[syslog-ng][PATCH] please test: syslog-ng message mangling fix

Balazs Scheidler bazsi@balabit.hu
Fri, 9 Aug 2002 10:50:28 +0200


On Thu, Aug 08, 2002 at 01:53:29PM -0500, Caylan Van Larson wrote:
> Mr. Bazsi,
> 
> I will try to clarify this for you.  If I miss something just shoot me an 
> email and I will answer it immediately.
> 
> When I say "mangled" the logs are cut off prematurely or squished in some 
> spots, almost as if they are being folded.  This "mangled" effect has 
> happened when I use pipe or file to gather the kernel logs.  Using the 
> command "dmesg" I am confronted with a console full of nice looking 
> iptable logs.  When these are compared to the logged versions you can 
> see the apparent squishing.  When syslog-ng is stopped and syslogd is 
> started /var/log/messages is populated with perfect iptable logs.  The 
> syslog.conf file is at default configuration, while syslog-ng.conf is 
> customized and attached below.  The logs that I have been presenting to 
> this list are from the local filesystem, although this machine is 
> configured to send these out to a log host.
> 
> I read that syslog-ng could replace klogd and I did this.  However, the 
> effects still showed that w/ only syslog-ng running the logs are still 
> bad.
> 
> Here are some examples of good iptable logs (from dmesg, line wrapped of course):
> IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=138.12.5.2 DST=134.129.212.30
> 		LEN=127 TOS=0x00 PREC=0x00 TTL=243 ID=6173 DF PROTO=UDP SPT=53 DPT=33014 LEN=107
> IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.214.194 DST=134.129.212.30
> 		LEN=252 TOS=0x00 PREC=0x00 TTL=127 ID=56906 PROTO=UDP SPT=138 DPT=138 LEN=232
> IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.223.141 DST=134.129.212.30
> 		LEN=232 TOS=0x00 PREC=0x00 TTL=127 ID=16276 PROTO=UDP SPT=138 DPT=138 LEN=212
> IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.201.29 DST=134.129.212.30
> 		LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=10830 DF PROTO=TCP SPT=2715 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0
> IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.111.111 DST=134.129.212.30
> 		LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=49241 DF PROTO=TCP SPT=3475 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0
> IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.223.237 DST=134.129.212.30
> 		LEN=229 TOS=0x00 PREC=0x00 TTL=127 ID=14673 PROTO=UDP SPT=138 DPT=138 LEN=209
> 
> Here is an example of what would show up in the logs (/var/log/kern):
> Aug  8 12:34:04 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.214.231 DST=134.129.212.30
> 		LEN=78 S=0PREC=0x00 TL=127 ID=5 0426 PROTO=UDSPT=137T=137 LEN=58
> Aug  8 12:34:05 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.214.231 DST=134.129.212.30
> 		LEN=78 TOS=0x00 PRE
> Aug  8 12:34:08 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.215.54 DS
> 		0x00 TTL=127 ID=36747 OTDP SPT=138PT= LEN=222
> Aug  8 12:34:08 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.214.139 DST=134.129.212.30
> 		LEN=60 TO=0 PREC=0x00 TTL=63 ID=29205 DF PROTO=TCP 347 DPT=53 WINDOW=5840 RES=0x00  URGP=0
> Aug  8 12:34:08 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.214.231 DST=134.129.212.30
> 		LEN=78 T0x00 PREC=0x00 TTL=127 ID=50430 PROTO=UDP SPT=137 DPT=137 LEN=58
> 

I've installed syslog-ng on a host with kernel 2.4 and iptables installed. I
added a rule

iptables -A INPUT -j LOG

to log all traffic. I generated network traffic using ping and ssh; all
messages were logged fine to local logs.

Can you strace syslog-ng while running?

For example, try a simple configuration:


source src { file("/proc/kmsg"); internal(); };

destination dst { file("/var/log/kern.log"); };

log { source(src); destination(dst); };

This syslog-ng doesn't handle local messages; it only reads kernel messages.

Stop any daemons that use /proc/kmsg (klogd, the other syslog-ng).

Run this syslog-ng (syslog-ng -f <pathtonewsyslog-ngconf>)

and then start strace:

strace -o syslog-ng.strace -s 256 -p <syslogngpid>

Generate some iptables lines that are mangled. Please send me the logfile,
the strace output, and a dmesg output in private.

Today is the only chance to find the problem, as I'm leaving for holidays
tomorrow.



-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
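The "squishing" Caylan describes is easy to miss by eye in a busy /var/log/kern. The following is an added example, not code from this thread or from syslog-ng: a small checker that knows the field layout the 2.4 kernel's ipt_LOG target prints (IN= OUT= [MAC=] SRC= DST= LEN= TOS= PREC= TTL= ID= [DF] PROTO= and the per-protocol fields) and reports every token that does not fit. The sample input is the dmesg and /var/log/kern excerpts quoted above, rejoined onto single lines where the archive wrapped them; the syslog prefix and the rule's --log-prefix are skipped, so both sources can be compared with the same tool.

```python
"""Flag truncated or corrupted iptables LOG lines (added example, not syslog-ng code)."""
import re
from collections import Counter
from typing import List

# Value syntax for each key=value field ipt_LOG emits with default options.
FIELD_RE = {
    "IN":     re.compile(r"^[\w.:-]*$"),      # interface name; empty on output
    "OUT":    re.compile(r"^[\w.:-]*$"),
    # 14 colon-separated bytes: dst MAC, src MAC, ethertype (or empty)
    "MAC":    re.compile(r"^(([0-9a-f]{2}:){13}[0-9a-f]{2})?$"),
    "SRC":    re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
    "DST":    re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
    "LEN":    re.compile(r"^\d+$"),           # IP total length, then UDP length
    "TOS":    re.compile(r"^0x[0-9a-f]{2}$"),
    "PREC":   re.compile(r"^0x[0-9a-f]{2}$"),
    "TTL":    re.compile(r"^\d+$"),
    "ID":     re.compile(r"^\d+$"),
    "PROTO":  re.compile(r"^(TCP|UDP|ICMP|\d+)$"),  # 2.4 names only these three
    "SPT":    re.compile(r"^\d+$"),
    "DPT":    re.compile(r"^\d+$"),
    "WINDOW": re.compile(r"^\d+$"),
    "RES":    re.compile(r"^0x[0-9a-f]{2}$"),
    "URGP":   re.compile(r"^\d+$"),
    "TYPE":   re.compile(r"^\d+$"),           # ICMP
    "CODE":   re.compile(r"^\d+$"),
}
# Tokens without '=' that ipt_LOG legitimately prints.
FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FRAG_RE = re.compile(r"^FRAG:\d+$")

# MAC= is only printed on the input path, so it is not required here.
IP_REQUIRED = ["IN", "OUT", "SRC", "DST", "LEN", "TOS", "PREC", "TTL", "ID", "PROTO"]
L4_REQUIRED = {
    "TCP": {"SPT": 1, "DPT": 1, "WINDOW": 1, "RES": 1, "URGP": 1},
    "UDP": {"SPT": 1, "DPT": 1, "LEN": 2},   # LEN twice: IP length and UDP length
    "ICMP": {"TYPE": 1, "CODE": 1},
}


def check_line(line: str) -> List[str]:
    """Return the problems found; an empty list means the line is intact.

    Everything before the first IN= token (syslog timestamp, hostname,
    --log-prefix) is skipped, so dmesg and /var/log/kern lines both work.
    """
    tokens = line.split()
    start = next((i for i, t in enumerate(tokens) if t.startswith("IN=")), None)
    if start is None:
        return ["no IN= field: not an ipt_LOG line or truncated before it"]

    problems: List[str] = []
    pairs = []
    for tok in tokens[start:]:
        key, eq, val = tok.partition("=")
        if not eq:
            if tok not in FLAGS and not FRAG_RE.match(tok):
                problems.append(f"unexpected bare token {tok!r}")    # e.g. '0426'
            continue
        pat = FIELD_RE.get(key)
        if pat is None:
            problems.append(f"unknown field {tok!r}")       # e.g. S=0PREC=0x00, TL=127
        elif not pat.match(val):
            problems.append(f"bad value for {key}: {val!r}")  # e.g. PROTO=UDSPT=137T=137
        pairs.append((key, val))

    counts = Counter(k for k, _ in pairs)
    for k in IP_REQUIRED:
        if counts[k] == 0:
            problems.append(f"missing {k}")
    proto = next((v for k, v in pairs if k == "PROTO"), None)
    for k, need in L4_REQUIRED.get(proto, {}).items():
        if counts[k] < need:
            problems.append(f"missing {k} ({proto} header)")
    return problems


# Sample input: the dmesg and /var/log/kern excerpts quoted in the thread,
# rejoined onto single lines (the list archive wrapped them).
MAC = "MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00"
GOOD = [
    f"IPTABLES UDP-IN: IN=eth1 OUT= {MAC} SRC=138.12.5.2 DST=134.129.212.30 LEN=127 "
    "TOS=0x00 PREC=0x00 TTL=243 ID=6173 DF PROTO=UDP SPT=53 DPT=33014 LEN=107",
    f"IPTABLES TCP-IN: IN=eth1 OUT= {MAC} SRC=134.129.201.29 DST=134.129.212.30 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=61 ID=10830 DF PROTO=TCP SPT=2715 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0",
]
MANGLED = [
    f"Aug  8 12:34:04 smack IPTABLES UDP-IN: IN=eth1 OUT= {MAC} SRC=134.129.214.231 "
    "DST=134.129.212.30 LEN=78 S=0PREC=0x00 TL=127 ID=5 0426 PROTO=UDSPT=137T=137 LEN=58",
    f"Aug  8 12:34:05 smack IPTABLES UDP-IN: IN=eth1 OUT= {MAC} SRC=134.129.214.231 "
    "DST=134.129.212.30 LEN=78 TOS=0x00 PRE",
    f"Aug  8 12:34:08 smack IPTABLES UDP-IN: IN=eth1 OUT= {MAC} SRC=134.129.215.54 DS "
    "0x00 TTL=127 ID=36747 OTDP SPT=138PT= LEN=222",
    f"Aug  8 12:34:08 smack IPTABLES TCP-IN: IN=eth1 OUT= {MAC} SRC=134.129.214.139 "
    "DST=134.129.212.30 LEN=60 TO=0 PREC=0x00 TTL=63 ID=29205 DF PROTO=TCP 347 "
    "DPT=53 WINDOW=5840 RES=0x00  URGP=0",
]

if __name__ == "__main__":
    for line in GOOD + MANGLED:
        problems = check_line(line)
        print("OK     " if not problems else "MANGLED", line[:70])
        for p in problems:
            print("         -", p)
```

Run it against a kernel log file (one line per call to check_line) and every line that comes back with a non-empty list is a candidate for the strace comparison Bazsi asks for; the good dmesg lines above pass cleanly while all four /var/log/kern lines are reported, with the unknown keys, bad values and missing fields named.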