From rgerhards at hq.adiscon.com Wed Oct 5 17:35:43 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 5 Oct 2005 17:35:43 +0200
Subject: [rsyslog] rsyslog stable 1.0.2 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3B52@grfint2.intern.adiscon.com>

Hi all,

rsyslog 1.0.2 has been released. This is a purely bug fixing release for the stable branch. It addresses an issue where the MySQL error handler can lead (and most probably will lead) to an endless loop when a MySQL error occurred. This is already fixed in the development branch, so if you run 1.10.2 there is no need to do anything. If you run the stable branch and use the MySQL functionality, updating is advisable.

Please note that 1.0.2 does NOT contain any other fix or feature enhancement than the MySQL error handler.

The download can be found at
http://www.rsyslog.com/Downloads-index-req-getit-lid-20.phtml

Rainer Gerhards

From rgerhards at hq.adiscon.com Wed Oct 12 17:48:07 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 12 Oct 2005 17:48:07 +0200
Subject: [rsyslog] rsyslog 1.11.0 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3BC5@grfint2.intern.adiscon.com>

Hi all,

I am glad to announce rsyslog 1.11.0 (development branch). This version finally supports the RFC 3195 listener, bringing rsyslog even closer to its initial design goals. The listener supports full RAW and limited COOKED profiles (no relay operations). It is implemented as an optional stand-alone RFC3195-to-local-domain-socket forwarder (named rfc3195d). This allows it to be used with other syslogds, too.

The RFC 3195 listener is a major feature improvement for rsyslog. It is built on liblogging (http://www.liblogging.org). It should be noted, however, that there still is much room for improvement in rfc3195d. An implementation of the RFC 3195 sender is still due. However, I will first have a look into eventually multi-threading rsyslogd, as that would relax some of the implications of RFC 3195.
Other than the RFC 3195 support, there is a patch for using multiple domain sockets in rsyslogd. I discovered a bug present for a very long time (in fact, it stems back to sysklogd). If you use multiple unix domain sockets, you might be interested in upgrading. There are also some other minor things changed.

There is no need to upgrade if you do not need the fix or RFC 3195 support. If anyone actually uses RFC 3195, I would be most interested to hear about it.

I hope the release is useful.

Best regards,
Rainer Gerhards

From rgerhards at hq.adiscon.com Wed Oct 19 18:06:34 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 19 Oct 2005 18:06:34 +0200
Subject: [rsyslog] rsyslog 1.11.1 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3C5F@grfint2.intern.adiscon.com>

Hi all,

I have just released rsyslog 1.11.1. The main new feature is support for BSD-style program and hostname blocks. This facilitates rsyslogd usage in multi-host environments and environments migrating from stock BSD syslogd. It is also helpful for any complex logging needs.

The release contains some other minor feature enhancements as well as bug fixes and stability updates. Full details can be found in the change log at
http://www.rsyslog.com/Article44.phtml

I hope the release is useful. As always, feedback is appreciated.

Rainer Gerhards

From rgerhards at hq.adiscon.com Wed Oct 26 12:37:50 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 26 Oct 2005 12:37:50 +0200
Subject: [rsyslog] rsyslog 1.12.0 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3CCD@grfint2.intern.adiscon.com>

Hi list,

I am pleased to announce rsyslog 1.12.0. Its most prominent feature is support for multi-threading. The new threading approach decouples the receiver part and the action part via an in-memory queue. This design allows buffering message bursts before actions are carried out on them. This dramatically decreases the likelihood of message loss.
Multiple threads are also very important to fully utilize the power of multicore machines.

Threading has been implemented in the least intrusive way possible. However, concurrency is never an easy thing, so multithreading should be considered experimental for the time being. There are known issues with BSD implementations. For this release, it is not recommended to use multithreading on BSD platforms. I will (hopefully) address this in the next release.

Besides multi-threading, rsyslogd has also received a number of fixes, most importantly in the TCP syslog area. If you use TCP syslog, I recommend upgrading to the new release. If you do not want to run the experimental threading code, simply set FEATURE_PTHREADS to 0 in Makefile.

The full change log can be found at
http://www.rsyslog.com/Article47.phtml

The download is available at:
http://www.rsyslog.com/Downloads-index-req-getit-lid-22.phtml

As always, feedback is appreciated.

Rainer Gerhards

From rgerhards at hq.adiscon.com Wed Oct 26 12:57:36 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 26 Oct 2005 12:57:36 +0200
Subject: [rsyslog] rsyslog 1.12.0 release announcement - CORRECTION
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3CCE@grfint2.intern.adiscon.com>

Hi list,

unfortunately, the download link was for the older 1.11.1 release. The correct download link is
http://www.rsyslog.com/Downloads-index-req-getit-lid-23.phtml

Sorry,
Rainer

From halljer at auburn.edu Fri Oct 28 00:07:19 2005
From: halljer at auburn.edu (Dusty Hall)
Date: Thu, 27 Oct 2005 17:07:19 -0500
Subject: [rsyslog] 1.12.0 - Seg Faults
Message-ID: <436109470200003A0000094D@groupwise1.duc.auburn.edu>

I'm having a problem with rsyslogd seg faulting. The daemon (1.12.0) is running on RHEL 4 and the clients are FreeBSD 4.x & 5.x. It doesn't seem to catch the name from the clients leading to a seg fault. Ideas, workarounds? Any help would be greatly appreciated!

-Dusty

# /usr/sbin/rsyslogd -d -r 0 -n
......
-1208042912: Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
-1208042912: Message length: 46, File descriptor: 12.
-1208042912: logmsg: daemon.notice<29>, flags 2, from (null), msg Oct 27 16:15:38 snort: GLOBAL CONFIG
Segmentation fault

server messages file contains:
----------
Oct 27 16:15:39 snort: ,-----------[Flow Config]----------------------
Oct 27 16:15:39 snort: | Stats Interval: 0
Oct 27 16:15:39 snort: | Hash Method: 2
Oct 27 16:15:39 snort: | Memcap: 10485760
Oct 27 16:15:39 snort: | Rows : 4099
Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31)
Oct 27 16:15:39 snort: `----------------------------------------------
Oct 27 16:15:39 snort: HttpInspect Config:

client messages file contains:
---------
Oct 27 10:00:03 fred snort: ,-----------[Flow Config]----------------------
Oct 27 10:00:03 fred snort: | Stats Interval: 0
Oct 27 10:00:03 fred snort: | Hash Method: 2
Oct 27 10:00:03 fred snort: | Memcap: 10485760
Oct 27 10:00:03 fred snort: | Rows : 4099
Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31)
Oct 27 10:00:03 fred snort: `----------------------------------------------
Oct 27 10:00:03 fred snort: HttpInspect Config:
Oct 27 10:00:03 fred snort: GLOBAL CONFIG
Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0
Oct 27 10:00:03 fred snort: Inspection Type: STATELESS
Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO
Oct 27 10:00:03 fred snort: IIS Unicode Map Filename: /etc/nsm/unicode.map
Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252
Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:

From rgerhards at hq.adiscon.com Fri Oct 28 08:46:52 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 28 Oct 2005 08:46:52 +0200
Subject: [rsyslog] 1.12.0 - Seg Faults
In-Reply-To: <436109470200003A0000094D@groupwise1.duc.auburn.edu>
References: <436109470200003A0000094D@groupwise1.duc.auburn.edu>
Message-ID: <1130482011.2186.1.camel@rh9lt.intern.adiscon.com>

Hi Dusty,

I first thought this was just a cosmetic problem with the printf. After some review, I think the non-parsable hostname is really causing the segfault. I have to admit I am a bit puzzled this did not show up earlier. Anyhow, I'll see that I can do something against it today.

Rainer

On Fri, 2005-10-28 at 00:07, Dusty Hall wrote:
> I'm having a problem with rsyslogd seg faulting. The daemon (1.12.0) is
> running on RHEL 4 and the clients are FreeBSD 4.x & 5.x. It doesn't
> seem to catch the name from the clients leading to a seg fault. Ideas,
> workarounds? Any help would be greatly appreciated!
>
> -Dusty
>
> # /usr/sbin/rsyslogd -d -r 0 -n
> ......
> -1208042912: Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> -1208042912: Message length: 46, File descriptor: 12.
> -1208042912: logmsg: daemon.notice<29>, flags 2, from (null), msg Oct 27 16:15:38 snort: GLOBAL CONFIG
> Segmentation fault
>
> server messages file contains:
> ----------
> Oct 27 16:15:39 snort: ,-----------[Flow Config]----------------------
> Oct 27 16:15:39 snort: | Stats Interval: 0
> Oct 27 16:15:39 snort: | Hash Method: 2
> Oct 27 16:15:39 snort: | Memcap: 10485760
> Oct 27 16:15:39 snort: | Rows : 4099
> Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31)
> Oct 27 16:15:39 snort: `----------------------------------------------
> Oct 27 16:15:39 snort: HttpInspect Config:
>
> client messages file contains:
> ---------
> Oct 27 10:00:03 fred snort: ,-----------[Flow Config]----------------------
> Oct 27 10:00:03 fred snort: | Stats Interval: 0
> Oct 27 10:00:03 fred snort: | Hash Method: 2
> Oct 27 10:00:03 fred snort: | Memcap: 10485760
> Oct 27 10:00:03 fred snort: | Rows : 4099
> Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31)
> Oct 27 10:00:03 fred snort: `----------------------------------------------
> Oct 27 10:00:03 fred snort: HttpInspect Config:
> Oct 27 10:00:03 fred snort: GLOBAL CONFIG
> Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0
> Oct 27 10:00:03 fred snort: Inspection Type: STATELESS
> Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO
> Oct 27 10:00:03 fred snort: IIS Unicode Map Filename: /etc/nsm/unicode.map
> Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252
> Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

From rgerhards at hq.adiscon.com Fri Oct 28 09:29:05 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 28 Oct 2005 09:29:05 +0200
Subject: [rsyslog] 1.12.0 - Seg Faults
In-Reply-To: <1130482011.2186.1.camel@rh9lt.intern.adiscon.com>
References: <436109470200003A0000094D@groupwise1.duc.auburn.edu> <1130482011.2186.1.camel@rh9lt.intern.adiscon.com>
Message-ID: <1130484544.2186.7.camel@rh9lt.intern.adiscon.com>

Dusty,

after some more testing, I am now back to thinking that the printf() is just a cosmetic problem. The code I was suspecting to have a bug actually is OK. Anyhow, could you please replace the printf at the start of logmsg(). The new version is:

dprintf("logmsg: %s, flags %x, from '%s', msg %s\n", textpri(pri), flags, getRcvFrom(pMsg), msg);

This is all on one line. Search for "logmsg:" in the code, that will show you only the to-be-replaced line.

I think the problem will persist after applying this patch. If so, I now suspect there is a problem with multithreading. It is experimental, and that everything works well in my lab does not really mean it will in practice. So if the bug persists, I would like you to disable multitasking. This is easy. Just go to your Makefile and find FEATURE_PTHREADS. Switch that from 1 to 0. Then, run

make clean
make
make install

After that, rsyslogd will run in single-threading mode. Please let me know if the error then persists, too.

Please let me know the outcome.

Rainer

On Fri, 2005-10-28 at 08:46, Rainer Gerhards wrote:
> Hi Dusty,
>
> I first thought this was just a cosmetic problem with the printf. After
> some review, I think the non-parsable hostname is really causing the
> segfault. I have to admit I am a bit puzzled this did not show up
> earlier. Anyhow, I'll see that I can do something against it today.
>
> Rainer
>
> On Fri, 2005-10-28 at 00:07, Dusty Hall wrote:
> > I'm having a problem with rsyslogd seg faulting. The daemon (1.12.0) is
> > running on RHEL 4 and the clients are FreeBSD 4.x & 5.x. It doesn't
> > seem to catch the name from the clients leading to a seg fault. Ideas,
> > workarounds? Any help would be greatly appreciated!
> >
> > -Dusty
> >
> > # /usr/sbin/rsyslogd -d -r 0 -n
> > ......
> > -1208042912: Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> > -1208042912: Message length: 46, File descriptor: 12.
> > -1208042912: logmsg: daemon.notice<29>, flags 2, from (null), msg Oct 27 16:15:38 snort: GLOBAL CONFIG
> > Segmentation fault
> >
> > server messages file contains:
> > ----------
> > Oct 27 16:15:39 snort: ,-----------[Flow Config]----------------------
> > Oct 27 16:15:39 snort: | Stats Interval: 0
> > Oct 27 16:15:39 snort: | Hash Method: 2
> > Oct 27 16:15:39 snort: | Memcap: 10485760
> > Oct 27 16:15:39 snort: | Rows : 4099
> > Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31)
> > Oct 27 16:15:39 snort: `----------------------------------------------
> > Oct 27 16:15:39 snort: HttpInspect Config:
> >
> > client messages file contains:
> > ---------
> > Oct 27 10:00:03 fred snort: ,-----------[Flow Config]----------------------
> > Oct 27 10:00:03 fred snort: | Stats Interval: 0
> > Oct 27 10:00:03 fred snort: | Hash Method: 2
> > Oct 27 10:00:03 fred snort: | Memcap: 10485760
> > Oct 27 10:00:03 fred snort: | Rows : 4099
> > Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31)
> > Oct 27 10:00:03 fred snort: `----------------------------------------------
> > Oct 27 10:00:03 fred snort: HttpInspect Config:
> > Oct 27 10:00:03 fred snort: GLOBAL CONFIG
> > Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0
> > Oct 27 10:00:03 fred snort: Inspection Type: STATELESS
> > Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO
> > Oct 27 10:00:03 fred snort: IIS Unicode Map Filename: /etc/nsm/unicode.map
> > Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252
> > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:

From halljer at auburn.edu Fri Oct 28 14:54:19 2005
From: halljer at auburn.edu (Dusty Hall)
Date: Fri, 28 Oct 2005 07:54:19 -0500
Subject: [rsyslog] 1.12.0 - Seg Faults
Message-ID: <4361D92C0200003A0000098B@groupwise1.duc.auburn.edu>

Rainer,

First off, I really appreciate your help with this... I just got through trying both ideas but neither worked :(. It seg faulted in the same place. I tried running the daemon a little differently here and it actually caught the name (bambam=xxx.xxx.xxx.xxx) but didn't write it to the log, thoughts?

/usr/sbin/rsyslogd -d -n -r 0 -l xxx.xxx.xxx.xxx (this version has both revisions applied)

Calling selet, active file descriptors (max 12): 3 12
Successful select, descriptor count = 1, Activity on: 12
Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
Message length: 47, File descriptor: 12.
logmsg: daemon.notice<29>, flags 2, from bambam, msg Oct 28 07:48:38 snort: GLOBAL CONFIG
Segmentation fault

server messages file:
-----
Oct 28 07:48:38 snort: Writing PID "47582" to file "/var/run//snort_fxp0.pid"
Oct 28 07:48:38 snort: Parsing Rules file /etc/nsm/snort.conf
Oct 28 07:48:38 snort: ,-----------[Flow Config]----------------------
Oct 28 07:48:38 snort: | Stats Interval: 0
Oct 28 07:48:38 snort: | Hash Method: 2
Oct 28 07:48:38 snort: | Memcap: 10485760
Oct 28 07:48:38 snort: | Rows : 4099
Oct 28 07:48:38 snort: | Overhead Bytes: 16400(%0.16)
Oct 28 07:48:38 snort: `----------------------------------------------
Oct 28 07:48:38 snort: HttpInspect Config:

>>> rgerhards at hq.adiscon.com 10/28/05 2:29 AM >>>
Dusty,

after some more testing, I am now back to thinking that the printf() is just a cosmetic problem. The code I was suspecting to have a bug actually is OK. Anyhow, could you please replace the printf at the start of logmsg(). The new version is:

dprintf("logmsg: %s, flags %x, from '%s', msg %s\n", textpri(pri), flags, getRcvFrom(pMsg), msg);

This is all on one line. Search for "logmsg:" in the code, that will show you only the to-be-replaced line.

I think the problem will persist after applying this patch. If so, I now suspect there is a problem with multithreading. It is experimental, and that everything works well in my lab does not really mean it will in practice. So if the bug persists, I would like you to disable multitasking. This is easy. Just go to your Makefile and find FEATURE_PTHREADS. Switch that from 1 to 0. Then, run

make clean
make
make install

After that, rsyslogd will run in single-threading mode. Please let me know if the error then persists, too.

Please let me know the outcome.

Rainer

On Fri, 2005-10-28 at 08:46, Rainer Gerhards wrote:
> Hi Dusty,
>
> I first thought this was just a cosmetic problem with the printf. After
> some review, I think the non-parsable hostname is really causing the
> segfault. I have to admit I am a bit puzzled this did not show up
> earlier. Anyhow, I'll see that I can do something against it today.
>
> Rainer
>
> On Fri, 2005-10-28 at 00:07, Dusty Hall wrote:
> > I'm having a problem with rsyslogd seg faulting. The daemon (1.12.0) is
> > running on RHEL 4 and the clients are FreeBSD 4.x & 5.x. It doesn't
> > seem to catch the name from the clients leading to a seg fault. Ideas,
> > workarounds? Any help would be greatly appreciated!
> >
> > -Dusty
> >
> > # /usr/sbin/rsyslogd -d -r 0 -n
> > ......
> > -1208042912: Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> > -1208042912: Message length: 46, File descriptor: 12.
> > -1208042912: logmsg: daemon.notice<29>, flags 2, from (null), msg Oct 27 16:15:38 snort: GLOBAL CONFIG
> > Segmentation fault
> >
> > server messages file contains:
> > ----------
> > Oct 27 16:15:39 snort: ,-----------[Flow Config]----------------------
> > Oct 27 16:15:39 snort: | Stats Interval: 0
> > Oct 27 16:15:39 snort: | Hash Method: 2
> > Oct 27 16:15:39 snort: | Memcap: 10485760
> > Oct 27 16:15:39 snort: | Rows : 4099
> > Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31)
> > Oct 27 16:15:39 snort: `----------------------------------------------
> > Oct 27 16:15:39 snort: HttpInspect Config:
> >
> > client messages file contains:
> > ---------
> > Oct 27 10:00:03 fred snort: ,-----------[Flow Config]----------------------
> > Oct 27 10:00:03 fred snort: | Stats Interval: 0
> > Oct 27 10:00:03 fred snort: | Hash Method: 2
> > Oct 27 10:00:03 fred snort: | Memcap: 10485760
> > Oct 27 10:00:03 fred snort: | Rows : 4099
> > Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31)
> > Oct 27 10:00:03 fred snort: `----------------------------------------------
> > Oct 27 10:00:03 fred snort: HttpInspect Config:
> > Oct 27 10:00:03 fred snort: GLOBAL CONFIG
> > Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0
> > Oct 27 10:00:03 fred snort: Inspection Type: STATELESS
> > Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO
> > Oct 27 10:00:03 fred snort: IIS Unicode Map Filename: /etc/nsm/unicode.map
> > Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252
> > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:
> > Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO > > Oct 27 10:00:03 fred snort: IIS Unicode Map Filename: > > /etc/nsm/unicode.map > > Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252 > > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG: > > > > > > > > > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog From halljer at auburn.edu Fri Oct 28 14:54:19 2005 From: halljer at auburn.edu (Dusty Hall) Date: Fri, 28 Oct 2005 07:54:19 -0500 Subject: [rsyslog] 1.12.0 - Seg Faults Message-ID: <4361D92C0200003A0000098B@groupwise1.duc.auburn.edu> Rainer, First off, I really appreciate your help with this... I just got through trying both ideas but neither work :(. It seg faulted in the same place. I tried running the daemon a little different here and it actually caught the name (bambam=xxx.xxx.xxx.xxx) but didn't write it to the log, thoughts? /usr/sbin/rsyslogd -d -n -r 0 -l xxx.xxx.xxx.xxx (this version has both revisions applied) Calling selet, active file descriptors (max 12): 3 12 Successful select, descriptor count = 1, Activity on: 12 Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx Message length: 47, File descriptor: 12. 
logmsg: daemon.notice<29>, flags 2, from bambam, msg Oct 28 07:48:38 snort: GLOBAL CONFIG Segmentation fault server messages file: ----- Oct 28 07:48:38 snort: Writing PID "47582" to file "/var/run//snort_fxp0.pid" Oct 28 07:48:38 snort: Parsing Rules file /etc/nsm/snort.conf Oct 28 07:48:38 snort: ,-----------[Flow Config]---------------------- Oct 28 07:48:38 snort: | Stats Interval: 0 Oct 28 07:48:38 snort: | Hash Method: 2 Oct 28 07:48:38 snort: | Memcap: 10485760 Oct 28 07:48:38 snort: | Rows : 4099 Oct 28 07:48:38 snort: | Overhead Bytes: 16400(%0.16) Oct 28 07:48:38 snort: `---------------------------------------------- Oct 28 07:48:38 snort: HttpInspect Config: >>> rgerhards at hq.adiscon.com 10/28/05 2:29 AM >>> Dusty, after some more testing, I am now back to thinking that the printf() is just a cosmetic problem. The code I was suspecting to have a bug actually is OK. Anyhow, could you please replace the printf at the start of logmsg(). The new version is: dprintf("logmsg: %s, flags %x, from '%s', msg %s\n", textpri(pri), flags, getRcvFrom(pMsg), msg); This is all on one line. Search for "logmsg:" in the code, that will show you only the to-be-replaced line. I think the problem will persist after applying this patch. If so, I now suspect there is a problem with multithreading. It is experimental, and that everything works well in my lab does not really mean it will in practice. So if the bug persists, I would like you to disable multitasking. This is easy. Just go to your Makefile and find FEATURE_PTHREADS. Switch that from 1 to 0. Then, run make clean make make install After that, rsyslogd will run in single-threading mode. Please let me know if the error then persists, too. Please let me know the outcome. Rainer On Fri, 2005-10-28 at 08:46, Rainer Gerhards wrote: > Hi Dusty, > > I first thought this were just a cosmetic problem with the printf. After > some review, I think the non-parsable hostname is really causing the > segfault. 
I have to admit I am a bit puzzled this did not show up > earlier. Anyhow, I'll see that I can do something against it today. > > Rainer > > On Fri, 2005-10-28 at 00:07, Dusty Hall wrote: > > I'm having a problem with rsyslogd seg faulting. The daemon (1.12.0) is > > running on RHEL 4 and the clients are FreeBSD 4.x & 5.x. It doesn't > > seem to catch the name from the clients leading to a seg fault. Ideas, > > workarounds? Any help would be greatly appreciated! > > > > > > -Dusty > > > > > > # /usr/sbin/rsyslogd -d -r 0 -n > > ...... > > -1208042912: Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx > > -1208042912: Message length: 46, File descriptor: 12. > > -1208042912: logmsg: daemon.notice<29>, flags 2, from (null), msg Oct 27 > > 16:15:38 snort: GLOBAL CONFIG > > Segmentation fault > > > > > > server messages file contains: > > ---------- > > Oct 27 16:15:39 snort: ,-----------[Flow Config]---------------------- > > Oct 27 16:15:39 snort: | Stats Interval: 0 > > Oct 27 16:15:39 snort: | Hash Method: 2 > > Oct 27 16:15:39 snort: | Memcap: 10485760 > > Oct 27 16:15:39 snort: | Rows : 4099 > > Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31) > > Oct 27 16:15:39 snort: `---------------------------------------------- > > Oct 27 16:15:39 snort: HttpInspect Config: > > > > > > client messages file contains: > > --------- > > Oct 27 10:00:03 fred snort: ,-----------[Flow > > Config]---------------------- > > Oct 27 10:00:03 fred snort: | Stats Interval: 0 > > Oct 27 10:00:03 fred snort: | Hash Method: 2 > > Oct 27 10:00:03 fred snort: | Memcap: 10485760 > > Oct 27 10:00:03 fred snort: | Rows : 4099 > > Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31) > > Oct 27 10:00:03 fred snort: > > `---------------------------------------------- > > Oct 27 10:00:03 fred snort: HttpInspect Config: > > Oct 27 10:00:03 fred snort: GLOBAL CONFIG > > Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0 > > Oct 27 10:00:03 fred snort: Inspection Type: STATELESS 
> > Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO
> > Oct 27 10:00:03 fred snort: IIS Unicode Map Filename:
> > /etc/nsm/unicode.map
> > Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252
> > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:
> >
> >
> >
> >
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
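
The debug output quoted in this thread shows a message whose text goes straight from the timestamp to the tag ("Oct 27 16:15:38 snort: ...") and a sender logged as "from (null)". The following is an added example, not rsyslog code and not written by anyone in the thread: a header parser that falls back to the sender address when the HOSTNAME field is absent, so no field handed to a later "%s" is ever NULL. The names parse_syslog_hdr, struct syslog_hdr and demo_parse, the field sizes, the sample datagrams and the peer address 192.0.2.10 are assumptions made for the example, and it says nothing about the actual cause of the segfault discussed above.

```c
/* Added example, not rsyslog source; all names here are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct syslog_hdr {
    int  pri;             /* -1 when the datagram carried no <PRI> */
    char host[64];        /* always a printable string, never NULL */
    char tag[33];
    const char *msg;      /* points into the caller's buffer */
    int  host_from_peer;  /* 1 = no HOSTNAME field, sender address used */
};

/* Match "Mmm dd hh:mm:ss". Returns at the first mismatch, so a short
 * string is never read past its terminating NUL. */
static int is_timestamp(const char *s)
{
    static const char pat[] = "Aaa 9d dd:dd:dd";
    for (size_t i = 0; pat[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i], k = (unsigned char)pat[i];
        if (!(k == 'A' ? isupper(c) : k == 'a' ? islower(c) :
              k == 'd' ? isdigit(c) :
              k == '9' ? (c == ' ' || isdigit(c)) : c == k))
            return 0;
    }
    return 1;
}

/* A token is a TAG, not a HOSTNAME, if it ends in ':' or has "[pid]". */
static int is_tag_token(const char *p, size_t n)
{
    return n > 0 && (p[n - 1] == ':' || memchr(p, '[', n) != NULL);
}

/* Returns 0 on success, -1 on a malformed header. Either way every
 * string in *h is valid, so a debug printf("%s") never sees NULL. */
int parse_syslog_hdr(const char *raw, const char *peer, struct syslog_hdr *h)
{
    memset(h, 0, sizeof *h);
    h->pri = -1;
    h->host_from_peer = 1;
    if (peer == NULL || *peer == '\0')
        peer = "unknown";
    snprintf(h->host, sizeof h->host, "%s", peer);
    if (raw == NULL)
        raw = "";
    const char *p = h->msg = raw;
    if (*p == '<') {                       /* <PRI>: 1-3 digits, 0..191 */
        int v = 0, digits = 0;
        for (p++; digits < 3 && isdigit((unsigned char)*p); p++, digits++)
            v = v * 10 + (*p - '0');
        if (digits == 0 || *p != '>' || v > 191)
            return -1;
        h->pri = v;
        h->msg = ++p;
    }
    if (!is_timestamp(p) || p[15] != ' ')
        return -1;
    p += 16;
    size_t n = strcspn(p, " ");
    if (n > 0 && p[n] == ' ' && !is_tag_token(p, n)) {  /* HOSTNAME present */
        snprintf(h->host, sizeof h->host, "%.*s", (int)n, p);
        h->host_from_peer = 0;
        p += n + 1;
        n = strcspn(p, " ");
    }
    if (is_tag_token(p, n)) {              /* "snort:" or "sshd[123]:" */
        snprintf(h->tag, sizeof h->tag, "%.*s", (int)strcspn(p, ":["), p);
        p += n + (p[n] == ' ');
    }
    h->msg = p;
    return 0;
}

/* Demo helper: parse into a static struct (not thread-safe). */
const struct syslog_hdr *demo_parse(const char *raw, const char *peer)
{
    static struct syslog_hdr h;
    parse_syslog_hdr(raw, peer, &h);
    return &h;
}

int main(void)
{
    /* Constructed datagrams modelled on the thread's debug output. */
    const char *in[] = { "<29>Oct 27 16:15:38 snort: GLOBAL CONFIG",
                         "<29>Oct 27 16:15:38 fred snort: GLOBAL CONFIG",
                         "<29>no syslog header here" };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        const struct syslog_hdr *h = demo_parse(in[i], "192.0.2.10");
        printf("from '%s', tag '%s', msg '%s'\n", h->host, h->tag, h->msg);
    }
    return 0;
}
```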