If 384.11 solves the blank kernel lines then I'm probably going to not bother trying to strip the blank lines. It seems too risky. I'll give this solution a try though on 384.10 so that if it reappears we have a known solution.I've only been on A4 for 10 hours, running the local NTP server. I haven't had syslog-ng restarting, and no blank kernel lines.
Also, tryCode:filter f_empty { match("^ *$"); };
# link to messages if not already a symlink
if [ ! -L "/tmp/syslog.log" ]
then
#/tmp/syslog.log is running and we don't want to read the startup messages from the prior reboot
rm -f /opt/var/log/startupmessages
#cat the syslog to startupmessages so they will be read in by syslog-ng
cat /tmp/syslog.log > /opt/var/log/startupmessages
rm -f /tmp/syslog.log /tmp/syslog.log-1
ln -s /opt/var/log/messages /tmp/syslog.log
fi
I'm still on 10_2 where would I insert that line, syslog-ng.conf or in a new syslog-ng "helper" file or filter file in syslog-ng.d?I've only been on A4 for 10 hours, running the local NTP server. I haven't had syslog-ng restarting, and no blank kernel lines.
Also, tryCode:filter f_empty { match("^ *$"); };
You'd have to create a filter file in syslog-ng.d. But it would need a destination and log statement also, not just simply the one line.I'm still on 10_2 where would I insert that line, syslog-ng.conf or in a new syslog-ng "helper" file or filter file in syslog-ng.d?
I was just making a suggestion for how to trap a blank line. Syslog-ng is supposed to drop them anyway, so this is a filter that traps for two or more spaces. I think @cmkelley is right to let 11 settle first before we see what might need to be done.I'm still on 10_2 where would I insert that line, syslog-ng.conf or in a new syslog-ng "helper" file or filter file in syslog-ng.d?
Apr 25 18:25:43 RT-AC86U-4608 kernel: net_ratelimit: 1547 callbacks suppressed
Apr 25 18:25:43 RT-AC86U-4608 kernel: protocol 0800 is buggy, dev eth0
Apr 25 18:25:53 RT-AC86U-4608 kernel: device eth0 left promiscuous mode
Seems unlikely to be coincidence, but it could be a third process affecting both of them. I wouldn't know how to track that down.I this a clue to the blank kernel lines in the webGUI syslog? The blank lines stopped for just over 30 minutes, with these showing instead with 4 - 8 per second. I trimmed this back to just three messages or cloudflare blocks my post.
These stopped and blank kernel lines are back.Code:Apr 25 18:25:43 RT-AC86U-4608 kernel: net_ratelimit: 1547 callbacks suppressed Apr 25 18:25:43 RT-AC86U-4608 kernel: protocol 0800 is buggy, dev eth0 Apr 25 18:25:53 RT-AC86U-4608 kernel: device eth0 left promiscuous mode
Well 11_A4 does not remove them, but I see no issues with scribe after 2 1/2 hours. I did not dig deeply into the delayed start of syslog-ng, but I see no effects of it looking through all the logs, including the original syslog until syslog-ng loads. (shrug)If 384.11 solves the blank kernel lines then I'm probably going to not bother trying to strip the blank lines. It seems too risky. I'll give this solution a try though on 384.10 so that if it reappears we have a known solution.
I'm okay with that possibility. If something keeps restarting syslogd and klogd, I want to kill them again and have another go at it. Hopefully nothing should keep restarting them indefinitely.Not sure about line 679. You have a two minute loop that waits until klogd and syslogd are both running; if they are not the loop keeps going. If they are, you restart syslog-ng, which will kill them, and returns to the loop to set the clock at 6. But kill_logger will take some non-trivial time to move and cat the (possibly long) messages file before it returns. If in the six seconds they are restarted, you will go around again and possibly never exit.
Syslog-ng keeps a destination file open for 60 seconds in case new log messages need to be written; this is the default time-reap() parameter. Could that be what is hanging on to messages?
I think you are mis-reading the lines in scribe. The move and cat the message file only happens if both syslogd and klogd restart themselves in that 6 second period. Just instead of checking once at the end of 6 seconds to see if they've restarted, it checks once a second for 6 seconds.I follow not waiting for another 118 seconds. What I meant was you reset the counter to 6, go around again and move and cat the file, and then perhaps reset the counter again to 6, so it might never time out of the 120 second loop. As opposed to killing the processes, waiting 6, and if they aren't running, true out of the function.
I agree restarting should close out an open file. If you do scribe restart when syslog-ng is running, you get different process ids, unlike when you issue syslog-ng -Fevd when syslog-ng is already running, which keeps the same process numbers. In any case, unless I'm actively doing something, I only get a daily diversion logrotate message and a daily QOS persistence check into my messages file, and no process restarts that I can tell. I get about 15,000 pixelserv messages in that 24 hours. So while everything is running, I really can't tell if something is holding on to the messages file.
So, pretty sure I've found the issue ... it's reading from /dev/kmsg (i.e. the system() source) instead of /proc/kmsg. Reverting that fixed the holding on to the messages file issue I was hacking around by mv and cat (i.e. I was able to remove that bit of ugliness), and also a message dumping problem I saw when klogd and syslogd were restarted. The downside is the old partial message issue is back, although by copying some directives from the expansion of the system() source, so far they've all been proceeded by "Error processing log message:" so at least it seems to be flagging them. EDIT:I follow not waiting for another 118 seconds. What I meant was you reset the counter to 6, go around again and move and cat the file, and then perhaps reset the counter again to 6, so it might never time out of the 120 second loop. As opposed to killing the processes, waiting 6, and if they aren't running, true out of the function.
I agree restarting should close out an open file. If you do scribe restart when syslog-ng is running, you get different process ids, unlike when you issue syslog-ng -Fevd when syslog-ng is already running, which keeps the same process numbers. In any case, unless I'm actively doing something, I only get a daily diversion logrotate message and a daily QOS persistence check into my messages file, and no process restarts that I can tell. I get about 15,000 pixelserv messages in that 24 hours. So while everything is running, I really can't tell if something is holding on to the messages file.
Just thought I'd drop in again to mention my setup with klogd still running (I also wrote my own similar service-start script loop to kill syslogd - actually it calls scribe's own rc.func-syslog-ng, albeit an older versoin without the killall klogd) and it hasn't missed a beat. Was thinking that if you were inclined to do so with scribe, it should allow both 2.6 kernal and the HND kernel to read the kernel (klogd) messages without issue as they are then just collecting from the same place.So, pretty sure I've found the issue ... it's reading from /dev/kmsg (i.e. the system() source) instead of /proc/kmsg. Reverting that fixed the holding on to the messages file issue I was hacking around by mv and cat (i.e. I was able to remove that bit of ugliness), and also a message dumping problem I saw when klogd and syslogd were restarted. The downside is the old partial message issue is back, although by copying some directives from the expansion of the system() source, so far they've all been proceeded by "Error processing log message:" so at least it seems to be flagging them. EDIT:BONUS! I can reliably filter the partial messages.EDIT2: And currently marking all Skynet (IPTables) messages as errors. Fun.
All that said, I'm dog tired and reluctant to push the changes until I've had a fresher think about them. EDIT: Proven to be a good idea, I found a major logic error that would have filled up small thumb drives very quickly. Ooops.
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!