[syslog-ng] Logging with db-parser issue

Nate Hausrath hausrath at gmail.com
Mon May 11 17:32:06 CEST 2009


Thanks for the reply.  Unfortunately, my gdb skills are absolutely
terrible.  Here is how I have tried to do it, which is probably wrong:

# gdb /opt/syslog-ng/sbin/syslog-ng 2>&1 | tee gdb-syslog-ng.txt
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
(gdb) handle SIG33 pass nostop noprint
Signal        Stop	Print	Pass to program	Description
SIG33         No	No	Yes		Real-time event 33
(gdb) set pagination 0
(gdb) run --no-caps --enable-core
Starting program: /opt/syslog-ng/sbin/syslog-ng --no-caps --enable-core
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Executing new program: /opt/syslog-ng/libexec/syslog-ng
[Thread debugging using libthread_db enabled]

Program exited normally.
(gdb) backtrace full
No stack.
(gdb) info registers
The program has no registers now.
(gdb)

Hopefully I am doing something that is simple to fix.

Also, when I use --enable-core, where does it put the core file?

Thanks!
Nate

On Mon, May 11, 2009 at 9:26 AM, ILLES, Marton <illes.marton at balabit.hu> wrote:
> Hi,
>
> Sorry for answering so slowly...
>
> On Fri, 2009-05-08 at 10:23 -0400, Nate Hausrath wrote:
>> Thanks for the response.
>>
>> It looks like there may be a problem with my install or a bug
>> somewhere.  With the config file below, I'm still not getting messages
>> in my /var/log/remote/parsed.log file.  However, when I comment out
>> "parser(p_db);" in the log section of the config, messages begin
>> showing up.
>>
>> After a bit more investigation, when I receive the first remote log
>> message over UDP, the following appears in my /var/log/messages:
>>
>> kernel: : [89941.138626] syslog-ng[16473]: segfault at 00000010 eip
>> 08063e49 esp bfa1a490 error 4
>>
>> Even after this, the process is still running and the ports are still
>> open.  At this point, I'm not really sure how to diagnose the problem.
>>
>
> Basically you have two problems, let's see one after the other.
>
> 1, You are using syslog-ng OSE which has support for db-parser pattern
> version 1 only while you have a version 2 pattern xml (version 2 is only
> included in the PE and the website provided xmls also in version 2).
> This way you end up without any actual rule and therefore no matching or
> parsing would occur.
>
> You can find an XML schema in the distribution which specifies the xml
> format to be used.
>
> I am currently working on porting the version 2 format to OSE and sorry
> for any inconvenience I might have caused with the different versions.
> Meanwhile you can use the version 1 style xml:
>
> <?xml version='1.0' encoding='UTF-8'?>
>  <patterndb version='1' pub_date='2009-05-07'>
>   <program name='windows'>
>     <pattern>MSWinEventLog</pattern>
>     <rules>
>       <rule provider='nate' id='1' class='system'>
>         <pattern>540</pattern>
>         <description>This is a terrible terrible message to receive.
>  Game over man!  Game over!</description>
>       </rule>
>     </rules>
>   </program>
>  </patterndb>
>
> 2, You have a segfault. I would need a backtrace or a core file to track
> down the problem. To get a core file you can use the --enable-core
> option to syslog-ng and gdb after that to get a backtrace.
>
> Sorry again for the version problem, I will push an update to my git
> tree with the new version 2 xml handling.
>
> best,
>
> Marton
>
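Marton's first point above is the subtle one: an OSE build reading a version-2 pattern XML ends up with no rules at all, and nothing matches, without any obvious error. The following added example (not syslog-ng's own code, and not from either poster) is a small Python loader for the version-1 layout shown in the reply that refuses a document whose `version` attribute it does not understand instead of silently producing an empty rule set, then matches the sample rule against a message. Two assumptions are built in and labelled in the code: patterns are treated as literal strings that must cover the whole PROGRAM or MESSAGE field (a simplification of syslog-ng's radix-tree matcher, with no `@PARSER@` support), and the "wrong version" document is just the version-1 text relabelled, since the real version-2 layout is not on this page.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Only patterndb format version 1 is understood here, mirroring the
# syslog-ng OSE limitation described in the thread.
SUPPORTED_VERSION = "1"


@dataclass(frozen=True)
class Rule:
    program: str      # program-name pattern (matched against PROGRAM)
    pattern: str      # message pattern (matched against MESSAGE)
    rule_id: str
    provider: str
    rule_class: str
    description: str


def _text(elem):
    """Collapse the whitespace inside an element's text; the sample XML
    wraps the description across two lines."""
    return " ".join((elem.text or "").split())


def load_patterndb(xml_text):
    """Parse a version-1 patterndb document into a flat list of rules.

    Raises ValueError instead of silently returning an empty list when
    the document claims a version this loader does not understand.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "patterndb":
        raise ValueError(f"expected <patterndb> root, got <{root.tag}>")
    version = root.get("version")
    if version != SUPPORTED_VERSION:
        raise ValueError(
            f"patterndb version {version!r} is not supported; "
            f"only version {SUPPORTED_VERSION} is understood")
    rules = []
    for program in root.findall("program"):
        program_patterns = [_text(p) for p in program.findall("pattern")]
        for rule in program.findall("rules/rule"):
            for rule_pattern in rule.findall("pattern"):
                for program_pattern in program_patterns:
                    rules.append(Rule(
                        program=program_pattern,
                        pattern=_text(rule_pattern),
                        rule_id=rule.get("id", ""),
                        provider=rule.get("provider", ""),
                        rule_class=rule.get("class", ""),
                        description=" ".join(
                            _text(d) for d in rule.findall("description")),
                    ))
    return rules


def match(rules, program, message):
    """Return the first rule whose program and message patterns match.

    Assumption: patterns are literal and must cover the whole field. This
    is a simplification of syslog-ng's radix-tree matcher and supports no
    @PARSER@ elements.
    """
    for rule in rules:
        if rule.program == program and rule.pattern == message:
            return rule
    return None


# The version-1 document from Marton's reply.
PATTERNDB_V1 = """<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='1' pub_date='2009-05-07'>
  <program name='windows'>
    <pattern>MSWinEventLog</pattern>
    <rules>
      <rule provider='nate' id='1' class='system'>
        <pattern>540</pattern>
        <description>This is a terrible terrible message to receive.
 Game over man!  Game over!</description>
      </rule>
    </rules>
  </program>
</patterndb>
"""

# Constructed: the same content relabelled as version 2, standing in for
# the mismatch in the thread. The real version-2 layout differs; only the
# version attribute matters to this check.
PATTERNDB_WRONG_VERSION = PATTERNDB_V1.replace("version='1'", "version='2'")


def classify(xml_text, program, message):
    """Load a database and classify one message; returns the rule's class
    or None when nothing matches."""
    rule = match(load_patterndb(xml_text), program, message)
    return rule.rule_class if rule else None


if __name__ == "__main__":
    print(classify(PATTERNDB_V1, "MSWinEventLog", "540"))  # system
    print(classify(PATTERNDB_V1, "sshd", "540"))           # None
    try:
        load_patterndb(PATTERNDB_WRONG_VERSION)
    except ValueError as err:
        print("refused:", err)
```

The point of the hard failure in `load_patterndb` is operational: a parser that loads zero rules looks exactly like a parser that loads the wrong file, so a config check that counts the rules after loading (or rejects an unexpected version outright) is the quickest way to tell the two apart before messages start disappearing from `parsed.log`.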

