RE: Help needed for missing log entries

From: Dave Sobel (dave@evolvetech.com)
Date: Fri Mar 08 2002 - 22:48:47 CET

Next message: jagan krishnaraj: "Request for Info"

Previous message: Christian von Roques: "Re: Help needed for missing log entries"
In reply to: Christian von Roques: "Re: Help needed for missing log entries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Christian:

Thanks for the assistance. This is a good theory, but I'm pretty sure
it's not what is occurring.

I have done nothing to set the ipop3d or imapd to make them chroot-ed --
in fact, being as they can access mail in /var/spool/mail and also
create directories in /home/<username>/, I'm pretty confident they have
not been isolated.

I also have verified the existence of /dev/log , so any daemon should be
able to access it:

dave@server:~$ cd /dev
dave@server:/dev$ ls -l log
srw-rw-rw- 1 root root 0 Mar 6 23:24 log=

Any additional thoughts are very much welcomed.

Dave

-----Original Message-----
From: Christian von Roques [mailto:roques@mti.ag]
Sent: Friday, March 08, 2002 9:41 AM
To: Dave Sobel
Cc: infodrom-sysklogd@lists.infodrom.org
Subject: Re: Help needed for missing log entries

"Dave Sobel" <dave@evolvetech.com> wrote that some of the messages
logged from ipop3d and imapd are missing in his syslog.

There are two transports which might be used to transport log-messages
from the logging applications (in this case ipop3d or imapd) to
syslogd: If the unix domain socket /dev/log exists the library used by
the application first tries to send the message through this socket.
As tne man-page unix(7) sais: ``Unix sockets are always reliable and
don't reorder datagrams.'' If the unix domain socket /dev/log is
unavailable, the library tries to send the message through an IP
datagram (UDP) socket to localhost:514. But, UDP is an unreliable
protocol and might silently drop some messages, e.g. if the receiving
socket's receive buffer is full.

If ipop3d or imapd are logging through UDP it can happen that
messages are lost.

If ipop3d or imapd are running chroot(2)ed (e.g. to /var/spool/imap),
they can't access /dev/log and have to use UDP to transmit their
messages. When they try to reach /dev/log, they will actually try to
reach /dev/log in their changed root (e.g. /var/spool/imap/dev/log).
You can/should tell syslogd to create an additional logging socket to
be used by these daemons (e.g. by starting syslogd like: syslogd -a
/var/spool/imap/dev/log ), so that they can reach syslogd through a
reliable unix domain socket.

Christian.

Next message: jagan krishnaraj: "Request for Info"
Previous message: Christian von Roques: "Re: Help needed for missing log entries"
In reply to: Christian von Roques: "Re: Help needed for missing log entries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Fri Mar 08 2002 - 22:49:00 CET