[syslog-ng] Log Stoppage
Brad Arlt
arlt@cpsc.ucalgary.ca
Sun, 8 Jul 2001 13:39:28 -0600
On Sun, Jul 08, 2001 at 02:05:29PM -0400, Gorm Jensen wrote:
> After upgrading from RH6.1 and syslog-ng-1.4.2 to RH7.1 and
> syslog-ng-1.4.11, only the first hit of a series of hits on the firewall is
> logged. Restarting the daemon will cause the next hit to be logged, but no
> more than that. Only the logging of firewall hits is affected.
>
> After a great deal of trial and error, I traced the problem to a specific
> destination in the configuration file. I have attached two versions (Linux
> text and MS.txt) of the config file. To simplify the configuration for
> testing, I deleted several other log destinations, filters and actions. The
> anomaly persisted, even with the simplified configuration.
>
> When the lines containing the destination 'whodat' are commented out,
> logging proceeds as expected. When the comments are arranged to include
> either one of the lines containing the whodat destination, the logging
> reverts to what is described in para one.
>
> Can anyone tell what is required to fix the problem?
> # -------- SOURCES ---------------
> source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg"); };
> #source net { udp(); };
You aren't by any chance running klogd? If so, that is probably the source
of your problems.
Others on the list have reported blocking issues with syslog-ng and
klogd reading from /proc/kmsg. The solution is to either let klogd handle
your kernel logging or to not run klogd.
PS IPTables is in the kernel.
----------------------------------------------------------------------------
__o Bradley Arlt Email: arlt@cpsc.ucalgary.ca o__
_ \<_ WWW: www.acs.ucalgary.ca/~bdarlt _>/ _
(_)/(_) -Eat well, sleep peacefully, drink lots, and ride like hell. (_)\(_)
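
The contention described in the reply above can be checked for before firewall log entries go missing. The following is an added example, not part of the original message or of syslog-ng: the function names are hypothetical, it assumes `#` only ever starts a comment in the config, and the process list in `demo` is constructed.

```shell
#!/bin/sh
# Added example: the helpers below are hypothetical, not syslog-ng tooling.

# reads_kmsg CONF: succeed if CONF has an uncommented file("/proc/kmsg") source.
# Assumption: '#' always starts a comment (no '#' inside quoted strings).
reads_kmsg() {
    sed 's/#.*//' "$1" | grep -Eq 'file[[:space:]]*\([[:space:]]*"/proc/kmsg"'
}

# klogd_listed: succeed if stdin (one command name or path per line)
# contains a process called klogd.
klogd_listed() {
    grep -Eq '(^|/)klogd[[:space:]]*$'
}

# check_conflict CONF [PROCLIST_FILE]
# Returns 1 when klogd and syslog-ng would both read /proc/kmsg, else 0.
# Without PROCLIST_FILE the live process table is used.
check_conflict() {
    if [ -n "${2:-}" ]; then
        procs=$(cat "$2")
    else
        procs=$(ps -e -o comm=)
    fi
    if reads_kmsg "$1" && printf '%s\n' "$procs" | klogd_listed; then
        echo "CONFLICT: klogd is running and $1 also reads /proc/kmsg"
        return 1
    fi
    echo "OK: no klogd/syslog-ng contention on /proc/kmsg"
    return 0
}

# demo: run the check on the source line quoted in the thread plus a
# constructed process list.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/syslog-ng.conf" <<'EOF'
source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg"); };
#source net { udp(); };
EOF
    printf 'init\nklogd\nsyslog-ng\n' > "$dir/procs"   # constructed
    if check_conflict "$dir/syslog-ng.conf" "$dir/procs"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

A non-zero result means one of the two fixes from the reply applies: stop klogd, or remove the `file("/proc/kmsg")` source and let klogd handle kernel messages.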