syslog-ng memory leak #394

Closed
GoogleCodeExporter opened this Issue Mar 24, 2015 · 5 comments

GoogleCodeExporter commented Mar 24, 2015

SecurityOnion uses syslog-ng version 3.3.4.dfsg-2ubuntu1 that has a known 
memory leak.

What steps will reproduce the problem?
1. let SecurityOnion run for a while
(2. run Bro and ELSA)
3. syslog-ng's memory usage will increase indefinitely

What is the expected output? What do you see instead?

expected: syslog-ng's memory usage shouldn't increase indefinitely

Are you using the new Security Onion 12.04?

Version 12.04.3

Did you install from the ISO image or did you install your own version of 
Ubuntu and then add our PPA and packages?

Install from ISO image.

---

syslog-ng 3.3.4.dfsg-2ubuntu1 is shipped with Ubuntu 12.04. It has a known 
memory leak, and it won't be patched in Ubuntu 12.04
(see http://www.engardelinux.org/modules/index/list_archives.cgi?list=syslog-ng-users&page=0036.html&month=2013-04)

Upgrading syslog-ng to 3.3.11 fixes the issue. I used the packages from 
http://packages.madhouse-project.org/ubuntu/, and also installed the libivykis 
dependency from there.

(Ubuntu Saucy includes syslog-ng 3.3.9 and ivykis 0.36.2. It seems those 
packages can be backported to 12.04 without many issues. I did not confirm 
3.3.9 fixes the issue)

Original issue reported on code.google.com by RamTilgh...@gmail.com on 20 Sep 2013 at 4:20

GoogleCodeExporter commented Mar 24, 2015

Please see this discussion on our mailing list:
https://groups.google.com/d/topic/security-onion/9N-XTBH4qjE/discussion

During the course of discussion, I noticed that one of the memory leaks is due 
to "reload".  Would it help if we changed our daily "reload" to a "restart"?

Original comment by doug.bu...@gmail.com on 20 Sep 2013 at 4:25

GoogleCodeExporter commented Mar 24, 2015

It would do as a work-around.

FYI I'm running with a backported syslog-ng 3.3.9 from Ubuntu 13.10 now for a 
couple of days and it seems to work fine.

Original comment by RamTilgh...@gmail.com on 23 Sep 2013 at 6:27

GoogleCodeExporter commented Mar 24, 2015

aaron gee-clough reports that changing "reload" to "restart" worked for him.  
Will push this change in the next update of the NSM scripts.

Original comment by doug.bu...@gmail.com on 23 Sep 2013 at 7:05

  • Changed state: Accepted

GoogleCodeExporter commented Mar 24, 2015

Thanks!

Can confirm the "restart" also works for me.

Original comment by RamTilgh...@gmail.com on 24 Sep 2013 at 6:15
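
One way to check whether syslog-ng's resident memory keeps growing, and whether a workaround such as the reload-to-restart change stops it. This is an added example, not part of the original thread or of Security Onion's scripts; the function names, the 1024 kB/hour threshold and the sample readings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

def read_rss_kb(pid, proc_root="/proc"):
    """VmRSS of a process in kB from /proc/<pid>/status; None if it has exited."""
    try:
        status = Path(proc_root, str(pid), "status").read_text()
    except OSError:
        return None
    m = re.search(r"^VmRSS:\s+(\d+)\s+kB", status, re.M)
    return int(m.group(1)) if m else None

def slope_kb_per_hour(series):
    """Least-squares slope of [(seconds, rss_kb), ...], converted to kB/hour."""
    n = len(series)
    mean_t = sum(t for t, _ in series) / n
    mean_r = sum(r for _, r in series) / n
    var_t = sum((t - mean_t) ** 2 for t, _ in series)
    if var_t == 0:
        return 0.0
    cov = sum((t - mean_t) * (r - mean_r) for t, r in series)
    return cov / var_t * 3600

def leak_suspects(samples, threshold=1024, min_samples=6):
    """samples: [(seconds, pid, rss_kb), ...] -> {pid: kB/hour} above threshold.

    Readings are grouped by PID: a reload keeps the PID (and any leaked heap),
    while a restart starts a new process, so its series begins again.
    """
    by_pid = {}
    for t, pid, rss in samples:
        by_pid.setdefault(pid, []).append((t, rss))
    suspects = {}
    for pid, series in by_pid.items():
        if len(series) < min_samples:
            continue  # too few points to call a trend
        slope = slope_kb_per_hour(series)
        if slope > threshold:
            suspects[pid] = round(slope)
    return suspects

# Constructed hourly readings (not measurements from the issue).
HOUR = 3600
GROWING = [(i * HOUR, 1200, 20000 + 5000 * i) for i in range(24)]
FLAT = [(i * HOUR, 1300 + i // 12, 20000 + 100 * (i % 3)) for i in range(24)]

if __name__ == "__main__":
    print("growing:", leak_suspects(GROWING))
    print("flat:", leak_suspects(FLAT))
```

In use, `read_rss_kb` would be called on the syslog-ng PID at a fixed interval (for example from cron) and the readings appended to the list passed to `leak_suspects`.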

GoogleCodeExporter commented Mar 24, 2015

Tested by JP Bourget and David Zawdie.

Published:
http://securityonion.blogspot.com/2013/10/new-nsmsetup-packages-now-available.html

Original comment by doug.bu...@gmail.com on 10 Oct 2013 at 12:05

  • Changed state: Verified