[syslog-ng] incorrect firewall logs with syslogng-2.0.0 [security error?]

Balazs Scheidler bazsi at balabit.hu
Thu Nov 30 10:53:44 CET 2006


On Thu, 2006-11-30 at 00:31 +0100, Jacek Kalinski wrote:
> Hello,
> 
> After upgrading from syslogng-1.6.11 to 2.0.0 I've got strange
> messages in the /var/log/messages file:
> 
> Nov 29 08:14:05 denise WINDOW=16985 RES=0x00 ACK URGP=0
> Nov 29 11:10:19 denise PT=34536 WINDOW=16985 RES=0x00 ACK URGP=0
> Nov 29 16:42:16 denise W=0 RES=0x00 RST URGP=0
> Nov 29 21:37:15 denise 116 ID=34901 DF PROTO=TCP SPT=3584 DPT=80
> WINDOW=65535 RES=0x00 ACK FIN URGP=0
> 
> These are truncated iptables logs.
> Because there are entries in the firewall.log file similar to the truncated ones, I
> think the full line should be:
> Nov 29 11:10:19 denise firewallp=INVALID:1 a=DROP IN=eth1 OUT=
> MAC=00:30:4f:36:2b:dc:00:04:9a:2c:7f:20:08:00 SRC=193.41.230.81
> DST=xxx.xxx.xxx.x LEN=576 TOS=0x00 PREC=0x00 TTL=117 ID=3495 PROTO=TCP
> SPT=443 DPT=34536 WINDOW=16985 RES=0x00 ACK URGP=0
> (xxx.xxx.xxx.x is a real server IP address - one 'x' is one digit)
> 

It is not necessarily syslog-ng that is at fault here: if the kernel
ring buffer overflows (because of higher traffic, for example), the
kernel might hand out partial lines when /proc/kmsg is read.

You can increase the kernel ring buffer size by raising the config
option CONFIG_LOG_BUF_SHIFT.

-- 
Bazsi
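
As an added example (not part of this thread, and not syslog-ng code): a small Python checker that separates complete netfilter LOG lines from ones that begin in the middle of a message, using the lines quoted above as sample input. The field names are those printed by the iptables LOG target (IN=, OUT=, SRC=, DST=, LEN=, ... SPT=, DPT=, WINDOW=, RES=, URGP=); the sshd line in the sample is constructed.

```python
"""Detect netfilter LOG lines that reached syslog truncated.

A complete iptables LOG message, after the optional --log-prefix text,
starts with IN=... OUT=... and always carries SRC=, DST= and LEN= before
the protocol-specific tail (SPT=, DPT=, WINDOW=, RES=, TCP flags, URGP=).
If a reader of /proc/kmsg only receives the end of a message, the syslog
line begins somewhere inside that field list, sometimes inside a token
(e.g. "PT=34536" for "DPT=34536", or "116" for "TTL=116").
"""
import re
from collections import Counter
from typing import Dict, List

# "Nov 29 08:14:05 denise <message>" -- classic BSD syslog layout.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

# Any of these marks the message as netfilter LOG output.
NF_FIELD_RE = re.compile(
    r"\b(?:IN|OUT|MAC|SRC|DST|LEN|TOS|PREC|TTL|ID|PROTO|SPT|DPT|WINDOW|RES|URGP)="
)

# Fields the LOG target emits for every packet; a complete line has all of them.
HEAD_FIELDS = ("IN", "OUT", "SRC", "DST", "LEN")


def classify_line(line: str) -> Dict[str, str]:
    """Return kind 'complete', 'truncated' or 'other' plus the parsed parts.

    For a truncated line, 'cut_at' is the first token of the message, i.e.
    the point at which the surviving part of the netfilter text begins.
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return {"kind": "other", "ts": "", "host": "", "msg": line.strip(), "cut_at": ""}
    ts, host, msg = m.group("ts", "host", "msg")
    if not NF_FIELD_RE.search(msg):
        return {"kind": "other", "ts": ts, "host": host, "msg": msg, "cut_at": ""}
    missing = [f for f in HEAD_FIELDS if not re.search(r"\b%s=" % f, msg)]
    if missing:
        return {"kind": "truncated", "ts": ts, "host": host, "msg": msg,
                "cut_at": msg.split()[0]}
    return {"kind": "complete", "ts": ts, "host": host, "msg": msg, "cut_at": ""}


def truncated_entries(lines: List[str]) -> List[Dict[str, str]]:
    """All lines that carry netfilter fields but lack the fixed head fields."""
    return [e for e in map(classify_line, lines) if e["kind"] == "truncated"]


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count lines per kind; a non-zero 'truncated' count means some
    firewall messages lost their head before they were written to the file."""
    return dict(Counter(classify_line(l)["kind"] for l in lines))


# Sample input: the four partial lines and the reconstructed complete line
# quoted in the post above (joined where the mail wrapped them), plus one
# constructed non-firewall line.
SAMPLE_LINES = [
    "Nov 29 08:14:05 denise WINDOW=16985 RES=0x00 ACK URGP=0",
    "Nov 29 11:10:19 denise PT=34536 WINDOW=16985 RES=0x00 ACK URGP=0",
    "Nov 29 16:42:16 denise W=0 RES=0x00 RST URGP=0",
    "Nov 29 21:37:15 denise 116 ID=34901 DF PROTO=TCP SPT=3584 DPT=80 "
    "WINDOW=65535 RES=0x00 ACK FIN URGP=0",
    "Nov 29 11:10:19 denise firewallp=INVALID:1 a=DROP IN=eth1 OUT= "
    "MAC=00:30:4f:36:2b:dc:00:04:9a:2c:7f:20:08:00 SRC=193.41.230.81 "
    "DST=xxx.xxx.xxx.x LEN=576 TOS=0x00 PREC=0x00 TTL=117 ID=3495 PROTO=TCP "
    "SPT=443 DPT=34536 WINDOW=16985 RES=0x00 ACK URGP=0",
    "Nov 29 08:20:31 denise sshd[4112]: Accepted publickey for admin from "
    "10.0.0.5 port 51022 ssh2",
]

if __name__ == "__main__":
    for e in truncated_entries(SAMPLE_LINES):
        print("%s %s: netfilter line resumes at %r" % (e["ts"], e["host"], e["cut_at"]))
    print(summarize(SAMPLE_LINES))
```

Run it over /var/log/messages (replace SAMPLE_LINES with the file's lines) and look at the timestamps of the truncated entries: if they cluster around traffic peaks, the ring-buffer explanation above fits. CONFIG_LOG_BUF_SHIFT is a compile-time option; on kernels that support it, the log_buf_len= boot parameter sets the same buffer size without a rebuild.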


