<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html><body style='font-size: 10pt'>
<p>Dear all</p>
<p> </p>
<p>I need to perform following architecture:</p>
<ul>
<li>Serveur: Syslog NG</li>
<li>client: Kind of IDS device/solution ( Stormshield)</li>
<li>Port used: TCP/514</li>
</ul>
<p> </p>
<p>Problem: When I run syslog on client</p>
<ul>
<li>none suitable directory is created on serveur</li>
<li>I see flow arrives on serveur by using whireshark</li>
</ul>
<p>Please, could you help me to fixe this issue</p>
<p>Regards</p>
<p> </p>
<p>Simon</p>
<p>Le 2014-12-18 22:58, Tibor Benke a écrit :</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><!-- html ignored --><!-- head ignored --><!-- meta ignored -->
<div dir="ltr">
<div class="gmail_extra">The patch seems to work, I sent a PR.</div>
<div class="gmail_extra"> </div>
<div class="gmail_extra"><a href="https://github.com/balabit/syslog-ng/pull/359">https://github.com/balabit/syslog-ng/pull/359</a></div>
<div class="gmail_extra"><br />
<div class="gmail_quote">2014-12-18 8:48 GMT+01:00 Tibor Benke <span><<a href="mailto:ihrwein@gmail.com">ihrwein@gmail.com</a>></span>:
<blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: #cccccc; border-left-style: solid; padding-left: 1ex;">
<div dir="ltr">You can find the patch on this branch:
<div> </div>
<a href="https://github.com/ihrwein/syslog-ng/tree/f/fix-redis-memleak">https://github.com/ihrwein/syslog-ng/tree/f/fix-redis-memleak</a>
<div> </div>
<div> </div>
</div>
<div>
<div class="h5">
<div class="gmail_extra"><br />
<div class="gmail_quote">2014-12-18 3:11 GMT+01:00 Jim Hendrick <span><<a href="mailto:jrhendri@roadrunner.com">jrhendri@roadrunner.com</a>></span>:
<blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: #cccccc; border-left-style: solid; padding-left: 1ex;">
<div>
<div>I will certainly try.</div>
<div> </div>
<div>Send me a link, and Thanks!</div>
<div> </div>
<div> </div>
<div> </div>
<div>
<div style="font-size: 9px; color: #575757;">Sent from my Verizon Wireless 4G LTE smartphone</div>
</div>
<div>
<div>
<div> </div>
<br /><br />-------- Original message --------<br />From: Tibor Benke <<a href="mailto:ihrwein@gmail.com">ihrwein@gmail.com</a>> <br />Date:12/17/2014 5:42 PM (GMT-05:00) <br />To: Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>> <br />Cc: <a href="mailto:wernli@in2p3.fr">wernli@in2p3.fr</a>, <a href="mailto:jrhendri@roadrunner.com">jrhendri@roadrunner.com</a> <br />Subject: Re: [syslog-ng] syslog-ng memory usage grows <br /><br />
<div dir="ltr">Hi All,
<div> </div>
<div>I checked your valgrind log and the redis module and I think the leak is in redis.c:137:</div>
<div> </div>
<div> redisCommand(self->c, "ping"); </div>
<div> </div>
<div>This returns a reply object, but it's ignored and never freed. </div>
<div> </div>
<div>If we make a patch on GitHub, could you test it?</div>
<div> </div>
<div>Regards,</div>
<div>Tibor</div>
</div>
<div class="gmail_extra"><br />
<div class="gmail_quote">2014-12-17 18:36 GMT+01:00 <span><<a href="mailto:jrhendri@roadrunner.com">jrhendri@roadrunner.com</a>></span>:
<blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: #cccccc; border-left-style: solid; padding-left: 1ex;">Hi Fabien,<br /><br /> Hope the season is treating you well.<br /><br /> I ran syslog-ng for 10 minutes (recall, ~7000 EPS incoming) under valgrind and here is the output (attached).<br /><br /> It looks like there is some sort of leak as the process from yesterday had grown to over 16GB before I stopped it for the valgrind test.<br /><br /> Thanks for the help (as always).<br /><br /> And please let me know if I can provide any other data.<br /><span><span style="color: #888888;"><br /> Jim<br /></span></span>
<div>
<div><br /><br /><br /> ---- Fabien Wernli <<a href="mailto:wernli@in2p3.fr">wernli@in2p3.fr</a>> wrote:<br /> > Hi Jim,<br /> ><br /> > On Tue, Dec 16, 2014 at 01:24:28PM -0500, Jim Hendrick wrote:<br /> > > I'm not sure what I am asking, other than general advice on:<br /> > > - performance using patterndb<br /> ><br /> > performance is awesome, I wouldn't worry about it<br /> > although it would help to have some counters on the parsers in the stats<br /> > interface. That bieng said, it could help you to increase the stats level.<br /> ><br /> > > - performance using redis destination<br /> ><br /> > I can't comment on that one, sorry<br /> ><br /> > > - advice on debugging where this memory growth is happening<br /> ><br /> > Could you run syslog-ng inside `valgrind --tool=memcheck<br /> > --trace-children=yes --leak-check=yes`?<br /> ><br /> > The problem is this will really slow down your instance, but let it run a<br /> > few minutes nevertheless and pastebin the result somewhere.<br /> ><br /> > > As a rough measure - I have a syslog-ng process that has been running for<br /> > > less than 3 hours and right now is using 1.52GB of resident memory (shown by<br /> > > "top")<br /> ><br /> > I'm suspecting `format-json` to be the source of the leak, or the flow<br /> > control cache. These have been the leak source of our own observations many<br /> > times, although many patches have solved the issues.<br /> ><br /> > > (I would rather parse things in syslog-ng, but I *could* do this all using<br /> > > logstash/grok if this proves too much for patterndb at this load)<br /> ><br /> > if you're worried about performance, I wouldn't even consider to begin thinking about comparing<br /> > LS/grok to patterndb<br /> ><br /> > ______________________________________________________________________________<br /> > Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br /> > Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br /> > FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a><br /> ></div>
</div>
<br />______________________________________________________________________________<br /> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br /> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br /> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a><br /><br /><br /></blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br />
<pre>______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
<p> </p>
<div>
<pre>-- <br />Bien cordialement, Kind Regards
HIFA, Chairman
32 rue de la République 92190 MEUDON - FRANCE
Phone: +33 1 46 31 44 25
Mobile: +33 6 11 30 36 57
email: simon.obounou@hifa.biz</pre>
</div>
</body></html>