An example of corrupted message (one line in syslog file instead of six):

Sep 27 02:01:09 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC11/ex040926.log from XXX Sep 27 02:01:11 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC15/ex040926.log from XXX Sep 27 02:01:15 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC20/ex040926.log from XXX Sep 27 02:01:15 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC22/ex040926.log from XXX Sep 27 02:01:30 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC7/ex040926.log from XXX Sep 27 02:02:00 REMOTEHOST/REMOTEHOST user.warning loader: [ID 702911 user.warning] Autoload has been locked for over an hour

I just realized that I haven't seen two messages from remote hosts concatenated. It only happens with messages generated on loghost (server where syslog-ng is installed) and messages from remote hosts (sun-stream() plus udp()).

Platform is Solaris 8 with 117350-06.

Dmitri

-----Original Message-----
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
Sent: Monday, September 27, 2004 3:24 AM
To: syslog-ng@lists.balabit.hu
Subject: RE: [syslog-ng]Corrupted messages in log

On Sun, 2004-09-26 at 23:44, Dmitri Smirnov wrote:
Thanks, Loic,
some important parts of config, skipping filters:
# source local { sun-streams("/dev/log"); internal(); udp(); };
options {
    use_fqdn(yes);
    use_dns(yes);
    dns_cache(yes);
    keep_hostname(yes);
    chain_hostnames(no);
    bad_hostname("^5.*");
    sync(0);
    stats(0);
    log_fifo_size(1024);
    log_msg_size(2048);
    use_time_recvd(yes);
    dns_cache_expire(36000);
    dns_cache_expire_failed(3600);
    dns_cache_size(10000);
};
destination syslog { file("/var/log/syslog" owner(root) group(other) perm(0644) template("$DATE $FULLHOST $FACILITY.$PRIORITY $MESSAGE\n") template_escape(no)); };
log { source(local); filter(filter1_not); filter(filter2_not); filter(filter3_not); filter(filter4_not); filter(filter5_not); destination(syslog); };
In what way are messages corrupted? You said they are concatenated, but could you post an example?

It would also be important to check which syslog-ng parts are used, e.g. the message path as it is received from the network. (udp source, sun-stream source)

It would also be useful to verify whether it was mangled on the syslog-ng host itself, or it was already mangled before.

BTW: it is known that certain kernel messages on Linux might get corrupted, because of the kernel ring-buffer overflow; increasing the ring buffer size can be used to mitigate (but not solve) the problem.

--
Bazsi
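
Added example, not part of the original thread or of syslog-ng: a scan for physical log lines that hold more than one record, as in the concatenated line posted above. It assumes the file was written with the template from the posted config ("$DATE $FULLHOST $FACILITY.$PRIORITY $MESSAGE\n"); the header regex is an assumption about how that template renders, and the sample lines are constructed, modeled on the posted one.

```python
import re

# Assumed rendering of "$DATE $FULLHOST $FACILITY.$PRIORITY " from the template
# in the posted config, e.g. "Sep 27 02:01:09 loghost local1.err ".
HEADER = re.compile(
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d "
    r"\d{2}:\d{2}:\d{2} "    # $DATE (BSD syslog style, day may be space padded)
    r"\S+ "                  # $FULLHOST
    r"[a-z0-9]+\.[a-z]+ "    # $FACILITY.$PRIORITY
)

def split_records(line):
    """Return the individual records found in one physical log line."""
    starts = [m.start() for m in HEADER.finditer(line)]
    if not starts or starts[0] != 0:
        # Line does not begin with the expected header: leave it untouched.
        return [line.rstrip("\n")]
    bounds = starts + [len(line)]
    return [line[a:b].strip() for a, b in zip(bounds, bounds[1:])]

def find_merged(lines):
    """Yield (line_number, records) for each line holding several records."""
    for number, line in enumerate(lines, 1):
        records = split_records(line)
        if len(records) > 1:
            yield number, records

# Constructed sample: line 1 is three records run together, line 2 is normal.
SAMPLE = [
    "Sep 27 02:01:09 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 "
    "first Sep 27 02:01:11 loghost local1.err MSWTRS [5572]: [ user.error] "
    "Error: 256 second Sep 27 02:02:00 REMOTEHOST/REMOTEHOST user.warning "
    "loader: Autoload has been locked\n",
    "Sep 27 02:03:00 loghost daemon.notice cron[101]: job started\n",
]

if __name__ == "__main__":
    for number, records in find_merged(SAMPLE):
        print(f"line {number}: {len(records)} records merged")
        for record in records:
            print("   ", record)
```

This is a heuristic: a message body that itself quotes a full header would be reported as merged, so treat hits as candidates to compare against the sending host's own logs.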