<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hello all,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Wondering if someone could help me with an issue I’ve run into recently regarding the program destination in syslog-ng and a python script I wrote to automate parsing log events sent over from our Web Application firewall. For some months
now, the script and syslog-ng configuration were working swimmingly but then things recently started to stop working and now the script refuses to remain up and forwarding as expected.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">First, here is what the destination looks like in my syslog-ng conf. The general flow here being ASM events are generated on the firewall (for whatever purpose), they get sent over to syslog-ng and my python script then parses these logs
and sends them over to another server running ElasticSearch using the python requests library. This takes place within the context of an infinite loop in my script – wait for a log event to come in, execute, go back to waiting, and so forth.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><i>destination asm_post {<o:p></o:p></i></p>
<p class="MsoNormal"><i> program("python -u /home/data/asm_logs/asmlogPost.py" flush_lines(1) flags(no_multi_line));<o:p></o:p></i></p>
<p class="MsoNormal"><i>};<o:p></o:p></i></p>
<p class="MsoNormal">I’ve specified the following flags based off other help forums that suggested this would help to address the stdin buffer flushing issue sometimes encountered with syslog-ng and python scripts. There are no filters being applied here.<o:p></o:p></p>
<p class="MsoNormal"><i><o:p> </o:p></i></p>
<p class="MsoNormal"><i>source(sn_asm);<o:p></o:p></i></p>
<p class="MsoNormal"><i>destination(asm_post);<o:p></o:p></i></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Now, my asmLogPost.py script is set up to always read in standard input through an infinite loop as various best practice syslog-ng sources have recommended. Here’s an excerpt of where the reading in happens - encapsulated within the context
of a try/exception clause:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><i>import os<o:p></o:p></i></p>
<p class="MsoNormal"><i>import sys<o:p></o:p></i></p>
<p class="MsoNormal"><i><o:p> </o:p></i></p>
<p class="MsoNormal"><i>try:<o:p></o:p></i></p>
<p class="MsoNormal"><i>&nbsp;&nbsp;&nbsp;&nbsp;while 1:<o:p></o:p></i></p>
<p class="MsoNormal"><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;line = sys.stdin.readline()<o:p></o:p></i></p>
<p class="MsoNormal"><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# ...read in the log event; parsing and POSTing to the other box execute inside the infinite loop... after each POST it goes back and waits to read in the next line<o:p></o:p></i></p>
<p class="MsoNormal"><i>except Exception as e:<o:p></o:p></i></p>
<p class="MsoNormal"><i>&nbsp;&nbsp;&nbsp;&nbsp;# ...exception handling block to catch any errors and write them to a file...<o:p></o:p></i></p>
<p class="MsoNormal"><i>&nbsp;&nbsp;&nbsp;&nbsp;# open() does not expand '~' itself, so build the path explicitly<o:p></o:p></i></p>
<p class="MsoNormal"><i>&nbsp;&nbsp;&nbsp;&nbsp;f = open(os.path.expanduser('~/error.txt'), 'ab')<o:p></o:p></i></p>
<p class="MsoNormal"><i>&nbsp;&nbsp;&nbsp;&nbsp;f.write('Error happened, here are the details - %s\n' % str(e))<o:p></o:p></i></p>
<p class="MsoNormal"><i>&nbsp;&nbsp;&nbsp;&nbsp;f.close()<o:p></o:p></i></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As was said earlier, this has all worked out fine and dandy for quite some time (and I haven’t made any alterations to my script for about a month or so). But just recently, syslog-ng now appears to be caught in a loop where it constantly
stops, starts, and restarts my script continuously such that it can’t log anything anymore sufficiently. Also the PID is constantly changing for my script whenever I do a ps -aef command, which would indicate that a new instance is constantly being spun up
by syslog-ng.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Not only that, but there appear to be the following messages sprouting up in /var/log/messages constantly as well, which I think is due to syslog-ng always restarting my script.<o:p></o:p></p>
<p class="MsoNormal"><i>Sep 25 16:28:57 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory<o:p></o:p></i></p>
<p class="MsoNormal"><i>Sep 25 16:28:57 sysa03 abrt: detected unhandled Python exception in '/home/data/asm_logs/asmlogPost.py'<o:p></o:p></i></p>
<p class="MsoNormal"><i>Sep 25 16:28:57 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory<o:p></o:p></i></p>
<p class="MsoNormal"><i>Sep 25 16:28:57 sysa03 abrt: detected unhandled Python exception in '/home/data/asm_logs/asmlogPost.py'<o:p></o:p></i></p>
<p class="MsoNormal"><i>Sep 25 16:28:57 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory<o:p></o:p></i></p>
<p class="MsoNormal"><i>Sep 25 16:28:57 sysa03 abrt: detected unhandled Python exception in '/home/data/asm_logs/asmlogPost.py'<o:p></o:p></i></p>
<p class="MsoNormal"><i>Sep 25 16:28:57 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory<o:p></o:p></i></p>
<p class="MsoNormal"><i>Sep 25 16:28:57 sysa03 abrt: detected unhandled Python exception in '/home/data/asm_logs/asmlogPost.py'<o:p></o:p></i></p>
<p class="MsoNormal"><i>Sep 25 16:28:57 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory<o:p></o:p></i></p>
<p class="MsoNormal"><i>Sep 25 16:28:57 sysa03 abrt: detected unhandled Python exception in '/home/data/asm_logs/asmlogPost.py'<o:p></o:p></i></p>
<p class="MsoNormal"><i>Sep 25 16:28:57 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory<o:p></o:p></i></p>
<p class="MsoNormal"><i>Sep 25 16:28:58 sysa03 abrt: detected unhandled Python exception in '/home/data/asm_logs/asmlogPost.py'<o:p></o:p></i></p>
<p class="MsoNormal"><i>Sep 25 16:28:58 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory<o:p></o:p></i></p>
<p class="MsoNormal"><i>Sep 25 16:28:58 sysa03 abrt: detected unhandled Python exception in '/home/data/asm_logs/asmlogPost.py'<o:p></o:p></i></p>
<p class="MsoNormal"><i>Sep 25 16:28:58 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory<o:p></o:p></i></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">But the thing is, there are no exceptions or error files being generated by my script even though these messages seem to say this is happening…if there were, my script should catch this and write it down. Besides, it did use to do this initially
as I was developing my script, but it would never halt overall execution or cause syslog-ng to tear it down; it would just write out to an error.txt file within the same directory.
<o:p></o:p></p>
<p class="MsoNormal"><i><o:p> </o:p></i></p>
<p class="MsoNormal">Can anyone offer any insight here? I’ll admit I’m not familiar with how the ABRT daemon functions and if it and syslog-ng are somehow related here or not. And I’m pretty confident that there’s nothing wrong with my script as I am able to
execute its current version just fine from a shell prompt – it can send over the log event and everything parsed as expected with no errors. I’m kind of at a dead end, going through my script and these log messages, trying to restart syslog-ng to refresh,
trying to place debug log statements before the “while 1:” loop, trying to move the while 1: loop to be outside the try/exception clause, but not much of this seems to be helping so far.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Many Thanks,<o:p></o:p></p>
<p class="MsoNormal">Andrew <o:p></o:p></p>
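<p class="MsoNormal">Wrapping the whole while loop in a single try/except means any one failure ends the loop and the process exits, at which point syslog-ng's program() destination starts a fresh instance; the reader below, an added example and not Andrew's script or syslog-ng's code, handles each line on its own, ends cleanly when stdin hits EOF, and builds the error-file path explicitly. The key=value event format, the ES_URL variable and the error-file location are assumptions.<o:p></o:p></p>

```python
import os
import sys
# Hypothetical location; the original keeps error.txt next to the script.
ERROR_FILE = os.path.join(os.path.dirname(os.path.abspath(__file__)), "error.txt")

def log_error(message):
    """Append one diagnostic line; a failure here must not raise."""
    try:
        with open(ERROR_FILE, "a") as fh:
            fh.write(message + "\n")
    except OSError:
        sys.stderr.write(message + "\n")  # syslog-ng keeps the child's stderr in its own log

def parse_event(line):
    """Turn one 'key=value, key=value' line (constructed format) into a dict."""
    fields = {}
    for token in line.strip().split(","):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("malformed token %r" % token)
        fields[key.strip()] = value.strip()
    return fields

def process_stream(stream, post, on_error=log_error):
    """Read until EOF and return (posted, errors). A bad line or refused POST is
    reported and skipped, not fatal; readline() returns '' only when syslog-ng
    closes the pipe, so we leave the loop then instead of spinning forever."""
    posted = errors = 0
    while True:
        line = stream.readline()
        if line == "":
            break
        try:
            post(parse_event(line))
            posted += 1
        except Exception as exc:  # per-line failure: record it, keep reading
            errors += 1
            on_error("could not handle %r: %s" % (line.strip(), exc))
    return posted, errors

def main():
    import requests  # as in the original script; the URL is an assumption
    url = os.environ.get("ES_URL", "http://localhost:9200/asm/_doc")
    post = lambda event: requests.post(url, json=event, timeout=10).raise_for_status()
    posted, errors = process_stream(sys.stdin, post)
    log_error("stdin closed: %d posted, %d errors" % (posted, errors))

if __name__ == "__main__":
    main()
```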
</div>
</body>
</html>