<div dir="auto">The problem seems to be that dovecot uses Rfc5424 formatted message on the local log socket.<div dir="auto"><br></div><div dir="auto">Syslog-ng is able to cope with this format, and the system () source has recently been adapted to allow this.</div><div dir="auto"><br></div><div dir="auto">If you are not using the system () source, just add flags(syslog-protocol) to your unix-dgram() driver.</div><div dir="auto"><br></div><div dir="auto">Bazsi</div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Mar 21, 2019, 22:57 Stanislav <<a href="mailto:me@rooty.name">me@rooty.name</a> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I also did a test with following configuration:<br>
<br>
===========<br>
@version: 3.20<br>
<br>
log {<br>
source { internal(); };<br>
if (program("syslog-ng")) {<br>
rewrite { set(":)" value(".FILTER")); };<br>
}<br>
else {<br>
rewrite { set(":(" value(".FILTER")); };<br>
};<br>
<br>
destination { file("/dev/stdout" template("${.FILTER} [${PROGRAM}] <br>
${MESSAGE}\n")); };<br>
};<br>
===========<br>
<br>
The result is pretty much the same, I can see this:<br>
# syslog-ng -F<br>
:) [syslog-ng] syslog-ng starting up; version='3.20.1'<br>
<br>
but that's pretty much it, when I restart dovecot or any other <br>
application I can't see new lines...<br>
<br>
My full syslog-ng configuration: <a href="http://rooty.name/syslog-ng.conf" rel="noreferrer noreferrer" target="_blank">http://rooty.name/syslog-ng.conf</a><br>
<br>
<br>
<br>
> Hey,<br>
> <br>
> There's a syntax error:<br>
> Error parsing log statement, syntax error, unexpected '(', expecting<br>
> ')' in /usr/local/etc/syslog-ng.conf:6:20-6:21<br>
> <br>
> ...assuming it should be like this:<br>
> =============<br>
> @version: 3.20<br>
> <br>
> log {<br>
> source { internal(); };<br>
> if {<br>
> filter{ program("syslog-ng"); };<br>
> rewrite { set(":)" value(".FILTER")); };<br>
> }<br>
> else {<br>
> rewrite { set(":(" value(".FILTER")); };<br>
> };<br>
> <br>
> destination { file("/dev/stdout" template("${.FILTER}\n")); };<br>
> };<br>
> =============<br>
> I'm getting following result:<br>
> <br>
> # syslog-ng -F<br>
> :)<br>
> <br>
> <br>
> Seems like everything should be fine */me confused*...<br>
> <br>
> =============<br>
> <br>
> ok, so what I did next is:<br>
> destination all { file("/var/log/all.log" template("DEBUG ${ISODATE}<br>
> >>>>${PROGRAM}<<<<< ${MESSAGE}\n")); };<br>
> <br>
> and I can see this:<br>
> DEBUG 2019-03-21T23:03:54+02:00 >>>>1<<<<<<br>
> 2019-03-21T23:03:54.538134+02:00 <a href="http://rooty.name" rel="noreferrer noreferrer" target="_blank">rooty.name</a> dovecot 62129 - - master:<br>
> Warning: Killed with signal 15 (by pid=62197 uid=0 code=kill)<br>
> DEBUG 2019-03-21T23:03:54+02:00 >>>>1<<<<<<br>
> 2019-03-21T23:03:54.539049+02:00 <a href="http://rooty.name" rel="noreferrer noreferrer" target="_blank">rooty.name</a> dovecot 62134 - -<br>
> imap(<a href="mailto:me@rooty.name" target="_blank" rel="noreferrer">me@rooty.name</a>)<62147><D8rkEaGEPHesOiU3>: Server shutting down.<br>
> in=27 out=775 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0<br>
> body_count=0 body_bytes=0<br>
> DEBUG 2019-03-21T23:03:56+02:00 >>>>1<<<<<<br>
> 2019-03-21T23:03:56.231605+02:00 <a href="http://rooty.name" rel="noreferrer noreferrer" target="_blank">rooty.name</a> dovecot 62224 - - master:<br>
> Dovecot v2.3.5 (513208660) starting up for imap<br>
> DEBUG 2019-03-21T23:04:00+02:00 >>>>1<<<<<<br>
> 2019-03-21T23:04:00.003944+02:00 <a href="http://rooty.name" rel="noreferrer noreferrer" target="_blank">rooty.name</a> /usr/sbin/cron 62249 - -<br>
> (root) CMD (/usr/home/stan/radio/frame/generate_me.sh)<br>
> <br>
> I'm getting the number "1" not just for "dovecot" app, but also for<br>
> crontab and pretty much for everything else... */me confused even<br>
> more*<br>
> <br>
> <br>
> <br>
>> Hello,<br>
>> <br>
>> Have you tried the configuration I provided ?<br>
>> My guess still that it is not an issue with the *program* filter,<br>
>> could you modify the file destination to also print the *${PROGRAM}*<br>
>> macro, to verify that it contains the value you expect ?<br>
>> <br>
>> --<br>
>> Kokan<br>
>> <br>
>> On Thu, Mar 21, 2019 at 8:57 PM Stanislav <<a href="mailto:me@rooty.name" target="_blank" rel="noreferrer">me@rooty.name</a>> wrote:<br>
>> <br>
>>> nah, I've just tried to replace that with "file( "/dev/klog"<br>
>>> owner(root)<br>
>>> group(wheel) perm(0666) );", didn't work.<br>
>>> <br>
>>> Also I'm getting logs to "/var/log/all.log" from dovecot without any<br>
>>> <br>
>>> issue, it just this filter, I feel something is not right there.<br>
>>> <br>
>>>> Hello,<br>
>>>> <br>
>>>> Is it possible that the *dovcot* application sends those logs via<br>
>>>> */dev/klog* ? Because in your configuration for that source the<br>
>>>> program is replaced with *kernel*.<br>
>>>> <br>
>>>> I tried the *program* filter with freebsd 12 + syslog-ng 3.20.1<br>
>>> with<br>
>>>> the following configuration:<br>
>>>> <br>
>>>> @version: 3.20<br>
>>>> <br>
>>>> log {<br>
>>>> source { internal(); };<br>
>>>> if {<br>
>>>> filter( program("syslog-ng"); };<br>
>>>> rewrite { set(":)" value(".FILTER")); };<br>
>>>> }<br>
>>>> else {<br>
>>>> rewrite { set(":(" value(".FILTER")); };<br>
>>>> }<br>
>>>> <br>
>>>> destination { file("/dev/stdout" template("${.FILTER}\n")); };<br>
>>>> };<br>
>>>> <br>
>>>> starting with syslog-ng -F<br>
>>>> <br>
>>>> The result seemed to be positive => :)<br>
>>>> <br>
>>>> --<br>
>>>> Kokan<br>
>>>> <br>
>>>> On Wed, Mar 20, 2019 at 4:41 AM Stanislav <<a href="mailto:me@rooty.name" target="_blank" rel="noreferrer">me@rooty.name</a>> wrote:<br>
>>>> <br>
>>>>> Greetings,<br>
>>>>> <br>
>>>>> I'm getting this issue after my last package upgrade<br>
>>>>> <br>
>>>>> ======================================<br>
>>>>> Name : syslog-ng<br>
>>>>> Version : 3.20.1<br>
>>>>> Installed on : Mon Mar 11 23:27:29 2019 EET<br>
>>>>> Origin : sysutils/syslog-ng<br>
>>>>> Architecture : FreeBSD:12:amd64<br>
>>>>> Prefix : /usr/local<br>
>>>>> Categories : sysutils<br>
>>>>> Licenses :<br>
>>>>> Maintainer : cy@FreeBSD.org<br>
>>>>> WWW : <a href="http://www.syslog-ng.org/" rel="noreferrer noreferrer" target="_blank">http://www.syslog-ng.org/</a><br>
>>>>> Comment : Powerful syslogd replacement<br>
>>>>> Options :<br>
>>>>> AMQP : off<br>
>>>>> CURL : off<br>
>>>>> DOCS : on<br>
>>>>> GEOIP2 : off<br>
>>>>> IPV6 : off<br>
>>>>> JAVA : off<br>
>>>>> JAVA_MOD : off<br>
>>>>> JSON : on<br>
>>>>> MONGO : off<br>
>>>>> PYTHON : off<br>
>>>>> REDIS : off<br>
>>>>> RIEMANN : off<br>
>>>>> SMTP : off<br>
>>>>> SPOOF : off<br>
>>>>> SQL : off<br>
>>>>> TCP_WRAPPERS : off<br>
>>>>> ======================================<br>
>>>>> <br>
>>>>> I have following configuration:<br>
>>>>> <br>
>>>>> options { chain_hostnames(off); flush_lines(0); threaded(yes);<br>
>>>>> create_dirs(yes); };<br>
>>>>> source local {<br>
>>>>> internal();<br>
>>>>> unix-dgram( "/var/run/log" owner(root) group(wheel)<br>
>>>>> perm(0666) );<br>
>>>>> unix-dgram( "/var/run/logpriv" owner(root)<br>
>>>>> group(wheel)<br>
>>>>> perm(0600) );<br>
>>>>> file( "/dev/klog" program_override("kernel") );<br>
>>>>> };<br>
>>>>> ...<br>
>>>>> destination all { file("/var/log/all.log"); };<br>
>>>>> destination maillog_mda { file("/var/log/maillog-mda"); };<br>
>>>>> ...<br>
>>>>> filter p_mail_imap { program("dovecot"); };<br>
>>>>> ...<br>
>>>>> log { source(local); destination(all); };<br>
>>>>> log { source(local); filter(p_mail_imap);<br>
>>> destination(maillog_mda);<br>
>>>>> };<br>
>>>>> ======================================<br>
>>>>> # ps auxww|grep dovecot<br>
>>>>> root 9648 0.0 0.1 13268 4196 - Is 00:46<br>
>>>>> 0:00.04<br>
>>>>> /usr/local/sbin/dovecot -c /usr/local/etc/dovecot/dovecot.conf<br>
>>>>> dovecot 9651 0.0 0.0 12724 3784 - I 00:46<br>
>>>>> 0:00.01<br>
>>>>> anvil: [2 connections] (anvil)<br>
>>>>> root 15259 0.0 0.0 12796 4168 - I 01:42<br>
>>>>> 0:00.00<br>
>>>>> dovecot/log<br>
>>>>> root 16126 0.0 0.1 13744 5020 - I 01:52<br>
>>>>> 0:00.02<br>
>>>>> dovecot/config<br>
>>>>> dovecot 16127 0.0 0.0 12724 4180 - I 01:52<br>
>>>>> 0:00.01<br>
>>>>> stats: [3 connections] (stats)<br>
>>>>> dovecot 17328 0.0 0.1 21284 12276 - I 02:05<br>
>>>>> 0:00.01<br>
>>>>> auth: [0 wait, 0 passdb, 0 userdb] (auth)<br>
>>>>> ======================================<br>
>>>>> # syslog-ng -s<br>
>>>>> # echo $?<br>
>>>>> 0<br>
>>>>> ======================================<br>
>>>>> <br>
>>>>> I'm getting logs from dovecot program to /var/log/all.log but not<br>
>>>>> /var/log/maillog-mda . As I mentioned before it was working on<br>
>>>>> previous<br>
>>>>> version of syslog-ng .<br>
>>>>> Does anybody have this issue? Just me, lucky?<br>
>>>>> <br>
>>>>> <br>
>>>> <br>
>>> <br>
>> ______________________________________________________________________________<br>
>>>>> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
>>>>> Documentation:<br>
>>>>> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
>>>>> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
>>>> <br>
>>> <br>
>> ______________________________________________________________________________<br>
>>>> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
>>>> Documentation:<br>
>>>> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
>>>> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
>>> <br>
>> ______________________________________________________________________________<br>
>>> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
>>> Documentation:<br>
>>> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
>>> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
>> ______________________________________________________________________________<br>
>> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
>> Documentation: <br>
>> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
>> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <br>
> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>