[syslog-ng]Corrupted messages in log

Balazs Scheidler syslog-ng@lists.balabit.hu
Mon, 27 Sep 2004 22:29:50 +0200


Hi,

I've found the problem: this is syslog-ng 1.6.3 specific. You should
upgrade to at least 1.6.4, or apply the patch in the mailing list
archive around 2004 May.

On Mon, 2004-09-27 at 18:29, Dmitri Smirnov wrote:
> An example of corrupted message (one line in syslog file instead of
> six):
> 
> Sep 27 02:01:09 loghost local1.err MSWTRS [5572]: [ user.error] Error:
> 256 Couldn't get W3SVC11/ex040926.log from XXX Sep 27 02:01:11 loghost
> local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get
> W3SVC15/ex040926.log from XXX Sep 27 02:01:15 loghost local1.err MSWTRS
> [5572]: [ user.error] Error: 256 Couldn't get W3SVC20/ex040926.log from
> XXX Sep 27 02:01:15 loghost local1.err MSWTRS [5572]: [ user.error]
> Error: 256 Couldn't get W3SVC22/ex040926.log from XXX Sep 27 02:01:30
> loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get
> W3SVC7/ex040926.log from XXX Sep 27 02:02:00 REMOTEHOST/REMOTEHOST
> user.warning loader: [ID 702911 user.warning] Autoload has been locked
> for over an hour 
> 
> I just realized that I haven't seen two messages from remote hosts
> concatenated. 
> It only happens with messages generated on loghost (server where
> syslog-ng is installed) and messages from remote hosts (sun-stream()
> plus udp()).
> 
> Platform is Solaris 8 with 117350-06. 
> 
> Dmitri
> 
> 
> -----Original Message-----
> From: Balazs Scheidler [mailto:bazsi@balabit.hu] 
> Sent: Monday, September 27, 2004 3:24 AM
> To: syslog-ng@lists.balabit.hu
> Subject: RE: [syslog-ng]Corrupted messages in log
> 
> On Sun, 2004-09-26 at 23:44, Dmitri Smirnov wrote:
> > Thanks, Loic,
> > 
> > some important parts of config, skipping filters:
> > 
> > #
> > source local { sun-streams("/dev/log"); internal(); udp(); };
> > 
> > options {
> >         use_fqdn(yes);
> >         use_dns(yes);
> >         dns_cache(yes);
> >         keep_hostname(yes);
> >         chain_hostnames(no);
> >         bad_hostname("^5.*");
> >         sync(0);
> >         stats(0);
> >         log_fifo_size(1024);
> >         log_msg_size(2048);
> >         use_time_recvd(yes);
> >         dns_cache_expire(36000);
> >         dns_cache_expire_failed(3600);
> >         dns_cache_size(10000);
> > 
> > };
> > 
> > 
> > destination syslog { file("/var/log/syslog" owner(root) group(other) 
> > perm(0644) template("$DATE $FULLHOST $FACILITY.$PRIORITY $MESSAGE\n") 
> > template_escape(no)); };
> > 
> > log { source(local); filter(filter1_not); filter(filter2_not); 
> > filter(filter3_not); filter(filter4_not); filter(filter5_not); 
> > destination(syslog); };
> 
> In what way are messages corrupted? You said they are concatenated, but
> could you post an example? It would also be important to check which
> syslog-ng parts are used, e.g. the message path as it is received from
> the network. (udp source, sun-stream source)
> 
> It would also be useful to verify whether it was mangled on the
> syslog-ng host itself, or it was already mangled before.
> 
> BTW: it is known that certain kernel messages on Linux might get
> corrupted, because of the kernel ring-buffer overflow, increasing the
> ring buffer size can be used to mitigate (but not solve) the problem.
> 
> --
> Bazsi
> 
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> 
-- 
Bazsi