Re: [syslog-ng] message numbers
Balazs Scheidler <bazsi@balabit.hu> writes:
what is this message number? A serial number?
Actually it is a sequence number. I see it when my Cisco routers log via syslog. The number is incremented by one every time a router sends a syslog message. Very useful to detect missing log entries, among other things. Here's a hex dump of a complete packet, in case this helps clear things up:

     0: 0800 2083 600e 0000 0c76 bf10 0800 4500   .. .`....v....E.
    16: 0094 0182 0000 fe11 1690 8243 4ffc 8243   ...........CO..C
    32: 4fc4 1ac4 0202 0080 302f 3c31 3930 3e33   O.......0/<190>3
    48: 3536 313a 2046 6562 2032 3620 3232 3a33   561: Feb 26 22:3
    64: 393a 3138 2e32 3132 3a20 2553 4543 2d36   9:18.212: %SEC-6
    80: 2d49 5041 4343 4553 534c 4f47 503a 206c   -IPACCESSLOGP: l
    96: 6973 7420 3132 3020 6465 6e69 6564 2074   ist 120 denied t
   112: 6370                                      cp

... which produces the following syslog message. Note that I have removed the hostname and part of the message stating IP addresses.

    Feb 26 22:33:46 xxxxxxx.xx.telenor.net 3561: Feb 26 22:39:18.212: %SEC-6-IPACCESSLOGP: list 120 denied tcp...

Syslog-ng is running under Solaris 2.6.

-- 
Terje Krogdahl
Nextra AS - I don't buy from spammers.
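The sequence number Terje describes is worth more than a curiosity: a collector can check that each router's counter advances by exactly one and so notice records that were dropped in transit, delivered twice, or restarted by a reboot. What follows is an added example in Python, not code from the thread or from syslog-ng. It parses records in the shape the hex dump shows, `<PRI>SEQ: TIMESTAMP: %FACILITY-SEVERITY-MNEMONIC: text`, derives facility and severity from the PRI, checks that the PRI severity agrees with the severity digit in the mnemonic, and audits the sequence. The sample records are constructed for the example (documentation-range addresses, a deliberate gap, a duplicate, a mismatched severity and a counter reset); the field names are the example's own.

```python
"""Parse Cisco IOS syslog records and use the sequence number to detect loss.

Added example, not from the mailing-list thread or from syslog-ng. The record
layout is the one visible in the captured packet:
    <PRI>SEQ: TIMESTAMP: %FACILITY-SEVERITY-MNEMONIC: text
"""
import re

CISCO_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                   # PRI = facility*8 + severity
    r"(?P<seq>\d+): "                                        # IOS sequence number
    r"(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?:\.\d{1,3})?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# Constructed sample, modelled on the one real record in the thread. It contains
# a gap (3563, 3564 missing), a duplicate (3565 twice), a record whose PRI
# severity (6) disagrees with its mnemonic (-5-), and a counter reset (1).
SAMPLE = [
    "<190>3561: Feb 26 22:39:18.212: %SEC-6-IPACCESSLOGP: list 120 denied tcp 192.0.2.10(1034) -> 198.51.100.5(23), 1 packet",
    "<190>3562: Feb 26 22:39:19.001: %SEC-6-IPACCESSLOGP: list 120 denied tcp 192.0.2.10(1035) -> 198.51.100.5(23), 1 packet",
    "<190>3565: Feb 26 22:40:02.540: %SEC-6-IPACCESSLOGP: list 120 denied udp 192.0.2.77(53) -> 198.51.100.5(53), 1 packet",
    "<190>3565: Feb 26 22:40:02.540: %SEC-6-IPACCESSLOGP: list 120 denied udp 192.0.2.77(53) -> 198.51.100.5(53), 1 packet",
    "<189>3566: Feb 26 22:41:10.003: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.200)",
    "<190>3567: Feb 26 22:41:11.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down",
    "<189>1: Feb 26 22:45:00.000: %SYS-5-RESTART: System restarted",
]


def parse(record):
    """Return the fields of one IOS record, or None if it is not in that shape."""
    m = CISCO_RE.match(record)
    if m is None:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri >> 3,                 # 190 -> 23 (local7), the IOS default
        "severity": pri & 7,                  # 190 -> 6 (informational)
        "seq": int(m["seq"]),
        "stamp": m["stamp"],
        "mnemonic": f"%{m['fac']}-{m['sev']}-{m['mnemonic']}",
        "pri_matches_mnemonic": (pri & 7) == int(m["sev"]),
        "text": m["text"],
    }


def audit_sequence(records):
    """Walk records in arrival order and report what the sequence number shows:
    missing records ("gap"), repeated delivery ("duplicate"), a counter that
    went backwards ("reset", e.g. the router rebooted), records that do not
    parse, and a PRI severity that disagrees with the mnemonic."""
    findings = []
    last = None
    for rec in records:
        p = parse(rec)
        if p is None:
            findings.append(("unparsed", rec))
            continue
        seq = p["seq"]
        if last is not None:
            if seq == last:
                findings.append(("duplicate", seq))
            elif seq < last:
                findings.append(("reset", last, seq))
            elif seq > last + 1:
                findings.append(("gap", last, seq, seq - last - 1))
        if not p["pri_matches_mnemonic"]:
            findings.append(("severity_mismatch", seq, p["severity"], p["mnemonic"]))
        last = seq
    return findings


def audit_sample():
    """Run the audit over the constructed sample."""
    return audit_sequence(SAMPLE)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Run per source host: the counter belongs to one router, so records from several routers must be demultiplexed by sender before the audit, otherwise interleaving looks like gaps and resets.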
Hi,

Syslog-ng doesn't work with HP/UX named pipe /dev/log. syslog-ng must open /dev/log with O_RDWR instead of O_RDONLY.

-Klaus

-- 
Klaus Groenhoej
Kommunedata A/S
Hadsundvej 184
9100 Aalborg
Denmark
Phone: (+45)44601000 #2677
Direct: (+45)44602677
Fax: (+45)44602990
Syslog-ng doesn't work with HP/UX named pipe /dev/log.
syslog-ng must open /dev/log with O_RDWR instead of O_RDONLY.
why?

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
Hi,

snip from "man 2 read":

    When attempting to read from an empty pipe or FIFO:
    + If no process has the pipe open for writing, read() will return 0 to indicate end-of-file.
    + If some process has the pipe open for writing and O_NONBLOCK is set, read() will return -1 and set errno to EAGAIN.
    + If some process has the pipe open for writing and O_NONBLOCK is clear, read() will block until some data is written or the pipe is closed by all processes that had the pipe open for writing.

syslog-ng will open /dev/log, try to read from /dev/log and will receive end-of-file. syslog-ng closes /dev/log and opens the file again, tries to read from /dev/log and receives end-of-file, etc. etc.

-Klaus

-- 
Klaus Groenhoej
Kommunedata A/S
Hadsundvej 184
9100 Aalborg
Denmark
Phone: (+45)44601000 #2677
Direct: (+45)44602677
Fax: (+45)44602990

----- Original Message -----
From: "Balazs Scheidler" <bazsi@balabit.hu>
To: <syslog-ng@venus.terrasoft.hu>
Sent: Monday, February 28, 2000 2:15 PM
Subject: Re: [syslog-ng] syslog-ng on hp-ux
Syslog-ng doesn't work with HP/UX named pipe /dev/log.
syslog-ng must open /dev/log with O_RDWR instead of O_RDONLY.
why?
-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu http://lists.balabit.hu/mailman/listinfo/syslog-ng
Hello!

A quick glance at my logfiles shows that on startup syslog-ng will produce 2 messages. One of them ends up in /var/syslog/husmusen/1970/01/debug

*snip*
Feb 29 14:57:13 husmusen syslog-ng[22926]: syslog-ng version 1.4.0rc3 starting
*snip*

and the other one ends up in /var/syslog/husmusen/2000/02/debug (which to me seems more correct since it's not year 1970 and not even month 01 :-)

*snip*
Feb 29 14:57:13 husmusen syslog-ng: syslog-ng startup succeeded
*snip*

Am I missing something (besides sleep)?

/John
On Tue, Feb 29, 2000 at 03:05:23PM +0100, John Källström wrote:
Hello!
A quick glance at my logfiles shows that on startup syslog-ng will produce 2 messages. One of them ends up in /var/syslog/husmusen/1970/01/debug
*snip*
Feb 29 14:57:13 husmusen syslog-ng[22926]: syslog-ng version 1.4.0rc3 starting
*snip*
ops, internal messages had bogus date, try this patch: diff -urN syslog-ng-1.4.0rc3/src/log.c syslog-ng-1.4.0rc4/src/log.c --- syslog-ng-1.4.0rc3/src/log.c Fri Feb 25 13:20:43 2000 +++ syslog-ng-1.4.0rc4/src/log.c Tue Feb 29 16:36:13 2000 @@ -142,7 +142,7 @@ } else { while (left && *src != ' ' && *src != '[' && *src != ':' && - src != '/' && src != ',' && src != '<') { + *src != '/' && *src != ',' && *src != '<') { src++; left--; } @@ -193,7 +193,7 @@ NEW_SPACE(self); self->msg = c_format_cstring("syslog-ng[%i]: %s", getpid(), length, data); self->program = c_format_cstring("syslog-ng"); - self->recvd = time(NULL); + self->stamp = self->recvd = time(NULL); self->pri = pri; self->flags = LF_INTERNAL; self->use_cnt = 1;
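Review bot: in the first hunk (@@ -142,7) the old condition compared the pointer itself to the delimiters, `src != '/' && src != ',' && src != '<'`, a pointer-versus-character comparison that is true for any real buffer address, so the program-name scan never stopped at '/', ',' or '<'; the fix dereferences, which is correct. gcc reports this construct as a comparison between pointer and integer, so it would be worth making that warning fatal in the build so the next slip of this kind does not reach a release candidate.

Review bot: in the second hunk (@@ -193,7) `stamp` is now set alongside `recvd`, but only in this internal-message constructor; before the change it kept whatever NEW_SPACE(self) left in it, which the 1970/01/debug path in the report shows was the epoch. Any other code path that fills in `recvd` without `stamp` will reproduce the same bogus directory, so consider initializing `stamp` in one place (where the message is allocated, or as a check that `stamp` is non-zero before a destination formats it) rather than per constructor.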
and the other one ends up in /var/syslog/husmusen/2000/02/debug (which to me seems more correct since it's not year 1970 and not even month 01 :-)
*snip*
Feb 29 14:57:13 husmusen syslog-ng: syslog-ng startup succeeded
*snip*
this line is not generated by syslog-ng, maybe a special startup script?

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
snip from "man 2 read":
When attempting to read from an empty pipe or FIFO:
+ If no process has the pipe open for writing, read() will return 0 to indicate end-of-file.
+ If some process has the pipe open for writing and O_NONBLOCK is set, read() will return -1 and set errno to EAGAIN.
+ If some process has the pipe open for writing and O_NONBLOCK is clear, read() will block until some data is written or the pipe is closed by all processes that had the pipe open for writing.
syslog-ng will open /dev/log, try to read from /dev/log and will receive end-of-file. syslog-ng closes /dev/log and opens the file again, tries to read from /dev/log and receives end-of-file, etc. etc.
thanks for the explanation. What does poll() return on pipes with no writer processes? If syslog-ng maxes out the CPU it most probably means that poll() returns that the pipe is readable.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
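The failure mode Klaus describes and the poll() question above can both be watched on a scratch FIFO. The following is an added example, not code from syslog-ng or from anyone in the thread, and it shows Linux behaviour (HP-UX may differ): a temporary FIFO stands in for /dev/log, and a short-lived writer plays a syslog(3) client that opens the FIFO, writes one record and closes. With the daemon side opened O_RDONLY, the pipe reports end-of-file and POLLHUP once the client is gone, so a poll()-driven reader is woken again and again with nothing to read until it closes and reopens, and a client that tries to open the FIFO for writing while the daemon has it closed blocks (or fails with O_NONBLOCK). With O_RDWR the daemon itself counts as a writer: read() returns EAGAIN instead of 0, poll() reports nothing until real data arrives, and the descriptor never needs to be reopened. The record text and helper names are the example's own.

```python
"""Why a syslog daemon should hold its log FIFO open O_RDWR.

Added example, not syslog-ng code. A temporary FIFO stands in for /dev/log and
a short-lived writer stands in for a syslog(3) client that opens the FIFO,
writes one record and closes. The results described are those of Linux pipes.
"""
import os
import select
import tempfile

# Constructed record, in the shape of the Cisco message quoted in the thread.
RECORD = b"<190>3561: Feb 26 22:39:18.212: %SEC-6-IPACCESSLOGP: test\n"


def client_writes(path, record):
    """Behave like a syslog client: open for writing, write one record, close."""
    wfd = os.open(path, os.O_WRONLY)      # a reader exists, so this does not block
    try:
        os.write(wfd, record)
    finally:
        os.close(wfd)


def read_nonblocking(fd):
    """Classify one non-blocking read(): ("data", bytes), "eof" or "eagain"."""
    try:
        buf = os.read(fd, 4096)
    except BlockingIOError:               # read() returned -1 with errno EAGAIN
        return "eagain"
    return ("data", buf) if buf else "eof"  # empty read means end-of-file


def poll_flags(fd, timeout_ms=0):
    """Return the revents poll() reports for fd (0 means nothing pending)."""
    p = select.poll()
    p.register(fd, select.POLLIN)
    events = p.poll(timeout_ms)
    return events[0][1] if events else 0


def observe(open_flags):
    """Open a fresh FIFO with open_flags|O_NONBLOCK, let one client write and
    leave, then report what the daemon side sees afterwards."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "log")
    os.mkfifo(path)
    fd = os.open(path, open_flags | os.O_NONBLOCK)
    try:
        client_writes(path, RECORD)
        message = read_nonblocking(fd)    # the client's record, buffered in the pipe
        after = read_nonblocking(fd)      # the pipe once the client has closed
        hup = bool(poll_flags(fd) & select.POLLHUP)
        return {"message": message, "after_client_closed": after, "pollhup": hup}
    finally:
        os.close(fd)
        os.unlink(path)
        os.rmdir(tmpdir)


def compare():
    """Daemon side opened O_RDONLY (the reported HP-UX failure) versus O_RDWR."""
    return {"O_RDONLY": observe(os.O_RDONLY), "O_RDWR": observe(os.O_RDWR)}


if __name__ == "__main__":
    for flags, seen in compare().items():
        print(flags, seen)
```

The O_RDWR trick is what makes the FIFO source robust: the daemon can never observe a writer count of zero, so neither the EOF loop nor the reopen race with a connecting client can occur. It is not needed for AF_UNIX sockets, which is what /dev/log is on most other systems.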
participants (4)
- Balazs Scheidler
- John Källström
- Klaus Groenhoej
- Terje Krogdahl