[syslog-ng] possible memleak or bad configuration?

Andreas Sartori andreas.sartori at fh-salzburg.ac.at
Sat Mar 13 09:22:50 CET 2010


hello,


we have set up a central logging server. currently we are logging firewalls
and some webservers / mailservers for testing purposes. the memory usage on
the logging server keeps increasing: after 2 days of operation we are
at 6.8 GB of RAM usage.

can someone help out? what information do you need in order to help?

thanks in advance.

-andy

------------

@version:3.0
#
# configuration file for syslog-ng, customized for remote logging
#

# Global defaults. owner/group/perm/dir_perm apply to every file and directory
# syslog-ng creates unless a destination sets its own value (http-log further
# down overrides perm()).
options {
	owner("root");
	group("root");
	# Log files are readable and writable by root only.
	perm(0600);
	dir_perm(0750);
	# Missing directories in a destination path are created on demand. Together
	# with macros in file names this lets message content decide which paths
	# appear on disk.
	create_dirs(yes);
	# Output queue size in messages.
	# NOTE(review): presumably this default is applied to each destination queue
	# separately rather than once for the whole server; confirm against the 3.0
	# manual when estimating memory use.
	log_fifo_size(10000);
};



################################################################################################
#########################                SOURCES                 
##############################
################################################################################################

# syslog-ng's own messages (internal() source) go to a local file.
# The destination sets no owner()/perm(), so the global options apply.
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };


# Remote logging: plain TCP and UDP listeners on all interfaces, port 514.
# Neither listener uses TLS or any sender authentication; the only sender check
# in this file is the netmask() test in the filters below.
# NOTE(review): a UDP source address is not authenticated, so the netmask()
# filters are only as trustworthy as the network path. Restrict port 514 to the
# known senders at the firewall as well.
source s_remote {
	# max-connections(20) caps simultaneous TCP connections.
	# NOTE(review): keep_hostname(yes) keeps the host name written in the message
	# itself, so $HOST is sender-supplied for TCP traffic. Destination http-log
	# uses $HOST in its file path while create_dirs(yes) is on; confirm that this
	# is intended, or build the path from a value the server determines itself.
	tcp(ip(0.0.0.0) max-connections(20) port(514) keep_hostname(yes));
	# use_dns(no) skips reverse lookups. log_fetch_limit()/log_iw_size() set how
	# many messages are read per poll and the initial flow-control window.
	udp(ip(0.0.0.0) port(514) use_dns(no) log_fetch_limit(500)
log_iw_size(1000));
};


################################################################################################
#########################                FILTER                  
##############################
################################################################################################

# Web servers: matches messages whose sender address is one of seven single
# hosts (mask 255.255.255.255). The first three octets appear as "xxx" in the
# posted configuration.
filter http-official { netmask(xxx.xxx.xxx.47/255.255.255.255) or
netmask(xxx.xxx.xxx.48/255.255.255.255) or
netmask(xxx.xxx.xxx.167/255.255.255.255) or
netmask(xxx.xxx.xxx.46/255.255.255.255) or
netmask(xxx.xxx.xxx.52/255.255.255.255) or
netmask(xxx.xxx.xxx.25/255.255.255.255) or
netmask(xxx.xxx.xxx.26/255.255.255.255); };

# Mail filters. Each one selects a single sender address. The proxy filters
# additionally drop messages whose program name is "perdition".
filter mail-proxy-internal { netmask(10.10.9.20/255.255.255.255) and not
program("perdition"); };
filter mail-relay-internal { netmask(10.10.9.30/255.255.255.255); };

# External relays alpha (.59) and beta (.60): facility local1 is treated as
# outbound mail and facility mail as inbound mail (see the mail-out / mail-in
# log statements).
filter mail-relay-alpha-external-out {
netmask(xxx.xxx.xxx.59/255.255.255.255) and facility(local1); };
filter mail-relay-beta-external-out {
netmask(xxx.xxx.xxx.60/255.255.255.255) and facility(local1); };
filter mail-relay-alpha-external-in {
netmask(xxx.xxx.xxx.59/255.255.255.255) and facility(mail); };
filter mail-relay-beta-external-in {
netmask(xxx.xxx.xxx.60/255.255.255.255) and facility(mail); };

# External mail proxy nodes, again without "perdition" messages.
filter mail-proxy-node1-external { netmask(xxx.xxx.xxx.18/255.255.255.255)
and not program("perdition"); };
filter mail-proxy-node2-external { netmask(xxx.xxx.xxx.22/255.255.255.255)
and not program("perdition"); };

# VPN: the whole 10.20.40.0/24 network. Internal firewall: single host 10.10.20.1.
filter vpn { netmask(10.20.40.0/255.255.255.0); };
filter fw-intern-all { netmask(10.10.20.1/255.255.255.255); };

# The -security / -info / -rest filters split firewall traffic by the
# .classifier.class value, which is filled in by a db_parser().
# NOTE(review): no log statement shown in this file applies a parser or uses
# these three filters, so they currently have no effect; confirm whether the
# security classification was meant to be active.
filter fw-intern-security {
		netmask(10.10.20.1/255.255.255.255) and
		match("security" value(".classifier.class") type("string"));
};

filter fw-intern-info {
		netmask(10.10.20.1/255.255.255.255) and
		match("informational" value(".classifier.class") type("string"));
};

# Everything from the internal firewall that is neither "security" nor
# "informational".
filter fw-intern-rest {
		netmask(10.10.20.1/255.255.255.255) and not
		match("security" value(".classifier.class") type("string")) and not
		match("informational" value(".classifier.class") type("string"));
};


# External firewall (single host 10.80.11.20), with the same three-way split
# as the internal one.
filter fw-extern-all { netmask(10.80.11.20/255.255.255.255); };

filter fw-extern-security {
		netmask(10.80.11.20/255.255.255.255) and
		match("security" value(".classifier.class") type("string"));
};

filter fw-extern-info {
		netmask(10.80.11.20/255.255.255.255) and
		match("informational" value(".classifier.class") type("string"));
};

filter fw-extern-rest {
		netmask(10.80.11.20/255.255.255.255) and not
		match("security" value(".classifier.class") type("string")) and not
		match("informational" value(".classifier.class") type("string"));
};

# Second external firewall address, logged to its own file.
filter fw-extern-new { netmask(10.80.11.30/255.255.255.255); };

################################################################################################
#########################                PARSER                  
##############################
################################################################################################

# Pattern-database parsers for the internal and external firewall, each
# reading its own XML pattern file.
# NOTE(review): neither parser is referenced by a log statement shown in this
# file. Whether an unreferenced db_parser() still loads its pattern file cannot
# be told from here; worth checking while investigating the memory growth.
parser pattern_db_fwint {
	db_parser(
	file("/etc/syslog-ng/fw-int_patterndb.xml")
	);
};

parser pattern_db_fwext {
	db_parser(
	file("/etc/syslog-ng/fw-ext_patterndb.xml")
	);
};

################################################################################################
#########################             DESTINATIONS               
##############################
################################################################################################

# Web server logs: one file per $HOST value, containing only the message text
# ($MSGONLY) without the syslog header.
# NOTE(review): $HOST in the path is sender-controlled for TCP traffic because
# s_remote sets keep_hostname(yes). Every distinct value creates another file,
# and the name is not validated here.
# NOTE(review): perm(0644) overrides the global 0600 and makes these files
# world-readable. Web request logs can carry sensitive data; confirm that
# local read access for every account is required.
destination http-log { file("/logging/server/web/$HOST"
template("$MSGONLY\n") template-escape(no) owner("root") group("root")
perm(0644));  };

# Mail logs, one file per month number ($MONTH). No perm() is given, so the
# global 0600 applies.
destination mail-out { file("/logging/server/mail/mail-out_$MONTH.log"); };
destination mail-in { file("/logging/server/mail/mail-in_$MONTH.log"); };

# Network device logs, also one file per month. flush_lines(10) writes to disk
# in batches of 10 lines.
destination vpn {
	file("/logging/network/vpn_$MONTH.log" flush_lines(10));
};

destination fw-intern-all {
	file("/logging/network/fw-intern_$MONTH.log" flush_lines(10));
};

destination fw-extern-all {
	file("/logging/network/fw-extern_$MONTH.log" flush_lines(10));
};


destination fw-extern-new {
	file("/logging/network/fw-new_$MONTH.log" flush_lines(10));
};


# Comma-separated dump of firewall events: receive timestamp ($R_*), host and
# a list of $FIREWALL_* fields. The $FIREWALL_* names are presumably values
# extracted by the pattern databases; confirm against the XML files.
# NOTE(review): no log statement shown in this file uses this destination.
# NOTE(review): $FIREWALL_SCR_LAN is spelled "SCR" while the neighbouring
# fields use "SRC"; verify that it matches the name defined in the pattern
# database, otherwise the column stays empty.
# NOTE(review): the template string is broken across several lines as posted,
# which may be mail line wrapping rather than the real file layout.
destination dump {
	file("/logging/network/dump.log" template ("$R_YEAR-$R_MONTH-$R_DAY
$R_HOUR:$R_MIN:$R_SEC, $HOST, $FIREWALL_SEQ, $MSGHDR, 0, $FIREWALL_IO,
$FIREWALL_PROTO, $FIREWALL_SCR_LAN, $FIREWALL_SRC_IP, $FIREWALL_SRC_PORT,
$FIREWALL_DST_LAN, $FIREWALL_DST_IP, $FIREWALL_DST_PORT,
$FIREWALL_NAT_SRC_IP, $FIREWALL_NAT_DST_IP, $FIREWALL_RULE,
$FIREWALL_REASON, $FIREWALL_DURATION\n"));
#	file("/logging/network/dump.log" template ("$MSGHDR\n") flush_lines(5));
};



################################################################################################
#########################              FINAL-LOGS                
##############################
################################################################################################

##### TO FILE

# Routing: every message from s_remote is tested against each statement in
# turn and written wherever its filter matches.
# NOTE(review): every statement carries a filter and there is no catch-all, so
# messages from senders not listed above are discarded without a trace. For a
# central log server a fallback destination makes unexpected senders visible.
log { source(s_remote); filter(http-official); destination(http-log); };
# Outbound mail: internal proxy and relay, external relays (facility local1)
# and external proxy nodes all share the mail-out file.
log { source(s_remote); filter(mail-proxy-internal);
destination(mail-out); };
log { source(s_remote); filter(mail-relay-internal);
destination(mail-out); };
log { source(s_remote); filter(mail-relay-alpha-external-out);
destination(mail-out); };
log { source(s_remote); filter(mail-relay-beta-external-out);
destination(mail-out); };
log { source(s_remote); filter(mail-proxy-node1-external);
destination(mail-out); };
log { source(s_remote); filter(mail-proxy-node2-external);
destination(mail-out); };
# Inbound mail from the external relays (facility mail).
log { source(s_remote); filter(mail-relay-alpha-external-in);
destination(mail-in); };
log { source(s_remote); filter(mail-relay-beta-external-in);
destination(mail-in); };
# VPN and firewall traffic.
log { source(s_remote); filter(vpn); destination(vpn); };
log { source(s_remote); filter(fw-intern-all); destination(fw-intern-all); };
log { source(s_remote); filter(fw-extern-new); destination(fw-extern-new); };
# flags(final) stops further processing of matching messages. This is the last
# statement shown, so it changes nothing here.
log { source(s_remote); filter(fw-extern-all); destination(fw-extern-all);
flags(final); };




