[syslog-ng] logging pauses and log entry truncation

Dustin Trammell DTrammell@PENSON.COM
Wed, 14 Aug 2002 12:12:36 -0500


I can't comment on the /var/log/kern or /var/log/bootup stuff, as I simply
have ALL logs go to a single file and do post-processing on it nightly which
filters, splits, etc., and so far I have not had any problems with it
failing to log to the logfile at any point.  Because I'm sending all logs to
a single destination (actually multiple destinations, but the point here is
that ALL logs go to them), I don't set the log-level in my iptables
statements, but I do set the log prefix:

iptables -A INPUT -j LOG --log-prefix "$pkey input drop cleanup "
iptables -A INPUT -j DROP

So perhaps the log-prefix option could be the cause of the problem since
we're both using them.  If I get some time this afternoon I'll remove those
from a test firewall and see if it continues to mangle/truncate the iptables
log entries.

---
Dustin D. Trammell
Information Security Specialist
Penson Financial Services, Inc.



-----Original Message-----
From: Caylan Van Larson [mailto:caylan@cs.und.edu]
Sent: Wednesday, August 14, 2002 10:57
To: Dustin Trammell
Cc: 'syslog-ng@lists.balabit.hu'
Subject: RE: [syslog-ng] logging pauses and log entry truncation

Also, I would like to add that syslog-ng stops appending to /var/log/kern 
after about 20k of data.  It just stops, nothing.  I restart syslog-ng and 
here is what happens:

	/var/log/bootup
		Aug 14 10:49:44 smack syslog-ng: klogd shutdown succeeded
		Aug 14 10:49:48 smack syslog-ng: syslog-ng startup succeeded
		Aug 14 10:49:48 smack syslog-ng: klogd startup succeeded
		(never says anything about syslog-ng shutdown succeeded, 
		is this normal?)

	/var/log/kern 
		Populated for about 30k of data, truncated.

I would also like to know why when I restart iptables it puts any output 
from the scripts to /var/log/bootup???  For instance, the iptables init 
script calls a firewall script that runs a bunch of iptables commands.  
This script also outputs some settings:

--SNIP (from /var/log/bootup on iptables restart)
Aug 14 10:50:53 smack fw-iptables: Serving port 22 (tcp) only to 134.129.212.0/24 134.129.217.128/26
Aug 14 10:50:53 smack fw-iptables: Serving port 113 (tcp) only to 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Serving port 515 (tcp) to the world.
Aug 14 10:50:53 smack fw-iptables: Serving needs client as well: Client may access port 9100 (tcp) anywhere.
Aug 14 10:50:53 smack fw-iptables: Enabling DNS Server Communications:
Aug 14 10:50:53 smack fw-iptables:     Serving port 53 (udp) to the world.
Aug 14 10:50:53 smack fw-iptables:     Serving needs client as well: Client may access port 53 (udp) anywhere.
Aug 14 10:50:53 smack fw-iptables:     Serving port 53 (tcp) Zone Transfers to 134.129.217.44
Aug 14 10:50:53 smack fw-iptables:     Serving port 53 (tcp) Zone Transfers to 134.129.217.46
Aug 14 10:50:53 smack fw-iptables: Serving port 67 (udp) to the world.
Aug 14 10:50:53 smack fw-iptables: Serving port 58884 (tcp) only to 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 515 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 389 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 636 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 37 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 514 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 514 (udp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 143 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 993 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 110 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 995 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 58884 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 23 (tcp) anywhere.
Aug 14 10:50:53 smack fw-iptables: Client may access port 113 (tcp) anywhere.
--SNAP

Also, it may help to know that I am running all of my iptables LOG 
commands with the --log-level 6 and with custom --log-prefix "PREFIX" like
this:

--SNIP
  # Any tcp not already allowed is logged and then dropped.
  iptables -A INPUT  -i $IFACE -p tcp -j LOG --log-level 6 --log-prefix "IPTABLES TCP-IN: "
  iptables -A INPUT  -i $IFACE -p tcp -j DROP
  iptables -A OUTPUT -o $IFACE -p tcp -j LOG --log-level 6 --log-prefix "IPTABLES TCP-OUT: "
  iptables -A OUTPUT -o $IFACE -p tcp -j DROP
--SNAP

Are you adding these --log-level and --log-prefix switches also?  Could this 
possibly be the problem?  Is iptables adding these prefixes too late?

I don't know :P

Thanks,


Caylan
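As an added example (not code from either message, and not anything syslog-ng ships), here is a small Python post-processor in the spirit of the nightly filter/split job Dustin describes: it splits a combined syslog file into buckets keyed by the iptables --log-prefix text (everything else is keyed by program name) and flags LOG records that are missing the fields the kernel always emits, which is the kind of truncation Caylan reports. The sample lines, the hostname and the addresses are constructed; the prefixes follow the ones shown in the thread, and the script assumes kernel messages arrive tagged "kernel:" in the file.

```python
"""Split a combined syslog file by iptables --log-prefix and flag truncated LOG records."""
import re
from collections import defaultdict

# Constructed sample input (not taken from the thread): two complete iptables
# LOG records, one sshd line, one LOG record cut short mid-field, and one
# firewall-script status line of the kind that lands in /var/log/bootup.
SAMPLE_LOG = """\
Aug 14 10:51:02 smack kernel: IPTABLES TCP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=34567 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 10:51:03 smack sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 34567 ssh2
Aug 14 10:51:04 smack kernel: IPTABLES TCP-OUT: IN= OUT=eth0 SRC=192.0.2.1 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=45678 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 10:51:05 smack kernel: IPTABLES TCP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.11 DST=192.0.2
Aug 14 10:51:06 smack fw-iptables: Serving port 22 (tcp) only to 192.0.2.0/24
"""

# Classic BSD syslog line: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)
# An iptables LOG record is the --log-prefix text followed by the kernel's
# IN=... field list; the prefix is whatever precedes the first "IN=".
NETFILTER_RE = re.compile(r"^(?P<prefix>.*?)(?P<fields>IN=.*)$")
# Fields every complete LOG record carries; their absence suggests truncation.
REQUIRED_FIELDS = ("SRC", "DST", "PROTO")


def parse_line(line):
    """Return a dict for one syslog line, or None if it is not syslog-shaped.

    Keys: ts, host, prog, msg; kernel lines carrying an iptables LOG record
    also get 'prefix' (the --log-prefix text, stripped) and 'fields' (a dict
    of KEY=value pairs; bare flag words such as DF and SYN map to True).
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    if rec["prog"] == "kernel":  # assumption: klogd hands kernel text to syslog as "kernel:"
        nf = NETFILTER_RE.match(rec["msg"])
        if nf:
            rec["prefix"] = nf.group("prefix").strip() or "(no prefix)"
            fields = {}
            for tok in nf.group("fields").split():
                key, sep, val = tok.partition("=")
                fields[key] = val if sep else True
            rec["fields"] = fields
    return rec


def is_truncated(rec):
    """Heuristic: a LOG record missing SRC/DST/PROTO, or a TCP/UDP record
    missing its ports, was most likely cut short before it reached the file."""
    fields = rec.get("fields")
    if fields is None:
        return False
    if any(k not in fields for k in REQUIRED_FIELDS):
        return True
    if fields["PROTO"] in ("TCP", "UDP") and not ("SPT" in fields and "DPT" in fields):
        return True
    return False


def split_log(text):
    """Bucket syslog text by iptables prefix (or program name) and collect
    lines that look truncated. Returns (buckets, suspect_lines)."""
    buckets = defaultdict(list)
    suspects = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            buckets["unparsed"].append(line)
            continue
        if "prefix" in rec:
            buckets[rec["prefix"]].append(line)
            if is_truncated(rec):
                suspects.append(line)
        else:
            buckets[rec["prog"]].append(line)
    return dict(buckets), suspects


if __name__ == "__main__":
    buckets, suspects = split_log(SAMPLE_LOG)
    for name, lines in sorted(buckets.items()):
        print(f"{name}: {len(lines)} line(s)")
    for line in suspects:
        print("SUSPECT (possibly truncated):", line)
```

Pointed at a real combined file instead of SAMPLE_LOG, the suspect count is a cheap daily indicator of whether the LOG-to-file path is dropping tail bytes, independent of which prefix or log level the rules use.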