syslog-ng
October 2017
- 28 participants
- 23 discussions
05 Oct '17
Hello
I have syslog-ng 3.7 installed on a CentOS7 Server with 4G RAM and 4 CPU.
The server is receiving logs from almost 300 devices, both network devices (UDP) and servers (TCP).
The problem I have is the following: to reduce incoming traffic on initial two NICs I added two more NICs to the server, where I sent some UDP devices and it worked immediately, without any issue.
But when I restarted network services (systemctl restart network) the devices stopped logging; they restarted only after I resent them to the initial NIC, without any other action on the syslog-ng server.
When I started syslog-ng in debug mode to verify this behavior I saw that these devices ARE NOT considered by syslog-ng at all, they are not present in logs generated by debug, but they REACH the server (tcpdump shows them entering).
I'm getting mad about this issue, any suggestion will be welcome.
Following my configuration files:
- /etc/syslog-ng/syslog-ng.conf
# Note: it also sources additional configuration files (*.conf)
# located in /etc/syslog-ng/conf.d/
options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (persist_only);
    dns-cache-hosts(/etc/hosts);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (yes);
    owner ("1007");
    group ("1007");
    dir_owner ("1007");
    dir_group ("1007");
    dir_perm (0750);
};
source s_sys {
    system();
    internal();
    # udp(ip(0.0.0.0) port(514));
};
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };
destination d_auth_loc { network ("127.0.0.1" port (601) ); };
filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
                   not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
                (facility(news)
                 and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };
#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); destination(d_auth_loc); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
- /etc/syslog-ng/conf.d/network_dev.conf
source s_network_appa
{
    network ( ip(0.0.0.0) port (514) transport ("udp") so-rcvbuf (4096000) );
};
# Destinations
destination d_network_udp { file("/var/log/syslog-ng/APPARATI/${YEAR}${MONTH}${DAY}/${HOST}/${YEAR}${MONTH}${DAY}_hh${HOUR}_${HOST}" create_dirs(yes) dir_perm(0755) perm(0755) ) ; };
filter f_appa_rete {
    not host ("SymantecServer") and not host ("part8") and not host ("parti") and not host ("partd")
    and not host ("part1") and not host ("parte") and not host ("part10") and not host ("part11")
    and not host ("part12") and not host ("part3") and not host ("part6") and not host ("part8")
    and not host ("part9") and not host ("parta") and not host ("partc") and not host ("partd")
    and not host ("partf") and not host ("partg") and not host ("parth") and not host ("partn")
    and not host ("parto")
    and not host ("SLITES8736.sercom.aspasiel.it") and not host ("172.23.112.47")
    and not host ("SLITES4557.sercom.aspasiel.it") and not host ("172.23.X.Y")
    and not host ("SLITES4558.sercom.aspasiel.it") and not host ("172.23.X.Y")
    and not host ("SLITES4559.sercom.aspasiel.it") and not host ("172.23.X.Y")
    and not host ("SLITES4560.sercom.aspasiel.it") and not host ("172.23.X.Y")
    and not host ("SLITES8731.sercom.aspasiel.it") and not host ("172.23.X.Y")
    and not host ("SLITES8732.sercom.aspasiel.it") and not host ("172.23.X.Y")
    and not host ("SLITES8733.sercom.aspasiel.it") and not host ("172.23.X.Y")
    and not host ("SLITES8734.sercom.aspasiel.it") and not host ("172.23.X.Y")
    and not host ("SLITES8735.sercom.aspasiel.it") and not host ("172.23.X.Y")
    and not host ("slitdd2727");
};
log { source(s_network_appa); filter(f_appa_rete); destination(d_network_udp); };
- /etc/syslog-ng/conf.d/server_TCP.conf
source s_server_sop
{
    network ( ip(0.0.0.0) port(601) transport("tcp") max-connections(200) log_fetch_limit(100) log_iw_size(20000) );
};
destination d_server_sop
{
    file("/var/log/syslog-ng/SERVER/${YEAR}${MONTH}${DAY}/${HOST}/${YEAR}${MONTH}${DAY}_hh${HOUR}_${HOST}" create_dirs(yes) dir_perm(0755) perm(0755) flush_lines(100) );
};
# Route to the destinations.
log { source(s_server_sop); destination(d_server_sop); flags(flow-control); };
I changed the following kernel parameters as follows:
net.core.rmem_max = 4096000
net.core.wmem_max = 4096000
Thanks in advance
Francesco Vincenti
RHCSA Area Data Center Open Source, Quality and Security
Aspasiel Divisione della Società
Acciai Speciali Terni S.p.A. con Unico Socio
Strada di Pentima, 3 - 05100 Terni
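One way to narrow down the symptom in the message above (datagrams visible in tcpdump but never seen by syslog-ng), as an added example that is not part of the original post: compare two snapshots of the kernel's UDP counters to see whether the UDP layer itself is discarding them. The function names and the sample snapshots are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): compare two snapshots of the kernel's
# "Udp:" counters, in /proc/net/snmp format, to see whether datagrams that
# tcpdump shows on the wire are being discarded at the UDP layer.

# udp_counter FILE NAME: print the value of counter NAME (0 if absent).
udp_counter() {
    awk -v want="$2" '
        $1 == "Udp:" && !hdr { for (i = 2; i <= NF; i++) col[$i] = i; hdr = 1; next }
        $1 == "Udp:"         { print ((want in col) ? $(col[want]) : 0); exit }
    ' "$1"
}

# udp_delta BEFORE AFTER NAME: growth of counter NAME between the snapshots.
udp_delta() {
    echo $(( $(udp_counter "$2" "$3") - $(udp_counter "$1" "$3") ))
}

# classify_udp_loss BEFORE AFTER: print a one-word verdict.
#   rcvbuf-overflow    the socket receive buffer was full; so-rcvbuf() is
#                      capped by net.core.rmem_max
#   no-listener        no socket was bound to the destination address/port
#   no-udp-layer-drop  UDP discarded nothing; look earlier in the path
#                      (packet filter, routing checks) or later (filters
#                      in the syslog-ng configuration)
classify_udp_loss() {
    if [ "$(udp_delta "$1" "$2" RcvbufErrors)" -gt 0 ]; then
        echo rcvbuf-overflow
    elif [ "$(udp_delta "$1" "$2" NoPorts)" -gt 0 ]; then
        echo no-listener
    else
        echo no-udp-layer-drop
    fi
}

# Constructed sample snapshots (values invented for the example).
UDP_HDR="Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti"
sample_before()         { echo "$UDP_HDR"; echo "Udp: 901200 14 0 3100 0 0 0 0"; }
sample_after()          { echo "$UDP_HDR"; echo "Udp: 905700 14 0 3110 0 0 0 0"; }
sample_after_overflow() { echo "$UDP_HDR"; echo "Udp: 905700 14 380 3110 380 0 0 0"; }

# On a live host the snapshots would come from:
#   cat /proc/net/snmp > before; sleep 60; cat /proc/net/snmp > after
tmp=$(mktemp -d)
sample_before > "$tmp/before"
sample_after > "$tmp/after"
echo "InDatagrams +$(udp_delta "$tmp/before" "$tmp/after" InDatagrams):" \
     "$(classify_udp_loss "$tmp/before" "$tmp/after")"
rm -rf "$tmp"
```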
Re: [syslog-ng] Cross-compiling syslog-ng 3.11.1 for an embedded application.
by Chris_Johnson@trendmicro.com 04 Oct '17
I had similar issues when I first started using syslog-ng (I think we started with v2.8) in our embedded system. Specifically we were using SVN for source code control and the automated ‘build’ would do a fresh checkout every time. This screwed up the timestamps on the source files and syslog-ng was trying to rebuild files that really didn’t need it. My solution was to add a section to my Makefile that would ‘touch’ the relevant files to avoid this problem (also, the utilities syslog-ng uses were a newer version of the same utilities used elsewhere in our build, and each would break the other; so we couldn’t just let them be rebuilt every time).
Definitions for vars used in the Makefile:
# define ROOTDIR if undefined (RELPATH is where we *know* this Makefile is located under ROOTDIR)
RELPATH := /ports/syslogd/syslog-ng
ROOTDIR ?= $(subst $(RELPATH),,$(CURDIR))
STAGEDIR = $(CURDIR)/stage
SOURCEDIR = syslog-ng-3.5.6
The relevant portion of the Makefile that resets the timestamps is:
# We never need to rebuild 'Makefile.in' or 'configure' in production
# commenting out rules for:
# $(SOURCEDIR)/Makefile.in
# $(SOURCEDIR)/configure.in
#
# commenting out pre-requisites for:
# $(SOURCEDIR)/Makefile
# config
#
# NOTE: syslog-ng 3.5.x needs to use autoconf v2.69
#                                    automake v1.14
#
# WARNING: Currently (as of 11/11/13) the rest of the build needs version(s):
#          autoconf v2.63
#          automake v1.11
#          and will fail when using the v2.69 (v1.14) versions!
#
# If 'configure' and/or any 'Makefile.in' file(s) need to be updated,
# you will have to 'switch' between the two versions of autoconf/automake;
# using 2.69/1.14 for syslog-ng and 2.63/1.11 for the rest of the build.
#
# force 'foreign' strictness (this is how Makefiles from syslog-ng were made)
# see www.gnu.org/software/automake/manual for more info
#$(SOURCEDIR)/Makefile.in: $(SOURCEDIR)/Makefile.am
# cd $(SOURCEDIR); \
# automake --foreign
# 3.3.x uses 'older' nomenclature of 'configure.in' (instead of 'configure.ac')
# 3.5.x now uses 'configure.ac' nomenclature
# see www.gnu.org/software/autoconf/manual for more info
#$(SOURCEDIR)/configure: $(SOURCEDIR)/configure.in
# cd $(SOURCEDIR); \
# autoconf
# build a new 'Makefile' if 'Makefile.in' or 'configure' is newer
# or this Makefile is newer (assume a change to configure parameter list)
#$(SOURCEDIR)/Makefile: $(SOURCEDIR)/Makefile.in $(SOURCEDIR)/configure Makefile
#
# Force 'recipe' to NOT run in parallel (.NOTPARALLEL:).
# This allows the 'kludge' for timestamps to work correctly!
# Without this, the two sets of touches occur virtually simultaneously since
# each command in the 'recipe' runs in its own shell AND the shells run in
# parallel, the 'sleep' command isn't causing the second set of touches
# to generate a different timestamp from the first set of touches.
#
# This seems to be causing random build errors on the EC build box as each
# command is run in a different parallel order
#
.NOTPARALLEL:
$(SOURCEDIR)/Makefile:
	make config
########################################################################
# kludge to fix 'svn checkout' timestamps messing up Makefile rules
# - touch files to restore proper relative timestamps
#
# cfg-grammar.y needs to be older than the other -grammar.y files
	touch $(SOURCEDIR)/lib/cfg-grammar.y
	sleep 1
	find $(SOURCEDIR) -name .svn -prune -o -name cfg-grammar.y -prune -o -name "*-grammar.y" -exec touch {} \;
#
# touch 'configure' dependent files
	for d in \
	    . \
	    lib/ivykis \
	    modules/afamqp/rabbitmq-c \
	    modules/afmongodb/libmongo-client \
	;do for f in \
	    configure.ac \
	    aclocal.m4 \
	    Makefile.in \
	    config.h.in \
	    configure \
	  ;do touch $(SOURCEDIR)/$$d/$$f ; \
	  done ; \
	done
#
# force '-grammar.y' files to be older than '-grammar.[ch]' files
	sleep 1
	find $(SOURCEDIR) -name .svn -prune -o -name "*-grammar.[ch]" -exec touch {} \;
#
# force '.n' files to be younger than '.n.xml' files
	for f in \
	    loggen.1 \
	    pdbtool.1 \
	    syslog-ng.8 \
	    syslog-ng.conf.5 \
	    syslog-ng-ctl.1 \
	;do touch $(SOURCEDIR)/doc/man/$$f ; \
	done
#
# touch any other files as needed
	touch $(SOURCEDIR)/lib/cfg-lex.h
	touch $(SOURCEDIR)/lib/cfg-lex.c
########################################################################
Also, related to this was the ‘clean’ feature that was removing too much:
clean distclean:
	@# syslog-ng 3.5.x build system's clean is too clean and is deleting '-grammar' files
	@# requiring them to be rebuilt... BUT the utilities needed are either missing or the
	@# wrong version to successfully be rebuilt in the BUILD system(s)!
	@#
	@# So, manually clean!
	@#
	@#make -C $(SOURCEDIR) $@ || true
	@rm -rf $(STAGEDIR)
	@#
	@# walk through a list of dirs deleting them
	@for d in \
	    autom4te.cache \
	    .deps \
	    .libs \
	;do find $(SOURCEDIR) -depth -name .svn -prune -o -name $$d -exec rm -rf {} \; ; \
	done
	@#
	@# walk through a list of file patterns deleting them
	@for fpat in \
	    config.h \
	    config.log \
	    config.status \
	    stamp-h1 \
	    libtool \
	    "*.pc" \
	    .dirstamp \
	    "*.l[ao]" \
	    "*.[ao]" \
	;do find $(SOURCEDIR) -name .svn -prune -o -name $$fpat -exec rm -f {} \; ; \
	done
	@#
	@# delete Makefile(s)
	@for d in \
	    . \
	    lib/ivykis \
	    lib/ivykis/test \
	    lib/ivykis/src \
	    lib/ivykis/misc \
	    lib/ivykis/man3 \
	    lib/ivykis/contrib \
	    lib/ivykis/contrib/kojines \
	    lib/ivykis/contrib/iv_getaddrinfo \
	    modules/afamqp/rabbitmq-c \
	;do rm -f $(SOURCEDIR)/$$d/Makefile;\
	done
	@#
	@# delete specific files not already covered
	@for f in \
	    scripts/update-patterndb \
	    tests/loggen/loggen \
	    lib/ivykis/src/include/iv.h \
	    modules/dbparser/pdbtool/pdbtool \
	    modules/afamqp/rabbitmq-c/examples/amqp_exchange_declare \
	    modules/afamqp/rabbitmq-c/examples/amqp_bind \
	    modules/afamqp/rabbitmq-c/examples/amqp_listenq \
	    modules/afamqp/rabbitmq-c/examples/amqp_unbind \
	    modules/afamqp/rabbitmq-c/examples/amqp_sendstring \
	    modules/afamqp/rabbitmq-c/examples/amqp_rpc_sendstring_client \
	    modules/afamqp/rabbitmq-c/examples/amqp_producer \
	    modules/afamqp/rabbitmq-c/examples/amqp_consumer \
	    modules/afamqp/rabbitmq-c/examples/amqp_listen \
	    syslog-ng/syslog-ng-ctl \
	    syslog-ng/syslog-ng \
	;do rm -f $(SOURCEDIR)/$$f; \
	done
Hope these snippets are useful starting points.
Chris
-------------------------------------
Christopher Johnson
chris_johnson(a)trendmicro.com
Trend Micro Inc. - Tippingpoint
-------------------------------------
From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Robert King
Sent: Wednesday, October 4, 2017 8:09 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng(a)lists.balabit.hu>
Subject: Re: [syslog-ng] Cross-compiling syslog-ng 3.11.1 for an embedded application.
Not easily, and not without getting permission from the director of development.
Let’s start with an easy question. …/syslog-ng/syslog-ng is a script. Is this part of the *final* distribution to be installed on the target system? There is also …/syslog-ng/.libs/syslog-ng which is an ELF binary executable. Is this part of the *final* distribution to be installed on the target system? Why are there two executable files with the same name?
…/syslog-ng/.libs/syslog-ng is being natively built on a generic Linux Mint system, but not on my cross-development system. How do you suggest troubleshooting this? Going through the generated Makefile in the project root directory is a nightmare. There is no makefile in …/syslog-ng, so I can’t try to build just that.
Sorry that I was irritated earlier, but I’ve been fighting this for three weeks and my boss is getting angry.
From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Budai, László
Sent: Wednesday, October 04, 2017 10:00 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng(a)lists.balabit.hu>
Subject: Re: [syslog-ng] Cross-compiling syslog-ng 3.11.1 for an embedded application.
Hi,
could you share a build environment where we can easily reproduce the issue (e.g. a docker file or image)?
Laszlo Budai
On Wednesday, October 4, 2017, Robert King <robert.king(a)tellabs.com> wrote:
From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Scheidler, Balázs
Sent: Tuesday, October 03, 2017 11:32 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng(a)lists.balabit.hu>
Subject: Re: [syslog-ng] Cross-compiling syslog-ng 3.11.1 for an embedded application.
Hi,
Again, so without your help and a civilized exchange of emails this can't be troubleshot, as I never saw your environment, and can't check various details that would affect compilation.
What information would you like from me to progress?
We are using gmake to build the targets. We are calling the configure script with the following arguments:
PKG_CONFIG_PATH=$PCRERELEASE/lib/pkgconfig:$EVENTLOGRELEASE/lib/pkgconfig:$GLIBRELEASE/lib/pkgconfig \
SED=/bin/sed \
./configure \
--host=$HOST \
PKG_CONFIG_PATH=$PCRERELEASE/lib/pkgconfig:$EVENTLOGRELEASE/lib/pkgconfig:$GLIBRELEASE/lib/pkgconfig \
--build=$BUILD \
--prefix=$INSTALLDIR \
--bindir=$INSTALLDIR/bin \
--sbindir=$INSTALLDIR/sbin \
--includedir=$INSTALLDIR/include \
--libdir=$INSTALLDIR/lib \
--sharedstatedir=$INSTALLDIR/share \
--exec-prefix=$EXECDIR \
--libexecdir=$EXECDIR/lib \
--localstatedir=$EXECDIR/etc/syslog-ng/var \
--sysconfdir=$EXECDIR/etc/syslog-ng/etc \
--enable-shared=yes \
--enable-ssl \
--enable-static=yes \
--enable-dynamic-linking=yes \
--disable-json \
--enable-pcre=no \
--with-libmongo-client=no \
--with-librabbitmq-client=no \
CC=$MVL/bin/ppc_440-gcc \
CFLAGS="-g -O2" \
CPP=$MVL/bin/ppc_440-cpp \
CPPFLAGS="-I$EVENTLOGRELEASE/include -I$GLIBRELEASE/include -I$TARGET/usr/include -I$TARGET/usr/local/include" \
LDFLAGS="-L/vobs/tools/openssl/openssl/release/$OS/lib -L$EVENTLOGRELEASE/lib -L$GLIBRELEASE/lib -L$TARGET/lib -L$TARGET/usr/lib" \
OPENSSL_CFLAGS="${OPENSSL_CC_INC_PATH} ${OPENSSL_CC_FIPS_INC_PATH} -DBUILD_WITH_SSL" \
OPENSSL_LIBS="-lssl -lcrypto" \
LIBS="-lssl -lcrypto"
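Chris's Makefile above restores the timestamp order by hand after every checkout. As an added example (not Chris's code and not part of syslog-ng), the script below reports which generated files make would try to regenerate because their source has the newer mtime; it checks only the source/output pairs his Makefile comments mention, and the sample checkout is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list the generated files that make
# would try to regenerate because a checkout left their source newer.

# src_is_newer SRC GEN: true when SRC has a later mtime than GEN.
src_is_newer() {
    [ -n "$(find "$1" -prune -newer "$2" 2>/dev/null)" ]
}

# report_if_stale TREE SRC GEN: print "GEN <- SRC" (relative to TREE) when
# GEN exists and is older than SRC.
report_if_stale() {
    if [ -e "$3" ] && src_is_newer "$2" "$3"; then
        echo "${3#"$1"/} <- ${2#"$1"/}"
    fi
}

# stale_generated TREE: check grammar, configure and Makefile.in pairs under
# TREE, skipping .svn directories; prints one sorted line per stale pair.
stale_generated() {
    find "$1" -name .svn -prune -o -type f \
        \( -name '*-grammar.y' -o -name configure.ac -o -name Makefile.am \) -print |
    while read -r src; do
        case $src in
            *-grammar.y)
                report_if_stale "$1" "$src" "${src%.y}.c"
                report_if_stale "$1" "$src" "${src%.y}.h" ;;
            */configure.ac)
                report_if_stale "$1" "$src" "${src%.ac}" ;;
            */Makefile.am)
                report_if_stale "$1" "$src" "${src%.am}.in" ;;
        esac
    done | sort
}

# Constructed sample standing in for a fresh checkout with scrambled mtimes.
build_sample_checkout() {
    mkdir -p "$1/lib"
    # generated files as shipped
    touch -t 201710040800 "$1/configure" "$1/Makefile.in" "$1/lib/cfg-grammar.c"
    # sources that the checkout stamped later than their outputs
    touch -t 201710040900 "$1/configure.ac" "$1/lib/cfg-grammar.y"
    # pairs that are still in the right order
    touch -t 201710040700 "$1/Makefile.am"
    touch -t 201710041000 "$1/lib/cfg-grammar.h"
}

tree=$(mktemp -d)
build_sample_checkout "$tree"
stale_generated "$tree"
rm -rf "$tree"
```

An empty result means make has no timestamp reason to call autoconf, automake or bison for these pairs.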
Greetings! We are currently running syslog-ng v3.8.1 in an embedded Linux system. However, we want to upgrade to 3.11.1 in order to eliminate some memory leaks. Unfortunately we've run into a bit of a snag getting 3.11.1 to run on our target system.
Under 3.8.1, syslogND is an ELF binary installed in the sbin directory. Under 3.11.1, it is a *script* installed in sbin. This script is trying to do some bad things including linking an executable (lt-syslog-ng, I believe.) We do not have a linker that will run on the target system. We cannot link anything.
What is the reason behind this and how can it be circumvented?
-- Robert King, Tellabs
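The two same-named files discussed in this thread, the script and the ELF binary under .libs, can be told apart mechanically before anything is copied to a target that has no linker. This is an added example, not code from the thread or from syslog-ng; it assumes the "Generated by libtool" comment that libtool writes near the top of its wrapper scripts, and the sample build directory is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): tell a libtool wrapper script apart
# from the real ELF executable before files are copied to a target image.

# classify_exec FILE: print elf, libtool-wrapper, script or other.
classify_exec() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case $magic in
        7f454c46)                       # 0x7f 'E' 'L' 'F'
            echo elf ;;
        2321*)                          # "#!" interpreter line
            # Assumption: libtool stamps its wrappers with this comment.
            if head -n 10 "$1" | grep -q 'Generated by libtool'; then
                echo libtool-wrapper
            else
                echo script
            fi ;;
        *)
            echo other ;;
    esac
}

# find_wrappers DIR: list, relative to DIR, every libtool wrapper under it.
find_wrappers() {
    find "$1" -type f | sort | while read -r f; do
        if [ "$(classify_exec "$f")" = libtool-wrapper ]; then
            echo "${f#"$1"/}"
        fi
    done
}

# Constructed sample mirroring the two same-named files from the thread,
# plus an ordinary shell script for contrast.
build_sample_build_dir() {
    mkdir -p "$1/syslog-ng/.libs" "$1/scripts"
    {
        echo '#! /bin/sh'
        echo '# syslog-ng - temporary wrapper script for .libs/syslog-ng'
        echo '# Generated by libtool (constructed sample header)'
        echo 'exec .libs/syslog-ng "$@"'
    } > "$1/syslog-ng/syslog-ng"
    printf '\177ELF\002\001\001' > "$1/syslog-ng/.libs/syslog-ng"
    printf '#!/bin/sh\necho update\n' > "$1/scripts/update-patterndb"
}

tree=$(mktemp -d)
build_sample_build_dir "$tree"
find_wrappers "$tree"
rm -rf "$tree"
```

Run against a staging directory, any path it prints is a wrapper that was copied from the build tree instead of the binary itself.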