[rsyslog] Rsyslog 4.4.2: server out-of-memory with gnutls
Mr. Demeanour
mrdemeanour at jackpot.uk.net
Thu Nov 5 18:02:23 CET 2009
Rainer Gerhards wrote:
> Thanks, but I wasn't specific enough. For TLS, I also need the client config,
> because I need two machines to reproduce any issues (these two instances are
> also the challenge for the current testbench, what requires hopefully fewer
> than I expect changes ;)).
Sorry, Rainer. Anyway, I sent you the *current* config, i.e. using ptls.
Here are the two configs using gnutls. But NOTE: I'm not using your
default MySQL schema; you can't just drop this into your testlab. It
should work if you ignore the custom MySQL template. I *really* doubt
this has anything to do with MySQL - I've been using this MySQL setup
for a year.
Also note that there's nothing included from /etc/rsyslog.d - that
directory is empty. These are the complete configs.
There are a bunch of *Queue* directives in these files, both active and
commented-out; I started playing around with queues to see if I could
straighten it out that way, but it didn't work. That is, the problem
should occur with a default queueing setup.
====== Start Server =========
# /etc/rsyslog.conf Configuration file for rsyslog v3.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
# $DebugPrintTemplateList on
# $ActionFileDefaultTemplate mysql-template
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
# $ModLoad ommysql.so
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
# provides TCP syslog reception
$ModLoad imtcp
# make gtls driver the default
$DefaultNetstreamDriver gtls
# $DefaultNetstreamDriver ptcp
# certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/.ssl/gnu-ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/.ssl/saraha-rsyslog-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/.ssl/saraha-rsyslog-key.pem
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
$InputTCPServerRun 10514 # start up listener at port 10514
$ModLoad MySQL
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use default timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$WorkDirectory /var/log/rsyslog
$template mysql-template, "insert into logs(host, facility, priority, level, tag, datetime, msg) values ('%source%', '%syslogfacility-text%', '%syslogpriority-text%', '%syslogseverity-text%', '%programname%', '%timereported:::date-mysql%', '%msg%')", sql, mysql
# $template DEBUG,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nrawmsg: '%rawmsg%'\n\n"
###############
#### RULES ####
###############
#Discard some dross messages
# authpriv.info ~
:HOSTNAME, isequal, "last" ~
#Discard router access messages for the script on Prajna that collects the router logs.
if $msg contains 'User logged in on TELNET (192.168.1.2)' then ~
if $msg contains 'User logged out on TELNET (192.168.1.2)' then ~
# Log everything else to mysql.
$ActionQueueType LinkedList
# Number of elements...
$ActionQueueSize 100
# $ActionQueueFileName mysql
# $ActionQueueMaxDiskSpace 1M
# $ActionQueueHighWaterMark 40
# $ActionQueueLowWaterMark 5
*.* >127.0.0.1,syslog,syslog,syslog;mysql-template
$ActionExecOnlyWhenPreviousIsSuspended on
& ~
$ActionExecOnlyWhenPreviousIsSuspended off
#Log local stuff ONLY to /var/log/syslog
:HOSTNAME, isequal, "prajna" -/var/log/syslog
====== End Server =========
====== Start Client =========
# /etc/rsyslog.conf Configuration file for rsyslog v3.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# provides TCP syslog reception
# $ModLoad imtcp
# $InputTCPServerRun 514
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/.ssl/gnu-ca-cert.pem
# set up the action
$DefaultNetstreamDriver gtls # use gtls netstream driver
# $DefaultNetstreamDriver ptcp # use default netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
###############
#### RULES ####
###############
#Encrypted TCP log to database on Prajna
*.* @@87.194.213.229:10514
# *.* -/var/log/syslog
====== End Client =========
>
> Rainer
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Mr. Demeanour
>> Sent: Thursday, November 05, 2009 5:41 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Rsyslog 4.4.2: server out-of-memory with gnutls
>>
>> Rainer Gerhards wrote:
>>> Can you send me your rsyslog.conf, so that I can run it under the memory
>>> debugger in my lab. I'll also take this as a motivation to finally add
>>> multi-daemon tests to the testbench (what may take me a little while...).
>>
>> This is the server config (some of the remarks are misleading).
>>
>> # /etc/rsyslog.conf Configuration file for rsyslog v3.
>> #
>> # For more information see
>> # /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
>>
>> # $DebugPrintTemplateList on
>> # $ActionFileDefaultTemplate mysql-template
>> #################
>> #### MODULES ####
>> #################
>>
>> $ModLoad imuxsock # provides support for local system logging
>>
>> # $ModLoad ommysql.so
>>
>> # provides UDP syslog reception
>> $ModLoad imudp
>> $UDPServerRun 514
>> $ModLoad imklog # provides kernel logging support (previously done by rklogd)
>>
>> # provides TCP syslog reception
>> $ModLoad imtcp
>>
>> # make gtls driver the default
>> # $DefaultNetstreamDriver gtls
>> $DefaultNetstreamDriver ptcp
>>
>> # certificate files
>> $DefaultNetstreamDriverCAFile /etc/rsyslog.d/.ssl/gnu-ca-cert.pem
>> $DefaultNetstreamDriverCertFile /etc/rsyslog.d/.ssl/saraha-rsyslog-cert.pem
>> $DefaultNetstreamDriverKeyFile /etc/rsyslog.d/.ssl/saraha-rsyslog-key.pem
>>
>> # $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
>> # $InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
>> $InputTCPServerRun 10514 # start up listener at port 10514
>>
>> $ModLoad MySQL
>>
>> ###########################
>> ###########################
>> #### GLOBAL DIRECTIVES ####
>> ###########################
>>
>> #
>> # Use default timestamp format.
>> # To enable high precision timestamps, comment out the following line.
>> #
>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>
>> #
>> # Set the default permissions for all log files.
>> #
>> $FileOwner root
>> $FileGroup adm
>> $FileCreateMode 0640
>> $DirCreateMode 0755
>> $WorkDirectory /var/log/rsyslog
>>
>> $template mysql-template, "insert into logs(host, facility, priority, level, tag, datetime, msg) values ('%source%', '%syslogfacility-text%', '%syslogpriority-text%', '%syslogseverity-text%', '%programname%', '%timereported:::date-mysql%', '%msg%')", sql, mysql
>>
>> # $template DEBUG,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nrawmsg: '%rawmsg%'\n\n"
>>
>> ###############
>> #### RULES ####
>> ###############
>> #Discard some dross messages
>> # authpriv.info ~
>> :HOSTNAME, isequal, "last" ~
>>
>> #Discard router access messages for the script on Prajna that collects the router logs.
>> if $msg contains 'User logged in on TELNET (192.168.1.2)' then ~
>> if $msg contains 'User logged out on TELNET (192.168.1.2)' then ~
>>
>> # Log everything else to mysql.
>> $ActionQueueType LinkedList
>> # Number of elements...
>> $ActionQueueSize 100
>> # $ActionQueueFileName mysql
>> # $ActionQueueMaxDiskSpace 1M
>> # $ActionQueueHighWaterMark 40
>> # $ActionQueueLowWaterMark 5
>>
>>
>> *.* >127.0.0.1,syslog,syslog,syslog;mysql-template
>>
>> $ActionExecOnlyWhenPreviousIsSuspended on
>> & ~
>> $ActionExecOnlyWhenPreviousIsSuspended off
>>
>> #Log local stuff ONLY to /var/log/syslog
>> :HOSTNAME, isequal, "prajna" -/var/log/syslog
>>
>>
>> --
>> Jack.
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com
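
An added example, not part of the original post and not rsyslog code: a small Python check that reads the TLS directives from the two gtls configs in this message and reports how each side authenticates its peer. The sample strings are the TLS-related lines copied from the configs above; the function names and finding labels are made up for this example.

```python
import re

# Constructed sample: TLS-related lines taken from the server and client configs above.
SERVER_CONF = """\
$DefaultNetstreamDriver gtls
# $DefaultNetstreamDriver ptcp
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/.ssl/gnu-ca-cert.pem
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
$InputTCPServerRun 10514 # start up listener at port 10514
"""
CLIENT_CONF = """\
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/.ssl/gnu-ca-cert.pem
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
*.* @@87.194.213.229:10514
"""

DIRECTIVE = re.compile(r"^\$(\w+)\s+([^#\s]+)")

def parse_directives(text):
    """Return {lowercased directive: value}; commented-out lines are skipped, last setting wins."""
    out = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line.strip())
        if m:
            out[m.group(1).lower()] = m.group(2)
    return out

def audit_tls(text, side):
    """side is 'server' (imtcp listener) or 'client' (forwarding action)."""
    prefix = "inputtcpserver" if side == "server" else "actionsend"
    d = parse_directives(text)
    findings = []
    if d.get("defaultnetstreamdriver") != "gtls":
        findings.append("no-tls-driver")        # plain TCP, e.g. the ptcp variant
    if d.get(prefix + "streamdrivermode") != "1":
        findings.append("tls-not-required")
    auth = d.get(prefix + "streamdriverauthmode")
    if auth == "anon":
        findings.append("peer-not-authenticated")  # encrypted, but peer identity unchecked
    elif auth in ("x509/name", "x509/fingerprint") and prefix + "streamdriverpermittedpeer" not in d:
        findings.append("no-permitted-peer")
    return findings

if __name__ == "__main__":
    for name, conf, side in (("server", SERVER_CONF, "server"), ("client", CLIENT_CONF, "client")):
        print(name, audit_tls(conf, side))
```

Both configs come back with `peer-not-authenticated`: the link is encrypted, but with `anon` neither end checks who it is talking to.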