On Wed, 2008-03-12 at 14:07 -0400, John Morrissey wrote:
On Fri, Feb 29, 2008 at 07:08:14PM +0100, Balazs Scheidler wrote:
On Fri, 2008-02-29 at 12:59 -0500, John Morrissey wrote:
Recently, we've noticed a few machines are filling up their log filesystems with duplicate log entries. At first, I thought this behavior was caused by running out of disk space (i.e., the machine runs out of disk and syslog-ng does some sort of buffering, and as disk space oscellates between a few hundred bytes available and completely full, syslog-ng is writing this buffered log data out to disk but never removing the log entries from its buffer), but I can't reliably reproduce it.
Hm... is it possible that syslog-ng somehow loops back to itself? I remember a problem which caused syslog-ng to resolve a destination host name as 0.0.0.0 if DNS was unavailable, effectively causing it to send messages to localhost.
That's exactly it; syslog-ng has a UDP socket open and is sending data to its own UDP listener socket. I'd like to backport a targeted patch if possible, and haven't looked through the git repo yet; do you have an idea when this was fixed, or know the git revision it was fixed in?
It was fixed here, e.g. it was included in 2.0.6 Author: Balazs Scheidler <bazsi@balabit.hu> 2007-10-23 17:04:46 Committer: Balazs Scheidler <bazsi@balabit.hu> 2007-10-23 17:04:46 Parent: 2288151086e2557c8a30e37c1b4a37a7b373fffb (fixed implicit declaration of strtol warning) Child: 1661ca746f13eacf3c5e0d08640dd00c71548d11 (fixed ipv6 address resolution as only parts of the sockaddr_in6 structure were copied) Follows: v2.0.5 unset destination/bind address if a name resolution error occurs (fixes: #12393) 2007-10-23 Balazs Scheidler <bazsi@balabit.hu> * src/afinet.c (afinet_resolve_name): changed prototype to require a pointer to GSockAddr *, set the passed reference to NULL whenever a resolve error occurs (fixes: #12393), (various functions): changed all afinet_resolve_name invocations to use the new prototype -- Bazsi