gmane.comp.syslog-ng

patterndb and log analysis

Matt Zagrabelny — 2013-06-18T16:52:38

Greetings syslog-ng users,

I've never used patterndb, but have been aware of it for a while.

I just cloned the git://git.balabit.hu/bazsi/syslog-ng-patterndb.git
and it looks like the project has not seen much activity since 2010.
Are people still using patterndb? Do the patterns not change much and
that is the reason that the git database has not changed much?

What are free software enthusiasts using for log analysis?

Thanks for the answers!

-mz
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

AUTO: James B Horwath is out of the office (returning06/19/2013)

James B Horwath — 2013-06-17T10:05:57


I am out of the office until 06/19/2013.

I will be out of the office until 06/19//2013 with limited access to
e-mail.  If you have an urgent issue please contact Sunil Gupta at
(610)-807-6710 or Dylan Yoder at (610)-807-7230.

Regards
Jim Horwath
IT Security Services & Governance, Corporate BTS and IT Security/Risk
Tel 610-807-8795
Mobile 610-533-6972
3900 Burgess Place, Bethlehem, Pa. 18017
Jim_Horwath< at >glic.com





Note: This is an automated response to your message  "syslog-ng Digest, Vol
98, Issue 25" sent on 6/17/2013 6:00:03.

This is the only notification you will receive while this person is away.

-----------------------------------------
This message, and any attachments to it, may contain information
that is privileged, confidential, and exempt from disclosure under
applicable law.  If the reader of this message is not the intended
recipient, you are notified that any use, dissemination,
distribution, copying, or communication of this message is strictly
prohibite

Syslog-ng under Windows (Cygwin - copying from anotherpc)

Tom Doberstein — 2013-06-17T10:05:46

Hello,

I am using syslog-ng in cygwin under WinXP.

On my developer pc I have no problems, everything works very fine. But when
I copy the cygwin directory (from c:/Programs to c:/Programs) on another
pc, I got the following errors:
-----------------
Error opening plugin module; module='afsocket', error='Exec format error'
Error opening plugin module; module='afsocket', error='Exec format error'
Error parsing source, source plugin unix-dgram not found in source confgen
syste
m at line 1, column 1:
                                              included from
/etc/syslog-ng/syslo
g-ng.conf line 10, column 9

unix-dgram
^^^^^^^^^^

syslog-ng documentation:
http://www.balabit.com/support/documentation/?product=s
yslog-ng
mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng
-----------------

I already started the syslog-ng-config and the service was installed
successfully, but it will not start. cygrunsrv.exe -S syslog-ng will
produce this error: "cygrunsrv: Error starting a service:
QueryServiceSta

I/O errors

Russell Fulton — 2013-06-16T23:33:38

getting these errors at a rate of several per second but I can't figure out what is causing them:

Jun 16 03:45:01 s_self< at >itslogprd01.its.auckland.ac.nz syslog-ng[31159]: I/O error occurred while reading; fd='758', error='Connection reset by peer (104)'
Jun 16 03:45:01 s_self< at >itslogprd01.its.auckland.ac.nz syslog-ng[31159]: I/O error occurred while reading; fd='808', error='Connection reset by peer (104)'
Jun 16 03:45:01 s_self< at >itslogprd01.its.auckland.ac.nz syslog-ng[31159]: I/O error occurred while reading; fd='906', 

we have one network destination which is a tcp connection and which appears to be fine.  No errors on the other end and stats show now dropped packets.

Russell
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

Problems with recovering from 'disk full' I/O error

Johnson, Chris (HP TippingPoint Roseville — 2013-06-15T00:12:12

Hi all,
I've come across a situation where syslog-ng (3.3.3 and 3.3.9) aborts after trying to write to a disk that has no space and then is cleaned up.

I've been able to reproduce the 'error' condition with the following Set up:
In the config file:
###########################################################
# test log destination
#
filter f_test{program("LOGID_99-*" type("glob"));};
destination d_test { file("/var/testpartition/test.log" perm(0644) flags(no-multi-line)); };
log {
        source(s_local);
        filter(f_test);
        destination(d_test);
        flags(final);
};


1)      Fill up the '/var/testpartition' disk:
root< at >device:/var/testpartition# dd if=/dev/zero of=/var/testpartition/foo bs=1M
dd: writing '/var/testpartition/foo': No space left on device
3531+0 records in
3529+1 records out

2)      Send messages ('TEST: pre I/O error')to 'test.log' until syslog-ng complains:
2013-06-14 22:41:09.623 [device] [syslog-ng-ERROR:] "I/O error occurred while writing; fd='22', error='No space left on

insider 2013-06: syslog-ng 3.4.2 released; PatternDB update; GSoC; RSS destination

Peter Czanik — 2013-06-13T11:36:41

Dear syslog-ng users,


This is the 25th issue of the syslog-ng Insider, a monthly newsletter 
that brings you syslog-ng related news.


FEATURED NEWS


syslog-ng 3.4.2 is released

---------------------------

Last week syslog-ng 3.4.2 was released, the first bugfix release in the 
3.4 series. The most important fix is for a hang when suppress() was 
used. A full list of changes is available in git at: 
https://github.com/balabit/syslog-ng-3.4/commits/master

Sources are available from git or as tgz from 
http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/downloads/download

For third-party binary packages for various Linux and UNIX platforms, visithttp://www.balabit.com/network-security/syslog-ng/opensource-logging-system/downloads/3rd-party  for 3^rd    party binary packages for various distributions and UNIX variants.


PatternDB git moved and updated

-------------------------------

The BalaBit patterndb git moved recently to github. It’s available now 
at https://github.com/

How to log message without a timestamp?

Anton Koldaev — 2013-06-12T17:01:06

Is there any way to send a message from syslog-ng via destination(tcp) with
no timestamp at all?

[PATCH (3.5) 1/2] tests: Add a testcase for template_escape()

Gergely Nagy — 2013-06-12T13:10:45

In order not to break template_escape() functionality, add a test case
for basic functionality testing.

Signed-off-by: Gergely Nagy <algernon< at >balabit.hu>
---
 libtest/template_lib.c     |   17 +++++++++++++----
 libtest/template_lib.h     |    5 +++--
 tests/unit/test_template.c |   10 +++++++++-
 3 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/libtest/template_lib.c b/libtest/template_lib.c
index 38dfeff..7992608 100644
--- a/libtest/template_lib.c
+++ b/libtest/template_lib.c
< at >< at > -1,5 +1,5 < at >< at >
 /*
- * Copyright (c) 2012 BalaBit IT Ltd, Budapest, Hungary
+ * Copyright (c) 2012-2013 BalaBit IT Ltd, Budapest, Hungary
  * Copyright (c) 2012 Balázs Scheidler
  *
  * This library is free software; you can redistribute it and/or
< at >< at > -53,6 +53,7 < at >< at > create_sample_message(void)
   log_msg_set_value(msg, log_msg_get_value_handle("APP.STRIP3"), "     value     ", -1);
   log_msg_set_value(msg, log_msg_get_value_handle("APP.STRIP4"), "value", -1);
   log_msg_set_value(msg, log_msg_get_value_handle("APP.S

[PATCH (3.5) 0/3]: Catching template syntax errors atconfig time

Gergely Nagy — 2013-06-10T15:58:32

Following up on the previous patch that added a check to the file()
and pipe() destinations, allowing them to catch and report template
syntax errors at config time, following this mail are three others,
that do similar things to the set() and subst() rewrite functions, to
the pair() statement of value-pairs() and to templatable settings in
afamqp.

These catch these issues:

rewrite s_broken {
 set("$(+ 0", value(MESSAGE));
 subst("original", "$(+ 0", value(MESSAGE));
};

destination d_broken {
 afamqp(body("$(+ 0")
        routing-key("$(+ 0")
        value-pairs(pair("INVALID", "$(+ 0")));
};

There are a couple of more cases in the codebase where the same issue
is present, namely afsmtp() (the subject, body and header templates),
afsql (fields and table name), and perhaps in patterndb too, I have
not throughly inspected that one yet.

[PATCH (3.5)] affile: Error out when there's a syntax error in the filename template

Gergely Nagy — 2013-06-10T14:54:26

When there is a syntax error in the filename template (eg,
"/var/log/foo-$(+ 0"), error out at config load time. This is done by
adding an error output variable to affile_dd_new_instance() and both
affile_dd_new() and afpipe_dd_new(), then using that to store the result
of log_template_compile(). If that function fails, we bail out early,
and use CHECK_ERROR() in the grammar to notify the user of the issue.

Signed-off-by: Gergely Nagy <algernon< at >balabit.hu>
---
 modules/affile/affile-dest.c     |   23 +++++++++++++++--------
 modules/affile/affile-dest.h     |    6 +++---
 modules/affile/affile-grammar.ym |   12 +++++++++---
 3 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/modules/affile/affile-dest.c b/modules/affile/affile-dest.c
index c8fa9c1..c9447ce 100644
--- a/modules/affile/affile-dest.c
+++ b/modules/affile/affile-dest.c
< at >< at > -1,5 +1,5 < at >< at >
 /*
- * Copyright (c) 2002-2012 BalaBit IT Ltd, Budapest, Hungary
+ * Copyright (c) 2002-2013 BalaBit IT Ltd, Budapest, Hungary
  * Copyright (c) 19

Google Summer of Code 2013 - syslog-ng: MySQLdestination driver

Gyula Petrovics — 2013-06-09T21:52:27

Hi everyone,

I am Gyula Petrovics, one of the students who got the opportunity to help
in the development of the syslog-ng.
My goal is to redesign the current libdbi based solution to store logs in
MySQL database. I made a blog here <http://petrovicsgyula.blogspot.com>,
please visit this blog if you are interested in the current progress and
the details of the project.
Thanks for reading my e-mail.

Best regards,
Gyula
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

syslog-ng consumes a lot of cpu

C. L. Martinez — 2013-06-04T11:18:36

HI all,

 I have installed syslog-ng 3.3.8 under an OpenBSD with a simple configuration:

< at >version: 3.3

options {
        log_fifo_size(30000);
        use_dns (no);
        use_fqdn (no);
        keep_hostname (yes);
};


# Define what files to be monitored
source s_network {
        tcp(port(10514) flags(no-multi-line));
};


# Define filters



# Define default destinations
destination d_ossec_fifo {
        pipe("/var/log/syslog.fifo");
};


#
# Default log actions
#

log {
        source(s_network);
        log { destination(d_ossec_fifo); flags(flow-control,final); };
};

but it is consuming a lot of CPU:

load averages:  1.13,  1.09,  1.08

                      obsdhost 11:17:49
25 processes: 1 running, 23 idle, 1 on processor
CPU states:  0.8% user,  0.0% nice,  3.5% system,  0.0% interrupt, 95.7% idle
Memory: Real: 29M/356M act/tot Free: 2655M Cache: 297M Swap: 0K/3067M

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
30813 root      64    0 1260K 4204K run       -

[Bug 237] New: syslog-ng 3.4.2 (and 3.3.10): test failures in Fedora 18

2013-06-03T16:54:54

https://bugzilla.balabit.com/show_bug.cgi?id=237

           Summary: syslog-ng 3.4.2 (and 3.3.10): test failures in Fedora 18
           Product: syslog-ng
           Version: 3.4.x
          Platform: PC
        OS/Version: Mac OS
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi< at >balabit.hu
        ReportedBy: jpo< at >di.uminho.pt
Type of the Report: ---
   Estimated Hours: 0.0


The syslog-ng 3.4.2 (and 3.3.10) test suite fails in Fedora 18:

----------
...
      $DATE ${HOST:--} ${PROGRAM:--} ${PID:--} ${MSGID:--} ${SDATA:--} $MSG                      speed:  1056859.015 msg/sec
*** glibc detected *** /home/fedora/rpms/BUILD/syslog-ng-3.4.2/tests/unit/.libs/lt-test_template_speed: free(): invalid pointer: 0x0000003a831b1c68 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3a82e7ca8e]
/lib64/libglib-2.0.so.0(g_mutex_free+0x9)[0x3a84a1c719]
/lib64/libglib-2.0.so.0(g_static_mutex_free+0x16)[0x3a84a1ca66]
/home/fedora/rpm

syslog-ng 3.3.10 has been released

2013-06-03T13:54:16

------------------------------------------------------------------------------
PACKAGE             : syslog-ng
VERSION             : 3.3.10
SUMMARY             : new stable release
DATE                : Jun 3, 2013
------------------------------------------------------------------------------

DESCRIPTION:

  A new stable version of syslog-ng Open Source Edition (3.3.10) has been
  released. For latest fixes in the 3.3.x feature branch you are recommended to
  upgrade to this version.

CHANGES:

3.3.10
        Mon,  3 Jun 2013 16:00:00 +0100

        Highlights
        ==========

        This release is a bug-fix release, correcting a handful of
        issues discovered since the previous one.

        Bugfixes
        ========

        * The persist state file (syslog-ng.persist) is now marked
          close-on-exec, so it does not leak through to forked
          subprocesses.
        * A rare race condition in the SQL and MongoDB destinations
          have been fixed.

        Credits
        =======

[Bug 236] New: syslog-ng loses part of kernel log and replaces it with \0 characters

2013-06-02T18:51:22

https://bugzilla.balabit.com/show_bug.cgi?id=236

           Summary: syslog-ng loses part of kernel log and replaces it with
                    \0 characters
           Product: syslog-ng
           Version: 3.4.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi< at >balabit.hu
        ReportedBy: kroz.nn< at >gmail.com
Type of the Report: bug
   Estimated Hours: 0.0


1. syslog-ng with default configuration inserts characters with code 0 into /var/log/messages (2nd line, beginning of kernel log / dmesg). Comparison with
output of dmesg has shown, that no log records lost, just characters inserted.
2. syslog-ng with more complicated configuration inserts two batches of \0 characters (2nd line and 12th line). Second batch of characters replaces 118 lines
of kernel log (comparing with log of default configuration and dmesg)

OS: Gentoo Linux

Attachments:
 - For each of scenario 1 a

Building 3.4.1 RPM

Xuri Nagarin — 2013-06-01T08:41:21

I am trying to build a 3.4.1 RPM for CentOS 6.

I already built the eventlog RPM and upgraded the one provided by EPEL repo.

If I compile straight after untarring the source by running "./configure"
(with options same as listed in the SPEC file below) and "make check", the
tests runs ok and I get the syslog-ng binaries.

But if I build a RPM from the SPEC file below, build fails with the
following error.

------- error ---------------
Input is not valid utf8, glob match requires utf8 input, thus it never
matches in this case;
value='\xe1rv\xedzt\xfbr\xf5t\xfck\xf6rf\xfar\xf3g\xe9p'
PASS: test_matcher
PASS: test_clone_logmsg
PASS: test_serialize
PASS: test_msgparse
PASS: test_template
/bin/sh: line 5: 31254 Segmentation fault      (core dumped) ${dir}$tst
FAIL: test_template_speed
One "invalid regular expression" message is to be expected
Error compiling regular expression; re='((', error='Unmatched ( or \('
One "invalid regular expressions" message is to be expected
Error compiling regular expression; re='(

PatternDB git moved and updated

Peter Czanik — 2013-05-31T11:52:47

Hello,
The BalaBit patterndb git moved recently to github. It’s available now 
at https://github.com/balabit/syslog-ng-patterndb instead of our server. 
The main advantage of this is the access speed and that patterns are now 
available next to the syslog-ng sources. Patterns were not only moved, 
but also updated, reorganized and extended. You can read more about what 
is changed at 
https://czanik.blogs.balabit.com/2013/05/patterndb-git-moved-and-updated/
Bye,

TCP packet collapse errors

Xuri Nagarin — 2013-05-31T05:46:20

I have a pair of Syslog-NG servers running 3.2.5-3. The hardware specs are
- Quad Xeon E5-2680 (32 cores), 32GB RAM, and two 1TB SAS 7200 RPM disks in
RAID-1.

OS is RHEL6.2 - Kernel 2.6.32-279.5.2. Filesystem is ext3.

Global options are set as:
options {
flush_lines (1000);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes);
keep_hostname (yes);
keep_timestamp(yes);
dir_group("syslog");
perm(0640);
dir_perm(0750);
group("syslog");
};

I have already set TCP kernel buffers to 128MB max and set disk scheduler
to "deadline".

But even under light disk IO load, from ~8-25MB, I see "1320811067 packets
collapsed in receive queue due to low socket buffer". I had some other
processes on the host writing to disk. Stopping them reduced the packet
errors but this number still keeps incrementing.

To rule out other issues, I temporarily pointed my disk-based destinations
to /dev/null and then packet losses/errors stopped. So either Syslog-NG
isn't able to write

[libsyslog_ng_la-afinter.lo] Error 1,syslog-ng-3.4.1 on x86_64

Flur Blubr — 2013-05-31T04:45:20

Dear all,

looking for help, for 4 days trying to compile syslog-ng-3.4.1 on some kind
of custom RED HAT derivate and still failing. RPMs and YUM are forbidden
and system has libraries spread around all directories / using exports export
EVTLOG_CFLAGS, export EVTLOG_LIBS, export GLIB_CFLAGS, export GLIB_LIBS to
overwrite PKG CONFIG .

uname -a
Linux 2.6.32-279.1.1.el6.x86_64 #1 SMP Wed Jun 20 11:41:22 EDT 2012 x86_64
x86_64 x86_64 GNU/Linux

cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)
Configuration:

./configure --prefix=/my-prefix/syslog-ng --enable-sql --enable-ipv6
 --enable-dynamic-linking  --build=x86_64-pc-linux-gnu
--host=i686-pc-linux-gnu --enable-shared --disable-static CFLAGS=-O2

Getting this:

syslog-ng Open Source Edition 3.4.1 configured
 Compiler options:
  compiler                    : gcc -std=gnu99
  compiler options            : -O2 -Wall -pthread
-I/my-prefix/sources/glib-2.15.4/
-I/my-prefix/eventlog/include/eventlog/
-I$(top_srcdir)/lib/ivykis/src/incl

Outbound Facility Rewrite?

Randy Baca — 2013-05-29T18:30:36

Hey folks.  I have looked through everywhere I can find but cannot figure out how to rewrite the outbound syslog message to a remote host so that all messages come across on the same facility.  The reason I need this is to automate sorting and parsing by type of device (all Linux on one facility, all IPS on another facility, Cisco firewalls on another, etc.).  Is there a way to do this with syslog-ng?



Regards,



Randy B
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

[PATCH (3.5)] lib/filter/tests: preload thesyslogformat module

Gergely Nagy — 2013-05-27T08:47:59

When linking the filter test program, preload the syslogformat module,
so that make check will work without installing syslog-ng.

Signed-off-by: Gergely Nagy <algernon< at >balabit.hu>
---
 lib/filter/tests/Makefile.am |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/filter/tests/Makefile.am b/lib/filter/tests/Makefile.am
index 44326ec..025dd5d 100644
--- a/lib/filter/tests/Makefile.am
+++ b/lib/filter/tests/Makefile.am
< at >< at > -5,6 +5,7 < at >< at > check_PROGRAMS+= ${lib_filter_tests_TESTS}
 
 lib_filter_tests_test_filters_CFLAGS  = $(TEST_CFLAGS) \
 -I${top_srcdir}/lib/filter/tests
-lib_filter_tests_test_filters_LDADD = $(TEST_LDADD)
+lib_filter_tests_test_filters_LDADD = $(TEST_LDADD)\
+-dlpreopen ${top_builddir}/modules/syslogformat/libsyslogformat.la
 lib_filter_tests_test_filters_SOURCES = \
 lib/filter/tests/test_filters.c