[syslog-ng] [Bug 190] New: syslog-ng with TCP source, fails to shutdown properly, and generates core dump

bugzilla at bugzilla.balabit.com
Tue Aug 28 17:19:47 CEST 2012


https://bugzilla.balabit.com/show_bug.cgi?id=190

           Summary: syslog-ng with TCP source, fails to shutdown properly,
                    and generates core dump
           Product: syslog-ng
           Version: 3.3.x
          Platform: PC
        OS/Version: Solaris
            Status: NEW
          Severity: major
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi at balabit.hu
        ReportedBy: marvin.nipper at stream.com
Type of the Report: bug
   Estimated Hours: 0.0


OK.  I decided to jump to 3.3.6, so that I could get rid of the source patching that I was doing to fix the address spoofing bug in 3.3.5.  It compiled cleanly, and I was hoping that I was finally going to be on an "unpatched" version of 3.3.x!!

However, there is now a completely new bug that has apparently been introduced into 3.3.6, related to TCP sources.

My environment is Solaris 10 U10 x86.

What I am seeing:
The daemon starts fine, and starts collecting log data just fine;
When I execute the standard /etc/init.d script to stop the daemon (using the kill of the PID):
I now instantly get a core dump;
I find that both of the syslog-ng processes are still running;
I find that syslog-ng no longer appears to be processing any of the UDP input (as the files that should grow, because of UDP input, are no longer growing); and
I find that the one file that I generate from TCP input, is still continuing to grow.

Put simply, it appears that the "kill" does not clearly shut down the TCP source, and so syslog-ng just continues to run, and continues to "eat" TCP packets, and feed them to their designated target file.

I end up having to do a kill -9 on both of the syslog-ng daemons, in order to get them to stop.


The relevant statements are fairly trivial, and they work flawlessly in 3.3.5 (as well as all previous releases):
source any_tcp { tcp(port(601) max-connections(40)
                 flags("store-legacy-msghdr", "threaded") use_dns(no)
                 log_fetch_limit(100) log_iw_size(250)); };

destination workstation_log {
        file("/var/adm/log/workstation.log" create_dirs(yes)
                                            flags("threaded")); };

log { source(any_tcp); destination(workstation_log); flags(final); };


Anyway, I'm hoping that you will possibly have some clue as to a particular bit of code that might have been changed between 3.3.5 and 3.3.6, that might be causing this behavior(??).

Let me know what all you might want/need from me, to assist in sorting this out.  SORRY for the bad news (really).  I was really hoping that 3.3.6 would be "painless", and I'm sure that you were hoping for the same thing.

As with the spoofing bug in 3.3.5, I am ALWAYS more than happy to try out a patch, to see if that fixes the problem.  I know that it may not be easy to try out Solaris-related changes (and maybe this issue is just something in Solaris).

As always, THANKS for your time and help.

