[syslog-ng] [Bug 46] Syslog-ng can go into and endless loop, consume all memory, and crash
bugzilla at bugzilla.balabit.com
bugzilla at bugzilla.balabit.com
Thu May 7 23:17:56 CEST 2009
https://bugzilla.balabit.com/show_bug.cgi?id=46
--- Comment #4 from Sikkerhed.org ApS <support at sikkerhed.org> 2009-05-07 23:17:56 ---
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > This is a positive feedback loop between the internal() source and one of the destinations (e.g. internal feeds messages to a given destination which in turn
> > > generate error messages that originate from internal()).
> > >
> > > There's a proper solution for this in syslog-ng 3.0, in which case it'll detect this case and drop internal messages accordingly.
> > >
> > > Since the change is rather big, it cannot really be backported to either 2.0 or 2.1, so please use 3.0 if you want this fixed, or don't feed internal()
> > > logs to anywhere but a local static file, then read that file using the file() source. This is only a workaround I know.
> > >
> > > I set this to WONTFIX on 2.0, a fix is available in later versions.
> > >
> >
> > Ok. We've rolled out syslog-ng on all our servers now anyway, so it shouldn't be a problem from here on.
>
> if there's a feedback loop, and you don't apply the workaround I recommended you might have the same problem if the central server goes down.
Well, your solution was to save to a local static file. That is what I am already doing, if I understand you correctly. The static file is
/var/log/syslog/current.
I guess that by "static" you mean a file that doesn't have any macro expansions in the name?
Now that all the machines have the dir /var/log/syslog in place, I don't see how this feedback loop could be triggered again?
> >
> > It was, however, a little unnerving when it first happened, before I figured out why :-)
> >
> > Are there other major reasons to use version 3.x over 2.x?
>
> Sure there are various, especially if you also want to take care about the contents of your messages, rather than just store them.
>
> http://bazsi.blogs.balabit.com/2009/03/as-promised-on-mailing-list-here-comes.html
I'll read that, thanks.
> >
> > By the way, there's a problem with your mail server configuration. When replying to a bug report, it says:
> >
> > <bugzilla at bugzilla.balabit.com>: host bugzilla.balabit.com[195.70.41.85] said:
> > 554 5.1.1 <bugzilla at bugzilla.balabit.com>: Recipient address rejected:
> > undeliverable address: mail for bugzilla.balabit.com loops back to myself
> > (in reply to RCPT TO command)
> >
>
> bugzilla at bugzilla.balabit.com is not for replying messages, you should rather post your questions back to the ticket that you opened.
Wouldn't it make more sense to call it do-not-reply at balabit.com.invalid then? Suppling a valid-looking email address that can't be used is not so user-friendly
:)
--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
More information about the syslog-ng
mailing list