[syslog-ng] Corrupted messages in log

Balazs Scheidler syslog-ng@lists.balabit.hu
Mon, 27 Sep 2004 12:24:05 +0200


On Sun, 2004-09-26 at 23:44, Dmitri Smirnov wrote:
> Thanks, Loic,
> 
> some important parts of config, skipping filters:
> 
> #
> source local { sun-streams("/dev/log"); internal(); udp(); };
> 
> options {
>         use_fqdn(yes);
>         use_dns(yes);
>         dns_cache(yes);
>         keep_hostname(yes);
>         chain_hostnames(no);
>         bad_hostname("^5.*");
>         sync(0);
>         stats(0);
>         log_fifo_size(1024);
>         log_msg_size(2048);
>         use_time_recvd(yes);
>         dns_cache_expire(36000);
>         dns_cache_expire_failed(3600);
>         dns_cache_size(10000);
> 
> }; 
> 
> 
> destination syslog { file("/var/log/syslog" owner(root) group(other) perm(0644) template("$DATE $FULLHOST $FACILITY.$PRIORITY $MESSAGE\n") template_escape(no)); };
> 
> log { source(local); filter(filter1_not); filter(filter2_not); filter(filter3_not); filter(filter4_not); filter(filter5_not); destination(syslog); };

In what way are messages corrupted? You said they are concatenated, but
could you post an example? It would also be important to check which
syslog-ng parts are used, e.g. the message path as it is received from
the network. (udp source, sun-stream source)

It would also be useful to verify whether it was mangled on the
syslog-ng host itself, or it was already mangled before.

BTW: it is known that certain kernel messages on Linux might get
corrupted because of the kernel ring-buffer overflow; increasing the
ring buffer size can be used to mitigate (but not solve) the problem.

-- 
Bazsi
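
An added example, not part of the original message or of syslog-ng: one way to triage a file written with the quoted template for merged messages and to group the hits by originating host, so the local and network paths can be compared. It assumes `$DATE` yields a BSD-style timestamp and that a concatenated message still carries the second frame's raw `<PRI>` header; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Layout produced by the template quoted above:
#   "$DATE $FULLHOST $FACILITY.$PRIORITY $MESSAGE\n"
# Assumption: $DATE is the BSD-style stamp, e.g. "Sep 26 23:44:01".
LINE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<fac>[a-z0-9]+)\.(?P<pri>[a-z]+) (?P<msg>.*)$"
)
# Assumption: a raw "<PRI>" frame header inside $MESSAGE means two frames were merged.
EMBEDDED_PRI = re.compile(r"<(\d{1,3})>")

def classify(line):
    """Return (host, verdict); verdict is 'ok', 'unparsable' or 'concatenated'."""
    m = LINE.match(line.rstrip("\n"))
    if m is None:
        return None, "unparsable"
    for pri in EMBEDDED_PRI.finditer(m.group("msg")):
        if int(pri.group(1)) <= 191:  # highest valid PRI: facility 23, severity 7
            return m.group("host"), "concatenated"
    return m.group("host"), "ok"

def summarize(lines):
    """Count verdicts per originating host."""
    counts = Counter()
    for line in lines:
        if line.strip():
            counts[classify(line)] += 1
    return counts

# Constructed sample lines (not taken from the thread).
SAMPLE = [
    "Sep 26 23:40:01 gw1.example.net auth.info sshd[411]: session opened for user ops\n",
    "Sep 26 23:40:02 gw1.example.net daemon.notice ntpd[88]: time reset<30>Sep 26 23:40:02 ntpd[88]: synchronized\n",
    "Sep 26 23:40:03 loghost.example.net kern.warning unix: disk <c0t0d0> retry 1\n",
    "40:04 loghost.example.net mail.info sendmail[9]: truncated header\n",
]

if __name__ == "__main__":
    for (host, verdict), n in sorted(summarize(SAMPLE).items(), key=str):
        print(f"{host or '-':24} {verdict:13} {n}")
```
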