<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style>.EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; }</style>
</head>
<body>
<font face="Calibri, sans-serif" size="2">
<div><font color="#1F497D">Sorry for a second message, but I’ve just noticed a third issue with 3.0.2. Same test scenario as already described.</font></div>
<div><font color="#1F497D"> </font></div>
<div><font color="#1F497D">Here’s a messaged logged on my production 2.0.9 server, and also forwarded to my test server (I’ve removed some of the trailing noise):</font></div>
<div><font color="#1F497D">May 29 16:15:09 fwmil01 [LOG_WARNING] ipsrd[213]: igmp_recv_leave_group: <truncated…..></font></div>
<div><font face="Calibri, sans-serif" color="#1F497D"> </font></div>
<div><font color="#1F497D">When it arrives on my test server, and a 2.0.9 daemon catches it (and writes it to a file), it looks exactly as above, but when 3.0.2 catches it, this is the result:</font></div>
<div><font color="#1F497D">May 29 16:15:09 fwmil01 ipsrd[213]: igmp_recv_leave_group: <truncated…..></font></div>
<div><font face="Calibri, sans-serif" color="#1F497D"> </font></div>
<div><font color="#1F497D">In short, the Severity information has been stripped. Again, in looking at the 3.0 docs, I’m not clear as to any change that would cause this to be stripped out. (It might not be that big a deal to lose that, except that there are
subsequent filters in my system that are looking for that “translated severity” as part of their search.)</font></div>
<div><font color="#1F497D"> </font></div>
<div><font color="#1F497D">Anyway, again, I would appreciate any input as to why 3.x would be doing this, and what configuration change might restore the original content.</font></div>
<div><font color="#1F497D"> </font></div>
<div><font color="#1F497D">THANKS for your help.</font></div>
<div><font face="Calibri, sans-serif" color="#1F497D"> </font></div>
<div><font face="Tahoma, sans-serif" size="2">_____________________________________________<br>
<b>From:</b> Marvin Nipper <br>
<b>Sent:</b> Friday, May 29, 2009 12:08 PM<br>
<b>To:</b> 'syslog-ng@lists.balabit.hu'<br>
<b>Subject:</b> syslog-ng 3.0.2 issues: Extraneous colon (:) in forwarded log; two instances of syslog-ng</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">Hi. I’m been running syslog-ng 2.0.9 for eons, and wanted to get 3.0.2 in place, but have run into two issues.</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">First, the prerequisite info:</font></div>
<div><font face="Calibri, sans-serif">This is on Solaris 10 x86, and I’m running the eventlog-0.2.9 component. It has all compiled cleanly. I’m using the same script to initialize syslog-ng as I was using before. In the conf file, added in some value() parameters
on my filters, in accordance with the 3.0 “warnings”, and added in the @version directive, but other than that, it’s essentially the same (reasonably simple) conf file I was using with my 2.0.9 version of the code.</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">For reference, I’ve appended my conf file at the end of the email.</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">“Generally” syslog-ng, seems to start-up fine, and does feed the output files that I’ve indicated in the conf file. If I didn’t “look too closely”, I would have thought it was all fine, but…</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">My problems:</font></div>
<div><font face="Calibri, sans-serif">As part of my test environment, I’m forwarding data from another (production 2.0.9) server, to my test server, so that I can see how things are working. Here are some (truncated) messages, showing both the original message
(as it looks in the output file on the 2.0.9 server), and the second message being what gets written to the file by the 3.0.2 component:</font></div>
<div><font face="Calibri, sans-serif">Original:</font></div>
<div><font face="Calibri, sans-serif">May 29 09:15:05 10.132.240.25 id=firewall sn=0006B10B2E88 <truncated></font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">Received and written by 3.0.2:</font></div>
<div><font face="Calibri, sans-serif">May 29 09:15:05 10.132.240.25 id=firewall: sn=0006B10B2E88 <truncated></font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">So the “bug” (I assume it to be a bug) is that “colon” that is now sitting just behind the word “firewall”. When my test server is running a 2.0.9 daemon, these two lines match, but the 3.0.2 daemon has inserted that colon.
I can only assume that this is tied to a bug in the filtering activity, because if you look at my conf file, you will see these lines:</font></div>
<div><font face="Calibri, sans-serif">filter SonicWallNoise {</font></div>
<div><font face="Calibri, sans-serif"> match("id=firewall" value("MSG")) and filter(SonicWallMsgs);</font></div>
<div><font face="Calibri, sans-serif">};</font></div>
<div><font face="Calibri, sans-serif">Bottom line, I am doing a filter that happens to “match on” that exact “firewall” string, and it seems like more than just coincidence that this is the exact location where that unwanted colon now appears. It seems like
that filtering process has somehow injected that character into the output. (Maybe I’m just missing some “new functionality or feature” in the 3.0 docs, that would intentionally cause this?)</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">Anyway… I’m obviously looking for any input as to why this is different, and/or how to fix it (or even just work-around the problem until it is fixed).</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">And secondly, as my subject line implies, when I run my “/etc/init.d/syslog-ng start” scripting (the same one I’ve always used), I find, right away, that I now have two instances of syslog-ng running. I saw a bug report
from back in 2006, mentioning a similar behavior that was related to (I think) syslog-ng restarting itself, but that was supposedly fixed. I’m ass-u-me-ing that something is now causing the daemon to restart itself, but again, when I run my 2.0.9 code on place
of the 3.0.2 code, I get just the one copy running.</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">Again, I’m looking for any guidance as to something that might be driving that behavior (and as I said, maybe it’s just something stupid on my part, because I’m missing something “new” in the 3.0 behavior).</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">Thanks, in advance, for any help and/or guidance as to what these issues might be. I’m glad to provide further information if it will help.</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Arial, sans-serif" size="2">Marvin Nipper</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">syslog-ng.conf:</font></div>
<div><font face="Calibri, sans-serif">@version:3.0</font></div>
<div><font face="Calibri, sans-serif">options { dir_perm(0755); perm(0600); chain_hostnames(no);</font></div>
<div><font face="Calibri, sans-serif"> keep_hostname(yes); log_fifo_size(1000);</font></div>
<div><font face="Calibri, sans-serif"> dns_cache_size(5000); dns_cache_expire(86400);</font></div>
<div><font face="Calibri, sans-serif"> dns_cache_expire_failed(86400); };</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">source any_udp { udp(); };</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">source any_tcp { tcp(port(601)); };</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">destination SEC {pipe("/tmp/sec"); };</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">destination routers_log {</font></div>
<div><font face="Calibri, sans-serif"> file("/var/adm/log/routers.log" create_dirs(yes));</font></div>
<div><font face="Calibri, sans-serif">};</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">destination ravlin_log {</font></div>
<div><font face="Calibri, sans-serif"> file("/var/adm/log/ravlin.log" create_dirs(yes));</font></div>
<div><font face="Calibri, sans-serif">};</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">destination windows_log {</font></div>
<div><font face="Calibri, sans-serif"> file("/var/adm/log/windows.log" create_dirs(yes));</font></div>
<div><font face="Calibri, sans-serif">};</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">destination workstation_log {</font></div>
<div><font face="Calibri, sans-serif"> file("/var/adm/log/workstation.log" create_dirs(yes));</font></div>
<div><font face="Calibri, sans-serif">};</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">destination catch-all_log {</font></div>
<div><font face="Calibri, sans-serif"> file("/var/adm/log/catch-all.log" create_dirs(yes));</font></div>
<div><font face="Calibri, sans-serif">};</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">destination test {</font></div>
<div><font face="Calibri, sans-serif"> file("/var/adm/log/test.log" create_dirs(yes));</font></div>
<div><font face="Calibri, sans-serif">};</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">destination dev_null {};</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">filter f_4 { facility(syslog) and level(info..emerg); };</font></div>
<div><font face="Calibri, sans-serif">log { source(any_udp); filter(f_4); destination(windows_log); flags(final); };</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">filter f_1 { facility(local5) and level(debug..emerg); };</font></div>
<div><font face="Calibri, sans-serif">log { source(any_udp); filter(f_1); destination(routers_log); flags(final); };</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">filter SonicWallNoise {</font></div>
<div><font face="Calibri, sans-serif"> match("id=firewall" value("MSG")) and filter(SonicWallMsgs);</font></div>
<div><font face="Calibri, sans-serif">};</font></div>
<div><font face="Calibri, sans-serif">filter SonicWallMsgs {</font></div>
<div><font face="Calibri, sans-serif"> match("m=97" value("MSG")) or match("m=98" value("MSG")) or match("m=537" value("MSG"));</font></div>
<div><font face="Calibri, sans-serif">};</font></div>
<div><font face="Calibri, sans-serif">log { source(any_udp); filter(SonicWallNoise); destination(dev_null); flags(final); };</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">filter f_3 { facility(local0) and level(debug..emerg); };</font></div>
<div><font face="Calibri, sans-serif">log { source(any_udp); filter(f_3); destination(ravlin_log); flags(final); };</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">log { source(any_tcp); destination(workstation_log); flags(final); };</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">log { source(any_udp); destination(catch-all_log); flags(final); };</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
</font>
</body>
</html>
<pre>
This e-mail may contain confidential and/or privileged information. If you are
not the intended recipient (or have received this e-mail in error) please
notify the sender immediately and destroy this e-mail. Any unauthorized
copying, disclosure or distribution of the material in this e-mail is strictly
forbidden.