[syslog-ng] syslog-ng under HP-UX processing unwanted "padded" data
Balazs Scheidler
bazsi at balabit.hu
Sun Sep 12 15:05:55 CEST 2010
On Tue, 2010-09-07 at 22:05 +1100, Scott Rochford wrote:
>
> Apologies for my broken email client, which shall remain nameless!
>
> > > # default contrib'd version
> > > # source s_sys { pipe("/dev/log"); internal(); };
> > >
> > > # recommended by INSTALL
> > > source s_sys { pipe("/dev/log" pad_size(2048)); };
> >
> > This should be the proper source statement. I've just retested it on
> our
> > local HP-UX box and it seems to work fine.
> >
> > The things you are experiencing seems to indicate that the
> pad_size()
> > option is missing, therefore I'd like to ask if you are certain
> that
> > syslog-ng is running with the pad_size() configuration.
>
> Yep, it definitely appears to be opening the configuration file that
> I'm playing with:
>
> # nohup /opt/tusc/bin/truss -o /tmp/syslog-ng.truss
> -aef /usr/local/sbin/syslog-ng --debug --foreground --stderr >
> syslog-ng.out 2>&1 &
> # grep syslog-ng.conf /tmp/syslog-ng.truss
> 7197: open("/usr/local/etc/syslog-ng.conf", O_RDONLY|O_LARGEFILE,
> 0666) = 4
> #
>
> > If you still think it is, you might want to use tusc to check if
> > syslog-ng reads /dev/log in 2048 byte chunks (which is should if
> > pad_size() is enabled and which it doesn't if it is not).
>
> Most of the time it does, but sometimes it doesn't:
>
> 7197: read(4, "< 3 8 > S e p 7 1 0 : 5 2 ".., 8192) = 2048
> 7197: read(4, 0x40025dbd, 8187) ERR#11
> EAGAIN
> 7197: read(4, "< 2 8 > S e p 7 1 0 : 5 3 ".., 8187) = 2048
> 7197: read(4, "< 2 7 > S e p 7 1 0 : 5 3 ".., 8187) = 4096
> 7197: read(4, 0x40025db8, 8192) ERR#11
> EAGAIN
> 7197: read(4, "< 2 2 > S e p 7 1 0 : 5 4 ".., 8192) = 4096
> 7197: read(4, "< 2 2 > S e p 7 1 0 : 5 4 ".., 8187) = 2048
> 7197: read(4, 0x40025dbd, 8187) ERR#11
> EAGAIN
> 7197: read(4, "< 2 2 > S e p 7 1 0 : 5 4 ".., 8187) = 2048
> 7197: read(4, 0x40025dbd, 8187) ERR#11
> EAGAIN
> 7197: read(4, "< 3 8 > S e p 7 1 0 : 5 5 ".., 8187) = 8187
> 7197: read(4, "\0\0\0\0\0< 3 8 > S e p 7 ".., 8192) = 6149
> 7197: read(4, "< 2 2 > S e p 7 1 0 : 5 5 ".., 8187) = 8187
> 7197: read(4, "u s . n e ", 8173) = 5
> 7197: read(4, "< 2 8 > S e p 7 1 0 : 5 5 ".., 8168) = 2048
> 7197: read(4, "< 2 7 > S e p 7 1 0 : 5 5 ".., 8187) = 4096
> 7197: read(4, 0x40025db8, 8192) ERR#11
> EAGAIN
> 7197: read(4, "< 2 8 > S e p 7 1 0 : 5 7 ".., 8192) = 2048
> 7197: read(4, "< 2 7 > S e p 7 1 0 : 5 7 ".., 8187) = 4096
> 7197: read(4, 0x40025db8, 8192) ERR#11
> EAGAIN
> 7197: read(4, "< 2 8 > S e p 7 1 0 : 5 9 ".., 8192) = 2048
> 7197: read(4, "< 2 7 > S e p 7 1 0 : 5 9 ".., 8187) = 4096
> 7197: read(4, 0x40025db8, 8192) ERR#11
> EAGAIN
> 7197: read(4, "< 3 8 > S e p 7 1 1 : 0 0 ".., 8192) = 2048
> 7197: read(4, "< 3 8 > S e p 7 1 1 : 0 0 ".., 8192) = 8192
> 7197: read(4, "< 3 8 > S e p 7 1 1 : 0 0 ".., 8192) = 8192
> 7197: read(4, "< 3 8 > S e p 7 1 1 : 0 0 ".., 8192) = 8192
> 7197: read(4, "< 2 2 > S e p 7 1 1 : 0 0 ".., 8192) = 8192
> 7197: read(4, "< 2 2 > S e p 7 1 1 : 0 0 ".., 8187) = 8187
> 7197: read(4, "\0\0\0\0\0", 8192) = 5
> 7197: read(4, "< 2 8 > S e p 7 1 1 : 0 1 ".., 8192) = 2048
> 7197: read(4, "< 2 7 > S e p 7 1 1 : 0 1 ".., 8187) = 4096
> 7197: read(4, 0x40025db8, 8192) ERR#11
> EAGAIN
this tusc trace basically proves that syslog-ng is NOT in pad_size mode,
if it were it would issue exactly 2048 byte sized reads whereas it does
about 8k reads (probably your log_msg_size is set to 8192), the default.
It should look like this (this is actually a PE testbox, but the OSE
should be the same):
read(5, "< 1 3 > S e p 1 2 1 4 : 5 9 ".., 2048) ............................................................. = 2048
But the same should happen on my Linux testbox, here with OSE 3.1.2, strace:
read(6, "alma"..., 2048) = 2048
So for some reason it doesn't process the pad_size() argument.
--
Bazsi
More information about the syslog-ng
mailing list