[syslog-ng] syslog-ng and python program destination constantly being restarted again and again

Sandor Geller sandor.geller at ericsson.com
Fri Sep 26 09:48:39 CEST 2014


Hi,

The logs you quoted imply that your custom script keeps dying, therefore 
syslog-ng keeps respawning it. Without seeing the whole script I'd 
assume that the original problem occurs in the code path where the 
script tries to forward logs and an exception gets raised (BTW not all 
exceptions are derived from the Exception class so the exception handler 
is a bit incomplete but let's put this aside for now).

In the exception handler you're trying to open a file containing '~' 
without using os.path.expanduser() so you end up with an invalid 
filename which can't get opened. As this exception isn't handled the 
interpreter aborts the script. So you should eliminate the root cause 
why the script can't forward logs and also improve the exception handling.

hth,

Sandor

On 09/26/2014 01:12 AM, Andrew Bell wrote:
> Hello all,
>
> Wondering if someone could help me with an issue I’ve run into recently
> regarding the program destination in syslog-ng and a python script I
> wrote to automate parsing log events sent over from our Web Application
> firewall. For some months now, the script and syslog-ng configuration
> were working swimmingly but then things recently started to stop working
> and now the script refuses to remain up and forwarding as expected.
>
> First, here is what and destination looks like in my syslog-ng conf. The
> general flow here being  ASM events are generated on the firewall (for
> whatever purpose), they get sent over to syslog-ng and my python script
> then parses these logs and sends them over to another server running
> ElasticSearch using the python requests library. This takes place within
> the context of an infinite loop in my script – wait for a log event to
> come in, execute, go back to waiting, and so forth.
>
> destination asm_post {
>     program("python -u /home/data/asm_logs/asmlogPost.py" flush_lines(1) flags(no_multi_line));
> };
>
> I’ve specified the following flags based off other help forums that
> suggested this would help to address the stdin buffer flushing issue
> sometimes encountered with syslog-ng and python scripts. There are no
> filters being applied here.
>
> source(sn_asm);
> destination(asm_post);
>
> Now, my asmLogPost.py script is setup to always read in standard input
> through an infinite loop as various best practice syslog-ng sources have
> recommended. Here’s an excerpt of where the reading in happens  -
> encapsulated within the context of a try/exception clause:
>
> try:
>     while 1:
>         line = sys.stdin.readline()
>         # ...read in line log event, log event parsing and POSTing to other box
>         # executes in context of infinite loop...after each POST, it should go
>         # back and wait to read in the next line
> except Exception, e:
>     # ...exception handling block to catch any errors, write to a file...
>     f = open('~/ error.txt','ab')
>     f.write('Error happened, here are the details - %s\n' % str(e))
>     f.close()
>
> As was said earlier, this has all worked out fine and dandy for quite
> some time (and I haven’t made any alterations to my script for about a
> month or so). But just recently, syslog-ng now appears to be caught in a
> loop where it constantly stops, starts, and restarts my script
> continuously such that it can’t log anything anymore sufficiently. Also
> the PID is constantly changing for my script whenever I do a ps –aef
> command, which would indicate that a new instance is constantly being
> spun up by syslog-ng.
>
> Not only that, but there apparently appear to be the following messages
> sprouting up in /var/log/messages constantly as well which I think is
> due to syslog-ng always restarting my script
>
> Sep 25 16:28:57 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory
> Sep 25 16:28:57 sysa03 abrt: detected unhandled Python exception in '/home/data/asm_logs/asmlogPost.py'
> Sep 25 16:28:57 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory
> Sep 25 16:28:57 sysa03 abrt: detected unhandled Python exception in '/home/data/asm_logs/asmlogPost.py'
> Sep 25 16:28:57 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory
> Sep 25 16:28:57 sysa03 abrt: detected unhandled Python exception in '/home/data/asm_logs/asmlogPost.py'
> Sep 25 16:28:57 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory
> Sep 25 16:28:57 sysa03 abrt: detected unhandled Python exception in '/home/data/asm_logs/asmlogPost.py'
> Sep 25 16:28:57 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory
> Sep 25 16:28:57 sysa03 abrt: detected unhandled Python exception in '/home/data/asm_logs/asmlogPost.py'
> Sep 25 16:28:57 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory
> Sep 25 16:28:58 sysa03 abrt: detected unhandled Python exception in '/home/data/asm_logs/asmlogPost.py'
> Sep 25 16:28:58 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory
> Sep 25 16:28:58 sysa03 abrt: detected unhandled Python exception in '/home/data/asm_logs/asmlogPost.py'
> Sep 25 16:28:58 sysa03 abrt: can't communicate with ABRT daemon, is it running? [Errno 2] No such file or directory
>
> But the thing is, there are no exceptions or error files being generated
> by my script even though these messages seem to say this happening…if
> there were, my script should catch this and write it down. Besides, it
> did used to do this initially as I was developing my script but it would
> never halt overall execution or cause syslog-ng to tear it down, it
> would just write out to an error.txt file within the same directory.
>
> Can anyone offer any insight here? I’ll admit I’m not familiar with how
> the ABRT daemon functions and if it and syslog-ng are somehow related
> here or not. And I’m pretty confident that there’s nothing wrong with my
> script as I am able to execute its current version just fine from a
> shell prompt – it can send over the log event and everything parsed as
> expected with no errors. I’m kind of at a dead end, going through my
> script and these log messages, trying to restart syslog-ng to refresh,
> trying to place debug log statements before the “while 1:” loop, trying
> to move the while 1: loop to be outside the try/exception clause, but
> not much of this seems to be helping so far.
>
> Many Thanks,
>
> Andrew
>
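
The two fixes suggested in the reply, as an added sketch that is not code from the thread or from Andrew's script: the error-log path goes through os.path.expanduser(), and exceptions are handled per event so that neither a failed forward nor a failed write to the error log ends the process and triggers a respawn. It is written for Python 3; `forward`, the log file name and the sample events are assumptions made for illustration.

```python
import io
import os
import sys
import tempfile
import traceback

# Assumed error-log location; expanduser() resolves '~' to the home directory
# of the account syslog-ng runs the script as, which open() will not do itself.
ERROR_LOG = os.path.expanduser("~/asmlogPost-error.txt")


def log_error(exc, path=ERROR_LOG):
    """Append the traceback to `path`; the error path itself must never raise."""
    details = traceback.format_exception(type(exc), exc, exc.__traceback__)
    try:
        with open(path, "a") as f:
            f.write("".join(details))
    except OSError:
        # Log file unusable (bad path, permissions): fall back to stderr.
        sys.stderr.write("".join(details))


def run(stream, forward, error_log=ERROR_LOG):
    """Feed each line to forward() until EOF; return (forwarded, failed)."""
    forwarded = failed = 0
    while True:
        line = stream.readline()
        if not line:  # '' is EOF: syslog-ng closed the pipe, so exit cleanly
            break
        try:
            forward(line.rstrip("\n"))
            forwarded += 1
        except Exception as exc:  # one bad event must not end the process
            failed += 1
            log_error(exc, error_log)
    return forwarded, failed


def demo():
    """Constructed input: the second event makes the stand-in forwarder fail."""
    def forward(event):  # hypothetical stand-in for the parse-and-POST step
        if "bad" in event:
            raise ValueError("POST failed for %r" % event)
    events = io.StringIO("asm event 1\nbad event\nasm event 3\n")
    log = os.path.join(tempfile.mkdtemp(), "error.txt")
    counts = run(events, forward, log)
    with open(log) as f:
        return counts, f.read()


if __name__ == "__main__":
    print(demo())
```

Under syslog-ng the real entry point would be `run(sys.stdin, forward)` with the actual parse-and-POST function; SystemExit and KeyboardInterrupt are deliberately left uncaught so the process can still be stopped.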