Thanks for the reply. Unfortunately, my gdb skills are absolutely terrible. Here is how I have tried to do it, which is probably wrong:

# gdb /opt/syslog-ng/sbin/syslog-ng 2>&1 | tee gdb-syslog-ng.txt
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
(gdb) handle SIG33 pass nostop noprint
Signal        Stop      Print   Pass to program Description
SIG33         No        No      Yes             Real-time event 33
(gdb) set pagination 0
(gdb) run --no-caps --enable-core
Starting program: /opt/syslog-ng/sbin/syslog-ng --no-caps --enable-core
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Executing new program: /opt/syslog-ng/libexec/syslog-ng
[Thread debugging using libthread_db enabled]

Program exited normally.
(gdb) backtrace full
No stack.
(gdb) info registers
The program has no registers now.
(gdb)

Hopefully I am doing something that is simple to fix. Also, when I use --enable-core, where does it put the core file?

Thanks!
Nate

On Mon, May 11, 2009 at 9:26 AM, ILLES, Marton <illes.marton@balabit.hu> wrote:
Hi,
Sorry for answering so slowly...
On Fri, 2009-05-08 at 10:23 -0400, Nate Hausrath wrote:
Thanks for the response.
It looks like there may be a problem with my install or a bug somewhere. With the config file below, I'm still not getting messages in my /var/log/remote/parsed.log file. However, when I comment out "parser(p_db);" in the log section of the config, messages begin showing up.
After a bit more investigation, when I receive the first remote log message over UDP, the following appears in my /var/log/messages:
kernel: : [89941.138626] syslog-ng[16473]: segfault at 00000010 eip 08063e49 esp bfa1a490 error 4
Even after this, the process is still running and the ports are still open. At this point, I'm not really sure how to diagnose the problem.
Basically you have two problems, let's see one after the other.
1. You are using syslog-ng OSE, which supports db-parser pattern version 1 only, while you have a version 2 pattern XML (version 2 is only included in the PE, and the XMLs provided on the website are also version 2). This way you end up without any actual rule, and therefore no matching or parsing would occur.
You can find an XML schema in the distribution which specifies the xml format to be used.
I am currently working on porting the version 2 format to OSE, and sorry for any inconvenience I might have caused with the different versions. Meanwhile you can use the version 1 style XML:

<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='1' pub_date='2009-05-07'>
  <program name='windows'>
    <pattern>MSWinEventLog</pattern>
    <rules>
      <rule provider='nate' id='1' class='system'>
        <pattern>540</pattern>
        <description>This is a terrible terrible message to receive. Game over man! Game over!</description>
      </rule>
    </rules>
  </program>
</patterndb>
2. You have a segfault. I would need a backtrace or a core file to track down the problem. To get a core file you can use the --enable-core option to syslog-ng, and gdb after that to get a backtrace.
Sorry again for the version problem, I will push an update to my git tree with the new version 2 xml handling.
best,
Marton
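As an added example (not code from the thread or from syslog-ng itself), here is a small Python pre-deployment check for the version mismatch in point 1: it loads a db-parser XML, treats any patterndb version other than '1' as loading zero rules (the silent failure described above), and runs a simplified substring match for the MSWinEventLog/540 rule. The supported-version set and the substring matcher are assumptions for this check, not syslog-ng's own pattern engine.

```python
"""Sanity-check a db-parser pattern XML before deploying it to syslog-ng OSE."""
import xml.etree.ElementTree as ET

# Constructed sample: the version 1 pattern file from the thread.
PATTERNDB_V1 = """<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='1' pub_date='2009-05-07'>
  <program name='windows'>
    <pattern>MSWinEventLog</pattern>
    <rules>
      <rule provider='nate' id='1' class='system'>
        <pattern>540</pattern>
        <description>This is a terrible terrible message to receive.</description>
      </rule>
    </rules>
  </program>
</patterndb>"""

# Assumption: the OSE release in the thread loads version 1 pattern files only.
SUPPORTED_VERSIONS = {"1"}


def load_rules(xml_text):
    """Return (version, rules); rules is empty when the version is unsupported,
    mirroring the 'no actual rule' outcome the thread describes."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    version = root.get("version")
    if version not in SUPPORTED_VERSIONS:
        return version, []
    rules = []
    for program in root.findall("program"):
        prog_patterns = [p.text for p in program.findall("pattern")]
        for rule in program.findall("rules/rule"):
            rules.append({"program_patterns": prog_patterns, "id": rule.get("id"),
                          "class": rule.get("class"), "pattern": rule.findtext("pattern")})
    return version, rules


def classify(rules, program, message):
    """Simplified matcher (substring on program name and message); syslog-ng's
    real matcher is a radix tree with typed parsers, so use this only to check files."""
    for rule in rules:
        if any(p in program for p in rule["program_patterns"]) and rule["pattern"] in message:
            return rule["id"], rule["class"]
    return None


def check(xml_text):
    """Summarise what would be loaded: (version, rule count, status string)."""
    version, rules = load_rules(xml_text)
    status = "ok" if rules else f"no rules loaded (patterndb version {version!r})"
    return version, len(rules), status
```

Running check() on a version 2 file reports zero rules, which is the condition to alert on before the parser is wired into a log path.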