Balazs Scheidler | 1 May 2006 14:40

Re: Compiling & Using syslog-ng 1.9.10 on Solaris 10

On Wed, 2006-04-26 at 10:06 +0200, Philippe JOYEZ wrote:
> Hello all,
> 
> I've finally succeeded in compiling syslog-ng on my new Solaris 10 box
> using the following tasks:
> 
> Modifications src/Makefile (Add -lrt)
> 75c75
> < LIBS = -lpthread -lnsl -lsocket -ldoor  -ll -L/usr/local/lib
> -lglib-2.0 -lintl   -L/usr/local/lib -levtlog  
> ---
> > LIBS = -lpthread -lrt -lnsl -lsocket -ldoor  -ll -L/usr/local/lib
> -lglib-2.0 -lintl   -L/usr/local/lib -levtlog  
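Review bot: the replacement LIBS line hard-codes -lrt in src/Makefile, which ties the fix to this one build tree. If src/Makefile is produced by configure (the repeated -L/usr/local/lib on the same line suggests substituted values), the edit is lost on the next configure run, and a platform without librt would fail to link. A configure-time test that appends -lrt only when the library is found would carry the Solaris 10 fix without touching other systems; it is also worth recording which unresolved symbol made -lrt necessary.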

Fixed in the patch below.

> 
> Modification src/filter.c (Adding macros):
> 
> /* Define G_LIKELY() and G_UNLIKELY() so that they are available when
>  * using GLib 1.2 as well. These allow optimization by static branch
>  * prediction with GCC. */
> #ifndef G_LIKELY
>   #define G_LIKELY(x)     (__builtin_expect(x, 1))
>   #define G_UNLIKELY(x)   (__builtin_expect(x, 0))
> #endif /* !G_LIKELY */

I don't understand this one, syslog-ng relies on GLib 2.0 heavily and I
doubt it would build with glib 1.2


Balazs Scheidler | 1 May 2006 14:41

Re: Re: HP-UX pipe read errors

On Wed, 2006-04-26 at 16:25 -0600, Andy G. wrote:
> On 04/25/06 09:08, Andrew Gill wrote:

> -- io.c.orig      Mon Mar 13 10:01:31 2006
> +++ io.c        Mon Mar 13 10:01:31 2006
>  <at>  <at>  -361,6 +361,7  <at>  <at> 
>         case EINTR:
>           continue;  /* FIXME: Is it really worth looping here,
>                       * instead of in the select loop? */
> +       case EAGAIN:
>         case EWOULDBLOCK:  /* aka EAGAIN */
>           return 0;
>         case EPIPE:
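Review bot: the added `case EAGAIN:` sits directly above `case EWOULDBLOCK:  /* aka EAGAIN */`, and that existing comment says the two names can be the same value. On any platform where they are, this is a duplicate case label and the file stops compiling. Emit the new label only where the values differ, for example by wrapping it in `#if EAGAIN != EWOULDBLOCK` and `#endif`.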
>  <at>  <at>  -415,6 +416,7  <at>  <at> 
>                         continue;  /* FIXME: Is it really worth looping here,
>                                     * instead of in the select loop? */
>                 case EWOULDBLOCK:  /* aka EAGAIN */
> +               case EAGAIN:
>                         return 0;
>                 case EPIPE:
>                         werror("io.c: recvfrom() returned EPIPE! Treating it as EOF.\n");
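Review bot: the added `case EAGAIN:` after `case EWOULDBLOCK:  /* aka EAGAIN */` in the recvfrom() switch is a duplicate case label wherever the two constants share a value, which is a compile error, so it needs an `#if EAGAIN != EWOULDBLOCK` guard. The label order also differs from the -361 hunk, where EAGAIN comes before EWOULDBLOCK; use one order in both switches so the "aka EAGAIN" comment stays next to the label it describes.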

The problem with this patch is that it breaks platforms where EAGAIN equals
EWOULDBLOCK, as the C compiler complains about overlapping case
statements.

-- 
Bazsi
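
One portable way to handle both error codes without the duplicate case label described in the reply above, shown as an added example that is not part of the original messages or of syslog-ng's source. The names `read_nonblocking`, `RD_EOF`, `RD_ERROR` and `demo` are hypothetical, and the pipe scenario is constructed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

enum { RD_EOF = -1, RD_ERROR = -2 };   /* hypothetical result codes */

/* Read from a non-blocking fd: >0 bytes read, 0 if it would block. */
static long read_nonblocking(int fd, char *buf, size_t len)
{
    for (;;) {
        ssize_t n = read(fd, buf, len);
        if (n > 0) return (long)n;
        if (n == 0) return RD_EOF;
        switch (errno) {
        case EINTR:
            continue;                /* interrupted: retry the read() */
#if EAGAIN != EWOULDBLOCK            /* extra label only where the values differ */
        case EAGAIN:
#endif
        case EWOULDBLOCK:
            return 0;                /* nothing to read right now */
        case EPIPE:
            return RD_EOF;
        default:
            return RD_ERROR;
        }
    }
}

/* Constructed scenario: empty pipe, pipe holding data, writer closed. */
static int demo(long out[3])
{
    int p[2], flags;
    char buf[16];
    if (pipe(p) != 0) return -1;
    flags = fcntl(p[0], F_GETFL);
    if (flags < 0 || fcntl(p[0], F_SETFL, flags | O_NONBLOCK) != 0) return -1;
    out[0] = read_nonblocking(p[0], buf, sizeof buf);   /* would block */
    if (write(p[1], "hello", 5) != 5) return -1;
    out[1] = read_nonblocking(p[0], buf, sizeof buf);   /* data available */
    close(p[1]);
    out[2] = read_nonblocking(p[0], buf, sizeof buf);   /* end of file */
    close(p[0]);
    return 0;
}

int main(void)
{
    long r[3];
    if (demo(r) != 0) return 1;
    printf("empty=%ld data=%ld closed=%ld\n", r[0], r[1], r[2]);
    return 0;
}
```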


Balazs Scheidler | 1 May 2006 14:47

syslog-ng 1.6.10 release broken

Hi,

It came to my attention that syslog-ng 1.6.10 broke file("/proc/kmsg")
support with the recent performance improvement patches as /proc/kmsg
does not support nonblocking mode.

The issue might cause the complete system to deadlock. Non-Linux
platforms, or installations where /proc/kmsg is not directly processed by
syslog-ng, are not affected.

I'm going to release 1.6.11 as soon as possible to fix this issue.

-- 
Bazsi

Tony Davis | 2 May 2006 11:38

syslog-ng hanging?

Hi,
 
I recently converted our RedHat EL servers (Release 3 Update 6) from the sysklogd package to syslog-ng. On some of the servers syslog-ng appears to be occasionally hanging, i.e. messages stop getting written to the various log files. This also has a knock-on effect of stopping logins, cron jobs hanging, etc, presumably because they are waiting to write to a log file. I read in the archives that this can be caused by something else using /dev/log but there are no other syslogd or minilogd processes running and lsof gives the following:
 
COMMAND    PID USER   FD   TYPE     DEVICE SIZE NODE NAME
syslog-ng 1384 root    5u  unix 0xf778c880      1703 /dev/log
syslog-ng 1384 root    6u  unix 0xf777e8c0      1715 /dev/log

I'm using the RedHat conf file bundled in the contribs directory that comes with the source code.
 
Any ideas would be welcome.
 
Thanks
 
Tony


_______________________________________________
syslog-ng maillist  -  syslog-ng <at> lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

Chris Whipple | 2 May 2006 15:49

Re: syslog-ng hanging?

I'm seeing the same problem. When the connection to a remote server that we
are sending logs to via TCP is broken, presumably from a temporary DNS or
network error, the server starts stacking /dev/log connections till there
are hundreds of them and any program that attempts to write log entries
hangs, including logins.

I can recreate the problem at will by sending logs from a test sender to a
test collector then blocking traffic with IPTables to simulate a network
issue. The sending server never recovers the connections even after turning
the IPTables back off. Syslog-ng has to be restarted on the sender to clear
up the issue. If not restarted, it will eventually lock up the server. I've
had to write a "baby-sitter" process to watch for logging to stop then
automatically restart NG when necessary on critical servers.

I've already tried several variations of the keep-alive, tcp-keep-alive,
log_fifo_size, etc to no avail.

We were running 1.6.0rc3 but upgraded to 1.6.10 on a few servers in hopes
of correcting it, but it hasn't.

Here are the simplified configs I'm using on the test servers:

-----------------------------------------------------------------------------------------------------
#Syslog-NG Test Sending Server
options {
       use_dns(no);
       use_fqdn(yes);
       sync(0);
       stats(3600);
       time_reopen(10);
       log_fifo_size(4096);
       log_msg_size(8192);
};
source s_local  { internal();
                unix-stream("/dev/log"
                        keep-alive(yes)
                        max-connections(100));
                file("/proc/kmsg"); };
destination d_collector  { tcp("testcollector.hertz.com" port(514)
                         tcp-keep-alive(yes)); };
filter f_loc2   { facility(local2); };
log { source(s_local); filter(f_loc2); destination(d_collector); };
-----------------------------------------------------------------------------------------------------
#Syslog-NG Test Collector Server
options {
        use_dns(no);
       sync(0);
       stats(3600);
       time_reopen(10);
       log_fifo_size(4096);
       log_msg_size(8192);
};
source s_local  { internal();
                 unix-stream("/dev/log"
                         keep-alive(yes)
                         max-connections(100));
                 file("/proc/kmsg"); };
source s_tcp    { tcp(port(514) keep-alive(yes)
                        tcp-keep-alive(yes)
                        max-connections(1000)); };
filter f_loc2           { facility(local2); };
destination d_loc2      { file("/tmp/test-loc2.log"); };
log {source(s_tcp); filter(f_loc2); destination(d_loc2); };
-----------------------------------------------------------------------------------------------------

Thank you,

Chris Whipple
Sr. Security Analyst
Unix Security Group
The Hertz Corporation
5601 NW Expressway
Oklahoma City, OK 73132, USA
cwhipple <at> hertz.com


wayne yu | 2 May 2006 17:20

how to start the syslog-ng daemon

Hi:

I configured my syslog-ng on the Solaris 9 computer.
When I did /etc/init.d/syslog start, and then ps -ef
| grep syslog-ng, nothing is listed.
How can I find out how syslog-ng works?

Thanks

Wayne


rlubbers | 3 May 2006 00:24

Remote SYSLOG-NG logging - can't log from remote


I am at my wits end with this.  Some devices are logging remotely, but others
are not.  I can see the packets arrive on UDP port 514 using tcpdump, but the
packets don't get recorded in the proper file.  I have tried nearly
everything, and I am certain I am doing something silly, but maybe you can
help out.

Here is my syslog-ng.conf.file:

*************************************************************

source local {
        unix-dgram("/var/run/log");
        udp(ip(0.0.0.0) port(514));
        internal();
};

### SECURITY LOG  -  This logs

filter f_9 {
        facility(security) and level(debug..emerg);
};

destination d_3 {
        file("/var/log/security" create_dirs(yes));
};

log { source(local); filter(f_9); destination(d_3); };

### MAIL LOG  -  This logs

filter f_12 {
        facility(mail) and level(info..emerg);
};

destination d_5 {
        file("/var/log/maillog" create_dirs(yes));
};

log { source(local); filter(f_12); destination(d_5); };

### PHONE DACS LOGS - This also logs

filter f_40 {
                level(debug..emerg) and host("172.12.67.28");
};

destination d_60 {
                file("/var/log/dacs/ftldgaaw_dac_1.log" create_dirs(yes));
};

log{ source(local); filter(f_40); destination(d_60); };

### ROUTER LOG - This does NOT log

filter f_19 {
                host("192.168.1.128");
};

destination d_19 {
                file("/var/log/netrouter_pisst.log" create_dirs(yes));
};

log{ source(local); filter(f_19); destination(d_19); };


Nate Campi | 3 May 2006 00:51

Re: syslog-ng hanging?

On Tue, May 02, 2006 at 10:38:05AM +0100, Tony Davis wrote:
> Hi,
>  
> I recently converted our RedHat EL servers (Release 3 Update 6) from the
> sysklogd package to syslog-ng. On some of the servers syslog-ng appears
> to be occasionally hanging, i.e. messages stop getting written to the
> various log files. This also has a knock-on effect of stopping logins,
> cron jobs hanging, etc, presumably because they are waiting to write to
> a log file. I read in the archives that this can be caused by something
> else using /dev/log but there are no other syslogd or minilogd processes
> running and lsof gives the following:
>  
> COMMAND    PID USER   FD   TYPE     DEVICE SIZE NODE NAME
> syslog-ng 1384 root    5u  unix 0xf778c880      1703 /dev/log
> syslog-ng 1384 root    6u  unix 0xf777e8c0      1715 /dev/log
> 
> I'm using the RedHat conf file bundled in the contribs directory that
> comes with the source code.

A while back I had problems with a ppp interface coming up and down
(when using ppp over ssh for a temporary VPN) because a debian script in
/etc/ppp/ip-up.d/ restarted postfix every time the interface came up. 

Something about the interaction between chrooted postfix and syslog-ng
(and maybe my kernel version?) caused /dev/log to get hung up and the
system would become unusable. I simply removed the postfix restart
script and all has been well ever since.

I have no idea what's causing your problem, but thought it worth
mentioning what I'd seen in the past.
-- 
Nate

"The real question is not whether machines think but whether men do. The
mystery which surrounds a thinking machine already surrounds a thinking
man." - B. F. Skinner, Contingencies of Reinforcement


Nate Campi | 3 May 2006 00:53

Re: how to start the syslog-ng daemon

On Tue, May 02, 2006 at 08:20:14AM -0700, wayne yu wrote:
> 
> I configured my syslog-ng on the Solaris 9 computer.
> When I did /etc/init.d/syslog start, and then ps -ef
> | grep syslog-ng, nothing is listed.
> How can I find out how syslog-ng works?

/etc/init.d/syslog will start syslogd, not syslog-ng. You'll need to
modify the init script to start syslog-ng - or better would be to leave
the syslog script alone, create /etc/init.d/syslog-ng and symlink it
into /etc/rc2.d/ (or wherever).
-- 
Nate

 It is better to keep your mouth shut and be thought a fool,
             than to open it and remove all doubt.


Nate Campi | 3 May 2006 01:01

Re: Remote SYSLOG-NG logging - can't log from remote

On Tue, May 02, 2006 at 10:24:27PM -0000, rlubbers <at> sysctl.net wrote:
> 
> I am at my wits end with this.  Some devices are logging remotely, but others
> are not.  I can see the packets arrive on UDP port 514 using tcpdump, but the
> packets don't get recorded in the proper file.  I have tried nearly
> everything, and I am certain I am doing something silly, but maybe you can
> help out.
> 
> Here is my syslog-ng.conf.file:
> 
> *************************************************************
> 
> source local {
>         unix-dgram("/var/run/log");
>         udp(ip(0.0.0.0) port(514));
>         internal();
> };
> 
> ### SECURITY LOG  -  This logs
> 
> filter f_9 {
>         facility(security) and level(debug..emerg);
> };
> 
> destination d_3 {
>         file("/var/log/security" create_dirs(yes));
> };
> 
> log { source(local); filter(f_9); destination(d_3); };

Does your system define a "security" facility? Probably not. From
/usr/include/sys/syslog.h on my Linux box:

/* facility codes */
#define LOG_KERN        (0<<3)  /* kernel messages */
#define LOG_USER        (1<<3)  /* random user-level messages */
#define LOG_MAIL        (2<<3)  /* mail system */
#define LOG_DAEMON      (3<<3)  /* system daemons */
#define LOG_AUTH        (4<<3)  /* security/authorization messages */
#define LOG_SYSLOG      (5<<3)  /* messages generated internally by syslogd */
#define LOG_LPR         (6<<3)  /* line printer subsystem */
#define LOG_NEWS        (7<<3)  /* network news subsystem */
#define LOG_UUCP        (8<<3)  /* UUCP subsystem */
#define LOG_CRON        (9<<3)  /* clock daemon */
#define LOG_AUTHPRIV    (10<<3) /* security/authorization messages (private) */
#define LOG_FTP         (11<<3) /* ftp daemon */
	/* other codes through 15 reserved for system use */
#define LOG_LOCAL0      (16<<3) /* reserved for local use */
#define LOG_LOCAL1      (17<<3) /* reserved for local use */
#define LOG_LOCAL2      (18<<3) /* reserved for local use */
#define LOG_LOCAL3      (19<<3) /* reserved for local use */
#define LOG_LOCAL4      (20<<3) /* reserved for local use */
#define LOG_LOCAL5      (21<<3) /* reserved for local use */
#define LOG_LOCAL6      (22<<3) /* reserved for local use */
#define LOG_LOCAL7      (23<<3) /* reserved for local use */

...and from a solaris box:

/*
 *  Facility codes
*/
#define LOG_KERN        (0<<3)  /* kernel messages */
#define LOG_USER        (1<<3)  /* random user-level messages */
#define LOG_MAIL        (2<<3)  /* mail system */
#define LOG_DAEMON      (3<<3)  /* system daemons */
#define LOG_AUTH        (4<<3)  /* security/authorization messages */
#define LOG_SYSLOG      (5<<3)  /* messages generated internally by syslogd */
#define LOG_LPR         (6<<3)  /* line printer subsystem */
#define LOG_NEWS        (7<<3)  /* netnews subsystem */
#define LOG_UUCP        (8<<3)  /* uucp subsystem */
#define LOG_CRON        (15<<3) /* cron/at subsystem */
	/* other codes through 15 reserved for system use */
#define LOG_LOCAL0      (16<<3) /* reserved for local use */
#define LOG_LOCAL1      (17<<3) /* reserved for local use */
#define LOG_LOCAL2      (18<<3) /* reserved for local use */
#define LOG_LOCAL3      (19<<3) /* reserved for local use */
#define LOG_LOCAL4      (20<<3) /* reserved for local use */
#define LOG_LOCAL5      (21<<3) /* reserved for local use */
#define LOG_LOCAL6      (22<<3) /* reserved for local use */
#define LOG_LOCAL7      (23<<3) /* reserved for local use */

You need to pick from the available facilities. You might mean authpriv,
if you're on a Linux box and messages are coming from a Linux box.

If you're wondering what's coming in, define a catchall destination and
see what's recorded:

 http://www.campin.net/syslog-ng/faq.html#logall

You might define a template that includes the facility/severity in the
logfile so you can set your filters accordingly:

 http://www.campin.net/syslog-ng/faq.html#template

Something like this:

destination std {
       file("/var/log/catchall.log"
            owner(syslog-ng) group(syslog-ng) perm(0600) dir_perm(0700) create_dirs(yes)
            template("$DATE $FULLHOST $PROGRAM $TAG [$FACILITY.$LEVEL] $MESSAGE\n"));
};

log {
       source(src);
       destination(std);
};

-- 
Nate

"I had to quit my job to have time to read my email." - Curry, Adam [MTV
Host and net.legend] his occasional signature quote
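
Each raw syslog datagram starts with a `<PRI>` number that encodes facility and level, so decoding it from a packet capture shows what a filter has to match before any catchall destination is set up. This is an added example, not part of the original messages: `decode_pri`, the name tables and the sample datagrams are constructed, and the facility names follow the Linux header quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Facility names by code, following the Linux header quoted above.
 * Codes 12-15 are left unnamed; the Solaris header above puts cron at 15. */
static const char *const fac_linux[24] = {
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", NULL, NULL, NULL, NULL,
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"
};
static const char *const sev_names[8] = {
    "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"
};

/* Parse the leading "<PRI>" of a raw syslog datagram.
 * Writes "facility.level" into out; returns 0 on success, -1 if malformed. */
static int decode_pri(const char *pkt, char *out, size_t outlen)
{
    int pri = 0, digits = 0;
    const char *p = pkt;
    if (*p++ != '<') return -1;
    while (*p >= '0' && *p <= '9' && digits < 3) {
        pri = pri * 10 + (*p++ - '0');
        digits++;
    }
    if (digits == 0 || *p != '>' || pri > 191) return -1;  /* 191 = local7.debug */
    int fac = pri >> 3, sev = pri & 7;   /* same layout as the (n<<3) macros */
    if (fac_linux[fac])
        snprintf(out, outlen, "%s.%s", fac_linux[fac], sev_names[sev]);
    else
        snprintf(out, outlen, "facility%d.%s", fac, sev_names[sev]);
    return 0;
}

int main(void)
{
    /* Constructed sample datagrams, not taken from the thread. */
    const char *samples[] = { "<86>sshd[411]: session opened", "<189>link state changed",
                              "<126>cron job ran", "no PRI here" };
    char out[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s\n", samples[i],
               decode_pri(samples[i], out, sizeof out) == 0 ? out : "(no valid PRI)");
    return 0;
}
```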
