[syslog-ng] 3.0.3: Accessing unix-dgram source appears to break all logging

Balazs Scheidler bazsi at balabit.hu
Wed Aug 5 20:32:22 CEST 2009


On Wed, 2009-08-05 at 16:56 +0200, Sandor Geller wrote:
> Hi,
> 
> On Wed, Aug 5, 2009 at 3:48 PM, Markus Stalder<ms2 at lightupnet.de> wrote:
> > Hello list,
> >
> > My first post to the list, so hello everybody! :-)  I'm on Ubuntu 8.04.2
> > amd64 and trying to upgrade from syslog-ng 2.0.9-1ubuntu1 to syslog-ng
> > 3.0.3. I've tried both the amd64 .deb package provided on balabit.com and
> > my own amd64 .deb, created with the default settings in /debian using
> > dpkg-buildpackage.
> >
> > I have the following two sources in my config:
> >
> > source s_all { internal(); unix-stream("/dev/log"); file("/proc/kmsg"
> > program_override("kernel: ")); };
> >
> > source src { internal(); unix-dgram("/dev/log"); file("/proc/kmsg"
> > program_override("kernel: ")); };
> 
> You're referencing exactly the same sources (like /dev/log,
> /proc/kmsg)? This config is horribly broken. I can't imagine how
> syslog-ng 2.0.9 was working with such a config. You should eliminate all
> duplicated sources. You can add as many log {} sections using the same
> source definition as you wish.

The configuration is indeed broken: you basically tell syslog-ng to
open /dev/log _twice_ and, what's worse, in a different mode (stream vs.
dgram).  Also, the Linux kernel does not like it when there are
multiple /proc/kmsg readers; syslog-ng might deadlock in this scenario.

I'm not sure whether syslog-ng hangs or the applications trying to send
messages simply cease to do so; you could find that out using strace (on
either the application or syslog-ng, or both).




-- 
Bazsi
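
A check for the problem discussed in this thread, as an added example that is not part of the original messages or of syslog-ng: a Python script that scans syslog-ng source blocks and reports any path opened by more than one source, noting when the drivers differ (stream vs. dgram). The function names and the regex-based parsing (source blocks without nested braces) are assumptions of this example; the sample input is the configuration quoted in the post.

```python
import re
from collections import defaultdict

# Sample input: the two overlapping source definitions quoted in the post.
SAMPLE = '''
source s_all { internal(); unix-stream("/dev/log"); file("/proc/kmsg"
program_override("kernel: ")); };

source src { internal(); unix-dgram("/dev/log"); file("/proc/kmsg"
program_override("kernel: ")); };
'''

# Assumption: source bodies contain no nested braces.
SOURCE_RE = re.compile(r'source\s+([\w.-]+)\s*\{(.*?)\}\s*;', re.S)
# Drivers that open a local path; the first quoted argument is the path.
DRIVER_RE = re.compile(r'\b(unix-stream|unix-dgram|file|pipe)\s*\(\s*"([^"]+)"')

def find_duplicate_inputs(config):
    """Return {path: [(source_name, driver), ...]} for paths opened more than once."""
    text = re.sub(r'(?m)^\s*#.*$', '', config)  # drop whole-line comments
    opened = defaultdict(list)
    for name, body in SOURCE_RE.findall(text):
        for driver, path in DRIVER_RE.findall(body):
            opened[path].append((name, driver))
    return {p: uses for p, uses in opened.items() if len(uses) > 1}

def report(config):
    """Return one human-readable finding per duplicated path, sorted by path."""
    lines = []
    for path, uses in sorted(find_duplicate_inputs(config).items()):
        drivers = {d for _, d in uses}
        note = "; opened in different modes" if len(drivers) > 1 else ""
        where = ", ".join(f"{n}:{d}" for n, d in uses)
        lines.append(f"{path} opened {len(uses)} times ({where}){note}")
    return lines

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

A configuration that defines each input once and reuses that source in several log {} sections produces no findings.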



