[syslog-ng] Bug: syslog 2.0.x circular message delivery if no DNS

Andreas Kurz andreas.kurz at gmail.com
Thu Oct 18 15:50:12 CEST 2007


On 10/18/07, Balazs Scheidler <bazsi at balabit.hu> wrote:
> On Wed, 2007-10-17 at 10:42 -0700, Evan Rempel wrote:
> > We recently had an unscheduled power outage in our data center.
> > Our servers came back prior to our DNS being available (actually, prior
> > to the network coming back up). All hosts running syslog-ng consumed their
> > log filespace as fast as the disks would allow writing which took about 2 minutes.
> >
> > The problem we seem to have encountered is that our source section and destination
> > definitions are;
> >
> > source local { unix-stream("/dev/log" max-connections(200));
> >                 file("/proc/kmsg" log_prefix("kernel: "));
> >                 tcp( localip(127.0.0.1) port(514) );
> >                 internal();
> >               };
> >
> > destination syslogServer1 { tcp("syslog.uvic.ca" log_fifo_size(50000) ); };
> >
> >
> > It seems that if syslog.uvic.ca could not be resolved, syslog-ng took it upon itself
> > to use 127.0.0.1 as its destination and started logging to itself. Chaining of hostnames
> > is on, which means that we could see a message path of
> >
> > local@myhost.uvic.ca/local@myhost.uvic.ca/local@myhost.uvic.ca/local@myhost.uvic.ca/local@myhost.uvic.ca
> >
> > until some maximum length was reached and the hostname field became truncated.
> >
> > This should be easy to repeat if you use a source like the one above, disconnect the network
> > and start syslog-ng.
>
> I was already thinking about the idea of dropping internal messages
> generated while another internal message is being delivered to prevent
> such loops.

Just out of curiosity:

What is the intention of the line 'tcp( localip(127.0.0.1) port(514) );' ?

Which local logging messages are not processed if just using:

source local { unix-stream("/dev/log" max-connections(200));
               file("/proc/kmsg" log_prefix("kernel: "));
               internal();
             };

Thanks,
Andreas
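
A pre-start check for the condition described in this thread, as an added example that is not part of the original messages or of syslog-ng itself: it flags any tcp() destination whose port matches a tcp() source the same configuration listens on locally and whose hostname either fails to resolve or resolves to a local address. The regex-based parsing, the function names and the default port of 514 are assumptions made for illustration, and the sample configuration is constructed from the one quoted above.

```python
import ipaddress
import re
import socket

# Constructed sample mirroring the configuration quoted in the thread.
SAMPLE_CONF = '''
source local { unix-stream("/dev/log" max-connections(200));
                file("/proc/kmsg" log_prefix("kernel: "));
                tcp( localip(127.0.0.1) port(514) );
                internal();
              };
destination syslogServer1 { tcp("syslog.uvic.ca" log_fifo_size(50000) ); };
'''
DEFAULT_PORT = 514  # assumption: port used by tcp() when none is given
BLOCK = re.compile(r'\b(source|destination)\s+(\S+)\s*\{(.*?)\}\s*;', re.S)
TCP = re.compile(r'\btcp\s*\(((?:[^()]|\([^()]*\))*)\)')

def _opt(args, name, default):
    """Value of option name(...) inside a tcp(...) argument list."""
    m = re.search(r'\b' + name + r'\s*\(\s*"?([^")\s]+)"?\s*\)', args)
    return m.group(1) if m else default

def system_resolver(host):
    return [ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)]

def _is_local(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified

def find_loop_risks(conf, resolve=system_resolver):
    """List (destination, host, port, reason) for tcp destinations that can loop."""
    blocks = BLOCK.findall(conf)
    listeners = {int(_opt(a, 'port', DEFAULT_PORT))
                 for kind, _, body in blocks if kind == 'source'
                 for a in TCP.findall(body)
                 if _is_local(_opt(a, 'localip', '0.0.0.0'))}
    risks = []
    for kind, name, body in blocks:
        for args in TCP.findall(body) if kind == 'destination' else []:
            host = re.match(r'\s*"?([^"\s()]+)', args).group(1)
            port = int(_opt(args, 'port', DEFAULT_PORT))
            try:
                local = any(_is_local(a) for a in resolve(host))
                reason = 'resolves to local address' if local else None
            except OSError:  # socket.gaierror is a subclass of OSError
                reason = 'unresolvable'
            if reason and port in listeners:
                risks.append((name, host, port, reason))
    return risks
```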

