[syslog-ng] syslog-ng 3.0.2 issues: Extraneous colon (:) in forwarded log; two instances of syslog-ng

Marvin Nipper Marvin.Nipper at stream.com
Fri May 29 20:52:40 CEST 2009 

Sorry for a second message, but I've just noticed a third issue with 3.0.2.  Same test scenario as already described.

Here's a messaged logged on my production 2.0.9 server, and also forwarded to my test server (I've removed some of the trailing noise):
May 29 16:15:09 fwmil01 [LOG_WARNING] ipsrd[213]: igmp_recv_leave_group: <truncated.....>

When it arrives on my test server, and a 2.0.9 daemon catches it (and writes it to a file), it looks exactly as above, but when 3.0.2 catches it, this is the result:
May 29 16:15:09 fwmil01 ipsrd[213]: igmp_recv_leave_group: <truncated.....>

In short, the Severity information has been stripped.  Again, in looking at the 3.0 docs, I'm not clear as to any change that would cause this to be stripped out.  (It might not be that big a deal to lose that, except that there are subsequent filters in my system that are looking for that "translated severity" as part of their search.)

Anyway, again, I would appreciate any input as to why 3.x would be doing this, and what configuration change might restore the original content.

THANKS for your help.

_____________________________________________
From: Marvin Nipper
Sent: Friday, May 29, 2009 12:08 PM
To: 'syslog-ng at lists.balabit.hu'
Subject: syslog-ng 3.0.2 issues: Extraneous colon (:) in forwarded log; two instances of syslog-ng


Hi.  I'm been running syslog-ng 2.0.9 for eons, and wanted to get 3.0.2 in place, but have run into two issues.

First, the prerequisite info:
This is on Solaris 10 x86, and I'm running the eventlog-0.2.9 component.  It has all compiled cleanly.  I'm using the same script to initialize syslog-ng as I was using before.  In the conf file, added in some value() parameters on my filters, in accordance with the 3.0 "warnings", and added in the @version directive, but other than that, it's essentially the same (reasonably simple) conf file I was using with my 2.0.9 version of the code.

For reference, I've appended my conf file at the end of the email.

"Generally" syslog-ng, seems to start-up fine, and does feed the output files that I've indicated in the conf file.  If I didn't "look too closely", I would have thought it was all fine, but...

My problems:
As part of my test environment, I'm forwarding data from another (production 2.0.9) server, to my test server, so that I can see how things are working.  Here are some (truncated) messages, showing both the original message (as it looks in the output file on the 2.0.9 server), and the second message being what gets written to the file by the 3.0.2 component:
Original:
May 29 09:15:05 10.132.240.25 id=firewall sn=0006B10B2E88 <truncated>

Received and written by 3.0.2:
May 29 09:15:05 10.132.240.25 id=firewall: sn=0006B10B2E88 <truncated>

So the "bug" (I assume it to be a bug) is that "colon" that is now sitting just behind the word "firewall".  When my test server is running a 2.0.9 daemon, these two lines match, but the 3.0.2 daemon has inserted that colon.  I can only assume that this is tied to a bug in the filtering activity, because if you look at my conf file, you will see these lines:
filter SonicWallNoise {
        match("id=firewall" value("MSG")) and filter(SonicWallMsgs);
};
Bottom line, I am doing a filter that happens to "match on" that exact "firewall" string, and it seems like more than just coincidence that this is the exact location where that unwanted colon now appears.  It seems like that filtering process has somehow injected that character into the output.  (Maybe I'm just missing some "new functionality or feature" in the 3.0 docs, that would intentionally cause this?)

Anyway... I'm obviously looking for any input as to why this is different, and/or how to fix it (or even just work-around the problem  until it is fixed).


And secondly, as my subject line implies, when I run my "/etc/init.d/syslog-ng start" scripting (the same one I've always used), I find, right away, that I now have two instances of syslog-ng running.  I saw a bug report from back in 2006, mentioning a similar behavior that was related to (I think) syslog-ng restarting itself, but that was supposedly fixed.  I'm ass-u-me-ing that something is now causing the daemon to restart itself, but again, when I run my 2.0.9 code on place of the 3.0.2 code, I get just the one copy running.

Again, I'm looking for any guidance as to something that might be driving that behavior (and as I said, maybe it's just something stupid on my part, because I'm missing something "new" in the 3.0 behavior).

Thanks, in advance, for any help and/or guidance as to what these issues might be.  I'm glad to provide further information if it will help.

Marvin Nipper

syslog-ng.conf:
@version:3.0
options { dir_perm(0755); perm(0600); chain_hostnames(no);
          keep_hostname(yes); log_fifo_size(1000);
          dns_cache_size(5000); dns_cache_expire(86400);
          dns_cache_expire_failed(86400); };


source any_udp { udp(); };

source any_tcp { tcp(port(601)); };

destination SEC {pipe("/tmp/sec"); };

destination routers_log {
        file("/var/adm/log/routers.log" create_dirs(yes));
};

destination ravlin_log {
        file("/var/adm/log/ravlin.log" create_dirs(yes));
};

destination windows_log {
        file("/var/adm/log/windows.log" create_dirs(yes));
};

destination workstation_log {
        file("/var/adm/log/workstation.log" create_dirs(yes));
};

destination catch-all_log {
        file("/var/adm/log/catch-all.log" create_dirs(yes));
};

destination test {
        file("/var/adm/log/test.log" create_dirs(yes));
};

destination dev_null {};

filter f_4 { facility(syslog) and level(info..emerg); };
log { source(any_udp); filter(f_4); destination(windows_log); flags(final); };

filter f_1 { facility(local5) and level(debug..emerg); };
log { source(any_udp); filter(f_1); destination(routers_log); flags(final); };

filter SonicWallNoise {
        match("id=firewall" value("MSG")) and filter(SonicWallMsgs);
};
filter SonicWallMsgs {
        match("m=97" value("MSG")) or match("m=98" value("MSG")) or match("m=537" value("MSG"));
};
log { source(any_udp); filter(SonicWallNoise); destination(dev_null); flags(final); };

filter f_3 { facility(local0) and level(debug..emerg); };
log { source(any_udp); filter(f_3); destination(ravlin_log); flags(final); };

log { source(any_tcp); destination(workstation_log); flags(final); };

log { source(any_udp); destination(catch-all_log); flags(final); };



This e-mail may contain confidential and/or privileged information. If you are
not the intended recipient (or have received this e-mail in error) please 
notify the sender immediately and destroy this e-mail. Any unauthorized 
copying, disclosure or distribution of the material in this e-mail is strictly 
forbidden.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20090529/373261cb/attachment.htm

More information about the syslog-ng mailing list