[syslog-ng] "Errors" in /var/log/messages

Sandor Geller Sandor.Geller at morganstanley.com
Wed Sep 28 18:12:02 CEST 2011


Hi,

On Wed, Sep 28, 2011 at 5:44 PM, Aldrich, Jamie S <JSAldrich at pier1.com> wrote:
> I have setup syslog-ng to report application logs to a LogLogic device over
> UDP.  Below is an excerpt of the syslog.conf file:
>
>
>
> source s_file_fs3 {
>     file("/tmp/APPSRV_fs3_current.LOG" flags(no-parse) follow-freq(1));
> };
>
> destination d_messages{
>     udp("10.13.33.11" port(514));
> };
>
> log {
>     source(s_file_fs3);
>     destination(d_messages);
> };
>
>
>
> I am seeing the following messages from our OSSEC server and
> /var/log/messages:
>
>
>
> OSSEC HIDS Notification.
>
> 2011 Sep 28 09:50:11
>
>
>
> Received From: lxfwossecp3->/var/log/messages
>
> Rule: 1003 fired (level 13) -> "Non standard syslog message (size too
> large)."
>
> Portion of the log(s):
>
>
>
> Sep 28 09:50:10 lxfwossecp3 syslog-ng[3992]: Log statistics;
> processed='destination(d_mail)=2', processed='destination(d_spol)=0',
> processed='source(s_file_fs3)=1690',
> processed='global(payload_reallocs)=218', processed='source(s_sys)=325',
> processed='destination(d_mesg)=114', processed='global(msg_clones)=0',
> processed='src.internal(s_sys#2)=114',
> stamp='src.internal(s_sys#2)=1317220810', processed='destination(d_kern)=0',
> processed='destination(d_mlal)=0', processed='destination(d_cron)=200',
> dropped='dst.udp(d_messages#0,10.13.33.11:514)=0',
> processed='dst.udp(d_messages#0,10.13.33.11:514)=20670',
> stored='dst.udp(d_messages#0,10.13.33.11:514)=0',
> processed='global(sdata_updates)=0', processed='destination(d_auth)=9',
> processed='destination(d_boot)=0', processed='source(s_file_hr1)=2025',
> processed='center(received)=0', processed='source(s_file_fs1)=3896',
> processed='destination(d_messages)=20670',
> processed='source(s_file_hr2)=2743', processed='center(queued)=0',
> processed='source(s_file_fs2)=2662', processed='source(s_file_hr3)=7654'
>
>
>
>
>
> Do we have an issue?  It looks like the log size is too large to process
> correctly, and it is kicking it out.  What would we need to do to remedy the
> situation?


Looks like LogLogic and OSSEC are the same. The long message is coming
from syslog-ng; the statistical message is arriving on the internal()
source and could be filtered so that it does not get sent over the network.
Traditionally syslog messages were limited to 1k, but as this
limitation was pretty impractical, many implementations including
syslog-ng allow longer messages. If your device doesn't accept
messages longer than 1k then I'd say it's broken.

Regards,

Sandor
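An added example, not part of this thread: a small triage helper that parses a syslog-ng "Log statistics;" line like the one quoted above, flags it if it exceeds the traditional 1k size (the 1024-byte threshold is an assumption standing in for the OSSEC rule's limit), and reports any destination whose dropped or stored counters are non-zero, which is the actual question here. The sample line is a constructed, shortened copy of the quoted statistics message.

```python
import re

# Constructed sample: a shortened version of the statistics line quoted in
# the thread, joined back onto one line (the mail client had wrapped it).
STATS_LINE = (
    "Sep 28 09:50:10 lxfwossecp3 syslog-ng[3992]: Log statistics; "
    "processed='destination(d_mail)=2', processed='destination(d_spol)=0', "
    "processed='source(s_file_fs3)=1690', "
    "processed='src.internal(s_sys#2)=114', "
    "stamp='src.internal(s_sys#2)=1317220810', "
    "dropped='dst.udp(d_messages#0,10.13.33.11:514)=0', "
    "processed='dst.udp(d_messages#0,10.13.33.11:514)=20670', "
    "stored='dst.udp(d_messages#0,10.13.33.11:514)=0', "
    "processed='destination(d_messages)=20670'"
)

# Assumed size threshold: the "1k" limit traditional syslog receivers enforce.
TRADITIONAL_LIMIT = 1024

# Each counter looks like  type='object=value'  e.g. dropped='dst.udp(...)=0'
COUNTER_RE = re.compile(r"(\w+)='([^='\s]+)=(\d+)'")


def parse_stats(line):
    """Return {(counter_type, object_name): value} for a statistics line."""
    if "Log statistics;" not in line:
        raise ValueError("not a syslog-ng statistics message")
    return {(ctype, obj): int(val) for ctype, obj, val in COUNTER_RE.findall(line)}


def is_oversized(line, limit=TRADITIONAL_LIMIT):
    """True when the raw line is longer than what a 1k-limited receiver accepts."""
    return len(line.encode("utf-8")) > limit


def delivery_problems(counters):
    """Objects whose dropped or stored (queued, not yet sent) counter is non-zero.

    An empty result, as for the quoted line, means syslog-ng itself reports no
    delivery problem; the alert is only about the statistics line's length.
    """
    return {obj: (ctype, val) for (ctype, obj), val in counters.items()
            if ctype in ("dropped", "stored") and val > 0}


if __name__ == "__main__":
    counters = parse_stats(STATS_LINE)
    print("oversized:", is_oversized(STATS_LINE))
    print("problems:", delivery_problems(counters) or "none")
```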