[syslog-ng] [Bug 46] Syslog-ng can go into an endless loop, consume all memory, and crash

bugzilla at bugzilla.balabit.com
Thu May 7 23:17:56 CEST 2009


--- Comment #4 from Sikkerhed.org ApS <support at sikkerhed.org>  2009-05-07 23:17:56 ---
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > This is a positive feedback loop between the internal() source and one of the destinations (e.g. internal feeds messages to a given destination, which in turn generates error messages that originate from internal()).
> > > 
> > > There's a proper solution for this in syslog-ng 3.0, in which case it'll detect this case and drop internal messages accordingly.
> > > 
> > > Since the change is rather big, it cannot really be backported to either 2.0 or 2.1, so please use 3.0 if you want this fixed, or don't feed internal() logs to anywhere but a local static file, then read that file using the file() source. This is only a workaround I know.
> > > 
> > > I set this to WONTFIX on 2.0, a fix is available in later versions.
> > > 
> > 
> > Ok. We've rolled out syslog-ng on all our servers now anyway, so it shouldn't be a problem from here on.
> If there's a feedback loop and you don't apply the workaround I recommended, you might have the same problem if the central server goes down.

Well, your solution was to save to a local static file. That is what I am already doing, if I understand you correctly. The static file is

I guess that by "static" you mean a file that doesn't have any macro expansions in the name?

Now that all the machines have the dir /var/log/syslog in place, I don't see how this feedback loop could be triggered again?

> > 
> > It was, however, a little unnerving when it first happened, before I figured out why :-)
> > 
> > Are there other major reasons to use version 3.x over 2.x? 
> Sure, there are various, especially if you also want to take care of the contents of your messages, rather than just store them.
> http://bazsi.blogs.balabit.com/2009/03/as-promised-on-mailing-list-here-comes.html

I'll read that, thanks.

> > 
> > By the way, there's a problem with your mail server configuration. When replying to a bug report, it says:
> > 
> > <bugzilla at bugzilla.balabit.com>: host bugzilla.balabit.com[] said:
> >     554 5.1.1 <bugzilla at bugzilla.balabit.com>: Recipient address rejected:
> >     undeliverable address: mail for bugzilla.balabit.com loops back to myself
> >     (in reply to RCPT TO command)
> > 
> bugzilla at bugzilla.balabit.com is not for replying to messages; you should rather post your questions back to the ticket that you opened.

Wouldn't it make more sense to call it do-not-reply at balabit.com.invalid then? Supplying a valid-looking email address that can't be used is not so user-friendly.
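
[Added example, not part of this bug comment and not syslog-ng's own code: a small Python check for the workaround quoted above, flagging log paths that send an internal() source anywhere other than a local static file. It assumes, as the commenter guesses, that "static" means a file name without macros; the sample configuration with its names, host and paths is constructed, and the regex parsing only covers simple source/destination/log statements.]

```python
import re

# Constructed sample config (syslog-ng 2.x style); names, host and paths are made up.
SAMPLE_CONF = '''
source s_local { unix-stream("/dev/log"); internal(); };
source s_int   { internal(); };
destination d_static { file("/var/log/syslog-ng-internal.log"); };
destination d_macro  { file("/var/log/syslog/$HOST/$YEAR$MONTH$DAY.log"); };
destination d_remote { tcp("loghost.example.com" port(514)); };
log { source(s_int);   destination(d_static); };
log { source(s_local); destination(d_macro); };
log { source(s_int);   destination(d_remote); };
'''

BODY = r'\{((?:"[^"]*"|[^{}"])*)\}\s*;'   # block body; braces inside quotes are allowed
BLOCK = re.compile(r'\b(source|destination)\s+(\S+)\s*' + BODY)
LOG = re.compile(r'\blog\s*' + BODY)
REF = re.compile(r'\b(source|destination)\s*\(\s*([^\s)]+)\s*\)')
DRIVER = re.compile(r'(?:^|;)\s*([\w-]+)\s*\(\s*"([^"]*)"')  # top-level driver + first argument

def classify(dest_body):
    """Return None for file() with a macro-free name, else the reason it is risky."""
    for driver, target in DRIVER.findall(dest_body):
        if driver != 'file':
            return f'{driver}() destination, not a local file'
        if '$' in target:  # assumption: "static" means no macro expansion in the name
            return 'file name contains macros'
    return None

def risky_internal_paths(conf):
    """List (source, destination, reason) for log paths that route internal() somewhere risky."""
    conf = re.sub(r'(?m)^\s*#.*$', '', conf)  # drop full-line comments
    internal_sources, dest_body = set(), {}
    for kind, name, body in BLOCK.findall(conf):
        if kind == 'source' and re.search(r'\binternal\s*\(', body):
            internal_sources.add(name)
        elif kind == 'destination':
            dest_body[name] = body
    findings = []
    for body in LOG.findall(conf):
        refs = REF.findall(body)
        for src in (n for k, n in refs if k == 'source' and n in internal_sources):
            for dst in (n for k, n in refs if k == 'destination'):
                reason = classify(dest_body.get(dst, ''))
                if reason:
                    findings.append((src, dst, reason))
    return findings
```

[On the constructed sample, risky_internal_paths(SAMPLE_CONF) reports s_local -> d_macro and s_int -> d_remote, and leaves s_int -> d_static alone.]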
