From nobody@FreeBSD.org  Wed Oct 31 02:35:00 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id C698F37B40C
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 31 Oct 2001 02:34:58 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f9VAYwZ31155;
	Wed, 31 Oct 2001 02:34:58 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200110311034.f9VAYwZ31155@freefall.freebsd.org>
Date: Wed, 31 Oct 2001 02:34:58 -0800 (PST)
From: Romain Griffiths <wid@epita.fr>
To: freebsd-gnats-submit@FreeBSD.org
Subject: syslogd stop processing remote host log after a while
X-Send-Pr-Version: www-1.0

>Number:         31657
>Category:       bin
>Synopsis:       syslogd stop processing remote host log after a while
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 31 02:40:00 PST 2001
>Closed-Date:    Tue Nov 6 02:55:39 PST 2001
>Last-Modified:  Tue Nov 06 02:58:07 PST 2001
>Originator:     Romain Griffiths
>Release:        FreeBSD 4.4-RELEASE #0
>Organization:
EPITA
>Environment:
FreeBSD loghost 4.4-RELEASE FreeBSD 4.4-RELEASE #0: Tue Sep 18 11:57:08 PDT 2001     murray@builder.FreeBSD.org:/usr/src/sys/compile/GENERIC  i386
>Description:
I have a loghost that log syslog message from 2 servers.
After a while (from few minutes to several hours) the syslogd on my loghost stop logging messages.
tcpdump show that servers still send syslog info to the loghost:
11:27:19.111707 ide.syslog > loghost.syslog:  udp 102
but nothing arrive to 
-rw-r--r--  1 root  wheel   18357 Oct 31 10:42 any.log

I have a bad-quality hub to link these machines.

>How-To-Repeat:
on loghost (10.0.0.10):
in rc.conf:
syslogd_flags="-4 -n -a 10.0.0.2 -a 10.0.0.1"
in syslog.conf:

+10.0.0.1					
*.*;security.none		/space1/log/ide/any.log
security.*			/space1/log/ide/security.log

+10.0.0.2					
*.*;mail.none			/space1/log/mail/any.log
mail.*				/space1/log/mail/mail.log

on 10.0.0.1 syslog.conf:
*.*				@10.0.0.10
on 10.0.0.2 syslog.conf:
*.*				@10.0.0.10

>Fix:

>Release-Note:
>Audit-Trail:

From: "Crist J. Clark" <cristjc@earthlink.net>
To: Romain Griffiths <wid@epita.fr>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/31657: syslogd stop processing remote host log after a while
Date: Thu, 1 Nov 2001 22:37:39 -0800

 On Wed, Oct 31, 2001 at 02:34:58AM -0800, Romain Griffiths wrote:
 [snip]
 
 > >Description:
 > I have a loghost that log syslog message from 2 servers.
 > After a while (from few minutes to several hours) the syslogd on my loghost stop logging messages.
 > tcpdump show that servers still send syslog info to the loghost:
 > 11:27:19.111707 ide.syslog > loghost.syslog:  udp 102
 > but nothing arrive to 
 > -rw-r--r--  1 root  wheel   18357 Oct 31 10:42 any.log
 > 
 > I have a bad-quality hub to link these machines.
 > 
 > >How-To-Repeat:
 > on loghost (10.0.0.10):
 > in rc.conf:
 > syslogd_flags="-4 -n -a 10.0.0.2 -a 10.0.0.1"
 > in syslog.conf:
 > 
 > +10.0.0.1					
 > *.*;security.none		/space1/log/ide/any.log
 > security.*			/space1/log/ide/security.log
 > 
 > +10.0.0.2					
 > *.*;mail.none			/space1/log/mail/any.log
 > mail.*				/space1/log/mail/mail.log
 > 
 > on 10.0.0.1 syslog.conf:
 > *.*				@10.0.0.10
 > on 10.0.0.2 syslog.conf:
 > *.*				@10.0.0.10
 
 This is more of something for freebsd-questions.
 
 Can you run syslogd(8) in debug mode (the '-d' option) on the
 server. See if it is receiving those incoming messages at all.
 On a lossy network, there is a chance that the machines sending out
 syslog messages might stop, and not start again, if they think the
 remote server is unreachable. But you would not see the network
 traffic in that case.
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From: David Malone <dwmalone@maths.tcd.ie>
To: "Crist J. Clark" <cristjc@earthlink.net>
Cc: freebsd-gnats-submit@FreeBSD.org, wid@epita.fr
Subject: Re: bin/31657: syslogd stop processing remote host log after a while
Date: Fri, 2 Nov 2001 10:13:50 +0000

 On Thu, Nov 01, 2001 at 10:50:04PM -0800, Crist J. Clark wrote:
 >  This is more of something for freebsd-questions.
 
 Actually - I think this might be a duplicate of
 
 	http://www.freebsd.org/cgi/query-pr.cgi?pr=31029
 
 which contains a patch.
 
 	David.

From: "Crist J. Clark" <cristjc@earthlink.net>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: freebsd-gnats-submit@FreeBSD.org, wid@epita.fr
Subject: Re: bin/31657: syslogd stop processing remote host log after a while
Date: Fri, 2 Nov 2001 11:34:27 -0800

 On Fri, Nov 02, 2001 at 10:13:50AM +0000, David Malone wrote:
 > On Thu, Nov 01, 2001 at 10:50:04PM -0800, Crist J. Clark wrote:
 > >  This is more of something for freebsd-questions.
 > 
 > Actually - I think this might be a duplicate of
 > 
 > 	http://www.freebsd.org/cgi/query-pr.cgi?pr=31029
 > 
 > which contains a patch.
 
 I wonder if this isn't what really is happening, but the originator
 claimed he could still see syslog packets going over the wire to the
 server, but the server was not responding. Before we tell him to
 patch, we need to figure out if the packets are getting to the log
 host or not.
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
State-Changed-From-To: open->closed 
State-Changed-By: cjc 
State-Changed-When: Tue Nov 6 02:55:39 PST 2001 
State-Changed-Why:  
In a private email, the originator informs me it was a syslog.conf(5) 
configuration issue on the server with name resolution and '+hostname' 
blocks. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=31657 
>Unformatted:
