Hi,

I am new to syslog-ng and have set up a system using eventlog-0.2.5 and syslog-ng-2.0.1.

Local sendmail messages seem to have 2 entries together. I am not sure if something is awry with the config included below, but it seems to only happen with the sendmail entries from sendmail running on the log host.

I am trying to write messages to both /var/log/maillog and /var/log/archive/2007-01-25. Messages logged from the sending server seem ok but sendmail running on the log server appear to be on the same line separated by <22>.

Messages in maillog and 2007-01-25 look the same.

Thanks for your help,
Fran

Example:
---------
Jan 25 13:20:12 secmgmt-cs01 sendmail[3050]: l0PIKCSY003050: from=<root@secmgmt-cs02.secmgmt.pvt>, size=619, class=0, nrcpts=1, msgid=<200701251820.l0PIKCEu004718@secmgmt-cs02.secmgmt.pvt>, proto=ESMTP, daemon=MTA, relay=secmgmt-cs02.secmgmt.pvt [10.200.1.5]<22>Jan 25 13:20:12 sendmail[3051]: l0PIKCSY003050: to=<lhmn@secmgmt-cs01.secmgmt.pvt>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30856, dsn=2.0.0, stat=Sent

Config:
-------
#**********
# Options
#**********
options {
    use_dns(persist-only);
    dns_cache_hosts(/etc/hosts);
    chain_hostnames(no);
    keep_hostname(yes);
    log_fifo_size(4096);
    log_msg_size(8192);
    stats(3600);
    sync(0);
    time_reopen(10);
    bad_hostname("sccp|tmm");
};

#*********
# Sources
#*********
## local
source s_local {
    unix-stream("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
    internal();
};

## remote
source s_remote {
    udp();
    tcp(ip(0.0.0.0) port(514) max-connections(300));
};

#*********
# Filters
#*********
## Local filters
filter f_messages { level(info..emerg); };
filter f_secure   { facility(authpriv); };
filter f_mail     { facility(mail); };
filter f_cron     { facility(cron); };
filter f_emerg    { level(emerg); };
filter f_spooler  { level(crit..emerg) and facility(uucp, news); };
filter f_local7   { facility(local7); };
#filter f_debug   { level(debug); };

## SEC
destination d_sec {
    program("/usr/local/bin/sec.pl -input=\"-\" -conf=/usr/local/etc/sec.conf");
};

## Archive - timestamped archives
destination d_archive {
    file("/var/log/archive/$R_YEAR-$R_MONTH-$R_DAY"
         owner("root") group("logs") dir_group("logs")
         perm(0640) dir_perm(0750) create_dirs(yes));
};

#*****************
# Log statements
#*****************
# Send all logs to sec.pl
log { source(s_local); source(s_remote); destination(d_sec); };

# Send all logs to archive
log { source(s_local); source(s_remote); destination(d_archive); };

# Local logs - order DOES matter !
log { source(s_local); filter(f_emerg);    destination(d_console); };
log { source(s_local); filter(f_secure);   destination(d_secure);   flags(final); };
log { source(s_local); filter(f_mail);     destination(d_maillog);  flags(final); };
log { source(s_local); filter(f_cron);     destination(d_cron);     flags(final); };
log { source(s_local); filter(f_spooler);  destination(d_spooler); };
log { source(s_local); filter(f_local7);   destination(d_bootlog); };
log { source(s_local); filter(f_messages); destination(d_messages); };
#log { source(s_local); filter(f_debug);   destination(d_debug); };
On Thu, 2007-01-25 at 14:18 -0500, Fran Loehmann wrote:
> Hi,
>
> I am new to syslog-ng and have set up a system using eventlog-0.2.5 and syslog-ng-2.0.1
>
> Local sendmail messages seem to have 2 entries together. I am not sure if something is awry with the config included below, but it seems to only happen with the sendmail entries from sendmail running on the log host.
>
> I am trying to write messages to both /var/log/maillog and /var/log/archive/2007-01-25. Messages logged from the sending server seem ok but sendmail running on the log server appear to be on the same line separated by <22>.
>
> Messages in maillog and 2007-01-25 look the same.

Can you strace sendmail (or syslog-ng) as it sends/receives a log message? On unix-stream transport syslog-ng expects messages to be NL or NUL terminated.

-- Bazsi
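Bazsi's remark about terminators is the crux of the whole thread, so here is an added example (mine, not code from syslog-ng or from anyone in the thread) of what a receiver on a stream transport has to do, and of why a missing terminator produces exactly the symptom Fran reports. On a SOCK_STREAM socket the kernel hands over a byte stream with no record boundaries, so the receiver must cut at NL or NUL itself and hold back anything unterminated until more bytes arrive. The two messages are reconstructed in wire form from the example in Fran's first mail (syslog-ng adds the hostname later, so it is absent here); the receiver logic is a deliberately small stand-in for a unix-stream() source, not syslog-ng's actual code.

```python
# Added example, not code from the thread or from syslog-ng: a minimal framer
# for a stream transport (unix-stream()/SOCK_STREAM), where the kernel delivers
# a byte stream and the receiver has to find the message boundaries itself.
from typing import List, Tuple

NL, NUL = 0x0A, 0x00  # the two terminators a stream source accepts


def frame(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split buf at every NL or NUL. Returns (complete messages, leftover)."""
    messages: List[bytes] = []
    start = 0
    for i, byte in enumerate(buf):
        if byte in (NL, NUL):
            messages.append(buf[start:i])
            start = i + 1
    return messages, buf[start:]


def receive(reads: List[bytes]) -> List[bytes]:
    """Feed successive read() results through frame(), carrying leftover bytes
    forward the way a real receiver must. An unterminated message therefore
    stays in the carry buffer and is emitted glued to the front of whatever
    arrives next, which is the <22> in the middle of Fran's maillog lines."""
    carry = b""
    out: List[bytes] = []
    for chunk in reads:
        msgs, carry = frame(carry + chunk)
        out.extend(msgs)
    return out


# Wire-format reconstruction of the two records in Fran's first example. <22> is
# the syslog priority (facility mail, severity info). Constructed for this example.
FROM_MSG = b"<22>Jan 25 13:20:12 sendmail[3050]: l0PIKCSY003050: from=<root@secmgmt-cs02.secmgmt.pvt>, size=619, class=0, nrcpts=1, msgid=<200701251820.l0PIKCEu004718@secmgmt-cs02.secmgmt.pvt>, proto=ESMTP, daemon=MTA, relay=secmgmt-cs02.secmgmt.pvt [10.200.1.5]"
TO_MSG = b"<22>Jan 25 13:20:12 sendmail[3051]: l0PIKCSY003050: to=<lhmn@secmgmt-cs01.secmgmt.pvt>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30856, dsn=2.0.0, stat=Sent"


def demo() -> dict:
    """Compare a sender that omits the terminator on the first record (what the
    sendmail strace later in this thread shows) with one that terminates both."""
    broken = receive([FROM_MSG, TO_MSG + b"\0"])           # first record unterminated
    correct = receive([FROM_MSG + b"\0", TO_MSG + b"\0"])  # both records terminated
    return {"broken": broken, "correct": correct}


if __name__ == "__main__":
    result = demo()
    print(len(result["broken"]), "record(s) from the unterminated sender:")
    for m in result["broken"]:
        print("  ", m.decode())
    print(len(result["correct"]), "record(s) from the terminated sender")
```

The unterminated run yields a single record containing both messages back to back, while the terminated run yields two; the receiver cannot tell the difference between "the sender forgot the terminator" and "the rest of this message has not arrived yet", so it has no safe way to split on its own.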
On Fri, 26 Jan 2007, Balazs Scheidler wrote:
> On Thu, 2007-01-25 at 14:18 -0500, Fran Loehmann wrote:
> > Hi,
> >
> > I am new to syslog-ng and have set up a system using eventlog-0.2.5 and syslog-ng-2.0.1
> >
> > Local sendmail messages seem to have 2 entries together. I am not sure if something is awry with the config included below, but it seems to only happen with the sendmail entries from sendmail running on the log host.
> >
> > I am trying to write messages to both /var/log/maillog and /var/log/archive/2007-01-25. Messages logged from the sending server seem ok but sendmail running on the log server appear to be on the same line separated by <22>.
> >
> > Messages in maillog and 2007-01-25 look the same.
>
> Can you strace sendmail (or syslog-ng) as it sends/receives a log message?
> On unix-stream transport syslog-ng expects messages to be NL or NUL terminated.

Thanks for your reply.

I ran strace -o trc1 -f -ff /usr/local/sbin/syslog-ng and attached the file that seemed to have the sendmail message. I can attach all of the files if needed.

Fran
On Fri, 26 Jan 2007, Balazs Scheidler wrote:
> On Thu, 2007-01-25 at 14:18 -0500, Fran Loehmann wrote:
> > Hi,
> >
> > I am new to syslog-ng and have set up a system using eventlog-0.2.5 and syslog-ng-2.0.1
> >
> > Local sendmail messages seem to have 2 entries together. I am not sure if something is awry with the config included below, but it seems to only happen with the sendmail entries from sendmail running on the log host.
> >
> > I am trying to write messages to both /var/log/maillog and /var/log/archive/2007-01-25. Messages logged from the sending server seem ok but sendmail running on the log server appear to be on the same line separated by <22>.
> >
> > Messages in maillog and 2007-01-25 look the same.
>
> Can you strace sendmail (or syslog-ng) as it sends/receives a log message?
> On unix-stream transport syslog-ng expects messages to be NL or NUL terminated.

In addition to my previous post with the syslog-ng strace output I've attached what seems to be the relevant file from a sendmail strace. (I am uncertain if you need all of the strace.)

Seeing the following in the strace...

connect(3, {sa_family=AF_FILE, path="/dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)

... I changed unix-stream("/dev/log"); to unix-dgram("/dev/log"); and the message appears as expected in the log.

Thanks,
Fran
On Fri, 2007-01-26 at 12:11 -0500, Fran Loehmann wrote:
> On Fri, 26 Jan 2007, Balazs Scheidler wrote:
> > On Thu, 2007-01-25 at 14:18 -0500, Fran Loehmann wrote:
> > > Hi,
> > >
> > > I am new to syslog-ng and have set up a system using eventlog-0.2.5 and syslog-ng-2.0.1
> > >
> > > Local sendmail messages seem to have 2 entries together. I am not sure if something is awry with the config included below, but it seems to only happen with the sendmail entries from sendmail running on the log host.
> > >
> > > I am trying to write messages to both /var/log/maillog and /var/log/archive/2007-01-25. Messages logged from the sending server seem ok but sendmail running on the log server appear to be on the same line separated by <22>.
> > >
> > > Messages in maillog and 2007-01-25 look the same.
> >
> > Can you strace sendmail (or syslog-ng) as it sends/receives a log message?
> > On unix-stream transport syslog-ng expects messages to be NL or NUL terminated.
>
> In addition to my previous post with the syslog-ng strace output I've attached what seems to be the relevant file from a sendmail strace. (I am uncertain if you need all of the strace.)
>
> Seeing the following in the strace...
>
> connect(3, {sa_family=AF_FILE, path="/dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
>
> ... I changed unix-stream("/dev/log"); to unix-dgram("/dev/log"); and the message appears as expected in the log.

This is a workaround and not a solution. It just happened that sendmail interops with unix-dgram() better than with unix-stream().

The problem with the strace dump you posted is that it does not contain the complete messages as sent by sendmail. You need to pass the '-s' parameter to strace to include longer strings (for example -s 4096).

-- Bazsi
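To make the difference between the two source types concrete, here is an added example (mine, not from syslog-ng or sendmail) using plain AF_UNIX sockets in Python. It reproduces the EPROTOTYPE Fran saw in the connect() call, which is what the kernel returns when a SOCK_DGRAM client connects to a socket that was created as SOCK_STREAM, and then pushes the two exact send() buffers from Fran's later sendmail strace through a datagram socketpair and a stream socketpair. Only the datagram transport keeps the two records apart by itself, which is why unix-dgram() hides the missing terminator rather than fixing it. The temporary socket path stands in for /dev/log and is an assumption of the example.

```python
# Added example, not code from the thread: reproduces two observations from the
# thread with ordinary AF_UNIX sockets. (1) connect() of a datagram socket to a
# stream listener fails with EPROTOTYPE. (2) SOCK_DGRAM preserves send()
# boundaries, SOCK_STREAM does not.
import errno
import os
import socket
import tempfile
from typing import List

# The two exact buffers sendmail handed to send() in Fran's strace (238 and 228
# bytes). Only the second one ends in a NUL terminator.
MSG_FROM = b"<22>Jan 29 19:41:16 sendmail[15692]: l0U0fGKc015692: from=<loehmanf@secmgmt-cs02.secmgmt.pvt>, size=385, class=0, nrcpts=1, msgid=<200701300041.l0U0fGWk015689@secmgmt-cs02.secmgmt.pvt>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]"
MSG_TO = b"<22>Jan 29 19:41:16 sendmail[15693]: l0U0fGKc015692: to=<loehmanf@secmgmt-cs02.secmgmt.pvt>, ctladdr=<loehmanf@secmgmt-cs02.secmgmt.pvt> (1011/999), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30636, dsn=2.0.0, stat=Sent\0"


def connect_type_mismatch() -> int:
    """Bind a SOCK_STREAM listener on a throwaway path (standing in for
    /dev/log) and connect a SOCK_DGRAM client to it, as a syslog(3) client that
    opens /dev/log as a datagram socket would. Returns the errno the kernel
    reports; on Linux this is EPROTOTYPE, exactly what Fran's strace shows."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "log")  # assumption: any writable path works
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        listener.bind(path)
        listener.listen(1)
        try:
            client.connect(path)
        except OSError as e:
            return e.errno
        return 0
    finally:
        client.close()
        listener.close()
        os.unlink(path)
        os.rmdir(tmpdir)


def mismatch_is_eprototype() -> bool:
    return connect_type_mismatch() == errno.EPROTOTYPE


def deliver(sock_type: int, payloads: List[bytes]) -> List[bytes]:
    """Push payloads through an AF_UNIX socketpair of the given type, all
    send()s before any recv(), and return what each recv() produced."""
    sender, receiver = socket.socketpair(socket.AF_UNIX, sock_type)
    try:
        for p in payloads:
            sender.send(p)
        receiver.setblocking(False)  # drain what is queued, stop on EAGAIN
        chunks: List[bytes] = []
        while True:
            try:
                chunk = receiver.recv(65536)
            except BlockingIOError:
                break
            if not chunk:
                break
            chunks.append(chunk)
        return chunks
    finally:
        sender.close()
        receiver.close()


def compare() -> dict:
    """Same two messages, two transports: the datagram side yields one record
    per send(); the stream side yields one blob with no boundary between them."""
    dgram = deliver(socket.SOCK_DGRAM, [MSG_FROM, MSG_TO])
    stream = deliver(socket.SOCK_STREAM, [MSG_FROM, MSG_TO])
    return {
        "dgram_records": len(dgram),
        "stream_records": len(stream),
        "stream_bytes": b"".join(stream),
        "first_terminated": MSG_FROM.endswith((b"\n", b"\0")),
    }


if __name__ == "__main__":
    print("dgram connect to stream listener ->", errno.errorcode[connect_type_mismatch()])
    r = compare()
    print("datagram transport delivered", r["dgram_records"], "record(s)")
    print("stream transport delivered", r["stream_records"], "record(s),",
          len(r["stream_bytes"]), "bytes; first message terminated:", r["first_terminated"])
```

This is the mechanism behind "workaround, not solution": with unix-dgram() the kernel supplies the record boundary that the sender forgot, so the log looks right, but any stream path the same messages later take (a tcp() relay, for instance) would glue them again unless every message is terminated.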
On Mon, 29 Jan 2007, Balazs Scheidler wrote:
> On Fri, 2007-01-26 at 12:11 -0500, Fran Loehmann wrote:
> > On Fri, 26 Jan 2007, Balazs Scheidler wrote:
> > > On Thu, 2007-01-25 at 14:18 -0500, Fran Loehmann wrote:
> > > > Hi,
> > > >
> > > > I am new to syslog-ng and have set up a system using eventlog-0.2.5 and syslog-ng-2.0.1
> > > >
> > > > Local sendmail messages seem to have 2 entries together. I am not sure if something is awry with the config included below, but it seems to only happen with the sendmail entries from sendmail running on the log host.
> > > >
> > > > I am trying to write messages to both /var/log/maillog and /var/log/archive/2007-01-25. Messages logged from the sending server seem ok but sendmail running on the log server appear to be on the same line separated by <22>.
> > > >
> > > > Messages in maillog and 2007-01-25 look the same.
> > >
> > > Can you strace sendmail (or syslog-ng) as it sends/receives a log message?
> > > On unix-stream transport syslog-ng expects messages to be NL or NUL terminated.
> >
> > In addition to my previous post with the syslog-ng strace output I've attached what seems to be the relevant file from a sendmail strace. (I am uncertain if you need all of the strace.)
> >
> > Seeing the following in the strace...
> >
> > connect(3, {sa_family=AF_FILE, path="/dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
> >
> > ... I changed unix-stream("/dev/log"); to unix-dgram("/dev/log"); and the message appears as expected in the log.
>
> This is a workaround and not a solution. It just happened that sendmail interops with unix-dgram() better than with unix-stream().
>
> The problem with the strace dump you posted is that it does not contain the complete messages as sent by sendmail. You need to pass the '-s' parameter to strace to include longer strings (for example -s 4096).

Thank you for your guidance and patience. I traced sendmail again and was able to see the messages sent to syslog-ng while using unix-stream. I can send along the whole strace output if helpful. It is ~128k in size.

I looked for the log messages below in the strace output.

Jan 29 19:41:16 secmgmt-cs02 sendmail[15692]: l0U0fGKc015692: from=<loehmanf@secmgmt-cs02.secmgmt.pvt>, size=385, class=0, nrcpts=1, msgid=<200701300041.l0U0fGWk015689@secmgmt-cs02.secmgmt.pvt>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]<22>Jan 29 19:41:16 sendmail[15693]: l0U0fGKc015692: to=<loehmanf@secmgmt-cs02.secmgmt.pvt>, ctladdr=<loehmanf@secmgmt-cs02.secmgmt.pvt> (1011/999), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30636, dsn=2.0.0, stat=Sent

It seems the first message does not end in \0 as does the second.

15692 send(3, "<22>Jan 29 19:41:16 sendmail[15692]: l0U0fGKc015692: from=<loehmanf@secmgmt-cs02.secmgmt.pvt>, size=385, class=0, nrcpts=1, msgid=<200701300041.l0U0fGWk015689@secmgmt-cs02.secmgmt.pvt>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]", 238, MSG_NOSIGNAL) = -1 ENOTCONN (Transport endpoint is not connected)
15692 send(3, "<22>Jan 29 19:41:16 sendmail[15692]: l0U0fGKc015692: from=<loehmanf@secmgmt-cs02.secmgmt.pvt>, size=385, class=0, nrcpts=1, msgid=<200701300041.l0U0fGWk015689@secmgmt-cs02.secmgmt.pvt>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]", 238, MSG_NOSIGNAL) = 238
15693 send(3, "<22>Jan 29 19:41:16 sendmail[15693]: l0U0fGKc015692: to=<loehmanf@secmgmt-cs02.secmgmt.pvt>, ctladdr=<loehmanf@secmgmt-cs02.secmgmt.pvt> (1011/999), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30636, dsn=2.0.0, stat=Sent\0", 228, MSG_NOSIGNAL) = 228

Thanks again,
Fran
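Beyond fixing the source, an operator will want to know how many records were already written glued together, because the second half of such a line never went through the filters and log statements as a message of its own and is invisible to anything that greps line by line. As an added example (mine, not part of the thread), this scans stored log lines for a second <PRI> that is immediately followed by a syslog timestamp, decodes the priority (the <22> here is facility mail, severity info), and splits the line back into its component records. The glued maillog line is taken from Fran's first mail; the other sample lines are constructed.

```python
# Added example, not from the thread: detect records that a stream receiver
# glued together, and recover the hidden second record from a stored log line.
import re
from typing import Dict, List

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A <PRI> immediately followed by a BSD syslog timestamp ("Jan 25 13:20:12 ").
# Requiring the timestamp keeps angle-bracketed numbers in message bodies from
# being flagged.
EMBEDDED_PRI = re.compile(r"<(\d{1,3})>(?=[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} )")


def decode_pri(pri: int) -> Dict[str, str]:
    """PRI = facility * 8 + severity (RFC 3164)."""
    fac, sev = pri >> 3, pri & 7
    if fac < len(FACILITIES):
        facility = FACILITIES[fac]
    elif 16 <= fac <= 23:
        facility = "local%d" % (fac - 16)
    else:
        facility = "facility%d" % fac
    return {"facility": facility, "severity": SEVERITIES[sev]}


def split_glued(line: str) -> List[str]:
    """Split a stored line at every embedded <PRI>, keeping the PRI with the
    record it introduces. A clean line comes back as a single element."""
    cuts = [m.start() for m in EMBEDDED_PRI.finditer(line) if m.start() > 0]
    parts, prev = [], 0
    for cut in cuts:
        parts.append(line[prev:cut])
        prev = cut
    parts.append(line[prev:])
    return parts


def find_glued(lines: List[str]) -> List[dict]:
    """Report every stored line that holds more than one record."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in EMBEDDED_PRI.finditer(line):
            if m.start() == 0:
                continue  # a leading PRI is just raw wire format, not a glue point
            pri = int(m.group(1))
            findings.append({"line": n, "offset": m.start(), "pri": pri, **decode_pri(pri)})
    return findings


SAMPLE_LOG = [
    # constructed: an ordinary record
    "Jan 25 13:20:10 secmgmt-cs01 sshd[4120]: Accepted publickey for loehmanf from 10.200.1.7 port 51234 ssh2",
    # the glued line from Fran's first mail
    "Jan 25 13:20:12 secmgmt-cs01 sendmail[3050]: l0PIKCSY003050: from=<root@secmgmt-cs02.secmgmt.pvt>, size=619, class=0, nrcpts=1, msgid=<200701251820.l0PIKCEu004718@secmgmt-cs02.secmgmt.pvt>, proto=ESMTP, daemon=MTA, relay=secmgmt-cs02.secmgmt.pvt [10.200.1.5]<22>Jan 25 13:20:12 sendmail[3051]: l0PIKCSY003050: to=<lhmn@secmgmt-cs01.secmgmt.pvt>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30856, dsn=2.0.0, stat=Sent",
    # constructed: another ordinary record
    "Jan 25 13:20:13 secmgmt-cs01 crond[4200]: (root) CMD (run-parts /etc/cron.hourly)",
    # constructed decoy: an angle-bracketed number with no timestamp after it
    "Jan 25 13:20:14 secmgmt-cs01 batchd[77]: job <10> finished",
]


if __name__ == "__main__":
    for f in find_glued(SAMPLE_LOG):
        print("line %(line)d offset %(offset)d: embedded <%(pri)d> = %(facility)s.%(severity)s" % f)
        for part in split_glued(SAMPLE_LOG[f["line"] - 1]):
            print("   ", part)
```

The recovered second record has the raw <22> prefix and no hostname because the receiver never parsed it as a header; when replaying such records into another tool, the hostname and the receiver-side timestamp have to be taken from the first half of the line.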
On Mon, 2007-01-29 at 20:58 -0500, Fran Loehmann wrote:
> On Mon, 29 Jan 2007, Balazs Scheidler wrote:
> > On Fri, 2007-01-26 at 12:11 -0500, Fran Loehmann wrote:
> > > On Fri, 26 Jan 2007, Balazs Scheidler wrote:
> > > > On Thu, 2007-01-25 at 14:18 -0500, Fran Loehmann wrote:
> > > > > Hi,
> > > > >
> > > > > I am new to syslog-ng and have set up a system using eventlog-0.2.5 and syslog-ng-2.0.1
> > > > >
> > > > > Local sendmail messages seem to have 2 entries together. I am not sure if something is awry with the config included below, but it seems to only happen with the sendmail entries from sendmail running on the log host.
> > > > >
> > > > > I am trying to write messages to both /var/log/maillog and /var/log/archive/2007-01-25. Messages logged from the sending server seem ok but sendmail running on the log server appear to be on the same line separated by <22>.
> > > > >
> > > > > Messages in maillog and 2007-01-25 look the same.
> > > >
> > > > Can you strace sendmail (or syslog-ng) as it sends/receives a log message?
> > > > On unix-stream transport syslog-ng expects messages to be NL or NUL terminated.
> > >
> > > In addition to my previous post with the syslog-ng strace output I've attached what seems to be the relevant file from a sendmail strace. (I am uncertain if you need all of the strace.)
> > >
> > > Seeing the following in the strace...
> > >
> > > connect(3, {sa_family=AF_FILE, path="/dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
> > >
> > > ... I changed unix-stream("/dev/log"); to unix-dgram("/dev/log"); and the message appears as expected in the log.
> >
> > This is a workaround and not a solution. It just happened that sendmail interops with unix-dgram() better than with unix-stream().
> >
> > The problem with the strace dump you posted is that it does not contain the complete messages as sent by sendmail. You need to pass the '-s' parameter to strace to include longer strings (for example -s 4096).
>
> Thank you for your guidance and patience. I traced sendmail again and was able to see the messages sent to syslog-ng while using unix-stream. I can send along the whole strace output if helpful. It is ~128k in size.
>
> I looked for the log messages below in the strace output.
>
> Jan 29 19:41:16 secmgmt-cs02 sendmail[15692]: l0U0fGKc015692: from=<loehmanf@secmgmt-cs02.secmgmt.pvt>, size=385, class=0, nrcpts=1, msgid=<200701300041.l0U0fGWk015689@secmgmt-cs02.secmgmt.pvt>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]<22>Jan 29 19:41:16 sendmail[15693]: l0U0fGKc015692: to=<loehmanf@secmgmt-cs02.secmgmt.pvt>, ctladdr=<loehmanf@secmgmt-cs02.secmgmt.pvt> (1011/999), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30636, dsn=2.0.0, stat=Sent
>
> It seems the first message does not end in \0 as does the second.

This seems to be a sendmail bug then. I don't know why they don't use the syslog() call in libc.

-- Bazsi
On Tue, 30 Jan 2007 18:31:52 +0100, Balazs Scheidler said:
> This seems to be a sendmail bug then. I don't know why they don't use the syslog() call in libc.

Actually, the sm_syslog() function in sendmail/conf.c *does* call the libc syslog(), and has for quite some time. sm_syslog() exists primarily as a wrapper for working around busticated vendor syslogs.

I didn't see any mention of what libc Fran's sendmail is linked against, and thus I can't rule out the possibility that the syslog() call in libc isn't itself buggy.
On Wed, 2007-01-31 at 13:07 -0500, Fran Loehmann wrote:
> On Tue, 30 Jan 2007, Valdis.Kletnieks@vt.edu wrote:
> > On Tue, 30 Jan 2007 18:31:52 +0100, Balazs Scheidler said:
> > > This seems to be a sendmail bug then. I don't know why they don't use the syslog() call in libc.
> >
> > Actually, the sm_syslog() function in sendmail/conf.c *does* call the libc syslog(), and has for quite some time. sm_syslog() exists primarily as a wrapper for working around busticated vendor syslogs.
> >
> > I didn't see any mention of what libc Fran's sendmail is linked against, and thus I can't rule out the possibility that the syslog() call in libc isn't itself buggy.
>
> Sorry for not including this info.
>
> The system is RHEL4 AS Update 4. It is running Red Hat's rpm.
>
> sendmail-8.13.1-3.RHEL4.5
> sendmail-doc-8.13.1-3.RHEL4.5
> sendmail-devel-8.13.1-3.RHEL4.5
> sendmail-cf-8.13.1-3.RHEL4.5

This information is not itself enough. You'd need to disassemble the sm_syslog() call and see what it does. (Or anyone with a RHEL 4.)

-- Bazsi
On Thu, 01 Feb 2007, Balazs Scheidler wrote:
> On Wed, 2007-01-31 at 13:07 -0500, Fran Loehmann wrote:
> > On Tue, 30 Jan 2007, Valdis.Kletnieks@vt.edu wrote:
> > > On Tue, 30 Jan 2007 18:31:52 +0100, Balazs Scheidler said:
> > > > This seems to be a sendmail bug then. I don't know why they don't use the syslog() call in libc.
> > >
> > > Actually, the sm_syslog() function in sendmail/conf.c *does* call the libc syslog(), and has for quite some time. sm_syslog() exists primarily as a wrapper for working around busticated vendor syslogs.
> > >
> > > I didn't see any mention of what libc Fran's sendmail is linked against, and thus I can't rule out the possibility that the syslog() call in libc isn't itself buggy.
> >
> > Sorry for not including this info.
> >
> > The system is RHEL4 AS Update 4. It is running Red Hat's rpm.
> >
> > sendmail-8.13.1-3.RHEL4.5
> > sendmail-doc-8.13.1-3.RHEL4.5
> > sendmail-devel-8.13.1-3.RHEL4.5
> > sendmail-cf-8.13.1-3.RHEL4.5
>
> This information is not itself enough. You'd need to disassemble the sm_syslog() call and see what it does. (Or anyone with a RHEL 4.)

Thank you. For now I have left it as unix-dgram and will see if I cannot figure something out with disassembling sm_syslog().

Best Regards,
Fran
participants (3)
- Balazs Scheidler
- Fran Loehmann
- Valdis.Kletnieks@vt.edu