rule 21 (line 235), source_item ';' source_items -> source_items Stack now 0 1 13 26 Entering state 77 Next 
token is token '}' () Shifting token '}', Entering state 156 Reducing stack by rule 10 (line 196), string '{' source_items '}' -> source_stmt Stack now 0 1 Entering state 12 Reducing stack by rule 4 (line 187), KW_SOURCE source_stmt -> stmt Stack now 0 Entering state 9 Reading a token: Next token is token ';' () Shifting token ';', Entering state 25 Reading a token: Next token is token KW_DESTINATION () Shifting token KW_DESTINATION, Entering state 2 Reading a token: Next token is token IDENTIFIER () Shifting token IDENTIFIER, Entering state 10 Reducing stack by rule 239 (line 819), IDENTIFIER -> string Stack now 0 9 25 2 Entering state 15 Reading a token: Next token is token '{' () Shifting token '{', Entering state 27 Reading a token: Next token is token KW_FILE () Shifting token KW_FILE, Entering state 83 Reading a token: Next token is token '(' () Shifting token '(', Entering state 158 Reading a token: Next token is token STRING () Shifting token STRING, Entering state 11 Reducing stack by rule 240 (line 820), STRING -> string Stack now 0 9 25 2 15 27 83 158 Entering state 242 Reducing stack by rule 101 (line 447), -> @9 Stack now 0 9 25 2 15 27 83 158 242 Entering state 357 Reading a token: Next token is token KW_TEMPLATE () Shifting token KW_TEMPLATE, Entering state 436 Reading a token: Next token is token '(' () Shifting token '(', Entering state 505 Reading a token: Next token is token STRING () Shifting token STRING, Entering state 11 Reducing stack by rule 240 (line 820), STRING -> string Stack now 0 9 25 2 15 27 83 158 242 357 436 505 Entering state 567 Reading a token: Next token is token ')' () Shifting token ')', Entering state 598 Reducing stack by rule 158 (line 620), KW_TEMPLATE '(' string ')' -> dest_writer_option Stack now 0 9 25 2 15 27 83 158 242 357 Entering state 440 Reducing stack by rule 105 (line 462), dest_writer_option -> dest_affile_option Stack now 0 9 25 2 15 27 83 158 242 357 Entering state 439 Reading a token: Next token is token 
KW_LOG_FIFO_SIZE () Shifting token KW_LOG_FIFO_SIZE, Entering state 427 Reading a token: Next token is token '(' () Shifting token '(', Entering state 496 Reading a token: Next token is token NUMBER () Shifting token NUMBER, Entering state 556 Reading a token: Next token is token ')' () Shifting token ')', Entering state 588 Reducing stack by rule 156 (line 618), KW_LOG_FIFO_SIZE '(' NUMBER ')' -> dest_writer_option Stack now 0 9 25 2 15 27 83 158 242 357 439 Entering state 440 Reducing stack by rule 105 (line 462), dest_writer_option -> dest_affile_option Stack now 0 9 25 2 15 27 83 158 242 357 439 Entering state 439 Reading a token: Next token is token ')' () Reducing stack by rule 104 (line 458), -> dest_affile_options Stack now 0 9 25 2 15 27 83 158 242 357 439 439 Entering state 507 Reducing stack by rule 103 (line 457), dest_affile_option dest_affile_options -> dest_affile_options Stack now 0 9 25 2 15 27 83 158 242 357 439 Entering state 507 Reducing stack by rule 103 (line 457), dest_affile_option dest_affile_options -> dest_affile_options Stack now 0 9 25 2 15 27 83 158 242 357 Entering state 438 Reducing stack by rule 102 (line 446), string @9 dest_affile_options -> dest_affile_params Stack now 0 9 25 2 15 27 83 158 Entering state 241 Next token is token ')' () Shifting token ')', Entering state 356 Reducing stack by rule 100 (line 442), KW_FILE '(' dest_affile_params ')' -> dest_affile Stack now 0 9 25 2 15 27 Entering state 93 Reducing stack by rule 95 (line 434), dest_affile -> dest_item Stack now 0 9 25 2 15 27 Entering state 92 Reading a token: Next token is token ';' () Shifting token ';', Entering state 167 Reading a token: Next token is token '}' () Reducing stack by rule 94 (line 430), -> dest_items Stack now 0 9 25 2 15 27 92 167 Entering state 256 Reducing stack by rule 93 (line 429), dest_item ';' dest_items -> dest_items Stack now 0 9 25 2 15 27 Entering state 91 Next token is token '}' () Shifting token '}', Entering state 166 Reducing stack 
by rule 11 (line 200), string '{' dest_items '}' -> dest_stmt Stack now 0 9 25 2 Entering state 14 Reducing stack by rule 5 (line 188), KW_DESTINATION dest_stmt -> stmt Stack now 0 9 25 Entering state 9 Reading a token: Next token is token ';' () Shifting token ';', Entering state 25 Reading a token: Next token is token KW_DESTINATION () Shifting token KW_DESTINATION, Entering state 2 Reading a token: Next token is token KW_USER () syntax error at 4 Error: popping token KW_DESTINATION () Stack now 0 9 25 9 25 Error: popping token ';' () Stack now 0 9 25 9 Error: popping nterm stmt () Stack now 0 9 25 Error: popping token ';' () Stack now 0 9 Error: popping nterm stmt () Stack now 0

Regards,
J. Meub

From syslog-ng@lists.balabit.hu Fri May 6 11:38:43 2005
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Fri, 06 May 2005 12:38:43 +0200
Subject: [syslog-ng]Syntax error in default config?
In-Reply-To: <427B46B1.4090703@t-online.de>
References: <427A4347.6080708@t-online.de> <1115319538.13884.1.camel@bzorp.balabit> <427A71C3.4080807@t-online.de> <1115373192.3865.7.camel@bzorp.balabit> <427B46B1.4090703@t-online.de>
Message-ID: <1115375923.3865.32.camel@bzorp.balabit>

On Fri, 2005-05-06 at 12:28 +0200, J. Meub wrote:
> Balazs Scheidler wrote:
> >>On my system this gives:
> >>
> >>gateway:/etc # syslog-ng
> >>syntax error at 4
> >>
> >>So again the problem with naming a destination "user".
> >
> >
> > try compiling syslog-ng with YYDEBUG in CPPFLAGS and run syslog-ng with
> > --yydebug option and send the output.
>
> Reading a token: Next token is token ';' ()
> Shifting token ';', Entering state 25
> Reading a token: Next token is token KW_DESTINATION ()
> Shifting token KW_DESTINATION, Entering state 2
> Reading a token: Next token is token KW_USER ()
                                      ^^^^^^^

That's strange, the KW_USER keyword corresponds to a string named "usertty" and not "user":

bazsi@bzorp:~/zwa/work/syslog-ng-2.0/syslog-ng/src$ grep KW_USER cfg-lex.l
  { "usertty", KW_USER },

-- 
Bazsi

From syslog-ng@lists.balabit.hu Fri May 6 12:09:03 2005
From: syslog-ng@lists.balabit.hu (J. Meub)
Date: Fri, 06 May 2005 13:09:03 +0200
Subject: [syslog-ng]Syntax error in default config?
In-Reply-To: <1115375923.3865.32.camel@bzorp.balabit>
References: <427A4347.6080708@t-online.de> <1115319538.13884.1.camel@bzorp.balabit> <427A71C3.4080807@t-online.de> <1115373192.3865.7.camel@bzorp.balabit> <427B46B1.4090703@t-online.de> <1115375923.3865.32.camel@bzorp.balabit>
Message-ID: <427B504F.8020301@t-online.de>

Balazs Scheidler wrote:
>
> That's strange, the KW_USER keyword corresponds to a string named
> "usertty" and not "user":
>
> bazsi@bzorp:~/zwa/work/syslog-ng-2.0/syslog-ng/src$ grep KW_USER cfg-lex.l
>   { "usertty", KW_USER },
>

Looks exactly the same here:

suud@gateway:/packages/src/syslog-ng-1.9.4/src> grep KW_USER cfg-lex.l
  { "usertty", KW_USER },

Regards,
J. Meub

From syslog-ng@lists.balabit.hu Fri May 6 12:22:55 2005
From: syslog-ng@lists.balabit.hu (J. Meub)
Date: Fri, 06 May 2005 13:22:55 +0200
Subject: [syslog-ng]Syntax error in default config?
In-Reply-To: <1115375923.3865.32.camel@bzorp.balabit>
References: <427A4347.6080708@t-online.de> <1115319538.13884.1.camel@bzorp.balabit> <427A71C3.4080807@t-online.de> <1115373192.3865.7.camel@bzorp.balabit> <427B46B1.4090703@t-online.de> <1115375923.3865.32.camel@bzorp.balabit>
Message-ID: <427B538F.90104@t-online.de>

Balazs Scheidler wrote:
>>>try compiling syslog-ng with YYDEBUG in CPPFLAGS and run syslog-ng with
>>>--yydebug option and send the output.
>>
>>Reading a token: Next token is token ';' ()
>>Shifting token ';', Entering state 25
>>Reading a token: Next token is token KW_DESTINATION ()
>>Shifting token KW_DESTINATION, Entering state 2
>>Reading a token: Next token is token KW_USER ()
>
>                                      ^^^^^^^

This is what happens if I comment out the line containing "user" so it reaches
filter f_auth { facility(auth); };

[...]
Reading a token: Next token is token ';' ()
Shifting token ';', Entering state 25
Reading a token: Next token is token KW_FILTER ()
Shifting token KW_FILTER, Entering state 5
Reading a token: Next token is token IDENTIFIER ()
Shifting token IDENTIFIER, Entering state 10
Reducing stack by rule 239 (line 819), IDENTIFIER -> string
Stack now 0 9 25 9 25 5
Entering state 21
Reading a token: Next token is token '{' ()
Shifting token '{', Entering state 66
Reading a token: Next token is token KW_FACILITY ()
Shifting token KW_FACILITY, Entering state 139
Reading a token: Next token is token '(' ()
Shifting token '(', Entering state 211
Reading a token: Next token is token KW_AUTH ()
syntax error at 6
Error: popping token '(' ()
Stack now 0 9 25 9 25 5 21 66 139
Error: popping token KW_FACILITY ()
Stack now 0 9 25 9 25 5 21 66
Error: popping token '{' ()
Stack now 0 9 25 9 25 5 21
Error: popping nterm string ()
Stack now 0 9 25 9 25 5
Error: popping token KW_FILTER ()
Stack now 0 9 25 9 25
Error: popping token ';' ()
Stack now 0 9 25 9
Error: popping nterm stmt ()
Stack now 0 9 25
Error: popping token ';' ()
Stack now 0 9
Error: popping nterm stmt ()
Stack now 0

Regards,
J. Meub

From syslog-ng@lists.balabit.hu Sun May 8 06:32:10 2005
From: syslog-ng@lists.balabit.hu (Sven Wegener)
Date: Sun, 8 May 2005 07:32:10 +0200
Subject: [syslog-ng][PATCH] use_fqdn with gethostname() not returning fqdn
Message-ID: <20050508053210.GC14501@lightning.stealer.net>

Hi all!

I came across this issue while I was setting up a central syslog-ng server that collects logs from several hosts in different domains. I wanted to use the use_fqdn option to distinguish every host in my logs better, but all I saw was just the plain hostname. Please find attached two patches, one against 1.6.7 and one against 1.9.4, that add support for fqdns. If gethostname() returns a name without dots it tries to look up the fqdn of the host.

Cheers,
Sven

-- 
Sven Wegener
Gentoo Linux Developer
http://www.gentoo.org/

Attachment: syslog-ng-1.6.7-fqdn.patch
diff -Nur syslog-ng-1.6.7/src/sources.c syslog-ng-1.6.7-fqdn/src/sources.c --- syslog-ng-1.6.7/src/sources.c 2005-02-03 12:08:11.000000000 +0100 +++ syslog-ng-1.6.7-fqdn/src/sources.c 2005-05-08 04:01:19.167140941 +0200 
@@ -229,6 +229,16 @@ if (usefqdn) { gethostname(buf, sizeof(buf) - 1); buf[127] = 0; + // Check if hostname includes a . else do a fqdn lookup + if (NULL == strchr(buf, '.')) { + struct addrinfo *result, hints; + memset(&hints, 0, sizeof(hints)); + hints.ai_flags = AI_CANONNAME; + if (0 == getaddrinfo(buf, NULL, &hints, &result)) { + strncpy(buf, result->ai_canonname, sizeof(buf) - 1); + freeaddrinfo(result); + } + } } else { getshorthostname(buf, sizeof(buf)); --ncSAzJYg3Aa9+CRW Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="syslog-ng-1.9.4-fqdn.patch" Content-Transfer-Encoding: quoted-printable diff -Nur syslog-ng-1.9.4/src/misc.c syslog-ng-1.9.4-fqdn/src/misc.c --- syslog-ng-1.9.4/src/misc.c 2004-12-27 23:45:41.000000000 +0100 +++ syslog-ng-1.9.4-fqdn/src/misc.c 2005-05-08 07:04:04.392031522 +0200 @@ -45,6 +45,24 @@ } =20 char * +getlonghostname(char *buf, size_t bufsize) +{ + gethostname(buf, bufsize - 1); + if (NULL =3D=3D strchr(buf, '.')) + { + struct addrinfo *result, hints; + memset(&hints, 0, sizeof(hints)); + hints.ai_flags =3D AI_CANONNAME; + if (0 =3D=3D getaddrinfo(buf, NULL, &hints, &result)) + { + strncpy(buf, result->ai_canonname, bufsize - 1); + freeaddrinfo(result); + } + } + return buf; +} + +char * getshorthostname(char *buf, size_t bufsize) { char *s; @@ -96,9 +114,16 @@ } else=20 { - if (!local_hostname[0])=20 + if (!local_hostname[0]) { - getshorthostname(local_hostname, sizeof(local_hostname)); + if (usefqdn) + { + getlonghostname(local_hostname, sizeof(local_hostname)); + } + else + { + getshorthostname(local_hostname, sizeof(local_hostname)); + } } =20 hname =3D local_hostname; diff -Nur syslog-ng-1.9.4/src/misc.h syslog-ng-1.9.4-fqdn/src/misc.h --- syslog-ng-1.9.4/src/misc.h 2004-12-27 23:48:02.000000000 +0100 +++ syslog-ng-1.9.4-fqdn/src/misc.h 2005-05-08 07:00:54.731289603 +0200 
@@ -33,6 +33,7 @@ GString *g_string_assign_len(GString *s, gchar *val, gint len); =20 char *getshorthostname(char *buf, size_t buflen); +char *getlonghostname(char *buf, size_t buflen); GString *resolve_hostname(GSockAddr *saddr, int usedns, int usefqdn); gboolean g_fd_set_nonblock(int fd, gboolean enable); =20

From syslog-ng@lists.balabit.hu Tue May 10 11:29:57 2005
From: syslog-ng@lists.balabit.hu (André Bonhôte)
Date: Tue, 10 May 2005 12:29:57 +0200
Subject: [syslog-ng]Logging to Oracle - Quoting issue
Message-ID: <96B5542E-867E-455B-8DB4-575F11998F22@colt.net>

Hi!

I have already written a mail to info@balabit.hu today, but I am impatient. Forgive me please!

We have an issue when logging to Oracle. Obviously, Oracle requires a single quote to be quoted by a single quote. I have found this [1] article about it. Since it's 2005 now, I'd like to know whether this one is fixed in the latest version or not. I have 1.6.2 running in production now on a few machines. I didn't find anything in the Changelog about this, unfortunately.

Could someone give me a hint?

Thanks IA

André

[1] https://lists.balabit.hu/pipermail/syslog-ng/2003-November/005510.html

-- 
Andre Bonhote, Senior IP Engineer, Platform Infrastructure, COLT Telecom
t: +41 (0)44 5 600 600  f: +41 (0)44 5 630 501  e: andre@colt.net

From syslog-ng@lists.balabit.hu Tue May 10 11:55:14 2005
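Review bot: In the sources.c hunk of the 1.6.7 patch above, `result->ai_canonname` is copied into buf without a NULL check; getaddrinfo() can return 0 and still leave ai_canonname NULL (or set to the short name itself) depending on the resolver, so guard it, e.g. `if (result->ai_canonname != NULL) strncpy(buf, result->ai_canonname, sizeof(buf) - 1);`, and keep the short name otherwise. The `//` comment does not match the C89 style of the surrounding code. Note also that getaddrinfo() is a blocking resolver call and that the name recorded in every log line now depends on the resolver's answer: if this block runs more often than once at startup, a host whose own name does not resolve stalls for the resolver timeout on each call.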
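Review bot: In the getlonghostname() hunk of the 1.9.4 patch above, buf is never explicitly terminated: gethostname() need not NUL-terminate when the name is longer than bufsize - 1, and `strncpy(buf, result->ai_canonname, bufsize - 1)` leaves no terminator when the canonical name is at least that long, so the following strchr() and every later reader of local_hostname can run past the buffer. Set `buf[bufsize - 1] = '\0'` after both calls (the 1.6.7 hunk gets this from its `buf[127] = 0`), check the gethostname() return value before using buf, and guard against a NULL ai_canonname. The function also needs <netdb.h> and <sys/socket.h> unless misc.c already includes them.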
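Review bot: In the second misc.c hunk of the 1.9.4 patch above (the `if (!local_hostname[0])` block), local_hostname is filled on the first call and reused by every later call, so which form is cached depends on the usefqdn value of whoever calls resolve_hostname() first; a later caller passing the other value gets the wrong name. More important in practice: when the resolver is not reachable at startup (typical early in boot), getlonghostname() returns the short name, that short name is cached for the lifetime of the process, and use_fqdn(yes) silently logs short names until a restart. Cache the two forms separately, or cache only a successful FQDN lookup and retry on the next call.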
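A bounds-checked version of the lookup Sven describes (no dot in the gethostname() result, so ask the resolver for the canonical name), as added example code that is neither Sven's patch nor syslog-ng's own: the decision step is split from the resolver call so the edge cases (NULL ai_canonname, truncation, an answer naming a different host) can be exercised offline; choose_long_hostname, get_long_hostname and the first-label match rule are this example's assumptions.

```c
/* Added example: not Sven's patch and not syslog-ng code. A bounds-checked
 * take on "gethostname() has no dot, ask the resolver for the canonical
 * name". choose_long_hostname() and its first-label rule are assumptions
 * of this example, not behaviour of the patch. */
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy src into dst with guaranteed NUL termination.
 * Returns 0 if everything fit, 1 if the copy had to be cut. */
static int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    size_t n = len;

    if (dstsize == 0)
        return 1;
    if (n >= dstsize)
        n = dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n < len;
}

/* Pure decision step, kept apart from the resolver so it can be tested
 * offline: hostname is the gethostname() result, canonname the resolver's
 * ai_canonname (NULL when the lookup failed or returned nothing).
 * buf is always NUL-terminated. Returns 1 when buf holds an FQDN. */
int choose_long_hostname(const char *hostname, const char *canonname,
                         char *buf, size_t bufsize)
{
    size_t hlen = strlen(hostname);

    /* Already qualified: nothing to look up. */
    if (strchr(hostname, '.') != NULL)
        return copy_bounded(buf, bufsize, hostname) == 0;

    /* No usable answer: keep the short name instead of copying from NULL. */
    if (canonname == NULL || strchr(canonname, '.') == NULL) {
        copy_bounded(buf, bufsize, hostname);
        return 0;
    }

    /* Accept only an answer that qualifies our own label ("gw" -> "gw.x.y").
     * A CNAME or stale record pointing elsewhere must not rename this host
     * in every log line it writes. */
    if (strncasecmp(canonname, hostname, hlen) != 0 || canonname[hlen] != '.') {
        copy_bounded(buf, bufsize, hostname);
        return 0;
    }

    /* A truncated FQDN is a different, wrong name: fall back instead. */
    if (strlen(canonname) >= bufsize) {
        copy_bounded(buf, bufsize, hostname);
        return 0;
    }
    memcpy(buf, canonname, strlen(canonname) + 1);
    return 1;
}

/* Resolver-backed wrapper, the counterpart of the patch's getlonghostname(). */
int get_long_hostname(char *buf, size_t bufsize)
{
    char name[256];
    struct addrinfo hints, *res = NULL;
    int rc;

    if (bufsize == 0)
        return 0;
    if (gethostname(name, sizeof(name) - 1) != 0) {
        buf[0] = '\0';               /* name[] is indeterminate on failure */
        return 0;
    }
    name[sizeof(name) - 1] = '\0';   /* gethostname() need not terminate on truncation */

    if (strchr(name, '.') != NULL)
        return choose_long_hostname(name, NULL, buf, bufsize);

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_flags = AI_CANONNAME;
    /* Blocking lookup: on a host whose own name does not resolve this waits
     * for the resolver timeout, so do it once at startup, not per message. */
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return choose_long_hostname(name, NULL, buf, bufsize);

    rc = choose_long_hostname(name, res->ai_canonname, buf, bufsize);
    freeaddrinfo(res);
    return rc;
}
```
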
From: syslog-ng@lists.balabit.hu (André Bonhôte)
Date: Tue, 10 May 2005 12:55:14 +0200
Subject: [syslog-ng]Logging to Oracle - Quoting issue
In-Reply-To: <96B5542E-867E-455B-8DB4-575F11998F22@colt.net>
References: <96B5542E-867E-455B-8DB4-575F11998F22@colt.net>
Message-ID: <53AA0F60-C462-45F1-AA0D-6C2124B6BCD1@colt.net>

Just found another one: &'s don't get quoted at all. It looks like sqlplus will wait for a user entry (variable substitution).

Example:

'mc2.fra.qmail-send: [ID 748625 mail.info] 1115721654.581305 starting delivery 6475704: msg 932402 to remote M&E@xxxxx.com'

...
Enter value for e:

In the meantime, I have found macros.c where all that gets defined. Unfortunately I don't know much C.

Any hints?

TIA

André

On May 10, 2005, at 12:29, André Bonhôte wrote:

> Hi!
>
> I have already written a mail to info@balabit.hu today, but I am
> impatient. Forgive me please!
>
> We have an issue when logging to Oracle. Obviously, Oracle requires
> a single quote to be quoted by a single quote. I have found this
> [1] article about it. Since it's 2005 now, I'd like to know whether
> this one is fixed in the latest version or not. I have 1.6.2
> running in production now on a few machines. I didn't find anything
> in the Changelog about this, unfortunately.
>
> Could someone give me a hint?
>
> Thanks IA
>
> André
>
> [1] https://lists.balabit.hu/pipermail/syslog-ng/2003-November/005510.html

From syslog-ng@lists.balabit.hu Tue May 10 12:05:16 2005
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Tue, 10 May 2005 13:05:16 +0200
Subject: [syslog-ng]Logging to Oracle - Quoting issue
In-Reply-To: <53AA0F60-C462-45F1-AA0D-6C2124B6BCD1@colt.net>
References: <96B5542E-867E-455B-8DB4-575F11998F22@colt.net> <53AA0F60-C462-45F1-AA0D-6C2124B6BCD1@colt.net>
Message-ID: <1115723116.4906.1.camel@bzorp.balabit>

On Tue, 2005-05-10 at 12:55 +0200, André Bonhôte wrote:
> Just found another one: &'s don't get quoted at all. It looks like
> sqlplus will wait for a user entry (variable substitution).
>
> Example:
>
> 'mc2.fra.qmail-send: [ID 748625 mail.info] 1115721654.581305 starting
> delivery 6475704: msg 932402 to remote M&E@xxxxx.com'
>
> ...
> Enter value for e:
>
> In the meantime, I have found macros.c where all that gets defined.
> Unfortunately I don't know much C.

No, this has not yet been solved. You have to modify the macros.c:append_string() function and add support for Oracle-style escaping. I'm sorry but I currently have no time to do that myself.

-- 
Bazsi

From syslog-ng@lists.balabit.hu Tue May 10 12:08:59 2005
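The escaping step Bazsi points at, as added example code (not syslog-ng's macros.c and not anyone's patch from this thread): every single quote in a value is doubled before it is placed in an Oracle literal, so a message received from the network cannot end the literal and append its own SQL; the table name, column names and function names are this example's assumptions.

```c
/* Added example: not syslog-ng's macros.c, only the shape of the escaping
 * step Bazsi points at, written for Oracle string literals. Table and
 * column names and the function names are this example's assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape one value for an Oracle single-quoted literal: every ' becomes ''
 * (Oracle has no backslash escapes, so the \' style is wrong here) and
 * control characters become a space, so a received message cannot close
 * the literal or add line structure to the script sqlplus reads.
 * Returns the length the escaped form needs (without the NUL). dst is
 * always NUL-terminated; once the output no longer fits, nothing more is
 * written, so a too-small buffer never yields a half-escaped value. */
size_t oracle_escape(const char *src, char *dst, size_t dstsize)
{
    size_t need = 0, written = 0;
    int truncated = 0;
    const unsigned char *p;

    for (p = (const unsigned char *)src; *p != '\0'; p++) {
        char rep[2];
        size_t rlen = 1;

        if (*p == '\'') {
            rep[0] = '\'';
            rep[1] = '\'';
            rlen = 2;
        } else if (*p < 0x20 || *p == 0x7f) {
            rep[0] = ' ';
        } else {
            rep[0] = (char)*p;
        }
        if (!truncated && written + rlen < dstsize) {
            memcpy(dst + written, rep, rlen);
            written += rlen;
        } else {
            truncated = 1;
        }
        need += rlen;
    }
    if (dstsize > 0)
        dst[written] = '\0';
    return need;
}

/* Build the INSERT for one log line in a malloc'd string (caller frees).
 * Returns NULL on allocation failure. */
char *build_insert(const char *host, const char *msg)
{
    static const char fmt[] =
        "INSERT INTO syslog (host, msg) VALUES ('%s', '%s');";
    size_t hn = oracle_escape(host, NULL, 0);
    size_t mn = oracle_escape(msg, NULL, 0);
    size_t outsize = sizeof(fmt) + hn + mn;
    char *h = malloc(hn + 1);
    char *m = malloc(mn + 1);
    char *out = malloc(outsize);

    if (h == NULL || m == NULL || out == NULL) {
        free(h);
        free(m);
        free(out);
        return NULL;
    }
    oracle_escape(host, h, hn + 1);
    oracle_escape(msg, m, mn + 1);
    snprintf(out, outsize, fmt, h, m);
    free(h);
    free(m);
    return out;
}

int main(void)
{
    /* Constructed sample in the shape of the qmail line from the thread,
     * with an apostrophe of the kind any remote sender could put there. */
    const char *msg =
        "qmail-send: delivery 6475704: msg 932402 to remote M&E@xxxxx.com"
        " (user's mailbox)";
    char *sql = build_insert("mc2.fra", msg);

    if (sql == NULL)
        return 1;
    /* The & is left alone: it is a sqlplus substitution marker, not a
     * literal problem, and is switched off client-side with SET DEFINE OFF. */
    puts(sql);
    free(sql);
    return 0;
}
```
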
From: syslog-ng@lists.balabit.hu (André Bonhôte)
Date: Tue, 10 May 2005 13:08:59 +0200
Subject: [syslog-ng]Logging to Oracle - Quoting issue
In-Reply-To: <1115723116.4906.1.camel@bzorp.balabit>
References: <96B5542E-867E-455B-8DB4-575F11998F22@colt.net> <53AA0F60-C462-45F1-AA0D-6C2124B6BCD1@colt.net> <1115723116.4906.1.camel@bzorp.balabit>
Message-ID:

On May 10, 2005, at 13:05, Balazs Scheidler wrote:
>>
>> In the meantime, I have found macros.c where all that gets defined.
>> Unfortunately I don't know much C.
>>
>
> No, this has not yet been solved. You have to modify
> macros.c:append_string() function, add support for Oracle style
> escaping. I'm sorry but I currently have no time to do that myself.
>

Ok, I will try. The one with & can be solved using SET DEFINE OFF in sqlplus.

Cheers
André

From syslog-ng@lists.balabit.hu Tue May 10 14:01:52 2005
From: syslog-ng@lists.balabit.hu (Damien Michau)
Date: Tue, 10 May 2005 15:01:52 +0200
Subject: [syslog-ng]Pix problem
Message-ID: <001301c55560$6faa2490$280a3c0a@leslilas>

Hi All!

I have some problem logging my PIX's logs into my syslog-ng server. I have mounted a syslog-ng server to store my PIX's logs, but there is nothing in my pix.log. I have put these lines in my syslog-ng.conf:

source pix { udp(ip(10.60.10.111) port());};
destination pix { file("/var/log/pix.log"); };
log { source(pix);destination(pix); };

Have you any idea?

Thx

Damien Michau
Paris
From syslog-ng@lists.balabit.hu Tue May 10 15:45:16 2005
From: syslog-ng@lists.balabit.hu (Ben Whittaker)
Date: Tue, 10 May 2005 07:45:16 -0700 (PDT)
Subject: [syslog-ng]Pix problem
In-Reply-To: 6667
Message-ID: <20050510144516.43681.qmail@web41202.mail.yahoo.com>

This is from my config.

# PIX # source network { udp () ; tcp (); };
log{source(net);filter(f_pix);destination(pixlog);};
destination pixlog { file("/var/log/pix.log"); };
filter f_pix { facility(local4); };

And on my PIX

logging on
logging timestamp
logging buffered notifications
logging trap notifications
logging queue 1024
logging host inside 10.x.x.x
no logging message 106001
no logging message 106023

--- Damien Michau wrote:
> Hi All!
> I have some problem logging my PIX's logs into my
> syslog-ng server.
> I have mounted a syslog-ng server to store my PIX's
> logs, but there is nothing in my pix.log.
> I have put these lines in my syslog-ng.conf:
>
>
> source pix { udp(ip(10.60.10.111) port());};
> destination pix { file("/var/log/pix.log"); };
> log { source(pix);destination(pix); };
>
>
> Have you any idea?
>
> Thx
>
> Damien Michau
> Paris
From syslog-ng@lists.balabit.hu Tue May 10 16:12:56 2005
From: syslog-ng@lists.balabit.hu (Damien Michau)
Date: Tue, 10 May 2005 17:12:56 +0200
Subject: [syslog-ng]Pix problem
References: <20050510144516.43681.qmail@web41202.mail.yahoo.com>
Message-ID: <000401c55572$c1e39f40$280a3c0a@leslilas>

Thx, but it doesn't work.

On my PIX there is
logging facility 21

and I have put on my syslog-ng

source network { udp();tcp();};
destination pixlog {file("/var/log/pix.log");};
filter f_pix { facility(local5); };
log {source(network);filter(f_pix);destination(pixlog);};

When I listen on my network I see some packets on the network, but my pix.log is always empty.

----- Original Message -----
From: "Ben Whittaker"
To:
Sent: Tuesday, May 10, 2005 4:45 PM
Subject: Re: [syslog-ng]Pix problem

> This is from my config.
>
> # PIX # source network { udp () ; tcp (); };
>
> log{source(net);filter(f_pix);destination(pixlog);};
>
> destination pixlog { file("/var/log/pix.log"); };
>
> filter f_pix { facility(local4); };
>
>
> And on my PIX
>
> logging on
> logging timestamp
> logging buffered notifications
> logging trap notifications
> logging queue 1024
> logging host inside 10.x.x.x
> no logging message 106001
> no logging message 106023
>
> --- Damien Michau wrote:
>> Hi All!
>> I have some problem logging my PIX's logs into my
>> syslog-ng server.
>> I have mounted a syslog-ng server to store my PIX's
>> logs, but there is nothing in my pix.log.
>> I have put these lines in my syslog-ng.conf:
>>
>>
>> source pix { udp(ip(10.60.10.111) port());};
>> destination pix { file("/var/log/pix.log"); };
>> log { source(pix);destination(pix); };
>>
>>
>> Have you any idea?
>>
>> Thx
>>
>> Damien Michau
>> Paris
From morrisa at telusplanet.net Tue May 10 18:12:23 2005
From: morrisa at telusplanet.net (Andrew Morris)
Date: Tue May 10 23:05:26 2005
Subject: [syslog-ng] More fun with hostnames....
Message-ID: <4280DD67.4000209@telusplanet.net>

I've been using syslog-ng for a little while and so far I like what I see, but I'm confused over the hostname options in the config file. Yes, I've read the man pages/FAQ, but I guess I'm still not getting it.

I'm going to send each issue as a separate message so the answers can easily be tracked in the archives for others...

From morrisa at telusplanet.net Tue May 10 18:12:58 2005
From: morrisa at telusplanet.net (Andrew Morris)
Date: Tue May 10 23:05:32 2005
Subject: [syslog-ng] Minor Compile Issue
Message-ID: <4280DD8A.3060006@telusplanet.net>

Just a minor compiling issue for version 1.6.7 (actually it's been there for a while...). If I want to put the syslog-ng.conf file in a different location, I use the --sysconfdir option to configure. The problem is the configure.in file automatically adds "/syslog-ng" on to the end of whatever I put in. I have no problem with it doing this by default, but if I go through the effort of using --sysconfdir, then the configure script should do what it's told (even if that's thought to be wrong by some). Since syslog-ng only uses one conf file, I'd rather put it directly under /etc...

My fix so far is to go and comment out that line before I run configure, but that's just a quick hack.

Oh, and just before someone says otherwise, configure modifies some .h files and there's no way (that I know of anyways - please correct me if I'm wrong) to override those settings via make.
I'm not asking anyone to change the defaults, but is it possible to either:

1) Add another option to configure to handle the subdirectory? eg: --sysconfsubdir or something like this? (eg: the default would end up being $PREFIX/$SYSCONFDIR/$SYSCONFSUBDIR/syslog-ng.conf)
2) If --sysconfdir is specified, use whatever it is set to. Otherwise use $PREFIX/etc/syslog-ng

From morrisa at telusplanet.net Tue May 10 18:12:49 2005
From: morrisa at telusplanet.net (Andrew Morris)
Date: Tue May 10 23:05:38 2005
Subject: [syslog-ng] "above message repeats"
Message-ID: <4280DD81.1010300@telusplanet.net>

One of the messages I'm getting (I'm sorting messages by hostname) is the "above message repeats n times" message, but syslog-ng is logging this under the host "above". Shouldn't syslog-ng decide what the hostname is by the ip address it is connected from? eg: host A connects, syslog-ng looks up the host by its connecting ip address and uses that name resolution as the $HOST variable? (Note, in this case all hosts are in a local hosts file)

So, why would it ever write to the file "above"? Is this a bug, or am I missing something?

As per my previous messages, here's a quick rundown of the config: (used with 1.6.7)

options {
  # Don't trust the sender to supply a hostname.
  keep_hostname(no);
  # Don't track relayed messages.
  chain_hostnames(no);
  # Make sure the hostnames have valid characters.
  check_hostname(yes);
  # Since we're only tracking local hosts, don't worry about the fqdn.
  use_fqdn(no);
  # As soon as we get the log entry, write it to disk.
  sync(0);
  # Set the fifo size to 1024 lines.
  log_fifo_size(1024);
  # Increase the log_msg_size to 8192 bytes.
  log_msg_size(8192);
  # If we need a directory and it doesn't exist, create it and use
  # the permissions shown below.
  create_dirs(yes);
  perm(0644);
  dir_perm(0755);
  # Use an internal dns cache, but don't use any dns lookups.
  dns_cache(yes);
  use_dns(no);
};

source localsyslog {unix-stream("/dev/log");};
source kernellog {file("/proc/kmsg");};
source intsyslog {internal();};
source extsyslog {udp();};

destination syslog-ng {file("/logs/syslog-ng");};
destination messages {file("/var/log/messages");};
destination kernmessages {file("/var/log/kernel");};
destination hosts {
  file("/logs/hosts/$YEAR-$MONTH/$HOST"
       template("$DATE $HOST $MESSAGE\n")
       template_escape(yes)
  );
};
destination services {
  file("/logs/services/$YEAR-$MONTH/$PROGRAM"
       template("$DATE $HOST $MESSAGE\n")
       template_escape(yes)
  );
};

filter levelfilter { level(info..emerg); };

log { source(intsyslog); destination(syslog-ng); };
log { source(localsyslog); filter(levelfilter); destination(messages);};
log { source(kernellog); destination(kernmessages);};
log { source(extsyslog); source(localsyslog); destination(hosts); };
log { source(extsyslog); source(localsyslog); destination(services); };

From jbell at stelesys.com Tue May 10 21:23:36 2005
From: jbell at stelesys.com (Jerry Bell)
Date: Tue May 10 23:19:15 2005
Subject: [syslog-ng]Pix problem
In-Reply-To: <000401c55572$c1e39f40$280a3c0a@leslilas>
References: <20050510144516.43681.qmail@web41202.mail.yahoo.com> <000401c55572$c1e39f40$280a3c0a@leslilas>
Message-ID: <1890.209.134.164.17.1115753016.squirrel@209.134.164.17>

Can you verify that syslog-ng is listening on udp 514?
Jerry
http://www.syslog.org

> Thx but don't work
>
> on my pix there is
> logging facility 21
>
> and i have put on my syslog-ng
>
> source network { udp();tcp();};
> destination pixlog {file("/var/log/pix.log");};
> filter f_pix { facility(local5); };
> log {source(network);filter(f_pix);destination(pixlog);};
>
> when i listen on my network i see some packets on the network but my pix.log
> is always empty

From billn at billn.net Tue May 10 19:20:01 2005
From: billn at billn.net (Bill Nash)
Date: Tue May 10 23:25:46 2005
Subject: [syslog-ng]Pix problem
In-Reply-To: <001301c55560$6faa2490$280a3c0a@leslilas>
References: <001301c55560$6faa2490$280a3c0a@leslilas>

On Tue, 10 May 2005, Damien Michau wrote:

> Hi All !
> I have some problems logging my pix's logs into my syslog-ng server.
> I have set up a syslog-ng server to store my pix's logs. But there is
> nothing in my pix.log. I have put these lines in my syslog-ng.conf:
>
> source pix { udp(ip(10.60.10.111) port());};
> destination pix { file("/var/log/pix.log"); };
> log { source(pix);destination(pix); };

Your source declaration shouldn't be the IP of your pix, it should be the IP on your syslog server you wish your udp socket to listen on. In most cases, this should just be 0.0.0.0 or your server's actual IP.

- billn

From bazsi at balabit.hu Wed May 11 09:00:51 2005
From: bazsi at balabit.hu (Balazs Scheidler)
Date: Wed May 11 09:00:54 2005
Subject: [syslog-ng] "above message repeats"
In-Reply-To: <4280DD81.1010300@telusplanet.net>
References: <4280DD81.1010300@telusplanet.net>
Message-ID: <1115794851.3703.2.camel@bzorp.balabit>

On Tue, 2005-05-10 at 10:12 -0600, Andrew Morris wrote:
> One of the messages I'm getting (I'm sorting messages by hostname) is
> the "above message repeats n times" message, but syslog-ng is logging
> this under the host "above". Shouldn't syslog-ng decide what the
> hostname is by the ip address it is connected from? eg: host A
> connects, syslog-ng looks up the host by its connecting ip address and
> uses that name resolution as the $HOST variable? (Note, in this case
> all hosts are in a local hosts file)
>
> So, why would it ever write to the file "above"?

There is a separate macro for that, $HOST is the value as received in the original log message. Always using the sender IP's resolved value would not be good for others using log relays.

So try using $HOST_FROM or $FULLHOST_FROM

--
Bazsi

From bazsi at balabit.hu Wed May 11 09:03:29 2005
From: bazsi at balabit.hu (Balazs Scheidler)
Date: Wed May 11 09:03:35 2005
Subject: [syslog-ng] Minor Compile Issue
In-Reply-To: <4280DD8A.3060006@telusplanet.net>
References: <4280DD8A.3060006@telusplanet.net>
Message-ID: <1115795009.3703.6.camel@bzorp.balabit>

On Tue, 2005-05-10 at 10:12 -0600, Andrew Morris wrote:
> My fix so far is to go and comment out that line before I run configure,
> but that's just a quick hack.
>
> Oh, and just before someone says otherwise, configure modifies some .h
> files and there's no way (that I know of anyways - please correct me if
> I'm wrong) to override those settings via make.

Can you go into some more details? What do you want to accomplish exactly?

> I'm not asking anyone to change the defaults, but is it possible to either:
>
> 1) Add another option to configure to handle the subdirectory? eg:
> --sysconfsubdir or something like this? (eg: the default would end up
> being $PREFIX/$SYSCONFDIR/$SYSCONFSUBDIR/syslog-ng.conf)
> 2) If --sysconfdir is specified, use whatever it is set to. Otherwise
> use $PREFIX/etc/syslog-ng

Although I agree with you, I'd rather not change it for the current tree. The 2.0 tree behaves correctly in this regard (e.g. uses plain $sysconfdir)

--
Bazsi

From d.michau at ag.com Wed May 11 09:12:00 2005
From: d.michau at ag.com (Damien Michau)
Date: Wed May 11 09:12:03 2005
Subject: [syslog-ng]Pix problem
References: <20050510144516.43681.qmail@web41202.mail.yahoo.com> <000401c55572$c1e39f40$280a3c0a@leslilas> <1890.209.134.164.17.1115753016.squirrel@209.134.164.17>
Message-ID: <001601c555f8$ba029930$280a3c0a@leslilas>

I have scanned the ports of the computer but it is not open. And when the pix is sending the log it sends it on a different udp port.

----- Original Message -----
From: "Jerry Bell"
Sent: Tuesday, May 10, 2005 9:23 PM
Subject: Re: [syslog-ng]Pix problem

Can you verify that syslog-ng is listening on udp 514?

Jerry
http://www.syslog.org

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

From d.michau at ag.com Wed May 11 09:12:41 2005
From: d.michau at ag.com (Damien Michau)
Date: Wed May 11 09:12:44 2005
Subject: [syslog-ng]Pix problem
References: <001301c55560$6faa2490$280a3c0a@leslilas>
Message-ID: <001b01c555f8$d2241e80$280a3c0a@leslilas>

This is the server's actual ip.

----- Original Message -----
From: "Bill Nash"
Sent: Tuesday, May 10, 2005 7:20 PM
Subject: Re: [syslog-ng]Pix problem

> On Tue, 10 May 2005, Damien Michau wrote:
>
>> Hi All !
>> I have some problems logging my pix's logs into my syslog-ng server.
>> I have set up a syslog-ng server to store my pix's logs. But there is
>> nothing in my pix.log. I have put these lines in my syslog-ng.conf:
>>
>> source pix { udp(ip(10.60.10.111) port());};
>> destination pix { file("/var/log/pix.log"); };
>> log { source(pix);destination(pix); };
>
> Your source declaration shouldn't be the IP of your pix, it should be the
> IP on your syslog server you wish your udp socket to listen on. In most
> cases, this should just be 0.0.0.0 or your server's actual IP.
>
> - billn

From gator_ml at yahoo.de Wed May 11 13:32:16 2005
From: gator_ml at yahoo.de (Peter Daum)
Date: Wed May 11 13:34:05 2005
Subject: [syslog-ng] Reliable tcp logging

I am trying to send all important messages from a bunch of other machines to a central syslog-ng server via tcp. I chose tcp partly, because the same log server gets all kinds of less important stuff via udp from other machines, which can easily be distinguished that way, but partially also because I expected tcp to be more reliable. Unfortunately, this does not seem to be the case: When the connection has died for any reason, the client will only discover this when it is trying to send the next message to the server. Only then it starts to wait until "time_reopen" is over and establishes a new connection - the message that originally triggered this and whatever comes in between is lost.

Is there any way to get syslog-ng (v 1.6.5) to check more often whether a tcp connection to a log host still exists and re-establish it otherwise? I did not see any reference to this in the documentation, but this seems to happen every 2 hours. Setting "tcp-keep-alive(yes)" does not seem to make it any better. I also discovered that version 1.6.7 has a new option "log_fifo_size" which sounded promising but setting this to a higher value also does not seem to have any influence on this issue.

Regards,
Peter Daum

From jbell at stelesys.com Wed May 11 14:11:29 2005
From: jbell at stelesys.com (Jerry Bell)
Date: Wed May 11 14:11:34 2005
Subject: [syslog-ng]Pix problem
In-Reply-To: <001601c555f8$ba029930$280a3c0a@leslilas>
References: <20050510144516.43681.qmail@web41202.mail.yahoo.com> <000401c55572$c1e39f40$280a3c0a@leslilas> <1890.209.134.164.17.1115753016.squirrel@209.134.164.17> <001601c555f8$ba029930$280a3c0a@leslilas>
Message-ID: <3746.209.134.164.17.1115813489.squirrel@209.134.164.17>

> I have scanned the ports of the computer but it is not open.
> And when the pix is sending the log it sends it on a different udp port.

What port is the pix sending the logs out on? Also, if syslog-ng isn't listening, it won't be able to get any logs from your PIX. I'm not sure what you used to scan the open ports, but you may want to double check with a "sockstat |grep 514". If there really is nothing listening, then that is probably going to be your problem, unless there is also a problem with the PIX sending on the wrong port.

Jerry
http://www.syslog.org

From d.michau at ag.com Wed May 11 14:31:01 2005
From: d.michau at ag.com (Damien Michau)
Date: Wed May 11 14:31:13 2005
Subject: [syslog-ng]Pix problem
References: <20050510144516.43681.qmail@web41202.mail.yahoo.com> <000401c55572$c1e39f40$280a3c0a@leslilas> <1890.209.134.164.17.1115753016.squirrel@209.134.164.17> <001601c555f8$ba029930$280a3c0a@leslilas> <3746.209.134.164.17.1115813489.squirrel@209.134.164.17>
Message-ID: <000c01c55625$4aaa7170$280a3c0a@leslilas>

The pix is using different ports to send logs, 132, 141 ..
and syslog listens on 514.

Damien

----- Original Message -----
From: "Jerry Bell"
To: "Syslog-ng users' and developers' mailing list"
Sent: Wednesday, May 11, 2005 2:11 PM
Subject: Re: [syslog-ng]Pix problem

> > I have scanned the ports of the computer but it is not open.
> > And when the pix is sending the log it sends it on a different udp port.
>
> What port is the pix sending the logs out on? Also, if syslog-ng isn't
> listening, it won't be able to get any logs from your PIX. I'm not sure
> what you used to scan the open ports, but you may want to double check
> with a "sockstat |grep 514". If there really is nothing listening, then
> that is probably going to be your problem, unless there is also a problem
> with the PIX sending on the wrong port.
>
> Jerry
> http://www.syslog.org

From ratz at tac.ch Wed May 11 17:10:16 2005
From: ratz at tac.ch (Roberto Nibali)
Date: Wed May 11 17:10:27 2005
Subject: [syslog-ng] Reliable tcp logging
Message-ID: <42822058.5020406@tac.ch>

> I am trying to send all important messages from a bunch of
> other machines to a central syslog-ng server via tcp. I chose
> tcp partly, because the same log server gets all kinds of less
> important stuff via udp from other machines, which can easily
> be distinguished that way, but partially also because I expected
> tcp to be more reliable. Unfortunately, this does not seem to be
> the case: When the connection has died for any reason, the client
> will only discover this when it is trying to send the next message
> to the server. Only then it starts to wait until "time_reopen" is
> over and establishes a new connection - the message that originally
> triggered this and whatever comes in between is lost.

Related if not exactly matching to (IMHO):

https://lists.balabit.hu/pipermail/syslog-ng/2005-February/006974.html

Only the first message is lost, however.

> Is there any way to get syslog-ng (v 1.6.5) to check more often
> whether a tcp connection to a log host still exists and re-establish
> it otherwise? I did not see any reference to this in the documentation,
> but this seems to happen every 2 hours.

The problem is rather that the packet is not available anymore.

> Setting "tcp-keep-alive(yes)" does not seem to make it any better.
> I also discovered that version 1.6.7 has a new option "log_fifo_size"
> which sounded promising but setting this to a higher value also does
> not seem to have any influence on this issue.

Correct. If your problem matches the archive's email, you could start off Bazsi's last reply and find a solution to that ;).

Regards,
Roberto Nibali, ratz
--
-------------------------------------------------------------
addr://Rathausgasse 31, CH-5001 Aarau  tel://++41 62 823 9355
http://www.terreactive.com             fax://++41 62 823 9356
-------------------------------------------------------------
terreActive AG                       We secure your success
-------------------------------------------------------------

From micaho at gmail.com Wed May 11 17:53:24 2005
From: micaho at gmail.com (micah milano)
Date: Wed May 11 17:53:29 2005
Subject: [syslog-ng] klogctl: Invalid argument
Message-ID: <70fda32050511085365f3d679@mail.gmail.com>

Hello,

Whenever I stop/start/restart syslog-ng, I see the entirety of my kernel buffer spit onto the screen, as well as the following message sent to STDERR:

klogctl: Invalid argument

I cannot figure out where this comes from, I do not have a program called klogctl on my system, and I've looked through the syslog-ng sources to see if I could find anything there, and I can only find an item in the NEWS file:

ChangeLog: * utils/klogctl.c: New file to control kernel log level
NEWS: * Added klogctl program to control kernel logging level on Linux
but there is no utils/ folder at all, nor is there anything else related to klogctl. Thanks! micah From bazsi at balabit.hu Wed May 11 18:08:15 2005 From: bazsi at balabit.hu (Balazs Scheidler) Date: Wed May 11 18:08:19 2005 Subject: [syslog-ng] klogctl: Invalid argument In-Reply-To: <70fda32050511085365f3d679@mail.gmail.com> References: <70fda32050511085365f3d679@mail.gmail.com> Message-ID: <1115827695.31853.4.camel@bzorp.balabit> On Wed, 2005-05-11 at 10:53 -0500, micah milano wrote: > Hello, > > Whenever I stop/start/restart syslog-ng, I see the entirity of my > kernel buffer spit onto the screen, as well as the following message > sent to STDERR: > > klogctl: Invalid argument > > I cannot figure out where this comes from, I do not have a program > called klogctl on my system, and I've looked through the syslog-ng > sources to see if I could find anything there, and I can only find an > item in the NEWS file: > > ChangeLog: * utils/klogctl.c: New file to control kernel log level > NEWS: * Added klogctl program to control kernel logging level on Linux > > but there is no utils/ folder at all, nor is there anything else > related to klogctl. klogctl has been removed as the same functionality can be achieved by using "dmesg -n" The error message above is probably caused by some kind of packaging problem as syslog-ng itself does not touch kernel log settings. -- Bazsi From micaho at gmail.com Wed May 11 18:29:13 2005 From: micaho at gmail.com (micah milano) Date: Wed May 11 18:29:16 2005 Subject: [syslog-ng] klogctl: Invalid argument In-Reply-To: <1115827695.31853.4.camel@bzorp.balabit> References: <70fda32050511085365f3d679@mail.gmail.com> <1115827695.31853.4.camel@bzorp.balabit> Message-ID: <70fda320505110929198c6be6@mail.gmail.com> It appears you are right, the init script provided with debian is doing a dmesg -n 0, and for some reason dmesg -n 0 is spitting out that error, when it should not. 
Thanks, micah On 5/11/05, Balazs Scheidler wrote: > On Wed, 2005-05-11 at 10:53 -0500, micah milano wrote: > > Hello, > > > > Whenever I stop/start/restart syslog-ng, I see the entirity of my > > kernel buffer spit onto the screen, as well as the following message > > sent to STDERR: > > > > klogctl: Invalid argument > > > > I cannot figure out where this comes from, I do not have a program > > called klogctl on my system, and I've looked through the syslog-ng > > sources to see if I could find anything there, and I can only find an > > item in the NEWS file: > > > > ChangeLog: * utils/klogctl.c: New file to control kernel log level > > NEWS: * Added klogctl program to control kernel logging level on Linux > > > > but there is no utils/ folder at all, nor is there anything else > > related to klogctl. > > klogctl has been removed as the same functionality can be achieved by > using "dmesg -n" > > The error message above is probably caused by some kind of packaging > problem as syslog-ng itself does not touch kernel log settings. > > -- > Bazsi > > From morrisa at telusplanet.net Wed May 11 20:50:56 2005 From: morrisa at telusplanet.net (Andrew Morris) Date: Wed May 11 20:49:58 2005 Subject: [syslog-ng] Minor Compile Issue In-Reply-To: <1115795009.3703.6.camel@bzorp.balabit> References: <4280DD8A.3060006@telusplanet.net> <1115795009.3703.6.camel@bzorp.balabit> Message-ID: <42825410.1020102@telusplanet.net> Balazs Scheidler wrote: > On Tue, 2005-05-10 at 10:12 -0600, Andrew Morris wrote: > >>My fix so far is to go and comment out that line before I run configure, >>but that's just a quick hack. >> >>Oh, and just before someone says otherwise, configure modifies some .h >>files and there's no way (that I know of anyways - please correct me if >>I'm wrong) to override those settings via make. > > > Can you go into some more details? What do you want to accomplish > exactly? > In my case I just want the syslog-ng.conf file in /etc. 
The only way I could get this done is to specify a conf file on the command line or to comment out the line in the configure.in file that adds the syslog-ng directory to the sysconfdir variable. > >>I'm not asking anyone to change the defaults, but is it possible to either: >> >>1) Add another option to configure to handle the subdirectory? eg: >>--sysconfsubdir or something like this? (eg: the default would end up >>being $PREFIX/$SYSCONFDIR/$SYSCONFSUBDIR/syslog-ng.conf) >>2) If --sysconfdir is specified, use whatever it is set to. Otherwise >>use $PREFIX/etc/syslog-ng > > > Although I agree with you, I'd rather not change it for the current > tree. The 2.0 tree behaves correctly in this regard (e.g. uses plain > $sysconfdir) > Ok, I need this for strict production systems, so I opted for the 1.6 tree as it was listed as "stable" on the web page. For now, my "hack" works and doesn't cause any major issues. If it's handled in the 2.0 tree, I agree with you in not changing anything with the 1.6 tree. From morrisa at telusplanet.net Wed May 11 20:52:03 2005 From: morrisa at telusplanet.net (Andrew Morris) Date: Wed May 11 20:51:02 2005 Subject: [syslog-ng] "above message repeats" In-Reply-To: <1115794851.3703.2.camel@bzorp.balabit> References: <4280DD81.1010300@telusplanet.net> <1115794851.3703.2.camel@bzorp.balabit> Message-ID: <42825453.9070802@telusplanet.net> Balazs Scheidler wrote: > On Tue, 2005-05-10 at 10:12 -0600, Andrew Morris wrote: > >>One of the messages I'm getting (I'm sorting messages by hostname) is >>the "above message repeats n times" message, but syslog-ng is logging >>this under the host "above". Shouldn't syslog-ng decide what the >>hostname is by the ip address it is connected from? eg: host A >>connects, syslog-ng looks up the host by it's connecting ip address and >>uses that name resolution as the $HOST variable? (Note, in this case >>all hosts are in a local hosts file) >> >>So, why would it ever write to the file "above"? 
> there is a separate macro for that, $HOST is the value as received in
> the original log message. always using the sender IP's resolved value
> would not be good for others using log relays.
>
> So try using $HOST_FROM or $FULLHOST_FROM

Thanks! That's exactly what I've been looking for. You might want to add those to the 1.6 documentation...

From gator_ml at yahoo.de Wed May 11 21:39:30 2005
From: gator_ml at yahoo.de (Peter Daum)
Date: Wed May 11 21:42:20 2005
Subject: [syslog-ng] Re: Reliable tcp logging
In-Reply-To: <42822058.5020406@tac.ch>
References: <42822058.5020406@tac.ch>

Roberto Nibali wrote:

> Related if not exactly matching to (IMHO):
>
> https://lists.balabit.hu/pipermail/syslog-ng/2005-February/006974.html
>
> Only the first message is lost, however.

Well, yes, it is exactly the same issue and it is indeed only one line that gets lost (which in my case, where typically every host sends about 1 line/hour does not really make a difference).

Unfortunately, the previous discussion does not sound very promising. Obviously there is no hope to get this fixed in 1.6.x...

How far from being ready for production use is 1.9.x?

Maybe I should go back to using udp instead, which is by definition unreliable, but in this case probably would still yield a higher success rate?

Regards,
Peter Daum

From davejjohnson at gmail.com Thu May 12 01:06:43 2005
From: davejjohnson at gmail.com (Dave Johnson)
Date: Thu May 12 01:06:47 2005
Subject: [syslog-ng] Re: Reliable tcp logging
References: <42822058.5020406@tac.ch>
Message-ID: <90cdf79a050511160658eaedae@mail.gmail.com>

Assuming you already tried to find out what was causing the drop on the remote side (firewall/remote server/unknown?), and this can't be tuned, some other random ideas:

1) send udp and tcp to the central server, compare files at end of day (assuming you rotate them every day)
2) run a keepalive message sender: [make sure your sync is (0) for the connection(s)]:
   a) cronjob every couple minutes to logger a "keepalive" - Filter the message out at the central server.
   b) have syslog-ng send stats every couple minutes and send it to the central server.

On 5/11/05, Peter Daum wrote:
> Maybe I should go back to using udp instead, which is by definition
> unreliable, but in this case probably would still yield a higher
> success rate?
>
> Regards,
> Peter Daum

From ratz at drugphish.ch Thu May 12 08:35:41 2005
From: ratz at drugphish.ch (Roberto Nibali)
Date: Thu May 12 08:35:51 2005
Subject: [syslog-ng] Re: Reliable tcp logging
References: <42822058.5020406@tac.ch>
Message-ID: <4282F93D.7060804@drugphish.ch>

> Well, yes, it is exactly the same issue and it is indeed only one line
> that gets lost (which in my case, where typically every host sends about
> 1 line/hour does not really make a difference).

You mean 1 line/hour that is lost, right?

> Unfortunately, the previous discussion does not sound very promising.
> Obviously there is no hope to get this fixed in 1.6.x...

There's always hope :). But someone knowledgeable with how sockets work in various Unices and a lot of time needs to address this.

> How far from being ready for production use is 1.9.x?

I couldn't tell, the broad tester base is found to be wanting.

> Maybe I should go back to using udp instead, which is by definition
> unreliable, but in this case probably would still yield a higher
> success rate?

What is your failure rate exactly? What is your rate of log messages per second? What's the average message size per log packet? Do you have macro expansion configured? How many regexps are in your config? ...

With TCP based syslog'ing you can reliably (at least in my test conducts) send and receive about 15'000 messages per second with an average size of 128 bytes. This is already quite a lot for a production environment. I don't recall the number for UDP but if memory serves me well, it was something around 3000 messages per second.
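The loss Peter is seeing, which Bazsi later pins down as exactly one message per closed connection, is a property of TCP rather than of syslog-ng: a write to a connection the peer has already closed succeeds, the peer answers the data with an RST, and only the next write fails. The following is an added example, not code from the list or from syslog-ng, that reproduces this on the loopback interface against a stand-in log server and then shows the client-side mitigation Dave's and Bazsi's suggestions rely on in spirit: look for the peer's EOF before writing, so a graceful close (restart, HUP) is noticed before the message is sent rather than after. The server, the two sender classes and the message texts are all constructed for the demonstration.

```python
import select
import socket
import time


class NaiveSender:
    """Connect-and-write client that reconnects only after a write fails."""

    def __init__(self, host, port):
        self.addr = (host, port)
        self.sock = None

    def connect(self):
        if self.sock is not None:
            self.sock.close()
        self.sock = socket.create_connection(self.addr)

    def send(self, line):
        try:
            self.sock.sendall((line + "\n").encode())
        except OSError:
            # Only now do we learn the peer went away; whatever was written
            # between its close and this failure is gone for good.
            self.connect()
            self.sock.sendall((line + "\n").encode())

    def close(self):
        self.sock.close()


class PeerAwareSender(NaiveSender):
    """Same client, but it checks for the peer's FIN/RST before every write.
    A plain-TCP syslog server never sends anything back, so a readable
    socket can only mean EOF or an error."""

    def peer_closed(self):
        readable, _, _ = select.select([self.sock], [], [], 0)
        if not readable:
            return False
        try:
            return self.sock.recv(1, socket.MSG_PEEK) == b""
        except OSError:  # an RST has already arrived
            return True

    def send(self, line):
        if self.peer_closed():
            self.connect()
        super().send(line)


def read_lines(conn, timeout=2.0):
    """Collect newline-terminated lines from conn until EOF or timeout."""
    conn.settimeout(timeout)
    buf = b""
    try:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf.decode().split("\n")[:-1]


def run_scenario(sender_cls):
    """Drive one sender through a simulated log host restart and return the
    lines the stand-in log host actually received."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))   # ephemeral port: no root, no conflicts
    listener.listen(5)
    listener.settimeout(2.0)
    port = listener.getsockname()[1]

    sender = sender_cls("127.0.0.1", port)
    sender.connect()
    conn, _ = listener.accept()
    sender.send("msg-1")
    received = read_lines(conn, timeout=0.5)

    conn.close()          # the log host restarts: a FIN goes to the client
    time.sleep(0.2)       # let the FIN arrive
    sender.send("msg-2")  # naive: write succeeds, peer answers RST, message lost
    time.sleep(0.2)       # let the RST arrive
    sender.send("msg-3")  # naive: write fails, reconnect, resend only msg-3
    sender.close()

    try:
        conn, _ = listener.accept()
        received += read_lines(conn)
        conn.close()
    except socket.timeout:
        pass
    listener.close()
    return received


if __name__ == "__main__":
    print("naive      :", run_scenario(NaiveSender))
    print("peer-aware :", run_scenario(PeerAwareSender))
```

The naive sender delivers msg-1 and msg-3 and silently loses msg-2; the peer-aware one delivers all three. The check only catches a peer that closed its end: a host that crashed, or a firewall that silently timed out the flow, sends no FIN, which is where TCP keep-alive probes or an application-level heartbeat come in, and the heartbeat then becomes the one message that is sacrificed instead of a real one.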
HTH and best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc

From gator_ml at yahoo.de Thu May 12 10:48:12 2005
From: gator_ml at yahoo.de (Peter Daum)
Date: Thu May 12 10:49:48 2005
Subject: [syslog-ng] Re: Reliable tcp logging
In-Reply-To: <4282F93D.7060804@drugphish.ch>
References: <42822058.5020406@tac.ch> <4282F93D.7060804@drugphish.ch>

Roberto Nibali wrote:
>> Well, yes, it is exactly the same issue and it is indeed only one line
>> that gets lost (which in my case, where typically every host sends about
>> 1 line/hour does not really make a difference).
>
> You mean 1 line/hour that is lost, right?

I guess, my description was ambiguous. My problem is _not_ excessive packet loss because syslog-ng couldn't handle the volume but really just the contrary: Per host there is typically maybe one line/hour and if that line gets lost, this is a significant percentage.

I have a "classical" loghost where all kinds of machinery sends their log messages to via udp. That loghost runs syslog-ng and sorts all the messages neatly into different files. I didn't systematically investigate, but I don't have any reason to believe that much gets lost.

Because everything works so nicely (I switched to syslog-ng fairly recently and am very thrilled; my thanks to everybody who contributed to it :-), I decided to extend the central logging: There is a bunch of server machines, which maintain their own local logfiles and in general this is fine. What I am trying to do now, is collect (in addition to the "normal" logging) everything that is important enough to require immediate attention in one location at the loghost. For this, I switched completely to syslog-ng and configured all boxes to forward everything beyond a certain priority via tcp to the loghost.

Because I am still fine-tuning the setup (weeding out messages that are sent with a far-too-high priority), I occasionally have to reload the configuration (which also results in all network connections being dropped). This is where I discovered that if the loghost is restarted for any reason, it takes up to 2 hours for the clients to notice and if they try to send anything during this time it is lost. In my case this is fatal because the whole idea is to normally only watch one log file and rely on everything important showing up there.

I guess, for me currently the best option would be to switch to udp instead (maybe on a different port to keep the important stuff separate from printers telling about being out of paper), or get really daring and try 1.9.x ...

Regards and Thanks,
Peter Daum

From bazsi at balabit.hu Thu May 12 11:36:34 2005
From: bazsi at balabit.hu (Balazs Scheidler)
Date: Thu May 12 11:36:38 2005
Subject: [syslog-ng] Re: Reliable tcp logging
References: <42822058.5020406@tac.ch> <4282F93D.7060804@drugphish.ch>
Message-ID: <1115890594.3862.6.camel@bzorp.balabit>

On Thu, 2005-05-12 at 10:48 +0200, Peter Daum wrote:
> Roberto Nibali wrote:
> >> Well, yes, it is exactly the same issue and it is indeed only one line
> >> that gets lost (which in my case, where typically every host sends about
> >> 1 line/hour does not really make a difference).
> >
> > You mean 1 line/hour that is lost, right?
>
> I guess, my description was ambiguous.
> My problem is _not_ excessive packet loss because syslog-ng couldn't handle
> the volume but really just the contrary: Per host there is typically maybe
> one line/hour and if that line gets lost, this is a significant
> percentage.

Please note that a single message is dropped whenever the TCP connection is closed. syslog-ng never closes that by default, only when restarted or when reloaded when keep-alive() is no. (it is no by default for TCP sockets)

You can work around this by enabling keep-alive (then HUP is a non-issue) and maybe send periodical keep-alive messages that will trigger reconnections when the central server is indeed restarted.

> I guess, for me currently the best option would be to switch to udp
> instead (maybe on a different port to keep the important stuff separate
> from printers telling about being out of paper), or get really daring
> and try 1.9.x ...

Although some lab testing would be very welcome, I'd not suggest using it in a production environment.

By the way, is there anyone on this list using syslog-ng 1.9.x in either production or non-production environments? Feedback was very limited until now.

--
Bazsi

From krechtorik at vocollect.com Wed May 11 14:39:02 2005
From: krechtorik at vocollect.com (Rechtorik, Keith)
Date: Thu May 12 11:48:13 2005
Subject: [syslog-ng] syslog-ng not starting

I am attempting to install syslog-ng on SUSE Linux and having issues starting the service. Port 514 is not listening and I assume it is because the syslog-ng service is not starting. Does the syslog service start the syslog-ng service? If not how do I start the service?

Thanks.

Keith Rechtorik
Network Administrator

From d.michau at ag.com Thu May 12 12:59:12 2005
From: d.michau at ag.com (Damien Michau)
Date: Thu May 12 12:59:16 2005
Subject: [syslog-ng] syslog-ng not starting
Message-ID: <000a01c556e1$a1a7b480$280a3c0a@leslilas>

Look at your processes.

----- Original Message -----
From: "Rechtorik, Keith"
Sent: Wednesday, May 11, 2005 2:39 PM
Subject: [syslog-ng] syslog-ng not starting

> I am attempting to install syslog-ng on SUSE Linux and having issues
> starting the service. Port 514 is not listening and I assume it is because
> the syslog-ng service is not starting. Does the syslog service start the
> syslog-ng service? If not how do I start the service?
>
> Thanks.
> Keith Rechtorik
> Network Administrator

From gator_ml at yahoo.de Thu May 12 13:19:00 2005
From: gator_ml at yahoo.de (Peter Daum)
Date: Thu May 12 13:28:38 2005
Subject: [syslog-ng] Re: syslog-ng not starting

Rechtorik, Keith wrote:
> I am attempting to install syslog-ng on SUSE Linux and having issues
> starting the service. Port 514 is not listening and I assume it is because the
> syslog-ng service is not starting. Does the syslog service start the
> syslog-ng service? If not how do I start the service?

Suse allows syslog and syslog-ng to be installed at the same time and uses the same startup script ("/etc/init.d/syslog") and service name for both. Which one is actually used is controlled by "/etc/sysconfig/syslog" (set SYSLOG_DAEMON="syslog-ng"). If you start it by hand ("/etc/init.d/syslog start") and there is any problem, you should see an error message.

Regards,
Peter Daum

From anandshankar.email at gmail.com Thu May 12 14:26:25 2005
From: anandshankar.email at gmail.com (Anand Shankar)
Date: Thu May 12 14:26:29 2005
Subject: [syslog-ng] Subsys Dead, syslog-ng and SELinux

I recently installed syslog-ng successfully on a FC3-SELinux enabled box. Everything is fine except that:

# service syslog-ng status
syslog-ng dead but subsys locked

# ls --context /var/lock/subsys/syslog-ng
-rw------- root root root:object_r:var_lock_t syslog-ng

The root:object_r:var_lock_t should have been user_u:object_r:var_lock_t, and that is what is causing the syslog-ng daemon to die. Also, the file permissions generally are 666.

One easy way is to switch off SELinux for syslog-ng, but is there a better way?? Why are the permissions wrong??

----

Anand Shankar

From jpo at di.uminho.pt Thu May 12 15:44:40 2005
From: jpo at di.uminho.pt (José Pedro Oliveira)
Date: Thu May 12 15:44:30 2005
Subject: [syslog-ng] Subsys Dead, syslog-ng and SELinux
Message-ID: <42835DC8.6090107@di.uminho.pt>

Anand,

Which SELinux policy are you using: targeted or strict?

If you are using the targeted policy, check this message:
https://lists.balabit.hu/pipermail/syslog-ng/2005-April/007347.html

jpo

Anand Shankar wrote:
> I recently installed syslog-ng successfully on a FC3-SELinux enabled
> box. Everything is fine except that:
>
> # service syslog-ng status
>
> syslog-ng dead but subsys locked
>
> # ls --context /var/lock/subsys/syslog-ng
>
> -rw------- root root root:object_r:var_lock_t syslog-ng
>
> The root:object_r:var_lock_t should have been
> user_u:object_r:var_lock_t, and that is what is causing the syslog-ng
> daemon to die. Also, the file permissions generally are 666.
>
> One easy way is to switch off SELinux for syslog-ng, but is there a
> better way?? Why are the permissions wrong??

--
José Pedro Oliveira
* mailto: jpo@di.uminho.pt * http://gsd.di.uminho.pt/~jpo *
* gpg fingerprint = F9B6 8D87 859D 1C94 48F0 84C0 9749 9EB5 91BD 851B *

From morrisa at telusplanet.net Thu May 12 17:19:18 2005
From: morrisa at telusplanet.net (Andrew Morris)
Date: Thu May 12 17:18:15 2005
Subject: [syslog-ng] syslog-ng not starting
Message-ID: <428373F6.4000609@telusplanet.net>

In general the standard syslog service provided by the OS vendor needs to be shut down and disabled before syslog-ng may be used.
The reason is that both of these tools use the same port number and whichever tool is started first will lock down the port and not allow the other to start.

I don't work with SUSE, but I'm guessing the startup script may be found under /etc/init.d or /etc/rc.d/init.d. You may also want to take a look at http://www.syslog.org as they have a few howto/guides on replacing your syslog service with replacements.

Rechtorik, Keith wrote:
> I am attempting to install syslog-ng on SUSE Linux and having issues
> starting the service. Port 514 is not listening and I assume it because the
> syslog-ng service is not starting. Does the syslog service start the
> syslog-ng service? If not how do I start the service?
>
> Thanks.
>
> Keith Rechtorik
> Network Administrator

From zeb.fletcher at gmail.com Fri May 13 03:37:21 2005
From: zeb.fletcher at gmail.com (Zeb Fletcher)
Date: Fri May 13 03:37:23 2005
Subject: [syslog-ng] Subsys Dead, syslog-ng and SELinux
In-Reply-To:
References:
Message-ID: <428404D1.7020105@gmail.com>

Anand Shankar wrote:
> I recently installed syslog-ng successfully on a FC3-SELinux enabled
> box. Everything is fine except that:
>
> # service syslog-ng status
> syslog-ng dead but subsys locked
> # ls --context /var/lock/subsys/syslog-ng
> -rw------- root root root:object_r:var_lock_t syslog-ng
>
> The root:object_r:var_lock_t should have been
> user_u:object_r:var_lock_t, and that is what is causing syslog-ng
> daemon to die. Also, the file permissions generally are 666.
>
> One easy way is to switch off SELinux for syslog-ng, but is there a
> better way?? Why are the permissions wrong??
> ----
> Anand Shankar

Check the context of the file; the error is telling you that the file is in the root context and should be user_u. Look at the command chcon to fix this.

Zeb

From Valdis.Kletnieks at vt.edu Fri May 13 05:08:22 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@vt.edu)
Date: Fri May 13 05:08:34 2005
Subject: [syslog-ng] Subsys Dead, syslog-ng and SELinux
In-Reply-To: Your message of "Thu, 12 May 2005 20:37:21 CDT." <428404D1.7020105@gmail.com>
References: <428404D1.7020105@gmail.com>
Message-ID: <200505130308.j4D38MrP009652@turing-police.cc.vt.edu>

On Thu, 12 May 2005 20:37:21 CDT, Zeb Fletcher said:
> > -rw------- root root root:object_r:var_lock_t syslog-ng
> >
> > The root:object_r:var_lock_t should have been
> > user_u:object_r:var_lock_t, and that is what is causing syslog-ng
> > daemon to die. Also, the file permissions generally are 666.
>
> Check the context of the file; the error is telling you that the file is
> in the root context and should be user_u. Look at the command chcon to
> fix this.

If you're using the 'strict' policy from FC4, then it should be system_u:object_r:var_lock_t for /var/lock/subsys/*

The 'targeted' policy from RHEL4 doesn't seem to care if it's root: or user_u: but the file_contexts file wants to relabel it as system_u: anyhow -

    /var/lock(/.*)?                 system_u:object_r:var_lock_t

(Same for both FC4 'strict' and RHEL4 'targeted' (which is almost the same as the FC3 'targeted').

(And if you're crazy enough to be using the MLS policy, it is:

    /var/lock(/.*)?                 system_u:object_r:var_lock_t:s0
From sarfrazr at gmail.com Sat May 14 13:58:16 2005
From: sarfrazr at gmail.com (Sarfraz Rustam)
Date: Sat May 14 13:58:20 2005
Subject: [syslog-ng] help about multiple files in syslog-ng
Message-ID:

Hi;

I want some information regarding multiple files in syslog-ng. The scenario is that I have 4 devices, normally routers, and I want the information of each device, all with the same facility (local7), to go into a separate file for each, say router1, router2 .... and so on. How can I do this? I have attached a router via console and am trying to access its log, but have not succeeded.

Please guide me to the solution.

--
Sarfraz

From jbell at stelesys.com Sun May 15 19:10:45 2005
From: jbell at stelesys.com (Jerry Bell)
Date: Sun May 15 19:10:51 2005
Subject: [syslog-ng] help about multiple files in syslog-ng
In-Reply-To:
References:
Message-ID: <2642.24.98.86.57.1116177045.squirrel@24.98.86.57>

You would do something like this:

    source s_net { udp(); };
    destination files { file("/var/log/$HOST.log"); };
    log { source(s_net); destination(files); };

The value of $HOST is set to the name of the host that the log came from, so you would get your router1.log, router2.log and router3.log.

Jerry
http://www.syslog.org

> Hi;
> I want some information regarding multiple files in syslog-ng. The
> scenario is that I have 4 devices, normally routers, and I want the information
> of each device, all with the same facility (local7), to go into a separate
> file for each, say router1, router2 .... and so on.
> How can I do this? I have attached a router via console and am trying to
> access its log, but have not succeeded.
> Please guide me to the solution.
>
> --
> Sarfraz

From finattack at gmail.com Mon May 16 11:59:40 2005
From: finattack at gmail.com (Metal Gear)
Date: Mon May 16 11:59:49 2005
Subject: [syslog-ng] Program Filters
Message-ID: <110c784405051602595e349b58@mail.gmail.com>

Hi all,

I'm having too much noise in my syslog-ng logs, both in the MySQL db and in the text logs. For that I tried program filters like:

    filter f_auth { facility(auth); };
    filter f_ftp { program(ftp); };
    filter f_ssh { program(pam_unix); };
    log { source(stunnel); filter(f_syslog); filter(f_auth); filter(f_ftp); filter(f_ssh); destination(d_mysql); };

What I actually want is to log messages from the programs 'vsftp', 'wsftpd' and 'sshd'. For that I tried regexps like '*ftp*' and '*ssh*', but it's not working. Can someone refine the filters to log just the traffic having program 'ftp' or 'ssh' in it?

Thanks

From nate at campin.net Mon May 16 17:01:34 2005
From: nate at campin.net (Nate Campi)
Date: Mon May 16 17:01:43 2005
Subject: [syslog-ng] Program Filters
In-Reply-To: <110c784405051602595e349b58@mail.gmail.com>
References: <110c784405051602595e349b58@mail.gmail.com>
Message-ID: <20050516150134.GZ26013@campin.net>

On Mon, May 16, 2005 at 03:59:40PM +0600, Metal Gear wrote:
> I'm having too much noise in my syslog-ng logs, both in the MySQL db and in the text
> logs. For that I tried program filters
> like:
>
> filter f_auth { facility(auth); };
> filter f_ftp { program(ftp); };
> filter f_ssh { program(pam_unix); };
> log { source(stunnel); filter(f_syslog); filter(f_auth); filter(f_ftp);
> filter(f_ssh); destination(d_mysql); };
>
> What I actually want is to log messages from the programs 'vsftp', 'wsftpd' and
> 'sshd'. For that I tried regexps like '*ftp*' and '*ssh*', but it's not working. Can
> someone refine the filters to log just the traffic having program 'ftp' or
> 'ssh' in it?

It's an issue with the way log{} statements read. What yours says is to log the source "stunnel" if all your filters match, i.e. the message has program "ftp" and program "pam_unix" and facility "auth" and whatever your filter called "f_syslog" does. Since syslog-ng essentially ANDs them, you need to OR them yourself.

You can just do one large filter, something like:

    filter kitchensink { facility(auth) and ( program(ftp) or program(pam_unix) ); };

I think you want facility auth and one of those two programs, so this is probably what you're looking for.

Hope this helps.

--
Nate

It used to be said [...] that AIX looks like one space alien discovered Unix, and described it to another different space alien who then implemented AIX. But their universal translators were broken and they'd had to gesture a lot.

From krechtorik at vocollect.com Tue May 17 14:39:36 2005
From: krechtorik at vocollect.com (Rechtorik, Keith)
Date: Tue May 17 14:39:45 2005
Subject: [syslog-ng] Logs rotate and compress but still log to compressed file
Message-ID:

I am running SUSE 9.1 and I have syslog-ng logging information from our PIX. After a rotate is done the file is compressed and rotated but syslog-ng keeps logging to the compressed file instead of the newly created file. Any help would be greatly appreciated. Here are my configs. If you need any more information I will gladly send it.
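As an added example that is not part of the thread, the Python model below puts the two points from the "Program Filters" answer and the "$HOST" answer together: several filter() entries in one log {} statement are an AND (so the posted log path matches nothing), Nate's single filter with an explicit `or` is what the poster wanted, and the accepted messages are routed per host the way a file("/var/log/$HOST.log") destination does. Assumptions: program() is modelled as an unanchored regular-expression search (so program(ftp) also matches "vsftpd"), the undefined f_syslog filter is left out, and the sample lines are constructed.

```python
import re
from typing import Callable, Dict, List

# RFC 3164 facility numbers; PRI = facility * 8 + severity.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", 16: "local0", 17: "local1",
              18: "local2", 19: "local3", 20: "local4", 21: "local5",
              22: "local6", 23: "local7"}

# <PRI>Mmm dd hh:mm:ss host program[pid]: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

Message = Dict[str, str]
Filter = Callable[[Message], bool]


def parse(line: str) -> Message:
    """Split one BSD syslog line into the fields the filters look at."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m.group("pri"))
    return {"facility": FACILITIES.get(pri // 8, str(pri // 8)),
            "severity": str(pri % 8), "host": m.group("host"),
            "program": m.group("prog"), "message": m.group("msg")}


def facility(name: str) -> Filter:
    return lambda m: m["facility"] == name


def program(pattern: str) -> Filter:
    # Assumption: program() is an unanchored regex search, so program(ftp)
    # also matches "vsftpd"; a pattern such as "*ftp*" does not compile at all.
    rx = re.compile(pattern)
    return lambda m: rx.search(m["program"]) is not None


def all_of(*filters: Filter) -> Filter:
    """'a and b' inside one filter {}; also what several filter() entries
    in a single log {} statement amount to."""
    return lambda m: all(f(m) for f in filters)


def any_of(*filters: Filter) -> Filter:
    """'a or b' inside one filter {}: the OR you have to write yourself."""
    return lambda m: any(f(m) for f in filters)


def route(lines: List[str], accept: Filter,
          template: str = "/var/log/$HOST.log") -> Dict[str, List[str]]:
    """Return {destination file: [messages]} for the lines `accept` passes,
    expanding $HOST from the message header the way file() does."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        m = parse(line)
        if accept(m):
            dest = template.replace("$HOST", m["host"])
            out.setdefault(dest, []).append(m["message"])
    return out


# Constructed sample traffic: auth.info (<38>) from two routers plus one
# local7.info (<190>) cron line.
SAMPLE = [
    "<38>May 16 09:01:02 router1 sshd[1201]: Accepted publickey for ops from 10.0.0.5 port 51022 ssh2",
    "<38>May 16 09:01:05 router2 vsftpd[887]: FTP login failed for user anonymous",
    "<38>May 16 09:01:07 router1 pam_unix[1201]: session opened for user ops",
    "<190>May 16 09:01:09 router2 cron[412]: (root) CMD (run-parts /etc/cron.hourly)",
]

# The log {} statement as posted: every filter must match, so nothing does
# (no message has program "ftp" and program "pam_unix" at the same time).
AS_POSTED = all_of(facility("auth"), program("ftp"), program("pam_unix"))

# The single combined filter from the reply.
KITCHENSINK = all_of(facility("auth"),
                     any_of(program("ftp"), program("pam_unix")))

if __name__ == "__main__":
    print("as posted  :", route(SAMPLE, AS_POSTED))
    print("kitchensink:", route(SAMPLE, KITCHENSINK))
```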
/etc/logrotate.d/syslog

    /var/log/pix/voclog {
        rotate 4
        daily
        compress
        delaycompress
        postrotate
            # kill -HUP `cat /var/run/syslog-ng.pid`
            # /bin/kill -HUP `cat /var/run/syslog-ng.pid 2> /dev/null` 2> /dev/null || true
            /etc/init.d/syslog reload
            /etc/init.d/apache2 reload
        endscript
    }

/etc/syslog-ng/syslog-ng.conf

    source src {
        #
        # include internal syslog-ng messages
        # note: the internal() source is required!
        #
        unix-stream("/dev/log");
        internal();
        tcp();
        udp();
        #
        # the following line will be replaced by the
        # socket list generated by SuSEconfig using
        # variables from /etc/sysconfig/syslog:
        #
        #@SuSEconfig_SOCKETS@
        #
        #
        # uncomment to process log messages from network:
        #
        #udp(ip("0.0.0.0") port(514));
    };

    #
    # filter definitions
    #
    filter voclog { facility(local5); };
    filter vpnlog { facility(local7); };

    destination voclog { file("/var/log/pix/voclog"); };
    log { source(src); filter(voclog); destination(voclog); };

    destination vpnlog { file("/var/log/vpnlog"); };
    log { source(src); filter(vpnlog); destination(vpnlog); };

Keith Rechtorik
Network Administrator
Information Systems and Technology
krechtorik@vocollect.com

From Valdis.Kletnieks at vt.edu Tue May 17 18:29:27 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@vt.edu)
Date: Tue May 17 18:29:31 2005
Subject: [syslog-ng] Logs rotate and compress but still log to compressed file
In-Reply-To: Your message of "Tue, 17 May 2005 08:39:36 EDT."
References:
Message-ID: <200505171629.j4HGTR38018110@turing-police.cc.vt.edu>

On Tue, 17 May 2005 08:39:36 EDT, "Rechtorik, Keith" said:
> I am running SUSE 9.1 and I have syslog-ng logging information from our PIX.
> After a rotate is done the file is compressed and rotated but syslog-ng
> keeps logging to the compressed file instead of the newly created file. Any
> help would be greatly appreciated. Here are my configs. If you need any more
> information I will gladly send it.

> /var/log/pix/voclog {
> rotate 4
> daily
> compress
> delaycompress
> postrotate
> # kill -HUP `cat /var/run/syslog-ng.pid`
> # /bin/kill -HUP `cat /var/run/syslog-ng.pid 2> /dev/null` 2> /dev/null
> || true

Umm.. does it work if you take those '#' comment chars out? Remember, whatever is between 'postrotate' and 'endscript' gets fed to /bin/sh essentially as is. And without the kill -HUP, syslog won't close and re-open the FD, so it keeps appending to the now-compressed file....

From krechtorik at vocollect.com Tue May 17 19:11:22 2005
From: krechtorik at vocollect.com (Rechtorik, Keith)
Date: Tue May 17 19:11:33 2005
Subject: [syslog-ng] Logs rotate and compress but still log to compressed file
Message-ID:

I was testing things out at that point. Sorry for the confusion. Even when those lines are uncommented the logs still do not rotate. I guess I do not know how to kill the process. The syslog-ng pid never 'resets' itself when issuing the kill -HUP command.
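As an added example that is not from the thread, this Python script reproduces the behaviour Valdis describes: the daemon's descriptor follows the inode that logrotate renamed, so writes keep landing in voclog.1 (gzipped on the next run under delaycompress) until the file is closed and re-opened, which is what the HUP is for; fd_is_current() is the inode comparison you would otherwise do by hand with `ls -li` against `/proc/<pid>/fd`. File name and contents are constructed, and the writer is a stand-in for a file() destination, not syslog-ng's own code.

```python
import os
import tempfile
from typing import Dict, List

OPEN_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_APPEND


class FileDestination:
    """Stand-in for a syslog-ng file() destination: the file is opened once
    and the descriptor is kept; every later write goes to that descriptor,
    whatever name the file has by then."""

    def __init__(self, path: str) -> None:
        self.path = path
        self.fd = os.open(path, OPEN_FLAGS, 0o640)

    def write(self, line: str) -> None:
        os.write(self.fd, (line + "\n").encode())

    def reopen(self) -> None:
        """What a HUP makes the daemon do: close and re-open the destination,
        which creates a fresh file under the old name after logrotate's rename."""
        os.close(self.fd)
        self.fd = os.open(self.path, OPEN_FLAGS, 0o640)

    def close(self) -> None:
        os.close(self.fd)


def fd_is_current(fd: int, path: str) -> bool:
    """True if `fd` still refers to the inode now at `path`. False means the
    writer is appending to a renamed file, or the name does not exist yet."""
    try:
        pst = os.stat(path)
    except FileNotFoundError:
        return False
    fst = os.fstat(fd)
    return (fst.st_dev, fst.st_ino) == (pst.st_dev, pst.st_ino)


def logrotate_rename(path: str) -> None:
    """The rename step of logrotate. With `delaycompress` the .1 file is
    gzipped on the *next* run, which is when a stale writer's output visibly
    ends up inside a compressed file."""
    os.rename(path, path + ".1")


def read_lines(path: str) -> List[str]:
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return fh.read().splitlines()


def simulate(reopen_after_rotate: bool) -> Dict[str, object]:
    """Rotate once between two writes, with or without the HUP-style reopen,
    and report where each line ended up."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "voclog")       # constructed log file name
        dest = FileDestination(path)
        dest.write("before rotation")
        logrotate_rename(path)
        stale_after_rename = not fd_is_current(dest.fd, path)
        if reopen_after_rotate:
            dest.reopen()
        stale_at_write = not fd_is_current(dest.fd, path)
        dest.write("after rotation")
        dest.close()
        return {"stale_after_rename": stale_after_rename,
                "stale_at_write": stale_at_write,
                "current": read_lines(path),
                "rotated": read_lines(path + ".1")}


if __name__ == "__main__":
    print("postrotate commented out:", simulate(reopen_after_rotate=False))
    print("kill -HUP in postrotate :", simulate(reopen_after_rotate=True))
```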
From morrisa at telusplanet.net Tue May 17 22:13:40 2005
From: morrisa at telusplanet.net (Andrew Morris)
Date: Tue May 17 22:12:10 2005
Subject: [syslog-ng] Logs rotate and compress but still log to compressed file
In-Reply-To:
References:
Message-ID: <428A5074.60908@telusplanet.net>

I'm going to take a guess here (I've seen this before with other applications), but the HUP signal is just telling syslog-ng to reread its config file.

If the config doesn't change, syslog-ng doesn't close the file descriptors (and most likely only closes them if it needs a different file name), and thus the file stays open.

I see two options.

1) Stop and start the syslog-ng server. This could lead to possibly missed logs during the ever so short outage.

2) Use syslog-ng to rotate your logs daily for you. Then rotate the logs from previous days.

Rechtorik, Keith wrote:
> I was testing things out at that point. Sorry for the confusion. Even when
> those lines are uncommented the logs still do not rotate. I guess I do not
> know how to kill the process. The syslog-ng pid never 'resets' itself when
> issuing the kill -HUP command.
From Valdis.Kletnieks at vt.edu Tue May 17 22:24:49 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@vt.edu)
Date: Tue May 17 22:24:57 2005
Subject: [syslog-ng] Logs rotate and compress but still log to compressed file
In-Reply-To: Your message of "Tue, 17 May 2005 14:13:40 MDT." <428A5074.60908@telusplanet.net>
References: <428A5074.60908@telusplanet.net>
Message-ID: <200505172024.j4HKOoH7029331@turing-police.cc.vt.edu>

On Tue, 17 May 2005 14:13:40 MDT, Andrew Morris said:
> 2) Use syslog-ng to rotate your logs daily for you. Then rotate the
> logs from previous days.

I use:

    destination n_messages { file("/logs/$HOST/$YEAR/$MONTH/messages-$YEAR-$MONTH$DAY"); };

    find /logs -type f -mtime +30 ! -name '*.gz' -exec gzip {} \;
    find /logs -type f -mtime +180 -exec rm {} \;

Or whatever floats your boat...

From d.michau at ag.com Wed May 18 09:34:30 2005
From: d.michau at ag.com (Damien Michau)
Date: Wed May 18 09:34:37 2005
Subject: [syslog-ng] Always pixs ...
;)
References:
Message-ID: <002701c55b7c$09b29ce0$540a3c0a@leslilas>

Hi All!

I use FreeBSD and I always have some problems! Can somebody post his syslog-ng.conf?

Thx!

Damien

From bazsi at balabit.hu Wed May 18 09:59:39 2005
From: bazsi at balabit.hu (Balazs Scheidler)
Date: Wed May 18 09:59:43 2005
Subject: [syslog-ng] Logs rotate and compress but still log to compressed file
In-Reply-To: <428A5074.60908@telusplanet.net>
References: <428A5074.60908@telusplanet.net>
Message-ID: <1116403179.3839.7.camel@bzorp.balabit>

On Tue, 2005-05-17 at 14:13 -0600, Andrew Morris wrote:
> I'm going to take a guess here (I've seen this before with other
> applications), but the HUP signal is just telling syslog-ng to reread
> its config file.
>
> If the config doesn't change, syslog-ng doesn't close the file
> descriptors (and most likely only closes them if it needs a different
> file name), and thus the file stays open.

Syslog-ng _always_ reopens files if it receives a HUP signal.

--
Bazsi

From bazsi at balabit.hu Wed May 18 12:25:11 2005
From: bazsi at balabit.hu (Balazs Scheidler)
Date: Wed May 18 12:25:15 2005
Subject: [syslog-ng][PATCH] use_fqdn with gethostname() not returning fqdn
In-Reply-To: <20050508053210.GC14501@lightning.stealer.net>
References: <20050508053210.GC14501@lightning.stealer.net>
Message-ID: <1116411911.3839.85.camel@bzorp.balabit>

Hi,

Thanks for the contribution to syslog-ng and sorry for not answering for so long.

The problem I have with your patches is that I'd prefer not to rely on getaddrinfo() functions as I'm a bit afraid of portability issues. Is there any other way (with gethostbyaddr for example) to determine the network local name?

On Sun, 2005-05-08 at 07:32 +0200, Sven Wegener wrote:
> Hi all!
>
> I came across this issue while I was setting up a central syslog-ng
> server that collects logs from several hosts in different domains.
> I wanted to use the use_fqdn option to distinguish every host in my logs
> better, but all I saw was just the plain hostname. Please find attached
> two patches, one against 1.6.7 and one against 1.9.4, that add support
> for fqdns. If gethostname() returns a name without dots it tries to
> look up the fqdn of the host.

--
Bazsi

From swegener at gentoo.org Wed May 18 12:40:20 2005
From: swegener at gentoo.org (Sven Wegener)
Date: Wed May 18 12:40:24 2005
Subject: [syslog-ng][PATCH] use_fqdn with gethostname() not returning fqdn
In-Reply-To: <1116411911.3839.85.camel@bzorp.balabit>
References: <20050508053210.GC14501@lightning.stealer.net> <1116411911.3839.85.camel@bzorp.balabit>
Message-ID: <20050518104020.GI16992@lightning.stealer.net>

On Wed, May 18, 2005 at 12:25:11PM +0200, Balazs Scheidler wrote:
> Hi,
>
> Thanks for the contribution to syslog-ng and sorry for not answering for so
> long.
>
> The problem I have with your patches is that I'd prefer not to rely on
> getaddrinfo() functions as I'm a bit afraid of portability issues. Is
> there any other way (with gethostbyaddr for example) to determine the
> network local name?

Hi,

gethostbyaddr is fine too. It does the same thing as getaddrinfo. We could also use gethostname and append the result from getdomainname to it, but POSIX does not specify the *domainname functions. I'll modify the patch to use gethostbyaddr instead of getaddrinfo when I'm back at home.

Cheers,
Sven

--
Sven Wegener
Gentoo Linux Developer
http://www.gentoo.org/
From swegener at gentoo.org Wed May 18 20:20:54 2005
From: swegener at gentoo.org (Sven Wegener)
Date: Wed May 18 20:21:02 2005
Subject: [syslog-ng][PATCH] use_fqdn with gethostname() not returning fqdn
In-Reply-To: <1116411911.3839.85.camel@bzorp.balabit>
References: <20050508053210.GC14501@lightning.stealer.net> <1116411911.3839.85.camel@bzorp.balabit>
Message-ID: <20050518182053.GJ16992@lightning.stealer.net>

Skipped content of type multipart/mixed

From mgt at stellarcore.net Thu May 19 02:53:32 2005
From: mgt at stellarcore.net (Mike Tremaine)
Date: Thu May 19 02:53:46 2005
Subject: [syslog-ng] No line break every so often
Message-ID: <1116464012.6424.14.camel@dwarfstar.stellarcore.net>

I just converted a Redhat 9 machine to syslog-ng yesterday and I'm having a little problem with 2 lines running together. Here are the specs in question.

    mgt@quasar ~ [1] rpm -q syslog-ng
    syslog-ng-1.6.7-2
    mgt@quasar ~ [2] rpm -q sendmail
    sendmail-8.13.3-2.rhl9
    mgt@quasar ~ [3] rpm -q libol
    libol-0.3.16-1
    mgt@quasar ~ [4] uname -a
    Linux quasar 2.4.20-37.9.legacy #1 Mon Sep 27 19:40:23 EDT 2004 i686 i686 i386 GNU/Linux

The problem I'm seeing is every so often sendmail will log like so...
    May 18 17:45:46 quasar sendmail[30415]: j4J0jdNg030415: from=, size=2520, class=0, nrcpts=1, msgid=<2.2.32.2004051809282400312642@southtrust.com>, proto=ESMTP, daemon=MTA, relay=[220.80.216.171]<22>May 18 17:45:46 sendmail[30415]: j4J0jdNg030415: Milter add: header: Received-SPF: none (quasar.stellarcore.net: 220.80.216.171 is neither permitted nor denied by domain of southtrust.com) receiver=quasar.stellarcore.net; client-ip=220.80.216.171; helo=localhost; envelope-from=millie.zuniga_om@southtrust.com; x-software=spfmilter 0.93 http://www.acme.com/software/spfmilter/;

Notice the 22 that should be a line break between the 2 log lines. Has anyone noticed something like this?

--
Mike Tremaine
mgt@stellarcore.net
http://www.stellarcore.net

From bazsi at balabit.hu Thu May 19 08:49:09 2005
From: bazsi at balabit.hu (Balazs Scheidler)
Date: Thu May 19 08:49:16 2005
Subject: [syslog-ng][PATCH] use_fqdn with gethostname() not returning fqdn
In-Reply-To: <20050518182053.GJ16992@lightning.stealer.net>
References: <20050508053210.GC14501@lightning.stealer.net> <1116411911.3839.85.camel@bzorp.balabit> <20050518182053.GJ16992@lightning.stealer.net>
Message-ID: <1116485349.3801.4.camel@bzorp.balabit>

On Wed, 2005-05-18 at 20:20 +0200, Sven Wegener wrote:
> On Wed, May 18, 2005 at 12:25:11PM +0200, Balazs Scheidler wrote:
> > Hi,
> >
> > Thanks for the contribution to syslog-ng and sorry for not answering for so
> > long.
> >
> > The problem I have with your patches is that I'd prefer not to rely on
> > getaddrinfo() functions as I'm a bit afraid of portability issues. Is
> > there any other way (with gethostbyaddr for example) to determine the
> > network local name?
>
> Hi again!
>
> Well, actually gethostbyname is the function to go for. What I said in my
> last email is wrong, I was thinking about gethostbyname but I wrote
> gethostbyaddr. Please find attached two patches against the latest snapshot
> from the 1.6 and 1.9 series.
>
> Downside of using gethostbyname is that it uses static memory for the
> result. We're copying the result to our own buffer so this is safe, but
> from what I saw in the source the 1.6 series seems to or has the ability
> to use threads. 1.9 does not use threads itself, but eventlog does.
> Is there the chance of having two or more threads calling the hostname
> functions synchronously? I guess you can tell this better than me.

Syslog-ng does not really use threads in either 1.6 or 1.9; a thread is needed by door support on Solaris, but the function running in the separate thread does nothing but acknowledge the message (door_return). EventLog does not use threads on its own, it only allows using threads in an application using EventLog.

I've committed a slightly changed patch to both syslog-ng 1.6 and 1.9. Thanks for your contribution.

--
Bazsi

From bazsi at balabit.hu Thu May 19 08:51:57 2005
From: bazsi at balabit.hu (Balazs Scheidler)
Date: Thu May 19 08:52:00 2005
Subject: [syslog-ng] No line break every so often
In-Reply-To: <1116464012.6424.14.camel@dwarfstar.stellarcore.net>
References: <1116464012.6424.14.camel@dwarfstar.stellarcore.net>
Message-ID: <1116485517.3801.7.camel@bzorp.balabit>

On Wed, 2005-05-18 at 17:53 -0700, Mike Tremaine wrote:
> I just converted a Redhat 9 machine to syslog-ng yesterday and I'm
> having a little problem with 2 lines running together. Here are the
> specs in question.
>
> mgt@quasar ~ [1] rpm -q syslog-ng
> syslog-ng-1.6.7-2
> mgt@quasar ~ [2] rpm -q sendmail
> sendmail-8.13.3-2.rhl9
> mgt@quasar ~ [3] rpm -q libol
> libol-0.3.16-1
> mgt@quasar ~ [4] uname -a
> Linux quasar 2.4.20-37.9.legacy #1 Mon Sep 27 19:40:23 EDT 2004 i686
> i686 i386 GNU/Linux
>
> The problem I'm seeing is every so often sendmail will log like so...
>
> May 18 17:45:46 quasar sendmail[30415]: j4J0jdNg030415: from=, size=2520, class=0, nrcpts=1, msgid=<2.2.32.2004051809282400312642@southtrust.com>, proto=ESMTP, daemon=MTA, relay=[220.80.216.171]<22>May 18 17:45:46 sendmail[30415]: j4J0jdNg030415: Milter add: header: Received-SPF: none (quasar.stellarcore.net: 220.80.216.171 is neither permitted nor denied by domain of southtrust.com) receiver=quasar.stellarcore.net; client-ip=220.80.216.171; helo=localhost; envelope-from=millie.zuniga_om@southtrust.com; x-software=spfmilter 0.93 http://www.acme.com/software/spfmilter/;
>
> Notice the 22 that should be a line break between the 2 log lines. Has
> anyone noticed something like this?

There used to be problems like this, but I haven't encountered this for a time now.

What is your configuration, are you using unix-dgram or unix-stream to get local messages?

--
Bazsi

From mgt at stellarcore.net Thu May 19 17:12:56 2005
From: mgt at stellarcore.net (Mike Tremaine)
Date: Thu May 19 17:13:10 2005
Subject: [syslog-ng] No line break every so often
In-Reply-To: <1116485517.3801.7.camel@bzorp.balabit>
References: <1116464012.6424.14.camel@dwarfstar.stellarcore.net> <1116485517.3801.7.camel@bzorp.balabit>
Message-ID: <1116515576.3393.10.camel@dwarfstar.stellarcore.net>

On Wed, 2005-05-18 at 23:51, Balazs Scheidler wrote:
> On Wed, 2005-05-18 at 17:53 -0700, Mike Tremaine wrote:
> > I just converted a Redhat 9 machine to syslog-ng yesterday and I'm
> > having a little problem with 2 lines running together. Here are the
> > specs in question.
> >
> > mgt@quasar ~ [1] rpm -q syslog-ng
> > syslog-ng-1.6.7-2
> > mgt@quasar ~ [2] rpm -q sendmail
> > sendmail-8.13.3-2.rhl9
> > mgt@quasar ~ [3] rpm -q libol
> > libol-0.3.16-1
> > mgt@quasar ~ [4] uname -a
> > Linux quasar 2.4.20-37.9.legacy #1 Mon Sep 27 19:40:23 EDT 2004 i686
> > i686 i386 GNU/Linux
> >
> > The problem I'm seeing is every so often sendmail will log like so...
> >
> > May 18 17:45:46 quasar sendmail[30415]: j4J0jdNg030415: from=, size=2520, class=0, nrcpts=1, msgid=<2.2.32.2004051809282400312642@southtrust.com>, proto=ESMTP, daemon=MTA, relay=[220.80.216.171]<22>May 18 17:45:46 sendmail[30415]: j4J0jdNg030415: Milter add: header: Received-SPF: none (quasar.stellarcore.net: 220.80.216.171 is neither permitted nor denied by domain of southtrust.com) receiver=quasar.stellarcore.net; client-ip=220.80.216.171; helo=localhost; envelope-from=millie.zuniga_om@southtrust.com; x-software=spfmilter 0.93 http://www.acme.com/software/spfmilter/;
> >
> > Notice the 22 that should be a line break between the 2 log lines. Has
> > anyone noticed something like this?
>
> There used to be problems like this, but I haven't encountered this for
> a time now.
>
> What is your configuration, are you using unix-dgram or unix-stream to
> get local messages?

unix-stream ("/dev/log");

I kept the standard syslog-ng.conf file that was packaged in the rpm with very few changes. [ log_fifo_size (64000); and 1 extra destination ]

In looking through yesterday's logs I can confirm that this is only happening to sendmail logs. But like I said I just installed syslog-ng 2 days ago and was not having this issue with the standard syslog.
--
Mike Tremaine
mgt@stellarcore.net
http://www.stellarcore.net

From mgt at stellarcore.net Thu May 19 20:01:04 2005
From: mgt at stellarcore.net (Mike Tremaine)
Date: Thu May 19 20:01:18 2005
Subject: [syslog-ng] No line break every so often
In-Reply-To: <1116515576.3393.10.camel@dwarfstar.stellarcore.net>
References: <1116464012.6424.14.camel@dwarfstar.stellarcore.net> <1116485517.3801.7.camel@bzorp.balabit> <1116515576.3393.10.camel@dwarfstar.stellarcore.net>
Message-ID: <1116525664.3393.46.camel@dwarfstar.stellarcore.net>

On Thu, 2005-05-19 at 08:12, Mike Tremaine wrote:
> On Wed, 2005-05-18 at 23:51, Balazs Scheidler wrote:
> > On Wed, 2005-05-18 at 17:53 -0700, Mike Tremaine wrote:
> > > I just converted a Redhat 9 machine to syslog-ng yesterday and I'm
> > > having a little problem with 2 lines running together. Here are the
> > > specs in question.
> > >
> > > mgt@quasar ~ [1] rpm -q syslog-ng
> > > syslog-ng-1.6.7-2
> > > mgt@quasar ~ [2] rpm -q sendmail
> > > sendmail-8.13.3-2.rhl9
> > > mgt@quasar ~ [3] rpm -q libol
> > > libol-0.3.16-1
> > > mgt@quasar ~ [4] uname -a
> > > Linux quasar 2.4.20-37.9.legacy #1 Mon Sep 27 19:40:23 EDT 2004 i686
> > > i686 i386 GNU/Linux
> > >
> > > The problem I'm seeing is every so often sendmail will log like so...
> > >
> > > May 18 17:45:46 quasar sendmail[30415]: j4J0jdNg030415: from=, size=2520, class=0, nrcpts=1, msgid=<2.2.32.2004051809282400312642@southtrust.com>, proto=ESMTP, daemon=MTA, relay=[220.80.216.171]<22>May 18 17:45:46 sendmail[30415]: j4J0jdNg030415: Milter add: header: Received-SPF: none (quasar.stellarcore.net: 220.80.216.171 is neither permitted nor denied by domain of southtrust.com) receiver=quasar.stellarcore.net; client-ip=220.80.216.171; helo=localhost; envelope-from=millie.zuniga_om@southtrust.com; x-software=spfmilter 0.93 http://www.acme.com/software/spfmilter/;
> > >
> > > Notice the 22 that should be a line break between the 2 log lines. Has
> > > anyone noticed something like this?
> >
> > There used to be problems like this, but I haven't encountered this for
> > a time now.
> >
> > What is your configuration, are you using unix-dgram or unix-stream to
> > get local messages?
>
> unix-stream ("/dev/log");
>
> I kept the standard syslog-ng.conf file that was packaged in the rpm
> with very few changes. [ log_fifo_size (64000); and 1 extra destination
> ]
>
> In looking through yesterday's logs I can confirm that this is only
> happening to sendmail logs. But like I said I just installed syslog-ng 2
> days ago and was not having this issue with the standard syslog.

Just to follow up a little. I tried tweaking a few configuration options [sync, fifo, max connections] but without success. I also tried two older versions, syslog-ng-1.6.5-4 and syslog-1.6.5-2. The problem [for me at least] exists under these versions also.

Very odd, almost like sendmail is not giving a proper EOL. I looked in sources.c [do_read_line] but my C is weak and nothing jumped out at me.

I'm open to suggestions, I'm also willing to move up to 1.9 if this is not worth debugging.
Thanks for listening to me,

--
Mike Tremaine
mgt@stellarcore.net
http://www.stellarcore.net

From bazsi at balabit.hu Fri May 20 13:49:39 2005
From: bazsi at balabit.hu (Balazs Scheidler)
Date: Fri May 20 13:49:46 2005
Subject: [syslog-ng] No line break every so often
In-Reply-To: <1116525664.3393.46.camel@dwarfstar.stellarcore.net>
References: <1116464012.6424.14.camel@dwarfstar.stellarcore.net> <1116485517.3801.7.camel@bzorp.balabit> <1116515576.3393.10.camel@dwarfstar.stellarcore.net> <1116525664.3393.46.camel@dwarfstar.stellarcore.net>
Message-ID: <1116589780.10684.12.camel@bzorp.balabit>

On Thu, 2005-05-19 at 11:01 -0700, Mike Tremaine wrote:
> On Thu, 2005-05-19 at 08:12, Mike Tremaine wrote:
> > On Wed, 2005-05-18 at 23:51, Balazs Scheidler wrote:
> > > On Wed, 2005-05-18 at 17:53 -0700, Mike Tremaine wrote:
> >
> > In looking through yesterday's logs I can confirm that this is only
> > happening to sendmail logs. But like I said I just installed syslog-ng 2
> > days ago and was not having this issue with the standard syslog.
>
> Just to follow up a little. I tried tweaking a few configuration options
> [sync, fifo, max connections] but without success. I also tried two
> older versions, syslog-ng-1.6.5-4 and syslog-1.6.5-2. The problem [for me
> at least] exists under these versions also.
>
> Very odd, almost like sendmail is not giving a proper EOL. I looked in
> sources.c [do_read_line] but my C is weak and nothing jumped out at me.
>
> I'm open to suggestions, I'm also willing to move up to 1.9 if this is
> not worth debugging.
>

If your log volume is bearable, it would help if you could attach strace to the syslog-ng process with a large -s parameter while a broken message is received, e.g. something like:

    strace -s 4096 -o syslog-ng.trace -p

That would help to identify whether syslog-ng or sendmail is at fault.
Standard syslogd uses unix-dgram sockets, but if sendmail uses the
standard syslog() routines from libc it should simply work with
unix-stream() as well.

--
Bazsi

From syang at btmna.com Fri May 20 14:49:40 2005
From: syang at btmna.com (Shiming Yang)
Date: Fri May 20 14:48:41 2005
Subject: [syslog-ng] Shiming Yang/OCIO_CorpDataSecurity/Planning_Office/HQ_for_the_Americas/BTMNA is out of the office.
Message-ID:

I will be out of the office starting 05/20/2005 and will not return until 05/21/2005.

I will respond to your message when I return. If there is a problem about Proxy or IBM web hosting facility, please call my backup Will at 8380.

From infosec at gmail.com Fri May 20 20:02:56 2005
From: infosec at gmail.com (SheBang)
Date: Fri May 20 20:03:02 2005
Subject: [syslog-ng] syslog-ng not starting
In-Reply-To: <428373F6.4000609@telusplanet.net>
References: <428373F6.4000609@telusplanet.net>
Message-ID: <3a8a1f14050520110254814d78@mail.gmail.com>

I hate to state the obvious but this statement is way off:

"Port 514 is not listening and I assume it because the syslog-ng service is not starting."

syslog-ng could be running and not configured to listen on (TCP or UDP) port 514.
You need to see which syslog daemon is configured (as the other people on this thread already said), then make sure it's running, then make sure it's configured to listen on the port you want, then make sure no packet filters are blocking your traffic to it.

On 5/12/05, Andrew Morris wrote:
> In general the standard syslog service provided by the OS vendor needs
> to be shutdown and disabled before syslog-ng may be used. The reason is
> that both of these tools use the same port number and whichever tool is
> started first will lock down the port and not allow the other to start.
>
> I don't work with SUSE, but I'm guessing the startup script may be found
> under /etc/init.d or /etc/rc.d/init.d. You may also want to take a look
> at http://www.syslog.org as they have a few howto/guides on replacing
> your syslog service with replacements.
>
> Rechtorik, Keith wrote:
>
> > I am attempting to install syslog-ng on SUSE Linux and having issues
> > starting the service. Port 514 is not listening and I assume it because the
> > syslog-ng service is not starting. Does the syslog service start the
> > syslog-ng service? If not how do I start the service?
> >
> > Thanks.
> >
> > Keith Rechtorik
> > Network Administrator
> > _______________________________________________
> > syslog-ng maillist - syslog-ng@lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>

From nate at campin.net Sat May 21 07:56:10 2005
From: nate at campin.net (Nate Campi)
Date: Sat May 21 07:56:26 2005
Subject: [syslog-ng] Logs rotate and compress but still log to compressed file
In-Reply-To:
References:
Message-ID: <20050521055610.GB9477@campin.net>

On Tue, May 17, 2005 at 08:39:36AM -0400, Rechtorik, Keith wrote:
> I am running SUSE 9.1 and I have syslog-ng logging information from our PIX.
> After a rotate is done the file is compressed and rotated but syslog-ng
> keeps logging to the compressed file instead of the newly created file. Any
> help would be greatly appreciated. Here are my configs. If you need any more
> information I will gladly send it.
>
> /etc/logrotate.d/syslog
>
> /var/log/pix/voclog {
>     rotate 4
>     daily
>     compress
>     delaycompress
>     postrotate
>         # kill -HUP `cat /var/run/syslog-ng.pid`
>         # /bin/kill -HUP `cat /var/run/syslog-ng.pid 2> /dev/null` 2> /dev/null ||true
>         /etc/init.d/syslog reload
>         /etc/init.d/apache2 reload
>     endscript
> }

You need to run logrotate by hand and look for errors, like maybe
/var/run/syslog-ng.pid doesn't have the right PID for some reason (though
you should make it NOT redirect STDERR to /dev/null - ignoring error
output is rarely good) or some other shouldn't-happen-but-apparently-is-in-your-case
error.

Move onto syslog-ng once you're sure logrotate is really HUP'ing it (check
logs from syslog-ng, make sure it's logging the internal() source
somewhere).
--
Nate

"Get your facts first, and then you can distort them as much as you please." - Samuel Clemens

From mgt at stellarcore.net Fri May 20 21:14:11 2005
From: mgt at stellarcore.net (Mike Tremaine)
Date: Mon May 23 09:51:50 2005
Subject: [syslog-ng] No line break every so often
In-Reply-To: <1116589780.10684.12.camel@bzorp.balabit>
References: <1116464012.6424.14.camel@dwarfstar.stellarcore.net> <1116485517.3801.7.camel@bzorp.balabit> <1116515576.3393.10.camel@dwarfstar.stellarcore.net> <1116525664.3393.46.camel@dwarfstar.stellarcore.net> <1116589780.10684.12.camel@bzorp.balabit>
Message-ID: <1116616451.25635.23.camel@dwarfstar.stellarcore.net>

On Fri, 2005-05-20 at 04:49, Balazs Scheidler wrote:
> If your log volume is bearable, it would help if you could attach strace
> to the syslog-ng process with a large -s parameter while a broken
> message is received. e.g. something like:
>
> strace -s 4096 -o syslog-ng.trace -p
>
> That would help to identify whether syslog-ng or sendmail is at fault.
>
> Standard syslogd uses unix-dgram sockets, but if sendmail uses the
> standard syslog() routines from libc it should simply work with
> unix-stream() as well.

Luckily it is... Attached is a trimmed down trace file with a few examples
of the problem [about 200 lines, let me know if more would be useful...]

To my [uneducated] eye it looks like sendmail is the problem but like I
said sometimes it does it right, sometimes it doesn't.
Example:

read(16, "<20>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: premature EOM: unexpected close", 2048) = 93

Notice no \0 or \n

Then the next read

read(16, "<21>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: unexpected close on connection from [61.43.165.161], sender=\0<22>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: from=, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[61.43.165.161]\0", 1955) = 300

A null terminator

That leads to the output

write(22, "2005-05-20 07:48:02 quasar mail.warning sendmail[16668]: j4KEkWOv016668: collect: premature EOM: unexpected close<21>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: unexpected close on connection from [61.43.165.161], sender=\n2005-05-20 07:48:02 quasar mail.info sendmail[16668]: j4KEkWOv016668: from=, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[61.43.165.161]\n", 430) = 430

So the null was caught and turned into \n but the line before it runs
together. With some weird <21> [and more often <22>, see trace file].
--
Mike Tremaine
mgt@stellarcore.net
http://www.stellarcore.net
No such user here<22>May 20 07:50:12 sendmail[16723]: j4KEo4tn016723: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[84.73.23.126]\n", 1406) = 1406 time(NULL) = 1116600612 poll([{fd=16, events=POLLIN, revents=POLLIN|POLLHUP}, {fd=22, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 20, 100) = 1 time(NULL) = 1116600612 close(16) = 0 poll([{fd=22, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 19, 100) = 0 poll([{fd=22, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 19, 60000) = 0 time(NULL) = 1116600672 poll([{fd=22, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, 
{fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 19, 100) = 0 poll([{fd=22, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 19, 0) = 0 time(NULL) = 1116600672 poll([{fd=22, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 19, 100) = 0 poll([{fd=22, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN, revents=POLLIN}, {fd=3, events=POLLIN}], 19, 245000) = 1 accept(5, {sa_family=AF_UNIX, path=@}, [2]) = 16 fcntl64(16, F_GETFL) = 0x2 (flags O_RDWR) fcntl64(16, F_SETFL, O_RDWR|O_NONBLOCK) = 0 fcntl64(16, F_SETFD, FD_CLOEXEC) = 0 time(NULL) = 1116600764 close(22) = 0 poll([{fd=16, events=POLLIN, revents=POLLIN}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, 
events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 19, 100) = 1 read(16, "<22>May 20 07:52:44 sendmail[16726]: j4KEqWxt016726: from=, size=1042, class=0, nrcpts=1, msgid=<45b501c55dd4$9d5eadda$7c0dbf53@cin.nl>, proto=SMTP, daemon=MTA, relay=[210.77.106.9]<22>May 20 07:52:44 sendmail[16726]: j4KEqWxt016726: Milter add: header: Received-SPF: none (quasar.stellarcore.net: 210.77.106.9 is neither permitted nor denied by domain of tvt-postproduction.de) receiver=quasar.stellarcore.net; client-ip=210.77.106.9; helo=cin.nl; envelope-from=bmorse_ai@tvt-postproduction.de; x-software=spfmilter 0.93 http://www.acme.com/software/spfmilter/;\0<22>May 20 07:52:44 sendmail[16726]: j4KEqWxt016726: to=, delay=00:00:01, mailer=smtp, pri=31042, stat=queued\0", 2048) = 729 time(NULL) = 1116600764 time(NULL) = 1116600764 open("/home/centrilog/logs/rawlog_20050520-0752.logs", O_WRONLY|O_NONBLOCK|O_APPEND|O_CREAT|O_NOCTTY|O_LARGEFILE, 0640) = 22 chown32(0x8074b60, 0x20c, 0x20e) = 0 chmod("/home/centrilog/logs/rawlog_20050520-0752.logs", 0640) = 0 fcntl64(22, F_GETFL) = 0x8c01 (flags O_WRONLY|O_NONBLOCK|O_APPEND|O_LARGEFILE) fcntl64(22, F_SETFL, O_WRONLY|O_NONBLOCK|O_APPEND|O_LARGEFILE) = 0 fcntl64(22, F_SETFD, FD_CLOEXEC) = 0 time(NULL) = 1116600764 time(NULL) = 1116600764 time(NULL) = 1116600764 time(NULL) = 1116600764 time(NULL) = 1116600764 time(NULL) = 1116600764 poll([{fd=22, events=POLLOUT, revents=POLLOUT}, {fd=16, events=POLLIN}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 20, 100) = 1 write(22, "2005-05-20 07:52:44 quasar mail.info sendmail[16726]: j4KEqWxt016726: from=, size=1042, class=0, 
nrcpts=1, msgid=<45b501c55dd4$9d5eadda$7c0dbf53@cin.nl>, proto=SMTP, daemon=MTA, relay=[210.77.106.9]<22>May 20 07:52:44 sendmail[16726]: j4KEqWxt016726: Milter add: header: Received-SPF: none (quasar.stellarcore.net: 210.77.106.9 is neither permitted nor denied by domain of tvt-postproduction.de) receiver=quasar.stellarcore.net; client-ip=210.77.106.9; helo=cin.nl; envelope-from=bmorse_ai@tvt-postproduction.de; x-software=spfmilter 0.93 http://www.acme.com/software/spfmilter/;\n2005-05-20 07:52:44 quasar mail.info sendmail[16726]: j4KEqWxt016726: to=, delay=00:00:01, mailer=smtp, pri=31042, stat=queued\n", 763) = 763 time(NULL) = 1116600764 poll([{fd=22, events=0}, {fd=16, events=POLLIN}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 20, 100) = 0 poll([{fd=22, events=0}, {fd=16, events=POLLIN, revents=POLLIN|POLLHUP}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 20, 60000) = 1 read(16, "", 2048) = 0 time(NULL) = 1116600768 poll([{fd=22, events=0}, {fd=16, events=POLLIN, revents=POLLIN|POLLHUP}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, 
{fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 20, 100) = 1 time(NULL) = 1116600768 close(16) = 0 poll([{fd=22, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN, revents=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 19, 100) = 1 read(19, "<22>MailScanner[16106]: New Batch: Scanning 1 messages, 1774 bytes\n\0", 2048) = 68 time(NULL) = 1116600768 time(NULL) = 1116600973 close(16) = 0 poll([{fd=23, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 19, 100) = 0 poll([{fd=23, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN, revents=POLLIN}, {fd=3, events=POLLIN}], 19, 38000) = 1 accept(5, {sa_family=AF_UNIX, path=@}, [2]) = 16 fcntl64(16, F_GETFL) = 0x2 (flags O_RDWR) fcntl64(16, F_SETFL, O_RDWR|O_NONBLOCK) = 0 fcntl64(16, F_SETFD, FD_CLOEXEC) = 0 time(NULL) = 1116600983 poll([{fd=16, events=POLLIN, revents=POLLIN}, {fd=23, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, 
events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 20, 100) = 1 read(16, "<22>May 20 07:56:22 sendmail[16786]: j4KEuFrl016786: from=, size=4649, class=0, nrcpts=1, msgid=<851499361789.KIS78503@anyone.1010010.org>, proto=SMTP, daemon=MTA, relay=d033069.adsl.hansenet.de [80.171.33.69]<22>May 20 07:56:23 sendmail[16786]: j4KEuFrl016786: Milter add: header: Received-SPF: neutral (quasar.stellarcore.net: 80.171.33.69 is neither permitted nor denied by domain of arcitekt.com) receiver=quasar.stellarcore.net; client-ip=80.171.33.69; helo=d033069.adsl.hansenet.de; envelope-from=aliaqldfkzqmk@arcitekt.com; x-software=spfmilter 0.93 http://www.acme.com/software/spfmilter/;\0", 2048) = 626 time(NULL) = 1116600983 time(NULL) = 1116600983 open("/home/centrilog/logs/rawlog_20050520-0756.logs", O_WRONLY|O_NONBLOCK|O_APPEND|O_CREAT|O_NOCTTY|O_LARGEFILE, 0640) = 22 chown32(0x807e028, 0x20c, 0x20e) = 0 chmod("/home/centrilog/logs/rawlog_20050520-0756.logs", 0640) = 0 fcntl64(22, F_GETFL) = 0x8c01 (flags O_WRONLY|O_NONBLOCK|O_APPEND|O_LARGEFILE) fcntl64(22, F_SETFL, O_WRONLY|O_NONBLOCK|O_APPEND|O_LARGEFILE) = 0 fcntl64(22, F_SETFD, FD_CLOEXEC) = 0 time(NULL) = 1116600983 time(NULL) = 1116600983 time(NULL) = 1116600983 poll([{fd=22, events=POLLOUT, revents=POLLOUT}, {fd=16, events=POLLIN}, {fd=23, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, 
events=POLLIN}], 21, 100) = 1 write(22, "2005-05-20 07:56:22 quasar mail.info sendmail[16786]: j4KEuFrl016786: from=, size=4649, class=0, nrcpts=1, msgid=<851499361789.KIS78503@anyone.1010010.org>, proto=SMTP, daemon=MTA, relay=d033069.adsl.hansenet.de [80.171.33.69]<22>May 20 07:56:23 sendmail[16786]: j4KEuFrl016786: Milter add: header: Received-SPF: neutral (quasar.stellarcore.net: 80.171.33.69 is neither permitted nor denied by domain of arcitekt.com) receiver=quasar.stellarcore.net; client-ip=80.171.33.69; helo=d033069.adsl.hansenet.de; envelope-from=aliaqldfkzqmk@arcitekt.com; x-software=spfmilter 0.93 http://www.acme.com/software/spfmilter/;\n", 643) = 643 time(NULL) = 1116600983 poll([{fd=22, events=0}, {fd=16, events=POLLIN}, {fd=23, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 21, 100) = 0 poll([{fd=22, events=0}, {fd=16, events=POLLIN, revents=POLLIN|POLLHUP}, {fd=23, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 21, 28000) = 1 read(16, "", 2048) = 0 time(NULL) = 1116600983 poll([{fd=22, events=0}, {fd=16, events=POLLIN, revents=POLLIN|POLLHUP}, {fd=23, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, 
events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 21, 100) = 1 time(NULL) = 1116600983 close(16) = 0 poll([{fd=22, events=0}, {fd=23, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 20, 100) = 0 poll([{fd=22, events=0}, {fd=23, events=0}, {fd=20, events=POLLIN}, {fd=21, events=POLLIN, revents=POLLIN}, {fd=19, events=POLLIN}, {fd=15, events=POLLIN}, {fd=14, events=POLLIN}, {fd=7, events=POLLIN}, {fd=18, events=POLLIN}, {fd=17, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=0}, {fd=11, events=0}, {fd=8, events=POLLIN}, {fd=9, events=0}, {fd=10, events=0}, {fd=4, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 20, 28000) = 1 From bazsi at balabit.hu Mon May 23 12:59:04 2005 From: bazsi at balabit.hu (Balazs Scheidler) Date: Mon May 23 12:59:09 2005 Subject: [syslog-ng] No line break every so often In-Reply-To: <1116616451.25635.23.camel@dwarfstar.stellarcore.net> References: <1116464012.6424.14.camel@dwarfstar.stellarcore.net> <1116485517.3801.7.camel@bzorp.balabit> <1116515576.3393.10.camel@dwarfstar.stellarcore.net> <1116525664.3393.46.camel@dwarfstar.stellarcore.net> <1116589780.10684.12.camel@bzorp.balabit> <1116616451.25635.23.camel@dwarfstar.stellarcore.net> Message-ID: <1116845944.23550.11.camel@bzorp.balabit> On Fri, 2005-05-20 at 12:14 -0700, Mike Tremaine wrote: > On Fri, 2005-05-20 at 04:49, Balazs Scheidler wrote: > Luckly it is... 
> Attached is a trimmed down trace file with a few
> examples of the problem [about 200 lines, let me know if more would be
> useful...]
>
> To my [uneducated] eye it looks like sendmail is the problem but like I
> said sometimes it does it right, sometimes it doesn't.
>
> Example:
>
> read(16, "<20>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect:
> premature EOM: unexpected close", 2048) = 93
>
> Notice no \0 or \n
>
> Then the next read
>
> read(16, "<21>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect:
> unexpected close on connection from [61.43.165.161],
> sender=\0<22>May 20 07:48:02 sendmail[16668]:
> j4KEkWOv016668: from=, size=0, class=0, nrcpts=1,
> proto=SMTP, daemon=MTA, relay=[61.43.165.161]\0", 1955) = 300
>
> A null terminator
> That leads to the output
>
> write(22, "2005-05-20 07:48:02 quasar mail.warning sendmail[16668]:
> j4KEkWOv016668: collect: premature EOM: unexpected close<21>May 20
> 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: unexpected close on
> connection from [61.43.165.161],
> sender=\n2005-05-20 07:48:02 quasar mail.info
> sendmail[16668]: j4KEkWOv016668: from=, size=0,
> class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[61.43.165.161]\n",
> 430) = 430
>
> So the null was caught and turned into \n but the line before it runs
> together, with some weird <21> [and more often <22>, see trace file].

Hm. Sendmail really seems to be the culprit; it is only hidden by
sysklogd using unix-dgram() sockets, in which case the syslog daemon does
not care whether the message was NL or \0 terminated or not.

The manpage for syslogd mentions:

... "A trailing newline is added when needed."

This does not seem to be true. After judging the source it seems to be
adding the NL character only if LOG_PERROR is specified to openlog(),
which clearly isn't the case for sendmail.

I'd say this is a libc bug which you can work around by avoiding using
unix-stream and sticking to unix-dgram instead (a solution which I
myself do not like).
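The merging Bazsi diagnoses here (an unterminated message on a unix-stream() socket runs into the next one), as an added example that is not part of this post or of syslog-ng: a stream reader modelled on the "a record ends at \n or \0" rule is fed the two read() payloads quoted above (constructed here; the addresses elided in the quote are left out), and a heuristic of my own flags and splits records that carry an embedded <PRI>+timestamp, which is exactly the priority the appended message lost.

```python
"""Added example (not syslog-ng code).  Reproduces the record merging the
strace in this thread shows when a client writes an unterminated message to
a unix-stream() socket, then flags and repairs such records.
Assumptions: the reader is a simplified model of a stream reader that ends a
record at '\\n' or '\\0'; READ_1/READ_2 are constructed from the read() calls
quoted in the thread (addresses elided there are left out); the embedded
<PRI>+timestamp boundary check is my own heuristic, not syslog-ng behaviour."""
import re
from dataclasses import dataclass

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "security",
              "console", "solaris-cron", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

# <PRI> at the start of a record, as syslog(3) writes it: facility*8+severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>")
# A <PRI> immediately followed by a BSD-syslog timestamp ("<21>May 20 07:48:02 ").
# Inside a record body this is the signature of two messages run together.
BOUNDARY_RE = re.compile(rb"<\d{1,3}>(?=[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d )")


@dataclass
class Record:
    facility: str
    severity: str
    text: bytes
    merged: bool = False   # body looks like two messages (see BOUNDARY_RE)


def frame_stream(chunks):
    """Cut a byte stream into records the way a line-oriented reader does: a
    record ends at the first '\\n' or '\\0'; anything without a terminator
    stays buffered until more data arrives. Returns (records, leftover)."""
    buf, records = b"", []
    for chunk in chunks:
        buf += chunk
        while (m := re.search(rb"[\n\x00]", buf)) is not None:
            records.append(buf[:m.start()])
            buf = buf[m.end():]
    return records, buf


def decode(raw):
    """Decode the leading <PRI> into facility/severity, the way the thread's
    write() line derived 'mail.warning' from <20> (2*8 + 4)."""
    m = PRI_RE.match(raw)
    pri = int(m.group(1)) if m else 999
    if pri > 191:                      # missing or invalid PRI: user.notice
        return Record("user", "notice", raw)
    rec = Record(FACILITIES[pri >> 3], SEVERITIES[pri & 7], raw[m.end():])
    rec.merged = BOUNDARY_RE.search(rec.text) is not None
    return rec


def split_merged(raw):
    """Heuristic repair: split wherever a <PRI>+timestamp pair appears after
    byte 0, so the message that was appended gets its own priority back."""
    cuts = [m.start() for m in BOUNDARY_RE.finditer(raw, 1)]
    parts, prev = [], 0
    for cut in cuts:
        parts.append(raw[prev:cut])
        prev = cut
    parts.append(raw[prev:])
    return parts


def process(chunks, repair=False):
    """Frame, optionally repair, then decode. repair=False reproduces the
    thread's strace; repair=True gives the three messages back separately."""
    raws, leftover = frame_stream(chunks)
    if repair:
        raws = [part for raw in raws for part in split_merged(raw)]
    return [decode(r) for r in raws], leftover


# Constructed from the read() calls quoted above: READ_1 is the 93-byte message
# sendmail wrote with no terminator at all, READ_2 the next two, NUL-terminated.
READ_1 = (b"<20>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: "
          b"premature EOM: unexpected close")
READ_2 = (b"<21>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: "
          b"unexpected close on connection from [61.43.165.161], sender=\0"
          b"<22>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: from=, "
          b"size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, "
          b"relay=[61.43.165.161]\0")

if __name__ == "__main__":
    for repair in (False, True):
        recs, _ = process([READ_1, READ_2], repair=repair)
        print(f"repair={repair}: {len(recs)} record(s)")
        for r in recs:
            print(f"  {r.facility}.{r.severity}{' MERGED' if r.merged else ''}:"
                  f" {r.text[:50]!r}...")
```

Without repair the first record comes out as mail.warning with the literal "<21>..." of the second message inside its body, which is the write() Mike quoted; the merged flag is what a collector can alert on.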
--
Bazsi

From iv at zabuchy.net Mon May 23 17:15:34 2005
From: iv at zabuchy.net (iv)
Date: Mon May 23 17:15:17 2005
Subject: [syslog-ng] how to avoid logging to consoles?
Message-ID: <4291F396.8040307@zabuchy.net>

hi all
i'm trying to configure syslog-ng for logging events from the firewall.
everything works fine, except one thing: all messages appear on all my
consoles. how can i avoid that? it makes working with the console impossible;
logs appear even while editing files, and the situation doesn't change when
i comment out all "log" entries in the syslog-ng.conf file.
please, any ideas:)

my syslog-ng.conf:

options {
    use_fqdn(yes);
    use_dns(no);
    chain_hostnames(yes);
    use_time_recvd(no);
#   sync(10);

    perm(0640);
    owner("root");
    group("root");
    create_dirs(yes);
    dir_perm(0750);
    dir_owner("root");
    dir_group("root");
};

source syslog {
    unix-stream("/dev/log");
};

source kernel {
    file("/proc/kmsg");
};

source syslog-ng {
    internal();
};

destination firewall {
    file("/spool/$HOST/$YEAR/$MONTH/$DAY/firewall");
};

destination kernel {
    file("/spool/$HOST/$YEAR/$MONTH/$DAY/kernel");
};

destination invalid {
    file("/spool/unknown/$YEAR/$MONTH/$DAY/invalid");
};

destination postfix {
    file("/spool/$HOST/$YEAR/$MONTH/$DAY/postfix");
};

destination cron {
    file("/spool/$HOST/$YEAR/$MONTH/$DAY/cron");
};

destination generic {
    file("/spool/$HOST/$YEAR/$MONTH/$DAY/$PROGRAM");
};

destination syslog-ng {
    file("/spool/$HOST/$YEAR/$MONTH/$DAY/syslog-ng");
};

destination misc {
    file("/spool/$HOST/$YEAR/$MONTH/$DAY/misc");
};

## kernel
filter firewall {
    match("IN=") and match("OUT=") and match("PROTO=");
};

filter notfirewall {
    not match("IN=") and not match("OUT=") and not match("PROTO=");
};

log {
    source(kernel);
    filter(firewall);
    destination(firewall);
};

log {
    source(kernel);
    filter(notfirewall);
    destination(kernel);
};

## internal
log {
    source(syslog-ng);
    destination(syslog-ng);
};

## syslog
filter invalid {
    not host("^syslog@[a-z]+$");
};

filter postfix {
    host("^syslog@[a-z]+$")
    and program("^postfix/");
};

filter cron {
    host("^syslog@[a-z]+$")
    and program("^(/USR/SBIN/CRON|/usr/sbin/cron)$");
};

filter generic {
    host("^syslog@[a-z]+$")
    and program("^([a-z][a-z._-]*)$");
};

log {
    source(syslog);
    filter(invalid);
    destination(invalid);
};

log {
    source(syslog);
    filter(postfix);
    destination(postfix);
};

log {
    source(syslog);
    filter(cron);
    destination(cron);
};

log {
    source(syslog);
    filter(generic);
    destination(generic);
};

log {
    source(syslog);
    destination(misc);
    flags(fallback);
};

i'm running linux debian 2.6.11.8 testing

thanks in advance,
iv

From bazsi at balabit.hu Mon May 23 18:08:35 2005
From: bazsi at balabit.hu (Balazs Scheidler)
Date: Mon May 23 18:08:39 2005
Subject: [syslog-ng] how to avoid logging to consoles?
In-Reply-To: <4291F396.8040307@zabuchy.net>
References: <4291F396.8040307@zabuchy.net>
Message-ID: <1116864515.19621.7.camel@bzorp.balabit>

On Mon, 2005-05-23 at 17:15 +0200, iv wrote:
> hi all
> i'm trying to configure syslog-ng for logging events from the firewall.
> everything works fine, except one thing: all messages appear on all my
> consoles. how can i avoid that? it makes working with the console impossible;
> logs appear even while editing files, and the situation doesn't change when
> i comment out all "log" entries in the syslog-ng.conf file.
> please, any ideas:)

short answer: "dmesg -n1"

long answer: syslog-ng does not change kernel logging parameters on its
own; that is performed automatically by klogd. but you can do the same
using dmesg.

--
Bazsi

From jesse at opendreams.net Mon May 23 19:40:13 2005
From: jesse at opendreams.net (Jesse Molina)
Date: Mon May 23 19:40:18 2005
Subject: [syslog-ng] how to avoid logging to consoles?
In-Reply-To: <4291F396.8040307@zabuchy.net>
References: <4291F396.8040307@zabuchy.net>
Message-ID: <20050523174013.GA18331@shoebox>

Hi

man dmesg

Use the -n arg, which will do what you want. You will probably need to add this to a startup script.
Use update-rc.d for that, or make yourself a .deb if you must.

On Mon, May 23, 2005 at 05:15:34PM +0200, iv wrote:
> hi all
> i'm trying to configure syslog-ng for logging events from the firewall.
> everything works fine, except one thing: all messages appear on all my
> consoles. how can i avoid that? it makes working with the console impossible;
> logs appear even while editing files, and the situation doesn't change when
> i comment out all "log" entries in the syslog-ng.conf file.
> please, any ideas:)
>
> i'm running linux debian 2.6.11.8 testing
>
> thanks in advance,
> iv
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>

--
# Jesse Molina
# Mail = jesse@opendreams.net
# Page = page-jesse@opendreams.net
# Cell = 1.602.323.7608
# Web = http://www.opendreams.net/jesse/

From balajee4 at rediffmail.com Tue May 24 16:51:20 2005
From: balajee4 at rediffmail.com ( M.Balajee)
Date: Tue May 24 16:49:44 2005
Subject: [syslog-ng] Re: syslog-ng Digest, Vol 1, Issue 1253
Message-ID: <20050524145120.21985.qmail@webmail36.rediffmail.com>

Hi,

You can edit /etc/syslog-ng.conf file to avoid this. Edit this file so that you will not be seeing the messages on the console.
On Tue, 24 May 2005 syslog-ng-request@lists.balabit.hu wrote : >Send syslog-ng mailing list submissions to > syslog-ng@lists.balabit.hu > >To subscribe or unsubscribe via the World Wide Web, visit > https://lists.balabit.hu/mailman/listinfo/syslog-ng >or, via email, send a message with subject or body 'help' to > syslog-ng-request@lists.balabit.hu > >You can reach the person managing the list at > syslog-ng-owner@lists.balabit.hu > >When replying, please edit your Subject line so it is more specific >than "Re: Contents of syslog-ng digest..." > > >Today's Topics: > > 1. Re: No line break every so often (Balazs Scheidler) > 2. how to avoid logging to consoles? (iv) > 3. Re: how to avoid logging to consoles? (Balazs Scheidler) > 4. Re: how to avoid logging to consoles? (Jesse Molina) > > >---------------------------------------------------------------------- > >Message: 1 >Date: Mon, 23 May 2005 12:59:04 +0200 > From: Balazs Scheidler >Subject: Re: [syslog-ng] No line break every so often >To: Syslog-ng users' and developers' mailing list > >Message-ID: <1116845944.23550.11.camel@bzorp.balabit> >Content-Type: text/plain > >On Fri, 2005-05-20 at 12:14 -0700, Mike Tremaine wrote: > > On Fri, 2005-05-20 at 04:49, Balazs Scheidler wrote: > > > Luckly it is... Attached is a trimmed down trace file with a few > > examples of the problem [about 200lines let me know if more would be > > useful...] > > > > To my [uneducated] eye it looks like sendmail is the problem but like I > > said sometimes it does it right sometime it doesn't. 
> > > > Example: > > > > read(16, "<20>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: > > premature EOM: unexpected close", 2048) = 93 > > > > Notice no \0 or \n > > > > Then the next read > > > > read(16, "<21>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: > > unexpected close on connection from [61.43.165.161], > > sender=\0<22>May 20 07:48:02 sendmail[16668]: > > j4KEkWOv016668: from=, size=0, class=0, nrcpts=1, > > proto=SMTP, daemon=MTA, relay=[61.43.165.161]\0", 1955) = 300 > > > > > > A null terminator > > That leads to the output > > > > write(22, "2005-05-20 07:48:02 quasar mail.warning sendmail[16668]: > > j4KEkWOv016668: collect: premature EOM: unexpected close<21>May 20 > > 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: unexpected close on > > connection from [61.43.165.161], > > sender=\n2005-05-20 07:48:02 quasar mail.info > > sendmail[16668]: j4KEkWOv016668: from=, size=0, > > class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[61.43.165.161]\n", > > 430) = 430 > > . > > > > So the null was caught and turned into \n but the line before it runs > > together. With some weird <21> [and more often <22> see trace file]. > >Hm. Sendmail really seems to be the culprit, it is only hidden by >sysklogd using unix-dgram() sockets in which case the syslog daemon does >not care whether the message was NL or \0 terminated or not. > >The manpage for syslogd, mentions: > >... "A trailing newline is added when needed." > >This does not seem to be true. After judging the source it seems to be >adding the NL character only if LOG_PERROR is specified to openlog() >which clearly isn't the case for sendmail. > >I'd say this is a libc bug which you can work around by avoiding using >unix-stream and sticking to unix-dgram instead. (a solution which I >myself do not like). > >-- >Bazsi > > > >------------------------------ > >Message: 2 >Date: Mon, 23 May 2005 17:15:34 +0200 > From: iv >Subject: [syslog-ng] how to avoid logging to consoles? 
>To: syslog-ng@lists.balabit.hu >Message-ID: <4291F396.8040307@zabuchy.net> >Content-Type: text/plain; charset=ISO-8859-1; format=flowed > >hi all >i'm trying to configure syslog-ng for logging events from firewall >everything works fine, except one thing: all messages appear on all my >consoles >how can i avoid that? it makes working with the console impossible, logs >appear even while editing files >and the situation doesn't change when i comment out all "log" entries in the >syslog-ng.conf file >please, any ideas:) > >my syslog-ng.conf: > >options { > use_fqdn(yes); > use_dns(no); > chain_hostnames(yes); > use_time_recvd(no); ># sync(10); > > perm(0640); > owner("root"); > group("root"); > create_dirs(yes); > dir_perm(0750); > dir_owner("root"); > dir_group("root"); >}; > > > >source syslog { > unix-stream("/dev/log"); >}; > >source kernel { > file("/proc/kmsg"); >}; > >source syslog-ng { > internal(); >}; > > > >destination firewall { > file("/spool/$HOST/$YEAR/$MONTH/$DAY/firewall"); >}; > >destination kernel { > file("/spool/$HOST/$YEAR/$MONTH/$DAY/kernel"); >}; > >destination invalid { > file("/spool/unknown/$YEAR/$MONTH/$DAY/invalid"); >}; > >destination postfix { > file("/spool/$HOST/$YEAR/$MONTH/$DAY/postfix"); >}; > >destination cron { > file("/spool/$HOST/$YEAR/$MONTH/$DAY/cron"); >}; > >destination generic { > file("/spool/$HOST/$YEAR/$MONTH/$DAY/$PROGRAM"); >}; > >destination syslog-ng { > file("/spool/$HOST/$YEAR/$MONTH/$DAY/syslog-ng"); >}; > >destination misc { > file("/spool/$HOST/$YEAR/$MONTH/$DAY/misc"); >}; > > >## kernel >filter firewall { > match("IN=") and match("OUT=") and match("PROTO="); >}; > >filter notfirewall { > not match("IN=") and not match("OUT=") and not match("PROTO="); >}; > >log { > source(kernel); > filter(firewall); > destination(firewall); >}; > >log { > source(kernel); > filter(notfirewall); > destination(kernel); >}; > > >## internal >log { > source(syslog-ng); > destination(syslog-ng); >}; > > >## syslog >filter invalid { > 
not host("^syslog@[a-z]+$"); >}; > >filter postfix { > host("^syslog@[a-z]+$") > and program("^postfix/"); >}; > >filter cron { > host("^syslog@[a-z]+$") > and program("^(/USR/SBIN/CRON|/usr/sbin/cron)$"); >}; > >filter generic { > host("^syslog@[a-z]+$") > and program("^([a-z][a-z._-]*)$"); >}; > >log { > source(syslog); > filter(invalid); > destination(invalid); >}; > >log { > source(syslog); > filter(postfix); > destination(postfix); >}; > >log { > source(syslog); > filter(cron); > destination(cron); >}; > >log { > source(syslog); > filter(generic); > destination(generic); >}; > >log { > source(syslog); > destination(misc); > flags(fallback); >}; > >i'm running linux debian 2.6.11.8 testing > >thanks in advance, >iv > > >------------------------------ > >Message: 3 >Date: Mon, 23 May 2005 18:08:35 +0200 > From: Balazs Scheidler >Subject: Re: [syslog-ng] how to avoid logging to consoles? >To: Syslog-ng users' and developers' mailing list > >Message-ID: <1116864515.19621.7.camel@bzorp.balabit> >Content-Type: text/plain > >On Mon, 2005-05-23 at 17:15 +0200, iv wrote: > > hi all > > i'm trying to configure syslog-ng for logging events from firewall > > everything works fine, except one thing: all messages appear on all my > > consoles > > how can i avoid that? it makes working with the console impossible, logs > > appear even while editing files > > and the situation doesn't change when i comment out all "log" entries in the > > syslog-ng.conf file > > please, any ideas:) > >short answer: "dmesg -n1" > >long answer: syslog-ng does not change kernel logging parameters on its >own, which is performed automatically by klogd. but you can do the same >using dmesg. > >-- >Bazsi > > > >------------------------------ > >Message: 4 >Date: Mon, 23 May 2005 10:40:13 -0700 > From: Jesse Molina >Subject: Re: [syslog-ng] how to avoid logging to consoles? 
>To: Syslog-ng users' and developers' mailing list > >Message-ID: <20050523174013.GA18331@shoebox> >Content-Type: text/plain; charset=us-ascii > > >Hi > >man dmesg > >Use the -n arg, which will do what you want. > >You will probably need to add this to a startup script. Use update-rc.d >for that, or make yourself a .deb if you must. > > > >On Mon, May 23, 2005 at 05:15:34PM +0200, iv wrote: > > hi all > > i'm trying to configure syslog-ng for logging events from firewall > > everything works fine, except one thing: all messages appear on all my > > consoles > > how can i avoid that? it makes working with the console impossible, logs > > appear even while editing files > > and the situation doesn't change when i comment out all "log" entries in the > > syslog-ng.conf file > > please, any ideas:) > > > > my syslog-ng.conf: > > > > options { > > use_fqdn(yes); > > use_dns(no); > > chain_hostnames(yes); > > use_time_recvd(no); > > # sync(10); > > > > perm(0640); > > owner("root"); > > group("root"); > > create_dirs(yes); > > dir_perm(0750); > > dir_owner("root"); > > dir_group("root"); > > }; > > > > > > > > source syslog { > > unix-stream("/dev/log"); > > }; > > > > source kernel { > > file("/proc/kmsg"); > > }; > > > > source syslog-ng { > > internal(); > > }; > > > > > > > > destination firewall { > > file("/spool/$HOST/$YEAR/$MONTH/$DAY/firewall"); > > }; > > > > destination kernel { > > file("/spool/$HOST/$YEAR/$MONTH/$DAY/kernel"); > > }; > > > > destination invalid { > > file("/spool/unknown/$YEAR/$MONTH/$DAY/invalid"); > > }; > > > > destination postfix { > > file("/spool/$HOST/$YEAR/$MONTH/$DAY/postfix"); > > }; > > > > destination cron { > > file("/spool/$HOST/$YEAR/$MONTH/$DAY/cron"); > > }; > > > > destination generic { > > file("/spool/$HOST/$YEAR/$MONTH/$DAY/$PROGRAM"); > > }; > > > > destination syslog-ng { > > file("/spool/$HOST/$YEAR/$MONTH/$DAY/syslog-ng"); > > }; > > > > destination misc { > > file("/spool/$HOST/$YEAR/$MONTH/$DAY/misc"); > > }; > > > > > 
> ## kernel > > filter firewall { > > match("IN=") and match("OUT=") and match("PROTO="); > > }; > > > > filter notfirewall { > > not match("IN=") and not match("OUT=") and not match("PROTO="); > > }; > > > > log { > > source(kernel); > > filter(firewall); > > destination(firewall); > > }; > > > > log { > > source(kernel); > > filter(notfirewall); > > destination(kernel); > > }; > > > > > > ## internal > > log { > > source(syslog-ng); > > destination(syslog-ng); > > }; > > > > > > ## syslog > > filter invalid { > > not host("^syslog@[a-z]+$"); > > }; > > > > filter postfix { > > host("^syslog@[a-z]+$") > > and program("^postfix/"); > > }; > > > > filter cron { > > host("^syslog@[a-z]+$") > > and program("^(/USR/SBIN/CRON|/usr/sbin/cron)$"); > > }; > > > > filter generic { > > host("^syslog@[a-z]+$") > > and program("^([a-z][a-z._-]*)$"); > > }; > > > > log { > > source(syslog); > > filter(invalid); > > destination(invalid); > > }; > > > > log { > > source(syslog); > > filter(postfix); > > destination(postfix); > > }; > > > > log { > > source(syslog); > > filter(cron); > > destination(cron); > > }; > > > > log { > > source(syslog); > > filter(generic); > > destination(generic); > > }; > > > > log { > > source(syslog); > > destination(misc); > > flags(fallback); > > }; > > > > i'm running linux debian 2.6.11.8 testing > > > > thanks in advance, > > iv > > _______________________________________________ > > syslog-ng maillist - syslog-ng@lists.balabit.hu > > https://lists.balabit.hu/mailman/listinfo/syslog-ng > > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html > > > >-- ># Jesse Molina ># Mail = jesse@opendreams.net ># Page = page-jesse@opendreams.net ># Cell = 1.602.323.7608 ># Web = http://www.opendreams.net/jesse/ > > > > >------------------------------ > >_______________________________________________ >syslog-ng maillist - syslog-ng@lists.balabit.hu >https://lists.balabit.hu/mailman/listinfo/syslog-ng > > >End of syslog-ng Digest, Vol 1, 
Issue 1253 >****************************************** Muggalla Balajee, -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.test.balabit.hu/pipermail/syslog-ng/attachments/20050524/5df9dd08/attachment-0001.html From Mark.Hokhold at mail.house.gov Tue May 24 17:10:13 2005 From: Mark.Hokhold at mail.house.gov (Hokhold, Mark) Date: Tue May 24 17:10:24 2005 Subject: [syslog-ng] Syslog-ng 1.9.4 configure question Message-ID: Syslog-ng Users, I'm currently trying to configure syslog-ng 1.9.4 on my Sunblade 100 (Solaris 9) as a test. I've loaded and installed Stunnel-4.10 and openssl-0.9.7g so far, but when I configure syslog-ng, I get the following: # ./configure ..... ... checking GLIB CFLAGS... -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include checking GLIB_LIBS... -lglib-2.0 checking for eventlog... Package eventlog was not found in the pkg-config search path Perhaps you should add the directory containing `eventlog.pc` To the PKG_CONFIG_PATH environment variable No package 'eventlog' found Configure: error: Library requirements (eventlog) not met;....... I checked my system and eventlog.pc doesn't exist on my system, so therefore I don't have this package installed. Where can I find them? Thanks in advance, Mark -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.test.balabit.hu/pipermail/syslog-ng/attachments/20050524/3a473ad0/attachment.htm From jbell at stelesys.com Tue May 24 17:34:58 2005 From: jbell at stelesys.com (Jerry Bell) Date: Tue May 24 17:35:05 2005 Subject: [syslog-ng] Syslog-ng 1.9.4 configure question In-Reply-To: References: Message-ID: <4814.209.134.164.17.1116948898.squirrel@209.134.164.17> eventlog is a separate distribution that you need to compile and install. 
You can find it here: http://www.balabit.com/downloads/syslog-ng/1.9/src/ alongside the source for syslog-ng 1.9 > I checked my system and eventlog.pc doesn't exist on my > system, > so therefore I don't have this package installed. > Jerry http://www.syslog.org From Mark.Hokhold at mail.house.gov Tue May 24 18:52:51 2005 From: Mark.Hokhold at mail.house.gov (Hokhold, Mark) Date: Tue May 24 18:53:02 2005 Subject: [syslog-ng] Syslog-ng 1.9.4 configure question Message-ID: Thanks Jerry, I'll give it a shot. Just another newbie. -----Original Message----- From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Jerry Bell Sent: Tuesday, May 24, 2005 11:35 AM To: Syslog-ng users' and developers' mailing list Cc: 'syslog-ng@lists.balabit.hu' Subject: Re: [syslog-ng] Syslog-ng 1.9.4 configure question eventlog is a separate distribution that you need to compile and install. You can find it here: http://www.balabit.com/downloads/syslog-ng/1.9/src/ alongside the source for syslog-ng 1.9 > I checked my system and eventlog.pc doesn't exist on my > system, > so therefore I don't have this package installed. > Jerry http://www.syslog.org From launch.all.zig at gmail.com Tue May 24 21:55:34 2005 From: launch.all.zig at gmail.com (Tristan Natsirt) Date: Tue May 24 21:55:38 2005 Subject: [syslog-ng] Error while making on Mac OS X Tiger Message-ID: <7129ac0105052412555aeb725e@mail.gmail.com> I've got libol 0.3.16, glib 2.0.7, and i'm trying to configure and make syslog-ng-1.6.7 and I receive the following errors: ./configure make [...] 
gcc -g -O2 -Wall -I/usr/local/include/libol -D_GNU_SOURCE -o syslog-ng main.o sources.o center.o filters.o destinations.o log.o cfgfile.o cfg-grammar.o cfg-lex.o affile.o afsocket.o afunix.o afinet.o afinter.o afuser.o afstreams.o afprogram.o afremctrl.o nscache.o utils.o syslog-names.o macros.o -lresolv /usr/local/lib/libol.a -Wl,-Bstatic -lfl -lwrap -Wl,-Bdynamic ld: unknown flag: -Bstatic make[3]: *** [syslog-ng] Error 1 make[2]: *** [all-recursive] Error 1 make[1]: *** [all] Error 2 make: *** [all-recursive] Error 1 any help at all would be much obliged. Thanks, Adam. From Mark.Hokhold at mail.house.gov Tue May 24 22:51:43 2005 From: Mark.Hokhold at mail.house.gov (Hokhold, Mark) Date: Tue May 24 22:51:54 2005 Subject: [syslog-ng] Syslog-ng 1.9.4 configure/compile question Message-ID: Syslog-ng Users, I'm currently trying to configure syslog-ng 1.9.4 on my Sunblade 100 (Solaris 9) as a test. I've loaded and compiled the following software: Stunnel-4.10 openssl-0.9.7g eventlog-0.1.2 All three packages compiled cleanly. The "eventlog" compiled successfully, but no eventlog.pc was produced when completed and I still receive the following output compiling syslog-ng: # ./configure ..... ... checking GLIB CFLAGS... -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include checking GLIB_LIBS... -lglib-2.0 checking for eventlog... Package eventlog was not found in the pkg-config search path Perhaps you should add the directory containing `eventlog.pc` To the PKG_CONFIG_PATH environment variable No package 'eventlog' found Configure: error: Library requirements (eventlog) not met;....... ########################################################################### MORE INFO: I've been loading all packages under /usr/local, so by default everything will get placed within the /usr/local directory tree. I've tried NOT setting up the PKG_CONFIG and PKG_CONFIG_PATH variables -using the default. And I've also tried setting different values, all with the same results. 
Mark From bostjan.golob at gmail.com Tue May 24 23:05:24 2005 From: bostjan.golob at gmail.com (Bostjan Golob) Date: Tue May 24 23:05:28 2005 Subject: [syslog-ng] syslog-ng 1.6.x on OpenBSD on sparc64 Message-ID: It appears that syslog-ng has an issue on OpenBSD/sparc64, as it does not determine the hostname of the remote system, making all messages appear to be from the syslog-ng server. The bug appears to be well hidden in sources.c. In line 98, the call to do_recv (as seen in gdb backtrace) is made, which requires a socklen_t* parameter. The catch is in line 88, where salen is declared as size_t and then cast to socklen_t; on sparc64, size_t is 64bit and socklen_t is 32bit and that causes the salen variable to always contain 0, causing the known bug. If you change line 88 to socklen_t salen = sizeof(sabuf), the host name of the sending host is determined correctly and written in the logfiles. That also explains why syslog-ng works correctly on OpenBSD/i386, but not on sparc64. Bostjan Golob IT department, Gimnazija Bezigrad, Ljubljana, SI From Charles_Smith at raytheon.com Tue May 24 23:07:54 2005 From: Charles_Smith at raytheon.com (Charles D Smith) Date: Tue May 24 23:09:28 2005 Subject: [syslog-ng] syslog-ng on Trusted Solaris Message-ID: I have been running syslog-ng on Solaris for the past few months. I would also like to try to run it on Trusted Solaris. Has any consideration been given to supporting syslog-ng on Trusted Solaris? Also if anyone has experimented with syslog-ng on Trusted Solaris, I would be interested in hearing about your experience. Thanks, Charles
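The strace excerpt in the digest earlier on this page shows the framing problem Bazsi describes: sendmail wrote one record to the unix-stream /dev/log with neither a newline nor a NUL after it, and syslog-ng glued it to the next record. The script below is an added example for that thread; it is not code from syslog-ng or from any message on this page. The byte stream is constructed after that trace (the scrubbed sender address is written as from=<>), and the "<PRI>" resync heuristic is the example's own idea, not a description of what syslog-ng does. It shows the two ways a stream reader can handle an unterminated record and why the second one is a log-injection risk.

```python
"""Framing of syslog(3) records read from a stream socket.

Added example; not syslog-ng code.  STREAM is constructed after the
strace output in the "No line break every so often" thread: the first
record carries no terminator at all, the next two end in NUL.
"""
import re

PRI_RE = re.compile(rb"<(\d{1,3})>")

# Constructed sample modelled on the strace excerpt in the thread.
STREAM = (
    b"<20>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: "
    b"premature EOM: unexpected close"                      # no \n, no \0
    b"<21>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: "
    b"unexpected close on connection from [61.43.165.161], sender=\x00"
    b"<22>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: from=<>, size=0, "
    b"class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[61.43.165.161]\x00"
)

# Constructed: one record whose body carries a fake "<PRI>" header.
INJECTED = (
    b"<13>May 20 08:00:00 webapp[99]: user input was: "
    b"<22>May 20 08:00:00 sshd[1]: Accepted password for root\n"
)


def split_records(buf, resync_on_pri=False):
    """Split bytes read from a unix-stream socket into syslog records.

    A record ends at '\\n' or '\\0'; libc clients emit both.  With
    resync_on_pri=True a '<PRI>' sequence inside a record also starts a
    new record.  That recovers an unterminated record such as sendmail's,
    but it is a guess: '<PRI>' is plain text that any sender can put in
    a message body.  Returns (records, unconsumed_tail).
    """
    records = []
    start = 0
    i = 0
    while i < len(buf):
        byte = buf[i]
        if byte in (0x0A, 0x00):
            if i > start:                       # skip empty records
                records.append(buf[start:i])
            start = i + 1
        elif (resync_on_pri and i > start and byte == 0x3C
              and PRI_RE.match(buf, i) is not None):
            records.append(buf[start:i])
            start = i
        i += 1
    return records, buf[start:]


def decode_pri(record):
    """Return (facility, severity) from a record's leading '<PRI>'."""
    m = PRI_RE.match(record)
    if m is None:
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7


if __name__ == "__main__":
    for resync in (False, True):
        recs, _ = split_records(STREAM, resync_on_pri=resync)
        print("resync_on_pri=%s: %d records" % (resync, len(recs)))
        for r in recs:
            print("   ", decode_pri(r), r[:60])
    forged, _ = split_records(INJECTED, resync_on_pri=True)
    print("resync splits the forged line into %d records" % len(forged))
```

Without resync the first two sendmail records come out as one, which is exactly the run-together line in the trace; with resync they are separated, but INJECTED is then also split, and the second half looks like an sshd record that sshd never wrote. A datagram socket sidesteps both problems: record boundaries come from the kernel, not from bytes the sender controls, which is the reason unix-dgram is the safer workaround even though Bazsi does not like it.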
From OpenMacNews at speakeasy.net Tue May 24 23:13:38 2005 From: OpenMacNews at speakeasy.net (OpenMacNews) Date: Tue May 24 23:14:00 2005 Subject: [syslog-ng] Error while making on Mac OS X Tiger In-Reply-To: <7129ac0105052412555aeb725e@mail.gmail.com> References: <7129ac0105052412555aeb725e@mail.gmail.com> Message-ID: <3E59BCA950D33EB5E485D01C@tiedgar> hi tristan, i'm building on OSX 10.4.1 ... > gcc -g -O2 -Wall -I/usr/local/include/libol -D_GNU_SOURCE -o > syslog-ng main.o sources.o center.o filters.o destinations.o log.o > cfgfile.o cfg-grammar.o cfg-lex.o affile.o afsocket.o afunix.o > afinet.o afinter.o afuser.o afstreams.o afprogram.o afremctrl.o > nscache.o utils.o syslog-names.o macros.o -lresolv > /usr/local/lib/libol.a -Wl,-Bstatic -lfl -lwrap -Wl,-Bdynamic > ld: unknown flag: -Bstatic > make[3]: *** [syslog-ng] Error 1 > make[2]: *** [all-recursive] Error 1 > make[1]: *** [all] Error 2 > make: *** [all-recursive] Error 1 > you'll need to make a couple of changes to configure.in (see below) ... 
for completeness, i'm including my start-to-finish notes: LIBOL setenv LIBOL_LOC "http://www.balabit.com/downloads/syslog-ng/1.6/src-snapshot" setenv LIBOL_VER "libol-0.3.16+20050524" wget $LIBOL_LOC/$LIBOL_VER.tar.gz gnutar zxvf $LIBOL_VER.tar.gz unsetenv CFLAGS CPPFLAGS CXX CXXFLAGS LDFLAGS LDDLFLAGS LD_PREBIND EXTRA_LDFLAGS EXTRA_LIBS LC_ALL LANG LINGUAS cd /usr/ports/$LIBOL_VER glibtoolize --force --copy aclocal automake --foreign --add-missing autoheader autoconf ./configure \ --prefix=/usr/local \ --enable-shared \ --enable-static make make install unsetenv LIBOL_LOC LIBOL_VER SYSLOG-NG setenv SYSLOGNG_LOC "http://www.balabit.com/downloads/syslog-ng/1.6/src-snapshot" setenv SYSLOGNG_VER "syslog-ng-1.6.7+20050524" cd /usr/ports wget $SYSLOGNG_LOC/$SYSLOGNG_VER.tar.gz gnutar zxvf $SYSLOGNG_VER.tar.gz cd /usr/ports/$SYSLOGNG_VER NOTE: i'm building against an external BIND9 install ... unsetenv CFLAGS CPPFLAGS CXX CXXFLAGS LDFLAGS LDDLFLAGS LD_PREBIND EXTRA_LDFLAGS EXTRA_LIBS LC_ALL LANG LINGUAS setenv LDFLAGS "-bind_at_load -L/usr/local/bind9/lib -llwres -lbind9" setenv CPPFLAGS "-I/usr/local/bind9/include" ================================================================ (EDITOR) /usr/ports/$SYSLOGNG_VER/configure.in @164 --- AC_CHECK_LIB(resolv, res_init) +++ dnl AC_CHECK_LIB(resolv, res_init) dnl on Linux res_init is a macro --- AC_CHECK_LIB(resolv, __res_init) +++ dnl AC_CHECK_LIB(resolv, __res_init) @301 else --- LD_START_STATIC="" --- LD_END_STATIC="" +++ LD_START_STATIC="-Wl,-dynamic" +++ LD_END_STATIC="-Wl,-dynamic" AC_MSG_RESULT([no clues, linking everything dynamically, please send appropriate ld arguments to syslog-ng@lists.balabit.hu]) fi ================================================================ glibtoolize --force --copy aclocal autoconf ./configure \ --prefix=/usr/local/syslog-ng \ --sysconfdir=/usr/local/etc/syslog-ng \ --enable-debug \ --enable-full-static=no \ --enable-tcp-wrapper make make install % ls -al 
/usr/local/syslog-ng/sbin/syslog-ng -rwxr-xr-x 1 root staff 466124 May 24 14:04 sbin/syslog-ng % otool -L /usr/local/syslog-ng/sbin/syslog-ng sbin/syslog-ng: /usr/local/bind9/lib/liblwres.1.dylib (compatibility version 4.0.0, current version 4.2.0) /usr/local/bind9/lib/libbind9.0.dylib (compatibility version 1.0.0, current version 1.5.0) /usr/lib/libmx.A.dylib (compatibility version 1.0.0, current version 92.0.0) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 88.0.0) hth! cheers, richard From bazsi at balabit.hu Wed May 25 10:25:07 2005 From: bazsi at balabit.hu (Balazs Scheidler) Date: Wed May 25 10:25:16 2005 Subject: [syslog-ng] Error while making on Mac OS X Tiger In-Reply-To: <3E59BCA950D33EB5E485D01C@tiedgar> References: <7129ac0105052412555aeb725e@mail.gmail.com> <3E59BCA950D33EB5E485D01C@tiedgar> Message-ID: <1117009507.3689.0.camel@bzorp.balabit> On Tue, 2005-05-24 at 14:13 -0700, OpenMacNews wrote: > hi tristan, > > i'm building on OSX 10.4.1 ... > > > gcc -g -O2 -Wall -I/usr/local/include/libol -D_GNU_SOURCE -o > > syslog-ng main.o sources.o center.o filters.o destinations.o log.o > > cfgfile.o cfg-grammar.o cfg-lex.o affile.o afsocket.o afunix.o > > afinet.o afinter.o afuser.o afstreams.o afprogram.o afremctrl.o > > nscache.o utils.o syslog-names.o macros.o -lresolv > > /usr/local/lib/libol.a -Wl,-Bstatic -lfl -lwrap -Wl,-Bdynamic > > ld: unknown flag: -Bstatic > > make[3]: *** [syslog-ng] Error 1 > > make[2]: *** [all-recursive] Error 1 > > make[1]: *** [all] Error 2 > > make: *** [all-recursive] Error 1 > > you'll need to make a couple of changes to configure.in (see below) ... for > completeness, i'm including my start-to-finish notes: I'd be willing to include MacOS specific changes to the configure script if someone would send me a patch to make syslog-ng compile there out-of-the box. 
-- Bazsi From bazsi at balabit.hu Wed May 25 10:29:42 2005 From: bazsi at balabit.hu (Balazs Scheidler) Date: Wed May 25 10:29:45 2005 Subject: [syslog-ng] syslog-ng 1.6.x on OpenBSD on sparc64 In-Reply-To: References: Message-ID: <1117009782.3689.2.camel@bzorp.balabit> On Tue, 2005-05-24 at 23:05 +0200, Bostjan Golob wrote: > It appears that syslog-ng has an issue on OpenBSD/sparc64, as it does > not determine the hostname of the remote system, making all messages > appear to be from the syslog-ng server. The bug appears to be well > hidden in sources.c. In line 98, the call to do_recv (as seen in gdb > backtrace) is made, which requires a socklen_t* parameter. The catch > is in line 88, where salen is declared as size_t and then cast to > socklen_t; on sparc64, size_t is 64bit and socklen_t is 32bit and that > causes the salen variable to always contain 0, causing the known bug. > If you change line 88 to socklen_t salen = sizeof(sabuf), the host > name of the sending host is determined correctly and written in the > logfiles. > That also explains why syslog-ng works correctly on OpenBSD/i386, but > not on sparc64. Thanks, committed a fix for that. -- Bazsi From christian.janssen at gmail.com Wed May 25 10:39:53 2005 From: christian.janssen at gmail.com (Christian Janssen) Date: Wed May 25 10:39:58 2005 Subject: [syslog-ng] Re: Netscreen fw logs not piped in mysql In-Reply-To: References: Message-ID: RESOLVED, resp. kind of fixed in upstream [Debian 1.6.7-1] * Upgrade to "1.6.7" fixed they Problem !!! FYI: * first tried upgrade to Debian Package "1.6.5-2.2" Still PROBLEM ... nothing else changed = bug in 1.6.5 as expected from rmkml Thanks Christian --------------------- On 4/25/05, Rmkml wrote Hi Christian, please update syslog-ng v1.6.6 and retest Regards Rmkml --------------------- On 4/25/05, Christian Janssen wrote: .... 
> > * Netscreen Firewalls (Screen OS 5.1r3 & 4.1) > My System is Debian sarge, syslog-ng 1.6.5 > > a) Unix syslog entries are stored correctly in mysql database (and > textfile) all seems fine ! > > b) Netscreen syslog infos are logged as expected in txt file (see attach) > > c) [PROBLEM] but logging in mysql are not working, got following > message from my pipe script > > ERROR at line 1: Unknown command '\"'. > ERROR at line 1: Unknown command '\"'. > ERROR at line 1: Unknown command '\"'. > ... From speedysweedy at hotmail.com Wed May 25 17:26:59 2005 From: speedysweedy at hotmail.com (Speedy Sweedy) Date: Wed May 25 17:27:07 2005 Subject: [syslog-ng] host$ Message-ID: I am new to this list and new to syslog-ng so please forgive me if this question has been asked before. I looked through the archive but didn't come across anything that helped me. I have syslog-ng working on my FC3 box with SELinux set at its highest setting (wow that was fun!) but it logs the IP address of the remote host instead of the hostname. I can't seem to get it to log anything different than the IP address of the box sending the log. Here are my options in syslog-ng.conf: options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (yes); keep_hostname (yes); }; what am I doing wrong? Regards, The Speedster From Valdis.Kletnieks at vt.edu Wed May 25 19:12:09 2005 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@vt.edu) Date: Wed May 25 19:12:18 2005 Subject: [syslog-ng] host$ In-Reply-To: Your message of "Wed, 25 May 2005 15:26:59 -0000." 
References: Message-ID: <200505251712.j4PHC9fF015382@turing-police.cc.vt.edu> On Wed, 25 May 2005 15:26:59 -0000, Speedy Sweedy said: > I am new to this list and new to syslog-ng so please forgive me if this > question has been asked before. I looked through the archive but didn't > come across anything that helped me. > > I have syslog-ng working on my FC3 box with SELinux set at its highest > setting(wow that was fun!) but it logs the IP address of the remote host > instead of the hostname. I can't seem to get it to log anything different > than the IP address of the box sending the log. Here is my options in > syslog-ng.conf: > > options { > sync (0); > time_reopen (10); > log_fifo_size (1000); > long_hostnames (off); > use_dns (no); > use_fqdn (no); > create_dirs (yes); > keep_hostname (yes); > }; > > what am I doing wrong? Most likely, you have a borked syslog-ng.te that doesn't allow the syslog-ng process to read /etc/nsswitch.conf or similar, breaking DNS lookups. Grep through your logs and find any avc entries that reference syslog-ng. (And BTW - FC4 is about to escape, I'd *strongly* recommend upgrading to it if you're doing any SELinux work - the policy definitions have been worked on a *lot*. If you can't upgrade, at least get the updated SELinux RPMs (they should work OK on the FC3 kernel)). -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://www.test.balabit.hu/pipermail/syslog-ng/attachments/20050525/c90243e9/attachment.pgp From speedysweedy at hotmail.com Wed May 25 19:34:16 2005 From: speedysweedy at hotmail.com (Speedy Sweedy) Date: Wed May 25 19:34:20 2005 Subject: [syslog-ng] host$ In-Reply-To: <200505251712.j4PHC9fF015382@turing-police.cc.vt.edu> Message-ID: >Most likely, you have a borked syslog-ng.te that doesn't allow the >syslog-ng >process to read /etc/nsswitch.conf or similar, breaking DNS lookups. 
I used an RPM to install syslog-ng - could I get away with downloading the source, compile it and replace the syslog-ng bin? > >Grep through your logs and find any avc entries that reference syslog-ng. > >(And BTW - FC4 is about to escape, I'd *strongly* recommend upgrading to it >if you're doing any SELinux work - the policy definitions have been worked >on a *lot*. If you can't upgrade, at least get the updated SELinux RPMs >(they >should work OK on the FC3 kernel)). Yeah, I've read about FC4 being much better for syslog-ng. I'm about ready to start over using the FC4 test3 iso's but didn't know what happens once fc4 is released as far as installing the new released version. From Valdis.Kletnieks at vt.edu Wed May 25 22:21:11 2005 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@vt.edu) Date: Wed May 25 22:21:22 2005 Subject: [syslog-ng] host$ In-Reply-To: Your message of "Wed, 25 May 2005 17:34:16 -0000." References: Message-ID: <200505252021.j4PKLBVe022337@turing-police.cc.vt.edu> On Wed, 25 May 2005 17:34:16 -0000, Speedy Sweedy said: > I used an RPM to install syslog-ng - could I get away with downloading the > source, compile it and replace the syslog-ng bin? Probably wouldn't make a difference - the policy is in the selinux-policy-* RPMs. Having an RPM ship its own policy is an open research problem at the moment. > Yeah, I've read about FC4 being much better for syslog-ng. I'm about ready > to start over using the FC4 test3 iso's but didn't know what happens once > fc4 is released as far as installing the new released version. FC4-test3 and the final FC4 will be close enough that you should be able to just 'yum update' or 'up2date' the system to FC4-final.
From asolis at oppd.com Wed May 25 22:22:53 2005 From: asolis at oppd.com (SOLIS, ALEX) Date: Wed May 25 22:22:59 2005 Subject: [syslog-ng] host$ Message-ID: <3E061654BA925846A7FAFE98BA3603B710CF4EC3@SEPEX04.oppd.oppd-ds.com> My syslog-ng setup will resolve to hostnames as long as the /etc/resolv.conf or /etc/hosts entries are valid. If you ping the hosts logging to your box by IP does it resolve to the hostname? -----Original Message----- From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Speedy Sweedy Sent: Wednesday, May 25, 2005 12:34 PM To: syslog-ng@lists.balabit.hu Subject: Re: [syslog-ng] host$ >Most likely, you have a borked syslog-ng.te that doesn't allow the >syslog-ng >process to read /etc/nsswitch.conf or similar, breaking DNS lookups. I used an RPM to install syslog-ng - could I get away with downloading the source, compile it and replace the syslog-ng bin? > >Grep through your logs and find any avc entries that reference syslog-ng. > >(And BTW - FC4 is about to escape, I'd *strongly* recommend upgrading to it >if you're doing any SELinux work - the policy definitions have been worked >on a *lot*. If you can't upgrade, at least get the updated SELinux RPMs >(they >should work OK on the FC3 kernel)). Yeah, I've read about FC4 being much better for syslog-ng. I'm about ready to start over using the FC4 test3 iso's but didn't know what happens once fc4 is released as far as installing the new released version.

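Valdis's advice in the exchange above is to grep the logs for avc entries that mention syslog-ng. The script below is an added example of doing that systematically; it is not part of any message on this page and not a Fedora or syslog-ng tool. The audit records in it are constructed to look like FC3-era "avc: denied" lines, and the type names (syslogd_t, etc_t, dns_port_t) are illustrative, not copied from the real policy. It parses each denial, flags the ones that would stop a daemon from resolving hostnames, and prints the allow rule in the form audit2allow prints it.

```python
"""Pick SELinux AVC denials involving syslog-ng out of an audit log.

Added example for the host$/SELinux thread; not a Fedora or syslog-ng
tool.  SAMPLE_AUDIT is constructed; the SELinux type names are
illustrative assumptions, not the real targeted policy.
"""
import re
import sys

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Name-service files a daemon must be able to read before it can resolve
# an address to a hostname.
RESOLVER_FILES = {"nsswitch.conf", "resolv.conf", "hosts"}

SAMPLE_AUDIT = """\
type=AVC msg=audit(1117040000.123:45): avc:  denied  { read } for  pid=1234 comm="syslog-ng" name="nsswitch.conf" dev=hda2 ino=98765 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1117040000.123:45): arch=40000003 syscall=5 success=no exit=-13 comm="syslog-ng"
type=AVC msg=audit(1117040001.456:46): avc:  denied  { send_msg } for  pid=1234 comm="syslog-ng" dest=53 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
type=AVC msg=audit(1117040002.789:47): avc:  denied  { write } for  pid=2222 comm="httpd" name="index.html" dev=hda2 ino=4444 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
"""


def parse_avc(line):
    """Return the fields of one 'avc: denied' line as a dict, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def type_of(context):
    """'root:system_r:syslogd_t' -> 'syslogd_t' (user:role:type[:level])."""
    return context.split(":")[2]


def find_denials(audit_text, comm="syslog-ng"):
    """All AVC denials whose comm= field matches, in file order."""
    found = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec.get("comm") == comm:
            found.append(rec)
    return found


def blocks_name_resolution(rec):
    """True if this denial would keep the daemon from resolving hostnames."""
    return (rec.get("name") in RESOLVER_FILES
            or type_of(rec["tcontext"]) == "dns_port_t")


def allow_rule(rec):
    """The TE rule that would permit this access, as audit2allow prints it."""
    return "allow %s %s:%s { %s };" % (
        type_of(rec["scontext"]), type_of(rec["tcontext"]),
        rec["tclass"], " ".join(rec["perms"]))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT
    for rec in find_denials(text):
        note = "  <- breaks hostname lookups" if blocks_name_resolution(rec) else ""
        print(allow_rule(rec) + note)
```

Run it against /var/log/audit/audit.log (or /var/log/messages on a box without auditd) and read each rule before loading it: the rule is the minimum the denial asks for, but it is still a policy change for syslogd_t, and on a central log server that domain handles input from every host on the network. A denial that names nsswitch.conf or the DNS port is the signature of the symptom in this thread, an address where a hostname was expected, and is better fixed with the distribution's updated policy package than with a hand-written allow.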
From jpo at di.uminho.pt Thu May 26 02:31:10 2005 From: jpo at di.uminho.pt (José Pedro Oliveira) Date: Thu May 26 02:31:19 2005 Subject: [syslog-ng] host$ (Fedora Core and SELinux) In-Reply-To: References: Message-ID: <429518CE.9000401@di.uminho.pt> >> (And BTW - FC4 is about to escape, I'd *strongly* recommend upgrading >> to it >> if you're doing any SELinux work - the policy definitions have been >> worked >> on a *lot*. If you can't upgrade, at least get the updated SELinux >> RPMs (they >> should work OK on the FC3 kernel)). > > > Yeah, I've read about FC4 being much better for syslog-ng. I'm about > ready to start over using the FC4 test3 iso's but didn't know what > happens once fc4 is released as far as installing the new released version. FYI: The use_syslogng SELinux boolean (see [1]) has been dropped from the FC4 targeted policy leaving all the syslog-ng rules enabled by default. This change is also expected to be backported to FC3 and RHEL4. jpo References: [1] [syslog-ng]FYI: Fedora Core 3, syslog-ng, and SELinux https://lists.balabit.hu/pipermail/syslog-ng/2005-April/007347.html -- José Pedro Oliveira * mailto: jpo@di.uminho.pt * http://gsd.di.uminho.pt/~jpo * * gpg fingerprint = F9B6 8D87 859D 1C94 48F0 84C0 9749 9EB5 91BD 851B * From bazsi at balabit.hu Thu May 26 10:45:58 2005 From: bazsi at balabit.hu (Balazs Scheidler) Date: Thu May 26 10:46:06 2005 Subject: [syslog-ng] syslog-ng 1.6.8 has been released Message-ID: <1117097158.5346.2.camel@bzorp.balabit> Hi, I have released syslog-ng 1.6.8 containing some configure tweaks, a 64bit compatibility fix and a use_fqdn() fix when getting local hostnames. 
The NEWS entry is below:

News for the 1.6.8 release
        Thu, 26 May 2005 10:24:33 +0200

        * Some configure tweaking to detect proper ld options dynamically
          on Linux, Solaris and HP-UX. Other platforms might still have
          problems with static linking.
        * Some minor manpage fixes.
        * Use use_fqdn() option when determining local hostname instead of
          directly using the possibly short hostname returned by gethostname().
        * Fixed a 64 bit compatibility issue when resolving hostnames.

The release can be found at the usual place:
http://www.balabit.com/products/syslog-ng/upgrades.bbq

--
Bazsi

From kenneth.gullberg at foreningssparbanken.se Thu May 26 12:11:31 2005
From: kenneth.gullberg at foreningssparbanken.se (kenneth.gullberg@foreningssparbanken.se)
Date: Thu May 26 12:12:32 2005
Subject: SV: [syslog-ng] syslog-ng 1.6.8 has been released
Message-ID: 

Hi,

Here is a small suggestion for the INSTALL file in the next release, for
inexperienced admins:

Solaris 10
----------
For successful compilation on Solaris 10 you need to use --enable-full-dynamic
when you run configure.

// Kenneth

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: 26 May 2005 10:46
To: syslog-ng@lists.balabit.hu
Cc: syslog-ng-announce@lists.balabit.hu
Subject: [syslog-ng] syslog-ng 1.6.8 has been released

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

From jennylou.sequeira at hp.com Fri May 27 12:24:15 2005
From: jennylou.sequeira at hp.com (Jenny-Lou Sequeira)
Date: Fri May 27 12:24:30 2005
Subject: [syslog-ng] Get "warning: ignoring #pragma" warnings when compiling libol-0.3.16 on HP-UX
Message-ID: <200505271024.j4RAOFAh782699@power.usa.hp.com>

If I just run

  # ./configure CC=gcc CFLAGS="-v"
  # make

it compiles fine. Looking at the log from make, the include path is:

  .
  /usr/local/include
  /usr/local/lib/gcc/ia64-hp-hpux11.23/3.4.3/include
  /usr/include

However, if I restrict the "Include" path to the following

  ./configure CC=gcc CFLAGS="-v -nostdinc -O2" CPPFLAGS="-I/usr/local/include -I/usr/local/lib/gc/ia64-hphpux11.23/3.4.3/include -I/usr/include"

"make" spews out warnings like:

  /usr/local/lib/gcc/ia64-hp-hpux11.23/3.4.3/include/stdlib.h:30: warning: ignoring #pragma builtin_milli abs
  /usr/local/lib/gcc/ia64-hp-hpux11.23/3.4.3/include/stdlib.h:31: warning: ignoring #pragma extern abs
  /usr/local/lib/gcc/ia64-hp-hpux11.23/3.4.3/include/stdlib.h:65: warning: ignoring #pragma builtin_milli div
  /usr/include/sys/signal.h:174: warning: ignoring #pragma extern signal
  /usr/include/sys/signal.h:191: warning: ignoring #pragma extern kill
  /usr/include/sys/signal.h:192: warning: ignoring #pragma extern sigismember
  /usr/include/sys/signal.h:193: warning: ignoring #pragma extern sigpending

Thanks,
Jenny-Lou

From finattack at gmail.com Fri May 27 12:29:46 2005
From: finattack at gmail.com (Metal Gear)
Date: Fri May 27 12:29:54 2005
Subject: [syslog-ng] Program Filters
In-Reply-To: <20050525052214.GD9477@campin.net>
References: <110c784405051602595e349b58@mail.gmail.com> <20050516150134.GZ26013@campin.net> <110c7844050516205954698e9@mail.gmail.com> <20050521055026.GA9477@campin.net> <110c7844050522225868205d5f@mail.gmail.com> <20050523132030.GC9477@campin.net> <110c7844050524032434f56e01@mail.gmail.com> <20050525052214.GD9477@campin.net>
Message-ID: <110c784405052703295a79d5a6@mail.gmail.com>

Still there are no compilation errors now, but I'm not having any logs of ftp
and ssh; when I remove the filters then I get the bunch of logs. Setting the
filters for facility(auth, authpriv) is working, but it gives only the users
who are successfully connected through ssh or ftp. I'm sending my
syslog-ng.conf using filters, but I'm not getting the logs of it.

  source src {unix-stream("/dev/log"); pipe("/proc/kmsg"); internal();};
  source stunnel {tcp(ip("127.0.0.1 ") port(514) keep-alive(yes));};

  filter f_ftp {program(".*ftp*.");};
  filter f_ssh {program(".*ssh*.");};

  log {source(src); filter(f_syslog); filter(f_ftp); filter(f_ssh); destination(dest2);};
  log {source(stunnel); filter(f_syslog); filter(f_ftp); filter(f_ssh); destination(dest2);};

Thanks

From nate at campin.net Fri May 27 22:33:42 2005
From: nate at campin.net (Nate Campi)
Date: Fri May 27 22:33:51 2005
Subject: [syslog-ng] Program Filters
In-Reply-To: <110c784405052703295a79d5a6@mail.gmail.com>
References: <110c784405051602595e349b58@mail.gmail.com> <20050516150134.GZ26013@campin.net> <110c7844050516205954698e9@mail.gmail.com> <20050521055026.GA9477@campin.net> <110c7844050522225868205d5f@mail.gmail.com> <20050523132030.GC9477@campin.net> <110c7844050524032434f56e01@mail.gmail.com> <20050525052214.GD9477@campin.net> <110c784405052703295a79d5a6@mail.gmail.com>
Message-ID: <20050527203342.GG9477@campin.net>

On Fri, May 27, 2005 at 04:29:46PM +0600, Metal Gear wrote:
> Still there are no compilation errors now, but I'm not having any logs of ftp
> and ssh; when I remove the filters then I get the bunch of logs. Setting the
> filters for facility(auth, authpriv) is working, but it gives only the users
> who are successfully connected through ssh or ftp. I'm sending my
> syslog-ng.conf using filters, but I'm not getting the logs of it.
>
> source src {unix-stream("/dev/log"); pipe("/proc/kmsg"); internal();};
> source stunnel {tcp(ip("127.0.0.1 ") port(514)
> keep-alive(yes));};
>
> filter f_ftp {program(".*ftp*.");};
> filter f_ssh {program(".*ssh*.");};
>
> log {source(src); filter(f_syslog); filter(f_ftp); filter(f_ssh);
> destination(dest2);};
> log {source(stunnel); filter(f_syslog); filter(f_ftp); filter(f_ssh);
> destination(dest2);};

I already pointed out your error in this same thread. You can't have those
filters all set up; you'll only see messages if ALL OF THEM MATCH. Read back
through for an example I gave on how to make it filter the way you want it to.

--
Nate

"A lie can travel half way around the world while the truth is putting on its shoes."
  - Samuel Clemens

From cokeeffe at gmail.com Sun May 29 15:46:49 2005
From: cokeeffe at gmail.com (Colin O'Keeffe)
Date: Sun May 29 15:46:52 2005
Subject: [syslog-ng] Error logging to MySQL
Message-ID: <668897570505290646511e0f64@mail.gmail.com>

I get

  syntax error at 132
  Parse error reading configuratin file, exiting. (line 132)

when I do syslog-ng start. Here's my config file....

#
# Configuration file for syslog-ng under Debian
#
# attempts at reproducing default syslog behavior

# the standard syslog levels are (in descending order of priority):
# emerg alert crit err warning notice info debug
# the aliases "error", "panic", and "warn" are deprecated
# the "none" priority found in the original syslogd configuration is
# only used in internal messages created by syslogd

######
# options

options {
    # disable the chained hostname format in logs
    # (default is enabled)
    chain_hostnames(0);

    # the time to wait before a died connection is re-established
    # (default is 60)
    time_reopen(10);

    # the time to wait before an idle destination file is closed
    # (default is 60)
    time_reap(360);

    # the number of lines buffered before written to file
    # you might want to increase this if your disk isn't catching with
    # all the log messages you get or if you want less disk activity
    # (say on a laptop)
    # (default is 0)
    #sync(0);

    # the number of lines fitting in the output queue
    log_fifo_size(2048);

    # enable or disable directory creation for destination files
    create_dirs(yes);

    # default owner, group, and permissions for log files
    # (defaults are 0, 0, 0600)
    #owner(root);
    group(adm);
    perm(0640);

    # default owner, group, and permissions for created directories
    # (defaults are 0, 0, 0700)
    #dir_owner(root);
    #dir_group(root);
    dir_perm(0755);

    # enable or disable DNS usage
    # syslog-ng blocks on DNS queries, so enabling DNS may lead to
    # a Denial of Service attack
    # (default is yes)
    use_dns(no);

    # maximum length of message in bytes
    # this is only limited by the program listening on the /dev/log Unix
    # socket, glibc can handle arbitrary length log messages, but -- for
    # example -- syslogd accepts only 1024 bytes
    # (default is 2048)
    #log_msg_size(2048);
};

######
# sources

# all known message sources
source s_all {
    # message generated by Syslog-NG
    internal();
    # standard Linux log source (this is the default place for the syslog()
    # function to send logs to)
    #unix-stream("/dev/log");
    # messages from the kernel
    file("/proc/kmsg" log_prefix("kernel: "));
    # use the above line if you want to receive remote UDP logging messages
    # (this is equivalent to the "-r" syslogd flag)
    # udp();
};

######
# destinations

# some standard log files
destination df_auth { file("/var/log/auth.log"); };
destination df_syslog { file("/var/log/syslog"); };
destination df_cron { file("/var/log/cron.log"); };
destination df_daemon { file("/var/log/daemon.log"); };
destination df_kern { file("/var/log/kern.log"); };
destination df_lpr { file("/var/log/lpr.log"); };
destination df_mail { file("/var/log/mail.log"); };
destination df_user { file("/var/log/user.log"); };
destination df_uucp { file("/var/log/uucp.log"); };

# these files are meant for the mail system log files
# and provide re-usable destinations for {mail,cron,...}.info,
# {mail,cron,...}.notice, etc.
destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };

# these files are meant for the news system, and are kept separated
# because they should be owned by "news" instead of "root"
destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };

# some more classical and useful files found in standard syslog configurations
destination df_debug { file("/var/log/debug"); };
destination df_messages { file("/var/log/messages"); };

# pipes
# a console to view log messages under X
destination dp_xconsole { pipe("/dev/xconsole"); };

# consoles
# this will send messages to everyone logged in
destination du_all { usertty("*"); };

destination d_mysql {
    pipe("/tmp/mysql.pipe"
    template("INSERT INTO logs VALUES('$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG');\n") template-escape(yes));
};
log {source; destination(d_mysql);
};

######
# filters

# all messages from the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };

# all messages except from the auth and authpriv facilities
filter f_syslog { not facility(auth, authpriv); };

# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
# and uucp facilities
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };

# some filters to select messages of priority greater or equal to info, warn,
# and err
# (equivalents of syslogd's *.info, *.warn, and *.err)
filter f_at_least_info { level(info..emerg); };
filter f_at_least_notice { level(notice..emerg); };
filter f_at_least_warn { level(warn..emerg); };
filter f_at_least_err { level(err..emerg); };
filter f_at_least_crit { level(crit..emerg); };

# all messages of priority debug not coming from the auth, authpriv, news, and
# mail facilities
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };

# all messages of info, notice, or warn priority not coming from the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages {
    level(info,notice,warn)
    and not facility(auth,authpriv,cron,daemon,mail,news);
};

# messages with priority emerg
filter f_emerg { level(emerg); };

# complex filter for messages usually sent to the xconsole
filter f_xconsole {
    facility(daemon,mail)
    or level(debug,info,notice,warn)
    or (facility(news) and level(crit,err,notice));
};

######
# logs
# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement

# these rules provide the same behavior as the commented original syslogd rules

# auth,authpriv.*                /var/log/auth.log
log {
    source(s_all);
    filter(f_auth);
    destination(df_auth);
};

# *.*;auth,authpriv.none         -/var/log/syslog
log {
    source(s_all);
    filter(f_syslog);
    destination(df_syslog);
};

# this is commented out in the default syslog.conf
# cron.*                         /var/log/cron.log
#log {
#    source(s_all);
#    filter(f_cron);
#    destination(df_cron);
#};

# daemon.*                       -/var/log/daemon.log
log {
    source(s_all);
    filter(f_daemon);
    destination(df_daemon);
};

# kern.*                         -/var/log/kern.log
log {
    source(s_all);
    filter(f_kern);
    destination(df_kern);
};

# lpr.*                          -/var/log/lpr.log
log {
    source(s_all);
    filter(f_lpr);
    destination(df_lpr);
};

# mail.*                         -/var/log/mail.log
log {
    source(s_all);
    filter(f_mail);
    destination(df_mail);
};

# user.*                         -/var/log/user.log
log {
    source(s_all);
    filter(f_user);
    destination(df_user);
};

# uucp.*                         /var/log/uucp.log
log {
    source(s_all);
    filter(f_uucp);
    destination(df_uucp);
};

# mail.info                      -/var/log/mail.info
log {
    source(s_all);
    filter(f_mail);
    filter(f_at_least_info);
    destination(df_facility_dot_info);
};

# mail.warn                      -/var/log/mail.warn
log {
    source(s_all);
    filter(f_mail);
    filter(f_at_least_warn);
    destination(df_facility_dot_warn);
};

# mail.err                       /var/log/mail.err
log {
    source(s_all);
    filter(f_mail);
    filter(f_at_least_err);
    destination(df_facility_dot_err);
};

# news.crit                      /var/log/news/news.crit
log {
    source(s_all);
    filter(f_news);
    filter(f_at_least_crit);
    destination(df_news_dot_crit);
};

# news.err                       /var/log/news/news.err
log {
    source(s_all);
    filter(f_news);
    filter(f_at_least_err);
    destination(df_news_dot_err);
};

# news.notice                    /var/log/news/news.notice
log {
    source(s_all);
    filter(f_news);
    filter(f_at_least_notice);
    destination(df_news_dot_notice);
};

# *.=debug;\
#   auth,authpriv.none;\
#   news.none;mail.none          -/var/log/debug
log {
    source(s_all);
    filter(f_debug);
    destination(df_debug);
};

# *.=info;*.=notice;*.=warn;\
#   auth,authpriv.none;\
#   cron,daemon.none;\
#   mail,news.none               -/var/log/messages
log {
    source(s_all);
    filter(f_messages);
    destination(df_messages);
};

# *.emerg                        *
log {
    source(s_all);
    filter(f_emerg);
    destination(du_all);
};

# daemon.*;mail.*;\
#   news.crit;news.err;news.notice;\
#   *.=debug;*.=info;\
#   *.=notice;*.=warn            |/dev/xconsole
log {
    source(s_all);
    filter(f_xconsole);
    destination(dp_xconsole);
};

I am running on Debian Sarge AMD64; any idea what's wrong?

--
Colin O'Keeffe

From Valdis.Kletnieks at vt.edu Sun May 29 18:22:11 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@vt.edu)
Date: Sun May 29 18:22:25 2005
Subject: [syslog-ng] Error logging to MySQL
In-Reply-To: Your message of "Sun, 29 May 2005 14:46:49 BST." <668897570505290646511e0f64@mail.gmail.com>
References: <668897570505290646511e0f64@mail.gmail.com>
Message-ID: <200505291622.j4TGMCUM007197@turing-police.cc.vt.edu>

On Sun, 29 May 2005 14:46:49 BST, "Colin O'Keeffe" said:
> I get
>
> syntax error at 132
> Parse error reading configuratin file, exiting. (line 132)

> destination d_mysql {
>     pipe("/tmp/mysql.pipe"
>     template("INSERT INTO logs VALUES('$HOST', '$FACILITY', '$PRIORITY',
>     '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM',
>     '$MSG');\n") template-escape(yes));
> };
> log {source; destination(d_mysql);
> };

I'm guessing that the 'log' is line 132? Maybe you need something after the
'source' telling it *which* source? "source(s_all);" may be what you meant to
have here?

From finattack at gmail.com Mon May 30 08:35:32 2005
From: finattack at gmail.com (Metal Gear)
Date: Mon May 30 08:42:17 2005
Subject: [Filter Test: C10] Re: [syslog-ng] Program Filters
In-Reply-To: <200505272102.j4RL2nn23271@soda-pop.corpnet.sel.sony.com>
References: <200505272102.j4RL2nn23271@soda-pop.corpnet.sel.sony.com>
Message-ID: <110c784405052923351a13f4d2@mail.gmail.com>

Hi, thank you guys for the help. Actually I missed two of the posts of
Mr. Nate; following the instructions in the post, I have no problem. Now I
have the logs that I wanted. Thanks again.
From tilaris at wanadoo.fr Mon May 30 11:08:05 2005
From: tilaris at wanadoo.fr (JF Suret)
Date: Mon May 30 11:08:09 2005
Subject: [syslog-ng] syslog-ng and windows
Message-ID: <32738732.1117444085565.JavaMail.www@wwinf1307>

Hello,

I'm using syslog-ng as a central log server, and I have both linux and
windows clients. I know that there are some syslog windows clients (NTsyslog,
snare) but I can't find any open source syslog-ng clients.

What I'm looking for is (at least if it does not exist) information on the
TCP data format used by syslog-ng. So I could write a little udp to tcp
syslog translator that could be used on windows clients (and maybe modify
NTsyslog if I have enough time...)

Thanks
JF

From bazsi at balabit.hu Mon May 30 13:23:37 2005
From: bazsi at balabit.hu (Balazs Scheidler)
Date: Mon May 30 13:23:40 2005
Subject: [syslog-ng] syslog-ng and windows
In-Reply-To: <32738732.1117444085565.JavaMail.www@wwinf1307>
References: <32738732.1117444085565.JavaMail.www@wwinf1307>
Message-ID: <1117452217.2371.3.camel@bzorp.balabit>

On Mon, 2005-05-30 at 11:08 +0200, JF Suret wrote:
> Hello,
>
> I'm using syslog-ng as a central log server, and I have both linux and
> windows clients. I know that there are some syslog windows clients (NTsyslog,
> snare) but I can't find any open source syslog-ng clients.
>
> What I'm looking for is (at least if it does not exist) information on the
> TCP data format used by syslog-ng.
> So I could write a little udp to tcp syslog translator that could be used on
> windows clients (and maybe modify NTsyslog if I have enough time...)

It is basically the same as UDP; the only exception is that messages have to
be terminated by NL or NUL characters, as otherwise there's no way to
recognize the message boundary.

--
Bazsi

From micaho at gmail.com Tue May 31 02:12:51 2005
From: micaho at gmail.com (micah milano)
Date: Tue May 31 02:13:00 2005
Subject: [syslog-ng] syslog-ng anon patch
Message-ID: <70fda320505301712644a05a6@mail.gmail.com>

Attachment: syslog-ng-anon.diff (text/x-patch, 16286 bytes)
http://lists.balabit.hu/pipermail/syslog-ng/attachments/20050530/20bccbf2/syslog-ng-anon-0001.bin

From torpedo at bluebottle.com Tue May 31 07:13:42 2005
From: torpedo at bluebottle.com (torpedo)
Date: Tue May 31 07:13:47 2005
Subject: [syslog-ng] meaning internal message
Message-ID: <1117516422.429bf2862468a@bluebottle.com>

Hi all,

syslog-ng generates internal message =>

  May 31 10:33:39 inter@abc syslog-ng[3841]: STATS: dropped 0

What does this message mean?

Where can I find what internal messages syslog-ng generates and their
meanings?

thanks in advance.

regards,
torpedo

From bazsi at balabit.hu Tue May 31 10:25:02 2005
From: bazsi at balabit.hu (Balazs Scheidler)
Date: Tue May 31 10:25:08 2005
Subject: [syslog-ng] meaning internal message
In-Reply-To: <1117516422.429bf2862468a@bluebottle.com>
References: <1117516422.429bf2862468a@bluebottle.com>
Message-ID: <1117527902.3700.4.camel@bzorp.balabit>

On Tue, 2005-05-31 at 00:13 -0500, torpedo wrote:
> Hi all,
>
> syslog-ng generates internal message =>
>
> May 31 10:33:39 inter@abc syslog-ng[3841]: STATS: dropped 0
>
> What does this message mean?

It means that syslog-ng itself dropped 0 messages internally. Note that there
might be other sources for message drops, like incoming UDP buffers. syslog-ng
1.6.x drops messages if the output FIFO is full.

> Where can I find what internal messages syslog-ng generates and their
> meanings?

Only in the source, I'm afraid.

--
Bazsi

From alessandrorocha at gmail.com Tue May 31 16:47:21 2005
From: alessandrorocha at gmail.com (Alessandro Rocha)
Date: Tue May 31 16:47:53 2005
Subject: [syslog-ng] Question
Message-ID: 

Hi All,

Do you know if it is possible to redirect syslog logs to an oracle database?
If it is possible, do you know where I can find a how-to?

Thanks in advance.

Alessandro.

From mlist at sanderscorner.com Tue May 31 16:58:59 2005
From: mlist at sanderscorner.com (Sander)
Date: Tue May 31 16:59:02 2005
Subject: [syslog-ng] Question
In-Reply-To: 
References: 
Message-ID: <429C7BB3.9030109@sanderscorner.com>

Alessandro Rocha wrote:

>Hi All,
>
>Do you know if it is possible to redirect syslog logs to an oracle database?
>If it is possible, do you know where I can find a how-to?
>
>Thanks in advance.
>
>Alessandro.

http://vermeer.org/display_doc.php?doc_id=1

or... google for syslog-ng and oracle.

Sander

From asolis at oppd.com Tue May 31 17:00:02 2005
From: asolis at oppd.com (SOLIS, ALEX)
Date: Tue May 31 17:00:10 2005
Subject: [syslog-ng] syslog-ng and windows
Message-ID: <3E061654BA925846A7FAFE98BA3603B710CF51C4@SEPEX04.oppd.oppd-ds.com>

Just curious....

What would happen if TCP transmission was not terminated with an nl or nul
char? Would TCP receive buffers fill up and kill communication on the server?

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Monday, May 30, 2005 6:24 AM
To: tilaris@wanadoo.fr; Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] syslog-ng and windows


From bazsi at balabit.hu Tue May 31 17:49:46 2005
From: bazsi at balabit.hu (Balazs Scheidler)
Date: Tue May 31 17:49:50 2005
Subject: [syslog-ng] syslog-ng and windows
In-Reply-To: <3E061654BA925846A7FAFE98BA3603B710CF51C4@SEPEX04.oppd.oppd-ds.com>
References: <3E061654BA925846A7FAFE98BA3603B710CF51C4@SEPEX04.oppd.oppd-ds.com>
Message-ID: <1117554586.6898.0.camel@bzorp.balabit>

On Tue, 2005-05-31 at 10:00 -0500, SOLIS, ALEX wrote:
> Just curious....
>
> What would happen if TCP transmission was not terminated with an nl or
> nul char? Would TCP receive buffers fill up and kill communication on
> the server?

Of course not. syslog-ng reads the incoming TCP stream and, once it has
reached the message size limit (controllable using log_msg_size), it will
flush the message even if there was no terminating newline.

--
Bazsi

From Valdis.Kletnieks at vt.edu Tue May 31 19:26:04 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@vt.edu)
Date: Tue May 31 19:26:11 2005
Subject: [syslog-ng] syslog-ng anon patch
In-Reply-To: Your message of "Mon, 30 May 2005 19:12:51 CDT." <70fda320505301712644a05a6@mail.gmail.com>
References: <70fda320505301712644a05a6@mail.gmail.com>
Message-ID: <200505311726.j4VHQ4Q7009612@turing-police.cc.vt.edu>

On Mon, 30 May 2005 19:12:51 CDT, micah milano said:
> The attached patch comes from http://dev.riseup.net/patches/syslog-ng what
> it does is provide a simple filter to strip out unwanted regular expressions
> from logs, as well as an IP alias that enables you to strip out IP addresses
> from your logs.

Interesting. Does it apply the regexp to *the entire message* (a quick read
of the code indicates so)?

Also, I see in make_filter_replace:

  if (strcasecmp(re,"ips") == 0) {
    re = "...([\\.\\-](25

Was the \\- intended?

And just to *ensure* that rocks and rotten tomatoes are heaved at me: Any
plans to expand that RE to cover IPv6 addresses? ;)

From elijah at riseup.net Tue May 31 20:28:29 2005
From: elijah at riseup.net (Elijah)
Date: Tue May 31 20:29:37 2005
Subject: [syslog-ng] syslog-ng anon patch
In-Reply-To: <200505311726.j4VHQ4Q7009612@turing-police.cc.vt.edu>
References: <70fda320505301712644a05a6@mail.gmail.com> <200505311726.j4VHQ4Q7009612@turing-police.cc.vt.edu>
Message-ID: <34695.elijah.1117564109.squirrel@mail.riseup.net>

Valdis.Kletnieks@vt.edu said:
> On Mon, 30 May 2005 19:12:51 CDT, micah milano said:
>
>> The attached patch comes from http://dev.riseup.net/patches/syslog-ng
>> what it does is provide a simple filter to strip out unwanted regular
>> expressions from logs, as well as an IP alias that enables you to
>> strip out IP addresses from your logs.
>
> Interesting. Does it apply the regexp to *the entire message* (a quick
> read of the code indicates so)?

yes. perhaps it should not?

> Also, I see in make_filter_replace:
>
>   if (strcasecmp(re,"ips") == 0) {
>     re = "...([\\.\\-](25
>
> Was the \\- intended?

Many ISPs set the reverse dns to include the ip address in the form
69-90-134-155-myisp.com, so I thought it would be useful to remove those as
well.

> Any plans to expand that RE to cover IPv6 addresses? ;)

Yes. Alas, IPv6 is complicated. I had a pcre which worked, but had some
difficulty converting it to regexp. Eventually, I plan to do so. Any
suggestions for what the regexp should be?

-elijah
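An added example, not the anon patch's own code, of the log anonymisation the thread describes: it removes dotted IPv4 addresses and the dashed 69-90-134-155-myisp.com form the "ips" alias covers, and, as one answer to the IPv6 question above, validates IPv6 candidates with Python's ipaddress module instead of a hand-written regexp. The IP_REMOVED placeholder and the sample log lines are constructed for this example.

```python
"""Strip IP addresses from syslog lines before they are stored (added example)."""
import ipaddress
import re

# Text written in place of each address.  Assumed for this example; the
# patch's own replacement text is not shown in the thread.
PLACEHOLDER = "IP_REMOVED"

# One decimal octet, 0-255, no leading zeros.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
# Four octets joined by '.' or '-', so both 69.90.134.155 and the reverse-DNS
# style 69-90-134-155-myisp.com are caught.  Known limitation: a four-part
# version string such as 3.4.3.1 matches as well.
IPV4_RE = re.compile(r"\b" + _OCTET + r"(?:[.\-]" + _OCTET + r"){3}\b")

# Candidate IPv6 tokens: a run of hex digits, ':' and '.' that is not glued to
# other word characters.  Timestamps such as 10:33:39 are candidates too, which
# is why every candidate is validated before it is replaced.
_IPV6_CANDIDATE_RE = re.compile(r"(?<![\w:.])[0-9A-Fa-f:.]+(?![\w:.])")


def _replace_if_ipv6(match: re.Match) -> str:
    """Return the placeholder only when the token parses as an IPv6 address."""
    token = match.group(0)
    if ":" not in token:
        return token
    try:
        ipaddress.IPv6Address(token)
    except ValueError:  # e.g. "10:33:39" or a lone ":" after a PID
        return token
    return PLACEHOLDER


def anonymize_ipv6(text: str) -> str:
    """Replace every well-formed IPv6 address in text."""
    return _IPV6_CANDIDATE_RE.sub(_replace_if_ipv6, text)


def anonymize_ipv4(text: str) -> str:
    """Replace dotted and dashed IPv4 addresses in text."""
    return IPV4_RE.sub(PLACEHOLDER, text)


def anonymize(text: str, extra_patterns=()) -> str:
    """Anonymise one log line the way the patch's filter would.

    IPv6 runs first so that an IPv4-mapped address (::ffff:192.0.2.1) is removed
    whole instead of leaving "::ffff:" behind.  extra_patterns stands in for the
    patch's user-supplied regexps to strip; each match is replaced as well.
    """
    text = anonymize_ipv6(text)
    text = anonymize_ipv4(text)
    for pattern in extra_patterns:
        text = re.sub(pattern, PLACEHOLDER, text)
    return text


def anonymize_lines(lines):
    """Apply anonymize() to every line and return the result as a list."""
    return [anonymize(line) for line in lines]


# Constructed sample lines, modelled on the syslog format seen in the thread.
SAMPLE_LINES = [
    "May 31 10:33:39 inter sshd[3841]: Accepted publickey for alice from 192.0.2.10 port 51234",
    "May 31 10:34:02 inter postfix/smtpd[412]: connect from 69-90-134-155-myisp.example[69.90.134.155]",
    "May 31 10:35:17 inter sshd[3850]: Connection from 2001:db8::1 port 40000",
    "May 31 10:36:00 inter syslog-ng[3841]: STATS: dropped 0",
]

if __name__ == "__main__":
    for line in anonymize_lines(SAMPLE_LINES):
        print(line)
```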