[syslog-ng]Corrupted messages in log
Balazs Scheidler
syslog-ng@lists.balabit.hu
Mon, 27 Sep 2004 22:29:50 +0200
Hi,
I've found the problem, this is syslog-ng 1.6.3 specific, you should
upgrade to at least 1.6.4, or apply the patch in the mailing list
archive around 2004 May.
On Mon, 2004-09-27 at 18:29, Dmitri Smirnov wrote:
> An example of corrupted message (one line in syslog file instead of
> six):
>
> Sep 27 02:01:09 loghost local1.err MSWTRS [5572]: [ user.error] Error:
> 256 Couldn't get W3SVC11/ex040926.log from XXX Sep 27 02:01:11 loghost
> local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get
> W3SVC15/ex040926.log from XXX Sep 27 02:01:15 loghost local1.err MSWTRS
> [5572]: [ user.error] Error: 256 Couldn't get W3SVC20/ex040926.log from
> XXX Sep 27 02:01:15 loghost local1.err MSWTRS [5572]: [ user.error]
> Error: 256 Couldn't get W3SVC22/ex040926.log from XXX Sep 27 02:01:30
> loghost local1.err MSWTRS [5572]: [ user.error] Error: 256 Couldn't get
> W3SVC7/ex040926.log from XXX Sep 27 02:02:00 REMOTEHOST/REMOTEHOST
> user.warning loader: [ID 702911 user.warning] Autoload has been locked
> for over an hour
>
> I just realized that I haven't seen two messages from remote hosts
> contatenated.
> It only happens with messages generated on loghost (server where
> syslog-ng is installed) and messages from remote hosts (sun-stream()
> plus udp()).
>
> Platform is Solaris 8 with 117350-06.
>
> Dmitri
>
>
> -----Original Message-----
> From: Balazs Scheidler [mailto:bazsi@balabit.hu]
> Sent: Monday, September 27, 2004 3:24 AM
> To: syslog-ng@lists.balabit.hu
> Subject: RE: [syslog-ng]Corrupted messages in log
>
> On Sun, 2004-09-26 at 23:44, Dmitri Smirnov wrote:
> > Thanks, Loic,
> >
> > some important parts of config, skipping filters:
> >
> > #
> > source local { sun-streams("/dev/log"); internal(); udp(); };
> >
> > options {
> > use_fqdn(yes);
> > use_dns(yes);
> > dns_cache(yes);
> > keep_hostname(yes);
> > chain_hostnames(no);
> > bad_hostname("^5.*");
> > sync(0);
> > stats(0);
> > log_fifo_size(1024);
> > log_msg_size(2048);
> > use_time_recvd(yes);
> > dns_cache_expire(36000);
> > dns_cache_expire_failed(3600);
> > dns_cache_size(10000);
> >
> > };
> >
> >
> > destination syslog { file("/var/log/syslog" owner(root) group(other)
> > perm(0644) template("$DATE $FULLHOST $FACILITY.$PRIORITY $MESSAGE\n")
> > template_escape(no)); };
> >
> > log { source(local); filter(filter1_not); filter(filter2_not);
> > filter(filter3_not); filter(filter4_not); filter(filter5_not);
> > destination(syslog); };
>
> In what way are messages corrupted? You said they are concatenated, but
> could you post an example? It would also be important to check which
> syslog-ng parts are used, e.g. the message path as it is received from
> the network. (udp source, sun-stream source)
>
> It would also be useful to verify whether it was mangled on the
> syslog-ng host itself, or it was already mangled before.
>
> BTW: it is known that certain kernel messages on Linux might get
> corrupted, because of the kernel ring-buffer overflow, increasing the
> ring buffer size can be used to mitigate (but not solve) the problem.
>
> --
> Bazsi
>
>
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
--
Bazsi