Bug 34863 - Unreliable rsyslog transport loses log messages.
Unreliable rsyslog transport loses log messages.
Status: CLOSED FIXED
Product: Univention Corporate Client (UCC)
Classification: Unclassified
Component: Client management
unspecified
Other Linux
: P5 normal
: UCC 2.0
Assigned To: Janek Walkenhorst
Moritz Muehlenhoff
: interim-3
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-05-16 16:33 CEST by Janek Walkenhorst
Modified: 2014-06-12 09:19 CEST (History)
1 user (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Janek Walkenhorst univentionstaff 2014-05-16 16:33:08 CEST
From rsyslog.conf(5):

= Remote machine =
There  are  three  ways  to  forward message: the traditional UDP transport, which is extremely lossy but standard, the plain TCP based transport which loses messages only during certain situations but is widely available and the RELP transport which does not lose messages but is currently available only as  part  of rsyslogd 3.15.0 and above.

To forward messages to another host via UDP, prepend the hostname with the at sign ("@"). To forward it via plain tcp, prepend two at signs ("@@"). To  forward via RELP, prepend the string ":omrelp:" in front of the hostname.

The template:
 /etc/univention/templates/files/etc/rsyslog.d/100-ucc.conf
contains:
 print "*.* @%s:514" % syslogServer
which results in UDP transport being configured:
 *.* @10.200.12.180:514
.

Using the RELP should be investigated because log entries being lost (without indication) goes against the reason for logs.
Comment 1 Janek Walkenhorst univentionstaff 2014-05-19 12:02:59 CEST
The following configuration needs to be done:

Change /etc/rsyslog.d/ucc.conf to be:
  $ModLoad imrelp
  $InputRELPServerRun 514
  $template DynaFile,"/var/log/univention/ucc-clients/syslog-%HOSTNAME%.log"
  :inputname, isequal, "imrelp" ?DynaFile
  & ~

Change firewall rule to allow TCP instead of UDP.

Change in /etc/univention/templates/files/etc/rsyslog.d/100-ucc.conf:
  if syslogServer:
      print "$ModLoad omrelp"
      print "*.* :omrelp:%s:514" % syslogServer

Install rsyslog-relp package on client and server.
Comment 2 Moritz Muehlenhoff univentionstaff 2014-05-19 12:07:13 CEST
Should be fixed to have complete syslogs
Comment 3 Janek Walkenhorst univentionstaff 2014-05-19 18:03:20 CEST
The package ucc-pxe-boot now depends on rsyslog-relp and configures rsyslog to listen for logs via RELP in addition to UDP.

The package univention-corporate-client now depends on rsyslog-relp and configures rsyslog to use RELP.

The package univention-ucc-initramfs now configures rsyslog to use RELP.
Comment 4 Moritz Muehlenhoff univentionstaff 2014-05-20 07:29:32 CEST
(In reply to Janek Walkenhorst from comment #3)
> The package ucc-pxe-boot now depends on rsyslog-relp and configures rsyslog
> to listen for logs via RELP in addition to UDP.

This broke the package installation since rsyslog-relp is only in unmaintained. The rsyslog binaries(and the librelp binaries) have been copied to the ucc-integration scope. Bug 34872 was filed for moving the package to maintained in UCS.
Comment 5 Moritz Muehlenhoff univentionstaff 2014-05-20 09:12:05 CEST
Both the client and the server package are now configured to use RELP. Confirmed via Wireshark (there's no dedicated RELP dissector, but the log TCP messages appear in the log). I've added a changelog entry.

The log messages are complete and cover the whole boot going back to the initial kernel bootup log:

May 20 08:54:12 thinthin kernel: [    0.000000] Initializing cgroup subsys cpuset
May 20 08:54:12 thinthin kernel: [    0.000000] Initializing cgroup subsys cpu
May 20 08:54:12 thinthin kernel: [    0.000000] Initializing cgroup subsys cpuacct
May 20 08:54:12 thinthin kernel: [    0.000000] Linux version 3.13.0-24-generic (buildd@komainu) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #47-Ubuntu SMP Fri May 2 23:31:42 UTC
 2014 (Ubuntu 3.13.0-24.47-generic 3.13.9)
May 20 08:54:12 thinthin kernel: [    0.000000] KERNEL supported cpus:
May 20 08:54:12 thinthin kernel: [    0.000000]   Intel GenuineIntel
May 20 08:54:12 thinthin kernel: [    0.000000]   AMD AuthenticAMD
May 20 08:54:12 thinthin kernel: [    0.000000]   NSC Geode by NSC
May 20 08:54:12 thinthin kernel: [    0.000000]   Cyrix CyrixInstead
May 20 08:54:12 thinthin kernel: [    0.000000]   Centaur CentaurHauls
May 20 08:54:12 thinthin kernel: [    0.000000]   Transmeta GenuineTMx86
May 20 08:54:12 thinthin kernel: [    0.000000]   Transmeta TransmetaCPU
May 20 08:54:12 thinthin kernel: [    0.000000]   UMC UMC UMC UMC
May 20 08:54:12 thinthin kernel: [    0.000000] e820: BIOS-provided physical RAM map:
May 20 08:54:12 thinthin kernel: [    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009e7ff] usable
May 20 08:54:12 thinthin kernel: [    0.000000] BIOS-e820: [mem 0x000000000009e800-0x000000000009ffff] reserved
May 20 08:54:12 thinthin kernel: [    0.000000] BIOS-e820: [mem 0x00000000000d2000-0x00000000000d3fff] reserved
Comment 6 Moritz Muehlenhoff univentionstaff 2014-06-12 09:19:56 CEST
UCC 2.0 has been released:
 http://docs.univention.de/release-notes-ucc-2.0.html

If this error occurs again, please use "Clone This Bug".