RE: [syslog-ng] logging pauses and log entry truncation
I found out why syslog-ng was doing the pausing... I had accidentally left two source entries for /proc/kmsg in my syslog-ng.conf file (I was originally trying to see if using file() vs. pipe() made any difference in the log entry truncation), so I assume it was a locking issue with both of them trying to read from the same place. After removing one of them, I haven't had syslog-ng pause on me once, but I am still getting the log entry truncation on entries from iptables. It usually truncates on iptables log entries that have an empty OUT= tag (no out interface), and truncates just after the OUT= tag and before the MAC= tag, or somewhere halfway through the MAC address in the MAC= tag. Are you getting the truncation at the same place on the same types of log entries?

---
Dustin D. Trammell
Information Security Specialist
Penson Financial Services, Inc.

-----Original Message-----
From: Caylan Van Larson [mailto:caylan@cs.und.edu]
Sent: Monday, August 12, 2002 15:54
To: Dustin Trammell
Cc: 'syslog-ng@lists.balabit.hu'
Subject: Re: [syslog-ng]logging pauses and log entry truncation

I am having very similar truncating going on. Bazsi is working on a fix. However, my logs never paused, maybe for a little bit (5-10 seconds) but that is prolly just net traffic jumps.

Good luck to Bazsi!!!
Yes, similar, but also erratic. I have it happening in the MAC addy and toward the end. Sometimes it seems as they are folded in on itself. I have placed a sample on www.cs.und.edu/~caylan/kern for your viewing pleasure. It is not my style to make things like this publicly accessible but I want to get this issue resolved.

In case you did not see the above URL or are too lazy :P

Aug 14 10:02:30 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:
Aug 14 10:02:31 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=63.151.197.164 DST=134.129.212.30 LEN=48 TOS=0x00 PREC=0x00TT14 2103DF PRTCP SW=163
Aug 14 10:02:32 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:
Aug 14 10:02:32 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:
Aug 14 10:02:32 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.215.35 DST=1PSPT7 DPT=137 L
Aug 14 10:02:32 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:
Aug 14 10:02:33 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.215.35 DST=134.129.212.30 LEN=9 138 N=20
Aug 14 10:02:33 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:

That's a pretty damn good sample!

Good luck,

Caylan Van Larson
Unix Administrator - Systems Team Member
University of North Dakota (Aerospace College)
caylan@cs.und.edu
701-777-6151 (work)

On Wed, 14 Aug 2002, Dustin Trammell wrote:
I found out why syslog-ng was doing the pausing... I had accidentally left two source entries for /proc/kmsg in my syslog-ng.conf file (I was originally trying to see if using file() vs. pipe() made any difference in the log entry truncation), so I assume it was a locking issue with both of them trying to read from the same place. After removing one of them, I haven't had syslog-ng pause on me once, but I am still getting the log entry truncation on entries from iptables. It usually truncates on iptables log entries that have an empty OUT= tag (no out interface), and truncates just after the OUT= tag and before the MAC= tag, or somewhere halfway through the MAC address in the MAC= tag. Are you getting the truncation at the same place on the same types of log entries?
--- Dustin D. Trammell Information Security Specialist Penson Financial Services, Inc.
-----Original Message----- From: Caylan Van Larson [mailto:caylan@cs.und.edu] Sent: Monday, August 12, 2002 15:54 To: Dustin Trammell Cc: 'syslog-ng@lists.balabit.hu' Subject: Re: [syslog-ng]logging pauses and log entry truncation
I am having very similar truncating going on. Bazsi is working on a fix. However, my logs never paused, maybe for a little bit (5-10 seconds) but that is prolly just net traffic jumps.
Good luck to Bazsi!!!
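An added example, not code from either poster or from syslog-ng: a small checker that flags iptables LOG records cut off or garbled the way the sample in this thread shows, so damaged entries can be counted and kept out of later analysis. It assumes Ethernet (a 14-octet MAC= field: destination, source, EtherType) and an assumed set of required keys; the function names are hypothetical.

```python
import ipaddress
import re

# Assumption: Ethernet link layer, so MAC= carries 6 + 6 + 2 = 14 octets.
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){13}$")
# Assumption: keys every intact IPv4 LOG record in this setup should carry.
REQUIRED = ("IN", "OUT", "MAC", "SRC", "DST", "LEN", "PROTO")

SAMPLE = [
    # First two lines are taken from the sample posted in the thread.
    "Aug 14 10:02:30 smack IPTABLES UDP-IN: IN=eth1 OUT= "
    "MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:",
    "Aug 14 10:02:32 smack IPTABLES UDP-IN: IN=eth1 OUT= "
    "MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.215.35 "
    "DST=1PSPT7 DPT=137 L",
    # Constructed intact record (documentation addresses) for comparison.
    "Aug 14 10:02:34 smack IPTABLES UDP-IN: IN=eth1 OUT= "
    "MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=192.0.2.10 "
    "DST=192.0.2.20 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP "
    "SPT=137 DPT=137",
]

def check_iptables_line(line):
    """Return reasons the record looks truncated or garbled ([] if intact)."""
    fields = dict(t.split("=", 1) for t in line.split() if "=" in t)
    problems = [f"missing {k}=" for k in REQUIRED if k not in fields]
    mac = fields.get("MAC")
    if mac is not None and not MAC_RE.match(mac.lower()):
        problems.append("MAC= is not 14 octets")
    for key in ("SRC", "DST"):
        if key in fields:
            try:
                ipaddress.IPv4Address(fields[key])
            except ValueError:
                problems.append(f"{key}= is not an IPv4 address")
    if "LEN" in fields and not fields["LEN"].isdigit():
        problems.append("LEN= is not numeric")
    return problems

def scan(lines):
    """Return (line_number, problems) for every damaged record."""
    results = ((n, check_iptables_line(l)) for n, l in enumerate(lines, 1))
    return [(n, p) for n, p in results if p]

if __name__ == "__main__":
    for lineno, problems in scan(SAMPLE):
        print(lineno, "; ".join(problems))
```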