RE: [syslog-ng] Re: question regarding program name logs
Sorry I pasted the wrong "log" statement, here it is:

    log { source(src_udp); source(src_tcp); filter(fltr_PROGRAM); destination(dst_PROGRAM); flags(final, flow-control); };

-----Original Message-----
From: Justin Randall
Sent: Wednesday, September 27, 2006 10:07 AM
To: Syslog-ng users' and developers' mailing list
Subject: RE: [syslog-ng] Re: question regarding program name logs

Hi and thanks for the response.

This is actually relating to UDP logging. I have devices sending Syslog messages via UDP to a central Syslog-NG server. Usually the devices log messages to Syslog-NG via UDP in bursts (about 20-25 messages within a couple seconds). The source, filter, destination, log statements for the handling are as follows:

    source src_udp { udp( ip(IPADDRESS) port(PORT) ); };
    filter fltr_PROGRAM { program("PROGRAM") or match("PROGRAM"); };
    destination dst_PROGRAM { file( "/var/log/PROGRAM/messages" owner(root) group(tomcat) perm(0640) ); };
    log { source(src_udp); source(src_tcp); destination(dst_remote_system); flags(final, flow-control); };

What ends up happening when a host falls into this flow is that the first log message is missed. The format of the bursts of messages is exactly the same. This did not happen in 2.0rc2, I have downgraded and verified this.

Let me know if there's any other info I can provide that would help out.

Regards,
Justin.

-----Original Message-----
From: G.W. Haywood [mailto:ged@jubileegroup.co.uk]
Sent: Wednesday, September 27, 2006 7:42 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Re: question regarding program name logs

Hi there,

On Wed, 27 Sep 2006 Justin Randall wrote:
> Can anyone confirm if the patch that was to fix this issue was included in 2.0rc3?
Yes, it was. Note that it only affects logging via UDP.

--
73,
Ged.
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
On Wed, 2006-09-27 at 10:09 -0400, Justin Randall wrote:
> Sorry I pasted the wrong "log" statement, here it is:
>
>     log { source(src_udp); source(src_tcp); filter(fltr_PROGRAM); destination(dst_PROGRAM); flags(final, flow-control); };
I have now tried to reproduce the problem without success. This was my configuration (a bit adapted version of what you sent):

    source src_udp { udp( ip(0.0.0.0) port(1514) ); };
    filter fltr_PROGRAM { program("PROGRAM") or match("PROGRAM"); };
    destination dst_PROGRAM { file( "/home/bazsi/logs/messages.lost" ); };
    log { source(src_udp); destination(dst_PROGRAM); flags(final, flow-control); };

I have generated bursts with this shell script snippet:

    for i in `seq 1 30` ; do echo -ne "<5>Aug 14 22:21:34 localhost PROGRAM: message $i\nmeg ez is ide tartozik" | nc -q0 -u localhost 1514 ; i=$[i+1]; done

This means that I had newlines embedded in a message too.

The complete change between 2.0rc2 and 2.0rc3 is this patch:

--- orig/src/logwriter.c +++ mod/src/logwriter.c
@@ -485,11 +485,17 @@ log_writer_options_set_template_escape(L void log_writer_options_init(LogWriterOptions *options, GlobalConfig *cfg, guint32 flags, const gchar *stats_name) { - /* NOTE: free everything that might have remained from a previous init - * call, this way init can be called any number of times, without calling - * destroy first */ + LogTemplate *template; + /* NOTE: free everything that might have remained from a previous init + * call, this way init can be called any number of times, without calling + * destroy first. We only need to keep options->template around as that's + * never initialized based on the configuration + */ + + template = log_template_ref(options->template); log_writer_options_destroy(options); + options->template = template; options->flags = flags; if (options->fifo_size == -1) options->fifo_size = cfg->log_fifo_size; Which only affects initialization (and fixes a nearly guaranteed SIGSEGV between 2.0rc2 and 2.0rc3, I'm surprised that 2.0rc2 works for you) So I basically don't see how this could happen. How do you test bursts and how do you determine that the first message in every burst is lost? I would really like to release 2.0.0. But if your findings indeed turn out to be a bug in syslog-ng that'd prevent me from doing so. So helping me to track this down in a timely manner would be appreciated. Thanks. -- Bazsi
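Review bot: the added line "template = log_template_ref(options->template);" in log_writer_options_init() runs unconditionally, and nothing in the hunk shows what happens when options->template is still NULL on the very first init call; either confirm that log_template_ref() accepts NULL or guard the call. The save/restore around log_writer_options_destroy(options) also assumes destroy releases exactly the reference taken here, so a short note on that ownership in the comment would help. The new comment says only that the template is "never initialized based on the configuration"; naming who does set it would make clear which other fields, if any, need the same treatment.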
On Sat, 2006-10-07 at 12:53 +0200, Balazs Scheidler wrote:
> On Wed, 2006-09-27 at 10:09 -0400, Justin Randall wrote:
>> Sorry I pasted the wrong "log" statement, here it is:
>
> I would really like to release 2.0.0. But if your findings indeed turn out to be a bug in syslog-ng that'd prevent me from doing so. So helping me to track this down in a timely manner would be appreciated. Thanks.
An important question relating to this: Does anyone else experience the same problem?

--
Bazsi
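
The question raised in the thread, how to determine that the first message of every burst is lost, can be settled mechanically by numbering the messages and checking the destination file for gaps. The script below is an added example, not part of the thread or of syslog-ng; the "burst=<id> seq=<n>" payload format, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: numbered UDP bursts and a gap check on the destination file.
# The "burst=<id> seq=<n>" payload format and the function names are assumptions.

# send_burst HOST PORT BURST_ID COUNT
# One datagram per message, using the same nc invocation as the loop above.
send_burst() {
    for i in $(seq 1 "$4"); do
        printf '<5>%s localhost PROGRAM: burst=%s seq=%s' \
            "$(date '+%b %e %H:%M:%S')" "$3" "$i" | nc -q0 -u "$1" "$2"
    done
}

# missing_seqs LOGFILE BURST_ID COUNT
# Prints the sequence numbers of that burst that are absent from LOGFILE,
# space separated; prints an empty line when nothing was lost.
missing_seqs() {
    awk -v burst="$2" -v count="$3" '
        {
            b = ""; s = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^burst=/) b = substr($i, 7)
                if ($i ~ /^seq=[0-9]+$/) s = substr($i, 5)
            }
            if (b == burst && s != "") seen[s + 0] = 1
        }
        END {
            out = ""
            for (n = 1; n <= count; n++)
                if (!(n in seen)) out = (out == "" ? "" : out " ") n
            print out
        }' "$1"
}

# Constructed sample of what the file destination could contain after two
# bursts of three messages, with the first message of burst A absent.
sample_log() {
    cat <<'EOF'
Aug 14 22:21:34 localhost PROGRAM: burst=A seq=2
Aug 14 22:21:34 localhost PROGRAM: burst=A seq=3
Aug 14 22:21:36 localhost PROGRAM: burst=B seq=1
Aug 14 22:21:36 localhost PROGRAM: burst=B seq=2
Aug 14 22:21:36 localhost PROGRAM: burst=B seq=3
EOF
}

sample_log | missing_seqs - A 3
```

Against a live setup, call send_burst with a fresh burst id, then run missing_seqs on the file destination with the same id and count; a result of "1" for every burst matches the reported symptom.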