Having a bit of a problem with this patch... Using a freshly un-tarred copy of 1.5.19:

[/usr/local/src/syslog-ng-1.5.19/src]# patch -p0 < /root/mangle.patch
patching file sources.c
[/usr/local/src/syslog-ng-1.5.19]# ./configure
(snip - configure completes with no problems)
[/usr/local/src/syslog-ng-1.5.19]# make
Making all in src
make[1]: Entering directory `/usr/local/src/syslog-ng-1.5.19/src'
make all-recursive
make[2]: Entering directory `/usr/local/src/syslog-ng-1.5.19/src'
Making all in .
make[3]: Entering directory `/usr/local/src/syslog-ng-1.5.19/src'
gcc -DHAVE_CONFIG_H -I. -I/usr/local/src/syslog-ng-1.5.19/src -I. -g -O2 -Wall -I/usr/local/include/libol -D_GNU_SOURCE -c main.c
make_class <sources.c >sources.c.xT
/bin/sh: /usr/local/bin/make_class: bad interpreter: No such file or directory
make[3]: *** [sources.c.x] Error 126
make[3]: Leaving directory `/usr/local/src/syslog-ng-1.5.19/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/local/src/syslog-ng-1.5.19/src'
make[1]: *** [all-recursive-am] Error 2
make[1]: Leaving directory `/usr/local/src/syslog-ng-1.5.19/src'
make: *** [all-recursive] Error 1

Without the patch it configures and compiles fine. Any ideas what could be causing the problem that's related to the patch under Linux 2.4.18 (libc 2.2.3 & libol 0.3.3)?

Thanks,

---
Dustin D. Trammell
Information Security Specialist
Penson Financial Services, Inc.

-----Original Message-----
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
Sent: Wednesday, August 21, 2002 07:51
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng][PATCH] please test: syslog-ng message mangling fix

On Tue, Aug 20, 2002 at 07:38:21AM -0400, Stephen Frost wrote:
Balazs and everyone,
The first fix which was posted to the list changing the if to be:
if (!eol && closure->pos == closure->max_log_line)
appeared to work correctly for me. The second fix posted which changed the if to be:
if (!eol && (start_pos == 0 || closure->pos == closure->max_log_line))
had the same (broken) behaviour as the unmodified if. This leads me to conclude that 'closure->pos == closure->max_log_line' is false, '!eol' is true and 'start_pos == 0' is true. log_msg_size() does not appear to have any effect. I have increased it to be 2048 and still my logs are split among lines. Message length doesn't appear to matter either as messages which are longer can end up being intact while shorter messages are split. The one common factor is that all of the messages being split are coming from /proc/kmsg.
Hm, as it seems there was a change in the behaviour of /proc/kmsg. The condition used to be: - if (!eol && closure->pos) { - /* we don't have a terminating nl nor \0 */ and there were no reports of mangled messages. Maybe the 2.4 kernel introduced a change, and syslog-ng reads kernel message parts with multiple read() calls.
Since there was some concern about UDP messages being broken by this my first thought is to change the if to be:
if (!eol && (closure->dgram || closure->pos == closure->max_log_line))
This makes the assumption that messages coming from streams such as a TCP connection or /dev/log or a file/pipe will eventually have a terminating newline or \0. Of course, it keeps the sanity check to not create messages over max_log_line. I have this working on my setup now but I don't swear that it's perfect, I'd love to hear feedback on it, esp. from Balazs. These messages being split causes me a real problem on my firewall.
Relying on closure->dgram seems to me a sane decision. start_pos was only a hack anyway. Here's an updated patch (still against 1.5.19):

diff -u -r1.34 sources.c --- sources.c 18 Jul 2002 13:18:02 -0000 1.34 +++ sources.c 21 Aug 2002 12:44:18 -0000 @@ -112,8 +113,11 @@ closure->pos = 0; return ST_OK | ST_GOON; } - if (!eol && closure->pos) { - /* we don't have a terminating nl nor \0 */ + if (!eol && (closure->dgram || closure->pos == closure->max_log_line)) { + /* we don't have a terminating nl nor \0, and our buffer is + full or we are a datagram receiver, when the message is in + its own packet. + */ do_handle_line(closure, closure->pos, closure->buffer, salen ? (abstract_addr *) &sabuf : NULL, salen); closure->pos = 0; return ST_OK | ST_GOON;

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
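Review bot: the buffer-full half of the new condition, closure->pos == closure->max_log_line, fires only on exact equality, so if any path outside this hunk can leave pos above max_log_line the sanity flush never triggers again; closure->pos >= closure->max_log_line would be the more defensive form. With the old catch-all (!eol && closure->pos) removed, an unterminated partial line on a stream source now stays in closure->buffer until a newline, a \0 or a full buffer arrives, and nothing in the visible lines flushes it when the stream reaches EOF or is closed, so it is worth confirming that the close path hands the remaining bytes to do_handle_line. The new comment could also say explicitly that stream sources are assumed to terminate every message, since that is the assumption the condition now depends on.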
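The three flush conditions debated in this thread, compared in a small model that is an added example (not syslog-ng source and not part of any poster's message). All names, the 32-byte buffer and the sample reads are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Model of the flush decision in this thread; hypothetical names, not syslog-ng source. */
enum policy { OLD_ANY_DATA, FIX_FULL_ONLY, FIX_DGRAM_OR_FULL };
struct reader {
    char buf[32];
    size_t pos, max_log_line;   /* max_log_line <= sizeof buf */
    int dgram, emitted;         /* dgram: one read() is one packet; emitted: messages sent on */
    enum policy policy;
};

static int flush_without_eol(const struct reader *r) {
    if (r->policy == OLD_ANY_DATA)  return r->pos > 0;
    if (r->policy == FIX_FULL_ONLY) return r->pos == r->max_log_line;
    return r->dgram || r->pos == r->max_log_line;
}

static void feed(struct reader *r, const char *data, size_t len) { /* bytes of one read() */
    while (len > 0) {
        size_t n = r->max_log_line - r->pos;
        char *nl;
        if (n > len) n = len;
        memcpy(r->buf + r->pos, data, n);
        r->pos += n; data += n; len -= n;
        while ((nl = memchr(r->buf, '\n', r->pos)) != NULL) {
            size_t used = (size_t)(nl - r->buf) + 1;
            r->emitted++;                          /* complete, terminated line */
            memmove(r->buf, r->buf + used, r->pos - used);
            r->pos -= used;
        }
        if (r->pos > 0 && flush_without_eol(r)) {
            r->emitted++;                          /* unterminated data sent as a message */
            r->pos = 0;
        }
    }
}

int count_messages(enum policy p, int dgram, const char **reads, size_t n) {
    struct reader r = { .max_log_line = 32, .dgram = dgram, .policy = p };
    for (size_t i = 0; i < n; i++) feed(&r, reads[i], strlen(reads[i]));
    return r.emitted;
}

int main(void) {
    const char *kmsg[] = { "kernel: IN=eth0 ", "OUT=eth1\n" }; /* constructed: 1 line, 2 reads */
    printf("old=%d fixed=%d\n", count_messages(OLD_ANY_DATA, 0, kmsg, 2),
           count_messages(FIX_DGRAM_OR_FULL, 0, kmsg, 2));
    return 0;
}
```

In this model the buffer-full-only condition holds back an unterminated datagram, while the dgram-or-full condition keeps a stream line whole and still emits the datagram.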