On Sun, Jul 08, 2001 at 02:05:29PM -0400, Gorm Jensen wrote:
After upgrading from RH6.1 and syslog-ng-1.4.2 to RH7.1 and syslog-ng-1.4.11, only the first hit of a series of hits on the firewall is logged. Restarting the daemon will cause the next hit to be logged, but no more than that. Only the logging of firewall hits is affected.
After a great deal of trial and error, I traced the problem to a specific destination in the configuration file. I have attached two versions (Linux text and MS.txt) of the config file. To simplify the configuration for testing, I deleted several other log destinations, filters and actions. The anomaly persisted, even with the simplified configuration.
When the lines containing the destination 'whodat' are commented out, logging proceeds as expected. When the comments are arranged to include either one of the lines containing the whodat destination, the logging reverts to what is described in para one.
Can anyone tell what is required to fix the problem?
# -------- SOURCES ---------------
source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg"); };
#source net { udp(); };

You aren't by any chance running klogd? If so, that is probably the source of your problems. Others on the list have reported blocking issues with syslog-ng and klogd reading from /proc/kmsg. The solution is to either let klogd handle your kernel logging or to not run klogd.

PS IPTables is in the kernel.

----------------------------------------------------------------------------
   __o      Bradley Arlt    Email: arlt@cpsc.ucalgary.ca                 o__
 _ \<_      WWW: www.acs.ucalgary.ca/~bdarlt                            _>/ _
(_)/(_)  -Eat well, sleep peacefully, drink lots, and ride like hell.  (_)\(_)
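
A check for the condition described in the reply, as an added example that is not part of the original thread: it reports when a syslog-ng configuration has an active file("/proc/kmsg") source while klogd is also running. The function names, the temporary config file and the process list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag the double-reader condition where
# klogd and syslog-ng both consume /proc/kmsg.

# Print the active (uncommented) config lines that read /proc/kmsg, numbered.
kmsg_sources() {
    sed 's/#.*$//' "$1" | grep -n 'file *( *"/proc/kmsg" *)'
}

# Succeed if a process named exactly "klogd" is in the newline-separated list.
klogd_running() {
    printf '%s\n' "$1" | grep -qx 'klogd'
}

# check_kmsg_conflict CONF PROCLIST
# Returns 1 and names the offending config lines when both readers are present.
check_kmsg_conflict() {
    hits=$(kmsg_sources "$1") || hits=""
    if [ -n "$hits" ] && klogd_running "$2"; then
        echo "CONFLICT: klogd is running and syslog-ng reads /proc/kmsg at:"
        echo "$hits"
        return 1
    fi
    echo "OK: at most one reader of /proc/kmsg"
    return 0
}

# Constructed sample: the source block quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg"); };
#source net { udp(); };
EOF

# Constructed process list; on a live host pass "$(ps -e -o comm=)" instead.
check_kmsg_conflict "$sample" "init
klogd
syslog-ng" || echo "-> stop klogd, or drop the file(\"/proc/kmsg\") source"
rm -f "$sample"
```

Run it against the real configuration file before and after changing the klogd setup to confirm that only one reader of /proc/kmsg remains.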