[SOLVED] Syslog messages randomly logging to std out

LVsFINEST · 07-12-2016, 11:01 AM

My ssh sessions keep getting over ran by syslog messages spewing to std out and I cannot figure out why.

The server runs syslog-ng and ingests remote syslogs from many devices on the network. Everything logs to a file and/or forwards to another syslog daemon, however there is *NO* config to log to std out.

Oddly, it doesn't spew every syslog message to std out but rather only ONE specific syslog message. I'm wondering if maybe there are some characters within this particular message that are somehow making it log to std out...? The messages originate from a NetScreen firewall and samples are below.

In any case, this syslog server has been fine for 6+ years and this phenomena has only appeared within the past couple of weeks. The NetScreen firewall has had the same config for years as well.

I have checked the syslog-ng.conf file for syntax errors and non are reported.

I verified syslog-ng was also not updated in any recent yum updates either.

Does anybody have any ideas on how I can track down WHY messages are spewing to std out and/or how to cease this from happening?

--Sample Messages

From syslog-ng:
Jul 12 08:18:51 firewall02 firewall02: NetScreen device_id=firewall02 [Root]system-emergency-00005: SYN flood! From 195.62.53.194:49406 to xxx.xxx.xxx.xxx:48708, proto TCP (zone Untrust int untrust). Occurred 1 times. (2016-07-12 08:18:42)

From std out:
2016 Jul 12 08:18:51 firewall02 NetScreen device_id=firewall02 [Root]system-emergency-00005: SYN flood! From 195.62.53.194:49406 to xxx.xxx.xxx.xxx:62403, proto TCP (zone Untrust int untrust). Occurred 1 times. (2016-07-12 08:18:42)

Thanks in advance.

Tarikc · 07-12-2016, 11:03 AM

I'm taking a wild guess.

But system-emergency-00005 is very urgent for real and you really need to know about it.

So the system send it in front of you to take action.

Cheers!

LVsFINEST · 07-12-2016, 12:34 PM

Quote:

Originally Posted by Tarikc

I'm taking a wild guess.

But system-emergency-00005 is very urgent for real and you really need to know about it.

So the system send it in front of you to take action.

Cheers!

Thank you sir for the nudge in the right direction! You're absolutely correct and I apparently lied about my syslog-ng.conf containing no stdout clauses.

Offending lines in syslog-ng.conf:

Code:

destination d_mlal { usertty("*"); };
filter f_emerg { level(emerg); };
log { source(s_all); filter(f_emerg); destination(d_mlal); };

It blows my mind I have never ran into this before though. Either these SYN flood logs have never been generated before (doubtful) or they never generated in the volume they're generating now so I didn't notice them previously (more likely).

In any case, problem solved.