Bug 34863 – Unreliable rsyslog transport loses log messages.

Bug 34863 - Unreliable rsyslog transport loses log messages.


Summary:	Unreliable rsyslog transport loses log messages.

Status:	CLOSED FIXED

Product:	Z_Univention Corporate Client (UCC)
Classification:	Unclassified
Component:	Client management
Version:	unspecified
Hardware:	Other Linux

Importance:	P5 normal
Target Milestone:	UCC 2.0
Assigned To:	Janek Walkenhorst
QA Contact:	Moritz Muehlenhoff

URL:
Keywords:	interim-3

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2014-05-16 16:33 CEST by Janek Walkenhorst
Modified:	2014-06-12 09:19 CEST (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Janek Walkenhorst

2014-05-16 16:33:08 CEST

From rsyslog.conf(5):

= Remote machine =
There  are  three  ways  to  forward message: the traditional UDP transport, which is extremely lossy but standard, the plain TCP based transport which loses messages only during certain situations but is widely available and the RELP transport which does not lose messages but is currently available only as  part  of rsyslogd 3.15.0 and above.

To forward messages to another host via UDP, prepend the hostname with the at sign ("@"). To forward it via plain tcp, prepend two at signs ("@@"). To  forward via RELP, prepend the string ":omrelp:" in front of the hostname.

The template:
 /etc/univention/templates/files/etc/rsyslog.d/100-ucc.conf
contains:
 print "*.* @%s:514" % syslogServer
which results in UDP transport being configured:
 *.* @10.200.12.180:514
.

Using the RELP should be investigated because log entries being lost (without indication) goes against the reason for logs.

Comment 1 Janek Walkenhorst

2014-05-19 12:02:59 CEST

The following configuration needs to be done:

Change /etc/rsyslog.d/ucc.conf to be:
  $ModLoad imrelp
  $InputRELPServerRun 514
  $template DynaFile,"/var/log/univention/ucc-clients/syslog-%HOSTNAME%.log"
  :inputname, isequal, "imrelp" ?DynaFile
  & ~

Change firewall rule to allow TCP instead of UDP.

Change in /etc/univention/templates/files/etc/rsyslog.d/100-ucc.conf:
  if syslogServer:
      print "$ModLoad omrelp"
      print "*.* :omrelp:%s:514" % syslogServer

Install rsyslog-relp package on client and server.

Comment 2 Moritz Muehlenhoff

2014-05-19 12:07:13 CEST

Should be fixed to have complete syslogs

Comment 3 Janek Walkenhorst

2014-05-19 18:03:20 CEST

The package ucc-pxe-boot now depends on rsyslog-relp and configures rsyslog to listen for logs via RELP in addition to UDP.

The package univention-corporate-client now depends on rsyslog-relp and configures rsyslog to use RELP.

The package univention-ucc-initramfs now configures rsyslog to use RELP.

Comment 4 Moritz Muehlenhoff

2014-05-20 07:29:32 CEST

(In reply to Janek Walkenhorst from comment #3)
> The package ucc-pxe-boot now depends on rsyslog-relp and configures rsyslog
> to listen for logs via RELP in addition to UDP.

This broke the package installation since rsyslog-relp is only in unmaintained. The rsyslog binaries(and the librelp binaries) have been copied to the ucc-integration scope. Bug 34872 was filed for moving the package to maintained in UCS.

Comment 5 Moritz Muehlenhoff

2014-05-20 09:12:05 CEST

Both the client and the server package are now configured to use RELP. Confirmed via Wireshark (there's no dedicated RELP dissector, but the log TCP messages appear in the log). I've added a changelog entry.

The log messages are complete and cover the whole boot going back to the initial kernel bootup log:

May 20 08:54:12 thinthin kernel: [    0.000000] Initializing cgroup subsys cpuset
May 20 08:54:12 thinthin kernel: [    0.000000] Initializing cgroup subsys cpu
May 20 08:54:12 thinthin kernel: [    0.000000] Initializing cgroup subsys cpuacct
May 20 08:54:12 thinthin kernel: [    0.000000] Linux version 3.13.0-24-generic (buildd@komainu) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #47-Ubuntu SMP Fri May 2 23:31:42 UTC
 2014 (Ubuntu 3.13.0-24.47-generic 3.13.9)
May 20 08:54:12 thinthin kernel: [    0.000000] KERNEL supported cpus:
May 20 08:54:12 thinthin kernel: [    0.000000]   Intel GenuineIntel
May 20 08:54:12 thinthin kernel: [    0.000000]   AMD AuthenticAMD
May 20 08:54:12 thinthin kernel: [    0.000000]   NSC Geode by NSC
May 20 08:54:12 thinthin kernel: [    0.000000]   Cyrix CyrixInstead
May 20 08:54:12 thinthin kernel: [    0.000000]   Centaur CentaurHauls
May 20 08:54:12 thinthin kernel: [    0.000000]   Transmeta GenuineTMx86
May 20 08:54:12 thinthin kernel: [    0.000000]   Transmeta TransmetaCPU
May 20 08:54:12 thinthin kernel: [    0.000000]   UMC UMC UMC UMC
May 20 08:54:12 thinthin kernel: [    0.000000] e820: BIOS-provided physical RAM map:
May 20 08:54:12 thinthin kernel: [    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009e7ff] usable
May 20 08:54:12 thinthin kernel: [    0.000000] BIOS-e820: [mem 0x000000000009e800-0x000000000009ffff] reserved
May 20 08:54:12 thinthin kernel: [    0.000000] BIOS-e820: [mem 0x00000000000d2000-0x00000000000d3fff] reserved

Comment 6 Moritz Muehlenhoff

2014-06-12 09:19:56 CEST

UCC 2.0 has been released:
 http://docs.univention.de/release-notes-ucc-2.0.html

If this error occurs again, please use "Clone This Bug".