<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
I think it's not syslog-ng, but logrotate that's having an issue.<br>
Check your config files under /etc/logrotate.d, I think there are multiple configurations for the same file(s), like /var/log/messages.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
You can disable the other configuration file by adding the .disabled suffix to the filename.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
It's not just syslog-ng affected based on your logs, but xferlog too.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Gábor</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> John Covici <covici@ccs.covici.com><br>
<b>Sent:</b> Monday, December 13, 2021 14:52<br>
<b>To:</b> Gabor Nagy (gnagy) <Gabor.Nagy@oneidentity.com><br>
<b>Cc:</b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> Re: [syslog-ng] syslog-ng no longer receiving kernel messages</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.<br>
<br>
<br>
Well here is the preprocessor output for source local<br>
<br>
source {<br>
systemd-journal();<br>
<br>
}; # source<br>
<br>
But what I did was to use the default conf file till early this<br>
morning and then I restored my original configuration file and it<br>
seems to be working again with the exception that every day, I always<br>
get complaints from syslog-ng saying<br>
error: syslog-ng:6 duplicate log entry for /var/log/messages<br>
error: found error in file syslog-ng, skipping<br>
error: xferlog:1 duplicate log entry for /var/log/xferlog<br>
error: found error in file xferlog, skipping<br>
<br>
Am I doing something wrong?<br>
<br>
<br>
On Mon, 13 Dec 2021 06:36:08 -0500,<br>
Gabor Nagy (gnagy) wrote:<br>
><br>
> [1 <text/plain; us-ascii (quoted-printable)>]<br>
> Hello!<br>
><br>
> Do I understand it right, that while journalctl can read (kernel) messages, syslog-ng doesn't get them (at least not all of them)?<br>
> As I understood the problem is more general than kernel messages as only a few messages reach /var/log/messages too.<br>
><br>
> I didn't find any issues with the config.<br>
> We can check a few things first, and see how should we proceed:<br>
><br>
> * check the actual driver of system() source: system() source is a wrapper that expands to platform-specific drivers (e.g. it could systemd, or directly reading /dev/log).<br>
> please run "syslog-ng --preprocess-into=/tmp/preprocessed.conf".<br>
> In the generated preprocessed config, look for the<br>
> "Start Block source generator system" string and check the underlying lines to see what is the actual driver.<br>
> On Linux where systemd is available, it should be:<br>
><br>
> #Start Block source generator system<br>
> channel {<br>
> source {<br>
> systemd-journal();<br>
><br>
> }; # source<br>
> * check incoming message rate to see if any message is coming in:<br>
> run "syslog-ng-ctl stats | grep local" # local is a source statement in your config<br>
> * check internal logs of syslog-ng:<br>
> you have internal() source in your config, so you can check syslog-ng's internal log.<br>
> I would suggest to redirect it first to a separate file.<br>
> * send a test message into your system log with logger:<br>
> run "logger --rfc3164 test message" and see if you see it in both journalctl output and in syslog-ng's output file too.<br>
><br>
> Regards,<br>
> Gabor<br>
> ________________________________<br>
> From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of John Covici <covici@ccs.covici.com><br>
> Sent: Friday, December 10, 2021 18:35<br>
> To: syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu><br>
> Subject: [syslog-ng] syslog-ng no longer receiving kernel messages<br>
><br>
> CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.<br>
><br>
><br>
> Hi folks.<br>
><br>
> I am having a problem that syslog-ng no longer gets any kernel<br>
> messages. It seems to get other messages, but not kernel messages.<br>
><br>
> Here is what happened.<br>
><br>
> In an update from kernel 5.10.70 to 5.10.82, I enabled the kernel<br>
> race condition sanitizer. I looked at its output and decided that it<br>
> would not do me any good, so I took that out and recompiled the<br>
> kernel. However after rebooting the system, syslog-ng only gives me a<br>
> few messages from when the kernel sanitizer was active in my<br>
> /var/log/messages and the same for /var/log/kernel.<br>
><br>
> I am using systemd, so I have the jernal and it is OK, all messages<br>
> are posted correctly there.<br>
><br>
> Here is my /etc/syslog-ng/syslog-ng.conf .<br>
><br>
> @version: 3.34<br>
> # $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/3.4/syslog-ng.conf.gentoo,v 1.2 2013/06/02 01:18:35 mr_bones_ Exp $<br>
> #<br>
> # Syslog-ng default configuration file for Gentoo Linux<br>
><br>
> # <a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugs.gentoo.org%2Fshow_bug.cgi%3Fid%3D426814&data=04%7C01%7CGabor.Nagy%40oneidentity.com%7Ca2e46b4838d44693b0a808d9be3fdc4d%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637750003764913996%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=vOe8DZTB0H3Q3OG1U0WoCVcYI%2F%2F%2BrPK1E2qd8b3mvg4%3D&reserved=0">
https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugs.gentoo.org%2Fshow_bug.cgi%3Fid%3D426814&data=04%7C01%7CGabor.Nagy%40oneidentity.com%7Ca2e46b4838d44693b0a808d9be3fdc4d%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637750003764913996%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=vOe8DZTB0H3Q3OG1U0WoCVcYI%2F%2F%2BrPK1E2qd8b3mvg4%3D&reserved=0</a><br>
> @include "scl.conf"<br>
><br>
><br>
> options { dir_perm(0755); perm(0644); chain_hostnames(no);<br>
> threaded(yes);<br>
> chain_hostnames(no);<br>
><br>
> # The default action of syslog-ng is to log a STATS line<br>
> # to the file every 10 minutes. That's pretty ugly after a while.<br>
> # Change it to every 12 hours so you get a nice daily update of<br>
> # how many messages syslog-ng missed (0).<br>
> stats_freq(43200);<br>
> # The default action of syslog-ng is to log a MARK line<br>
> # to the file every 20 minutes. That's seems high for most<br>
> # people so turn it down to once an hour. Set it to zero<br>
> # if you don't want the functionality at all.<br>
> mark_freq(0);<br>
> keep_hostname(yes); };<br>
><br>
> source local {<br>
> system() ; internal();<br>
> };<br>
> # *.emerg *<br>
><br>
> filter f_9 {<br>
> level(emerg);<br>
> };<br>
><br>
> destination d_6 {<br>
> usertty("*");<br>
> };<br>
><br>
> log { source(local); filter(f_9); destination(d_6); };<br>
><br>
> # kern.=debug /var/log/kernel<br>
><br>
> filter f_1 {<br>
> facility(kern) and level(debug..emerg);<br>
> };<br>
><br>
> destination d_1 {<br>
> file("/var/log/kernel" create_dirs(yes));<br>
> };<br>
><br>
> log { source(local); filter(f_1); destination(d_1); };<br>
><br>
> # kern.err /dev/console<br>
><br>
> filter f_2 {<br>
> facility(kern) and level(err..emerg);<br>
> };<br>
><br>
> destination d_2 {<br>
> file("/dev/console" create_dirs(yes));<br>
> };<br>
><br>
> log { source(local); filter(f_2); destination(d_2); };<br>
><br>
> # *.debug;mail.none;news.none;authpriv.none /var/log/messages<br>
><br>
> filter f_3 {<br>
> level(debug..emerg);<br>
> };<br>
><br>
> filter f_4 {<br>
> not facility(mail);<br>
> };<br>
><br>
> filter f_5 {<br>
> not facility(news);<br>
> };<br>
><br>
> filter f_6 {<br>
> not facility(authpriv);<br>
> };<br>
><br>
> destination d_3 {<br>
> file("/var/log/messages" create_dirs(yes));<br>
> };<br>
><br>
> log { source(local); filter(f_3); filter(f_4); filter(f_5); filter(f_6); destination(d_3); flags(final flow-control); };<br>
><br>
> # authpriv.* /var/log/secure<br>
><br>
> filter f_7 {<br>
> facility(authpriv) and level(debug..emerg);<br>
> };<br>
><br>
> destination d_4 {<br>
> file("/var/log/secure" create_dirs(yes));<br>
> };<br>
><br>
> log { source(local); filter(f_7); destination(d_4); };<br>
><br>
> # mail.* /var/log/maillog<br>
><br>
> filter f_8 {<br>
> facility(mail) and level(debug..emerg);<br>
> };<br>
><br>
> destination d_5 {<br>
> file("/var/log/maillog" create_dirs(yes));<br>
> };<br>
><br>
> log { source(local); filter(f_8); destination(d_5); };<br>
><br>
><br>
> # news.=crit /var/log/news/news.crit<br>
><br>
> filter f_10 {<br>
> facility(news) and level(crit..emerg);<br>
> };<br>
><br>
> destination d_7 {<br>
> file("/var/log/news/news.crit" create_dirs(yes));<br>
> };<br>
><br>
> log { source(local); filter(f_10); destination(d_7); };<br>
><br>
> # news.=err /var/log/news/news.err<br>
><br>
> filter f_11 {<br>
> facility(news) and level(err..emerg);<br>
> };<br>
><br>
> destination d_8 {<br>
> file("/var/log/news/news.err" create_dirs(yes));<br>
> };<br>
><br>
> log { source(local); filter(f_11); destination(d_8); };<br>
><br>
> # news.notice /var/log/news/news.notice<br>
><br>
> filter f_12 {<br>
> facility(news) and level(notice..emerg);<br>
> };<br>
><br>
> destination d_9 {<br>
> file("/var/log/news/news.notice" create_dirs(yes));<br>
> };<br>
><br>
> log { source(local); filter(f_12); destination(d_9); };<br>
><br>
> # local7.* /var/log/boot.log<br>
><br>
> filter f_13 {<br>
> facility(local7) and level(debug..emerg);<br>
> };<br>
><br>
> destination d_10 {<br>
> file("/var/log/boot.log" create_dirs(yes));<br>
> };<br>
><br>
> log { source(local); filter(f_13); destination(d_10); };<br>
><br>
> # local0.* /var/log/dhcpcd.log<br>
><br>
> filter f_14 {<br>
> facility(local0) and level(debug..emerg);<br>
> };<br>
><br>
><br>
> So, what have I been doing wrong, or is it something else?<br>
><br>
> Thanks in advance for any suggestions.<br>
><br>
><br>
> destination d_11 {<br>
> file("/var/log/dhcpcd.log" create_dirs(yes));<br>
> };<br>
><br>
> log { source(local); filter(f_14); destination(d_11); };<br>
><br>
><br>
> --<br>
> Your life is like a penny. You're going to lose it. The question is:<br>
> How do<br>
> you spend it?<br>
><br>
> John Covici wb2una<br>
> covici@ccs.covici.com<br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=04%7C01%7CGabor.Nagy%40oneidentity.com%7Ca2e46b4838d44693b0a808d9be3fdc4d%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637750003764913996%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=Fg0ux4K6lH9EW0EthCYVbxMUDnIEa4WGbyIHQuW3RG0%3D&reserved=0">
https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=04%7C01%7CGabor.Nagy%40oneidentity.com%7Ca2e46b4838d44693b0a808d9be3fdc4d%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637750003764913996%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=Fg0ux4K6lH9EW0EthCYVbxMUDnIEa4WGbyIHQuW3RG0%3D&reserved=0</a><br>
> Documentation: <a href="https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=04%7C01%7CGabor.Nagy%40oneidentity.com%7Ca2e46b4838d44693b0a808d9be3fdc4d%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637750003764923990%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=LFF7%2FpjVIdzfDgfReFHsHG45sL%2BYkDZKYphvebKJvcM%3D&reserved=0">
https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=04%7C01%7CGabor.Nagy%40oneidentity.com%7Ca2e46b4838d44693b0a808d9be3fdc4d%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637750003764923990%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=LFF7%2FpjVIdzfDgfReFHsHG45sL%2BYkDZKYphvebKJvcM%3D&reserved=0</a><br>
> FAQ: <a href="https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=04%7C01%7CGabor.Nagy%40oneidentity.com%7Ca2e46b4838d44693b0a808d9be3fdc4d%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637750003764923990%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=fE5zyc%2FP70So9Lh6%2FRRB%2FLlX0rC5ZvSX6DK%2BnKTXpzk%3D&reserved=0">
https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=04%7C01%7CGabor.Nagy%40oneidentity.com%7Ca2e46b4838d44693b0a808d9be3fdc4d%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637750003764923990%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=fE5zyc%2FP70So9Lh6%2FRRB%2FLlX0rC5ZvSX6DK%2BnKTXpzk%3D&reserved=0</a><br>
><br>
> [2 <text/html; us-ascii (quoted-printable)>]<br>
<br>
--<br>
Your life is like a penny. You're going to lose it. The question is:<br>
How do<br>
you spend it?<br>
<br>
John Covici wb2una<br>
covici@ccs.covici.com<br>
</div>
</span></font></div>
</body>
</html>