<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>I fixed the issue with UDP being dropped at the system level by changing the Linux core files, but this time restarting the system; now I know they are missing somewhere between getting to the system and syslog-ng :(<br><br>I'm lost once again...<br><br><div><hr id="stopSpelling">From: chebannedmeagain@hotmail.com<br>To: syslog-ng@lists.balabit.hu<br>Subject: Re: Ubuntu Precise -ng filling out buffer, dropping messages<br>Date: Tue, 29 Apr 2014 09:43:06 -0700<br><br>
<style><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}
.ExternalClass body.ecxhmmessage {
font-size:12pt;
font-family:Calibri;
}
--></style>
<div dir="ltr">Thanks for responding!<br><br>The exact version of syslog-ng is 3.3.4. Here's something you may find of interest.<br><br>1K Messages<br>root@badbox:/proc/net# nc -lku 514 > /tmp/testing123.txt<br>root@goodbox:/proc/sys/net# loggen --inet --dgram --size 500 --rate 1000 --interval 30 badbox.cbf 514<br>average rate = 996.43 msg/sec, count=29893 <--------------- sent<br>root@badbox:/proc/net# cat /tmp/testing123.txt | wc -l<br>24081 <------------ received/processed<br><br>Lower the rate to 150 messages per second:<br>root@goodbox:/proc/sys/net# loggen --inet --dgram --size 500 --rate 150 --interval 30 badbox.cbf 514<br>average rate = 149.03 msg/sec, count=4471 < -------------------- sent<br>root@badbox:/proc/net# cat /tmp/testing123.txt | wc -l<br>4471 < -------------------------- received/processed<br><br>At this point, given the test above, I don't know if this is a system issue or a syslog-ng issue. It seems to be the system, but I really can't tell what.<br><br><br><div>> From: syslog-ng-request@lists.balabit.hu<br>> Subject: syslog-ng Digest, Vol 108, Issue 24<br>> To: syslog-ng@lists.balabit.hu<br>> Date: Tue, 29 Apr 2014 13:25:01 +0200<br>> <br>> Send syslog-ng mailing list submissions to<br>>         syslog-ng@lists.balabit.hu<br>> <br>> To subscribe or unsubscribe via the World Wide Web, visit<br>>         https://lists.balabit.hu/mailman/listinfo/syslog-ng<br>> or, via email, send a message with subject or body 'help' to<br>>         syslog-ng-request@lists.balabit.hu<br>> <br>> You can reach the person managing the list at<br>>         syslog-ng-owner@lists.balabit.hu<br>> <br>> When replying, please edit your Subject line so it is more specific<br>> than "Re: Contents of syslog-ng digest..."<br>> <br>> <br>> Today's Topics:<br>> <br>> 1. Re: Ubuntu Precise -ng filling out buffer, dropping messages<br>> (Gergely Nagy)<br>> 2. [Bug 279] Syslog-ng central logging server seg fault gentoo<br>> (bugzilla@bugzilla.balabit.com)<br>> 3. 
[Bug 279] Syslog-ng central logging server seg fault gentoo<br>> (bugzilla@bugzilla.balabit.com)<br>> 4. Re: Pattern DB Parser "Default Values" (Gergely Nagy)<br>> 5. Re: syslog-ng does not start if destination host not found<br>> (Gergely Nagy)<br>> 6. [Bug 275] lib/filter/filter-in-list.c does not compile under<br>> Solaris 10 (bugzilla@bugzilla.balabit.com)<br>> 7. [Bug 279] Syslog-ng central logging server seg fault gentoo<br>> (bugzilla@bugzilla.balabit.com)<br>> 8. Re: Basic (?) multi line question (Jim Hendrick)<br>> <br>> <br>> ----------------------------------------------------------------------<br>> <br>> Message: 1<br>> Date: Tue, 29 Apr 2014 12:24:09 +0200<br>> From: Gergely Nagy <algernon@balabit.hu><br>> Subject: Re: [syslog-ng] Ubuntu Precise -ng filling out buffer,<br>>         dropping messages<br>> To: syslog-ng@lists.balabit.hu<br>> Message-ID: <87mwf4xwl2.fsf@balabit.hu><br>> Content-Type: text/plain<br>> <br>> Hi!<br>> <br>> Chaman Chakalaka <chebannedmeagain@hotmail.com> writes:<br>> <br>> > I'm trying to process ~800 UDP messages second, which I don't think is<br>> > much. The current setup worked fine in Ubuntu 10.04 (Lucid) and<br>> > syslog-ng 2.6 (I believe). I'm running into what I believe is receive<br>> > buffer problems on Ubuntu Server 12.04 (Precise) w/ ng 3.XX<br>> <br>> First of all, what's the exact version of your syslog-ng? Precise has a<br>> fairly old version, one that's... not exactly the best release. I'd<br>> suggest you give a try to the packages at:<br>> http://asylum.madhouse-project.org/projects/debian/<br>> <br>> I'd suggest the syslog-ng 3.5 branch from there, and see if the problem<br>> persists with an upgraded syslog-ng. 
If it persists, let us know, and<br>> we'll help debug the issue further.<br>> <br>> -- <br>> |8]<br>> <br>> <br>> <br>> ------------------------------<br>> <br>> Message: 2<br>> Date: Tue, 29 Apr 2014 12:25:38 +0200 (CEST)<br>> From: bugzilla@bugzilla.balabit.com<br>> Subject: [syslog-ng] [Bug 279] Syslog-ng central logging server seg<br>>         fault gentoo<br>> To: syslog-ng@lists.balabit.hu<br>> Message-ID: <20140429102538.E2BAC39DC88@lists.balabit.hu><br>> Content-Type: text/plain; charset="UTF-8"<br>> <br>> https://bugzilla.balabit.com/show_bug.cgi?id=279<br>> <br>> <br>> Gergely Nagy <algernon@balabit.hu> changed:<br>> <br>> What |Removed |Added<br>> ----------------------------------------------------------------------------<br>> CC| |algernon@balabit.hu<br>> AssignedTo|bazsi@balabit.hu |algernon@balabit.hu<br>> <br>> <br>> <br>> <br>> -- <br>> Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email<br>> ------- You are receiving this mail because: -------<br>> You are watching all bug changes.<br>> <br>> <br>> ------------------------------<br>> <br>> Message: 3<br>> Date: Tue, 29 Apr 2014 12:29:08 +0200 (CEST)<br>> From: bugzilla@bugzilla.balabit.com<br>> Subject: [syslog-ng] [Bug 279] Syslog-ng central logging server seg<br>>         fault gentoo<br>> To: syslog-ng@lists.balabit.hu<br>> Message-ID: <20140429102908.849C539DC78@lists.balabit.hu><br>> Content-Type: text/plain; charset="UTF-8"<br>> <br>> https://bugzilla.balabit.com/show_bug.cgi?id=279<br>> <br>> <br>> <br>> <br>> <br>> --- Comment #1 from Gergely Nagy <algernon@balabit.hu> 2014-04-29 12:29:08 ---<br>> Without debug symbols, the backtrace is fairly useless for debugging purposes, unfortunately. It would help tremendously if you could reproduce the problem<br>> with a non-stripped binary, so we see the functions in the backtrace.<br>> <br>> Meanwhile, can I ask what config you use on the host where the segmentation fault happened? 
Maybe we can figure something out from that...<br>> <br>> Thanks!<br>> <br>> <br>> -- <br>> Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email<br>> ------- You are receiving this mail because: -------<br>> You are watching all bug changes.<br>> <br>> <br>> ------------------------------<br>> <br>> Message: 4<br>> Date: Tue, 29 Apr 2014 12:41:44 +0200<br>> From: Gergely Nagy <algernon@balabit.hu><br>> Subject: Re: [syslog-ng] Pattern DB Parser "Default Values"<br>> To: syslog-ng@lists.balabit.hu<br>> Cc: Balazs Scheidler <bazsi@balabit.com><br>> Message-ID: <87iopsxvrr.fsf@balabit.hu><br>> Content-Type: text/plain<br>> <br>> David Hauck <davidh@netacquire.com> writes:<br>> <br>> > I was wondering if there was a way to specify default values for<br>> > pattern DB parsers that include a value, but where the parsed value is<br>> > <null>[/empty]?<br>> ><br>> > In particular if I have something like the following:<br>> ><br>> > <pattern>test message; field1=@ESTRING:field1: @field2=@ESTRING:field2: @field3=@ESTRING:: @field4=@ESTRING:field4: @</pattern><br>> ><br>> > I'd like to be able to do something like either, 1:<br>> ><br>> > <pattern>test message; field1=@ESTRING:field1<foo>: @field2=@ESTRING:field2<bar>: @field3=@ESTRING:: @field4=@ESTRING:field4<beef>: @</pattern><br>> ><br>> > Or 2:<br>> ><br>> > <pattern>test message; field1=@ESTRING:field1: @field2=@ESTRING:field2: @field3=@ESTRING:: @field4=@ESTRING:field4: @</pattern><br>> > <values><br>> > <value name="field1.default">foo</value><br>> > <value name="field2.default">bar</value><br>> > <value name="field4.default">beef</value><br>> ><br>> > Just curious...<br>> <br>> You can use ${field1:-foo} in templates, to set a default if none is<br>> set. 
It doesn't work for empty fields, though, but that can be worked<br>> around with an $(if $(length $field1) eq 0 "default" $field1) template,<br>> possibly in a rewrite rule.<br>> <br>> Though, maybe ${field1:-foo} should work for empty values too, not just<br>> unset ones (to mimic shell better, which does just that). I can make it<br>> do so, if that'd be desired, would make it unnecessary to use the $(if)<br>> hack.<br>> <br>> @Bazsi: What do you think?<br>> <br>> -- <br>> |8]<br>> <br>> <br>> <br>> ------------------------------<br>> <br>> Message: 5<br>> Date: Tue, 29 Apr 2014 12:59:56 +0200<br>> From: Gergely Nagy <algernon@balabit.hu><br>> Subject: Re: [syslog-ng] syslog-ng does not start if destination host<br>>         not        found<br>> To: syslog-ng@lists.balabit.hu<br>> Message-ID: <87eh0gxuxf.fsf@balabit.hu><br>> Content-Type: text/plain<br>> <br>> "Bendler, Ehren" <ebendler@ciena.com> writes:<br>> <br>> [...]<br>> > If this is the intended behavior, that's fine too. We can deploy our<br>> > own patch to the afsocket module if it isn't going to be changed in a<br>> > release.<br>> <br>> No, this is definitely not the intended behaviour. Some change between<br>> 3.3.5 and 3.5.7 broke the fix, I'll go ahead and restore the intended<br>> behaviour. 
Thanks for reporting the issue!<br>> <br>> Unfortunately, I can't help with the other issue at the moment, but I'll<br>> try to revisit it later.<br>> <br>> -- <br>> |8]<br>> <br>> <br>> <br>> ------------------------------<br>> <br>> Message: 6<br>> Date: Tue, 29 Apr 2014 13:09:22 +0200 (CEST)<br>> From: bugzilla@bugzilla.balabit.com<br>> Subject: [syslog-ng] [Bug 275] lib/filter/filter-in-list.c does not<br>>         compile under Solaris 10<br>> To: syslog-ng@lists.balabit.hu<br>> Message-ID: <20140429110922.7AD9939DC99@lists.balabit.hu><br>> Content-Type: text/plain; charset="UTF-8"<br>> <br>> https://bugzilla.balabit.com/show_bug.cgi?id=275<br>> <br>> <br>> <br>> <br>> <br>> --- Comment #2 from Gergely Nagy <algernon@balabit.hu> 2014-04-29 13:09:22 ---<br>> I think we can change the code to use find_cr_or_lf(), instead of using getline(), or reimplement something like getline() in terms of find_cr_or_lf() + fgets<br>> (or mmap or something). That would solve the problem without having to add much to misc.c. 
I'll see what I can do.<br>> <br>> <br>> -- <br>> Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email<br>> ------- You are receiving this mail because: -------<br>> You are watching all bug changes.<br>> <br>> <br>> ------------------------------<br>> <br>> Message: 7<br>> Date: Tue, 29 Apr 2014 13:21:01 +0200 (CEST)<br>> From: bugzilla@bugzilla.balabit.com<br>> Subject: [syslog-ng] [Bug 279] Syslog-ng central logging server seg<br>>         fault gentoo<br>> To: syslog-ng@lists.balabit.hu<br>> Message-ID: <20140429112101.BD6F339DCA1@lists.balabit.hu><br>> Content-Type: text/plain; charset="UTF-8"<br>> <br>> https://bugzilla.balabit.com/show_bug.cgi?id=279<br>> <br>> <br>> <br>> <br>> <br>> --- Comment #2 from Martin <hlavacek@gmx.com> 2014-04-29 13:21:02 ---<br>> I thought that I had recompiled syslog with debug symbols because I have added --enable-debug to my ebuild:<br>> <br>> syslog1 ~ # syslog-ng -V<br>> syslog-ng 3.4.7<br>> Installer-Version: 3.4.7<br>> Revision: ssh+git://algernon@git.balabit/var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.4#detached_from_v3.4.3#999a7a6102d40da44b75a2acf78e54244164771f<br>> Compile-Date: Apr 29 2014 13:06:40<br>> Available-Modules:<br>> affile,afprog,afsocket-notls,afsocket-tls,afuser,basicfuncs,confgen,csvparser,dbparser,syslogformat,cryptofuncs,system-source,afamqp,afsocket<br>> Enable-Debug: on <br>> Enable-GProf: off<br>> Enable-Memtrace: off<br>> Enable-IPv6: on<br>> Enable-Spoof-Source: off<br>> Enable-TCP-Wrapper: on<br>> Enable-Linux-Caps: off<br>> Enable-Pcre: on<br>> <br>> You can see that opt "Enable-Debug:" is ON. Is it not enough? 
If not, can you please give me any advice on how I should recompile this binary in a proper way in<br>> gentoo?<br>> <br>> Size of binary is:<br>> syslog1 ~ # ls -lah /usr/sbin/syslog-ng<br>> 16K -rwxr-xr-x 1 root root 15K Apr 29 13:18 /usr/sbin/syslog-ng*<br>> <br>> Configure options by emerge:<br>> ./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share<br>> --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 --disable-silent-rules --disable-dependency-tracking --with-ivykis=internal<br>> --with-libmongo-client=internal --sysconfdir=/etc/syslog-ng --localstatedir=/var/lib/syslog-ng --with-pidfile-dir=/var/run<br>> --with-module-dir=/usr/lib64/syslog-ng --enable-debug --with-systemdsystemunitdir=/usr/lib/systemd/system --disable-systemd --disable-linux-caps<br>> --disable-geoip --enable-ipv6 --disable-json --disable-mongodb --enable-pcre --disable-smtp --disable-spoof-source --disable-sql --enable-ssl<br>> --enable-tcp-wrapper<br>> <br>> <br>> -- <br>> Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email<br>> ------- You are receiving this mail because: -------<br>> You are watching all bug changes.<br>> <br>> <br>> ------------------------------<br>> <br>> Message: 8<br>> Date: Tue, 29 Apr 2014 07:24:58 -0400<br>> From: Jim Hendrick <jrhendri@roadrunner.com><br>> Subject: Re: [syslog-ng] Basic (?) 
multi line question<br>> To: Syslog-ng users' and developers' mailing list<br>>         <syslog-ng@lists.balabit.hu><br>> Message-ID: <535F8C0A.5060104@roadrunner.com><br>> Content-Type: text/plain; charset="iso-8859-1"<br>> <br>> Thanks all for the thoughts -<br>> <br>> I will try to write up some of the patterns and correlations, starting<br>> with the most simple.<br>> <br>> This would (I think) be a valuable addition to track different logs that<br>> have some dynamic id as a key.<br>> <br>> (ultimately I am hoping to parse specific data out of these multi-line<br>> beasties and be able to populate a database directly from syslog-ng)<br>> <br>> I will work on writing this up this week.<br>> <br>> Thanks again!<br>> Jim<br>> <br>> <br>> On 04/29/2014 04:53 AM, Tusa Viktor wrote:<br>> > Hi!<br>> ><br>> > If you know the format of all the messages which possibly contain a<br>> > MID, you can write patterns for them and then you can use correlation<br>> > to extract information from these messages. But it only works with<br>> > special conditions, I think it wouldn't work in your case. But it<br>> > wouldn't be so hard to create such functionality in syslog-ng, so if<br>> > you open a github issue in http://github.com/balabit/syslog-ng, some<br>> > of us will try to make it work.<br>> ><br>> > Best Regards,<br>> > Viktor<br>> ><br>> ><br>> > On Tue, Apr 29, 2014 at 8:14 AM, C. L. Martinez <carlopmart@gmail.com<br>> > <mailto:carlopmart@gmail.com>> wrote:<br>> ><br>> > Hi Jim,<br>> ><br>> > Some time ago, I have tried the same: correlate logs for Ironport<br>> > devices. And my conclusion was: impossible. I lose a lot of info and<br>> > some correlated logs are wrong ...<br>> ><br>> > The only approach that maybe should work with opensource tools, IMO,<br>> > is rsyslog+sec.pl <http://sec.pl>. 
But, as Orangepeel says,<br>> > logstash can be an<br>> > option.<br>> ><br>> > Bye.<br>> ><br>> > On Mon, Apr 28, 2014 at 2:44 PM, <jrhendri@roadrunner.com<br>> > <mailto:jrhendri@roadrunner.com>> wrote:<br>> > > Hmmm - crickets :-)<br>> > ><br>> > > I have some examples like this:<br>> > > <date> <host> <program>: Info: New SMTP ICID [0-9]{9} <rest of<br>> > message><br>> > > <date> <host> <program>: Info: Start MID [0-9]{9} ICID [0-9]{9}<br>> > <rest of message><br>> > > <date> <host> <program>: Info: Start MID [0-9]{9} ICID [0-9]{9}<br>> > <rest of message><br>> > > <date> <host> <program>: Info: Start MID [0-9]{9} ICID [0-9]{9}<br>> > <rest of message><br>> > > <date> <host> <program>: Info: Start MID [0-9]{9} ICID [0-9]{9}<br>> > <rest of message><br>> > > <date> <host> <program>: Info: New SMTP DCID [0-9]{9} <rest of<br>> > message><br>> > > <date> <host> <program>: Info: Message done DCID [0-9]{9} MID<br>> > [0-9]{9} <rest of message><br>> > > <date> <host> <program>: Info: ICID [0-9]{9} close<br>> > ><br>> > > this is only an example to illustrate the different message<br>> > elements that contain different kinds of IDs.<br>> > ><br>> > > The issue is there will be interleaving with *different* ICID<br>> > (inbound connections from different SMTP servers) each sending<br>> > multiple MIDs (message IDs) and also different DCID (destination<br>> > connections *to* different mail relays).<br>> > ><br>> > > I have been looking at multi-line-mode(regexp) but that seems to<br>> > imply all consecutive lines until the next regex match are assumed<br>> > to be part of the same message.<br>> > ><br>> > > I hope I can do something where all matching ICIDs are treated<br>> > as part of one line, that can be parsed separately.<br>> > ><br>> > > Not sure if this is possible with multi-line-mode *or* with some<br>> > patterndb wizardry.<br>> > ><br>> > > Has anyone addressed this?<br>> > ><br>> > > Thanks for any working-examples/guidance/sympathy (in roughly<br>> > 
that order :-)<br>> > ><br>> > > Jim<br>> > ><br>> > ><br>> > ><br>> > ><br>> > > ---- jrhendri@roadrunner.com <mailto:jrhendri@roadrunner.com> wrote:<br>> > >> Hi,<br>> > >><br>> > >> I am trying to parse data elements out of a variable number<br>> > of log lines that all are associated by a single unique key.<br>> > >><br>> > >> Specifically - they are Cisco IronPort email logs that have<br>> > various "ID" fields (MID - message ID is the most common)<br>> > >><br>> > >><br>> > >> Essentially I want to pull the MID out of the line marked:<br>> > >><br>> > >> "Start MID (\d+) <other stuff>"<br>> > >><br>> > >> and then process every line that matches that specific MID<br>> > value as part of the message.<br>> > >><br>> > >> Note: they all have this string included somewhere:<br>> > >><br>> > >> "MID (\d+) "<br>> > >><br>> > >> Up to a reasonable timeout - or ended by:<br>> > >><br>> > >> "Message finished mid (\d+) done" with the matching ID.<br>> > >><br>> > >> Is this possible with syslog-ng? 
(OSE or PE?)<br>> > >><br>> > >> I thought I had seen something using patterndb but I cannot<br>> > seem to find the reference<br>> > >><br>> > >> Clearly there will be interleaved lines with *different* MIDs<br>> > that need to be processed independently.<br>> > >><br>> > >> Thanks in advance!<br>> > >> Jim<br>> > ><br>> > ><br>> > ______________________________________________________________________________<br>> > > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<br>> > > Documentation:<br>> > http://www.balabit.com/support/documentation/?product=syslog-ng<br>> > > FAQ: http://www.balabit.com/wiki/syslog-ng-faq<br>> > ><br>> <br>> ------------------------------<br>> <br>> _______________________________________________<br>> syslog-ng maillist - syslog-ng@lists.balabit.hu<br>> https://lists.balabit.hu/mailman/listinfo/syslog-ng<br>> <br>> <br>> End of syslog-ng Digest, Vol 108, Issue 24<br>> ******************************************<br></div></div></div></div></body>
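The loggen/nc comparison in the thread shows at which rate datagrams go missing but not where they are lost, which is the open question ("system issue or syslog-ng issue"). The script below is an added example, not code from the thread or from the syslog-ng project: it reads the kernel's own UDP drop counters (the Udp: RcvbufErrors line of /proc/net/snmp and the per-socket drops column of /proc/net/udp, both present on Linux 2.6.27 and later) before and after such a run, and compares their delta with the sent-minus-received gap to separate socket-buffer overflow from loss inside the receiving process. The snapshot texts are constructed to mirror the 29893-sent / 24081-received run.

```python
"""Attribute inbound UDP syslog loss to the kernel socket buffer or to the receiver.
Added example, not from the thread: compare /proc/net/snmp 'Udp:' counters and the
per-socket 'drops' column of /proc/net/udp before/after a loggen run against the
gap between datagrams sent and lines the receiving process wrote out."""

# Constructed sample snapshots shaped like the thread's 1000 msg/s run (29893 sent,
# 24081 received): the kernel counters account for every missing datagram.
SNMP_BEFORE = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 100000 3 120 50000 120 0
"""
SNMP_AFTER = SNMP_BEFORE.replace("100000 3 120 50000 120 0", "124081 3 5932 50000 5932 0")
UDP_BEFORE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  42: 00000000:0202 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18231 2 ffff880037e2c000 120
  57: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11002 2 ffff880037e2c400 0
"""
UDP_AFTER = UDP_BEFORE.replace("ffff880037e2c000 120", "ffff880037e2c000 5932")

def parse_snmp_udp(text):
    """Map counter names to values from the two 'Udp:' lines of /proc/net/snmp."""
    udp = [line.split()[1:] for line in text.splitlines() if line.startswith("Udp:")]
    return dict(zip(udp[0], map(int, udp[1])))

def socket_drops(text, port):
    """Sum the 'drops' column of /proc/net/udp over sockets bound to `port` (hex in the file)."""
    total = 0
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if fields and int(fields[1].split(":")[1], 16) == port:
            total += int(fields[-1])
    return total

def diagnose(snmp_before, snmp_after, udp_before, udp_after, sent, received, port=514):
    """Return counter deltas and a verdict on where the sent-minus-received gap was lost."""
    before, after = parse_snmp_udp(snmp_before), parse_snmp_udp(snmp_after)
    rcvbuf = after.get("RcvbufErrors", 0) - before.get("RcvbufErrors", 0)
    drops = socket_drops(udp_after, port) - socket_drops(udp_before, port)
    missing = sent - received
    kernel = max(rcvbuf, drops)  # both counters record the same overflow event
    if missing <= 0:
        verdict = "no loss"
    elif kernel >= missing:
        verdict = "kernel: socket receive buffer overflow (raise net.core.rmem_max / so_rcvbuf())"
    elif kernel > 0:
        verdict = "mixed: part rcvbuf overflow, remainder lost after the socket read"
    else:
        verdict = "receiver: kernel reports no drops, loss is in the reading process"
    return {"missing": missing, "delivered": after["InDatagrams"] - before["InDatagrams"],
            "rcvbuf_errors": rcvbuf, "socket_drops": drops, "verdict": verdict}

def snapshot():
    """Read the live counters (Linux only); call once before and once after loggen."""
    with open("/proc/net/snmp") as snmp, open("/proc/net/udp") as udp:
        return snmp.read(), udp.read()

if __name__ == "__main__":
    print(diagnose(SNMP_BEFORE, SNMP_AFTER, UDP_BEFORE, UDP_AFTER, sent=29893, received=24081))
```

For a live run, take `snapshot()` before starting loggen and again after it finishes, then pass the two pairs to `diagnose()` together with loggen's count and the receiver's line count.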
</html>