[syslog-ng] [Bug 46] New: Syslog-ng can go into an endless loop, consume all memory, and crash

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Fri May 1 16:04:37 CEST 2009


https://bugzilla.balabit.com/show_bug.cgi?id=46

           Summary: Syslog-ng can go into an endless loop, consume all
                    memory, and crash
           Product: syslog-ng
           Version: 2.0.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi at balabit.hu
        ReportedBy: support at sikkerhed.org
Type of the Report: bug
   Estimated Hours: 0.0


I've discovered a scenario where syslog-ng will eat all memory, and then either crash or get OOM-killed.

I'm using the following config:

{{{
options {
  chain_hostnames(0);
  time_reopen(10);
  time_reap(360);

  log_fifo_size(2048);
  create_dirs(yes);

  owner(root); group(adm); perm(0640);
  dir_owner(root); dir_group(adm); dir_perm(0755);

  use_dns(yes);
  use_fqdn(yes);
  stats_freq(3600);
};

source s_all {
        internal();
        unix-stream("/dev/log");
        file("/proc/kmsg" log_prefix("kernel: "));
};


destination du_all        { usertty("*"); };
destination df_logs       { file("/var/log/$FACILITY/log-$YEAR-$MONTH-$DAY"); file("/var/log/$FACILITY/current"); };
destination df_everything { file("/var/log/everything/log-$YEAR-$MONTH-$DAY"); file("/var/log/everything/current"); };

filter f_messages        { level(info,notice,warn) and not facility(auth,authpriv); };
filter f_emerg           { level(emerg); };

log                      { source(s_all);                     destination(df_logs);       };
log                      { source(s_all); filter(f_messages); destination(df_everything); };
log                      { source(s_all); filter(f_emerg);    destination(du_all);        };
}}}

The problem is the "/var/log/$FACILITY/current" output. I had some old output left over from the earlier logger, which meant that /var/log/syslog was a file.

When syslog-ng expects this node to be a directory, not a file, it tries to mkdir() it, and fails. This failure generates a syslog message, which needs to get logged to /var/log/syslog/current... which doesn't exist, is mkdir()'ed, fails, is syslogged, etc.

In other words, it never starts up, and doesn't log anything useful about what is going on.


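A pre-flight check for the condition described in this report, as an added example that is not part of the original report or of syslog-ng itself: it expands `$FACILITY` in macro-based `file()` destinations and reports any parent path that exists but is not a directory, which is where `create_dirs(yes)` cannot `mkdir()`. The function names and the `root` parameter are hypothetical, and the sample config is constructed from the `df_logs` line above.

```python
import os
import re

# Standard syslog facility names that the $FACILITY macro can expand to.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

# Constructed sample input: the df_logs destination from the report's config.
SAMPLE_CONFIG = '''
destination df_logs { file("/var/log/$FACILITY/log-$YEAR-$MONTH-$DAY"); file("/var/log/$FACILITY/current"); };
'''

def file_templates(config_text):
    """Return file("...") path templates that contain at least one macro."""
    return [p for p in re.findall(r'file\(\s*"([^"]+)"', config_text) if "$" in p]

def blocked_paths(template, root="/"):
    """Expand $FACILITY and return parent components that exist but are not
    directories, i.e. the places where create_dirs(yes) cannot mkdir()."""
    blocked = set()
    for facility in FACILITIES:
        path = template.replace("$FACILITY", facility)
        # Stop at the first macro that is left ($YEAR, $HOST, ...): only the
        # static prefix can be checked before any message arrives.
        parent = os.path.dirname(path.split("$", 1)[0])
        current = root
        for part in parent.strip("/").split("/"):
            current = os.path.join(current, part)
            if os.path.lexists(current) and not os.path.isdir(current):
                blocked.add(current)
                break
    return sorted(blocked)

def check_config(config_text, root="/"):
    """Map each macro-based file template to the paths that block it."""
    report = {}
    for template in file_templates(config_text):
        found = blocked_paths(template, root)
        if found:
            report[template] = found
    return report

if __name__ == "__main__":
    for template, paths in check_config(SAMPLE_CONFIG).items():
        for path in paths:
            print(f"{template}: {path} exists and is not a directory")
```

Running it before starting the daemon, for example after migrating from another logger, shows the conflicting path that the daemon itself never manages to log.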