[syslog-ng] incorrect firewall logs with syslogng-2.0.0 [security error?]

Jacek Kalinski jacek_kal at o2.pl
Thu Nov 30 19:23:53 CET 2006


On 2006-11-30 10:53, Balazs Scheidler wrote:
>> After upgrading from syslogng-1.6.11 to 2.0.0 I've got strange
>> messages in the /var/log/messages file:
>>
>> Nov 29 08:14:05 denise WINDOW=16985 RES=0x00 ACK URGP=0
>> Nov 29 11:10:19 denise PT=34536 WINDOW=16985 RES=0x00 ACK URGP=0
>> Nov 29 16:42:16 denise W=0 RES=0x00 RST URGP=0
>> Nov 29 21:37:15 denise 116 ID=34901 DF PROTO=TCP SPT=3584 DPT=80
>> WINDOW=65535 RES=0x00 ACK FIN URGP=0
>>     
> It is not necessarily syslog-ng that is at fault here, if the kernel
> ring buffer is overflown (because of higher traffic for example), the
> kernel might give partial lines while reading /proc/kmsg.
>
> You can increase the kernel ring buffer size by increasing the config
> option CONFIG_LOG_BUF_SHIFT
>   

I don't think so.
Previously syslog-ng 1.6.11 was installed for 3 months (exactly since 1
August). The kernel also wasn't changed, at least within the last month or two.
There weren't problems of this kind before (even under much higher
network traffic). And I'm sure that there were no "truncated" entries,
because every strange line in the system logs is reported to me immediately.

After the upgrade (27th November) truncated lines are reported in the logs every
3-10 hours. So it is very frequent.
All I can do in this situation is to downgrade to syslog-ng 1.6
(yes, I have the previous binary in backup) and check whether these errors are
repeated.

PS: I'm not sure it is a syslog-ng error, but the circumstances are very,
very strange and connected with the upgrade.

Jacek
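An added example for this thread, not code from syslog-ng or from either poster: a small checker that flags partial netfilter LOG records of the kind quoted above, so that truncation can be counted and correlated with a syslogd or kernel change instead of being noticed by eye. It relies on the fact that a complete record written by the kernel's LOG target begins with the IN= and OUT= fields, so a line carrying later fields (WINDOW=, RES=, URGP=, ...) without them is the tail of a cut message. The sample input reuses the four lines quoted in the thread (the fourth rejoined from its mail wrap) plus one constructed complete record and one constructed cron line; the interface name, addresses and PID in the constructed lines are made up.

```python
"""Flag partial netfilter (iptables LOG) records in syslog output.

Added example for the mailing-list thread; not syslog-ng code. The
heuristic: a complete LOG record carries IN= and OUT= (OUT= may be empty),
so a line with other netfilter fields but without those two is a tail.
"""
import re

# Traditional syslog line: "Nov 29 08:14:05 denise <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
KV_RE = re.compile(r"^([A-Za-z]+)=(\S*)$")

# Field names written by the kernel LOG target, and the bare flag tokens.
NF_KEYS = {
    "IN", "OUT", "MAC", "SRC", "DST", "LEN", "TOS", "PREC", "TTL", "ID",
    "PROTO", "SPT", "DPT", "WINDOW", "RES", "URGP", "SEQ", "TYPE", "CODE",
}
NF_FLAGS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
# Present at the start of every complete record.
REQUIRED_KEYS = {"IN", "OUT"}

# Constructed sample: one complete record (made-up interface/addresses),
# the four truncated lines quoted in the thread, and a non-firewall line.
SAMPLE_LINES = [
    "Nov 29 08:13:59 denise IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 29 08:14:05 denise WINDOW=16985 RES=0x00 ACK URGP=0",
    "Nov 29 11:10:19 denise PT=34536 WINDOW=16985 RES=0x00 ACK URGP=0",
    "Nov 29 16:42:16 denise W=0 RES=0x00 RST URGP=0",
    "Nov 29 21:37:15 denise 116 ID=34901 DF PROTO=TCP SPT=3584 DPT=80 "
    "WINDOW=65535 RES=0x00 ACK FIN URGP=0",
    "Nov 29 22:00:01 denise CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",
]


def classify(line):
    """Return (verdict, reason); verdict is 'complete', 'truncated' or 'other'."""
    m = SYSLOG_RE.match(line)
    if not m:
        return "other", "not a syslog line"
    tokens = m.group("msg").split()
    keys, flags = set(), set()
    for tok in tokens:
        kv = KV_RE.match(tok)
        if kv:
            keys.add(kv.group(1))
        elif tok in NF_FLAGS:
            flags.add(tok)
    # Require at least two recognised netfilter tokens before treating the
    # line as a LOG record at all.
    if len((keys & NF_KEYS) | flags) < 2:
        return "other", "no netfilter fields"
    if REQUIRED_KEYS <= keys:
        return "complete", "IN= and OUT= present"
    # Work out where the cut fell from the first surviving token.
    first = tokens[0]
    kv = KV_RE.match(first)
    if kv and kv.group(1) not in NF_KEYS:
        # e.g. "PT=34536" is the tail of SPT=/DPT=, "W=0" the tail of WINDOW=
        suffix_of = sorted(k for k in NF_KEYS if k.endswith(kv.group(1)))
        return "truncated", f"leading key {kv.group(1)!r} is a cut {'/'.join(suffix_of) or 'field'}"
    if first.isdigit():
        # A bare value whose field name (TTL=, LEN=, ...) was lost.
        return "truncated", f"leading bare value {first!r} has lost its field name"
    return "truncated", "IN=/OUT= missing"


def scan(lines):
    """Return [(line_number, host, reason)] for every truncated record found."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict, reason = classify(line)
        if verdict == "truncated":
            hits.append((n, SYSLOG_RE.match(line).group("host"), reason))
    return hits


if __name__ == "__main__":
    for n, host, reason in scan(SAMPLE_LINES):
        print(f"line {n} ({host}): {reason}")
```

Run it against a day's /var/log/messages before and after the syslogd swap and compare the hit counts; a jump that tracks the upgrade and not the traffic level points at the log path rather than at CONFIG_LOG_BUF_SHIFT.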


