app-admin/syslog-ng-3.0.4 permanently takes 100% CPU, making it unusable.

Use tags:

# equery u app-admin/syslog-ng
[ Searching for packages matching app-admin/syslog-ng... ]
[ Colour Code : set unset ]
[ Legend : Left column (U) - USE flags from make.conf ]
[ : Right column (I) - USE flags packages was installed with ]
[ Found these USE variables for app-admin/syslog-ng-3.0.4 ]
U I
- - caps : Use Linux capabilities library to control privilege
- - hardened : activate default security enhancements for toolchain (gcc, glibc, binutils)
- - ipv6 : Adds support for IP version 6
+ + pcre : Adds support for Perl Compatible Regular Expressions
- - selinux : !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
- - spoof-source : Enable support for spoofed source addresses
- - sql : Enable support for SQL destinations
+ + ssl : Adds support for Secure Socket Layer connections
- - static : !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
- - tcpd : Adds support for TCP wrappers
Created attachment 213587 emerge --info
Did you try converting /etc/syslog-ng/syslog-ng.conf to the 3.0 format? You can use `syslog-ng -sf /etc/syslog-ng/syslog-ng.conf' to check the configuration. In my experience that usually solves the problem. Still assigning this one because I think a tweak to the init.d script might help find this kind of problem before syslog-ng is actually run.
I did convert the config file to the new format.

Configuration check does generate a warning:

# syslog-ng -sf /etc/syslog-ng/syslog-ng.conf
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;

However, exactly the same warning is generated if the configuration check is done on one of the sample files installed as a part of the app-admin/syslog-ng-3.0.4 package:

# syslog-ng -sf /tmp/syslog-ng.conf.gentoo.hardened.3.0
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;

Attaching my syslog-ng.conf file.
Created attachment 213651 syslog-ng.conf
Nothing jumps out at me from looking at your config. A couple of things to try: give 3.0.5 a shot and see if it still happens. If it still doesn't work correctly, post your config to the syslog-ng mailing list (https://lists.balabit.hu/mailman/listinfo/syslog-ng) and see if upstream can help.
What if you substituted file for pipe? I've seen at least two systems that had the CPU usage problem that got fixed by s|pipe|file|.
Could you please give an example of using pipes that might fix the CPU usage?
(In reply to comment #4)
> Created an attachment (id=213651)
> syslog-ng.conf
>

Please try out with the following modifications.

-#destination console_all { file("/dev/console"); };
-destination console { pipe("/dev/console"); };
+destination console_all { file("/dev/console"); };

Tell me if it helps.
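Review bot: the removed line defines destination console while the added line defines only console_all, so a log statement that still refers to destination(console) would be left pointing at a name that no longer exists. Either keep the name console and change only pipe to file, or update the log statements that use it in the same change, then re-run the check with syslog-ng -sf /etc/syslog-ng/syslog-ng.conf before restarting the daemon.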
(In reply to comment #3)
> I did convert the config file to the new format.
>
> Configuration check does generate a warning:
>
> # syslog-ng -sf /etc/syslog-ng/syslog-ng.conf
> WARNING: the match() filter without the use of the value() option is deprecated
> and hinders performance, please update your configuration;
>
> However, exactly the same warning is generated if the configuration check
> is done on one of the sample files installed as a part of
> app-admin/syslog-ng-3.0.4 package:
>
> # syslog-ng -sf /tmp/syslog-ng.conf.gentoo.hardened.3.0
> WARNING: the match() filter without the use of the value() option is deprecated
> and hinders performance, please update your configuration;
>
> Attaching my syslog-ng.conf file.
>

Note that in syslog-ng version 2.1 and earlier, the match() filter was applied only to the text of the message, excluding the headers. This functionality has been moved to the message() filter. So in this case you can simply change the match() filter to the message() filter.
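An added example, not part of the comment above or of syslog-ng itself: a small Python check that reports match() filters written without value(), the form the warning refers to, and pipe() destinations on /dev/console, the target of the workaround earlier in the thread. The sample configuration is constructed, and the function and rule names are hypothetical.

```python
import re

# Constructed sample in syslog-ng 3.0 syntax; not the reporter's attachment.
SAMPLE_CONF = r'''@version: 3.0
source src { unix-stream("/dev/log"); internal(); };
destination console { pipe("/dev/console"); };
destination xconsole { pipe("/dev/xconsole"); };
#destination console_all { pipe("/dev/console"); };
filter f_failed { match("(failed|denied) #1"); };
filter f_su { match("su\(pam_unix\)"
                    value("MESSAGE")); };
filter f_segv { message("segfault"); };
'''

def skeleton(conf):
    """Blank '#' comments and string contents; every offset is preserved."""
    def blank(m):
        s = m.group()
        return '"' + " " * (len(s) - 2) + '"' if s[0] == '"' else " " * len(s)
    return re.sub(r'"(?:\\.|[^"\\])*"|#[^\n]*', blank, conf)

def call_args(skel, start):
    """Return the text inside the call whose '(' sits at offset start."""
    depth = 0
    for i in range(start, len(skel)):
        depth += {"(": 1, ")": -1}.get(skel[i], 0)
        if depth == 0:
            return skel[start + 1:i]
    return skel[start + 1:]

def lint(conf):
    """Return sorted (line, rule) findings for the two patterns in the thread."""
    skel, found = skeleton(conf), []
    for m in re.finditer(r"\bmatch\s*\(", skel):
        # match() may span lines; value() has to appear inside the same call.
        if not re.search(r"\bvalue\s*\(", call_args(skel, m.end() - 1)):
            found.append((conf.count("\n", 0, m.start()) + 1, "match-without-value"))
    for m in re.finditer(r'\bpipe\s*\(\s*"', skel):
        # The path is read from the original text at the same offset.
        if conf.startswith('/dev/console"', m.end()):
            found.append((conf.count("\n", 0, m.start()) + 1, "pipe-dev-console"))
    return sorted(found)

if __name__ == "__main__":
    for line, rule in lint(SAMPLE_CONF):
        print(f"line {line}: {rule}")
```

Because match() in 3.0 no longer means what it meant in 2.1, a filter reported here should be reviewed for what it selects after the upgrade, not only for the performance warning.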
(In reply to comment #8)
> (In reply to comment #4)
> > Created an attachment (id=213651)
> > syslog-ng.conf
> >
>
> Please try out with the following modifications.
>
> -#destination console_all { file("/dev/console"); };
> -destination console { pipe("/dev/console"); };
> +destination console_all { file("/dev/console"); };
>
> Tell me if it helps.
>

I forgot to say that this is just a workaround. A fix for this issue is already in Balabit's repo, but it isn't released yet; however, you could try to backport the commit to 3.0.4 and 3.0.5. It is just a one-liner. The commit is here: http://git.balabit.hu/?p=bazsi/syslog-ng-3.0.git;a=commitdiff;h=81f27c22e3f6b0f8f6148bdc6e98d1491b80d128
It is fixed in 3.0.6 and 3.1.1, which are in the tree now.
Indeed.