[syslog-ng] logging pauses and log entry truncation
Caylan Van Larson
caylan@cs.und.edu
Wed, 14 Aug 2002 10:57:22 -0500 (CDT)
> One difference I noticed between your log entries and mine is, yours appear
> to either get mangled and/or truncated, and then that's it, it continues on
> the next line with a new log entry. I've seen a bit different behavior in
> mine, where it will mangle and/or truncate a line, but then on the next
> entry, it continues with the rest of the previous entry. It's like when
> reading from /proc/kmsg it's erroneously detecting an end of line, sending
> that bit of data to the destinations, then continues reading from
> /proc/kmsg, starting where it cut off. For example:
>
> Aug 14 10:17:46 loghost01 fwlog input drop cleanup IN=eth0 OUT= MAC=00:06:
> Aug 14 10:17:46 loghost01 5b:84:60:7e:00:50:04:a5:11:1f:08:00
> SRC=172.30.10.33 DST=172.30.8.40 LEN=60 TOS=0x00 PREC=0x00 TTL=219 ID=61008
> DF PROTO=TCP SPT=54189 DPT=32601 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Aug 14 10:17:52 loghost01 <4>fwlog input drop cleanup IN=eth0 OUT= MAC=00:
> Aug 14 10:17:52 loghost01 06:5b:84:60:7e:00:50:04:a5:11:1f:08:00
> SRC=172.30.10.33 DST=172.30.8.40 LEN=60 TOS=0x00 PREC=0x00 TTL=219 ID=36311
> DF PROTO=TCP SPT=54189 DPT=32601 WINDOW=5840 RES=0x00 SYN URGP=0
True.
> While writing this, I just saw the most mangled entry I've seen yet:
>
> Aug 14 10:16:15 loghost01 fwlog input drop clenup Ib:84:602. PREC=0x00
> TTL=79 ID=T=TCP S SYN TCP i OUT MAC=00:06:5b:84172.3072.=5840 RES=0x00 N=0
Yikes.
> As opposed to what it /should/ look like:
>
> Aug 14 10:17:46 loghost01 fwlog input drop cleanup IN=eth0 OUT=
> MAC=00:06:5b:84:60:7e:00:50:04:a5:11:1f:08:00 SRC=172.30.10.33
> DST=172.30.8.40 LEN=60 TOS=0x00 PREC=0x00 TTL=219 ID=45827 DF PROTO=TCP
> SPT=38821 DPT=32606 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Weird weird stuff. Hopefully some of this discussion and related log
> snippets will help Balazs pinpoint the problem.
Also, I would like to add that syslog-ng stops appending to /var/log/kern
after about 20k of data. It just stops, nothing. I restart syslog-ng and
here is what happens:
/var/log/bootup
Aug 14 10:49:44 smack syslog-ng: klogd shutdown succeeded
Aug 14 10:49:48 smack syslog-ng: syslog-ng startup succeeded
Aug 14 10:49:48 smack syslog-ng: klogd startup succeeded
(never says anything about syslog-ng shutdown ducceeded,
is this normal?)
/var/log/kern
Populated for about 30k of data, truncated.
I would also like to know why when I restart iptables it puts any output
from the scripts to /var/log/bootup??? For instance, the iptables init
script calls a firewall script that runs a bunch of iptable commands.
This script also outputs some settings:
--SNIP (from /var/log/bootup on iptables restart)
Aug 14 10:50:53 smack fw-iptables: Serving port 22 (tcp) only to 134.129.212.0/24 134.129.217.128/26
Aug 14 10:50:53 smack fw-iptables: Serving port 113 (tcp) only to 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Serving port 515 (tcp) to the world.
Aug 14 10:50:53 smack fw-iptables: Serving needs client as well: Client may access port 9100 (tcp) anywhere.
Aug 14 10:50:53 smack fw-iptables: Enabling DNS Server Communications:
Aug 14 10:50:53 smack fw-iptables: Serving port 53 (udp) to the world.
Aug 14 10:50:53 smack fw-iptables: Serving needs client as well: Client may access port 53 (udp) anywhere.
Aug 14 10:50:53 smack fw-iptables: Serving port 53 (tcp) Zone Transfers to 134.129.217.44
Aug 14 10:50:53 smack fw-iptables: Serving port 53 (tcp) Zone Transfers to 134.129.217.46
Aug 14 10:50:53 smack fw-iptables: Serving port 67 (udp) to the world.
Aug 14 10:50:53 smack fw-iptables: Serving port 58884 (tcp) only to 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 515 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 389 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 636 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 37 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 514 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 514 (udp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 143 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 993 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 110 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 995 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 58884 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 23 (tcp) anywhere.
Aug 14 10:50:53 smack fw-iptables: Client may access port 113 (tcp) anywhere.
--SNAP
Also, it may help to know that I am running all of my iptables LOG
commands with the --log-level 6 and with custom --log-prefix "PREFIX" like this:
--SNIP
# Any tcp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p tcp -j LOG --log-level 6 --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i $IFACE -p tcp -j DROP
iptables -A OUTPUT -o $IFACE -p tcp -j LOG --log-level 6 --log-prefix "IPTABLES TCP-OUT: "
iptables -A OUTPUT -o $IFACE -p tcp -j DROP
--SNAP
Are you adding these loglevel and logprefix switches also? Could this
possibly be the problem? If iptables is adding these prefixes to late?
I dont know :P
Thanks,
Caylan
> ---
> Dustin D. Trammell
> Information Security Specialist
> Penson Financial Services, Inc.
>
>
>
> -----Original Message-----
> From: Caylan Van Larson [mailto:caylan@cs.und.edu]
> Sent: Wednesday, August 14, 2002 10:08
> To: 'syslog-ng@lists.balabit.hu'
> Subject: RE: [syslog-ng] logging pauses and log entry truncation
>
>
> Yes, similar, but also erratic. I have it happening in the MAC addy and
> toward the end. Sometimes it seems as they are folded in on itself.
>
> I have placed a sample on www.cs.und.edu/~caylan/kern for your viewing
> pleasure. It is not my sytle to make things like this publicly accessible
> but I want to get this issue resolved.
>
> In case you did not see the above URL or are too lazy :P
>
> Aug 14 10:02:30 smack IPTABLES UDP-IN: IN=eth1 OUT=
> MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:
> Aug 14 10:02:31 smack IPTABLES TCP-IN: IN=eth1 OUT=
> MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=63.151.197.164
> DST=134.129.212.30 LEN=48 TOS=0x00 PREC=0x00TT14 2103DF PRTCP SW=163
> Aug 14 10:02:32 smack IPTABLES UDP-IN: IN=eth1 OUT=
> MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:
> Aug 14 10:02:32 smack IPTABLES UDP-IN: IN=eth1 OUT=
> MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:
> Aug 14 10:02:32 smack IPTABLES UDP-IN: IN=eth1 OUT=
> MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.215.35 DST=1PSPT7
> DPT=137 L
> Aug 14 10:02:32 smack IPTABLES UDP-IN: IN=eth1 OUT=
> MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:
> Aug 14 10:02:33 smack IPTABLES UDP-IN: IN=eth1 OUT=
> MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.215.35
> DST=134.129.212.30 LEN=9 138 N=20
> Aug 14 10:02:33 smack IPTABLES UDP-IN: IN=eth1 OUT=
> MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:
>
> Thats a pretty damn good sample!
>
> Good luck,
>
>
> Caylan Van Larson
> Unix Administrator - Systems Team Member
> University of North Dakota (Aerospace College)
> caylan@cs.und.edu
> 701-777-6151 (work)
>
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>