[syslog-ng] Parser-DB Memory Leak
Martin Holste
mcholste at gmail.com
Fri Apr 24 17:29:12 CEST 2009
I'm running tests with the db-parser() parser module and finding that the
memory grows exponentially until the program finally dies with:
***MEMORY-ERROR***: syslog-ng[2769]: GSlice: failed to allocate 248 bytes
(alignment: 256): Cannot allocate memory
Here is my configuration:
@version: 3.0
# Reproduction configuration for the db-parser() memory growth described above.
# The options block is empty, so no global option is set explicitly.
options {
};
# Plain TCP listener bound to every interface (0.0.0.0) on port 445.
# NOTE(review): no TLS and no connection limit are configured on this source, so any
# host that can reach the port can feed messages into the parser. Port 445 is also the
# port normally used by SMB, and binding below 1024 usually requires root. For a test
# rig, a loopback or management address and an unprivileged port narrow the exposure.
source s_tcp {
tcp(ip(0.0.0.0) port(445));
};
# db-parser() is called without arguments, so no pattern database path is given here.
# presumably the built-in default file is loaded (the post shows var/patterndb.xml) - confirm.
parser p_db {
db-parser();
};
# Filters on the name-value pairs .classifier.class and .classifier.rule_id.
# NOTE(review): match() is presumably a regular-expression search here (no type() is
# set - confirm for 3.0.1). An unanchored "2" would then also match rule ids such as
# "12" or "20"; anchoring ("^2$") keeps routing exact once the database has more rules.
# f_security_class and f_class_unknown are not referenced by any log statement shown
# in this post.
filter f_security_class {
match("security" value(".classifier.class"));
};
filter f_class_unknown {
match("unknown" value(".classifier.class"));
};
# Passes every message whose class does not match "unknown".
filter f_not_class_unknown {
not match("unknown" value(".classifier.class"));
};
# Selects messages classified by the rule with id 2 (the "Deny" pattern in the database below).
filter f_FIREWALL_ACCESS_DENY {
match("2" value(".classifier.rule_id"));
};
# Tab-separated, newline-terminated record for access-deny events.
# NOTE(review): every field is taken from network-supplied messages and written as-is;
# a value containing a tab or newline would shift columns for whatever reads the fifo -
# the consumer should validate field counts rather than trust the framing.
# ${FWSM.PRIORITY} and ${FWSM.MSG_CODE} are not set by any pattern shown in this post.
template t_FIREWALL_ACCESS_DENY {
template("$R_UNIXTIME\t$SOURCEIP\t$FACILITY\t$PROGRAM\t${.classifier.class}\t${.classifier.rule_id}\t${FIREWALL.proto}\t${FIREWALL.o_int}\t${FIREWALL.srcip}\t${FIREWALL.srcport}\t${FIREWALL.i_int}\t${FIREWALL.dstip}\t${FIREWALL.dstport}\t${FIREWALL.access_group}\t${FWSM.PRIORITY}\t${FWSM.MSG_CODE}\t${MSGONLY}\n");
};
# All three destinations in this config write to the same named pipe, /tmp/db_parsed_fifo,
# each with its own template.
# NOTE(review): /tmp is normally world-writable, so another local user can create this
# fixed path first (as a file or link) or read from the pipe. A dedicated directory
# owned by the syslog-ng account, with restrictive permissions, avoids both.
destination d_FIREWALL_ACCESS_DENY {
fifo("/tmp/db_parsed_fifo", template(t_FIREWALL_ACCESS_DENY));
};
# Selects messages classified by the rule with id 3 (the "Teardown" pattern in the
# database below). The same unanchored-match caveat applies as for the id "2" filter.
filter f_FIREWALL_CONNECTION_END {
match("3" value(".classifier.rule_id"));
};
# Tab-separated record for connection-teardown events; adds duration and byte count.
template t_FIREWALL_CONNECTION_END {
template("$R_UNIXTIME\t$SOURCEIP\t$FACILITY\t$PROGRAM\t${.classifier.class}\t${.classifier.rule_id}\t${FIREWALL.proto}\t${FIREWALL.o_int}\t${FIREWALL.srcip}\t${FIREWALL.srcport}\t${FIREWALL.i_int}\t${FIREWALL.dstip}\t${FIREWALL.dstport}\t${FIREWALL.conn_duration}\t${FIREWALL.conn_bytes}\t$MSGONLY\n");
};
destination d_FIREWALL_CONNECTION_END {
fifo("/tmp/db_parsed_fifo", template(t_FIREWALL_CONNECTION_END));
};
# Fallback record: the class and rule-id columns are the literal value 1.
# NOTE(review): this template writes "\$FACILITY" where the other two write "$FACILITY";
# whether the backslash changes the expansion is not clear from this post - verify the
# third column of the output.
template t_DEFAULT {
template("$R_UNIXTIME\t$SOURCEIP\t\$FACILITY\t$PROGRAM\t1\t1\t$MSGONLY\n");
};
destination d_default_fifo {
fifo("/tmp/db_parsed_fifo", template(t_DEFAULT));
};
# Single top-level log path fed by s_tcp, with two embedded log paths.
log {
source(s_tcp);
# First branch: run the pattern database, keep only messages whose class is not
# "unknown", then route by rule id to the matching destination.
log {
parser(p_db);
filter(f_not_class_unknown);
log {
filter(f_FIREWALL_ACCESS_DENY);
destination(d_FIREWALL_ACCESS_DENY);
};
log {
filter(f_FIREWALL_CONNECTION_END);
destination(d_FIREWALL_CONNECTION_END);
};
# presumably stops a message that passed this branch from reaching the fallback
# below - confirm. A classified message matching neither rule-id filter would then
# be written nowhere.
flags(final);
};
# Fallback branch: no parser or filter, everything that reaches it goes to the
# default fifo destination.
log {
destination(d_default_fifo);
};
};
var/patterndb.xml:
<patterndb version='1' pub_date='2009-04-16'>
<!-- NOTE(review): the list archive's address obfuscation appears to have rewritten some
     "@" parser delimiters as " at " (e.g. "Deny at QSTRING:" versus "@QSTRING:" on the
     access_group line), and the patterns are hard-wrapped. Treat the patterns below as
     illustrative; they are presumably not loadable verbatim. -->
<!-- The rules carry class='2' and class='3', while the configuration's class filters
     match the strings "security" and "unknown". -->
<program name='FWSM'>
<pattern>%FWSM</pattern>
<!-- Rule 2: firewall "Deny" message; captures protocol, interfaces, source and
     destination address/port, and the access-group name into FIREWALL.* values. -->
<rule id='2' class='2'>
<pattern>Deny at QSTRING:FIREWALL.proto:
@src at QSTRING:FIREWALL.o_int:
:@@IPv4:FIREWALL.srcip:@/@NUMBER:FIREWALL.srcport:@ dst at QSTRING:FIREWALL.i_int:
:@@IPv4:FIREWALL.dstip:@/@NUMBER:FIREWALL.dstport:@ by access-group
@QSTRING:FIREWALL.access_group:"@</pattern>
</rule>
<!-- Rule 3: connection "Teardown" message; additionally captures duration and bytes.
     NOTE(review): the NUMBER parsers for srcport and dstport here end in "@" with no
     preceding ":", unlike rule 2 - confirm this is intended. -->
<rule id='3' class='3'>
<pattern>Teardown at QSTRING:FIREWALL.proto: @connection
@NUMBER::@ for at QSTRING:FIREWALL.o_int: :@@IPv4:FIREWALL.srcip:@
/@NUMBER:FIREWALL.srcport@ to at QSTRING:FIREWALL.i_int:
:@@IPv4:FIREWALL.dstip:@/@NUMBER:FIREWALL.dstport@
duration at QSTRING:FIREWALL.conn_duration:
@bytes @NUMBER:FIREWALL.conn_bytes:@</pattern>
</rule>
</program>
</patterndb>
syslog-ng -V
syslog-ng 3.0.1+binpkg4
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master#555574a984eaef9410a2869db0af1be0d52b269b
Compile-Date: Apr 16 2009 14:42:21
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-Sun-Door: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: on
Enable-SSL: on
Enable-SQL: on
Enable-Linux-Caps: off
Enable-Pcre: on
Should I recompile with memtrace on?
Thanks,
Martin