Syslog-ng v3.5.3 - Core dump from a certain incoming message?
Has anyone seen this or know what may be causing it?
When I run a stack trace, I can see that this host causes syslog-ng to crash every time it sends a message.

I've run a couple of tcpdumps and it *seems* to be caused by an ARP request from a Cyclades box. This seems very odd to me of course.

10 130.085308 Cyclades_01:be:4b SuperMic_9a:58:be ARP 60 Who has x.x.188.52? Tell x.x.188.11

The *only* other packets from that host are repeated so they don't seem to be the cause:

4 1.000259 x.x.188.11 x.x.188.52 Syslog 257 LOCAL0.NOTICE: Jul 23 11:04:05 src_dev_log@ACS-01 Buffering: S12.Server-Farm-6509-01 [Jul 23 11:04:03.267 EDT: %MCAST-SP-3-QUERY_INT_MISMATCH: Snooping Querier received a non-matching query interval (125000 msec),]\n

[pid 28379] recvfrom(9, "<133>Jul 23 10:19:58 src_dev_log"..., 8192, 0, {sa_family=AF_INET, sin_port=htons(3284), sin_addr=inet_addr("x.x.188.11")}, [16]) = 181
[pid 28379] stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
[pid 28379] mprotect(0x7f956c346000, 12288, PROT_READ|PROT_WRITE) = 0
[pid 28379] write(2, "**\nERROR:../../lib/logmsg.c:535:"..., 114) = 114
[pid 28379] rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
[pid 28379] tgkill(28374, 28379, SIGABRT) = 0
[pid 28379] --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=28374, si_uid=0} ---
[pid 28379] +++ killed by SIGABRT (core dumped) +++
[pid 28434] +++ killed by SIGABRT (core dumped) +++
[pid 28428] +++ killed by SIGABRT (core dumped) +++
+++ killed by SIGABRT (core dumped) +++

______________________________________________________________
Clayton Dukes
______________________________________________________________
Hi, Could you provide your syslog-ng config?
This seems to be an assertion failure in logmsg.c line 535.
Unfortunately I cannot tell what assertion as I don't have the code handy on my phone, but I thought I'd share.

On Jul 23, 2015 17:33, "Clayton Dukes" <cdukes@gmail.com> wrote:
Has anyone seen this or know what may be causing it? When I run a stack trace, I can see that this host causes syslog-ng to crash every time it sends a message.
I've run a couple of tcpdumps and it *seems* to be caused by an ARP request from a Cyclades box. This seems very odd to me of course.
10 130.085308 Cyclades_01:be:4b SuperMic_9a:58:be ARP 60 Who has x.x.188.52? Tell x.x.188.11
The *only* other packets from that host are repeated so they don't seem to be the cause:
4 1.000259 x.x.188.11 x.x.188.52 Syslog 257 LOCAL0.NOTICE: Jul 23 11:04:05 src_dev_log@ACS-01 Buffering: S12.Server-Farm-6509-01 [Jul 23 11:04:03.267 EDT: %MCAST-SP-3-QUERY_INT_MISMATCH: Snooping Querier received a non-matching query interval (125000 msec),]\n
[pid 28379] recvfrom(9, "<133>Jul 23 10:19:58 src_dev_log"..., 8192, 0, {sa_family=AF_INET, sin_port=htons(3284), sin_addr=inet_addr("x.x.188.11")}, [16]) = 181
[pid 28379] stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
[pid 28379] mprotect(0x7f956c346000, 12288, PROT_READ|PROT_WRITE) = 0
[pid 28379] write(2, "**\nERROR:../../lib/logmsg.c:535:"..., 114) = 114
[pid 28379] rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
[pid 28379] tgkill(28374, 28379, SIGABRT) = 0
[pid 28379] --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=28374, si_uid=0} ---
[pid 28379] +++ killed by SIGABRT (core dumped) +++
[pid 28434] +++ killed by SIGABRT (core dumped) +++
[pid 28428] +++ killed by SIGABRT (core dumped) +++
+++ killed by SIGABRT (core dumped) +++

______________________________________________________________
Clayton Dukes
______________________________________________________________
participants (3): Balazs Scheidler, Clayton Dukes, Fabien Wernli
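
The triage described in the first message (matching the thread that aborts in the strace output to the last datagram it received and to the assertion location it wrote to stderr), as an added example that is not from the thread or from syslog-ng. The sample lines are constructed from the excerpt above with placeholder addresses, and `triage` is a hypothetical helper name.

```python
import re

# Constructed strace excerpt modelled on the one in the thread; the addresses
# are documentation-range placeholders and pid 28380 is an unrelated thread.
SAMPLE = r'''[pid 28379] recvfrom(9, "<133>Jul 23 10:19:58 src_dev_log"..., 8192, 0, {sa_family=AF_INET, sin_port=htons(3284), sin_addr=inet_addr("192.0.2.11")}, [16]) = 181
[pid 28379] stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
[pid 28380] recvfrom(9, "<134>Jul 23 10:19:59 other_host"..., 8192, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.0.2.20")}, [16]) = 90
[pid 28379] write(2, "**\nERROR:../../lib/logmsg.c:535:"..., 114) = 114
[pid 28379] tgkill(28374, 28379, SIGABRT) = 0
[pid 28379] +++ killed by SIGABRT (core dumped) +++
[pid 28434] +++ killed by SIGABRT (core dumped) +++
'''

LINE = re.compile(r'^\[pid\s+(\d+)\]\s+(.*)$')
RECV = re.compile(r'recvfrom\(\d+, "((?:[^"\\]|\\.)*)".*?inet_addr\("([^"]+)"\)')
ASSERT = re.compile(r'write\(2, "\*\*\\nERROR:([^:"]+):(\d+)')
PRI = re.compile(r'^<(\d{1,3})>')

def triage(strace_text):
    """Return one finding per thread that wrote an assertion message and then aborted."""
    last_recv, asserted, findings = {}, {}, []
    for line in strace_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, call = int(m.group(1)), m.group(2)
        recv, failed = RECV.search(call), ASSERT.search(call)
        if recv:
            last_recv[pid] = (recv.group(2), recv.group(1))   # (sender, payload prefix)
        elif failed:
            asserted[pid] = (failed.group(1), int(failed.group(2)))
        elif 'killed by SIGABRT' in call and pid in asserted:
            sender, payload = last_recv.get(pid, (None, ''))
            pri = PRI.match(payload)
            value = int(pri.group(1)) if pri else None
            findings.append({
                'pid': pid, 'sender': sender, 'payload_prefix': payload,
                # syslog PRI = facility * 8 + severity
                'facility': value >> 3 if pri else None,
                'severity': value & 7 if pri else None,
                'assert_file': asserted[pid][0], 'assert_line': asserted[pid][1],
            })
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE):
        print(finding)
```

strace truncates string arguments to 32 bytes by default, which is why only the start of the datagram is visible; raising the limit with its `-s` option captures the whole message that reaches the assertion.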