AIX and repeated message formats - fix?
Earlier I posted a message asking about whether syslog-ng had standard equipment for dealing with a couple of strange message types:

1) Messages forwarded by AIX syslogd which contain the string "Message forwarded from [hostname]: " ...

and

2) Messages of the form: "last message repeated _n times"

I haven't received any responses. I've read traffic in the mailing list archives (e.g. December 2000) regarding the topic, but I haven't found any solutions. If I've missed something vital, please help me and let me know about it. I certainly apologize if I haven't been observant enough to skim the answers from the available resources.

I've taken a stab at solving the problem myself, and I thought I'd share it with all of you. Those of you who are so much more familiar with the source than I, please comment about whether you find I might have broken other functionality or adversely affected performance. I'm glad for your suggestions, or if this can help somebody else. For my installation, being able to handle AIX messages is particularly important.

My solution is just a simple and straightforward refactoring in log.c/parse_log_msg(). A patch against the 1.4.11 source distribution is attached to this message. I've tested it only on AIX, but I think it ought to work elsewhere since it only adds standard library stuff. (Basically, a couple of memcmp's). Some commented-out debugging output (to stderr) is there, too, if you'd want to enable it.

I'll describe the intended effects of this patch:

1) Messages forwarded by AIX systems are recognized, and the source hostname is taken from the string appended by AIX syslogd. For example,

MMM DD HH:MM:SS Message forwarded from <hostname>: ...

will use <hostname> for the source address. "Message" isn't taken as the source host.

2) If the message is forwarded by AIX syslogd but originally of syslog-ng origin, it'll have the form

MMM DD HH:MM:SS Message forwarded from <hostname>: source@hostname ...

In this case, "source@hostname" will be used as the source hostname (so that syslog-ng's source info is preserved).

3) If the message doesn't contain a hostname because it's of the form

MMM DD HH:MM:SS last message repeated *n* times

then it won't try to extract one (so it won't improperly use 'last'). The hostname will just come later when in sources.c it's gotten from the message source socket or wherever.

4) If the message is a "last message repeated ..." which was *also* forwarded by an AIX syslogd, it'll get the hostname extracted from AIX's "Message forwarded from ..." message.

I'm no expert in the syslog protocol/format, and I can see there is variability in implementation. So I'm certain there are plenty of cases that are left unaddressed. If you don't find this patch helpful in general, perhaps it's useful for some common cases.

One thing that's not addressed: When a "last message repeated ..." line is received, it's certainly helpful to know *which* was the last line-- the one that got repeated. If you're outputting to files by PROGRAM, then no program name is inherently available from this kind of message itself. And syslog-ng isn't keeping track of what PROGRAM logged last from a particular source host. So these "last message repeated ..." messages won't fall into the same logs as the lines for the PROGRAMs which produced the repeated messages. No simple solution is readily apparent to me...

Also, please note that "keep_hostname(yes)" is important, otherwise the AIX sender of forwarded messages is used anyway-- despite that the real origin is available. If you use chain_hostnames(yes), then this info ought to be preserved anyway.

Again, please comment and critique! Thanks very much.

-- Jonathan Marks Systems Administrator, Production Systems Group Computing and Communication Services Office University of Illinois at Urbana-Champaign
On Fri, Apr 27, 2001 at 04:39:32PM -0500, Jon Marks wrote:
Earlier I posted a message asking about whether syslog-ng had standard equipment for dealing with a couple of strange message types:
1) Messages forwarded by AIX syslogd which contain the string
"Message forwarded from [hostname]: " ...
and
2) Messages of the form:
"last message repeated _n times"
I haven't received any responses. I've read traffic in the mailing list archives (e.g. December 2000) regarding the topic, but I haven't found any solutions. If I've missed something vital, please help me and let me know about it. I certainly apologize if I haven't been observant enough to skim the answers from the available resources.
I've taken a stab at solving the problem myself, and I thought I'd share it with all of you. Those of you who are so much more familiar with the source than I, please comment about whether you find I might have broken other functionality or adversely affected performance. I'm glad for your suggestions, or if this can help somebody else. For my installation, being able to handle AIX messages is particularly important.
My solution is just a simple and straightforward refactoring in log.c/parse_log_msg(). A patch against the 1.4.11 source distribution is attached to this message. I've tested it only on AIX, but I think it ought to work elsewhere since it only adds standard library stuff. (Basically, a couple of memcmp's). Some commented-out debugging output (to stderr) is there, too, if you'd want to enable it.
I'll describe the intended effects of this patch:
Are you absolutely sure there's no other way to recognize these messages other than parsing their contents? To be honest I don't like putting too much system dependency into syslog-ng.

A compile time/runtime option should be integrated though if there's no other way.

-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Wed, May 02, 2001 at 11:53:04AM +0200, Balazs Scheidler wrote:
On Fri, Apr 27, 2001 at 04:39:32PM -0500, Jon Marks wrote:
Earlier I posted a message asking about whether syslog-ng had standard equipment for dealing with a couple of strange message types:
1) Messages forwarded by AIX syslogd which contain the string
"Message forwarded from [hostname]: " ...
and
2) Messages of the form:
"last message repeated _n times"
Are you absolutely sure there's no other way to recognize these messages other than parsing their contents? To be honest I don't like putting too much system dependency into syslog-ng.
A compile time/runtime option should be integrated though if there's no other way.
-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng
I can certainly understand that chasing system specifics is very problematic-- I only know of the incongruities AIX introduces, but I'm sure other syslogd implementations must do their own things, too. Also, the "last message repeated" problem is from Solaris syslogd, and I think from lots of others. Adding these extra tests where I've put them would make the critical message parsing code bulky and slow. The problem is, in my environment, I *need* to be able to handle these.

So I suppose the issue is one of interoperability. Syslog-ng is great because it gives us what the old brainless syslogd couldn't-- but there's still a lot more of the old brainless daemons out there.

I'm only familiar with the code in log.c and sources.c, since that's where I could address the issue directly. What I figured out is that log messages' program fields are never re-evaluated after parsing the message, and the host field is either kept (via keep_hostname or chain_hostnames), or replaced by the message's last hop's address. So it seemed necessary to get these fields right during the parsing phase. I don't think there's any other way (or place in the code I've looked at thoroughly) to detect these types of messages.

I didn't want to slow things down too much, but I figured memcmp wouldn't hurt too bad. If the message doesn't match the new extra tests, unless the hostname is "last" or "Message" then the memcmp will fail quickly. Even if the message does match, it's only comparing a few extra bytes. It's probably safe to shave off a few bytes from the test strings, too.

I agree that some kind of compilation or runtime switch would be a good idea for system-dependent stuff. One of my coworkers suggested that, too. I'm not as familiar with the configuration file lexical analysis and parsing parts of the code, and I'm still struggling a little to understand libol and the object-oriented framework. I'd like to have offered that in my patch-- perhaps I could work that out in the future.
-- Jonathan Marks Systems Administrator, Production Systems Group Computing and Communication Services Office University of Illinois at Urbana-Champaign
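As an added illustration of the four hostname rules described in Jon's first post and of the cheap prefix test he defends in the reply above, here is a small stand-alone C parser. It is not the patch attached to the original message (the page does not reproduce it) and not syslog-ng's own parse_log_msg(); the struct and function names are invented for this example, and it assumes that a forwarded syslog-ng message can be recognised by an '@' in the first token of the wrapped body, as in the "source@hostname" form the post quotes. The return value 0 stands for "no hostname in the text, let the caller take the peer address", which is what the post says sources.c does anyway.

```c
#include <string.h>

/* Added example, not the patch attached to the original post (which the
 * page does not reproduce). It implements the four hostname rules the post
 * describes with plain prefix comparisons, so a normal line whose first
 * token is neither "Message" nor "last" is rejected at the first byte. */

#define TS_LEN 15                       /* "MMM DD HH:MM:SS" */
#define FWD_TAG "Message forwarded from "
#define REP_TAG "last message repeated "

struct parsed {
    char host[128];     /* "" when the line carries no inline hostname */
    const char *body;   /* points into the caller's line */
};

/* Copy [s, s+n) into dst as a NUL-terminated string; 0 if it will not fit. */
static int copy_tok(char *dst, size_t cap, const char *s, size_t n)
{
    if (n == 0 || n >= cap) return 0;
    memcpy(dst, s, n);
    dst[n] = '\0';
    return 1;
}

/* Split a BSD-syslog line "MMM DD HH:MM:SS <rest>" into host and body.
 * Returns 1 when a hostname was found in the text, 0 when the line has
 * none (the caller then falls back to the peer address, which syslog-ng
 * uses anyway unless keep_hostname(yes) is set), and -1 if malformed. */
int parse_syslog_line(const char *line, struct parsed *out)
{
    const char *p, *sp;

    out->host[0] = '\0';
    out->body = line;
    if (strlen(line) < TS_LEN + 1 || line[3] != ' ' || line[TS_LEN] != ' ')
        return -1;
    p = line + TS_LEN + 1;

    /* Rules 1, 2 and 4: the AIX syslogd forwarding wrapper. */
    if (strncmp(p, FWD_TAG, sizeof(FWD_TAG) - 1) == 0) {
        const char *aix = p + (sizeof(FWD_TAG) - 1);
        const char *colon = strstr(aix, ": ");
        const char *body;
        if (!colon) return -1;
        body = colon + 2;
        /* Rule 2: a forwarded syslog-ng message starts its body with
         * "source@hostname"; keep that token so the original source info
         * survives. (Assumption: such a token is recognised by its '@'.) */
        sp = strchr(body, ' ');
        if (sp && memchr(body, '@', (size_t)(sp - body)) != NULL) {
            if (!copy_tok(out->host, sizeof out->host, body, (size_t)(sp - body)))
                return -1;
            out->body = sp + 1;
            return 1;
        }
        /* Rule 1, and rule 4: even a "last message repeated" body gets the
         * origin host that AIX appended. */
        if (!copy_tok(out->host, sizeof out->host, aix, (size_t)(colon - aix)))
            return -1;
        out->body = body;
        return 1;
    }

    /* Rule 3: "last message repeated N times" has no hostname field, so
     * "last" must not be taken for one. */
    if (strncmp(p, REP_TAG, sizeof(REP_TAG) - 1) == 0) {
        out->body = p;
        return 0;
    }

    /* Ordinary line: the first token is the hostname. */
    sp = strchr(p, ' ');
    if (!sp || !copy_tok(out->host, sizeof out->host, p, (size_t)(sp - p)))
        return -1;
    out->body = sp + 1;
    return 1;
}

/* Check one constructed line against the expected result code, host and body. */
int check_line(const char *line, int want_ret, const char *want_host,
               const char *want_body)
{
    struct parsed r;
    int ret = parse_syslog_line(line, &r);
    return ret == want_ret && strcmp(r.host, want_host) == 0 &&
           strcmp(r.body, want_body) == 0;
}
```

A call such as check_line("Apr 27 16:39:32 Message forwarded from aixhost: last message repeated 3 times", 1, "aixhost", "last message repeated 3 times") exercises rule 4: the body is a repeat notice, but the origin host comes from the AIX wrapper rather than from the peer. The open question from the post, which PROGRAM the repeated line belonged to, is deliberately not answered here: this parser only returns the host and body, and nothing in the line lets it recover the program name.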
Jon Marks wrote:
Earlier I posted a message asking about whether syslog-ng had standard equipment for dealing with a couple of strange message types:
1) Messages forwarded by AIX syslogd which contain the string
"Message forwarded from [hostname]: " ...
and
2) Messages of the form:
"last message repeated _n times"
I'm also receiving messages of the form: "above message repeats _n times" I suspect this is coming from Red Hat of some derivation as that is what we have around here, with the exception of the HP-UX boxes - but I don't think they do that. Is there any way the code can artificially insert a hostname into these? Perhaps the message text can be put into a list in a file, and the code can determine who the network connection is coming from, and add the appropriate hostname to it. Or perhaps it could do this automatically to every message: if the hostname is missing, add it.
I'm also receiving messages of the form:
"above message repeats _n times"
I suspect this is coming from Red Hat of some derivation as that is what we have around here, with the exception of the HP-UX boxes - but I don't think they do that.
Is there any way the code can artificially insert a hostname into these? Perhaps the message text can be put into a list in a file, and the code can determine who the network connection is coming from, and add the appropriate hostname to it. Or perhaps it could do this automatically to every message: if the hostname is missing, add it.
syslog-ng adds the hostname to messages automatically unless you turn this behaviour off by setting keep_hostname() to yes.

-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
Balazs Scheidler wrote:
I'm also receiving messages of the form:
"above message repeats _n times"
I suspect this is coming from Red Hat of some derivation as that is what we have around here, with the exception of the HP-UX boxes - but I don't think they do that.
Is there any way the code can artificially insert a hostname into these? Perhaps the message text can be put into a list in a file, and the code can determine who the network connection is coming from, and add the appropriate hostname to it. Or perhaps it could do this automatically to every message: if the hostname is missing, add it.
syslog-ng adds the hostname to messages automatically unless you turn this behaviour off by setting keep_hostname() to yes.
Trouble with this is, then messages coming from other hosts (especially syslog-ng hosts) will be of the form:

<host1> <host2> <host3> "message"

...wouldn't it be possible for syslog-ng to take messages like:

"above message repeats 3 times"
"last message repeated 5 times"
"serverx: ftpd[999]: FTP LOGIN"

(assuming all from "serverx") and make sure that ALL of them start (once and only once) with "serverx:"?