Re: garbled packet log messages in syslog

From: raf (raf2@zip.com.au)
Date: Tue Aug 21 2001 - 09:10:40 CEST


Vitaly Fedrushkov wrote:

> Good $daytime,
>
> Anybody seen this: garbled packet log lines in syslog files?
>
> Setup
>
> Machine: (stock) RedHat 7.1 with (stock) kernel 2.4.3-12 and (stock)
> klogd 1.4-0
> Loghost: (stock) RedHat 6.1 with (stock) syslogd 1.3-3
>
> Both machine and loghost are i686 > 500MHz, on a switched 100Base-TX LAN.
>
> ipchains were set up on machine, with packet logging turned on. Then,
> `nmap -sS` (TCP SYN scan) is run against it. This yields about 2000
> syslog messages in 5 seconds.
>
> Symptom
>
> Several lines in /var/log/messages seem to overlap each other.
>
> 1. The problem manifests itself also on loghost, to a lesser extent.
> 2. Overlapping items are not the same. This probably points to the
> client {sys,k}logd side as error source.
>
> Any ideas? Thanks in advance.

this could easily happen if two or more processes are writing to the same
file without having first opened the file with the O_APPEND flag. even if
O_APPEND was used, if the file is on a file system mounted using NFS,
corruption can still occur.

is your /var/log/messages mounted via NFS?

raf
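
The effect raf describes, as an added example that is not part of the original post: two processes each open() the same log file and write lines, first without O_APPEND and then with it. The scratch file path, line format and writer count are constructed for the demonstration, and /tmp is assumed to be a local (non-NFS) file system.

```c
/* Added example, not from the original post. Assumes /tmp is a local (non-NFS) file system. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define WRITERS 2
#define LINES 200
/* Line length differs per writer, so an overwrite leaves a visible fragment. */
static int fmt_line(char *buf, size_t len, int w, int i) {
    return snprintf(buf, len, "writer%d seq=%04d %.*s\n", w, i, 5 + 7 * w, "xxxxxxxxxxxxxxxxxxxx");
}
/* extra_flags is 0 or O_APPEND. Returns the count of intact lines, or -1 on error. */
static int run_writers(int extra_flags) {
    char path[] = "/tmp/applog-XXXXXX", line[64], want[64]; /* constructed scratch file */
    int tmp = mkstemp(path), intact = 0, w, i;
    if (tmp < 0) return -1;
    close(tmp);
    for (w = 0; w < WRITERS; w++) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) { /* child: its own open(), hence its own file offset */
            int fd = open(path, O_WRONLY | extra_flags);
            if (fd < 0) _exit(1);
            for (i = 0; i < LINES; i++) {
                int n = fmt_line(line, sizeof line, w, i);
                if (write(fd, line, (size_t)n) != n) _exit(1);
            }
            _exit(0);
        }
    }
    while (wait(NULL) > 0) {} /* reap every writer before reading back */
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) { /* intact = line re-formats to itself */
        if (sscanf(line, "writer%d seq=%4d", &w, &i) != 2 || w < 0 || w >= WRITERS) continue;
        fmt_line(want, sizeof want, w, i);
        intact += strcmp(line, want) == 0;
    }
    fclose(f);
    unlink(path);
    return intact;
}

int main(void) {
    printf("no O_APPEND: %d intact, O_APPEND: %d intact, written: %d\n", run_writers(0), run_writers(O_APPEND), WRITERS * LINES);
    return 0;
}
```

Without O_APPEND both writers start at offset 0, so the file never grows past the longer writer's output and the leftover fragments appear as overlapping entries.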


