RE: [syslog-ng]Corrupted messages in log
An example of corrupted message (one line in syslog file instead of six):
Sep 27 02:01:09 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC11/ex040926.log from XXX Sep 27 02:01:11 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC15/ex040926.log from XXX Sep 27 02:01:15 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC20/ex040926.log from XXX Sep 27 02:01:15 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC22/ex040926.log from XXX Sep 27 02:01:30 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC7/ex040926.log from XXX Sep 27 02:02:00 REMOTEHOST/REMOTEHOST user.warning loader: [ID 702911 user.warning] Autoload has been locked for over an hour
I just realized that I haven't seen two messages from remote hosts concatenated. It only happens with messages generated on loghost (server where syslog-ng is installed) and messages from remote hosts (sun-stream() plus udp()).
Platform is Solaris 8 with 117350-06.
Dmitri
-----Original Message----- From: Balazs Scheidler [mailto:bazsi@balabit.hu] Sent: Monday, September 27, 2004 3:24 AM To: syslog-ng@lists.balabit.hu Subject: RE: [syslog-ng]Corrupted messages in log
On Sun, 2004-09-26 at 23:44, Dmitri Smirnov wrote:
Thanks, Loic,
some important parts of config, skipping filters:
# source local { sun-streams("/dev/log"); internal(); udp(); };
options { use_fqdn(yes); use_dns(yes); dns_cache(yes); keep_hostname(yes); chain_hostnames(no); bad_hostname("^5.*"); sync(0); stats(0); log_fifo_size(1024); log_msg_size(2048); use_time_recvd(yes); dns_cache_expire(36000); dns_cache_expire_failed(3600); dns_cache_size(10000);
};
destination syslog { file("/var/log/syslog" owner(root) group(other) perm(0644) template("$DATE $FULLHOST $FACILITY.$PRIORITY $MESSAGE\n") template_escape(no)); };
log { source(local); filter(filter1_not); filter(filter2_not); filter(filter3_not); filter(filter4_not); filter(filter5_not); destination(syslog); };
In what way are messages corrupted? You said they are concatenated, but could you post an example? It would also be important to check which syslog-ng parts are used, e.g. the message path as it is received from the network. (udp source, sun-stream source)
It would also be useful to verify whether it was mangled on the syslog-ng host itself, or it was already mangled before.
BTW: it is known that certain kernel messages on Linux might get corrupted, because of the kernel ring-buffer overflow, increasing the ring buffer size can be used to mitigate (but not solve) the problem.
-- Bazsi
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
Hi, I've found the problem, this is syslog-ng 1.6.3 specific, you should upgrade to at least 1.6.4, or apply the patch in the mailing list archive around 2004 May.
On Mon, 2004-09-27 at 18:29, Dmitri Smirnov wrote:
An example of corrupted message (one line in syslog file instead of six):
Sep 27 02:01:09 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC11/ex040926.log from XXX Sep 27 02:01:11 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC15/ex040926.log from XXX Sep 27 02:01:15 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC20/ex040926.log from XXX Sep 27 02:01:15 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC22/ex040926.log from XXX Sep 27 02:01:30 loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get W3SVC7/ex040926.log from XXX Sep 27 02:02:00 REMOTEHOST/REMOTEHOST user.warning loader: [ID 702911 user.warning] Autoload has been locked for over an hour
I just realized that I haven't seen two messages from remote hosts concatenated. It only happens with messages generated on loghost (server where syslog-ng is installed) and messages from remote hosts (sun-stream() plus udp()).
Platform is Solaris 8 with 117350-06.
Dmitri
-----Original Message----- From: Balazs Scheidler [mailto:bazsi@balabit.hu] Sent: Monday, September 27, 2004 3:24 AM To: syslog-ng@lists.balabit.hu Subject: RE: [syslog-ng]Corrupted messages in log
On Sun, 2004-09-26 at 23:44, Dmitri Smirnov wrote:
Thanks, Loic,
some important parts of config, skipping filters:
# source local { sun-streams("/dev/log"); internal(); udp(); };
options { use_fqdn(yes); use_dns(yes); dns_cache(yes); keep_hostname(yes); chain_hostnames(no); bad_hostname("^5.*"); sync(0); stats(0); log_fifo_size(1024); log_msg_size(2048); use_time_recvd(yes); dns_cache_expire(36000); dns_cache_expire_failed(3600); dns_cache_size(10000);
};
destination syslog { file("/var/log/syslog" owner(root) group(other) perm(0644) template("$DATE $FULLHOST $FACILITY.$PRIORITY $MESSAGE\n") template_escape(no)); };
log { source(local); filter(filter1_not); filter(filter2_not); filter(filter3_not); filter(filter4_not); filter(filter5_not); destination(syslog); };
In what way are messages corrupted? You said they are concatenated, but could you post an example? It would also be important to check which syslog-ng parts are used, e.g. the message path as it is received from the network. (udp source, sun-stream source)
It would also be useful to verify whether it was mangled on the syslog-ng host itself, or it was already mangled before.
BTW: it is known that certain kernel messages on Linux might get corrupted, because of the kernel ring-buffer overflow, increasing the ring buffer size can be used to mitigate (but not solve) the problem.
-- Bazsi
-- Bazsi
participants (2): Balazs Scheidler, Dmitri Smirnov