[syslog-ng] Bug: syslog 2.0.x circular message delivery if no DNS

Balazs Scheidler bazsi at balabit.hu
Sun Apr 13 18:45:01 CEST 2008


Hi,

This is an old message, but I thought I'd let you know that I've
committed a patch to syslog-ng OSE 2.1 that should retry TCP connections
when a resolution error occurs.

This is the patch in question:
http://git.balabit.hu/?p=bazsi/syslog-ng-2.1.git;a=commit;h=56f6115c623f793a75a37ba9af6e505d7c781907

Some testing would be appreciated.

Thanks in advance.


On Tue, 2007-10-23 at 18:26 +0200, Balazs Scheidler wrote:
> On Wed, 2007-10-17 at 10:42 -0700, Evan Rempel wrote:
> > We recently had an unscheduled power outage in our data center.
> > Our servers came back prior to our DNS being available (actually, prior
> > to the network coming back up). All hosts running syslog-ng consumed their
> > log filespace as fast as the disks would allow writing which took about 2 minutes.
> > 
> > The problem we seem to have encountered is that our source section and destination
> > definitions are:
> > 
> > source local { unix-stream("/dev/log" max-connections(200));
> >                 file("/proc/kmsg" log_prefix("kernel: "));
> >                 tcp( localip(127.0.0.1) port(514) );
> >                 internal();
> >               };
> > 
> > destination syslogServer1 { tcp("syslog.uvic.ca" log_fifo_size(50000) ); };
> > 
> > 
> > It seems that if syslog.uvic.ca could not be resolved, syslog-ng took it upon itself
> > to use 127.0.0.1 as its destination and started logging to itself. Chaining of hostnames
> > is on, which means that we could see a message path of
> > 
> > local at myhost.uvic.ca/local at myhost.uvic.ca/local at myhost.uvic.ca/local at myhost.uvic.ca/local at myhost.uvic.ca
> > 
> > until some maximum length was reached and the hostname field became truncated.
> > 
> > This should be easy to repeat if you use a source like the one above, disconnect the network
> > and start syslog-ng.
> 
> While looking through my pile of syslog-ng todo items I reread this
> message, and I missed something last time.
> 
> Currently, syslog-ng falls back to 0.0.0.0 when resolving the DNS name
> fails; this in turn is interpreted by the kernel as 127.0.0.1 when used
> as a destination address.
> 
> So that's the exact cause of the breakage. I have a half-baked patch
> that should fix this behaviour, however it does not sit too well with
> optional(yes) setting. (e.g. will fail even if optional is yes).
> 
> Anyhow, here's the patch as it stands:
> 
> http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commit;h=6cd4fdaea7d77f1facd36d6fde04ae57d3e51233
> 
-- 
Bazsi
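
The failure mode discussed in this thread, as an added example (not syslog-ng code and not taken from either linked patch): on Linux, a TCP connect() to 0.0.0.0 reaches a listener bound only to 127.0.0.1, so a destination left at the unspecified address after a failed lookup feeds a local tcp() source. The function names `reaches_loopback_listener` and `dest_is_resolved` are hypothetical, and the listener uses an ephemeral port instead of 514.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if a TCP connect() to dest_ip reaches a listener bound only to
 * 127.0.0.1, 0 if the connect fails, -1 if the probe could not be set up. */
int reaches_loopback_listener(const char *dest_ip)
{
    struct sockaddr_in a;
    socklen_t len = sizeof(a);
    int reached = -1, c = -1, l = socket(AF_INET, SOCK_STREAM, 0);

    if (l < 0)
        return -1;
    memset(&a, 0, sizeof(a));
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks one */
    if (bind(l, (struct sockaddr *)&a, sizeof(a)) == 0 && listen(l, 1) == 0 &&
        getsockname(l, (struct sockaddr *)&a, &len) == 0 &&
        (c = socket(AF_INET, SOCK_STREAM, 0)) >= 0 &&
        inet_pton(AF_INET, dest_ip, &a.sin_addr) == 1) /* keep port, swap IP */
        reached = connect(c, (struct sockaddr *)&a, sizeof(a)) == 0;
    if (c >= 0)
        close(c);
    close(l);
    return reached;
}

/* Guard: a destination still holding 0.0.0.0 means name resolution never
 * filled it in; the caller should retry the lookup instead of connecting. */
int dest_is_resolved(const struct sockaddr_in *dest)
{
    return dest->sin_family == AF_INET &&
           dest->sin_addr.s_addr != htonl(INADDR_ANY);
}

int main(void)
{
    struct sockaddr_in unresolved; /* constructed: what a failed lookup leaves */

    memset(&unresolved, 0, sizeof(unresolved));
    unresolved.sin_family = AF_INET;
    printf("connect to 0.0.0.0 reaches 127.0.0.1 listener: %d\n",
           reaches_loopback_listener("0.0.0.0"));
    printf("unresolved destination accepted: %d\n", dest_is_resolved(&unresolved));
    return 0;
}
```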



