[syslog-ng] syslog-ng 3.6.2 using stomp

Ole Jørgensen oleide at gmail.com
Thu Jan 29 18:39:41 CET 2015


Hi,

I'm testing the stomp destination using syslog-ng ose 3.6.2, and as the
process starts it logs:
# /opt/syslog-ng-3.6.2/sbin/syslog-ng -f /opt/syslog-ng-3.6.2/etc/syslog-ng.conf -F -d -v -t 2>&1 | grep -i stomp
[2015-01-29T18:29:45.323518] Reading shared object for a candidate module; path='/opt/syslog-ng-3.6.2/lib/syslog-ng', fname='afstomp.so', module='afstomp'
[2015-01-29T18:29:45.323629] Registering candidate plugin; module='afstomp', context='destination', name='stomp', preference='0'
[2015-01-29T18:29:45.343833] Module loaded and initialized successfully; module='afstomp'
[2015-01-29T18:29:45.344725]   Compiling d_stomp reference [destination] at [/opt/syslog-ng-3.6.2/etc/syslog-ng.conf:70:2]
[2015-01-29T18:29:45.344728]     Compiling d_stomp sequence [destination] at [/opt/syslog-ng-3.6.2/etc/syslog-ng.conf:32:1]
[2015-01-29T18:29:45.345092] Initializing STOMP destination; host='localhost', port='61613', destination='/topic/syslog'
[2015-01-29T18:29:45.345368] Worker thread started; driver='d_stomp#0'
[2015-01-29T18:29:45.346854] Stomp connection failed; host='localhost'

Relevant parts of my configuration:
destination d_stomp {
        stomp(
                host("localhost")
                port(61613)
                body("testing")
                ack(yes)
                retries(9)
                value-pairs(scope(everything))
        );
};

The strange thing is that when I'm starting syslog-ng I am running tcpdump
-i lo -s0 -nn -v port 61613, and cannot see any packets. I would expect at
least a syn connection since it claims to fail. SELinux does not log any
denies during the startup, so I suspect the problem to be elsewhere.

If I do a tcpdump -i lo -s0 -nn -v -X and start syslog-ng this is captured:
18:33:26.833330 IP (tos 0x0, ttl 64, id 5652, offset 0, flags [DF], proto TCP (6), length 60)
    127.0.0.1.35340 > 127.0.0.1.0: Flags [S], cksum 0xd601 (correct), seq 801587243, win 65495, options [mss 65495,sackOK,TS val 700601919 ecr 0,nop,wscale 7], length 0
        0x0000:  4500 003c 1614 4000 4006 26a6 7f00 0001  E..<..@.@.&.....
        0x0010:  7f00 0001 8a0c 0000 2fc7 402b 0000 0000  ......../.@+....
        0x0020:  a002 ffd7 d601 0000 0204 ffd7 0402 080a  ................
        0x0030:  29c2 563f 0000 0000 0103 0307            ).V?........
18:33:26.833412 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    127.0.0.1.0 > 127.0.0.1.35340: Flags [R.], cksum 0xb7ce (correct), seq 0, ack 801587244, win 0, length 0
        0x0000:  4500 0028 0000 4000 4006 3cce 7f00 0001  E..(..@.@.<.....
        0x0010:  7f00 0001 0000 8a0c 0000 0000 2fc7 402c  ............/.@,
        0x0020:  5014 0000 b7ce 0000                      P.......

So we get a syn to port 0 and answer with reset. Could there be a port
parsing error for stomp in syslog-ng OSE 3.6.2? Any suggestions?

Also: syslog-ng spawns another thread to do the stomp connection, any
suggestions on how I can strace this thread during startup to see what is
actually going on? Would love to know if in fact this connection is made to
port 0.

Thanks,
Ole
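
Added example (not part of the original post): the Python sketch below decodes the two packets from the tcpdump -X hex dumps above and checks that the SYN went to destination port 0 and was answered by the matching RST/ACK. The function and variable names are hypothetical; the packet bytes are copied from the post.

```python
import struct

# Bytes copied from the two "tcpdump -X" hex dumps in the post (IPv4 + TCP).
SYN_HEX = """
4500 003c 1614 4000 4006 26a6 7f00 0001
7f00 0001 8a0c 0000 2fc7 402b 0000 0000
a002 ffd7 d601 0000 0204 ffd7 0402 080a
29c2 563f 0000 0000 0103 0307
"""
RST_HEX = """
4500 0028 0000 4000 4006 3cce 7f00 0001
7f00 0001 0000 8a0c 0000 0000 2fc7 402c
5014 0000 b7ce 0000
"""
FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
              (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def decode(hex_dump):
    """Decode an IPv4/TCP packet given as whitespace-separated hex."""
    pkt = bytes.fromhex("".join(hex_dump.split()))
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    # Source port, destination port, seq, ack, data offset + flags.
    sport, dport, seq, ack, off_flags = struct.unpack(
        "!HHIIH", pkt[ihl:ihl + 14])
    flags = [name for bit, name in FLAG_NAMES if off_flags & bit]
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags}

def refused_port0_connect(syn, rst):
    """True if syn is a SYN to port 0 and rst is the matching RST/ACK."""
    return (syn["flags"] == ["SYN"] and syn["dport"] == 0
            and "RST" in rst["flags"] and "ACK" in rst["flags"]
            and (rst["src"], rst["sport"]) == (syn["dst"], syn["dport"])
            and rst["dport"] == syn["sport"]
            and rst["ack"] == (syn["seq"] + 1) & 0xFFFFFFFF)

if __name__ == "__main__":
    syn, rst = decode(SYN_HEX), decode(RST_HEX)
    print(syn)
    print(rst)
    print("SYN to port 0 answered by RST:", refused_port0_connect(syn, rst))
```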