Re: syslog-ng Digest, Vol 1, Issue 1253
Hi,

You can edit /etc/syslog-ng.conf file to avoid this. Edit this file so that you will not be seeing the messages on the console.

On Tue, 24 May 2005 syslog-ng-request@lists.balabit.hu wrote:
Today's Topics:
   1. Re: No line break every so often (Balazs Scheidler)
   2. how to avoid logging to consoles? (iv)
   3. Re: how to avoid logging to consoles? (Balazs Scheidler)
   4. Re: how to avoid logging to consoles? (Jesse Molina)
----------------------------------------------------------------------
Message: 1
Date: Mon, 23 May 2005 12:59:04 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [syslog-ng] No line break every so often
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <1116845944.23550.11.camel@bzorp.balabit>
Content-Type: text/plain
On Fri, 2005-05-20 at 12:14 -0700, Mike Tremaine wrote:
On Fri, 2005-05-20 at 04:49, Balazs Scheidler wrote:
Luckily it is... Attached is a trimmed-down trace file with a few examples of the problem [about 200 lines, let me know if more would be useful...]
To my [uneducated] eye it looks like sendmail is the problem, but like I said, sometimes it does it right, sometimes it doesn't.
Example:
read(16, "<20>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: premature EOM: unexpected close", 2048) = 93
Notice no \0 or \n
Then the next read
read(16, "<21>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: unexpected close on connection from [61.43.165.161], sender=<Hager@indiatimes.com>\0<22>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: from=<Hager@indiatimes.com>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[61.43.165.161]\0", 1955) = 300
A null terminator.
That leads to the output
write(22, "2005-05-20 07:48:02 quasar mail.warning sendmail[16668]: j4KEkWOv016668: collect: premature EOM: unexpected close<21>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: unexpected close on connection from [61.43.165.161], sender=<Hager@indiatimes.com>\n2005-05-20 07:48:02 quasar mail.info sendmail[16668]: j4KEkWOv016668: from=<Hager@indiatimes.com>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[61.43.165.161]\n", 430) = 430 .
So the null was caught and turned into \n but the line before it runs together. With some weird <21> [and more often <22> see trace file].
Hm. Sendmail really seems to be the culprit; it is only hidden by sysklogd using unix-dgram() sockets, in which case the syslog daemon does not care whether the message was NL or \0 terminated or not.
The manpage for syslogd mentions:
... "A trailing newline is added when needed."
This does not seem to be true. After judging the source it seems to be adding the NL character only if LOG_PERROR is specified to openlog() which clearly isn't the case for sendmail.
I'd say this is a libc bug which you can work around by avoiding using unix-stream and sticking to unix-dgram instead. (a solution which I myself do not like).
-- Bazsi
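
The framing difference described in this message, as an added example that is not part of the original thread or of syslog-ng: on a stream socket an unterminated message runs into the next one, while on a datagram socket each send is its own record. The sample messages are constructed (shortened from the strace excerpt, with a placeholder address), and the function names are hypothetical.

```python
import re

# Constructed sample: three messages as a client might write them to /dev/log,
# shortened from the strace excerpt above. Only the first lacks a terminator.
SENDS = [
    b"<20>May 20 07:48:02 sendmail[16668]: collect: premature EOM: unexpected close",
    b"<21>May 20 07:48:02 sendmail[16668]: collect: unexpected close on connection\0",
    b"<22>May 20 07:48:02 sendmail[16668]: from=<user@example.com>, size=0\0",
]

# A syslog header: <PRI> followed by a BSD-style timestamp.
HEADER = re.compile(rb"<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")


def frame_stream(sends):
    """unix-stream: write boundaries are lost, a record ends only at NUL or NL."""
    return [rec for rec in re.split(rb"[\0\n]", b"".join(sends)) if rec]


def frame_dgram(sends):
    """unix-dgram: each datagram is one record, terminator or not."""
    return [s.rstrip(b"\0\n") for s in sends if s.rstrip(b"\0\n")]


def merged_records(records):
    """Flag records that carry a second syslog header after the first byte."""
    return [rec for rec in records if HEADER.search(rec, 1)]


def resplit(records):
    """Recover the original records by cutting before every embedded header."""
    cut = re.compile(rb"(?=" + HEADER.pattern + rb")")
    return [part for rec in records for part in cut.split(rec) if part]


if __name__ == "__main__":
    stream = frame_stream(SENDS)
    print(len(stream), "records from the stream,", len(merged_records(stream)), "merged")
    print(len(frame_dgram(SENDS)), "records from datagrams")
    for rec in resplit(stream):
        print(rec.decode())
```

A message body that itself contains a header-like string would also be cut by resplit(), so treat it as a repair heuristic for stored logs and not as a replacement for correct framing at the source.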
------------------------------
Message: 2
Date: Mon, 23 May 2005 17:15:34 +0200
From: iv <iv@zabuchy.net>
Subject: [syslog-ng] how to avoid logging to consoles?
To: syslog-ng@lists.balabit.hu
Message-ID: <4291F396.8040307@zabuchy.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

hi all
i'm trying to configure syslog-ng for logging events from firewall
everything works fine, except one thing:
all messages appear on all my consoles
how can i avoid that?
it makes impossible working with the console, logs appear even while editing files
and situation doesn't change when i comment out all "log" entries in the syslog-ng.conf file
please, any ideas:)
my syslog-ng.conf:
options {
    use_fqdn(yes);
    use_dns(no);
    chain_hostnames(yes);
    use_time_recvd(no);
    # sync(10);
    perm(0640);
    owner("root");
    group("root");
    create_dirs(yes);
    dir_perm(0750);
    dir_owner("root");
    dir_group("root");
};

source syslog { unix-stream("/dev/log"); };
source kernel { file("/proc/kmsg"); };
source syslog-ng { internal(); };

destination firewall { file("/spool/$HOST/$YEAR/$MONTH/$DAY/firewall"); };
destination kernel { file("/spool/$HOST/$YEAR/$MONTH/$DAY/kernel"); };
destination invalid { file("/spool/unknown/$YEAR/$MONTH/$DAY/invalid"); };
destination postfix { file("/spool/$HOST/$YEAR/$MONTH/$DAY/postfix"); };
destination cron { file("/spool/$HOST/$YEAR/$MONTH/$DAY/cron"); };
destination generic { file("/spool/$HOST/$YEAR/$MONTH/$DAY/$PROGRAM"); };
destination syslog-ng { file("/spool/$HOST/$YEAR/$MONTH/$DAY/syslog-ng"); };
destination misc { file("/spool/$HOST/$YEAR/$MONTH/$DAY/misc"); };

## kernel
filter firewall { match("IN=") and match("OUT=") and match("PROTO="); };
filter notfirewall { not match("IN=") and not match("OUT=") and not match("PROTO="); };
log { source(kernel); filter(firewall); destination(firewall); };
log { source(kernel); filter(notfirewall); destination(kernel); };

## internal
log { source(syslog-ng); destination(syslog-ng); };

## syslog
filter invalid { not host("^syslog@[a-z]+$"); };
filter postfix { host("^syslog@[a-z]+$") and program("^postfix/"); };
filter cron { host("^syslog@[a-z]+$") and program("^(/USR/SBIN/CRON|/usr/sbin/cron)$"); };
filter generic { host("^syslog@[a-z]+$") and program("^([a-z][a-z._-]*)$"); };
log { source(syslog); filter(invalid); destination(invalid); };
log { source(syslog); filter(postfix); destination(postfix); };
log { source(syslog); filter(cron); destination(cron); };
log { source(syslog); filter(generic); destination(generic); };
log { source(syslog); destination(misc); flags(fallback); };
i'm running linux debian 2.6.11.8 testing
thanks in advance, iv
------------------------------
Message: 3
Date: Mon, 23 May 2005 18:08:35 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [syslog-ng] how to avoid logging to consoles?
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <1116864515.19621.7.camel@bzorp.balabit>
Content-Type: text/plain
On Mon, 2005-05-23 at 17:15 +0200, iv wrote:
hi all
i'm trying to configure syslog-ng for logging events from firewall
everything works fine, except one thing:
all messages appear on all my consoles
how can i avoid that?
it makes impossible working with the console, logs appear even while editing files
and situation doesn't change when i comment out all "log" entries in the syslog-ng.conf file
please, any ideas:)
short answer: "dmesg -n1"
long answer: syslog-ng does not change kernel logging parameters on its own, which is performed automatically by klogd. but you can do the same using dmesg.
-- Bazsi
------------------------------
Message: 4
Date: Mon, 23 May 2005 10:40:13 -0700
From: Jesse Molina <jesse@opendreams.net>
Subject: Re: [syslog-ng] how to avoid logging to consoles?
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <20050523174013.GA18331@shoebox>
Content-Type: text/plain; charset=us-ascii
Hi
man dmesg
Use the -n arg, which will do what you want.
You will probably need to add this to a startup script. Use update-rc.d for that, or make yourself a .deb if you must.
--
# Jesse Molina
# Mail = jesse@opendreams.net
# Page = page-jesse@opendreams.net
# Cell = 1.602.323.7608
# Web = http://www.opendreams.net/jesse/
Muggalla Balajee,