Fwd: (RADIATOR) Incomplete entries in syslog

Mike McCauley mikem at open.com.au
Thu Aug 26 18:48:48 CDT 2004


Hello Jan,

Thanks for your note and logs.

I notice that the place where the syslog log cuts off corresponds to a '%c' in 
the original log string. I wonder if this is a coincidence, or whether the 
other examples you have seen also correspond to a % followed by a printf 
special character? Can you check?

Cheers.

On Thursday 26 August 2004 21:16, Jan Tomasek wrote:
> Hi Hugh and Mike,
>
> My original mail was forwarded a bazillion times. I'm sorry for the messed-up
> quoting of this email.
>
> >>> Hi Mikey -
> >>>
> >>> Any suggestions for Jan about what to do about it?
> >>
> >> Make sure his syslog client and server is the latest?
>
> Syslog-ng is running locally, so the client is Radiator 3.9 with all the latest
> patches installed. Syslog-ng itself is 1.5.15-1.1, which is the latest package
> for Debian/woody. For Debian/unstable, version 1.6.4-1 is available. So no, I'm
> not running the latest version, but I'm not going to install the latest/unstable
> software without exact proof that the actual version is buggy. There is relevant
> bug report pending
> (http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=syslog-ng), not even old
> resolved
> (http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=syslog-ng&archive=yes).
>
> >>>> Suspect syslog is getting confused with very long log lines.
>
> It happened again this morning:
>
> Aug 26 05:40:22 radius1 ZW<169><160><221><229><160> Attributes:
> Tunnel-Private-Group-ID = 1:666         Tunnel-Type = 1:VLAN
> Tunnel-Medium-Type = 1:802
>
> This is the complete entry logged by "<Log FILE>..."; it is not that long, I think.
>
> Thu Aug 26 05:40:22 2004: DEBUG: Packet dump:
> *** Received from 195.113.144.226 port 1812 ....
> Code:       Access-Accept
> Identifier: 51
> Authentic:  <209><24><222><253><23><15><251>%cZW<169><160><221><229><160>
> Attributes:
>         Tunnel-Private-Group-ID = 1:666
>         Tunnel-Type = 1:VLAN
>         Tunnel-Medium-Type = 1:802
>
> I think it is some problem in Radiator. I'm running syslog-ng in this
> version on multiple systems, many of them under very heavy load, and I have
> never seen log files corrupted this way. Sadly, I'm not able to say any way
> to quickly force Radiator to mess up a log entry. I tried to send an access
> authorization a thousand times, but a corrupted log entry never happened. But I
> need to fix it somehow; those packets are hitting logcheck, which is
> examining log files, and come to me.
>
> Attached log files:
>   radius-file.log is log file produced by <Log FILE>
>   radius-syslog.log is ... by <Log SYSLOG>
> just in case you want to examine it yourself.
>
> At this time it isn't serious; a few mails per day are easy to ignore. But
> I'm not willing to take the risk that it will increase in future. It can flood
> the target of logcheck mails, and also these corrupted messages are not logged
> on the remote syslog, so they are invisible to other administrators, and it can
> become a serious problem in future.
>
> I hope you will find a solution soon. If I can help you in any way, let me know.
>
> Best regards

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
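
One way to run the check asked for above over further samples, added here as an example (it is not part of the original mail or of Radiator): given a complete <Log FILE> entry and the truncated syslog payload, it finds where syslog picks up again and reports whether the lost text ends in a printf directive. The function and variable names are hypothetical; the two sample strings are re-assembled from the excerpts quoted in the mail.

```python
import re

# A printf directive ending exactly at the cut: flags, width, precision,
# length modifier, then the conversion character (%m is syslog(3)'s own).
DIRECTIVE_AT_END = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|j|z|t)?([diouxXeEfFgGaAcspnm%])$"
)

def normalize(text):
    """Collapse whitespace runs; syslog flattens the multi-line packet dump."""
    return " ".join(text.split())

def find_cut(full_entry, syslog_payload):
    """Locate where the syslog payload resumes inside the complete entry.

    Returns None if the payload is not part of the entry, otherwise
    (offset, directive): directive is the printf directive that ends right
    before the offset, or None if the lost text does not end in one.
    """
    full, frag = normalize(full_entry), normalize(syslog_payload)
    offset = full.find(frag)
    if offset < 0:
        return None
    match = DIRECTIVE_AT_END.search(full[:offset])
    return offset, (match.group(0) if match else None)

# Re-assembled from the <Log FILE> excerpt quoted in the mail.
FILE_ENTRY = (
    "Thu Aug 26 05:40:22 2004: DEBUG: Packet dump:\n"
    "*** Received from 195.113.144.226 port 1812 ....\n"
    "Code:       Access-Accept\n"
    "Identifier: 51\n"
    "Authentic:  <209><24><222><253><23><15><251>%cZW<169><160><221><229><160>\n"
    "Attributes:\n"
    "\tTunnel-Private-Group-ID = 1:666\n"
    "\tTunnel-Type = 1:VLAN\n"
    "\tTunnel-Medium-Type = 1:802\n"
)
# Re-assembled from the syslog excerpt, without timestamp and host name.
SYSLOG_PAYLOAD = (
    "ZW<169><160><221><229><160> Attributes: "
    "Tunnel-Private-Group-ID = 1:666         Tunnel-Type = 1:VLAN "
    "Tunnel-Medium-Type = 1:802"
)

if __name__ == "__main__":
    print(find_cut(FILE_ENTRY, SYSLOG_PAYLOAD))
```

A directive of None for a truncated pair means that sample does not fit the '%' pattern and the cut has to be explained some other way.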
