[syslog-ng] Re: question regarding program name logs

Balazs Scheidler bazsi at balabit.hu
Sat Oct 7 12:53:50 CEST 2006 

On Wed, 2006-09-27 at 10:09 -0400, Justin Randall wrote:
> Sorry I pasted the wrong "log" statement, here it is:
> 
> log {
>   source(src_udp); source(src_tcp);
>   filter(fltr_PROGRAM);
>   destination(dst_ PROGRAM);
>   flags(final, flow-control);
> };

I have now tried to reproduce the problem without success. This was my
configuration (a bit adapted version of what you sent):


source src_udp {
  udp(
    ip(0.0.0.0)
    port(1514)
  );
};

filter fltr_PROGRAM {
  program("PROGRAM") or match("PROGRAM");
};

destination dst_PROGRAM {
  file(
    "/home/bazsi/logs/messages.lost"
  );
};

log {
  source(src_udp);
  destination(dst_PROGRAM);
  flags(final, flow-control);
};

I have generated bursts with this shell script snippet:

for i in `seq 1 30` ; do echo -ne "<5>Aug 14 22:21:34 localhost PROGRAM: message $i\nmeg ez is ide tartozik" |  nc -q0 -u localhost 1514 ; i=$[i+1]; done

This means that I had newlines embedded in a message too. The complete change
between 2.0rc2 and 2.0rc3 is this patch:

--- orig/src/logwriter.c
+++ mod/src/logwriter.c
@@ -485,11 +485,17 @@ log_writer_options_set_template_escape(L
 void
 log_writer_options_init(LogWriterOptions *options, GlobalConfig *cfg, guint32 flags, const gchar *stats_name)
 {
-  /* NOTE: free everything that might have remained from a previous init
-   * call, this way init can be called any number of times, without calling
-   * destroy first */
+  LogTemplate *template;

+ /* NOTE: free everything that might have remained from a previous init
+  * call, this way init can be called any number of times, without calling
+  * destroy first. We only need to keep options->template around as that's
+  * never initialized based on the configuration
+  */
+
+  template = log_template_ref(options->template);
   log_writer_options_destroy(options);
+  options->template = template;
   options->flags = flags;
   if (options->fifo_size == -1)
     options->fifo_size = cfg->log_fifo_size;


Which only affects initialization (and fixes a nearly guaranteed 
SIGSEGV between 2.0rc2 and 2.0rc3, I'm surprised that 2.0rc2 works for 
you)

So I basically don't see how this could happen. How do you test bursts and 
how do you determine that the first message in every burst is lost?

I would really like to release 2.0.0. But if your findings indeed turn
out to be a bug in syslog-ng that'd prevent me from doing so. 
So helping me to track this down in a timely manner would be 
appreciated. Thanks.

-- 
Bazsi

More information about the syslog-ng mailing list