[syslog-ng]kern (iptable) logs cut off

Balazs Scheidler bazsi@balabit.hu
Thu, 8 Aug 2002 09:31:14 +0200


On Thu, Aug 08, 2002 at 12:03:59AM -0500, Caylan Van Larson wrote:
> Greetings,
> 
> This is on a RedHat 7.3 Box.
> 
> We were using the latest syslog-ng rpm from redhat and we noticed that 
> upon migration from syslogd to syslog-ng our iptable logs were getting 
> mangled.
> 
> Here is an excerpt from syslogd logging of iptables (/var/log/messages):
> 
> Aug  7 23:41:47 smack kernel: IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.217.37 DST=134.129.212.30 LEN=240 TOS=0x00 PREC=0x00 TTL=127 ID=13570 PROTO=UDP SPT=138 DPT=138 LEN=220
> Aug  7 23:41:48 smack kernel: IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.201.29 DST=134.129.212.30 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=10095 DF PROTO=TCP SPT=4997 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0
> Aug  7 23:41:48 smack kernel: IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.220.175 DST=134.129.212.30 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=12752 PROTO=UDP SPT=137 DPT=137 LEN=58
> Aug  7 23:41:49 smack kernel: IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.220.175 DST=134.129.212.30 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=13008 PROTO=UDP SPT=137 DPT=137 LEN=58
> Aug  7 23:41:49 smack kernel: IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.220.175 DST=134.129.212.30 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=13264 PROTO=UDP SPT=137 DPT=137 LEN=58
> 
> Very nice as you can see.
> 
> Now, we would love to use syslog-ng but this is from syslog-ng (/var/log/kern):
> 
> Aug  7 23:38:17 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:
> Aug  7 23:38:17 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=00:03:
> Aug  7 23:38:19 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=00:03:
> Aug  7 23:38:20 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=24.220.215.146 DST=134.129.212.30 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=20216 DF PROTO=TCP SPT=2406 DPT=53 WINDOW=2144 RES=0x00 SYN URGP=0
> Aug  7 23:38:20 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=
> Aug  7 23:38:23 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=192.36.148.20 DST=134.129.212.30 LEN=52 TOS=0x00 PREC=0x00 TTL=5 ID=6179 PROTO=ICMP TYPE=8 CODE=0 ID=22608 SEQ=17
> Aug  7 23:38:23 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=
> Aug  7 23:38:24 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:
> Aug  7 23:38:25 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.201.29 DST=134.129.212.30 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=6213 DF PROTO=TCP SPT=1030 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0
> Aug  7 23:38:25 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=192.36.148.20 DST=134.129.212.30 LEN=52 TOS=0x00 PREC=0x00 TTL=243 ID=6479 PROTO=ICMP TYPE=8 CODE=0 ID=22608 SEQ=255
> 
> At the same time I find this!!!  Could this be the other part of what's missing above?
> 
> [root@smack log]# tail -f user
> Aug  7 23:42:26 smack TO=0x00 PREC=0x00 TTL=127 ID=14587 PROTO=UDP SPT=137 DPT=137 LEN=58
> Aug  7 23:42:37 smack C=UDPT=1
> Aug  7 23:42:39 smack 0TL=127 I5998 PROTO=UDP SPT=137 DPT=137 L8
> Aug  7 23:42:43 smack 0 PREC=0 TTL=127 ID=18027 PROTO=UDP SPT=17 D37 N=
> Aug  7 23:42:57 smack =x00L=127D=1826 PROTO=UDP SPT=137 DPT=137N=
> Aug  7 23:43:05 smack =0x00 TTL7 I14 DF
> Aug  7 23:43:22 smack O=TCP SPT=4481 DPT=53 WINDOW=16384 RES=0x00 SYN U
> Aug  7 23:43:24 smack LEN=78 =0x00 PREC=0x00 TTL=127 ID=21968 PROTDP SPT=137 DPT=137 LEN=58
> Aug  7 23:43:28 smack T=138 DPT
> Aug  7 23:43:31 smack T53 W

Thanks for the report. Others have also reported message mangling, but so far I
was not able to reproduce it.

I'll try to fix this ASAP. (and this time I really mean it ;)

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
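The report above shows two symptoms of the same problem: kernel LOG records in /var/log/kern that stop after "MAC=00:", and headless tails of those records turning up in /var/log/user. The following script is an added example (not code from the thread or from syslog-ng) that checks a batch of syslog lines for exactly those symptoms, so an administrator can confirm whether a logging pipeline is losing iptables data before trusting its output. It assumes the record layout visible in the thread (a syslog timestamp and host, an optional "kernel: " tag, an "IPTABLES <chain>: " prefix, then KEY=value tokens with bare flag words such as DF and SYN); the required-field lists are the author's assumption about what a complete LOG record of each protocol carries. The sample lines are copied from the thread except the last one, which is constructed to show a corrupted record that still has its prefix.

```python
import re

# Bare tokens that legitimately appear without '=' in iptables LOG output.
# (Assumed list; extend it if your kernel emits more flag words.)
FLAG_TOKENS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Fields assumed to be present in every complete LOG record, plus the
# per-protocol extras a record must carry before we call it intact.
REQUIRED_COMMON = ("IN", "OUT", "MAC", "SRC", "DST", "LEN", "TTL", "ID", "PROTO")
REQUIRED_BY_PROTO = {
    "TCP": ("SPT", "DPT", "WINDOW", "URGP"),
    "UDP": ("SPT", "DPT"),
    "ICMP": ("TYPE", "CODE"),
}

# "Aug  7 23:38:17 smack [kernel: ]<message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?:kernel: )?(?P<msg>.*)$"
)
KV_RE = re.compile(r"^([A-Z]+)=(.*)$")


def classify(line):
    """Classify one syslog line that is expected to hold an iptables LOG record.

    Returns (status, detail), where status is one of:
      'ok'        complete record, every expected field present
      'truncated' record has its prefix but ends before its fields do
      'fragment'  no 'IPTABLES' prefix: looks like the tail of a cut record
      'mangled'   record has its prefix but contains tokens that are neither
                  KEY=value nor a known flag word
      'other'     the syslog prefix itself could not be parsed
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return "other", "unparseable syslog prefix"
    msg = m.group("msg")
    if not msg.startswith("IPTABLES "):
        # The pieces that land in the wrong log file carry no prefix at all,
        # just whatever was left of the original record.
        return "fragment", msg
    header, _, body = msg.partition(": ")
    fields = {}
    for tok in body.split():
        kv = KV_RE.match(tok)
        if kv:
            key, value = kv.groups()
            fields.setdefault(key, value)  # keep the first LEN/ID (IP header's)
        elif tok in FLAG_TOKENS:
            fields[tok] = True
        else:
            return "mangled", "unexpected token %r" % tok
    missing = [k for k in REQUIRED_COMMON if k not in fields]
    proto = fields.get("PROTO")
    missing += [k for k in REQUIRED_BY_PROTO.get(proto, ()) if k not in fields]
    if missing:
        return "truncated", "missing " + ",".join(missing)
    return "ok", header


def audit(lines):
    """Count verdicts over a batch of lines.

    Any non-zero 'truncated', 'fragment' or 'mangled' count means the logging
    path between the kernel and the file is damaging records.
    """
    counts = {}
    for line in lines:
        status, _ = classify(line)
        counts[status] = counts.get(status, 0) + 1
    return counts


# Sample input: lines from the thread, plus one constructed mangled record.
SAMPLE_LINES = [
    "Aug  7 23:41:47 smack kernel: IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.217.37 DST=134.129.212.30 LEN=240 TOS=0x00 PREC=0x00 TTL=127 ID=13570 PROTO=UDP SPT=138 DPT=138 LEN=220",
    "Aug  7 23:38:17 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:",
    "Aug  7 23:38:20 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=",
    "Aug  7 23:38:23 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=192.36.148.20 DST=134.129.212.30 LEN=52 TOS=0x00 PREC=0x00 TTL=5 ID=6179 PROTO=ICMP TYPE=8 CODE=0 ID=22608 SEQ=17",
    "Aug  7 23:42:26 smack TO=0x00 PREC=0x00 TTL=127 ID=14587 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Aug  7 23:42:37 smack C=UDPT=1",
    "Aug  7 23:38:20 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=24.220.215.146 DST=134.129.212.30 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=20216 DF PROTO=TCP SPT=2406 DPT=53 WINDOW=2144 RES=0x00 SYN URGP=0",
    # Constructed: prefix survived, but the field area is corrupted.
    "Aug  7 23:43:00 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03 SRC=10.0.0.1 D37 N=",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        status, detail = classify(line)
        print("%-9s %s" % (status, detail))
    print(audit(SAMPLE_LINES))
```

Run it against the real files with something like `classify(line)` for each line of /var/log/kern and /var/log/user; a comparison of the counts before and after a syslog daemon change is the quickest way to show whether records are being split rather than merely reordered. The 'fragment' verdict is deliberately coarse: a syslog line without the "IPTABLES" prefix in the kernel facility is already suspicious on its own, and the script does not try to reassemble a tail with its head, since the thread shows the two halves arriving in different files with different timestamps.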