[syslog-ng] Bug: syslog 2.0.x circular message delivery if no DNS
Evan Rempel
erempel at uvic.ca
Thu Oct 18 18:01:40 CEST 2007
Balazs Scheidler wrote:
> On Wed, 2007-10-17 at 10:42 -0700, Evan Rempel wrote:
>> We recently had an unscheduled power outage in our data center.
>> Our servers came back prior to our DNS being available (actually, prior
>> to the network coming back up). All hosts running syslog-ng consumed their
>> log filespace as fast as the disks would allow writing which took about 2 minutes.
>>
>> The problem we seem to have encountered is that our source section and destination
>> definitions are;
>>
>> source local { unix-stream("/dev/log" max-connections(200));
>> file("/proc/kmsg" log_prefix("kernel: "));
>> tcp( localip(127.0.0.1) port(514) );
>> internal();
>> };
>>
>> destination syslogServer1 { tcp("syslog.uvic.ca" log_fifo_size(50000) ); };
>>
>>
>> It seems that if syslog.uvic.ca could not be resolved, syslog-ng took it upon itself
>> to use 127.0.0.1 as its destination and started logging to itself. Chaining of hostnames
>> is on, which means that we could see a message path of
>>
>> local@myhost.uvic.ca/local@myhost.uvic.ca/local@myhost.uvic.ca/local@myhost.uvic.ca/local@myhost.uvic.ca
>>
>> until some maximum length was reached and the hostname field became truncated.
>>
>> This should be easy to repeat if you use a source like the one above, disconnect the network
>> and start syslog-ng.
>
> I was already thinking about the idea of dropping internal messages
> generated while another internal message is being delivered to prevent
> such loops.
The messages were not exclusively internal messages. A message from the kernel would be logged and
sent to 127.0.0.1 rather than being logged and sent to syslog.uvic.ca.
syslog-ng would receive this message from 127.0.0.1 and process it as usual, by logging
it to disk and sending it to 127.0.0.1 which would repeat the process.
--
Evan Rempel erempel at uvic.ca
Senior Programmer Analyst 250.721.7691
Computing Services
University of Victoria
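
Added example, not part of the original post or of syslog-ng: a pre-start check for the loop described in this thread, flagging any tcp() destination whose host fails to resolve or resolves to an address where the same configuration has a tcp() source listening on the same port. The helper names, the default port of 514, and treating an unresolved host as 127.0.0.1 (the behaviour the report observed) are assumptions of the example.

```python
import ipaddress
import re
import socket

# Constructed sample mirroring the configuration quoted in the report.
SAMPLE_CONF = '''
source local { unix-stream("/dev/log" max-connections(200));
    file("/proc/kmsg" log_prefix("kernel: "));
    tcp( localip(127.0.0.1) port(514) );
    internal();
};
destination syslogServer1 { tcp("syslog.uvic.ca" log_fifo_size(50000) ); };
'''
DEFAULT_PORT = 514  # assumption: port used by tcp() when no port() is given
ARGS = r'((?:[^()]|\([^()]*\))*)'  # option list with one level of nested parens

def _blocks(conf, kind):
    """Return (name, body) for each 'source' or 'destination' statement."""
    return re.findall(r'\b%s\s+(\S+)\s*\{(.*?)\}\s*;' % kind, conf, re.S)

def _port(args):
    m = re.search(r'\bport\((\d+)\)', args)
    return int(m.group(1)) if m else DEFAULT_PORT

def tcp_listeners(conf):
    """Return (ip, port) for every tcp() driver inside a source block."""
    found = []
    for _name, body in _blocks(conf, "source"):
        for args in re.findall(r'\btcp\(' + ARGS + r'\)', body):
            ip = re.search(r'\blocalip\(([^)]+)\)', args)
            found.append((ip.group(1).strip(' "') if ip else "0.0.0.0", _port(args)))
    return found

def loop_risks(conf, resolve=socket.gethostbyname):
    """Return (destination, host, address) for tcp() destinations that feed a local source."""
    risks = []
    for name, body in _blocks(conf, "destination"):
        for host, args in re.findall(r'\btcp\(\s*"([^"]+)"' + ARGS + r'\)', body):
            try:
                addr = resolve(host)
            except OSError:
                addr = None  # unresolvable: the report saw delivery go to 127.0.0.1
            target = ipaddress.ip_address(addr or "127.0.0.1")
            for lip, lport in tcp_listeners(conf):
                lip = ipaddress.ip_address(lip)
                same = lip == target or (lip.is_unspecified and target.is_loopback)
                if same and lport == _port(args):
                    risks.append((name, host, addr or "unresolved"))
    return risks
```

Run `loop_risks()` on the configuration text before starting the daemon and delay the start, or drop the loopback tcp() source, while the result is non-empty.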