Problem with HP-UX 11.0
I sent this to the list last week, but didn't get a response. Can anyone help with this issue? Thanks -

Hi all,

I have been running syslog-ng on a handful of Solaris boxes for some time now with no problems, and am attempting to get it running on HP-UX. I have compiled (with gcc) and installed syslog-ng 1.5.16 and libol 0.3.2 on a system running HP-UX 11.00. I am using the following source statement in my config file:

source s_sys { pipe("/dev/log"); internal(); };

The filters are based on facility. It seems that the only readable output in the destination files comes from either the internal source (ex. May 7 17:47:24 myhost syslog-ng[5675]: SIGHUP received, restarting syslog-ng), or from a message I sent via logger. The rest of the output looks like this:

May 7 17:48:22 myhost ^F
May 7 17:48:22 myhost ^B
May 7 17:48:22 myhost ^B
May 7 17:48:22 myhost À^_'^SÀ^_'^S^?|Fä
May 7 17:48:22 myhost ^?~^U`
May 7 17:48:22 myhost ^?|Fä
May 7 17:48:22 myhost ^?|Fä^?|FäÀ^Ve{À^XAW
May 7 17:48:22 myhost ^?|Ç@
May 7 17:48:22 myhost >@^?{à
May 7 17:48:22 myhost ^O
May 7 17:48:22 myhost ^A
May 7 17:48:22 myhost ^?|Fä^?|FäÀ^_Î^[À^X¯^_
May 7 17:48:22 myhost ^D^?~^U`^?{à
May 7 17:48:22 myhost
May 7 17:48:22 myhost ^A
May 7 17:48:22 myhost ^?|Fä^?|FäÀ^_Õs
May 7 17:48:22 myhost ^?|Fä
May 7 17:48:22 myhost À^XD»
May 7 17:48:22 myhost @
May 7 17:48:22 myhost >@^?|¿À^?{à
May 7 17:48:22 myhost À^XA
May 7 17:48:22 myhost ^A^?|¡À
May 7 17:48:22 myhost ^B^?|¡ÔÀ^S«H
May 7 17:48:22 myhost ^?|Fä
May 7 17:48:22 myhost À^X^[wÀ E¯
May 7 17:48:22 myhost ^?|¿ÀÀ^Wåp

Any ideas? I don't know quite what to make of this.

Thanks,
Sharon.

On Thu, May 16, 2002 at 02:16:58PM -0400, dcntrnoc@cmp.com wrote:
> Hi all,
>
> I have been running syslog-ng on a handful of Solaris boxes for some time now with no problems, and am attempting to get it running on HP-UX. I have compiled (with gcc) and installed syslog-ng 1.5.16 and libol 0.3.2 on a system running HP-UX 11.00. I am using the following source statement in my config file:
>
> source s_sys { pipe("/dev/log"); internal(); };

Err... Ah, are you sure that opening a pipe from /dev/log will yield what you want? /dev/log is usually a Unix domain socket, which might put more in the stream aside from ASCII. I'd turn off any syslog daemons you have and just

cat /dev/log | od

If your output looks strikingly similar to the output you have seen in your remote log files, you will know that this is the problem. I don't have any (nor have I ever used) an HP-UX box, but I'd guess you want

source s_sys { unix-dgram("/dev/log");};

or

source s_sys { unix-stream("/dev/log");};

This might not be the issue, but it's really easy to try, so why not rule it out.

> The filters are based on facility. It seems that the only readable output in the destination files comes from either the internal source (ex. May 7 17:47:24 myhost syslog-ng[5675]: SIGHUP received, restarting syslog-ng), or from a message I sent via logger. The rest of the output looks like this:
>
> [snip]
>
> Any ideas? I don't know quite what to make of this.

As I said above, /dev/log is likely a Unix domain socket. The other things you see might be keep alive messages, header information or other such things (if you are familiar with INET domain sockets (TCP), Unix domain sockets can have similar properties and mechanisms). All of which will be binary, not ASCII.

----------------------------------------------------------------------------
   __o       Bradley Arlt                           Security Team Lead
 _ \<_       arlt@cpsc.ucalgary.ca                  University Of Calgary
(_)/(_)      http://pages.cpsc.ucalgary.ca/~arlt/   Computer Science

On Thu, May 16, 2002 at 12:53:33PM -0600, Brad Arlt wrote:
> On Thu, May 16, 2002 at 02:16:58PM -0400, dcntrnoc@cmp.com wrote:
> > Hi all,
> >
> > I have been running syslog-ng on a handful of Solaris boxes for some time now with no problems, and am attempting to get it running on HP-UX. I have compiled (with gcc) and installed syslog-ng 1.5.16 and libol 0.3.2 on a system running HP-UX 11.00. I am using the following source statement in my config file:
> >
> > source s_sys { pipe("/dev/log"); internal(); };
>
> Err... Ah, are you sure that opening a pipe from /dev/log will yield what you want? /dev/log is usually a Unix domain socket, which might put more in the stream aside from ASCII. I'd turn off any syslog daemons you have and just
>
> cat /dev/log | od

Sorry, but HP-UX's /dev/log is really a pipe and not a socket. The problem seems to be that programs sending messages to /dev/log write a whole 2048 bytes block regardless of the real length of the message. As syslog-ng reads _lines_ from a pipe, the rest of the 2048 bytes block is also read, which is what you see there.

Currently my development branch of syslog-ng 2.0 supports this, but 1.5.x doesn't. A temporary solution would be to use both original syslogd from HP-UX and have it send messages to localhost where a syslog-ng is listening.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

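The mismatch described in the reply above, as an added example that is not code from syslog-ng or from anyone in this thread: the same 2048-byte block read once as a fixed-size record and once as newline-separated lines. Assumptions: the real text ends at a NUL byte inside the block, and the message and stale bytes are constructed sample data.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define REC_SIZE 2048 /* block size stated in the thread */

/* Constructed sample writer: short message, rest of the block left stale. */
static void make_record(unsigned char *rec, const char *msg) {
    for (size_t i = 0; i < REC_SIZE; i++) /* stale bytes, some are newlines */
        rec[i] = (i % 97 == 0) ? '\n' : (unsigned char)(0x80 + i % 64);
    memcpy(rec, msg, strlen(msg) + 1); /* assumption: a NUL ends the real text */
}

/* Read exactly one block from the pipe, looping over short reads. */
static int read_record(int fd, unsigned char *rec) {
    for (size_t got = 0; got < REC_SIZE; ) {
        ssize_t r = read(fd, rec + got, REC_SIZE - got);
        if (r <= 0) return 0; /* EOF or error: no complete block */
        got += (size_t)r;
    }
    return 1;
}

/* Record-aware view: bytes before the first NUL, trailing newlines dropped.
 * out must hold REC_SIZE + 1 bytes. Returns the message length. */
static size_t record_message(const unsigned char *rec, char *out) {
    const unsigned char *nul = memchr(rec, 0, REC_SIZE);
    size_t n = nul ? (size_t)(nul - rec) : REC_SIZE;
    memcpy(out, rec, n);
    while (n > 0 && out[n - 1] == '\n') n--;
    out[n] = '\0';
    return n;
}

/* Line-oriented view: how many entries a newline splitter emits per block. */
static int count_lines(const unsigned char *rec) {
    int lines = 0;
    for (size_t i = 0; i < REC_SIZE; i++) lines += (rec[i] == '\n');
    return lines;
}

int main(void) {
    unsigned char rec[REC_SIZE]; char out[REC_SIZE + 1]; int fds[2];
    if (pipe(fds) != 0) return 1;
    make_record(rec, "<13>logger: hello\n"); /* constructed message */
    if (write(fds[1], rec, REC_SIZE) != REC_SIZE) return 1;
    if (!read_record(fds[0], rec)) return 1;
    record_message(rec, out);
    printf("record reader: \"%s\"; line splitter: %d entries\n", out, count_lines(rec));
    return 0;
}
```

Every entry after the first that the line splitter reports is stale buffer content, which is what ends up timestamped in the destination files.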
participants (3): Balazs Scheidler, Brad Arlt, dcntrnoc@cmp.com