I'm running tests with the db-parser() parser module and finding that the memory grows exponentially until the program finally dies with:

***MEMORY-ERROR***: syslog-ng[2769]: GSlice: failed to allocate 248 bytes (alignment: 256): Cannot allocate memory

Here is my configuration:

@version: 3.0

options {
};

source s_tcp {
    tcp(ip(0.0.0.0) port(445));
};

parser p_db {
    db-parser();
};

filter f_security_class {
    match("security" value(".classifier.class"));
};

filter f_class_unknown {
    match("unknown" value(".classifier.class"));
};

filter f_not_class_unknown {
    not match("unknown" value(".classifier.class"));
};

filter f_FIREWALL_ACCESS_DENY {
    match("2" value(".classifier.rule_id"));
};
template t_FIREWALL_ACCESS_DENY {
    template("$R_UNIXTIME\t$SOURCEIP\t$FACILITY\t$PROGRAM\t${.classifier.class}\t${.classifier.rule_id}\t${FIREWALL.proto}\t${FIREWALL.o_int}\t${FIREWALL.srcip}\t${FIREWALL.srcport}\t${FIREWALL.i_int}\t${FIREWALL.dstip}\t${FIREWALL.dstport}\t${FIREWALL.access_group}\t${FWSM.PRIORITY}\t${FWSM.MSG_CODE}\t${MSGONLY}\n");
};
destination d_FIREWALL_ACCESS_DENY {
    fifo("/tmp/db_parsed_fifo", template(t_FIREWALL_ACCESS_DENY));
};

filter f_FIREWALL_CONNECTION_END {
    match("3" value(".classifier.rule_id"));
};
template t_FIREWALL_CONNECTION_END {
    template("$R_UNIXTIME\t$SOURCEIP\t$FACILITY\t$PROGRAM\t${.classifier.class}\t${.classifier.rule_id}\t${FIREWALL.proto}\t${FIREWALL.o_int}\t${FIREWALL.srcip}\t${FIREWALL.srcport}\t${FIREWALL.i_int}\t${FIREWALL.dstip}\t${FIREWALL.dstport}\t${FIREWALL.conn_duration}\t${FIREWALL.conn_bytes}\t$MSGONLY\n");
};
destination d_FIREWALL_CONNECTION_END {
    fifo("/tmp/db_parsed_fifo", template(t_FIREWALL_CONNECTION_END));
};

template t_DEFAULT {
    template("$R_UNIXTIME\t$SOURCEIP\t\$FACILITY\t$PROGRAM\t1\t1\t$MSGONLY\n");
};

destination d_default_fifo {
    fifo("/tmp/db_parsed_fifo", template(t_DEFAULT));
};

log {
    source(s_tcp);
    log {
        parser(p_db);
        filter(f_not_class_unknown);
        log {
            filter(f_FIREWALL_ACCESS_DENY);
            destination(d_FIREWALL_ACCESS_DENY);
        };
        log {
            filter(f_FIREWALL_CONNECTION_END);
            destination(d_FIREWALL_CONNECTION_END);
        };
        flags(final);
    };
    log {
        destination(d_default_fifo);
    };
};

var/patterndb.xml:

<patterndb version='1' pub_date='2009-04-16'>
<program name='FWSM'>
    <pattern>%FWSM</pattern>
    <rule id='2' class='2'>
        <pattern>Deny@QSTRING:FIREWALL.proto: @src@QSTRING:FIREWALL.o_int: :@@IPv4:FIREWALL.srcip:@/@NUMBER:FIREWALL.srcport:@ dst@QSTRING:FIREWALL.i_int: :@@IPv4:FIREWALL.dstip:@/@NUMBER:FIREWALL.dstport:@ by access-group @QSTRING:FIREWALL.access_group:"@</pattern>
    </rule>
    <rule id='3' class='3'>
        <pattern>Teardown@QSTRING:FIREWALL.proto: @connection @NUMBER::@ for@QSTRING:FIREWALL.o_int: :@@IPv4:FIREWALL.srcip:@/@NUMBER:FIREWALL.srcport@ to@QSTRING:FIREWALL.i_int: :@@IPv4:FIREWALL.dstip:@/@NUMBER:FIREWALL.dstport@ duration@QSTRING:FIREWALL.conn_duration: @bytes @NUMBER:FIREWALL.conn_bytes:@</pattern>
    </rule>
</program>
</patterndb>

syslog-ng -V
syslog-ng 3.0.1+binpkg4
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master#555574a984eaef9410a2869db0af1be0d52b269b
Compile-Date: Apr 16 2009 14:42:21
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-Sun-Door: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: on
Enable-SSL: on
Enable-SQL: on
Enable-Linux-Caps: off
Enable-Pcre: on

Should I recompile with memtrace on?

Thanks,

Martin