Bazsi's Home Automation blog

I like christmas for a number of reasons: in addition to the traditional "meet and have fun with your family", eat lots of delicious food and so on, I like it because this is the season of the year when I have some time to do whatever I feel like. This year I felt like doing some syslog-ng performance analysis. After reading Ulrich Deppert's series about stuff "What every programmer should know about memory" on LWN, I thought I'm more than prepared to improve syslog-ng performance. Before going any further, I'd recommend this reading to any programmer, it's a bit long but every second reading it is worth it. As you need to measure performance in order to improve it, I wrote a tool called "loggen". This program generates messages messages at a user-specifyable rate. Apart from the git repository you can get this tool from the latest syslog-ng snapshots. Loggen supports TCP, UDP and UNIX domain sockets, so really almost everything can be me

We've been busy recently on the syslog-ng front. A new release came out from both the Open Source and Premium Editions, covering various bugfixes, the most important being a fix for an easy denial of service. Please upgrade to at least OSE 2.0.6 and PE 2.1.8, my bugtraq posting has more details. A new release from the syslog-ng documentation was also published, it contains a new chapter on losing messages and another one which explains the "Log statistics" message generated by syslog-ng. And since, I'm writing this entry I wanted to say "Merry Christmas" to all the readers of this blog: Marry Christmas and a Happy New Year. I'm spending the winter holiday with my wife and I'm going to travel a lot around the country to visit relatives. So I'm not sure I can be very productive in the coming days.

I've just seen a post on the loganalysis mailing list how easy it is to implement disk-based buffering with perl and a few hours time. The implementation would be as simple as sending the messages to a file and using a script like "tail -f" to follow the file and send messages to the desired log collectors. Although the scheme that was described would work, I see three important problems: latency: because the solution would work by polling the log file, the latency is severely increased, when you have thousands of log entries per second, a second is a long time. And you don't want to poll more often than every second. disk usage: relaying the data would store everything on the local disk, no upper bound on disk usage, if the disk is full, data is lost load: using an interpreted language and the requirement to store all data on disk puts an enormous load on the system that might be spent better elsewhere. Syslog-ng on the other hand uses a spool file, but this file

I was learning computer programming while at secondary school, at as a school assignment we had to create an accounting system on a venerable IBM 360. We had 386dx computers back then with 2MB RAM, the first Linux encounter at this time required me and my friend to put all of our RAM modules to a single computer to get 4 megs and make it suitable for Linux. This 360 machine had two CPUs, each the size of a large office desk, speed comparable to an 386, had 8MB of RAM. After getting used to the speed it provided (had 8 terminals on a 2400 baud modem) it was fun, completely different to the PCs we've had, but still, interesting. Some of this memories were brought back by our partnership with Patownsend & Associates , a US based company to deliver System i (formerly AS400) and System z (the mainframe) software. Our partnership focuses on the development of a Syslog agent for System i, this way we could extend our syslog-ng Premium Edition offering with support for IBM midrange s

I've started creating a public bugzilla installation for syslog-ng in the last couple of days, however I was interrupted before being to finish it all. I want to move all opened internal tickets to the public installation, but I only managed to review half of them. Not that it is a large task, I just got distracted all the time by my fellow collegues and customers. But that's the life of a software developer, right? :) You can find this at http://bugzilla.balabit.com/ , although it is not yet officially announced. Once I'm done with reviewing/translating tickets, I'll send an official announcement to the mailing list.

As I announced on the syslog-ng mailing list, the official syslog-ng git repositry has moved and has become accessible using the more effective "git" protocol, instead of plain HTTP. The change has been described on the syslog-ng webpage , gitweb is also available.

I've just pushed out an update to syslog-ng, which contains various HP-UX fixes backported from the Premium Edition of syslog-ng. The GPL version of syslog-ng should now work flawlessly on HP-UX. There's one caveat though: there's a buggy system header in HP-UX and gcc 4.x fails to compile it. I copied this header to the gcc private include directory (/usr/local/lib/gcc/hppa2.0w-hp-hpux11.11/4.1.0/include on my system) and applied the following patch: 438a439 > #ifndef _APP32_64BIT_OFF_T 442a444 > #endif (HP-UX diff does not know how to produce unified diffs), the point is that there are two conflicting declarations of a function and the preprocessor conditional above fixes that. Once this patch is in place, and you have the proper build dependencies syslog-ng works fine on HP-UX. As I've just pushed these changes to my git repository, you'll need to wait for another day to get a daily snapshot. But hey "git" is what the pros use :)

Apart from the previous entry I was not posting to this blog for two months. The reason was that I was heavily involved in the development of BalaBit Audit Player, a graphical application to replay RDP/SSH sessions, recorded by our SCB product . BAP became much larger than I originally expected, it's about 20k lines of code, and the end of the development was done in a rush to meet our deadline of Sep 1, 2007. We've slipped a couple of days, but we've released BAP 2.0.0 on 7th September. Then I spent a week in Karlsruhe on the 5th Netfilter Developer's Workshop. I returned to Hungary on Friday, I'm spending the weekend with my parents, and hopefully I can be more active on other things, like the syslog-ng mailing list, or this blog. :) A release of syslog-ng GPL is long due, hopefully I can prepare it next week. I'll also need to schedule some syslog-ng development time as there are some open feature requests by customers.

I've just returned from this year's Netfilter Developer's Workshop , this time held in Karlsruhe, Germany. This year's workshop was the fifth such event, and this time even David S. Miller was there. All in all the organization was wonderful, kudos to the Astaro guys. We've had about 30 attendants, the largest workshop ever. You can read more about the workshop at http://nfws.inl.fr/en/ Krisztian Kovacs and me were trying to push our TProxy4 patches for merging, the future for tproxy seems bright, as everyone was positive. We also have some other, minor patches in the queue, I'm working on finalizing them and submit them for inclusion. These are: SO_MARK socket option to be able to specify the mark field of outgoing packets, generated sent from a given socket an extension to the "addrtype" match to limit the match to the incoming interface the notion of interface groups , that make it possible to match a group of similar interfaces As always, it was

I was spending the last couple of hours to implement a simple SFTP proxy, that is capable of logging file transfers, into our Shell Control Box product line. The core idea behind SCB is to perform RDP/SSH screening independently from the end-systems. This SFTP functionality will be a small bonus: in addition to dumping the SSH traffic to an audit trail, we are going to be able to write log transactions to syslog, which is way easier to analyse, if all you want to know is the list of files accessed via SFTP. I originally thought that SFTP was as simple as FTP, with a transaction being a complete file transfer. On the contrary, SFTP is much closer to NFS (and other network file system protocols) in spirit: in FTP you have a "RETR" command that fetches a complete file, in SFTP you need to open the file and read it separately using a series of "READ" commands. Now I understand how sshfs is possible. I thought I'd let you know :) By the way, syslog-ng 2.0.5 has be

Things were progressing steadily on the syslog-ng front. About 4 weeks ago I released syslog-ng Premium Edition 2.1.5 which was the first version with integrated SQL support. Since then the first production deployments of PE have been done, shaking out some newly introduced bugs in the process (thus the releases 2.1.5a - 2.1.5d). Disk buffering works nicely, especially when combined with the new rate-limit option (throttle), if your backend systems are calibrated to a given rate of incoming messages, syslog-ng can ensure that the limit is never exceeded. Whenever bursts end, syslog-ng feeds the messages towards the back-end systems in their idle time. This introduced some latency though. I've started working on support for the new syslog-protocol work in IETF, but nothing is ready yet. After this is finished, I'm planning to release syslog-ng 2.1 under the GPL license, with some of the new features added. The GPLd branch also saw a couple of fixes, no release though. If you wan

I forgot to mention here that syslog-ng 2.0.4 was released about 10 days ago. Before making an upgrade, be sure to revalidate your max-connections() setting. As previous versions in the 2.0.x tree has failed to enforce this limit. Apart from the usual bunch of bug fixes, this release features case-insensitive regexps and the ability to track logrotated source files. Now you can actually track any log file, even if it is rotated automatically. We have also worked hard on the new syslog-ng webpage. Hopefully no information was lost during the transition. If you miss anything that was present on the old one and not available on the new, please let me know . I'm planning to set up a public bugzilla and a wiki for syslog-ng, so that it will have the standard infrastructure needed for a modern open source projects. Version control, bug tracking and Wiki. On the Premium Edition front, both the syslog-ng Agent program for Windows and syslog-ng has seen a public release. Check out the s

As the readers of this blog might know I've been working on persistent disk-buffering and SQL support recently. The configuration interface of the SQL destination became quite close to the description I gave in my last post . I think from the user side it is pretty neat, no need to rely on the mysql client program or to create "buffer files" that are later fed to the database server. You simply define an SQL destination and tables are created automagically with proper (possibly even disk-based) queueing, flow control and error handling. And by using libdbi we immediately have support for 4 or 5 different database servers. The implementation side was somewhat more intrusive however, the client libraries for various database servers use a blocking I/O model and syslog-ng was completely non-blocking until now. I had to create a separate thread for inserting records to tables, and there came some required changes to syslog-ng to support that: various reference counters and

Two blog spots in a row on two consecutive days, wow :) Things are happening fast these times. Because of my company's efforts to create a commercial fork of syslog-ng, I have somewhat more time to do syslog-ng hacking. This time I've finished persistent disk-buffering, an often requested feature to be released in the commercial version. It means that if a target server is down, then in addition to the in-memory buffers, syslog-ng is able to store messages in a disk-based queue until the connection is restored. What's more, this queue is persistent and syslog-ng keeps its contents accross restarts. One less reason to keep logs locally. :) Next on my list is native SQL support, combined with this disk-buffer feature to cover times when the database is too slow processing INSERTs. I'm thinking along the lines of: destination d_sql { sql(type(pgsql) host("loghost") user("syslog-ng") password("secret-password") database("logs"

We have been using GNU arch the last couple of years as a version control system, however Tom Lords' implementation does not scale well, and some of our software packages have 10 thousands of commits. This means that a single commit operation may take _minutes_. It is awful to wait so much time for a single commit, and it really degrades productivity. I was considering Mercurial, Bazaar-NG and git, however this was not an easy decision, as the "modern" version control systems promote the use of branches over anything else, and our current version control model relied on cherry-picking heavily: developer commits the solution for each bug separately to his/her branch QA people pick patches from developer branches and integrate them to a 'test' branch, once the test was successful, release manager picks patches from the 'test' branch and integrates to mainline, if he doesn't find anything odd during review This worked wonderfully in GNU arch, but new VC s

I've just finished preparations for the release of syslog-ng 2.0.3 and now I consider the 2.0.x branch feature complete. As far as I know there's no feature that was present in 1.6.x and missing from the 2.0.x rewrite. The last missing bits were spoof-source and TCP wrapper support, but as those are present in 2.0.3 I consider syslog-ng 2.0 feature complete. I don't plan to add further code that would cause destabilization. Now some plans about the newly opened 2.1 branch: we (as BalaBit) played with an idea of creating a commercial fork of syslog-ng which could increase the amount of resources that I can allocate to developing syslog-ng code. From 2.1 on, two parallel editions of syslog-ng will become available: syslog-ng 2.1 Open Source Edition: the same as syslog-ng 2.0, available under the GPL syslog-ng 2.1 Premium Edition: a commercial fork of syslog-ng, The two releases will be produced from the same source tree with some of the commercial functionality stripped duri

As a commenter missed spoof-source support from 2.0, I got my act together for an afternoon hacking session and implemented it in the 2.0.x tree. The packet generation for IPv4 packets was straightforward, I could simply "forward-port" it from 1.6.x, after creating the proper place for it in the 2.0.x tree. IPv6 support was a bit more difficult as libnet has a nasty bug with IPv6 and UDP. I was looking at my code for hours, when I tried Google codesearch to check whether I was doing something wrong. Then I've found this . Note the comment above the libnet_build_ipv6() call. I also disabled UDP checksumming and now it works like a charm. The last libnet release was almost 3 years ago, it is not reassuring that its webpage is also down. Too bad, libnet is a fine piece of software, but now as its website is down where can I point syslog-ng users to download libnet from? By the way, I did not announce syslog-ng 2.0.2 here, it was released about a week ago. Nothing fancy, pri

It's been a while since I last posted here. The reason is simple: work and the lack of time. OK, I know, people have time for what they want, but: * We are launching a nifty new product based on Zorp, but with a much tighter focus. A device capable of recording and replaying SSH sessions for audit purposes. * We have decided to migrate from C to C++ for our management interface, as it seems Gtk+ style OO programming in C really requires a skill, and a lot of developers don't have that. C++ holds their hands somewhat. Thus, I've been refreshing my C++ skills and learning gtkmm while writing a prototype. * and of course the "usual" amount of work. I've tried to provide timely response on the syslog-ng mailing list. I'm sorry if you didn't receive an answer/patch from me in time. By the way I released syslog-ng 2.0.2 yesterday. Nothing really important, some portability fixes, some usertty fixes and an option missed in the 1.6.x -> 2.0.x change. Anot