Posts

Posted on

a logging appliance

The IT world is increasingly turning towards appliances: pre-configured systems, which do exactly one job an do it well. Like a household appliance, all you need to do is plug it into your infrastructure, maybe change a setting or two and you are ready to go. While previously appliances always had a co-notation of a hardware box being delivered, the increasing popularity of virtualization enables to build pure software appliances.

One of the things we intend to investigate is create a logging appliance, using VMWare tools. We will set up a standard Linux, use MySQL and Apache with it and install rsyslog and phpLogCon. That in a “ready to use” fashion where only the devices need to be pointed to the right IP address of this virtual box.

This is one of my next projects and feedback on such an effort is very much appreciated.

Posted on

Software hack e-gold download free

Hey, am I getting spammy? Have I been hacked? Or do I change the profession and become a top-notch e-gold hacker? lol… nice idea. But no, not really. But have a look at this post:

Download now : [some random crappy free webhost]

Send us an e-mail ,we will send you the working copy of software & as soon as you make the payment e-gold $50 1234567.We will give you the password .

Get the copy today

GoldTresor is a known software in E-Gold accessing since 2002. Now our software is very stronger than before. It accesses any E-Gold account in a few minutes and give you some ability such as transfer balance or know passphrase. Generally GoldTresor is used for those who forgot their passphrase. Also in new feature of E-Gold site that named AccSent, if you forgot your e-mail or you can’t access e-mail account, this software helps you to find your e-mail address or transfer balance to other account.

Thank you very much
[some random gmail address]

In a conversation I had with a friend of mine who runs the syslog.org forum He pointed me to his site statistics: http://www.syslog.org/forum/index.php?action=stats. While we were talking about site usage, the top notch content item of this deeply technical site drew my attention. It is the spam you can see above.

Mutex, the site owner, once decided keep a sample of the what the forum spammer left for him. Very interestingly, over time this seems to have been evolved into a the top page for egold hack downloads. At least if you do a google search “hack egold download”, his syslog site is right there in the top spot of the search results.

And what I find really interesting is that this spam accounts for nearly 10% of a quality site’s traffic – a leftover just to show off the spammers. And, no, I don’t think he gains much from that traffic, at least I tend to think that folks looking to break into e-gold suddenly turn out to be interested in the beauty of syslog ;)

Posted on

Hubble “Repair” looks good

It looks good for the Hubble space telescope. According to the NASA web site (quote below), the switch to a backup system looks promising. With that, hubble could operate while the ground folks prepare final repair plans. Repairs are scheduled to be carried out as part of the space shuttle’s hubble servicing missing, which now tenatively has been moved to mid-February (some sources say Feb, 17th 2009).

From the NASA site:

The Hubble Space Telescope team completed switching the required hardware modules to their B-sides about 9:30 a.m. this morning and received telemetry that verified they had good data. Everything at this point looks good.

The 486 computer on Hubble was reloaded with data around noon and successfully performed a data dump back to the ground to verify all the loads were proper. At 1:10 p.m. this afternoon the team brought Hubble out of safe mode and placed the 486 computer back in control. Late this afternoon, Gyro #4 (which was needed for safe mode) will be turned off.

The team will reconfigure Side B of the Science Instrument Command & Data Handling (SIC&DH) computer later today and verify it is functioning properly.

Around 6 p.m. this evening the spacecraft will begin executing a pre-science command load, which involves sending normal commands to control the spacecraft and resume communications satellite tracking with the HST high gain antennas.

“We won’t know if we’ve been completely successful until around midnight Wednesday when we demonstrate that the SIC&DH Side B is talking to the instruments and able to pass data to the ground,” said HST Operations Deputy Project Manager Keith Kalinowski at NASA’s Goddard Space Flight Center in Greenbelt, Md.

Posted on

Expedition 18 on the Way to ISS

A new crew that will live and work aboard the International Space Station rocketed into orbit early Sunday aboard a Soyuz spacecraft. U.S. astronaut E. Michael Fincke, Russian cosmonaut Yury Lonchakov and Richard Garriott, a U.S. computer game developer, lifted off from the Baikonur Cosmodrome in Kazakhstan at 2:01 a.m. CDT.

Fincke, the only American to launch twice on a Soyuz, will serve as commander of the six-month Expedition 18 mission. The mission’s main focus will be preparing the station to house six crew members on long-duration missions.

The Expedition 18 crew is scheduled to arrive at the station Tuesday, with docking to the Zarya module scheduled for 3:33 a.m. After the hatches are opened, Expedition 17 Commander Sergey Volkov and spaceflight participant Garriott will become the first children of previous space fliers to greet each other in orbit. Garriott is the son of former NASA astronaut Owen Garriott, who was a member of the Skylab-3 crew in 1973. Volkov is the son of veteran cosmonaut Alexander Volkov, who flew three Soyuz missions.

Garriott will spend nine days on the station under a commercial agreement with the Russian Federal Space Agency. He will return to Earth on Oct. 23 with Volkov and Expedition 17 Flight Engineer Oleg Kononenko, who have worked aboard the station since April 10.

Expedition 17 Flight Engineer Greg Chamitoff, who arrived at the station in June, will be replaced in November by NASA astronaut Sandra Magnus. Space shuttle Endeavour will deliver Magnus and return Chamitoff to Earth.

Endeavour’s November STS-126 mission also will deliver equipment to the station necessary for supporting a six-member crew, including a water recycling system, sleeping quarters, a new kitchen, a second toilet, and an advanced exercise device.

Although they will be in space on Election Day, Chamitoff and Fincke have arranged for the chance to cast their ballots from the station.

Reproduced from JSC News. To obtain it directly, follow the procedure outlined below:

NASA Johnson Space Center Mission Status Reports and other information are available automatically by sending an Internet electronic mail message to listserv@listserver.jsc.nasa.gov. In the body of the message (not the subject line) users should type “subscribe hsfnews” (no quotes). This will add the e-mail address that sent the subscribe message to the news release distribution list. The system will reply with a confirmation via e-mail of each subscription. Once you have subscribed you will receive future news releases via e-mail. To unsubscribe, send an e-mail to listserv@listserver.jsc.nasa.gov with the following command in the body of your e-mail message: “unsubscribe hsfnews” (no quotes) or from another account, besides the account used to subscribe: “unsubscribe hsfnews youremail@yourdomain.com” (no quotes).

Posted on

rsyslog work

I have not blogged that much the past weeks. Rsyslog work is still progressing quite nicely. I am currently working on (large) performance enhancements. Thanks to David Lang for his help on this topic.

I am also hunting another threading bug. This one manifests only when running on high-end hardware and seems to have to do with synchronization. Interestingly, the problem does not show up under valgrind (a memory and threading debugger), which usually points to flaws very well. Hard to find… Especially hard to find because I do not have the right hardware to reproduce it. I managed to get a faster box last week, but still it is not fast enough (and does not have enough cores…) to reliably trigger the problem. Since them, I have seen it a couple of times, but no indication yet of what is going on.

Also, I need to help some other Adiscon projects and do a bit of my consulting chores, so that the time allocated to rsyslog is a bit limited. But, hey, I have worked nearly full time on it this year and it has evolved very well. So I don’t think it is a problem going at a somewhat lower pace for the time being (plus, of course, I hope some other sources of funding will appear which enable me to go back to “full time rsyslog” mode).

In any case, the future has exciting things to come up with. I personally would like to see a customizable message parser, which would enable users to work with different sender formats at the same time.

Posted on

rsyslog and SuSe Linux

I got good news but I unfortunately forgot to blog about it (it has been soooo busy the past weeks…).

Suse now is doing an official rsyslog package. With that, I think there is now a rsyslog package for almost all major distributions available. Unfortunately, some of the current distributions do not have a good one, but it the next version will have. So over time things will be much better.

For now, let’s welcome Novell/SuSe Linux to the camp of those that natively support rsyslog :)

Posted on

Hubble Servicing Missing Postponed

Finally, I can come back to look a bit more at my space interests. My rsyslog project kept me so busy that I couldn’t follow space as much as I liked.

The first thing I see is that the Hubble Servicing missing has been postponed. There is a problem with a critical component inside HST, which, if not fixed, causes fatal problems. Thankfully, the faulty element is designed so that it can be replaced during a servicing mission. Also it was great luck that the component failed now, and not after the (final) hubble servicing mission.

The HST flight has been postponed to early 2009 (NASA tells mid-February as a “no earlier than” date) so that analysis can be completed and repair procedures be created.

As bad as it was, last year’s flight delays now have helped saved Hubble! Why? Simply: if not for the delays, the hubble servicing mission would already have been flown by the time the component failed. That would have been the death of hubble. So bad luck sometimes turns into good luck again :)

Posted on

syslog fragmentation

Hi all, I was asked about the current (and past) state of syslog splitting a single syslog message into multiple smaller messages. The question came up because of a broken syslogd implementation which permits to receive 256 bytes (octets) at most. I thought I re-post my reply to the blog as it may be of interest for you, too. Here we go:

Hi all,

I have now reviewed all of the discussion.

Let me start with the broken receiver. With 255 octets, any (generic)
fragmentation method would need to be ultra-compact which of course is
doable but not (with reasonable overhead) in the context we set up with
the version of syslog-protocol that will turn into a normative RFC.
Note, also, that RFC3164 will be superseded by that RFC once it is out.

As has been described here, fragmentation can either be done at the
protocol layer or at the application layer. In the later case, the
application needs to consider a sensible maximum and needs to emit
message sequences which are somewhat atomic. sendmail seems to do that,
and I know of some other examples, too. Some database servers seem to do
verbose logging in a similar way, in that they log parts of the
statement within different log messages. However, it is often quite
complicated to re-unite those application logs to the original message
(much of the complexity of log analysis stems from that).

A protocol based approach solves these issues. But as it has been
rejected by the syslog-sec WG it is not considered useful by the IETF
syslog community. We may want to try give it another shot, but that
should be done inside the framework layed out in the new IETF series and
as such it would not be a good solution for a broken receiver. Actually,
the new RFC series requires a minimum maximum length of 480 octets
(stemming back to IPv4 UDP available payload size). The recommended
minimum maximum length is 2K and more is permitted if sender and
receiver support it. There is no upper limit per se, but a receiver may
either truncate the message or even discard it as whole. If truncation
happens, it must truncate at the end and without paying any attention to
syntax and semantics of the message. This is specified in [1]’s section
6.1 and it was the result of very elaborate discussions. Most
importantly, the syntax- and semantic-agnostic truncation was a
requirement out of this discussion.

As Tina mentioned, my company Adiscon and me personally are doing
Windows event log to syslog conversion for quite a while. Windows event
messages can be large and keep growing larger. We are converting them to
syslog for over 10 years now and at the time we started the only common
ground was the 1K limit already mentioned. Note that at that time some
implementations could experience serious malfunction if messages over
this size arrived (I remember the Solaris syslogd immediately
segfaulting as one sample of more). We thought about how to best address
the issue. We were tempted to do an app-level split, much as sendmail
does, but refused to do that for two reasons:

1) the messages to be logged did not originate from ourselves (other
than in the sendmail case). This implies that we do not exactly know
what makes sense to put together. While there is a potentially large set
where this can be properly concluded from context, there is also a set
where this is not the case. The later would have required a more
protocol-like generic approach and thus specialised parsers on the end
systems – something we did not really like.

2) this is somewhat similar to the parser problem. In general, log
analysis is even harder if a single logical log entry is distributed
over several physical records. Especially if you take into account that
the order of appearance does not necessarily (in practice almost never)
reflect the order of creation. So processing such a log requires a
consolidation phase. It is especially hard for a human reviewer do this
while reviewing logs and thus considered a big disadvantage.

So we looked at what was available at that time. While the 1K size limit
was universally accepted, most syslog receivers either supported larger
sizes by default, could configured to do so or being recompiled to
handle it (sysklogd, the then-omnipresent syslogd on Linux is a premier
example for the later – #define MAXLINE 1024 needed to be changed and
you were basically done [within UDP constranints]). The real limit
turned out to be the UDP max size, 64K in theory but with different
default/hard coded limits in various stacks. In 2005 a did a bit
research[2] and found that 4K seems to be the typical real-world limit.
But even many years before, allmost every Windows event record fit into
4K (the exception being records with dumps in them…). Also, we already
had plain TCP-based syslog at that time, which did not experience any
size issues.

So the practical solution for our Windows to syslog size problem was
simply to ignore it and tell customers how to configure/recompile their
syslogd. That worked on Windows at least for WinSyslog and Kiwi Syslog.
and on the *nix side at least for sysklogd, syslog-ng, some variants I
don’t remember by name and now rsyslog. We recommended to switch to a
product that supported larger sizes where the stock solution did not do
that. Or we used interim, specialised, receivers who logged data into
separate databases or files.

When I was unable to convince the syslog-sec WG to specify fragmentation
as part of the syslog protocol itself, I was at least able to put that
spirit into the I-D: so we now have the ability to use large sizes if
everybody configures the systems correctly. Part of that spirit, funny
as it may sound, is to place important information early in the packet
as this improves chances it will actually be delivered.

I have to admit this is not a perfect way to do it, but at least it
works if everything is setup up correctly. The current main “problem” is
that RFC 3195 (somewhat vaguely) sets an upper limit of 1K for messages
and also does not talk about truncation. So if there is a RFC3195 system
inside a relay chain, the maximum size for the whole chain goes down to
1K – there is nothing we can do about this. This is also the reason why
a new revision of 3195 is needed. This is underway, as far as I know.
One should also note that this limitation is of no practical importance
for the time being (thus no real “problem”), because 3195 did not find
widespread support. To the best of my knowledge, the only commercially
available implementations are Cisco’s and ours with us also providing
the only (more or less, due to low priority) fully supported 3195
implementation inside an open source syslogd. There was SDSC syslog, but
the project is to the best of my knowledge no longer alive. It also
never spread to become the default syslogd on any important Linux
distribution and can be considered “exotic” at best.

I hope this description is useful for you. The bottom line is that there
is no standard, and there is, at least was, no support for specifying
one. Even if we change that, the end-result will most probably not
support down-level reveivers below the 480 octet limit set forth in the
upcoming RFC series.

Best regards,
Rainer

[1] http://tools.ietf.org/html/draft-ietf-syslog-protocol-23
[2] http://www.monitorware.com/Common/en/articles/ihe-syslog.php

Posted on

back to work…

You know this: the more you like something, the “faster” time elapses. So it turns out to be Thursday of my first week back at work from my summer vacation now ;) This time, I was really lazy and had extremely limited Internet connectivity while I was away. While a bit unusual for me (I was never disconnected for more than 2 days the past 10 years or so…), it turned out to be a good experience (well, some email via PDA flowed, though). As a side-note, it was good the see the rsyslog well alive while I was out of town! Many thanks to all contributors.

As you probably expect, there was a bunch of work waiting for me when I returned. I am still suffering a bit from it. However, I managed to do some work on rsyslog. So I finally managed to get rid of the hardcoded syslog message size limit. This, of course, caused a lot of code to be touched. I did a pre-release on the mailing list, but I do not have the feeling that many tried it. Well, now it is the official devel and we’ll see if we get into interesting parts of trouble.

The next thing on my agenda is the new documentation generation system. I got a lot of help from my friends at Red Hat Japan. Actually, I now need to fully understand the way docbook and the generation process at all works. I guess that will keep my occupied for a while. So please keep watching this blog, even though I may not have so many new posts for the time being.

Posted on

work, friends and personality…

Again, a non-IT post. Well … kind of. I had some discussion with a friend of mine the past days and we thought a bit about what sharing work on an open source project means to each other. I’d like to reproduce my part of the discussion which, I think, covers a lot of those things that I value. If you find it an interesting read and would like to comment – go ahead ;) In any case, you can quickly go to some other place ;)

To me, work (including rsyslog) is much more than just “doing something for a living”. Of course, that aspect is involved, I can’t deny that. But to be good at something, one must love what one does. So any work we conduct should ideally match our interests and be something we can be proud of (which also includes failing to deliver good work should make us ashamed and thus trying to fix the situation). Not everything, even well done, is “good work”. Good work is work that benefits society at large. That doesn’t mean I need to be Einstein – every garbageman also provides a useful service to society (and should be proud in what he does, provided he does it well). As a side-note, in that sense I do not see that any one work is more respectable than any other: people who try similarly hard to provide good service to society, each one with all the capabilities they have, deserve the same respect, no matter how large their contribution to society is being considered by other people. In fact, a highly educated scholar working on something light-hearted is in my opinion much less respectable than a garbageman who tries his very best in fulfilling his duties. As a side-note to the side-note, do not mistake respectability with material earnings: I see that some folks generate very large benefit for society at large. No matter if their motivations makes them respectable, they obviously deserve to earn more than others. Just keep in mind that respect and material things are two totally different aspects…

Back to the importance of work: I do not consider work to be something “external” to me. Instead, it is a very important part of my personality. Not the only one, and I don’t try to assign priorities to different parts of my personality so I can’t say if it is the most important one or not – but that doesn’t really matter, I think. In that sense, if you help me succeeding in my work, you also help me succeeding in growing my personality. You help me being more proud of what I am doing because you help making it better, more well-known and, importantly, more valuable to society at large. And I hope that my contribution to your work (e.g. by providing some basis) will have a similar effect for you. What’s more important is that the borders between “my work” and “your work” go away. So it becomes “our work”, something we jointly work on, and something we are actually being tied together. And, in a sense, part of my personality becomes yours and vice versa. Doesn’t that justify to also care a bit about the person who is behind that shared work? To me, I think so, even though we “know” each other only via electrons traveling a global network…