<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri, sans-serif" size="2">
<div>After considerable effort, I managed to get 3.3.4 built (using gcc 4.4.2, along with glib 2.29.92 and the requisite eventlog 0.2.12). The problem is that the resulting syslog-ng component grows continuously (at an alarming rate). Whereas my 3.0.5 syslog-ng
process starts out running in just under 3MB, and then stabilizes at about 3.3MB, the 3.3.4 version starts out small, and then at the point where I killed it (about 2 hours after starting it), it had already grown to 277MB.</div>
<div> </div>
<div>I’m doing nothing fancy here (config shown below). No data transformations, no use of time normalization features, no DB components. In short, I’m not trying to use any of the many new/elaborate features that have been added over the past few years.
I’m just “eating log input”, writing it to handful of files and pipes, just like I’ve been doing since the syslog-ng 2.x days.</div>
<div> </div>
<div>As one of the regular problems that I see mentioned in various threads is “some new fix for a memory leak”, I’m just trying to see if there’s some known problem in the virgin 3.3.4 code, that might be causing my problems. (I.E. should I wait for 3.3.5,
and try again?)</div>
<div> </div>
<div>FYI, my environment is Solaris 10 x86. Aside from having moved to the newer gcc compiler (in order to even attempt to compile the latest syslog-ng version), the only other major component change was the newer version of glib, which as I recall, was also
necessary to resolve compilation issues with the new syslog-ng versions.</div>
<div> </div>
<div>Anyway… before I beat my head against the wall trying to figure out what to do next, I figured that I’d ask the easy question (about “known bugs”) first, so that I don’t spend any time chasing a problem that may already be fixed. (I did dig thru the mailing
list, and saw at least one mention of a memory leak in 3.3.4, but it seemed to be related to a specific bit of functionality, that I didn’t think applied in my situation.)</div>
<div> </div>
<div>(And just a side-comment, FWIW, I noticed that when I swapped the 3.3.4 version, for the 3.0.5 version, the host system immediately incurred what I estimate to be at least a 20% high CPU load that had been required by the 3.0.5 version. And when I reverted
back to 3.0.5 a few hours later, I saw that happen in reverse. I’m not sure why the newest version requires more resources, again, when I’m not asking it to do anything new, but it definitely seems that it does.)</div>
<div> </div>
<div>Thanks for your time and input.</div>
<div> </div>
<div>Existing config file shown below. Note that other than the version change, the only other modification (from the file that I was using in 3.0.5) relates to the threading changes, which I made based upon Bazsi’s recommendations in an email on 3/18, about
how to avoid potential data loss on inbound UDP packets.</div>
<div> </div>
<div>Again, thanks for any help/input:</div>
<div>@version:3.3</div>
<div>options { dir_perm(0755); perm(0640); group(wheel); chain_hostnames(no);</div>
<div> keep_hostname(yes); log_fifo_size(41000); threaded(no);</div>
<div> dns_cache_size(5000); dns_cache_expire(86400);</div>
<div> dns_cache_expire_failed(86400); };</div>
<div> </div>
<div>source any_udp { udp(flags(store-legacy-msghdr)); };</div>
<div>source any_tcp { tcp(port(601) max-connections(40)</div>
<div> flags("store-legacy-msghdr", "threaded") use_dns(no)); };</div>
<div> </div>
<div>destination SEC {pipe("/tmp/sec"); };</div>
<div>destination WIN-PIPE {pipe("/tmp/windows"); };</div>
<div>destination routers_log {</div>
<div> file("/var/adm/log/routers.log" create_dirs(yes) flags("threaded")); };</div>
<div>destination ravlin_log {</div>
<div> file("/var/adm/log/ravlin.log" create_dirs(yes) flags("threaded")); };</div>
<div>destination windows_log {</div>
<div> file("/var/adm/log/windows.log" create_dirs(yes) flags("threaded")); };</div>
<div>destination workstation_log {</div>
<div> file("/var/adm/log/workstation.log" create_dirs(yes)</div>
<div> flags("threaded")); };</div>
<div>destination catch-all_log {</div>
<div> file("/var/adm/log/catch-all.log" create_dirs(yes)</div>
<div> flags("threaded")); };</div>
<div>destination test {</div>
<div> file("/var/adm/log/test.log" create_dirs(yes) flags("threaded")); };</div>
<div> </div>
<div>destination dev_null {};</div>
<div> </div>
<div>destination secdevedc01 { udp("10.132.193.245" spoof_source(yes)</div>
<div> flags("threaded")); };</div>
<div>destination engedc01 { udp("10.132.192.199" spoof_source(yes)</div>
<div> flags("threaded")); };</div>
<div>destination egssiem { udp("10.10.36.157" spoof_source(yes)</div>
<div> flags("threaded")); };</div>
<div> </div>
<div>log { source(any_udp); destination(SEC); };</div>
<div>log { source(any_udp); destination(egssiem); };</div>
<div> </div>
<div>filter f_4 { facility(syslog) and level(info..emerg); };</div>
<div>log { source(any_udp); filter(f_4); destination(WIN-PIPE); };</div>
<div>log { source(any_udp); filter(f_4); destination(windows_log); flags(final); };</div>
<div> </div>
<div>filter f_1_acl { facility(local5) and level(debug..emerg)</div>
<div> and match("SEC-6-IPACCESSLOG" value("MESSAGE")) ; };</div>
<div>filter f_1 { facility(local5) and level(debug..emerg); };</div>
<div>log { source(any_udp); filter(f_1_acl); destination(routers_log);</div>
<div> flags(final); };</div>
<div>log { source(any_udp); filter(f_1); destination(engedc01); };</div>
<div>log { source(any_udp); filter(f_1); destination(routers_log); flags(final); };</div>
<div> </div>
<div>filter SonicWallNoise {</div>
<div> match("id=firewall" value("MESSAGE"))</div>
<div> and filter(SonicWallMsgs); };</div>
<div>filter SonicWallMsgs {</div>
<div> match("m=97" value("MESSAGE")) or match("m=98" value("MESSAGE"))</div>
<div> or match("m=537" value("MESSAGE")); };</div>
<div>log { source(any_udp); filter(SonicWallNoise); destination(dev_null);</div>
<div> flags(final); };</div>
<div> </div>
<div>filter f_3 { facility(local0) and level(debug..emerg); };</div>
<div>log { source(any_udp); filter(f_3); destination(ravlin_log); flags(final); };</div>
<div> </div>
<div>log { source(any_tcp); destination(workstation_log); flags(final); };</div>
<div> </div>
<div>log { source(any_udp); destination(catch-all_log); flags(final); };</div>
<div> </div>
<div> </div>
<div> </div>
<div><font face="Arial, sans-serif" size="2">Marvin Nipper</font></div>
<div><font face="Arial, sans-serif" size="2">Director of Security</font></div>
<div><font face="Arial, sans-serif" size="2">Stream Global Services</font></div>
<div><font face="Arial, sans-serif" size="2"><a href="mailto:marvin.nipper@stream.com">mailto:marvin.nipper@stream.com</a></font></div>
<div><font face="Arial, sans-serif" size="2">ph: (303) 670-2705</font></div>
<div><font face="Arial, sans-serif" size="2">PGP Key ID: 0x8EE28551 (DSS/DH)</font></div>
<div><font face="Arial, sans-serif" size="2">8C5D 403A D107 0A95 672B B637 BCF1 919A 8EE2 8551</font></div>
<div> </div>
<div> </div>
</font>
</body>
</html>
<pre>
This e-mail may contain confidential and/or privileged information. If you are
not the intended recipient (or have received this e-mail in error) please
notify the sender immediately and destroy this e-mail. Any unauthorized
copying, disclosure or distribution of the material in this e-mail is strictly
forbidden.