<div dir="ltr">syslog-ng-ctl fails with<div><div style="color:rgb(80,0,80);font-size:12.8px"><b> /usr/lib/systemd/system/syslo<wbr>g-ng.service </b></div><div style="color:rgb(80,0,80);font-size:12.8px">ExecStart=/usr/sbin/syslog-ng --control /var/run/syslog-ng.ctl -F $SYSLOGNG_OPTS -p /var/run/syslogd.pid<br></div><div style="color:rgb(80,0,80);font-size:12.8px"><br></div></div><div style="color:rgb(80,0,80);font-size:12.8px">Looks like syslog-ng-ctl does NOT work when added as a CLI option. Probably need to be added to an env file /etc/sysconfig. </div><div style="color:rgb(80,0,80);font-size:12.8px"><br></div><div style="color:rgb(80,0,80)"><div><font face="monospace, monospace" size="1"><b># ps -ef | grep syslog</b></font></div><div><font face="monospace, monospace" size="1">root 14293 1 24 12:37 ? 00:00:01 /usr/sbin/syslog-ng --control /var/run/syslog-ng.ctl -F -p /var/run/syslogd.pid</font></div><div><font face="monospace, monospace" size="1">root 14316 14120 0 12:37 pts/0 00:00:00 grep --color=auto syslog</font></div><div><b><span style="font-family:monospace,monospace;font-size:x-small"># lsof -p 14293 | grep ctl</span><br></b></div><div><font face="monospace, monospace" size="1">syslog-ng 14293 root 5u unix 0xffff880310fbd800 0t0 41294162 /var/run/syslog-ng.ctl</font></div><div><font face="monospace, monospace" size="1"><b># lsof /var/run/syslog-ng.ctl</b></font></div><div><font face="monospace, monospace" size="1">COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME</font></div><div><font face="monospace, monospace" size="1">syslog-ng 14293 root 5u unix 0xffff880310fbd800 0t0 41294162 /var/run/syslog-ng.ctl</font></div><div><font face="monospace, monospace" size="1"><b># syslog-ng-ctl stats</b></font></div><div><font face="monospace, monospace" size="1">Error connecting control socket, socket='/var/lib/syslog-ng/syslog-ng.ctl', error='Connection refused'</font></div><div><font face="monospace, monospace" size="1"><b># ls -al 
/var/lib/syslog-ng/syslog-ng.ctl</b></font></div><div><font face="monospace, monospace" size="1">srwxr-xr-x. 1 root root 0 Oct 17 17:19 /var/lib/syslog-ng/syslog-ng.ctl</font></div><div><font face="monospace, monospace" size="1"><b># ls -al /var/run/syslog-ng.ctl</b></font></div><div><font face="monospace, monospace" size="1">srwxr-xr-x. 1 root root 0 Oct 18 12:37 /var/run/syslog-ng.ctl</font></div></div><div style="color:rgb(80,0,80);font-size:12.8px"><br></div><div style="color:rgb(80,0,80);font-size:12.8px"><br></div><div style="color:rgb(80,0,80);font-size:12.8px">I shutdown syslog-ng removed the file and the ctl file from the <b style="font-size:12.8px">syslo<wbr>g-ng.service </b></div><div><span style="color:rgb(80,0,80);font-size:12.8px">Looks like the default is </span><font color="#500050"><span style="font-size:12.8px">/var/lib/syslog-ng/syslog-ng.ctl everything runs fine with that. </span></font></div><div><font color="#500050"><span style="font-size:12.8px"><br></span></font></div><div><font color="#500050"><div><b><font face="monospace, monospace" size="1"># lsof -p 27812 |grep ctl</font></b></div><div><font face="monospace, monospace" size="1">syslog-ng 27812 root 5u unix 0xffff88033269a400 0t0 41025397 /var/lib/syslog-ng/syslog-ng.ctl</font></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">One thing I did notice is query "*" adds .<b>written </b>metric for each destination which is missing from syslog-ng-ctl stats (maybe expected I didn't cross ref). 
</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><br></div></font></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 18, 2017 at 2:16 AM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">That socket should be opened, even without the control option. So if you get that error, that means it's somewhere else, or we didn't open it for some reason<div dir="auto">Can you run lsof on the syslog-ng process? That should display the control socket.</div><div dir="auto"><br></div><div dir="auto">Also, syslog-ng-ctl reload would use the very same socket. Does that work?</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Oct 17, 2017 21:01, "Scot" <<a href="mailto:scotrn@gmail.com" target="_blank">scotrn@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">CentOS 7 <div><br></div><div>I added --control /var/run/syslog-ng.ctl to</div><div><br></div><div><b> /usr/lib/systemd/system/syslo<wbr>g-ng.service </b></div><div>ExecStart=/usr/sbin/syslog-ng --control /var/run/syslog-ng.ctl -F $SYSLOGNG_OPTS -p /var/run/syslogd.pid<br></div><div><br></div><div><br></div><div><div> syslog-ng-ctl query get /var/run/syslog-ng.ctl</div><div>Error connecting control socket, socket='/var/lib/syslog-ng/sys<wbr>log-ng.ctl', error='Connection refused'</div></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 17, 2017 at 2:44 PM, Scot <span dir="ltr"><<a href="mailto:scotrn@gmail.com" target="_blank">scotrn@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc 
solid;padding-left:1ex"><div dir="ltr">Where are the query options documented ? Been looking Google, Balabit for an hour. <div>man pages have nothing. </div></div><div class="m_-774956583906356627m_-5596758692502971312HOEnZb"><div class="m_-774956583906356627m_-5596758692502971312h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 17, 2017 at 11:42 AM, Czanik, Péter <span dir="ltr"><<a href="mailto:peter.czanik@balabit.com" target="_blank">peter.czanik@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi,<br></div><br></div>If you work with syslog-ng-ctl you can give "jo" ( JSON output: <a href="https://github.com/jpmens/jo" target="_blank">https://github.com/jpmens/jo</a> ) a try. I only did some basic tests, but it seems to me that it can turn the output of "syslog-ng-ctl query" into JSON.<br><br></div>Bye,<br></div><div class="gmail_extra"><br clear="all"><div><div class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Peter Czanik (CzP) <<a href="mailto:peter.czanik@balabit.com" target="_blank">peter.czanik@balabit.com</a>><br>Balabit / syslog-ng upstream<br><a href="https://www.balabit.com/blog/author/peterczanik/" target="_blank">https://www.balabit.com/blog/a<wbr>uthor/peterczanik/</a><br><a href="https://twitter.com/PCzanik" target="_blank">https://twitter.com/PCzanik</a></div></div></div></div><div><div class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111h5">
<br><div class="gmail_quote">On Tue, Oct 17, 2017 at 5:20 PM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Difficult, the whole problem is naming of the name value pairs. <div dir="auto"><br></div><div dir="auto">The idea behind stats is to generate all name value pairs in one message, and this simply does not scale. You are almost certainly interested in a set of values or an aggregate of a set, and not everything.</div><div dir="auto"><br></div><div dir="auto">Just set stats-level() to 3, and look at the stats message.</div><div dir="auto"><br></div><div dir="auto">I am not saying it's impossible, just that it requires some thought.</div></div><div class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598HOEnZb"><div class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598h5"><div class="gmail_extra"><br><div class="gmail_quote">On Oct 17, 2017 17:09, "Scot" <<a href="mailto:scotrn@gmail.com" target="_blank">scotrn@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">How about an output modifier ? </div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 17, 2017 at 11:02 AM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi,<br><br></div>the issue with the internal stats() message is that if you have a lot of counters that message is truncated. 
Also, it is pretty difficult to parse.<br><br></div>So I would vote for the "poll syslog-ng-ctl and generate messages" solution. <br></div><div><br></div><div>BTW: the internal PE team did something in this area, they created some sort of internal source that does this polling, but I am not sure how that works. Possibly there's documentation :)</div><span class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598m_-2246681816570163581m_-8420517622888457776HOEnZb"><font color="#888888"><div><br></div></font></span></div><div class="gmail_extra"><span class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598m_-2246681816570163581m_-8420517622888457776HOEnZb"><font color="#888888"><br clear="all"><div><div class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div></font></span><div><div class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598m_-2246681816570163581m_-8420517622888457776h5">
<br><div class="gmail_quote">On Tue, Oct 17, 2017 at 4:37 PM, Scot <span dir="ltr"><<a href="mailto:scotrn@gmail.com" target="_blank">scotrn@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Doesn't stats_freq() set an interval to log stats to syslog already?<div><strong style="color:rgb(29,89,135);font-size:1.5em;font-family:"Droid Sans",Verdana,Helvetica,sans-serif"><br></strong></div><div><span style="color:rgb(29,89,135);font-family:"Droid Sans",Verdana,Helvetica,sans-serif">Description:</span><span style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0)"> The period between two </span><span class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115m_2272840704388001741gmail-highlight" style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0);background-color:rgb(255,222,123)">STATS</span><span style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0)"> messages in seconds. 
</span><span class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115m_2272840704388001741gmail-highlight" style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0);background-color:rgb(255,222,123)">STATS</span><span style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0)"> are log messages sent by syslog-ng, containing </span><span class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115m_2272840704388001741gmail-highlight" style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0);background-color:rgb(255,222,123)">stat</span><span style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0)">istics about dropped log messages. Set to </span><code class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115m_2272840704388001741gmail-userinput" style="color:rgb(0,0,0);font-family:Courier,fixed">0</code><span style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0)">to disable the </span><span class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115m_2272840704388001741gmail-highlight" style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0);background-color:rgb(255,222,123)">STATS</span><span style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0)"> messages.</span><div><div><br></div><div>So </div><div>internal_src -> format > elasticsearch -> syslog-ng_stats index ? 
</div></div></div></div><div class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115HOEnZb"><div class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 16, 2017 at 11:01 AM, Evan Rempel <span dir="ltr"><<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I have a perl script that collects some stats and logs them to syslog again. The syslog stream gets sent to ES, so they end up there, but as a syslog line, not a specific statistic item for things like grafana.<div><div class="m_-774956583906356627m_-5596758692502971312m_2148975397784407111m_-6391468022677808598m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115m_2272840704388001741h5"><br>
<br>
On 10/15/2017 05:57 PM, Scot wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
Looked around for a few hours and didn't see anything.<br>
<br>
Has anyone worked on sending syslog-ng stats to ES ?<br>
I see several ways I could but wondering if anyone has already. A push method directly from syslog-ng would be awesome.<br>
<br>
Scot<br>
<br>
</blockquote>
<br></div></div>
______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=syslog<wbr>-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
</blockquote></div><br></div>
</div></div><br>
<br>
<br></blockquote></div><br></div></div></div>
<br>
<br></blockquote></div><br></div>
<br>
<br></blockquote></div></div>
</div></div><br>
<br>
<br></blockquote></div><br></div></div></div>
<br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
<br>
<br></blockquote></div></div>
</div></div><br>
<br>
<br></blockquote></div><br></div>
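The "poll syslog-ng-ctl and generate messages" approach from this thread, as an added example that is not part of the original messages or of syslog-ng itself. It parses `syslog-ng-ctl stats` output into per-counter documents and bulk lines for the syslog-ng_stats index mentioned above; the field names, the sample rows and the Elasticsearch bulk layout are assumptions, and `fetch_stats` passes `--control` so the client uses the same socket path the daemon was started with.

```python
import csv
import io
import json
import subprocess

HEADER = ["SourceName", "SourceId", "SourceInstance", "State", "Type", "Number"]

# Constructed sample in the semicolon-separated layout of `syslog-ng-ctl stats`.
SAMPLE = """SourceName;SourceId;SourceInstance;State;Type;Number
center;;received;a;processed;1242
destination;d_es;;a;processed;1200
dst.file;d_es#0;/var/log/es.log;a;dropped;17
dst.file;d_es#0;/var/log/es.log;a;written;1183
src.internal;s_local#0;;a;processed;42
short;row
"""


def fetch_stats(control_socket):
    """Query the daemon on the same control socket path it was started with."""
    cmd = ["syslog-ng-ctl", "stats", "--control=" + control_socket]
    done = subprocess.run(cmd, capture_output=True, text=True, check=True, timeout=10)
    return done.stdout


def parse_stats(raw):
    """Turn the stats table into one dict per counter, skipping malformed rows."""
    reader = csv.reader(io.StringIO(raw), delimiter=";", quoting=csv.QUOTE_NONE)
    rows = [r for r in reader if r]
    if not rows or rows[0] != HEADER:
        raise ValueError("not syslog-ng-ctl stats output")
    docs = []
    for row in rows[1:]:
        if len(row) != len(HEADER) or not row[5].isdigit():
            continue  # truncated or non-numeric row
        name, source_id, instance, state, kind, number = row
        # Field names below are hypothetical, chosen for this example.
        docs.append({"source_name": name, "source_id": source_id, "instance": instance,
                     "state": state, "type": kind, "value": int(number)})
    return docs


def dropped(docs):
    """Counters that show message loss, the ones worth alerting on."""
    return [d for d in docs if d["type"] == "dropped" and d["value"] > 0]


def to_bulk(docs, timestamp, index="syslog-ng_stats"):
    """Render action/document line pairs in Elasticsearch bulk (NDJSON) form."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps({"@timestamp": timestamp, **doc}, sort_keys=True))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_stats(SAMPLE)  # on a live host: fetch_stats("/var/run/syslog-ng.ctl")
    print(to_bulk(parsed, "2017-10-18T12:37:00Z"), end="")
    for d in dropped(parsed):
        print("dropping:", d["source_id"], d["value"])
```

Because each counter becomes its own document, a dashboard can aggregate on `type` and `source_id` instead of parsing a single long stats line.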