[syslog-ng][PATCH] please test: syslog-ng message mangling fix

Caylan Van Larson caylan@cs.und.edu
Thu, 8 Aug 2002 13:53:29 -0500 (CDT)


Mr. Bazsi,

I will try to clarify this for you.  If I miss something just shoot me an 
email and I will answer it immediately.

When I say "mangled" the logs are cut off prematurely or squished in some 
spots, almost as if they are being folded.  This "mangled" effect has 
happened when I use pipe or file to gather the kernel logs.  Using the 
command "dmesg" I am confronted with a console full of nice looking 
iptable logs.  When these are compared to the logged versions you can 
see the apparent squishing.  When syslog-ng is stopped and syslogd is 
started /var/log/messages is populated with perfect iptable logs.  The 
syslog.conf file is at default configuration, while syslog-ng.conf is 
customized and attached below.  The logs that I have been presenting to 
this list are from the local filesystem, although this machine is 
configured to send these out to a log host.

I read that syslog-ng could replace klogd and I did this.  However, the 
effects still showed that w/ only syslog-ng running the logs are still 
bad.

Here are some examples of good iptable logs (from dmesg, line wrapped of course):
IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=138.12.5.2 DST=134.129.212.30
		LEN=127 TOS=0x00 PREC=0x00 TTL=243 ID=6173 DF PROTO=UDP SPT=53 DPT=33014 LEN=107
IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.214.194 DST=134.129.212.30
		LEN=252 TOS=0x00 PREC=0x00 TTL=127 ID=56906 PROTO=UDP SPT=138 DPT=138 LEN=232
IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.223.141 DST=134.129.212.30
		LEN=232 TOS=0x00 PREC=0x00 TTL=127 ID=16276 PROTO=UDP SPT=138 DPT=138 LEN=212
IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.201.29 DST=134.129.212.30
		LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=10830 DF PROTO=TCP SPT=2715 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0
IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.111.111 DST=134.129.212.30
		LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=49241 DF PROTO=TCP SPT=3475 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0
IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.223.237 DST=134.129.212.30
		LEN=229 TOS=0x00 PREC=0x00 TTL=127 ID=14673 PROTO=UDP SPT=138 DPT=138 LEN=209

Here is an example of what would show up in the logs (/var/log/kern):
Aug  8 12:34:04 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.214.231 DST=134.129.212.30
		LEN=78 S=0PREC=0x00 TL=127 ID=5 0426 PROTO=UDSPT=137T=137 LEN=58
Aug  8 12:34:05 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.214.231 DST=134.129.212.30
		LEN=78 TOS=0x00 PRE
Aug  8 12:34:08 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.215.54 DS
		0x00 TTL=127 ID=36747 OTDP SPT=138PT= LEN=222
Aug  8 12:34:08 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.214.139 DST=134.129.212.30
		LEN=60 TO=0 PREC=0x00 TTL=63 ID=29205 DF PROTO=TCP 347 DPT=53 WINDOW=5840 RES=0x00  URGP=0
Aug  8 12:34:08 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.214.231 DST=134.129.212.30
		LEN=78 T0x00 PREC=0x00 TTL=127 ID=50430 PROTO=UDP SPT=137 DPT=137 LEN=58


>
> Are these mangled also if you are using klogd and not using syslog-ng to
> fetch kernel messages?
>

About that... Hmm, what is the best way to just have klogd log kernel 
messages?  Maybe they are being "interpreted" twice and thus mucking 
something up.  I am willing to try anything that you suggest :)

If there is anything else I can do for you let me know.  I am very eager 
to put this to rest.  Also, did you see any errors with the way I patched 
the source.c file?  I might have possibly made a mistake and the patched 
version was never built properly, thus making the patch a viable option to 
continue pursuing?

Thanks a million!
(syslog-ng.conf attached below)


Caylan


--SNIP
# global options
#
options { use_dns(yes);
          use_fqdn(no);
          use_time_recvd(no);
          chain_hostnames(no);
          mark(0);
          sync(0);
};

# sources
#
source s_all { internal(); unix-stream("/dev/log"); file("/proc/kmsg"); };

# facility filters
#
filter f_authpriv { facility(authpriv); };
filter f_auth { facility(auth); };
filter f_boot { facility(local7); };
filter f_2511 { facility(local5); };
filter f_6509-1-log { facility(local4); };
filter f_6509-2-log { facility(local3); };
filter f_cron { facility(cron); };
filter f_kern { facility(kern); };
filter f_user { facility(user); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_daemon { facility(daemon); };
filter f_messages { priority(info..emerg)
                    and not facility(mail, news, authpriv, cron, local1,
                    local2, local3, local4, local5, local6);
};
filter f_news { facility(news); };

# priority filters
#
filter f_emerg { priority(emerg); };
filter f_crit { priority(crit..emerg); };
filter f_crit_only { priority(crit); };
filter f_err { priority(err..emerg); };
filter f_err_only { priority(err); };
filter f_warn { priority(warning..emerg); };
filter f_notice { priority(notice..emerg); };
filter f_info { priority(info..emerg); };
filter f_debug { priority(debug..emerg); };

# host filters
#
filter f_smack { host(smack); };

#destination filters
#
# *network*
destination d_tcp { tcp("134.129.212.33"); };
destination d_udp { udp("134.129.212.33"); };
# *everyone*
destination d_all { usertty("*"); };
# *console*
destination d_console { file("/dev/console"); };
# *boot*
destination d_smacboot { file("/var/log/bootlog"); };
# *cron*
destination d_smaccron { file("/var/log/cron"); };
# *mail*
destination d_smacmail { file("/var/log/maillog"); };
# *messages*
destination d_smacmsg { file("/var/log/messages"); };

# *secure (auth & authpriv)*
destination d_smacsec { file("/var/log/secure"); };
# *user*
destination d_smacuser { file("/var/log/user"); };
# *kern*
destination d_smackern { file("/var/log/kern"); };
# *daemon*
destination d_smacdaemon { file("/var/log/daemon"); };
# *spool (lpr)*
destination d_smacspool { file("/var/log/spooler"); };

#Everyone gets emergency messages
log { source(s_all); filter(f_emerg); destination(d_all); };

#Log messages from Smack
log { source(s_all); filter(f_cron); filter(f_debug); filter(f_smack); 
destination(d_smaccron); destination(d_tcp); };
log { source(s_all); filter(f_authpriv); filter(f_debug); filter(f_smack); 
destination(d_smacsec); destination(d_tcp); };
log { source(s_all); filter(f_mail); filter(f_warn); filter(f_smack); 
destination(d_smacmail); destination(d_tcp); };
log { source(s_all); filter(f_boot); filter(f_debug); filter(f_smack); 
destination(d_smacboot); destination(d_tcp); };

# fw-iptables logs at NOTICE <5> (fragments/unknown protocols) and INFO <6> (known udp/tcp/icmp)
# This line will log ALL of kern locally
log { source(s_all); filter(f_kern); filter(f_messages); filter(f_debug); filter(f_smack); destination(d_smackern); };

# This line will only remotely log NOTICE <5> and above (5,4,3,2,1,0)
log { source(s_all); filter(f_kern); filter(f_messages); filter(f_notice); filter(f_smack); destination(d_tcp); };

log { source(s_all); filter(f_user); filter(f_debug); filter(f_smack); 
destination(d_smacuser); destination(d_tcp); };
log { source(s_all); filter(f_lpr); filter(f_debug); filter(f_smack); 
destination(d_smacspool); destination(d_tcp); };
log { source(s_all); filter(f_daemon); filter(f_notice); filter(f_smack); 
destination(d_smacdaemon); destination(d_tcp); };

--SNAP

Some line wrapping occurred in PINE.  Thanks ~ Caylan