[syslog-ng] Repeated log messages?

Evan Rempel erempel at uvic.ca
Wed Mar 12 23:36:50 CET 2008


John Morrissey wrote:
> On Fri, Feb 29, 2008 at 07:08:14PM +0100, Balazs Scheidler wrote:
> 
>>On Fri, 2008-02-29 at 12:59 -0500, John Morrissey wrote:
>>
>>>Recently, we've noticed a few machines are filling up their log filesystems
>>>with duplicate log entries. At first, I thought this behavior was caused by
>>>running out of disk space (i.e., the machine runs out of disk and syslog-ng
>>>does some sort of buffering, and as disk space oscillates between a few
>>>hundred bytes available and completely full, syslog-ng is writing this
>>>buffered log data out to disk but never removing the log entries from its
>>>buffer), but I can't reliably reproduce it.
>>
>>Hm... is it possible that syslog-ng somehow loops back to itself? I
>>remember a problem which caused syslog-ng to resolve a destination host
>>name as 0.0.0.0 if DNS was unavailable, effectively causing it to send
>>messages to localhost.
> 
> 
> That's exactly it; syslog-ng has a UDP socket open and is sending data to
> its own UDP listener socket. I'd like to backport a targeted patch if
> possible, and haven't looked through the git repo yet; do you have an idea
> when this was fixed, or know the git revision it was fixed in?

This is related to the tcp destination not being followed if it changes IP address,
but maintains its IP name. If you can't resolve the hostname, the retry mechanism
should start from the beginning, resolve the name and attempt to open.
If the resolve fails, then the retry delay is invoked. If the connection cannot be
established, then the retry delay is invoked. It should never fail to resolve the address,
but return a valid IP address (0.0.0.0 or 127.0.0.1).

We go around this by binding to port 0.0.0.0:1514 for local stuff. Who would send
stuff to the local syslog via UDP?



This may not work for your situation.

Evan Rempel
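
The retry behaviour described in the message above, as an added example that is not part of the original post and is not syslog-ng code: each attempt resolves the name again, and a failed lookup or an answer of 0.0.0.0 or loopback counts as a failure that invokes the retry delay. The function names, the `loghost.example` host, the 10-second delay and the assumption that the real destination is never the local host are all hypothetical; the DNS answers are constructed.

```python
import ipaddress
import socket


def resolve_destination(host, port, resolver=socket.getaddrinfo):
    """Return (ip, port) for host, or None when resolution fails or yields
    an unusable address (0.0.0.0 or loopback, which would hit our own listener)."""
    try:
        infos = resolver(host, port, socket.AF_INET, socket.SOCK_DGRAM)
    except socket.gaierror:
        return None
    for _family, _type, _proto, _canon, sockaddr in infos:
        ip = ipaddress.ip_address(sockaddr[0])
        # Assumption: the real destination is never this host.
        if ip.is_unspecified or ip.is_loopback:
            continue
        return (str(ip), sockaddr[1])
    return None


def open_destination(host, port, resolver, connect, sleep,
                     retry_delay=10, max_attempts=5):
    """Each attempt starts from the beginning: resolve, then open.
    Returns (connection, attempts_used) or (None, max_attempts)."""
    for attempt in range(1, max_attempts + 1):
        addr = resolve_destination(host, port, resolver)
        if addr is not None:
            try:
                return connect(addr), attempt
            except OSError:
                pass  # open failed: fall through to the retry delay
        sleep(retry_delay)
    return None, max_attempts


def scripted_resolver(answers):
    """Constructed stand-in for DNS: yields one scripted answer per call."""
    it = iter(answers)
    def resolver(host, port, family, socktype):
        answer = next(it)
        if answer is None:
            raise socket.gaierror(socket.EAI_NONAME, "constructed failure")
        return [(family, socktype, 0, "", (answer, port))]
    return resolver


if __name__ == "__main__":
    delays = []
    dns = scripted_resolver([None, "0.0.0.0", "192.0.2.10"])
    print(open_destination("loghost.example", 514, dns,
                           connect=lambda a: a, sleep=delays.append), delays)
```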

