<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Hello!</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Do I understand it right, that while journalctl can read (kernel) messages, syslog-ng doesn't get them (at least not all of them)?</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
As I understood the problem is more general than kernel messages as only a few messages reach /var/log/messages too.<br>
<br>
I didn't find any issues with the config.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
We can check a few things first, and see how we should proceed:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<ul>
<li><span>check the actual driver of system() source: system() source is a wrapper that expands to platform-specific drivers (e.g. it could be systemd, or directly reading /dev/log).<br>
Please run "syslog-ng --preprocess-into=/tmp/preprocessed.conf".<br>
In the generated preprocessed config, look for the<br>
"Start Block source generator system" string and check the underlying lines to see what the actual driver is.<br>
On Linux where systemd is available, it should be:<br>
<br>
#Start Block source generator system
<div>channel {</div>
<div> source {</div>
<div>systemd-journal();</div>
<div><br>
</div>
<span> }; # source</span><br>
</span></li><li><span><span>check incoming message rate to see if any message is coming in:<br>
run "syslog-ng-ctl stats | grep local" # local is a source statement in your config</span></span></li><li><span><span>check internal logs of syslog-ng:<br>
you have internal() source in your config, so you can check syslog-ng's internal log.<br>
I would suggest redirecting it first to a separate file.</span></span></li><li><span><span>send a test message into your system log with logger:<br>
run "logger --rfc3164 test message" and see if you see it in both journalctl output and in syslog-ng's output file too.</span></span></li></ul>
<div><span><span><br>
</span></span></div>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Regards,<br>
Gabor</div>
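<div>The first, second and fourth checks above can be scripted. The following is an added example, not part of the original message and not syslog-ng's own tooling. The function names are hypothetical, the sample inputs are constructed, and the semicolon-separated column layout of "syslog-ng-ctl stats" is an assumption; the ids local, d_1 and d_3 come from the posted config.</div>
<pre>
```shell
#!/bin/sh
# Added example; sample inputs are constructed, function names are hypothetical.

# Step 1: print the driver(s) system() expanded to. stdin: the file written by
#   syslog-ng --preprocess-into=/tmp/preprocessed.conf
system_drivers() {
    awk '
        /^#Start Block source generator system/ { in_block = 1; next }
        in_block && /[}];[ \t]*#[ \t]*source/   { exit }
        in_block && /^[ \t]*source[ \t]*[{]/    { in_source = 1; next }
        in_source && match($0, /[a-z][a-z0-9-]*[ \t]*[(]/) {
            name = substr($0, RSTART, RLENGTH)
            sub(/[ \t]*[(]$/, "", name)
            print name
        }'
}

# Step 2: print the "processed" counter of one stats object (assumed column layout).
# stdin: output of "syslog-ng-ctl stats"; $1 = SourceName column, $2 = SourceId column.
processed_count() {
    awk -F';' -v kind="$1" -v id="$2" '
        $1 == kind && $2 == id && $5 == "processed" { n = $6; found = 1 }
        END { if (found) print n; else print "missing" }'
}

# Step 4 (live system only): send a tagged test message, then count it on both sides.
# $1 = a file written by syslog-ng, e.g. /var/log/messages
probe() {
    token="syslog-ng-probe-$$"
    logger --rfc3164 "$token"
    sleep 2
    echo "journal=$(journalctl --since=-1min --no-pager | grep -c "$token")" \
         "file=$(grep -c "$token" "$1")"
}

# Constructed sample inputs so the parsers can be tried offline.
sample_conf() {
    printf '%s\n' '#Start Block source generator system' 'channel {' \
        '    source {' 'systemd-journal();' '' '    }; # source'
}
sample_stats() {
    printf '%s\n' 'SourceName;SourceId;SourceInstance;State;Type;Number' \
        'source;local;;a;processed;3' 'destination;d_3;;a;processed;3' \
        'destination;d_1;;a;processed;0'
}

echo "system() driver: $(sample_conf | system_drivers)"
echo "source local:    $(sample_stats | processed_count source local)"
echo "destination d_1: $(sample_stats | processed_count destination d_1)"
```
</pre>
<div>On a live host, feed /tmp/preprocessed.conf and the real "syslog-ng-ctl stats" output to the two parsers instead of the samples. A source counter that grows while the d_1 counter stays at 0 means messages arrive but none match the kern filter.</div>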
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of John Covici <covici@ccs.covici.com><br>
<b>Sent:</b> Friday, December 10, 2021 18:35<br>
<b>To:</b> syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> [syslog-ng] syslog-ng no longer receiving kernel messages</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">
Hi folks.<br>
<br>
I am having a problem that syslog-ng no longer gets any kernel<br>
messages. It seems to get other messages, but not kernel messages.<br>
<br>
Here is what happened.<br>
<br>
In an update from kernel 5.10.70 to 5.10.82, I enabled the kernel<br>
race condition sanitizer. I looked at its output and decided that it<br>
would not do me any good, so I took that out and recompiled the<br>
kernel. However after rebooting the system, syslog-ng only gives me a<br>
few messages from when the kernel sanitizer was active in my<br>
/var/log/messages and the same for /var/log/kernel.<br>
<br>
I am using systemd, so I have the journal and it is OK, all messages<br>
are posted correctly there.<br>
<br>
Here is my /etc/syslog-ng/syslog-ng.conf .<br>
<br>
@version: 3.34<br>
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/3.4/syslog-ng.conf.gentoo,v 1.2 2013/06/02 01:18:35 mr_bones_ Exp $<br>
#<br>
# Syslog-ng default configuration file for Gentoo Linux<br>
<br>
# <a href="https://bugs.gentoo.org/show_bug.cgi?id=426814">https://bugs.gentoo.org/show_bug.cgi?id=426814</a><br>
@include "scl.conf"<br>
<br>
<br>
options { dir_perm(0755); perm(0644); chain_hostnames(no);<br>
threaded(yes);<br>
chain_hostnames(no);<br>
<br>
# The default action of syslog-ng is to log a STATS line<br>
# to the file every 10 minutes. That's pretty ugly after a while.<br>
# Change it to every 12 hours so you get a nice daily update of<br>
# how many messages syslog-ng missed (0).<br>
stats_freq(43200);<br>
# The default action of syslog-ng is to log a MARK line<br>
# to the file every 20 minutes. That seems high for most<br>
# people so turn it down to once an hour. Set it to zero<br>
# if you don't want the functionality at all.<br>
mark_freq(0);<br>
keep_hostname(yes); };<br>
<br>
source local {<br>
system() ; internal();<br>
};<br>
# *.emerg *<br>
<br>
filter f_9 {<br>
level(emerg);<br>
};<br>
<br>
destination d_6 {<br>
usertty("*");<br>
};<br>
<br>
log { source(local); filter(f_9); destination(d_6); };<br>
<br>
# kern.=debug /var/log/kernel<br>
<br>
filter f_1 {<br>
facility(kern) and level(debug..emerg);<br>
};<br>
<br>
destination d_1 {<br>
file("/var/log/kernel" create_dirs(yes));<br>
};<br>
<br>
log { source(local); filter(f_1); destination(d_1); };<br>
<br>
# kern.err /dev/console<br>
<br>
filter f_2 {<br>
facility(kern) and level(err..emerg);<br>
};<br>
<br>
destination d_2 {<br>
file("/dev/console" create_dirs(yes));<br>
};<br>
<br>
log { source(local); filter(f_2); destination(d_2); };<br>
<br>
# *.debug;mail.none;news.none;authpriv.none /var/log/messages<br>
<br>
filter f_3 {<br>
level(debug..emerg);<br>
};<br>
<br>
filter f_4 {<br>
not facility(mail);<br>
};<br>
<br>
filter f_5 {<br>
not facility(news);<br>
};<br>
<br>
filter f_6 {<br>
not facility(authpriv);<br>
};<br>
<br>
destination d_3 {<br>
file("/var/log/messages" create_dirs(yes));<br>
};<br>
<br>
log { source(local); filter(f_3); filter(f_4); filter(f_5); filter(f_6); destination(d_3); flags(final flow-control); };<br>
<br>
# authpriv.* /var/log/secure<br>
<br>
filter f_7 {<br>
facility(authpriv) and level(debug..emerg);<br>
};<br>
<br>
destination d_4 {<br>
file("/var/log/secure" create_dirs(yes));<br>
};<br>
<br>
log { source(local); filter(f_7); destination(d_4); };<br>
<br>
# mail.* /var/log/maillog<br>
<br>
filter f_8 {<br>
facility(mail) and level(debug..emerg);<br>
};<br>
<br>
destination d_5 {<br>
file("/var/log/maillog" create_dirs(yes));<br>
};<br>
<br>
log { source(local); filter(f_8); destination(d_5); };<br>
<br>
<br>
# news.=crit /var/log/news/news.crit<br>
<br>
filter f_10 {<br>
facility(news) and level(crit..emerg);<br>
};<br>
<br>
destination d_7 {<br>
file("/var/log/news/news.crit" create_dirs(yes));<br>
};<br>
<br>
log { source(local); filter(f_10); destination(d_7); };<br>
<br>
# news.=err /var/log/news/news.err<br>
<br>
filter f_11 {<br>
facility(news) and level(err..emerg);<br>
};<br>
<br>
destination d_8 {<br>
file("/var/log/news/news.err" create_dirs(yes));<br>
};<br>
<br>
log { source(local); filter(f_11); destination(d_8); };<br>
<br>
# news.notice /var/log/news/news.notice<br>
<br>
filter f_12 {<br>
facility(news) and level(notice..emerg);<br>
};<br>
<br>
destination d_9 {<br>
file("/var/log/news/news.notice" create_dirs(yes));<br>
};<br>
<br>
log { source(local); filter(f_12); destination(d_9); };<br>
<br>
# local7.* /var/log/boot.log<br>
<br>
filter f_13 {<br>
facility(local7) and level(debug..emerg);<br>
};<br>
<br>
destination d_10 {<br>
file("/var/log/boot.log" create_dirs(yes));<br>
};<br>
<br>
log { source(local); filter(f_13); destination(d_10); };<br>
<br>
# local0.* /var/log/dhcpcd.log<br>
<br>
filter f_14 {<br>
facility(local0) and level(debug..emerg);<br>
};<br>
<br>
<br>
So, what have I been doing wrong, or is it something else?<br>
<br>
Thanks in advance for any suggestions.<br>
<br>
<br>
destination d_11 {<br>
file("/var/log/dhcpcd.log" create_dirs(yes));<br>
};<br>
<br>
log { source(local); filter(f_14); destination(d_11); };<br>
<br>
<br>
--<br>
Your life is like a penny. You're going to lose it. The question is:<br>
How do<br>
you spend it?<br>
<br>
John Covici wb2una<br>
covici@ccs.covici.com<br>
</div>
</span></font></div>
</body>
</html>