flags(final) in version 3.4
According to this report, the flags(final) does not work in 3.4 as one got used to in prior versions. https://lists.balabit.hu/pipermail/syslog-ng/2013-February/020039.html In version 3.3 I used flags(final) in each of my log{ } statements so that a message was not unnecessarily processed by anything beyond a matching filter. My last entry in the config used flags(fallback) so that any message not previously sent to a destination was caught by this final stanza. With version 3.4, the same syntax does not work, and all messages appear to be passing through every filter and getting duplicated in the first match and my final log destination. Surely, there must be another way to handle this sort of thing. Not only is it useful for processing efficiency, but it is also a useful way to identify "unmatched" filters in the config. Any suggestions for replicating the 3.3 behavior would be appreciated. Thanks Bill Fanselow
There was a patch with refarss to include statements tgat fixes this. Not a release yet but will be 3.4.2 ---- Evan Rempel, 250-721-7691 Senior Systems Administrator Data Centre Services, University of Victoria -------- Original message -------- From: "Fanselow, William" <William.Fanselow@Level3.com> Date: To: syslog-ng@lists.balabit.hu Subject: [syslog-ng] flags(final) in version 3.4 According to this report, the flags(final) does not work in 3.4 as one got used to in prior versions. https://lists.balabit.hu/pipermail/syslog-ng/2013-February/020039.html In version 3.3 I used flags(final) in each of my log{ } statements so that a message was not unnecessarily processed by anything beyond a matching filter. My last entry in the config used flags(fallback) so that any message not previously sent to a destination was caught by this final stanza. With version 3.4, the same syntax does not work, and all messages appear to be passing through every filter and getting duplicated in the first match and my final log destination. Surely, there must be another way to handle this sort of thing. Not only is it useful for processing efficiency, but it is also a useful way to identify "unmatched" filters in the config. Any suggestions for replicating the 3.3 behavior would be appreciated. Thanks Bill Fanselow ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
yup, you can find the patch reference in bugzilla, but it also got integrated to mainline, github.com/balabit/syslog-ng-3.4 that is. the fix is quite recent, so you can cherry-pick it yourself, but Algernon had nightly builds for a number of platforms on madhouse.org ----- Original message -----
There was a patch with refarss to include statements tgat fixes this. Not a release yet but will be 3.4.2
---- Evan Rempel, 250-721-7691 Senior Systems Administrator Data Centre Services, University of Victoria
-------- Original message -------- From: "Fanselow, William" <William.Fanselow@Level3.com> Date: To: syslog-ng@lists.balabit.hu Subject: [syslog-ng] flags(final) in version 3.4
According to this report, the flags(final) does not work in 3.4 as one got used to in prior versions. https://lists.balabit.hu/pipermail/syslog-ng/2013-February/020039.html
In version 3.3 I used flags(final) in each of my log{ } statements so that a message was not unnecessarily processed by anything beyond a matching filter. My last entry in the config used flags(fallback) so that any message not previously sent to a destination was caught by this final stanza.
With version 3.4, the same syntax does not work, and all messages appear to be passing through every filter and getting duplicated in the first match and my final log destination.
Surely, there must be another way to handle this sort of thing. Not only is it useful for processing efficiency, but it is also a useful way to identify "unmatched" filters in the config.
Any suggestions for replicating the 3.3 behavior would be appreciated.
Thanks Bill Fanselow ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
On 03/14/2013 09:44 AM, Balazs Scheidler wrote:
yup, you can find the patch reference in bugzilla, but it also got integrated to mainline, github.com/balabit/syslog-ng-3.4 that is.
the fix is quite recent, so you can cherry-pick it yourself, but Algernon had nightly builds for a number of platforms on madhouse.org
As I already wrote Algernon directly: the cherry-picked patches or git head currently does not seem to work on openSUSE 12.3. syslog-ng segfaults. Please let us know, if your platform is also affected (and send your config in that case). "bt full" on openSUSE looks like: (gdb) bt full #0 0xb7733ee0 in cfg_tree_propagate_expr_node_properties_to_pipe.isra.1 () from /usr/lib/libsyslog-ng-3.4.1.so No symbol table info available. #1 0xb77354ee in cfg_tree_compile_node () from /usr/lib/libsyslog-ng-3.4.1.so No symbol table info available. #2 0xb773559b in cfg_tree_compile_node () from /usr/lib/libsyslog-ng-3.4.1.so No symbol table info available. #3 0xb7734f3a in cfg_tree_compile_node () from /usr/lib/libsyslog-ng-3.4.1.so No symbol table info available. #4 0xb773562f in cfg_tree_compile_rule () from /usr/lib/libsyslog-ng-3.4.1.so No symbol table info available. #5 0xb77357cc in cfg_tree_compile () from /usr/lib/libsyslog-ng-3.4.1.so No symbol table info available. #6 0xb773585e in cfg_tree_start () from /usr/lib/libsyslog-ng-3.4.1.so No symbol table info available. #7 0xb77305a1 in cfg_init () from /usr/lib/libsyslog-ng-3.4.1.so No symbol table info available. #8 0xb775045d in main_loop_init () from /usr/lib/libsyslog-ng-3.4.1.so No symbol table info available. #9 0x080491e8 in main () No symbol table info available. (gdb) Bye, -- Peter Czanik (CzP) <czanik@balabit.hu> BalaBit IT Security / syslog-ng upstream http://czanik.blogs.balabit.com/
Peter Czanik <czanik@balabit.hu> writes:
On 03/14/2013 09:44 AM, Balazs Scheidler wrote:
yup, you can find the patch reference in bugzilla, but it also got integrated to mainline, github.com/balabit/syslog-ng-3.4 that is.
the fix is quite recent, so you can cherry-pick it yourself, but Algernon had nightly builds for a number of platforms on madhouse.org
It's actually packages.madhouse-project.org, and http://packages.madhouse-project.org/syslog-ng/3.4/syslog-ng-3.4-HEAD.tar.gz is always going to point to the latest git master of syslog-ng 3.4 (tarballs are generated once a day around midnight +01:00).
As I already wrote Algernon directly: the cherry-picked patches or git head currently does not seem to work on openSUSE 12.3. syslog-ng segfaults. Please let us know, if your platform is also affected (and send your config in that case). "bt full" on openSUSE looks like:
I finally had time to research the issue, and found the problem, it's already fixed on 3.4's master (3.3 is not affected, nor is 3.5, the bug was introduced by one of the patches that were applied after 3.4.1, but before 3.5 was branched off). -- |8]
participants (5)
-
Balazs Scheidler
-
Evan Rempel
-
Fanselow, William
-
Gergely Nagy
-
Peter Czanik