[syslog-ng] Logging with db-parser issue

Nate Hausrath hausrath at gmail.com
Fri May 8 16:23:40 CEST 2009


Thanks for the response.

It looks like there may be a problem with my install or a bug
somewhere.  With the config file below, I'm still not getting messages
in my /var/log/remote/parsed.log file.  However, when I comment out
"parser(p_db);" in the log section of the config, messages begin
showing up.

After a bit more investigation, when I receive the first remote log
message over UDP, the following appears in my /var/log/messages:

kernel: : [89941.138626] syslog-ng[16473]: segfault at 00000010 eip
08063e49 esp bfa1a490 error 4

Even after this, the process is still running and the ports are still
open.  At this point, I'm not really sure how to diagnose the problem.

-Nate

>>
>> Other than that, here is my syslog-ng.conf file:
>>
>> @version: 3.0
>> #Default configuration file for syslog-ng.
>> #
>> # For a description of syslog-ng configuration file directives, please read
>> # the syslog-ng Administrator's guide at:
>> #
>> # http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
>> #
>>
>> options {
>> };
>>
>> ######
>> # sources
>> source s_local {
>>         # message generated by Syslog-NG
>>         internal();
>>         # standard Linux log source (this is the default place for the syslog()
>>         # function to send logs to)
>>         unix-stream("/dev/log");
>>         # messages from the kernel
>>         file("/proc/kmsg" program_override("kernel: "));
>> };
>>
>> source s_net {
>>         udp();
>>         tcp();
>> };
>>
>> parser p_db { db-parser(); };
>>
>> ######
>> # destinations
>> destination d_messages { file("/var/log/messages"); };
>> destination d_parsed { file("/var/log/remote/parsed.log"); };
>>
>> log {
>>         source(s_local);
>>         destination(d_messages);
>> };
>>
>> log {
>>         source(s_net);
>>         destination(d_parsed);
>>         parser(p_db);
>> };
>
> the log statements define a 'pipeline', thus your messages will reach
> the db-parser() only after having been written to the d_parsed
> destination.
>
>
>>
>> And here is my windows.xml file:
>>
>> <?xml version='1.0' encoding='UTF-8'?>
>> <patterndb version='2' pub_date='2009-05-07'>
>>   <ruleset name='windows'>
>>     <pattern>MSWinEventLog</pattern>
>>     <rules>
>>       <rule provider='nate' id='1' class='system'>
>>         <patterns>
>>           <pattern>540</pattern>
>>         </patterns>
>>         <description>This is a terrible terrible message to receive.
>> Game over man!  Game over!</description>
>>       </rule>
>>     </rules>
>>   </ruleset>
>> </patterndb>
>>
>>
>> As you see, to test I just want to match on the number '540' and put
>> that log message in /var/log/remote/parsed.log.  I have verified that
>> messages that should match this are arriving at the machine when I
>> send them.  If I turn off the db-parser, the messages appear in the
>> parsed.log file.
>
> All messages should end up in your parsed.log file anyway. In order to
> only match those which matched any of the patterns, you need to put
> filters into your log statement.
>
>>
>
> --
> Bazsi
>
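Putting Bazsi's two remarks together (the log statement is a pipeline, so the parser must come before the destination, and a filter is needed if only classified messages should be written), here is an added example of what the network log statement could look like. It is not part of the original thread and not the list's or syslog-ng's own sample config; the patterndb path in the file() option and the second destination are assumptions, and the value of .classifier.class comes from the class='system' attribute in the windows.xml rule quoted above.

```conf
@version: 3.0

source s_net {
        udp();
        tcp();
};

# Assumed path: point file() at the patterndb XML actually installed on the host.
parser p_db { db-parser(file("/etc/syslog-ng/patterndb.xml")); };

# db-parser() stores the matching rule's class attribute in the
# .classifier.class name-value pair; the rule quoted above uses class='system'.
filter f_classified { match("system" value(".classifier.class")); };

destination d_parsed   { file("/var/log/remote/parsed.log"); };
destination d_unparsed { file("/var/log/remote/unparsed.log"); };   # assumed extra file

# Order matters: parse first, then filter, then write.
log {
        source(s_net);
        parser(p_db);
        filter(f_classified);
        destination(d_parsed);
};

# Optional second pipeline so nothing is silently dropped while testing:
# everything that arrives from the network, classified or not.
log {
        source(s_net);
        destination(d_unparsed);
};
```

With this ordering, a message that never reaches a rule is simply absent from parsed.log rather than making the parser look broken; the unparsed.log copy lets you confirm the message arrived at all. Note also that patterndb patterns are matched from the start of the message text and the ruleset <pattern> against the program name, so a Windows event message that merely contains "540" somewhere in its body will not match a rule whose only pattern is the literal 540.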