[syslog-ng] Re: syslog-ng Digest, Vol 1, Issue 1253
M.Balajee
balajee4 at rediffmail.com
Tue May 24 16:51:20 CEST 2005
Hi,
You can edit /etc/syslog-ng.conf file to avoid this. Edit this file so that you will not be seeing the messages on the console.
On Tue, 24 May 2005 syslog-ng-request at lists.balabit.hu wrote :
>Send syslog-ng mailing list submissions to
> syslog-ng at lists.balabit.hu
>
>To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>or, via email, send a message with subject or body 'help' to
> syslog-ng-request at lists.balabit.hu
>
>You can reach the person managing the list at
> syslog-ng-owner at lists.balabit.hu
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of syslog-ng digest..."
>
>
>Today's Topics:
>
> 1. Re: No line break every so often (Balazs Scheidler)
> 2. how to avoid logging to consoles? (iv)
> 3. Re: how to avoid logging to consoles? (Balazs Scheidler)
> 4. Re: how to avoid logging to consoles? (Jesse Molina)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Mon, 23 May 2005 12:59:04 +0200
> From: Balazs Scheidler <bazsi at balabit.hu>
>Subject: Re: [syslog-ng] No line break every so often
>To: Syslog-ng users' and developers' mailing list
> <syslog-ng at lists.balabit.hu>
>Message-ID: <1116845944.23550.11.camel at bzorp.balabit>
>Content-Type: text/plain
>
>On Fri, 2005-05-20 at 12:14 -0700, Mike Tremaine wrote:
> > On Fri, 2005-05-20 at 04:49, Balazs Scheidler wrote:
>
> > Luckly it is... Attached is a trimmed down trace file with a few
> > examples of the problem [about 200lines let me know if more would be
> > useful...]
> >
> > To my [uneducated] eye it looks like sendmail is the problem but like I
> > said sometimes it does it right sometime it doesn't.
> >
> > Example:
> >
> > read(16, "<20>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect:
> > premature EOM: unexpected close", 2048) = 93
> >
> > Notice no \0 or \n
> >
> > Then the next read
> >
> > read(16, "<21>May 20 07:48:02 sendmail[16668]: j4KEkWOv016668: collect:
> > unexpected close on connection from [61.43.165.161],
> > sender=<Hager at indiatimes.com>\0<22>May 20 07:48:02 sendmail[16668]:
> > j4KEkWOv016668: from=<Hager at indiatimes.com>, size=0, class=0, nrcpts=1,
> > proto=SMTP, daemon=MTA, relay=[61.43.165.161]\0", 1955) = 300
> >
> >
> > A null terminator
> > That leads to the output
> >
> > write(22, "2005-05-20 07:48:02 quasar mail.warning sendmail[16668]:
> > j4KEkWOv016668: collect: premature EOM: unexpected close<21>May 20
> > 07:48:02 sendmail[16668]: j4KEkWOv016668: collect: unexpected close on
> > connection from [61.43.165.161],
> > sender=<Hager at indiatimes.com>\n2005-05-20 07:48:02 quasar mail.info
> > sendmail[16668]: j4KEkWOv016668: from=<Hager at indiatimes.com>, size=0,
> > class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[61.43.165.161]\n",
> > 430) = 430
> > .
> >
> > So the null was caught and turned into \n but the line before it runs
> > together. With some weird <21> [and more often <22> see trace file].
>
>Hm. Sendmail really seems to be the culprit, it is only hidden by
>sysklogd using unix-dgram() sockets in which case the syslog daemon does
>not care whether the message was NL or \0 terminated or not.
>
>The manpage for syslogd, mentions:
>
>... "A trailing newline is added when needed."
>
>This does not seem to be true. After judging the source it seems to be
>adding the NL character only if LOG_PERROR is specified to openlog()
>which clearly isn't the case for sendmail.
>
>I'd say this is a libc bug which you can work around by avoiding using
>unix-stream and sticking to unix-dgram instead. (a solution which I
>myself do not like).
>
>--
>Bazsi
>
>
>
>------------------------------
>
>Message: 2
>Date: Mon, 23 May 2005 17:15:34 +0200
> From: iv <iv at zabuchy.net>
>Subject: [syslog-ng] how to avoid logging to consoles?
>To: syslog-ng at lists.balabit.hu
>Message-ID: <4291F396.8040307 at zabuchy.net>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>hi all
>i'm trying to configure syslog-ng for logging events from firewall
>everything works fine, except one thing: all messages appear on all my
>consoles
>how can i avoid that? it makes impossible working with the console, logs
>appear even while editing files
>and situation does't change when i comment out all "log" entries in the
>syslog-ng.conf file
>please, any ideas:)
>
>my syslog-ng.conf:
>
>options {
> use_fqdn(yes);
> use_dns(no);
> chain_hostnames(yes);
> use_time_recvd(no);
># sync(10);
>
> perm(0640);
> owner("root");
> group("root");
> create_dirs(yes);
> dir_perm(0750);
> dir_owner("root");
> dir_group("root");
>};
>
>
>
>source syslog {
> unix-stream("/dev/log");
>};
>
>source kernel {
> file("/proc/kmsg");
>};
>
>source syslog-ng {
> internal();
>};
>
>
>
>destination firewall {
> file("/spool/$HOST/$YEAR/$MONTH/$DAY/firewall");
>};
>
>destination kernel {
> file("/spool/$HOST/$YEAR/$MONTH/$DAY/kernel");
>};
>
>destination invalid {
> file("/spool/unknown/$YEAR/$MONTH/$DAY/invalid");
>};
>
>destination postfix {
> file("/spool/$HOST/$YEAR/$MONTH/$DAY/postfix");
>};
>
>destination cron {
> file("/spool/$HOST/$YEAR/$MONTH/$DAY/cron");
>};
>
>destination generic {
> file("/spool/$HOST/$YEAR/$MONTH/$DAY/$PROGRAM");
>};
>
>destination syslog-ng {
> file("/spool/$HOST/$YEAR/$MONTH/$DAY/syslog-ng");
>};
>
>destination misc {
> file("/spool/$HOST/$YEAR/$MONTH/$DAY/misc");
>};
>
>
>## kernel
>filter firewall {
> match("IN=") and match("OUT=") and match("PROTO=");
>};
>
>filter notfirewall {
> not match("IN=") and not match("OUT=") and not match("PROTO=");
>};
>
>log {
> source(kernel);
> filter(firewall);
> destination(firewall);
>};
>
>log {
> source(kernel);
> filter(notfirewall);
> destination(kernel);
>};
>
>
>## internal
>log {
> source(syslog-ng);
> destination(syslog-ng);
>};
>
>
>## syslog
>filter invalid {
> not host("^syslog@[a-z]+$");
>};
>
>filter postfix {
> host("^syslog@[a-z]+$")
> and program("^postfix/");
>};
>
>filter cron {
> host("^syslog@[a-z]+$")
> and program("^(/USR/SBIN/CRON|/usr/sbin/cron)$");
>};
>
>filter generic {
> host("^syslog@[a-z]+$")
> and program("^([a-z][a-z._-]*)$");
>};
>
>log {
> source(syslog);
> filter(invalid);
> destination(invalid);
>};
>
>log {
> source(syslog);
> filter(postfix);
> destination(postfix);
>};
>
>log {
> source(syslog);
> filter(cron);
> destination(cron);
>};
>
>log {
> source(syslog);
> filter(generic);
> destination(generic);
>};
>
>log {
> source(syslog);
> destination(misc);
> flags(fallback);
>};
>
>i'm running linux debian 2.6.11.8 testing
>
>thanks in advance,
>iv
>
>
>------------------------------
>
>Message: 3
>Date: Mon, 23 May 2005 18:08:35 +0200
> From: Balazs Scheidler <bazsi at balabit.hu>
>Subject: Re: [syslog-ng] how to avoid logging to consoles?
>To: Syslog-ng users' and developers' mailing list
> <syslog-ng at lists.balabit.hu>
>Message-ID: <1116864515.19621.7.camel at bzorp.balabit>
>Content-Type: text/plain
>
>On Mon, 2005-05-23 at 17:15 +0200, iv wrote:
> > hi all
> > i'm trying to configure syslog-ng for logging events from firewall
> > everything works fine, except one thing: all messages appear on all my
> > consoles
> > how can i avoid that? it makes impossible working with the console, logs
> > appear even while editing files
> > and situation does't change when i comment out all "log" entries in the
> > syslog-ng.conf file
> > please, any ideas:)
>
>short answer: "dmesg -n1"
>
>long answer: syslog-ng does not change kernel logging parameters on its
>own, which is performed automatically by klogd. but you can do the same
>using dmesg.
>
>--
>Bazsi
>
>
>
>------------------------------
>
>Message: 4
>Date: Mon, 23 May 2005 10:40:13 -0700
> From: Jesse Molina <jesse at opendreams.net>
>Subject: Re: [syslog-ng] how to avoid logging to consoles?
>To: Syslog-ng users' and developers' mailing list
> <syslog-ng at lists.balabit.hu>
>Message-ID: <20050523174013.GA18331 at shoebox>
>Content-Type: text/plain; charset=us-ascii
>
>
>Hi
>
>man dmesg
>
>Use the -n arg, which will do what you want.
>
>You will probably need to add this to a startup script. Use update-rc.d
>for that, or make yourself a .deb if you must.
>
>
>
>On Mon, May 23, 2005 at 05:15:34PM +0200, iv wrote:
> > hi all
> > i'm trying to configure syslog-ng for logging events from firewall
> > everything works fine, except one thing: all messages appear on all my
> > consoles
> > how can i avoid that? it makes impossible working with the console, logs
> > appear even while editing files
> > and situation does't change when i comment out all "log" entries in the
> > syslog-ng.conf file
> > please, any ideas:)
> >
> > my syslog-ng.conf:
> >
> > options {
> > use_fqdn(yes);
> > use_dns(no);
> > chain_hostnames(yes);
> > use_time_recvd(no);
> > # sync(10);
> >
> > perm(0640);
> > owner("root");
> > group("root");
> > create_dirs(yes);
> > dir_perm(0750);
> > dir_owner("root");
> > dir_group("root");
> > };
> >
> >
> >
> > source syslog {
> > unix-stream("/dev/log");
> > };
> >
> > source kernel {
> > file("/proc/kmsg");
> > };
> >
> > source syslog-ng {
> > internal();
> > };
> >
> >
> >
> > destination firewall {
> > file("/spool/$HOST/$YEAR/$MONTH/$DAY/firewall");
> > };
> >
> > destination kernel {
> > file("/spool/$HOST/$YEAR/$MONTH/$DAY/kernel");
> > };
> >
> > destination invalid {
> > file("/spool/unknown/$YEAR/$MONTH/$DAY/invalid");
> > };
> >
> > destination postfix {
> > file("/spool/$HOST/$YEAR/$MONTH/$DAY/postfix");
> > };
> >
> > destination cron {
> > file("/spool/$HOST/$YEAR/$MONTH/$DAY/cron");
> > };
> >
> > destination generic {
> > file("/spool/$HOST/$YEAR/$MONTH/$DAY/$PROGRAM");
> > };
> >
> > destination syslog-ng {
> > file("/spool/$HOST/$YEAR/$MONTH/$DAY/syslog-ng");
> > };
> >
> > destination misc {
> > file("/spool/$HOST/$YEAR/$MONTH/$DAY/misc");
> > };
> >
> >
> > ## kernel
> > filter firewall {
> > match("IN=") and match("OUT=") and match("PROTO=");
> > };
> >
> > filter notfirewall {
> > not match("IN=") and not match("OUT=") and not match("PROTO=");
> > };
> >
> > log {
> > source(kernel);
> > filter(firewall);
> > destination(firewall);
> > };
> >
> > log {
> > source(kernel);
> > filter(notfirewall);
> > destination(kernel);
> > };
> >
> >
> > ## internal
> > log {
> > source(syslog-ng);
> > destination(syslog-ng);
> > };
> >
> >
> > ## syslog
> > filter invalid {
> > not host("^syslog@[a-z]+$");
> > };
> >
> > filter postfix {
> > host("^syslog@[a-z]+$")
> > and program("^postfix/");
> > };
> >
> > filter cron {
> > host("^syslog@[a-z]+$")
> > and program("^(/USR/SBIN/CRON|/usr/sbin/cron)$");
> > };
> >
> > filter generic {
> > host("^syslog@[a-z]+$")
> > and program("^([a-z][a-z._-]*)$");
> > };
> >
> > log {
> > source(syslog);
> > filter(invalid);
> > destination(invalid);
> > };
> >
> > log {
> > source(syslog);
> > filter(postfix);
> > destination(postfix);
> > };
> >
> > log {
> > source(syslog);
> > filter(cron);
> > destination(cron);
> > };
> >
> > log {
> > source(syslog);
> > filter(generic);
> > destination(generic);
> > };
> >
> > log {
> > source(syslog);
> > destination(misc);
> > flags(fallback);
> > };
> >
> > i'm running linux debian 2.6.11.8 testing
> >
> > thanks in advance,
> > iv
> > _______________________________________________
> > syslog-ng maillist - syslog-ng at lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> >
>
>--
># Jesse Molina
># Mail = jesse at opendreams.net
># Page = page-jesse at opendreams.net
># Cell = 1.602.323.7608
># Web = http://www.opendreams.net/jesse/
>
>
>
>
>------------------------------
>
>_______________________________________________
>syslog-ng maillist - syslog-ng at lists.balabit.hu
>https://lists.balabit.hu/mailman/listinfo/syslog-ng
>
>
>End of syslog-ng Digest, Vol 1, Issue 1253
>******************************************
Muggalla Balajee,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.test.balabit.hu/pipermail/syslog-ng/attachments/20050524/5df9dd08/attachment-0001.html
More information about the syslog-ng
mailing list