Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Server
User Name
Linux - Server This forum is for the discussion of Linux Software used in a server related context.


  Search this Thread
Old 09-01-2010, 02:36 PM   #1
Registered: Jul 2005
Posts: 273

Rep: Reputation: 31
syslog-ng marking all forwarded events as kern.emerg

I'm having some funky behavior where my central syslog-ng server is marking all forwarded events as facility kern, level emerg.

The remote hosts, are CentOS 5 x86_64. They are using the system install syslog. The ones I started with, have nginx web server, patched to send it's log messages under local5.crit for errors, and local5.notice for access logs.

It's syslog.conf looks like so.

# cat /etc/syslog.conf 
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                         /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none        /var/log/messages

# The authpriv file has restricted access.
authpriv.*                      /var/log/secure

# Log all the mail messages in one place.
mail.*                          -/var/log/maillog

# Log cron stuff
cron.*                          /var/log/cron

# Everybody gets emergency messages
*.emerg                         *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                      /var/log/spooler

# Save boot messages also to boot.log
local7.*                        /var/log/boot.log

# nginx local logs
local5.notice                                                   /usr/local/logs/access.log
local5.crit                                                     /usr/local/logs/error.log

# Syslog-ng
*.*                                                     @remoteIP
They are logging locally as expected, and things are coming into the remote host as expected.

(from a strace)

32443 recvfrom(3, "<173>nginx: ScrubbedIP www.fa"..., 8192, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("ScrubbedIP")}, [16]) = 412

What I can't tell is how they are actually coming in (meaning what level / facility).

My central logging server is running the latest syslog-ng. My configs look like...

# cat /etc/syslog-ng/syslog-ng.conf 
# Syslog-ng config

options { 

# Data Sources

# External Syslog
source s_external { 
#	udp();
	udp(ip("") port(514) flags(no_parse)); 

# Where to put Data

# Access Logs
destination d_access_log { file("/syslog-ng/$HOST/access.log"); };

# Error Logs
destination d_error_log { file("/syslog-ng/$HOST/error.log"); };

# Everything else
destination d_log { file("/syslog-ng/$HOST/$FACILITY.$LEVEL"); };

# Data Filters

# Facility local5
filter f_local5 { facility(local5); };

# Level info
filter f_info { level(info); };
# Level notice
filter f_notice { level(notice); };
# Level warn
filter f_warn { level(warn); };
# Level crit
filter f_crit { level(crit); };
# Level err
filter f_err { level(err); };

# Data Logging Locations

# Access Log
log { source(s_external); filter(f_local5); filter(f_notice); destination(d_access_log); };

# Error Log
log { source(s_external); filter(f_local5); filter(f_crit); destination(d_error_log); };

log { source(s_external); destination(d_log); };
The only problem here is that I'm not getting any access.log or error.log. I'm only getting kern.emerg log with EVERYTHING in it (the last log rule).

At this point, I'm pretty sure the config is sane, but maybe I'm missing something.

Any help appreciated.
Old 09-01-2010, 03:51 PM   #2
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
And I just verified that things are coming to my syslog-ng server correctly.

tcpdump port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:47:33.128579 IP scrubbed.syslog > scrubbed.syslog: SYSLOG local5.notice, length: 409
15:47:33.145029 IP scrubbed.syslog > scrubbed.syslog: SYSLOG local5.notice, length: 233
So I'm not sure what syslog-ng is doing to convert this to kern.emerg instead of leaving it local5.notice.


centos, syslog, syslogng

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
AIX syslog options to Supresses the "Message forwarded from <log_host_name>: " string nagendrar AIX 5 06-29-2012 09:10 AM
[SOLVED] how do I stop evdev events being repoted in dmesg, and being logged to syslog GlennsPref Mandriva 1 01-28-2010 12:35 AM
redirect events from syslog server junust Linux - General 1 08-10-2009 05:38 AM
is it possible that hardware support decreased from kern 2.4 to 2.6? (and other kern servnov Linux - Newbie 3 11-11-2004 04:59 PM
Syslog fail events! andykerouac Linux - General 3 01-29-2004 05:15 AM > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 10:40 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration