Restarting syslog-ng - Message about "db-parser()"


Ryan John Peck

Jul 1, 2015, 3:11:05 PM
to securit...@googlegroups.com
Restarted syslog-ng on my sensor and noticed a few odd lines -

$ sudo service syslog-ng restart
* Stopping system logging syslog-ng [ OK ]
* Starting system logging syslog-ng WARNING: Configuration file format is too old, please update it to use the 3.3 format as some constructs might operate inefficiently;
WARNING: global: the default value of log_fifo_size() has changed to 10000 in version 3.3 to reflect log_iw_size() changes for tcp()/udp() window size changes;
WARNING: The default behaviour for injecting messages in db-parser() has changed in version 3.3 from internal to pass-through, use an explicit inject-mode(internal) option for old behaviour;
[ OK ]

Not too sure about the usage here, but I didn't recognize the warning and thought I'd bring it up.

Shane Castle

Jul 2, 2015, 6:33:30 AM
to securit...@googlegroups.com
See replies below.

On 7/1/2015 21:11, Ryan John Peck wrote:
> Restarted syslog-ng on my sensor and noticed a few odd lines -
>
> $ sudo service syslog-ng restart
> * Stopping system logging syslog-ng [ OK ]
> * Starting system logging syslog-ng

> WARNING: Configuration file format is too old, please update it to use the 3.3 format as some constructs might operate inefficiently;

This is caused by the "Version" entry in the config. It is set to 3.2.

> WARNING: global: the default value of log_fifo_size() has changed to 10000 in version 3.3 to reflect log_iw_size() changes for tcp()/udp() window size changes;
> WARNING: The default behaviour for injecting messages in db-parser() has changed in version 3.3 from internal to pass-through, use an explicit inject-mode(internal) option for old behaviour;

As far as I know, these are general messages that are printed pointing
to two of the major changes between 3.2 and 3.3, but they may be used in
the config file. I don't have access to a SO system right now to check.

These may safely be ignored for now, though. I wouldn't change the
Version in the config until I know for certain that deprecated usages are
not present in it.

--
Shane Castle

Pete

Jul 13, 2015, 10:55:21 AM
to securit...@googlegroups.com
On Thursday, 2 July 2015 06:33:30 UTC-4, Shane Castle wrote:
> On 7/1/2015 21:11, Ryan John Peck wrote:
> > WARNING: global: the default value of log_fifo_size() has changed to 10000 in version 3.3 to reflect log_iw_size() changes for tcp()/udp() window size changes;
> > WARNING: The default behaviour for injecting messages in db-parser() has changed in version 3.3 from internal to pass-through, use an explicit inject-mode(internal) option for old behaviour;
>
> As far as I know, these are general messages that are printed pointing
> to two of the major changes between 3.2 and 3.3, but they may be used in
> the config file. I don't have access to a SO system right now to check.

Shane, if you haven't had a chance to look into this yet, here are the only hits I got for the two keywords mentioned:

#destination d_net { tcp("127.0.0.1" port(1000) authentication(on) encrypt(on) log_fifo_size(1000)); };

parser p_db {
db-parser(file("/opt/elsa/node/conf/patterndb.xml"));
};

The first is commented out, and the second is in the p_db function that is called as part of the log section where all the bro files are sourced. I don't speak syslogeese, so don't know the effects of it, but I can verify that changing the version to 3.3 at the top of the file does eliminate the warnings...

It also looks like the syslog-ng update restored logging to all the normal files in /var/log, which is a plus for me. I prefer digging through them with grep over trying to figure out what they were by rooting around in ELSA. :(
--
Pete
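The keyword search Pete describes above can be scripted so that it is repeatable before raising the version directive. The following is an added example, not code from the thread, from Security Onion or from syslog-ng: it scans a syslog-ng configuration for the `@version:` pragma, for explicit `log_fifo_size()` settings, and for `db-parser()` statements that do not set `inject-mode()`, while ignoring anything that only appears after a `#` comment (as with the commented-out `d_net` destination). The sample configuration is constructed, modelled on the snippets quoted in the thread; the `p_db_explicit` parser and the `/tmp/example-patterndb.xml` path are placeholders, and the scan is a plain text search rather than a full syslog-ng config parser.

```python
"""Audit a syslog-ng configuration for the 3.2 -> 3.3 behaviour changes
discussed in the thread. Added example; not Security Onion or syslog-ng code.
The scan is text-based and does not fully parse the syslog-ng grammar."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VERSION_RE = re.compile(r"^\s*@version:\s*([0-9]+(?:\.[0-9]+)?)")
FIFO_RE = re.compile(r"log_fifo_size\s*\(\s*(\d+)\s*\)")
DB_PARSER_RE = re.compile(r"db-parser\s*\(")
INJECT_RE = re.compile(r"inject-mode\s*\(\s*(\w+)\s*\)")

# Constructed sample, modelled on the snippets quoted in the thread.
SAMPLE_CONF = """\
@version: 3.2
# constructed sample, modelled on the snippets quoted in the thread
options { log_fifo_size(1000); };
#destination d_net { tcp("127.0.0.1" port(1000) authentication(on) encrypt(on) log_fifo_size(1000)); };
parser p_db {
    db-parser(file("/opt/elsa/node/conf/patterndb.xml"));
};
parser p_db_explicit {
    db-parser(file("/tmp/example-patterndb.xml") inject-mode(internal));
};
"""


@dataclass
class Findings:
    version: Optional[str] = None
    fifo_sizes: List[Tuple[int, int]] = field(default_factory=list)   # (line, value) of active log_fifo_size()
    db_parsers_without_inject: List[int] = field(default_factory=list)  # line of each db-parser() lacking inject-mode()
    commented_hits: List[int] = field(default_factory=list)             # lines where a keyword sits only in a comment


def strip_comment(line: str) -> str:
    """Return the part of the line before a '#' comment."""
    return line.split("#", 1)[0]


def statements(text: str):
    """Yield each statement as a list of (line_no, fragment) pairs, comments
    removed and ';' used as the terminator, so a db-parser() block spread over
    several lines is examined as one unit. A '@...' pragma line stands alone."""
    buf: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        code = strip_comment(raw)
        if code.lstrip().startswith("@"):
            yield [(lineno, code.strip())]
            continue
        while code.strip():
            head, sep, code = code.partition(";")
            if head.strip():
                buf.append((lineno, head))
            if sep and buf:
                yield buf
                buf = []
    if buf:
        yield buf


def audit_config(text: str) -> Findings:
    """Collect the version pragma, active keyword uses and comment-only hits."""
    f = Findings()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = VERSION_RE.match(raw)
        if m:
            f.version = m.group(1)
        comment = raw[len(strip_comment(raw)):]
        if FIFO_RE.search(comment) or DB_PARSER_RE.search(comment):
            f.commented_hits.append(lineno)
    for pieces in statements(text):
        whole = " ".join(p for _, p in pieces)
        for ln, piece in pieces:
            for fm in FIFO_RE.finditer(piece):
                f.fifo_sizes.append((ln, int(fm.group(1))))
            if DB_PARSER_RE.search(piece) and not INJECT_RE.search(whole):
                f.db_parsers_without_inject.append(ln)
    return f


def review(f: Findings) -> List[str]:
    """Turn findings into the notes to settle before raising @version to 3.3."""
    notes = []
    if f.version != "3.3":
        notes.append(f"@version is {f.version or 'missing'}; the 3.3 warnings keep appearing until it is raised")
    for ln in f.db_parsers_without_inject:
        notes.append(f"line {ln}: db-parser() without inject-mode(); the default changes from internal "
                     f"to pass-through in 3.3, add inject-mode(internal) to keep the old behaviour")
    for ln, val in f.fifo_sizes:
        notes.append(f"line {ln}: explicit log_fifo_size({val}) overrides the default, "
                     f"so the new 10000 default does not apply here")
    for ln in f.commented_hits:
        notes.append(f"line {ln}: keyword appears only in a comment; no effect")
    return notes


if __name__ == "__main__":
    for note in review(audit_config(SAMPLE_CONF)):
        print(note)
```

Run against a real file with `review(audit_config(open("/etc/syslog-ng/syslog-ng.conf").read()))`; an empty list means the only remaining step is the `@version` bump, while each `db-parser()` note points at a statement whose behaviour would silently change with the new default.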

Doug Burks

Jul 14, 2015, 6:19:09 AM
to securit...@googlegroups.com
On Mon, Jul 13, 2015 at 10:55 AM, Pete <peti...@gmail.com> wrote:
> On Thursday, 2 July 2015 06:33:30 UTC-4, Shane Castle wrote:
>> On 7/1/2015 21:11, Ryan John Peck wrote:
>> > WARNING: global: the default value of log_fifo_size() has changed to 10000 in version 3.3 to reflect log_iw_size() changes for tcp()/udp() window size changes;
>> > WARNING: The default behaviour for injecting messages in db-parser() has changed in version 3.3 from internal to pass-through, use an explicit inject-mode(internal) option for old behaviour;
>>
>> As far as I know, these are general messages that are printed pointing
>> to two of the major changes between 3.2 and 3.3, but they may be used in
>> the config file. I don't have access to a SO system right now to check.
>
> Shane, if you haven't had a chance to look into this yet, here are the only hits I got for the two keywords mentioned:
>
> #destination d_net { tcp("127.0.0.1" port(1000) authentication(on) encrypt(on) log_fifo_size(1000)); };
>
> parser p_db {
> db-parser(file("/opt/elsa/node/conf/patterndb.xml"));
> };
>
> The first is commented out, and the second is in the p_db function that is called as part of the log section where all the bro files are sourced. I don't speak syslogeese, so don't know the effects of it, but I can verify that changing the version to 3.3 at the top of the file does eliminate the warnings...

I've created the following issue:

securityonion-elsa-extras: set version 3.3 in syslog-ng.conf #776
https://github.com/Security-Onion-Solutions/security-onion/issues/776
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com