[syslog-ng] syslog-ng looping problem

Jeff Gates Jeff.Gates at maxsp.com
Mon Jan 15 23:43:27 CET 2007


Hello,

I'm currently running Fedora 6. I installed eventlog-0.2.6+20070115 and
syslog-ng-2.0.1+20070115 and started syslog-ng and all goes well.

 

Then if I do a logger command:

logger [test:test123]

this works

but if I run

logger [status:test123]

syslog-ng goes into a loop and fills up my disk.

 

 

This only happens when resolv.conf is configured but the DNS server is not
up.

I can reproduce it by setting the resolv.conf to:

domain maxsp.com

#nameserver 192.168.1.53

#nameserver 63.198.110.86

 

And you can see in the syslog-ng.conf where I'm using the Status in the
filter.

 

]# cat syslog-ng.conf

 

# Global options for this syslog-ng instance, as posted in the report.
#   sync(0)             - write each message out immediately instead of batching lines.
#   time_reopen(10)     - wait 10 seconds before retrying a broken connection.
#   log_fifo_size(10000)- room for 10000 lines in the output queue.
#   use_dns(no)         - no name lookups for the addresses of incoming senders.
#   keep_hostname(yes)  - keep the host name carried inside a received message.
# NOTE(review): use_dns(no) presumably covers only lookups for incoming
# senders, not the resolution of a destination given by name (the tcp()
# loghost further down) - confirm, since the report ties the loop to DNS.
# NOTE(review): with keep_hostname(yes) and network sources enabled, the host
# field of a stored message is whatever the sender wrote; do not treat it as
# an authenticated origin when reading these logs.
options { sync (0);

          time_reopen (10);

          log_fifo_size (10000);

          long_hostnames (on);

          use_dns (no);

          use_fqdn (yes);

          create_dirs (no);

          keep_hostname (yes);

        };

 

 

 

 

# Input source for syslog

# Single source that merges syslog-ng's own messages (internal()), network
# input (udp(), tcp()) and the local /dev/log socket. The /proc/kmsg kernel
# source is commented out.
# NOTE(review): udp() and tcp() carry no ip() or port() options, so they run
# on the driver defaults; as far as I know that means listening on every
# interface - confirm, and bind with ip() or firewall the port if remote
# senders are not expected on this host.
# NOTE(review): because internal() is part of this source, every log path
# reading source(src) also receives syslog-ng's own diagnostics, including any
# it emits about a destination it cannot reach - worth checking when chasing
# the loop described in the report.
source src {

        internal();

        udp();

        tcp();

        unix-stream("/dev/log");

#        file("/proc/kmsg" log_prefix("kernel: "));

};

 

 

 

# Standard Unix syslog buckets: one destination per traditional log target.
# d_mesg names /var/log/messages, the same file that destination std writes
# further down; the log statements for d_cons and d_mesg are commented out.
# d_mlal uses usertty("*"), i.e. it writes to the terminals of logged-in users.
# NOTE(review): no owner()/perm() options are set on these file destinations
# (unlike destination std), so /var/log/secure and the others get whatever
# defaults apply - confirm those are restrictive enough for auth data.

destination d_cons { file("/dev/console"); };

destination d_mesg { file("/var/log/messages"); };

destination d_auth { file("/var/log/secure"); };

destination d_mail { file("/var/log/maillog"); };

destination d_spol { file("/var/log/spooler"); };

destination d_boot { file("/var/log/boot.log"); };

destination d_cron { file("/var/log/cron"); };

destination d_mlal { usertty("*"); };

 

# Facility/level filters, one per classic syslog.conf selector line:
#   f_filter1 kern, f_filter2 info-level messages except mail/authpriv/cron,
#   f_filter3 authpriv, f_filter4 mail, f_filter5 emerg, f_filter6 uucp or
#   (news at crit), f_filter7 local7, f_filter8 cron.
# NOTE(review): level(info) and level(emerg) name a single level here, not a
# range; if "info and above" was intended (as in syslog.conf's *.info) this
# presumably needs a range such as info..emerg - confirm.
filter f_filter1     { facility(kern); };

filter f_filter2     { level(info) and

                     not (facility(mail)

                        or facility(authpriv) or facility(cron)); };

filter f_filter3     { facility(authpriv); };

filter f_filter4     { facility(mail); };

filter f_filter5     { level(emerg); };

filter f_filter6     { facility(uucp) or

                     (facility(news) and level(crit)); };

filter f_filter7     { facility(local7); };

filter f_filter8     { facility(cron); };

 

# Log paths tying source src to the per-facility destinations above.
# The console (f_filter1) and messages (f_filter2) paths are commented out,
# so only auth, mail, emerg-to-terminals, spooler, boot and cron are active.
# Every active path reads source(src), which includes the udp()/tcp() network
# input and syslog-ng's internal() messages.
#log { source(src); filter(f_filter1); destination(d_cons); };

#log { source(src); filter(f_filter2); destination(d_mesg); };

log { source(src); filter(f_filter3); destination(d_auth); };

log { source(src); filter(f_filter4); destination(d_mail); };

log { source(src); filter(f_filter5); destination(d_mlal); };

log { source(src); filter(f_filter6); destination(d_spol); };

log { source(src); filter(f_filter7); destination(d_boot); };

log { source(src); filter(f_filter8); destination(d_cron); };

 

 

 

# Filter for useful log data before sending upstream

# Selects messages by application tag before they are forwarded upstream.
# NOTE(review): the square brackets are unescaped in all three patterns,
# whereas filter f_alert_message in this same file escapes them as \\[ .
# If match() interprets its argument as a regular expression, each pattern
# here is a character class (e.g. any one of the characters in
# "Application:Activescan"), so the filter would accept almost any message
# rather than only the three tagged applications - confirm, and escape the
# brackets the same way f_alert_message does if a literal tag is intended.
filter f_apps {

        match("[Application:Activescan]")

        or match("[Application:Expert]")

        or match("[Application:BCAmonitor]")

;

 };

 

# Selects alert-style messages: a "Type:High" or "Type:Medium" marker, or a
# tag that opens with "[Status:", "[status:" or "[zippy:".
# The bracket is written as \\[ so that, after string unquoting, the pattern
# contains an escaped literal "[" rather than the start of a character class.
# This is the filter the report's "logger [status:test123]" test line hits;
# "logger [test:test123]" matches none of these patterns.
filter f_alert_message {

        match("Type:High")

        or match("Type:Medium")

        or match("\\[Status:")

        or match("\\[status:")

        or match("\\[zippy:")

;

 };

 

 

# Full log messages file

 

# Catch-all file destination: /var/log/messages, owned by root:root,
# file mode 0600, directories created on demand with mode 0700.
# create_dirs(yes) here overrides the global create_dirs(no) for this file.
# (The "create_dirs(yes)" token sits on its own line only because the mail
# client wrapped the line; it belongs to the file() option list.)
destination std {

        file("/var/log/messages"

                owner(root) group(root) perm(0600) dir_perm(0700)
create_dirs(yes)

        );

};

 

 

# Unfiltered log path: everything arriving on source src is written to
# destination std (/var/log/messages).
# NOTE(review): with no filter, this path stores all udp()/tcp() input and
# all internal() messages; nothing in this configuration bounds the volume,
# so a message storm (such as the loop in the report) or a noisy remote
# sender lands on disk in full - rely on rotation/quotas outside syslog-ng
# or add a filter here.
log {

       source(src);

       destination(std);

};

 

## set up logging to loghost

# Upstream collector, reached over TCP port 514 and addressed by host name.
# NOTE(review): because the destination is a name, connecting to it depends
# on name resolution being available - relevant to the report, which only
# sees the loop when DNS is unreachable.
# NOTE(review): no encryption or peer-authentication options appear on this
# tcp() destination, so forwarded alerts presumably cross the network in
# clear text - confirm, and protect the link (tunnel or private network) if
# the alert content is sensitive.
destination loghost {

        tcp("logsink.maxsp.com" port(514));

};

 

# send to loghost

# Forwarding path to the upstream collector. Two filter() references in one
# log statement must both pass, so a message is sent to loghost only if it
# satisfies f_apps AND f_alert_message.
# NOTE(review): f_apps writes its bracketed patterns unescaped; if those act
# as character classes, f_apps passes nearly everything and f_alert_message
# becomes the only effective gate on what leaves this host - confirm.
# NOTE(review): source(src) includes internal(), so syslog-ng's own messages
# are also candidates for this path.
log {

        source(src);

        filter(f_apps);

        filter(f_alert_message);

        destination(loghost);

};

 

 

 

 

 

 

 

Thanks,

Jeff

 
