syslog-ng continues using old filenames after reconfiguration

AndrewShanks · 07-23-2009, 01:11 PM

Hello all,

I've recently tried to change my syslog-ng configuration file to change the names of the logfiles that syslog-ng creates.

My syslog-ng.conf file previously used the rules:

Code:

source s_sys{
     file("/proc/kmsg" log_prefix("kernel: "))
     unix-stream ("/dev/log")
     internal() ;
} ;

destination d_mylog_notice{
   file("/var/log/mylog/$YEAR$MONTH$DAY-Notice.txt"
           template("$MSGONLY\n")
           template_excape(no)
        ) ;
} ;

filter f_mylog_notice_f {facility(local3) and level(notice) :};

log { source(s_sys); filter(f_mylog_notice_f); destination(d_mylog_notice); } ;

and quite happily created logfiles called 20090720-Notice.txt and the like, with user and group as root and permissions -rw-rw----. I then tried to replace the destination lines, as described below:

Code:

destination d_mylog_notice{
   file("/var/log/mylog/$YEAR$MONTH$DAY-Notice.log"
           template("$MSGONLY\n")
           template_excape(no)
           perm(0770)
           group("daemon")
        ) ;
} ;

After rebooting my computer, and running /etc/init.d/syslog-ng restart, syslog-ng was still creating files with the .txt suffix and the old owner and permissions. I tried a recursive grep for "Notice.txt" on the etc directory in case there was some other configuration file overriding the one I'd changed, but couldn't find anything. What am I missing?

Tinkster · 07-23-2009, 01:21 PM

w/o having looked at the man-page ...
shouldn't that say escape?

template_excape(no)

Cheers,
Tink

AndrewShanks · 07-24-2009, 05:41 AM

Well spotted. Unfortunately, that's just an error in transcription rather than in the file itself. Just in case I made any more, I'm copying and pasting the relevant lines from my current file:

Code:

source s_sys { 
	file ("/proc/kmsg" log_prefix("kernel: ")); 
	unix-stream ("/dev/log"); 
	internal(); 
}; 

...

# Notice
destination d_mylog_notice { 
	file("/var/log/mylog/$YEAR$MONTH$DAY-Notice.log"
		template("$MSGONLY\n")
		template_escape(no)
		perm(0770)
                group("daemon") 
	);
};

...

filter f_mylog_notice_f { facility(local3) and level(notice); };

...
log { source(s_sys); filter(f_mylog_notice_f); destination(d_mylog_notice); };

balabit · 07-24-2009, 06:58 AM

Hi, check that syslog-ng is starting with the config file you have edited.

Stop syslog-ng, then start it with the following command:
syslog-ng -f <path/configfile>

Regards,

Robert

AndrewShanks · 07-24-2009, 08:56 AM

Thanks for the help, guys. I tried what you said, Robert, found and fixed a syntax error in my configuration file due to a missing semi-colon, and got the log files I wanted. Starting the syslog-ng daemon via the script /etc/init.d/syslog-ng still caused the syslog-ng daemon to create logs with the old configuration (ending in .txt etc.), so I changed the script from calling syslog-ng with no parameters to calling syslog-ng with the parameter -f /etc/syslog-ng/syslog-ng.conf. I'm getting the result I want now.

However, I'm still curious as to how I managed to pick up the wrong configuration in the first place ,and why explicitly specifying the config file path was necessary, because the man page claims that /etc/syslog-ng/syslog-ng.conf is the default configuration file location.

My /etc/init.d/syslog-ng script is as follows:

Code:

#!/bin/sh
#
# syslog-ng           Starts syslog-ng/klogd
#
# chkconfig: 2345 12 88
# description: syslog-ng (Replacement for Linux syslog daemon)
### BEGIN INIT INFO
# Provides: $syslog-ng
### END INIT INFO

# full path to daemon
INIT_PROG="/usr/local/sbin/syslog-ng"
INIT_NAME=`basename "$INIT_PROG"`

# Source function library
. /etc/rc.d/init.d/functions

[ -f /usr/local/sbin/syslog-ng ] || exit 0
[ -f /sbin/klogd ] || exit 0

# Source config
if [ -f /etc/sysconfig/syslog-ng ] ; then
	. /etc/sysconfig/syslog-ng;
else
	SYSLOGNG_OPTIONS=""
	KLOGD_OPTIONS="-2"
fi

RETVAL=0

umask 077

start() {
	echo -n $"Starting $INIT_NAME: "
	daemon $INIT_PROG $SYSLOGNG_OPTIONS
	RETVAL=$?
	echo
	echo -n "Starting kernel logger: "
	daemon klogd $KLOGD_OPTIONS
	echo
	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog
	return $RETVAL
}

stop() {
	echo -n $"Shutting down kernel logger: "
	killproc klogd
	echo
	echo -n $"Shutting down $INIT_NAME: "
	killproc $INIT_PROG
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$INIT_NAME
	return $RETVAL
}
	
rhstatus() {
	status $INIT_PROG
	status klogd
}

restart() {
	stop
	start
}

case "$1" in
  start)
	start
	;;
  stop)
	stop
	;;
  status)
	rhstatus
	;;
  restart|reload)
	restart
	;;
  condrestart)
	[ -f /var/lock/subsys/$INIT_PROG ] && restart || :
	;;
  *)
	echo $"Usage: $0 {start|stop|status|restart|condrestart}"
	exit 1
esac

exit $?

and my /etc/sysconfig/syslog-ng script was:

Code:

# Options to syslog-ng
# See syslog-ng(8) for more details
SYSLOGNG_OPTIONS=""
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

and is now:

Code:

# Options to syslog-ng
# See syslog-ng(8) for more details
SYSLOGNG_OPTIONS="-f /etc/syslog-ng/syslog-ng.conf"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

I reiterate that I've got the result I want now (thanks again), and am just asking for help in understanding the scripts and so forth a little better.

balabit · 07-27-2009, 03:06 AM

Hi Andrew,
Glad that it's working now.

It seems that for some reason the init script is not picking up the correctly for some reason.

Please let me know:
- which version of syslog-ng are you using
- on which OS/platform
- the source of the syslog-ng package (e.g., repository of your distro, official package from balabit.com, etc.)

The location of the config file was changed in the 3.x branch, where syslog-ng moved to /opt/syslog-ng for platform-compatibility reasons, but the installer of 3.x should update the init scripts as well.
So I guess it is a bug in the installer (either in the official, or in that of your distro).

Robert