[rsyslog] more 5.1.3 errors (fwd) / invalid fromhost
david at lang.hm
david at lang.hm
Fri Aug 21 12:56:36 CEST 2009
On Fri, 21 Aug 2009, Rainer Gerhards wrote:
>>>> the second problem from my initial e-mail (and the one I mentioned
>> in
>>>> response to the 5.1.4 release) is pointed out by this portion of my
>>>> initial e-mail
>>>>
>>>> <29>Jul 31 21:33:39 methane1d-b plug-gw[13212]: connect host=
>>>> /192.168.243.38 destination=179.50.100.130/11074
>>>>
>>>> 192.168.210.245 192.168.210.245 methane1d-b
>>>>
>>>>
>>>> in addition to not parsing the message correctly and putting the
>>>> hostnmae
>>>> in the syslogtag field, the fromhost is incorrect. this message
>> could
>>>> only
>>>> have gotten here by being relayed from the .219 box. the log file on
>>>> the
>>>> .245 box (which logs *.* to messages) don't show anything like this,
>>>> and
>>>> the methane1d-b box doesn't have any networks in common with the
>> .245
>>>> box
>>>
>>> Is there any possibility that *any* message was previously received
>> from
>>> .245? From what you said, I assume not. I am asking because the
>> problem may
>>> be related to the name lookup reuse technique (which re-uses the
>> sender IP if
>>> it is the same as with the last UDP packet). However, the problem can
>> only be
>>> rooted in that area if .245 is a valid sender at least at times.
>>
>> yes, .245 is a valid sender (in fact, in the main set of mssages I sent
>> initilly all the messages from .245 are legit)
>>
>> all of the sources listed in the config do send messages (for each
>> pair,
>> one is the active relay sending hundreds to thousands of messages/sec
>> while the other is the backup, sending a handful per min)
>
> OK, this looks like it narrows down the code to look at to a relatively small
> portion. Will give that another review.
>
>>> I have also done a source code review right now, but I do not see any
>>> suspicious. Will continue to try a little bit, but that one does
>> probably
>>> need to wait until we can do some debugging in your environment.
>>
>> understood. I may try to go in over the weekend and setup this sort of
>> test.
>
> Do you think this can be easily reproduced? If so, that would be great. I
> could simply comment out some of the code I suspect to cause the bug and so
> we could check both versions and see if it makes a difference...
yes, I can compile and install a new version and run it for a few min.
this problem seems to show up fairly rapidly.
David Lang
More information about the rsyslog
mailing list