On Thu, 2006-11-30 at 00:31 +0100, Jacek Kalinski wrote:
Hello,
After upgrading from syslogng-1.6.11 to 2.0.0 I've got strange messages in the /var/log/messages file:
Nov 29 08:14:05 denise WINDOW=16985 RES=0x00 ACK URGP=0
Nov 29 11:10:19 denise PT=34536 WINDOW=16985 RES=0x00 ACK URGP=0
Nov 29 16:42:16 denise W=0 RES=0x00 RST URGP=0
Nov 29 21:37:15 denise 116 ID=34901 DF PROTO=TCP SPT=3584 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
These are truncated iptables logs. Because there are entries in the firewall.log file similar to the truncated ones, I think the full line should be:
Nov 29 11:10:19 denise firewallp=INVALID:1 a=DROP IN=eth1 OUT= MAC=00:30:4f:36:2b:dc:00:04:9a:2c:7f:20:08:00 SRC=193.41.230.81 DST=xxx.xxx.xxx.x LEN=576 TOS=0x00 PREC=0x00 TTL=117 ID=3495 PROTO=TCP SPT=443 DPT=34536 WINDOW=16985 RES=0x00 ACK URGP=0
(xxx.xxx.xxx.x is a real server IP address - one 'x' is one digit)
It is not necessarily syslog-ng that is at fault here: if the kernel ring buffer overflows (because of higher traffic, for example), the kernel might give partial lines while reading /proc/kmsg. You can increase the kernel ring buffer size by increasing the config option CONFIG_LOG_BUF_SHIFT.
-- Bazsi
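One way to spot such partial lines in /var/log/messages, as an added example that is not from the thread or from syslog-ng: a small Python check that flags syslog entries carrying netfilter tail fields (WINDOW=, RES=, URGP=, ...) without the IN=/OUT=/SRC=/DST= header the kernel writes first. The sample lines are the truncated ones quoted above plus a constructed full entry using a documentation address; the field lists are assumptions based on the standard netfilter LOG format.

```python
import re

# Syslog line layout as seen in the thread: "Nov 29 11:10:19 denise <message>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# Fields the netfilter LOG target emits near the start of an entry (assumed set).
HEADER_FIELDS = ("IN=", "OUT=", "SRC=", "DST=", "LEN=")
# Fields that sit at the tail of a TCP/UDP entry; a line that has these but
# lacks the header fields lost its beginning in the ring buffer.
TAIL_FIELDS = ("PROTO=", "SPT=", "DPT=", "WINDOW=", "RES=", "URGP=")


def classify(line):
    """Return (status, host, message) with status in ok/truncated/other/unparsed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return ("unparsed", None, line)
    msg = m.group("msg")
    has_tail = any(f in msg for f in TAIL_FIELDS)
    has_header = all(f in msg for f in HEADER_FIELDS)
    if has_tail and has_header:
        return ("ok", m.group("host"), msg)
    if has_tail:  # netfilter tail without IN=/OUT=/SRC=/DST=: a partial line
        return ("truncated", m.group("host"), msg)
    return ("other", m.group("host"), msg)


def find_truncated(lines):
    """Return only the syslog lines that look like cut-off netfilter entries."""
    return [l for l in lines if classify(l)[0] == "truncated"]


# Constructed sample: the four partial lines from the thread, one complete
# entry (DST= replaced with a documentation address) and one unrelated line.
SAMPLE_LINES = [
    "Nov 29 08:14:05 denise WINDOW=16985 RES=0x00 ACK URGP=0",
    "Nov 29 11:10:19 denise PT=34536 WINDOW=16985 RES=0x00 ACK URGP=0",
    "Nov 29 16:42:16 denise W=0 RES=0x00 RST URGP=0",
    "Nov 29 21:37:15 denise 116 ID=34901 DF PROTO=TCP SPT=3584 DPT=80 "
    "WINDOW=65535 RES=0x00 ACK FIN URGP=0",
    "Nov 29 11:10:19 denise firewall p=INVALID:1 a=DROP IN=eth1 OUT= "
    "MAC=00:30:4f:36:2b:dc:00:04:9a:2c:7f:20:08:00 SRC=193.41.230.81 "
    "DST=192.0.2.10 LEN=576 TOS=0x00 PREC=0x00 TTL=117 ID=3495 PROTO=TCP "
    "SPT=443 DPT=34536 WINDOW=16985 RES=0x00 ACK URGP=0",
    "Nov 29 08:00:01 denise sshd[1234]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for bad in find_truncated(SAMPLE_LINES):
        print("partial netfilter entry:", bad)
```

A steadily growing count of such lines after the upgrade points at ring-buffer loss on the kernel side rather than at syslog-ng's parsing.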