[syslog-ng]Corrupted messages in log

Dmitri Smirnov syslog-ng@lists.balabit.hu
Mon, 27 Sep 2004 09:29:05 -0700


An example of corrupted message (one line in syslog file instead of
six):

Sep 27 02:01:09 loghost local1.err MSWTRS [5572]: [ user.error] Error:
256 Couldn't get W3SVC11/ex040926.log from XXX Sep 27 02:01:11 loghost
local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get
W3SVC15/ex040926.log from XXX Sep 27 02:01:15 loghost local1.err MSWTRS
[5572]: [ user.error] Error: 256 Couldn't get W3SVC20/ex040926.log from
XXX Sep 27 02:01:15 loghost local1.err MSWTRS [5572]: [ user.error]
Error: 256 Couldn't get W3SVC22/ex040926.log from XXX Sep 27 02:01:30
loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get
W3SVC7/ex040926.log from XXX Sep 27 02:02:00 REMOTEHOST/REMOTEHOST
user.warning loader: [ID 702911 user.warning] Autoload has been locked
for over an hour

I just realized that I haven't seen two messages from remote hosts
concatenated.
It only happens with messages generated on loghost (server where
syslog-ng is installed) and messages from remote hosts (sun-stream()
plus udp()).

Platform is Solaris 8 with 117350-06.

Dmitri


-----Original Message-----
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
Sent: Monday, September 27, 2004 3:24 AM
To: syslog-ng@lists.balabit.hu
Subject: RE: [syslog-ng]Corrupted messages in log

On Sun, 2004-09-26 at 23:44, Dmitri Smirnov wrote:
> Thanks, Loic,
>
> some important parts of config, skipping filters:
>
> #
> source local { sun-streams("/dev/log"); internal(); udp(); };
>
> options {
>         use_fqdn(yes);
>         use_dns(yes);
>         dns_cache(yes);
>         keep_hostname(yes);
>         chain_hostnames(no);
>         bad_hostname("^5.*");
>         sync(0);
>         stats(0);
>         log_fifo_size(1024);
>         log_msg_size(2048);
>         use_time_recvd(yes);
>         dns_cache_expire(36000);
>         dns_cache_expire_failed(3600);
>         dns_cache_size(10000);
>
> };
>
>
> destination syslog { file("/var/log/syslog" owner(root) group(other)
> perm(0644) template("$DATE $FULLHOST $FACILITY.$PRIORITY $MESSAGE\n")
> template_escape(no)); };
>
> log { source(local); filter(filter1_not); filter(filter2_not);
> filter(filter3_not); filter(filter4_not); filter(filter5_not);
> destination(syslog); };

In what way are messages corrupted? You said they are concatenated, but
could you post an example? It would also be important to check which
syslog-ng parts are used, e.g. the message path as it is received from
the network. (udp source, sun-stream source)

It would also be useful to verify whether it was mangled on the
syslog-ng host itself, or it was already mangled before.

BTW: it is known that certain kernel messages on Linux might get
corrupted, because of the kernel ring-buffer overflow, increasing the
ring buffer size can be used to mitigate (but not solve) the problem.

--
Bazsi
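
A check for the corruption shown in the sample at the top of this message, as an added example that is not part of the original thread: it flags physical lines in a file written with the posted template that hold more than one record header, and splits them back into records. The function names and the header regular expression are assumptions derived from the `$DATE $FULLHOST $FACILITY.$PRIORITY` template; the sample lines are constructed from the message's own example.

```python
import re

# Record header produced by the posted template
# "$DATE $FULLHOST $FACILITY.$PRIORITY $MESSAGE\n" (this regex is an assumption).
HEADER = re.compile(
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d "
    r"\d{2}:\d{2}:\d{2} \S+ [a-z0-9]+\.[a-z]+ "
)


def split_records(line):
    """Split one physical line at every record header found inside it."""
    starts = [m.start() for m in HEADER.finditer(line)]
    if not starts or starts[0] != 0:
        starts.insert(0, 0)  # keep leading text that carries no header
    ends = starts[1:] + [len(line)]
    parts = (line[s:e].strip() for s, e in zip(starts, ends))
    return [p for p in parts if p]


def find_concatenated(lines):
    """Return (line_number, records) for each line holding several records."""
    hits = []
    for number, line in enumerate(lines, start=1):
        records = split_records(line.rstrip("\n"))
        if len(records) > 1:
            hits.append((number, records))
    return hits


# Constructed sample: one intact line, then three records from the message's
# example joined onto a single physical line, as in the corrupted file.
SAMPLE = [
    "Sep 27 02:01:30 loghost local1.err MSWTRS [5572]: [ user.error] "
    "Error: 256 Couldn't get W3SVC7/ex040926.log from XXX\n",
    "Sep 27 02:01:09 loghost local1.err MSWTRS [5572]: [ user.error] "
    "Error: 256 Couldn't get W3SVC11/ex040926.log from XXX "
    "Sep 27 02:01:11 loghost local1.err MSWTRS [5572]: [ user.error] "
    "Error: 256 Couldn't get W3SVC15/ex040926.log from XXX "
    "Sep 27 02:02:00 REMOTEHOST/REMOTEHOST user.warning loader: "
    "[ID 702911 user.warning] Autoload has been locked for over an hour\n",
]

if __name__ == "__main__":
    for number, records in find_concatenated(SAMPLE):
        print(f"line {number}: {len(records)} records")
        for record in records:
            print("   ", record)
```

A message body that itself quotes a full syslog header would also be flagged, so hits are candidates to review rather than proof of corruption.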

