Hi,

I'm testing the stomp destination using syslog-ng ose 3.6.2, and as the process starts it logs:

# /opt/syslog-ng-3.6.2/sbin/syslog-ng -f /opt/syslog-ng-3.6.2/etc/syslog-ng.conf -F -d -v -t 2>&1 | grep -i stomp
[2015-01-29T18:29:45.323518] Reading shared object for a candidate module; path='/opt/syslog-ng-3.6.2/lib/syslog-ng', fname='afstomp.so', module='afstomp'
[2015-01-29T18:29:45.323629] Registering candidate plugin; module='afstomp', context='destination', name='stomp', preference='0'
[2015-01-29T18:29:45.343833] Module loaded and initialized successfully; module='afstomp'
[2015-01-29T18:29:45.344725] Compiling d_stomp reference [destination] at [/opt/syslog-ng-3.6.2/etc/syslog-ng.conf:70:2]
[2015-01-29T18:29:45.344728] Compiling d_stomp sequence [destination] at [/opt/syslog-ng-3.6.2/etc/syslog-ng.conf:32:1]
[2015-01-29T18:29:45.345092] Initializing STOMP destination; host='localhost', port='61613', destination='/topic/syslog'
[2015-01-29T18:29:45.345368] Worker thread started; driver='d_stomp#0'
[2015-01-29T18:29:45.346854] Stomp connection failed; host='localhost'

Relevant parts of my configuration:

destination d_stomp {
    stomp(
        host("localhost")
        port(61613)
        body("testing")
        ack(yes)
        retries(9)
        value-pairs(scope(everything))
    );
};

The strange thing is that when I'm starting syslog-ng I am running tcpdump -i lo -s0 -nn -v port 61613, and cannot see any packets. I would expect at least a syn connection since it claims to fail. SELinux does not log any denies during the startup, so I suspect the problem to be elsewhere.

If I do a tcpdump -i lo -s0 -nn -v -X and start syslog-ng this is captured:

18:33:26.833330 IP (tos 0x0, ttl 64, id 5652, offset 0, flags [DF], proto TCP (6), length 60)
    127.0.0.1.35340 > 127.0.0.1.0: Flags [S], cksum 0xd601 (correct), seq 801587243, win 65495, options [mss 65495,sackOK,TS val 700601919 ecr 0,nop,wscale 7], length 0
    0x0000: 4500 003c 1614 4000 4006 26a6 7f00 0001 E..<..@.@.&.....
    0x0010: 7f00 0001 8a0c 0000 2fc7 402b 0000 0000 ......../.@+....
    0x0020: a002 ffd7 d601 0000 0204 ffd7 0402 080a ................
    0x0030: 29c2 563f 0000 0000 0103 0307 ).V?........
18:33:26.833412 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    127.0.0.1.0 > 127.0.0.1.35340: Flags [R.], cksum 0xb7ce (correct), seq 0, ack 801587244, win 0, length 0
    0x0000: 4500 0028 0000 4000 4006 3cce 7f00 0001 E..(..@.@.<.....
    0x0010: 7f00 0001 0000 8a0c 0000 0000 2fc7 402c ............/.@,
    0x0020: 5014 0000 b7ce 0000 P.......

So we get a syn to port 0 and answer with reset. Could there be a port parsing error for stomp in syslog-ng OSE 3.6.2? Any suggestions?

Also: syslog-ng spawns another thread to do the stomp connection, any suggestions on how I can strace this thread during startup to see what is actually going on? Would love to know if in fact this connection is made to port 0.

Thanks,
Ole

Hi Ole!

You are totally right, this is a bug in afstomp module. There is a missing g_sockaddr_set_port() call in stomp.c. I can create a patch for you at the weekend, or you can patch it manually by inserting the line:

g_sockaddr_set_port(conn->remote_sa, (uint16) port);

into modules/afstomp/stomp.c in line 118.

Thanks for the detailed bug report!

HtH,
Viktor

On Thu, Jan 29, 2015 at 6:39 PM, Ole Jørgensen <oleide@gmail.com> wrote:
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
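
The failure mode discussed in the message above, as an added example (not syslog-ng code): a resolver that returns a fresh address leaves the port at 0 until the caller copies the configured port in, which matches the SYN to 127.0.0.1.0 in the capture. All function names here are hypothetical, and the guard before connect() is an added suggestion rather than part of the fix described in the thread.

```c
/* Added illustration; every function here is a hypothetical stand-in,
 * none of them is syslog-ng code. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Stand-in for a resolver that returns a fresh address and knows nothing
 * about ports: the result always has sin_port == 0. */
static int resolve_host(const char *ip, struct sockaddr_in *out)
{
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1 ? 0 : -1;
}

static void set_port(struct sockaddr_in *sa, uint16_t port)
{
    sa->sin_port = htons(port);   /* wire format is big-endian */
}

static uint16_t get_port(const struct sockaddr_in *sa)
{
    return ntohs(sa->sin_port);
}

/* Build the connect() target. apply_fix == 0 reproduces the reported
 * behaviour: the configured port is never copied into the address. */
static int prepare_target(const char *ip, int port, int apply_fix,
                          struct sockaddr_in *out)
{
    if (port < 1 || port > 65535 || resolve_host(ip, out) != 0)
        return -1;
    if (apply_fix)
        set_port(out, (uint16_t) port);
    return 0;
}

/* Guard to run just before connect(): port 0 is never a valid target. */
static int validate_target(const struct sockaddr_in *sa)
{
    return (sa->sin_family == AF_INET && get_port(sa) != 0) ? 0 : -1;
}

int main(void)
{
    struct sockaddr_in sa;
    for (int fix = 0; fix <= 1; fix++) {
        if (prepare_target("127.0.0.1", 61613, fix, &sa) != 0)
            return 1;
        printf("fix=%d port=%u target %s\n", fix, (unsigned) get_port(&sa),
               validate_target(&sa) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

With such a guard in place the driver could log the rejected port instead of a bare connection failure.
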

Hi,

I have pushed an untested but compiled commit on f/stomp-port-fix. Could you pls test whether it solves your problem?

It was broken here:

Author: Balazs Scheidler <bazsi@balabit.hu> 2013-10-31 08:17:02
Committer: Balazs Scheidler <bazsi@balabit.hu> 2013-11-10 19:04:35
Parent: ebb82d15f586829e478e51e7c33d6bb69dc7c3d8 (stomp: rearrange headers to match syslog-ng conventions)
Branches: master, nisz, remotes/origin/master and many more (82)
Follows: v3.5.1
Precedes: syslog-ng-3.6.0alpha1

    host-resolve: always return a new GSockAddr instance from resolve_hostname_to_sockaddr()

    Instead of trying to _change_ an existing GSockAddr instance, always return a new one. This makes the API easier to use, as well as makes the implementation simpler. The original prototype probably dates back to times when the afsocket driver stored ip/port parameters in an existing GSockAddr instance and creating a new one was not good.

    These times, we basically create the GSockAddr instance in the drivers just to satisfy this requirement. So this patch simplifies call-sites as well.

    The only reason the input GSockAddr was used to determine the target address family, but I introduced a new parameter for that.

    Also the patch adds coverage for IPv6 in the testsuite.

    Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>

-- 
Bazsi

On Fri, Jan 30, 2015 at 12:25 AM, Tusa Viktor <tusavik@gmail.com> wrote:

Here's the pull request:

https://github.com/balabit/syslog-ng/pull/376

Could you pls report success with this patch there? Thanks.

-- 
Bazsi

On Fri, Jan 30, 2015 at 10:50 AM, Scheidler, Balázs <balazs.scheidler@balabit.com> wrote:

Hi Tusa,

Compiled successfully with the addition of:

#include <stdint.h>
g_sockaddr_set_port(conn->remote_sa, (uint16_t) port);

Now it seems my stomp server needs some credentials :-)

BR,
Ole

On Fri, Jan 30, 2015 at 12:25 AM, Tusa Viktor <tusavik@gmail.com> wrote:

participants (4)
- Ole Jørgensen
- Ole Jørgensen
- Scheidler, Balázs
- Tusa Viktor