> -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Anders Synstad > Sent: Thursday, March 10, 2011 4:16 PM > To: [email protected] > Subject: Re: [rsyslog] Problem with "corrupt" log message > > I'm still running on 5.6.2 as you mentioned. I've been looking at the > changelogs for the stable 5.x releases, but haven't seen anything that > I > related to this problem.
Well, look again: http://www.rsyslog.com/changelog-for-5-6-4-v5-stable/ http://www.rsyslog.com/changelog-for-5-6-3-v5-stable/ > I am a bit reluctant to deploy the beta releases on my production > servers. ;) Note that 5.7.8 will probably turn into the new stable in two weeks or so (depending on feedback). Maybe it helps to wait until it has reached that state. > Doing some testing at the moment, and will see if I can't open that bug > tracker if I don't get anywhere. Testing is always good :) It helps most if you can provide a minimal config that exposes a problem. In any case, I think you are really wasting your time if you are not trying with 5.6.4 at least. Rainer > > > Regards, > Anders Synstad > Basefarm AS > > On 03/10/2011 04:09 PM, Rainer Gerhards wrote: > > I guess you have lost a couple of updates. I have been working pretty > > aggressively on bugs the past two to three weeks. Those issues that I > knew > > are closed now (except one dangling with ommysql, which I cannot > reproduce > > and currently get not more data on). Please grab the latest 5.7.8 and > see if > > the problem persists. If it does, please open a bug tracker, so that > we can > > work together to find the culprit and fix it :) > > > > Thanks, > > Rainer > > > >> -----Original Message----- > >> From: [email protected] [mailto:rsyslog- > >> [email protected]] On Behalf Of Anders Synstad > >> Sent: Thursday, March 10, 2011 3:37 PM > >> To: [email protected] > >> Subject: Re: [rsyslog] Problem with "corrupt" log message > >> > >> Hello, > >> > >> On 01/20/2011 01:21 PM, Rainer Gerhards wrote: > >>>> -----Original Message----- I'm running latest Rsyslog 5.6.2. I > >>>> pretty much came to the same conclusions as you. > >>>> > >>>> I doubt I can reproduce it. Out of several gigabytes of logs each > >>>> day, this is the first time I've seen it. > >>> > >>> Yup... Maybe this helps: I got some reports from folks who have a > bit > >>> of a problem with 5.6.2 and a very good report came in yesterday. I > >>> am about to look at it. It could be that all of this has a common > >>> reason. But other than that, I do not have any advise right now... > >>> > >> > >> Did these reports give any results regarding this issue? > >> > >> I've been trying to dig a bit more in our logs, and I've seen it > happen > >> more than once now. It's however a bit hard to locate these corrupt > >> lines in the logs as they differ slightly. > >> > >> I also did a quick attempt at some tcpdumping, but without knowing a > bit > >> more what I'm looking for, it's too much data going thru the system > at > >> the moment to be just staring at it. > >> > >> The bits of configuration related to these logsfiles are: > >> > >> $ModLoad imudp # Standard input module for UDP > >> $ModLoad imtcp # Standard input module for TCP > >> > >> $template t-network,"/var/log/network.%$myhostname%.log" > >> $template bf-default,"%timegenerated:::date-rfc3339% %fromhost% > >> %rawmsg:::drop-last-lf%\n" > >> > >> # Ruleset: network > >> $Ruleset network-udp-10514 > >> $RulesetCreateMainQueue on > >> *.* -?t-network;bf-default > >> > >> $RuleSet network-tcp-10514 > >> $RulesetCreateMainQueue on > >> *.* -?t-network;bf-default > >> > >> $InputUDPServerBindRuleset network-udp-10514 > >> $UDPServerRun 10514 > >> > >> $InputTCPServerBindRuleset network-tcp-10514 > >> $InputTCPServerRun 10514 > >> > >> > >> > >> I'm using load balancing (active/passive) and different vips on the > LB > >> to point logs from different systems to different ports on my > central > >> loghost. And all in all, this is working very nicely :) > >> > >> But as you can see, both tcp and udp is logged to the same file, and > I > >> almost willing to bet my right pinky that the problem is related to > this. > >> > >> Another example of a broken log: > >>> 2011-03-08T12:50:45.973537+01:00 > >>> osl3-lb05b-v2011-03-08T12:50:46.126028+01:00 > >>> some.fw.net<164>Mar 08 2011 12:50:46: > >>> %ASA-4-106023: Deny tcp src outside:x.x.x.x/6000 dst > >>> some.lb-lnk:x.x.x.x/3389 by access-group > >>> new-test-fw-lb-lnk_out [0x4da29309, 0x0] > >> > >> > >> > >> > >> Regards, > >> Anders Synstad > >> Basefarm AS > >> _______________________________________________ > >> rsyslog mailing list > >> http://lists.adiscon.net/mailman/listinfo/rsyslog > >> http://www.rsyslog.com > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
