[syslog-ng]libc lost logs bug
Ed Ravin
eravin@panix.com
Sun, 2 Jun 2002 19:26:56 -0400 (EDT)
Peter J. Holzer writes:
> The bug in libc is more subtle:
> Apparently[1] the syslog library function works like this:
>
> check if there is an open file descriptor to syslogd. If there is
> none, try to connect in stream and dgram mode (one of them will
> usually work).
>
> Write message to the socket.
>
> If this fails, close socket.
>
> So, if syslog-ng (or syslogd, for that matter[2]) recreates the socket,
> the next write will fail, syslog will silently drop the message, but at
> the next syslog call it will reopen the socket and continue to log
> happily.
There is a similiar, but more insidious bug in all versions of NetBSD
up to and including 1.5.2: if a program has an open (but invalid) file
descriptor for syslog, all subsequent log messages are lost. NetBSD
1.5.3 and 1.6 will properly re-open the socket if the write fails
(and not lose the message if the open succeeds).
While researching this problem I noticed that some programs, like sendmail,
open the socket once and reuse it, while other programs, like sshd, seem
to close and re-open the syslog socket. The result was that I was losing
sendmail messages from my logs, but not sshd messages.
So with this bug, if I restarted syslogd (or syslog-ng), I would lose
the logs of sendmail and any other daemons that kept their syslog sockets
open.