[syslog-ng] Logging with db-parser issue

ILLES, Marton illes.marton at balabit.hu
Mon May 11 15:26:05 CEST 2009


Hi,

Sorry for answering so slowly...

On Fri, 2009-05-08 at 10:23 -0400, Nate Hausrath wrote:
> Thanks for the response.
> 
> It looks like there may be a problem with my install or a bug
> somewhere.  With the config file below, I'm still not getting messages
> in my /var/log/remote/parsed.log file.  However, when I comment out
> "parser(p_db);" in the log section of the config, messages begin
> showing up.
> 
> After a bit more investigation, when I receive the first remote log
> message over UDP, the following appears in my /var/log/messages:
> 
> kernel: : [89941.138626] syslog-ng[16473]: segfault at 00000010 eip
> 08063e49 esp bfa1a490 error 4
> 
> Even after this, the process is still running and the ports are still
> open.  At this point, I'm not really sure how to diagnose the problem.
> 

Basically you have two problems, let's see one after the other.

1, You are using syslog-ng OSE, which has support for db-parser pattern
version 1 only, while you have a version 2 pattern xml (version 2 is only
included in the PE, and the xmls provided on the website are also version 2).
This way you end up without any actual rule and therefore no matching or
parsing would occur.

You can find an XML schema in the distribution which specifies the xml
format to be used.

I am currently working on porting the version 2 format to OSE, and sorry
for any inconvenience I might have caused with the different versions.
Meanwhile you can use the version 1 style xml:

<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='1' pub_date='2009-05-07'>
  <program name='windows'>
    <pattern>MSWinEventLog</pattern>
    <rules>
      <rule provider='nate' id='1' class='system'>
        <pattern>540</pattern>
        <description>This is a terrible terrible message to receive.
Game over man!  Game over!</description>
      </rule>
    </rules>
  </program>
</patterndb>

2, You have a segfault. I would need a backtrace or a core file to track
down the problem. To get a core file you can use the --enable-core
option to syslog-ng and gdb after that to get a backtrace.

Sorry again for the version problem, I will push an update to my git
tree with the new version 2 xml handling.

best,

Marton

> -Nate
> 
> >>
> >> Other than that, here is my syslog-ng.conf file:
> >>
> >> @version: 3.0
> >> #Default configuration file for syslog-ng.
> >> #
> >> # For a description of syslog-ng configuration file directives, please read
> >> # the syslog-ng Administrator's guide at:
> >> #
> >> # http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
> >> #
> >>
> >> options {
> >> };
> >>
> >> ######
> >> # sources
> >> source s_local {
> >>         # message generated by Syslog-NG
> >>         internal();
> >>         # standard Linux log source (this is the default place for the syslog()
> >>         # function to send logs to)
> >>         unix-stream("/dev/log");
> >>         # messages from the kernel
> >>         file("/proc/kmsg" program_override("kernel: "));
> >> };
> >>
> >> source s_net {
> >>         udp();
> >>         tcp();
> >> };
> >>
> >> parser p_db { db-parser(); };
> >>
> >> ######
> >> # destinations
> >> destination d_messages { file("/var/log/messages"); };
> >> destination d_parsed { file("/var/log/remote/parsed.log"); };
> >>
> >> log {
> >>         source(s_local);
> >>         destination(d_messages);
> >> };
> >>
> >> log {
> >>         source(s_net);
> >>         destination(d_parsed);
> >>         parser(p_db);
> >> };
> >
> > the log statements define a 'pipeline', thus your messages will reach
> > the db-parser() only after having been written to the d_parsed
> > destination.
> >
> >
> >>
> >> And here is my windows.xml file:
> >>
> >> <?xml version='1.0' encoding='UTF-8'?>
> >> <patterndb version='2' pub_date='2009-05-07'>
> >>   <ruleset name='windows'>
> >>     <pattern>MSWinEventLog</pattern>
> >>     <rules>
> >>       <rule provider='nate' id='1' class='system'>
> >>         <patterns>
> >>           <pattern>540</pattern>
> >>         </patterns>
> >>         <description>This is a terrible terrible message to receive.
> >> Game over man!  Game over!</description>
> >>       </rule>
> >>     </rules>
> >>   </ruleset>
> >> </patterndb>
> >>
> >>
> >> As you see, to test I just want to match on the number '540' and put
> >> that log message in /var/log/remote/parsed.log.  I have verified that
> >> messages that should match this are arriving at the machine when I
> >> send them.  If I turn off the db-parser, the messages appear in the
> >> parsed.log file.
> >
> > All messages should end up in your parsed.log file anyway. In order to
> > only match those which matched any of the patterns, you need to put
> > filters into your log statement.
> >
> >>
> >
> > --
> > Bazsi
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> >
> >
-- 
Key fingerprint = F78C 25CA 5F88 6FAF EA21 779D 3279 9F9E 1155 670D
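Added example, not from this thread or from the syslog-ng project: a small Python converter that rewrites the version 2 pattern file quoted above into the version 1 layout Marton shows, mapping only the constructs that appear on both sides (ruleset to program, patterns/pattern to pattern) and refusing anything else, so an unsupported construct fails loudly instead of silently leaving OSE with no effective rules. The assumption that a v1 rule carries exactly one <pattern> is mine, taken from Marton's sample; the XML schema shipped with the distribution is authoritative.

```python
import xml.etree.ElementTree as ET

# Constructed input: the version 2 pattern file from the thread, embedded as a string.
V2_XML = """<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='2' pub_date='2009-05-07'>
  <ruleset name='windows'>
    <pattern>MSWinEventLog</pattern>
    <rules>
      <rule provider='nate' id='1' class='system'>
        <patterns>
          <pattern>540</pattern>
        </patterns>
        <description>This is a terrible terrible message to receive.
Game over man!  Game over!</description>
      </rule>
    </rules>
  </ruleset>
</patterndb>
"""

def convert_v2_to_v1(xml_text):
    """Rewrite a version 2 patterndb document into the version 1 layout.
    Only constructs seen in the thread are mapped; anything else raises,
    because a silently dropped rule is exactly what leaves OSE with no rules."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "patterndb" or root.get("version") != "2":
        raise ValueError("expected a <patterndb version='2'> document")
    out = ET.Element("patterndb", version="1")
    if root.get("pub_date") is not None:
        out.set("pub_date", root.get("pub_date"))
    for ruleset in root:
        if ruleset.tag != "ruleset":
            raise ValueError("unsupported element <%s> under <patterndb>" % ruleset.tag)
        program = ET.SubElement(out, "program", name=ruleset.get("name", ""))
        # The ruleset-level <pattern> (the program name to match) keeps its name in v1.
        for pat in ruleset.findall("pattern"):
            ET.SubElement(program, "pattern").text = pat.text
        rules = ET.SubElement(program, "rules")
        for rule in ruleset.findall("rules/rule"):
            new_rule = ET.SubElement(rules, "rule", dict(rule.attrib))
            pats = rule.findall("patterns/pattern")
            # Assumption: a v1 rule carries exactly one <pattern>, as in Marton's sample.
            if len(pats) != 1:
                raise ValueError("rule %s: expected one <pattern>, found %d" % (rule.get("id"), len(pats)))
            ET.SubElement(new_rule, "pattern").text = pats[0].text
            desc = rule.find("description")
            if desc is not None:
                ET.SubElement(new_rule, "description").text = desc.text
    return "<?xml version='1.0' encoding='UTF-8'?>\n" + ET.tostring(out, encoding="unicode")
```

Run `print(convert_v2_to_v1(V2_XML))` to see the converted file; a rule with zero or several patterns, or any element the converter does not know, stops it with a ValueError naming the offending rule or element.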