Our syslog-ng was logging and after update it stopped
After an update our syslog-ng quit logging. We also built a new syslog server.
I am trying to get it to log to the firewall and then I will set it to log other items. It has worked intermittently. Below is the code dealing with the firewall.
#
source src {
#
# use system() for local logs
#
system();
#
# syslog-ng's internal messages
#
internal();
# FROM -
# <<unresolved question from version 3.3>>
# read kernel messages directly (12.x) or
# does klogd forward them via /dev/log?
#
file ("/proc/kmsg" program_override("kernel"));
#
# the default log socket for local logging:
#
unix-dgram("/dev/log");
# HERE---
# uncomment to process log messages from network:
#udp(ip("0.0.0.0") port(514));
};
source net { udp(ip("0.0.0.0") port(514)); };
#source net_tcp { tcp(ip("0.0.0.0") port(514)); };
#added var to include
include "/var/run/syslog-ng/additional-log-sockets.conf";
Please:
- check what the update contained / changed,
- clean up what you post (unnecessary comments also tend to cloud things),
- post full configs plus any includes,
- test local logging with 'logger' (unclear if that's working or not),
- check the firewall for ACLs,
- run debug mode like 'syslog-ng -Fevd' for clues,
- run tcpdump or tshark to ensure you get messages over the network,
- test remotely with 'loggen' which comes with syslog-ng >= 3.
The syslog server was rebuilt so we do not have that info.
I only posted what dealt with the firewall.
We already tested and it is getting to the syslog server but syslog is not logging it.
The firewall ACLs have not changed.
Below is the full config file:
I have only been working with the firewall at this time. Once I get that working I will set up the rest.
I am new to setting this up!
@version:3.5
@include "scl.conf"
#
# /etc/syslog-ng/syslog-ng.conf
#
# File format description can be found in syslog-ng.conf(5)
# and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
# NOTE: The SuSEconfig script and its syslog-ng.conf.in
# configuration template aren't used any more.
#
# Feel free to edit this file directly.
#
#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
#
# use system() for local logs
#
system();
#
# syslog-ng's internal messages
#
internal();
# FROM -
# <<unresolved question from version 3.3>>
# read kernel messages directly (12.x) or
# does klogd forward them via /dev/log?
#
file ("/proc/kmsg" program_override("kernel"));
#
# the default log socket for local logging:
#
unix-dgram("/dev/log");
# HERE---
# uncomment to process log messages from network:
#udp(ip("0.0.0.0") port(514));
};
source net { udp(ip("0.0.0.0") port(514)); };
#source net_tcp { tcp(ip("0.0.0.0") port(514)); };
#added var to include
include "/var/run/syslog-ng/additional-log-sockets.conf";
#
# Filter definitions
#
filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };
filter f_console { level(warn) and facility(kern) and not filter(f_iptables)
or level(err) and not facility(authpriv); };
filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit { level(crit) and facility(news); };
filter f_newserr { level(err) and facility(news); };
filter f_news { facility(news); };
filter f_mailinfo { level(info) and facility(mail); };
filter f_mailwarn { level(warn) and facility(mail); };
filter f_mailerr { level(err, crit) and facility(mail); };
filter f_mail { facility(mail); };
# this is for the old acpid < 1.0.6
filter f_acpid_old { program('^\[acpid\]$'); };
filter f_netmgm { program('NetworkManager') or program('nm-dispatcher'); };
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
filter f_warn { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert { level(alert); };
#
# Enable this and adopt IP to send log messages to a log server.
#
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };
#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };
#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console { file("/dev/tty10" suppress(30) owner(-1) group(-1) perm(-1)); };
log { source(src); source(chroots); filter(f_console); destination(console); };
# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); source(chroots); filter(f_alert); destination(root); };
#
# and optionally also all in one file:
# (don't forget to provide logrotation config)
#
#destination news { file("/var/log/news.all"); };
#log { source(src); source(chroots); filter(f_news); destination(news); };
#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info" suppress(30)); };
log { source(src); source(chroots); filter(f_mailinfo); destination(mailinfo); };
#
# and also all in one file:
#
destination mail { file("/var/log/mail" suppress(30)); };
log { source(src); source(chroots); filter(f_mail); destination(mail); };
#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid" suppress(30)); };
destination devnull { };
log { source(src); source(chroots); filter(f_acpid); destination(acpid); flags(final); };
#
# if you want more verbose acpid logging, comment the destination(null)
# line and uncomment the destination(acpid) line
#
log { source(src); source(chroots); filter(f_acpid_full); destination(devnull); flags(final); };
# log { source(src); source(chroots); filter(f_acpid_full); destination(acpid); flags(final); };
#
# old acpid < 1.0.6
log { source(src); source(chroots); filter(f_acpid_old); destination(acpid); flags(final); };
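The checks suggested in the reply above (capture with tcpdump or tshark, send a test message the way logger or loggen does) and the f_iptables filter from the posted config can be exercised offline. The Python below is an added example written for this page; it is not code from the thread or from the syslog-ng project. It builds an RFC 3164 UDP datagram, decodes the <PRI> facility/severity a capture would show, and replays the filter's facility(kern) and message("IN=") / message("OUT=") conditions against it. The host name fw1, the addresses, the sample messages and the send_test() host/port are constructed for the example.

```python
"""Added example for this thread (not code from the post or from syslog-ng):
build the RFC 3164 datagram that 'logger' or 'loggen' would send, decode the
<PRI> prefix a tcpdump/tshark capture shows, and replay the posted
f_iptables filter against it. Host names, addresses and messages below are
constructed for the example."""
import re
import socket
import sys

# RFC 3164 facility and severity codes (standard values).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_datagram(facility, severity, host, tag, text,
                   timestamp="Jan  1 00:00:00") -> bytes:
    """Assemble '<PRI>TIMESTAMP HOST TAG: MSG' as the bytes put on the wire."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} {tag}: {text}".encode()


def decode_pri(datagram: bytes):
    """Return (facility, severity) names from the <PRI> prefix, or None when
    the prefix is missing or out of range (RFC 3164 allows 0..191)."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return FACILITY_NAMES.get(pri // 8, f"facility{pri // 8}"), SEVERITY_NAMES[pri % 8]


def parse_datagram(datagram: bytes):
    """Split a datagram into the fields syslog-ng exposes as macros
    (FACILITY, LEVEL, HOST, PROGRAM, MESSAGE); None if there is no PRI."""
    decoded = decode_pri(datagram)
    if decoded is None:
        return None
    rest = datagram[PRI_RE.match(datagram).end():].decode("ascii", "replace")
    timestamp, rest = rest[:15], rest[16:]        # 'Mmm dd hh:mm:ss' is 15 chars
    host, _, body = rest.partition(" ")
    program, sep, message = body.partition(": ")
    if not sep:                                   # no 'TAG: ' prefix at all
        program, message = "", body
    return {"facility": decoded[0], "severity": decoded[1], "timestamp": timestamp,
            "host": host, "program": program, "message": message}


def matches_f_iptables(facility: str, message: str) -> bool:
    """Replay the filter from the posted syslog-ng.conf:
      filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };
    message() is an unanchored regex search over MESSAGE, so for these literal
    patterns a substring test is equivalent."""
    return facility == "kern" and "IN=" in message and "OUT=" in message


def would_match_f_iptables(datagram: bytes) -> bool:
    """End to end: would this wire datagram pass f_iptables?"""
    parsed = parse_datagram(datagram)
    return parsed is not None and matches_f_iptables(parsed["facility"], parsed["message"])


def send_test(datagram: bytes, host: str, port: int = 514) -> int:
    """Send one UDP datagram to the syslog-ng 'net' source; on the server,
    'tcpdump -ni any udp port 514' shows whether it arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (host, port))


# Constructed samples: a netfilter line as the kernel logs it, and the same
# text as a firewall appliance that tags its remote logging with local0.
SAMPLE_KERN = build_datagram("kern", "warning", "fw1", "kernel",
    "IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=22")
SAMPLE_LOCAL0 = build_datagram("local0", "info", "fw1", "firewall",
    "IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=22")

if __name__ == "__main__":
    for sample in (SAMPLE_KERN, SAMPLE_LOCAL0):
        p = parse_datagram(sample)
        print(p["facility"], p["severity"], p["program"], "->",
              "f_iptables matches" if would_match_f_iptables(sample)
              else "f_iptables does NOT match")
    if len(sys.argv) > 1:                         # python3 syslog_check.py <server-ip>
        send_test(SAMPLE_KERN, sys.argv[1])
```

Run it with no arguments to see the two decoded samples; pass the syslog server's address to also send the kern sample to UDP 514. The point of the local0 sample is that a message can be received by the net source and still be written nowhere, because f_iptables only accepts facility kern. A capture of the firewall's real datagrams fed through parse_datagram() shows which facility it actually uses. Note also that, in the portion of the config shown in the thread, no log { } statement references source(net), so messages arriving on UDP 514 have no path to a destination until one is added (for example a log { source(net); filter(f_iptables); destination(...); } statement).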