[syslog-ng] logging pauses and log entry truncation

Caylan Van Larson caylan@cs.und.edu
Wed, 14 Aug 2002 10:08:03 -0500 (CDT) 

Yes, similar, but also erratic.  I have it happening in the MAC addy and 
toward the end.  Sometimes it seems as they are folded in on itself.

I have placed a sample on www.cs.und.edu/~caylan/kern for your viewing 
pleasure.  It is not my sytle to make things like this publicly accessible 
but I want to get this issue resolved.

In case you did not see the above URL or are too lazy :P

Aug 14 10:02:30 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:
Aug 14 10:02:31 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=63.151.197.164 DST=134.129.212.30 LEN=48 TOS=0x00 PREC=0x00TT14 2103DF PRTCP SW=163
Aug 14 10:02:32 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:
Aug 14 10:02:32 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:
Aug 14 10:02:32 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.215.35 DST=1PSPT7 DPT=137 L
Aug 14 10:02:32 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:
Aug 14 10:02:33 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.215.35 DST=134.129.212.30 LEN=9 138 N=20
Aug 14 10:02:33 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:

Thats a pretty damn good sample!

Good luck,


Caylan Van Larson
Unix Administrator - Systems Team Member
University of North Dakota (Aerospace College)
caylan@cs.und.edu
701-777-6151 (work)

On Wed, 14 Aug 2002, Dustin Trammell wrote:

> I found out why syslog-ng was doing the pausing... I had accidentally left
> two source entries for /proc/kmsg in my syslog-ng.conf file (I was
> originally trying to see if using file() vs. pipe() made any difference in
> the log entry truncation), so I assume it was a locking issue with both of
> them trying to read from the same place.  After removing one of them, I
> haven't had syslog-ng pause on me once, but I am still getting the log entry
> truncation on entries from iptables.  It usually truncates on iptables log
> entries that have an empty OUT= tag (no out interface), and truncates just
> after the OUT= tag and before the MAC= tag, or somewhere halfway through the
> MAC address in the MAC= tag.  Are you getting the truncation at the same
> place on the same types of log entries?
> 
> ---
> Dustin D. Trammell
> Information Security Specialist
> Penson Financial Services, Inc.
> 
> 
> -----Original Message-----
> From: Caylan Van Larson [mailto:caylan@cs.und.edu]
> Sent: Monday, August 12, 2002 15:54
> To: Dustin Trammell
> Cc: 'syslog-ng@lists.balabit.hu'
> Subject: Re: [syslog-ng]logging pauses and log entry truncation
> 
> 
> I am having very similar truncating going on.  Bazsi is working on a fix.  
> However, my logs never paused, maybe for a little bit (5-10seconds) but 
> that is prolly just net traffic jumps.
> 
> Good luck to Bazsi!!!
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>