[syslog-ng] v3.9: Core dump on python module

Scheidler, Balázs balazs.scheidler at balabit.com
Wed Jan 4 07:23:23 UTC 2017


It seems that creating the _syslogng module fails for some reason. But
there's no error handling there.

Adding null handling and printing the error should help find the culprit.

On Jan 4, 2017 1:02 AM, "Clayton Dukes" <cdukes at logzilla.net> wrote:

> Andreas, we found an error in our pattern file, check to see if this fixes
> it (I don't have a u16 box to test on at the moment):
>
> s/logzilla.program/PROGRAM/
>
> *From: *syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> "Mitzki, András" <andras.mitzki at balabit.com>
> *Reply-To: *Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Date: *Tuesday, January 3, 2017 at 8:04 AM
> *To: *Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Cc: *"Czanik, Péter" <peter.czanik at balabit.com>
> *Subject: *Re: [syslog-ng] v3.9: Core dump on python module
>
>
>
> With your configuration syslog-ng crashes for me also.
>
> We will check where the main problem is.
>
>
>
> Thanks,
>
>
>
> On Tue, Jan 3, 2017 at 1:56 PM, Clayton Dukes <cdukes at logzilla.net> wrote:
>
> I'll send it to you directly. I need some time to get it from one of the
> devs
>
>
>
>
>
> *From: *syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> "Mitzki, András" <andras.mitzki at balabit.com>
> *Reply-To: *Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Date: *Tuesday, January 3, 2017 at 7:55 AM
>
>
> *To: *Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Cc: *"Czanik, Péter" <peter.czanik at balabit.com>
> *Subject: *Re: [syslog-ng] v3.9: Core dump on python module
>
>
>
> If possible could you send it also?
>
>
>
> Thanks.
>
>
>
> On Tue, Jan 3, 2017 at 1:51 PM, Clayton Dukes <cdukes at logzilla.net> wrote:
>
> Here you go (I modified the python portion so you don't have to use our
> libs).
>
> Do you need the patterndb file?
>
>
>
>
>
> python {
>
> def is_well_known_port(p):
>     return p in (22, 53, 80, 443)
>
> def parse_port(msg, port):
>     try:
>         if is_well_known_port(int(port)):
>             return port
>         else:
>             return 'unknown'
>     except ValueError:
>         return 'unknown'
>
> };
>
> parser patterndb_logzilla_sample {
>     db-parser(file('/etc/syslog-ng/patterndb.d/logzilla-sample.xml'));
> };
>
> log {
>     source(s_logzilla);
>     # disable s_src if you don't want local server events
>     source(s_src);
>     rewrite(rw_program);
>     rewrite(rw_basename);
>     parser(patterndb_logzilla_sample);
>     rewrite {
>         set("$(python parse_port ${logzilla.ut.src_port})"
>             value("logzilla.ut.src_port")
>             condition("${logzilla.ut.src_port}" ne "")
>         ); };
>     rewrite {
>         set("$(python parse_port ${logzilla.ut.dst_port})"
>             value("logzilla.ut.dst_port")
>             condition("${logzilla.ut.dst_port}" ne "")
>         ); };
>     destination(d_logzilla);
>     # Enable below for debug/testing of incoming events
>     # destination(df_debug);
>     flags(flow-control);
> };
>
>
>
>
>
>
>
>
>
>
>
> *From: *syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> "Mitzki, András" <andras.mitzki at balabit.com>
> *Reply-To: *Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Date: *Tuesday, January 3, 2017 at 7:43 AM
> *To: *Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Cc: *"Czanik, Péter" <peter.czanik at balabit.com>
>
>
> *Subject: *Re: [syslog-ng] v3.9: Core dump on python module
>
>
>
> Hi Clayton,
>
>
>
> I have tried to reproduce the issue, but for me syslog-ng can load the
> python module.
>
> I have tried with the actual Ubuntu 16.04 host machine and also with
> ubuntu:16.04 docker image.
>
> syslog-ng version was 3.9.1 from Laci's repository.
>
>
>
> Could you send a minimalized syslog-ng configuration (which is still
> failing)?
>
>
>
> Thanks
>
> Micek
>
>
>
>
>
> On Mon, Jan 2, 2017 at 4:01 PM, Clayton Dukes <cdukes at logzilla.net> wrote:
>
> My last email bounced, making sure you got this:
>
>
>
> I tested with both. Neither work on U16.
>
> The server was originally on 3.9 when it happened, so I tried downgrading
> to 3.8. Still didn't work.
>
>
>
>
>
>
>
>
>
> *From: *syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> "Czanik, Péter" <peter.czanik at balabit.com>
> *Reply-To: *Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Date: *Monday, January 2, 2017 at 6:48 AM
> *To: *Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject: *Re: [syslog-ng] v3.9: Core dump on python module
>
>
>
> Hi,
>
>
> Is it 3.8 or 3.9? Your title says 3.9 but your gdb trace shows 3.8. As 3.9
> has tons of bugfixes over 3.8, I'd recommend trying 3.9.
>
> Bye,
>
>
> Peter Czanik (CzP) <peter.czanik at balabit.com>
> Balabit / syslog-ng upstream
> https://www.balabit.com/blog/author/peterczanik/
> https://twitter.com/PCzanik
>
>
>
> On Sun, Jan 1, 2017 at 11:34 PM, Clayton Dukes <cdukes at logzilla.net>
> wrote:
>
> Confirmed: I installed Ubuntu 14 on that server and it works as expected,
> so it's got something to do with U16.
>
>
>
>
>
> *From: *Clayton Dukes <cdukes at logzilla.net>
> *Date: *Sunday, January 1, 2017 at 4:04 PM
>
>
> *To: *Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject: *Re: v3.9: Core dump on python module
>
>
>
> No idea if this helps - I'm not a programmer ;) -  but here's a gdb
> output. Happy to provide the core file also if you want (it's only 5MB)
>
>
>
>
>
> Reading symbols from /usr/sbin/syslog-ng...(no debugging symbols found)...done.
> [New LWP 13186]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Core was generated by `syslog-ng -Fdve'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x00007fd99f82a54b in PyModule_GetDict () from /usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0
> (gdb) bt full
> #0  0x00007fd99f82a54b in PyModule_GetDict () from /usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0
> No symbol table info available.
> #1  0x00007fd99fc223b8 in _py_get_main_module () from /usr/lib/syslog-ng/3.8/libmod-python.so
> No symbol table info available.
> #2  0x00007fd99fc22473 in _py_evaluate_global_code () from /usr/lib/syslog-ng/3.8/libmod-python.so
> No symbol table info available.
> #3  0x00007fd99fc22551 in python_evaluate_global_code () from /usr/lib/syslog-ng/3.8/libmod-python.so
> No symbol table info available.
> #4  0x00007fd99fc2342f in python_parse () from /usr/lib/syslog-ng/3.8/libmod-python.so
> No symbol table info available.
> #5  0x00007fd9a44b068f in plugin_parse_config () from /usr/lib/syslog-ng/libsyslog-ng-3.8.so.0
> No symbol table info available.
> #6  0x00007fd9a44bd869 in main_parse () from /usr/lib/syslog-ng/libsyslog-ng-3.8.so.0
> No symbol table info available.
> #7  0x00007fd9a4497690 in cfg_run_parser () from /usr/lib/syslog-ng/libsyslog-ng-3.8.so.0
> No symbol table info available.
> #8  0x00007fd9a4497887 in cfg_read_config () from /usr/lib/syslog-ng/libsyslog-ng-3.8.so.0
> No symbol table info available.
> #9  0x00007fd9a44acae7 in main_loop_read_and_init_config () from /usr/lib/syslog-ng/libsyslog-ng-3.8.so.0
> No symbol table info available.
> #10 0x00000000004016f5 in main ()
> No symbol table info available.
>
>
>
>
>
>
>
> *From: *Clayton Dukes <cdukes at logzilla.net>
> *Date: *Sunday, January 1, 2017 at 3:18 PM
> *To: *Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject: *Re: v3.9: Core dump on python module
>
>
>
> Looks like this is happening with 3.8.1-3 as well :(
>
> Only difference I can see is Ubuntu 14 vs 16?
>
> Any ideas of what I can try?
>
>
>
>
>
> *From: *Clayton Dukes <cdukes at logzilla.net>
> *Date: *Sunday, January 1, 2017 at 2:56 PM
> *To: *Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject: *v3.9: Core dump on python module
>
>
>
> Hey guys, just want you to know Ubuntu16 is dumping core on loading the
> python module.
>
> Ubuntu14 does not do this.
>
>
>
>
>
> [2017-01-01T19:54:52.576749] Module loaded and initialized successfully; module='mod-python'
> Segmentation fault (core dumped)
>
>
>
> -Clayton Dukes
>
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
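
As an added example (not part of this thread and not syslog-ng code): a small Python triage helper for a symbol-less gdb backtrace like the one quoted above. It reports the faulting frame, the first caller outside the faulting library (where a null check would belong), and the syslog-ng version embedded in the module paths compared with the version in the subject line; the function names and result keys are chosen for this example.

```python
import re

# Excerpt of the backtrace quoted in this thread (quote markers and the
# "No symbol table info" lines dropped, some frames omitted for brevity).
SAMPLE_BT = """\
#0  0x00007fd99f82a54b in PyModule_GetDict () from
/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0
#1  0x00007fd99fc223b8 in _py_get_main_module () from
/usr/lib/syslog-ng/3.8/libmod-python.so
#2  0x00007fd99fc22473 in _py_evaluate_global_code () from
/usr/lib/syslog-ng/3.8/libmod-python.so
#5  0x00007fd9a44b068f in plugin_parse_config () from
/usr/lib/syslog-ng/libsyslog-ng-3.8.so.0
#10 0x00000000004016f5 in main ()
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\S+) \(\)(?: from (\S+))?", re.M)
VERSION_RE = re.compile(r"syslog-ng[/-](\d+\.\d+)")


def parse_frames(bt_text):
    """Return [(index, function, shared_object or None)] from gdb `bt` text."""
    # Line wrapping puts the library path on the next line; rejoin first.
    joined = bt_text.replace(" from\n", " from ")
    return [(int(n), fn, so or None) for n, fn, so in FRAME_RE.findall(joined)]


def triage(bt_text, claimed_version):
    """Summarise a symbol-less backtrace for a first-pass crash report."""
    frames = parse_frames(bt_text)
    crash = frames[0]
    # First frame in a different object than the faulting one: the caller
    # that handed the library a bad argument, i.e. where a check belongs.
    caller = next((f for f in frames[1:] if f[2] != crash[2]), None)
    # Version directories and sonames show which build produced the core.
    versions = sorted({m.group(1) for _, _, so in frames if so
                       for m in [VERSION_RE.search(so)] if m})
    return {
        "crash": crash,
        "caller": caller,
        "versions": versions,
        "version_mismatch": bool(versions) and versions != [claimed_version],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BT, "3.9").items():
        print(f"{key}: {value}")
```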