<div dir="auto">The /proc based file does not have the same format as systemd uses, although it should be the same bytes, just formatted differently.<div dir="auto"><br></div><div dir="auto">I tried to creatively match bytes from your boot id with the systemd entries (like byte ordering mismatch, etc.) but they indeed look like different values.</div><div dir="auto"><br></div><div dir="auto">If you look at the logs using "journalctl -fb" does that display log messages?</div><div dir="auto"><br></div><div dir="auto">Obviously this shouldn't happen. I have a work in progress PR to resolve the 'time-goes-backward' problem, here.</div><div dir="auto"><br></div><div dir="auto"><a href="https://github.com/syslog-ng/syslog-ng/pull/4245">https://github.com/syslog-ng/syslog-ng/pull/4245</a><br></div><div dir="auto"><br></div><div dir="auto">Got distracted with various stuff ATM, but testing/feedback helps there too.</div><div dir="auto"><br></div><div dir="auto">Also, as a workaround, journald can be bypassed if you don't need the journals themselves, that gets rid of a lot of complexity. </div><div dir="auto"><br></div><div dir="auto">This can be done by forcing /dev/log to be processed by syslog-ng instead of journald. One probably needs to change the socket activation unit for journald, and tell syslog-ng to use /dev/log even in light of running a systemd based setup.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jan 11, 2023, 00:37 Alexandre Santos <<a href="mailto:ASantos@infinera.com">ASantos@infinera.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="m_-6289419030915364794WordSection1">
<p class="MsoNormal"><span style="color:#7030a0">From the last tests with info that was provided regarding journald polling, it seems that the system is hitting this problem:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0"><a href="https://github.com/syslog-ng/syslog-ng/issues/2836" target="_blank" rel="noreferrer">https://github.com/syslog-ng/syslog-ng/issues/2836</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0">Still, the last time I caught the problem, I have the following:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0">root@machine:/ # cat /proc/sys/kernel/random/boot_id<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0">e473e508-6bce-412a-b7b8-ff44b5dbea9b<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0">root@machine:/ # journalctl --list-boots<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0">-1 8f5414009b064ef68186e2b91a9f251d Tue 2023-01-10 02:41:58 CST—Tue 2023-01-10 02:42:32 CST<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0">0 a74228741b0240ba93621f15bd58b4c4 Tue 2023-01-10 02:57:57 CST—Wed 2023-01-11 19:39:20 CST<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0">The boot id does not match any of the journal boots. So restart of syslog-ng does not clear the problem.<u></u><u></u></span></p>
<p class="MsoNormal"><b><span style="color:#7030a0">Do you know how this can happen?<u></u><u></u></span></b></p>
<p class="MsoNormal"><span style="color:#7030a0"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0">Regarding your questions:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0">1) systemd 241 (241)<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0">2)</span> <span style="color:#7030a0">
syslog-ng 3.36.1<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0">3) Yes<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0">4) Yes, it is quite loaded.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0">Thanks, Alex<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#7030a0"><u></u> <u></u></span></p>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng-bounces@lists.balabit.hu</a>> <b>
On Behalf Of </b>Balazs Scheidler<br>
<b>Sent:</b> 1 November 2022 06:49<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> Re: [syslog-ng] Local sources seem not to be working<u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">Ok, I've now read the relevant code to see how the journald polling operates and now have a general understanding.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">Couple of questions and notes.<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">1) which version of systemd do you have? (Debian buster currently has 247.3-6~bpo10+1), is that right?<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">2) syslog-ng 3.36.1, right?<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">3) you are using flow-control + disk buffer<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">4) your system seems to be lightly loaded, you seem to have had ~30 messages/sec in the journal between stalling and recovering via SIGHUP (based on the "processed" counts and the last timestamp)<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<div>
<p class="MsoNormal">syslog-ng uses the libsystemd library to poll for changes, which in turn uses inotify to watch the directories and files that make up the journal. You should see the inotify fd in the lsof output. I have mine like this:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">syslog-ng 3233 root 11r a_inode 0,14 0 10439 inotify<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">You should also have a couple of "eventpoll" fd's open, in lsof output this should look like this:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">syslog-ng 3233 root 3u a_inode 0,14 0 10439 [eventpoll]<br>
syslog-ng 3233 root 13u a_inode 0,14 0 10439 [eventpoll]<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">As you can see, I have two of these eventpoll fds, #3 is the main one, usually that comes first.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">If you do an strace on the syslog-ng process (command was "strace -s 256 -f -p <syslogng-pid> -o aaa"), you can see the epoll being manipulated:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"># we are grepping for all epoll operations with fd #3<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal">$ grep 'epoll.*(3' aaa<br>
3233 07:12:55.542368 epoll_wait(3, [{EPOLLIN, {u32=1319656488, u64=94426175659048}}], 10, 921) = 1 <0.462260><br>
3233 07:12:56.005163 epoll_ctl(3, EPOLL_CTL_DEL, 11, 0x7ffecc73736c) = 0 <0.000007><br>
3233 07:12:56.005265 epoll_wait(3, <unfinished ...><br>
625546 07:12:56.005555 epoll_ctl(3, EPOLL_CTL_MOD, 4, {EPOLLIN|EPOLLONESHOT, {u32=1319484192, u64=94426175486752}}) = 0 <0.000008><br>
3233 07:12:56.005778 epoll_ctl(3, EPOLL_CTL_ADD, 11, {EPOLLIN, {u32=1319656488, u64=94426175659048}} <unfinished ...><br>
3233 07:12:56.005864 epoll_wait(3, <unfinished ...><br>
625546 07:12:56.006049 epoll_ctl(3, EPOLL_CTL_MOD, 4, {EPOLLIN|EPOLLONESHOT, {u32=1319484192, u64=94426175486752}}) = 0 <0.000006><br>
3233 07:12:56.006114 epoll_wait(3, [{EPOLLIN, {u32=1319656488, u64=94426175659048}}], 10, -1) = 1 <0.250790><br>
3233 07:12:56.257450 epoll_ctl(3, EPOLL_CTL_DEL, 11, 0x7ffecc73736c) = 0 <0.000009><br>
3233 07:12:56.257518 epoll_wait(3, <unfinished ...><br>
625546 07:12:56.257828 epoll_ctl(3, EPOLL_CTL_MOD, 4, {EPOLLIN|EPOLLONESHOT, {u32=1319484192, u64=94426175486752}}) = 0 <0.000021><br>
3233 07:12:56.258144 epoll_ctl(3, EPOLL_CTL_ADD, 11, {EPOLLIN, {u32=1319656488, u64=94426175659048}} <unfinished ...><br>
3233 07:12:56.258250 epoll_wait(3, <unfinished ...><br>
625546 07:12:56.258411 epoll_ctl(3, EPOLL_CTL_MOD, 4, {EPOLLIN|EPOLLONESHOT, {u32=1319484192, u64=94426175486752}}) = 0 <0.000013><br>
3233 07:12:56.258496 epoll_wait(3, [{EPOLLIN, {u32=1319484552, u64=94426175487112}}], 10, -1) = 1 <0.203908><br>
3233 07:12:56.462711 epoll_wait(3, [{EPOLLIN, {u32=1319656488, u64=94426175659048}}], 10, 1000) = 1 <0.123872><br>
3233 07:12:56.587406 epoll_ctl(3, EPOLL_CTL_DEL, 11, 0x7ffecc73736c) = 0 <0.000015><br>
3233 07:12:56.587542 epoll_wait(3, <unfinished ...><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">From those events, you can see that syslog-ng deletes and adds fd #11 (which is my inotify descriptor) and fd #4 (which is an event). If I zoom in to fd 11 in addition to epoll:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">$ egrep '(\(11)|(epoll.*\(3)' aaa<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"># first event and its reaction:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">3233 07:12:55.542368 epoll_wait(3, [{EPOLLIN, {u32=1319656488, u64=94426175659048}}], 10, 921) = 1 <0.462260><br>
3233 07:12:56.004800 read(11, "\3\0\0\0\2\0\0\0\0\0\0\0\20\0\0\0system.journal\0\0", 272) = 32 <0.000019><br>
3233 07:12:56.005090 read(11, 0x7ffecc7372a0, 272) = -1 EAGAIN (Resource temporarily unavailable) <0.000006><br>
3233 07:12:56.005163 epoll_ctl(3, EPOLL_CTL_DEL, 11, 0x7ffecc73736c) = 0 <0.000007><br>
3233 07:12:56.005265 epoll_wait(3, <unfinished ...><br>
625546 07:12:56.005555 epoll_ctl(3, EPOLL_CTL_MOD, 4, {EPOLLIN|EPOLLONESHOT, {u32=1319484192, u64=94426175486752}}) = 0 <0.000008><br>
3233 07:12:56.005595 fcntl(11, F_GETFD) = 0x1 (flags FD_CLOEXEC) <0.000007><br>
3233 07:12:56.005618 fcntl(11, F_GETFL) = 0x800 (flags O_RDONLY|O_NONBLOCK) <0.000006><br>
3233 07:12:56.005659 setsockopt(11, SOL_SOCKET, SO_OOBINLINE, [1], 4) = -1 ENOTSOCK (Socket operation on non-socket) <0.000007><br>
3233 07:12:56.005778 epoll_ctl(3, EPOLL_CTL_ADD, 11, {EPOLLIN, {u32=1319656488, u64=94426175659048}} <unfinished ...><br>
3233 07:12:56.005864 epoll_wait(3, <unfinished ...><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<div>
<p class="MsoNormal"># second event and its reaction:<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal">625546 07:12:56.006049 epoll_ctl(3, EPOLL_CTL_MOD, 4, {EPOLLIN|EPOLLONESHOT, {u32=1319484192, u64=94426175486752}}) = 0 <0.000006><br>
3233 07:12:56.006114 epoll_wait(3, [{EPOLLIN, {u32=1319656488, u64=94426175659048}}], 10, -1) = 1 <0.250790><br>
3233 07:12:56.256994 read(11, "\3\0\0\0\2\0\0\0\0\0\0\0\20\0\0\0system.journal\0\0", 272) = 32 <0.000026><br>
3233 07:12:56.257416 read(11, 0x7ffecc7372a0, 272) = -1 EAGAIN (Resource temporarily unavailable) <0.000008><br>
3233 07:12:56.257450 epoll_ctl(3, EPOLL_CTL_DEL, 11, 0x7ffecc73736c) = 0 <0.000009><br>
3233 07:12:56.257518 epoll_wait(3, <unfinished ...><br>
625546 07:12:56.257828 epoll_ctl(3, EPOLL_CTL_MOD, 4, {EPOLLIN|EPOLLONESHOT, {u32=1319484192, u64=94426175486752}}) = 0 <0.000021><br>
3233 07:12:56.257940 fcntl(11, F_GETFD) = 0x1 (flags FD_CLOEXEC) <0.000011><br>
3233 07:12:56.257978 fcntl(11, F_GETFL) = 0x800 (flags O_RDONLY|O_NONBLOCK) <0.000009><br>
3233 07:12:56.258017 setsockopt(11, SOL_SOCKET, SO_OOBINLINE, [1], 4) = -1 ENOTSOCK (Socket operation on non-socket) <0.000011><br>
3233 07:12:56.258144 epoll_ctl(3, EPOLL_CTL_ADD, 11, {EPOLLIN, {u32=1319656488, u64=94426175659048}} <unfinished ...><br>
3233 07:12:56.258250 epoll_wait(3, <unfinished ...><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">please notice that syslog-ng reads fd #11 right after epoll indicates there's an event available. The read() has a payload which can be decoded according to struct inotify_event.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">In both cases, after the thread "625546" starts executing, we use the journald APIs to fetch the message. It's not very visible from the strace as sdjournal seems to access the files via mmap or something, but you should definitely see
the disk buffer being written as messages get delivered, since you are using a reliable disk buffer (which you may not need btw, but that's a separate discussion).<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">The reasons we might stall could be:<u></u><u></u></p>
</div>
<div>
<ul type="disc">
<li class="MsoNormal">
the file is not modified at all (this could be ruled out)<u></u><u></u></li><li class="MsoNormal">
we don't poll the inotify fd (you can confirm this via strace as above)<u></u><u></u></li><li class="MsoNormal">
we do poll the fd, but we don't read the events from it (again strace helps here)<u></u><u></u></li><li class="MsoNormal">
we do poll the fd and read the events but somehow we don't respond to them properly (this is probably a bug)<u></u><u></u></li><li class="MsoNormal">
our worker wakes up in response to the event but then it doesn't consume messages from the journal (this is probably a bug)<u></u><u></u></li></ul>
<div>
<p class="MsoNormal">If we are not polling the inotify fd, that means that the systemd-journal() source might be suspended. This can happen for example because of flow control:<u></u><u></u></p>
</div>
<div>
<ul type="disc">
<li class="MsoNormal">
a source is suspended if some of its flow-controlled destinations are unable to consume the messages it produces. in your case, you have a disk buffer and that consumes all messages up to its capacity. I didn't see disk buffers that were full (the queued counters
are all zero), you were also saying that those same files are being written, messages delivered normally.<u></u><u></u></li><li class="MsoNormal">
if for some reason we are stuck in the "suspended" state and the wakeup mechanism does not work (this is probably a bug)<u></u><u></u></li></ul>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">With all this said, can you please confirm that we are polling the inotify fd from our main thread and that you can see the inotify event being consumed? Or you don't see that at all?<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Of course while syslog-ng is working, this should operate normally. The trick is to look at it when it is stalled.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Thanks and again sorry for this taking so long.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On Tue, Nov 1, 2022 at 6:36 AM Balazs Scheidler <<a href="mailto:bazsi77@gmail.com" target="_blank" rel="noreferrer">bazsi77@gmail.com</a>> wrote:<u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal">sorry, no I didn't. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I just looked at your configs. If I see correctly, then in the error situation the local logs are stalled, counters are not incremented. The journald "processed" counter stays at 85558, while immediately after reload it goes to 271377, which
seems to indicate that for some reason we are not getting updates on the journals.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I am reading the code to understand how we poll the journal and I hope I'll have some input how to debug this.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Bazsi<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On Mon, Oct 31, 2022 at 5:15 PM Alexandre Santos <<a href="mailto:ASantos@infinera.com" target="_blank" rel="noreferrer">ASantos@infinera.com</a>> wrote:<u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span style="color:#7030a0">Hi,</span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:#7030a0">Did you have a chance to analyze this?</span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:#7030a0">Thanks & Regards,</span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:#7030a0">Alex</span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:#7030a0"> </span><u></u><u></u></p>
<div>
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm 0cm;border-color:currentcolor currentcolor">
<p class="MsoNormal"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng-bounces@lists.balabit.hu</a>>
<b>On Behalf Of </b>Alexandre Santos<br>
<b>Sent:</b> 16 September 2022 14:38<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> Re: [syslog-ng] Local sources seem not to be working<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Hi Balazs,<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Do you have any other idea of how to debug this?<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">From the last time I was able to reproduce the problem, I found the following:<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><i>New developments, on this.</i><u></u><u></u></p>
<p class="MsoNormal"><i>After another test this time with no remote destinations configured, the issue happened again:</i><u></u><u></u></p>
<p class="MsoNormal"><i>In attachment I am sending:</i><u></u><u></u></p>
<p class="MsoNormal"><i>- The stats in error condition: 42116.inerror.stats.txt, where ‘src.journald;s_src#0;journal;a;stamp;1651142246’</i><u></u><u></u></p>
<p class="MsoNormal"><i>- The stats in error condition after some time: 42116.inerror.15m.stats.txt where ‘src.journald;s_src#0;journal;a;stamp;1651142246’
</i><u></u><u></u></p>
<p class="MsoNormal"><i>- The stats after recovering the system with reload: 42116.after.stats.txt</i><u></u><u></u></p>
<p class="MsoNormal"><i>- The syslog-ng configuration: 42116.no.remote.dest.syslog-ng.conf</i><u></u><u></u></p>
<p class="MsoNormal"><i> </i><u></u><u></u></p>
<p class="MsoNormal"><i>It seems the ‘src.journald;s_src#0;journal;a;stamp;1651142246’ did not change. Does this mean that the last read timestamp from the journal did not change?</i><u></u><u></u></p>
<p class="MsoNormal"><i>Logs from the UDP source are still being written to the /var/log/… files.</i><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Cheers,<u></u><u></u></p>
<p class="MsoNormal">Alex<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm 0cm;border-color:currentcolor currentcolor">
<p class="MsoNormal"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng-bounces@lists.balabit.hu</a>>
<b>On Behalf Of </b>Balazs Scheidler<br>
<b>Sent:</b> 1 July 2022 21:02<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> Re: [syslog-ng] Local sources seem not to be working<u></u><u></u></p>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal">This means that we are indeed polling the journal ourselves and not relying on journald to forward the logs to us.<u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">If the error occurs, try to look at the syslog-ng statistic counters (syslog-ng-ctl stats) to see if your output queue is full. This could cause back pressure and reading to stop.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Also, enabling debug/trace messages of syslog-ng could be helpful. You can also do that via syslog-ng-ctl, no restart is needed. The trace output should be excluded from your normal
log processing pipeline, as it can be quite overwhelming in volume.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">I don't really have any other ideas at the moment. Still on vacation. :)<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<div>
<p class="MsoNormal">On Thu, Jun 30, 2022, 19:43 Alexandre Santos <<a href="mailto:ASantos@infinera.com" target="_blank" rel="noreferrer">ASantos@infinera.com</a>> wrote:<u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid windowtext 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<div>
<p class="MsoNormal">Hi Balazs,<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Thanks for the feedback!<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">It is definitely using journald, as you can see below.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">When you say “Try to remove the syslog-ng persist file and check if reading the journal restarts.”, this is to be done when the system is in the error condition, right?<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Regards,<u></u><u></u></p>
<p class="MsoNormal">Alex<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">source s_src {</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> </span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">#Start Block source generator system</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">channel {</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> source {</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">systemd-journal();</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> </span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> }; # source</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">channel {</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> channel {</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> parser {</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> </span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">#Start Block parser generator app-parser</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> </span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">channel {</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> junction {</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> </span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">channel { filter { tags('.app.doesnotexist'); }; flags(final); }; };</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">}</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">#End Block parser generator app-parser</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">;</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> };</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> flags(final);</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> };</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> channel { flags(final); };</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">};</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">}; # channel</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> </span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">#End Block source generator system</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">;</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> internal();</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas"> syslog(ip(19.88.4.17) transport("udp") port(514) keep-alive(no));</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:Consolas">};</span></b><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm 0cm;border-color:currentcolor currentcolor">
<p class="MsoNormal"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng-bounces@lists.balabit.hu</a>>
<b>On Behalf Of </b>Balazs Scheidler<br>
<b>Sent:</b> 26 June 2022 06:37<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> Re: [syslog-ng] Local sources seem not to be working<u></u><u></u></p>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal">Hi,<u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">I haven't seen anything like this. We are reading the journal files using libsystemd.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Try to remove the syslog-ng persist file and check if reading the journal restarts.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Also there can be two ways of local messages getting to syslog-ng,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">1) /dev/log forwarding<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">2) reading the journal files<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">The first one is actively done by journald. Which one syslog-ng uses is automatically detected by our system() source.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">To see which one syslog-ng is trying to use, try to run it with --preprocess-into=some-file and check how system() source is expanded.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">I am unable to check the source code at the moment, so this is all from the top-of-my-head, but I hope this already helps to troubleshoot the issue.<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<div>
<p class="MsoNormal">On Fri, Jun 24, 2022, 18:21 Alexandre Santos <<a href="mailto:ASantos@infinera.com" target="_blank" rel="noreferrer">ASantos@infinera.com</a>> wrote:<u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid windowtext 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<div>
<p class="MsoNormal">Hi<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Any news regarding this issue?<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Making a recap of the findings:<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<ul type="disc">
<li class="MsoNormal">
Using a Debian 10 buster with first release with 3.36.1;<u></u><u></u></li></ul>
<ul type="disc">
<li class="MsoNormal">
After some time “system()” source logs are not getting written to the destinations;<u></u><u></u></li><li class="MsoNormal">
The log messages from other sources, internal() and syslog(…) continue to work fine, being written to the destinations;<u></u><u></u></li><li class="MsoNormal">
One of the things I noticed is that the socket to the journal seems to vanish during the error situation:<u></u><u></u></li></ul>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">It seems that somehow syslog-ng is unable to read from the Linux journal.<u></u><u></u></p>
<p class="MsoNormal"><b>Have you ever experienced this problem?</b><u></u><u></u></p>
<p class="MsoNormal"><b>Do you know what can be wrong with the system?</b><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">root@machine:~# lsof /run/log/journal/98101a328524447d88917bea845a8966/system*</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">systemd-j 1723 root mem REG 0,19 8388608 31745 /run/log/journal/98101a328524447d88917bea845a8966/system.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">systemd-j 1723 root mem REG 0,19 8388608 26165 /run/log/journal/98101a328524447d88917bea845a8966/system@3721b31246e54dc0baab1ac0f68c3f43-0000000000000001-000581d7e3fe20ba.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">systemd-j 1723 root 16u REG 0,19 8388608 26165 /run/log/journal/98101a328524447d88917bea845a8966/system@3721b31246e54dc0baab1ac0f68c3f43-0000000000000001-000581d7e3fe20ba.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">systemd-j 1723 root 24u REG 0,19 8388608 31745 /run/log/journal/98101a328524447d88917bea845a8966/system.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">syslog-ng 3201 root mem REG 0,19 8388608 26165 /run/log/journal/98101a328524447d88917bea845a8966/system@3721b31246e54dc0baab1ac0f68c3f43-0000000000000001-000581d7e3fe20ba.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">syslog-ng 3201 root mem REG 0,19 8388608 31745 /run/log/journal/98101a328524447d88917bea845a8966/system.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">syslog-ng 3201 root 14r REG 0,19 8388608 31745 /run/log/journal/98101a328524447d88917bea845a8966/system.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">syslog-ng 3201 root 15r REG 0,19 8388608 26165 /run/log/journal/98101a328524447d88917bea845a8966/system@3721b31246e54dc0baab1ac0f68c3f43-0000000000000001-000581d7e3fe20ba.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">journalct 6861 root mem REG 0,19 8388608 26165 /run/log/journal/98101a328524447d88917bea845a8966/system@3721b31246e54dc0baab1ac0f68c3f43-0000000000000001-000581d7e3fe20ba.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">journalct 6861 root mem REG 0,19 8388608 31745 /run/log/journal/98101a328524447d88917bea845a8966/system.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">journalct 6861 root 5r REG 0,19 8388608 31745 /run/log/journal/98101a328524447d88917bea845a8966/system.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">journalct 6861 root 6r REG 0,19 8388608 26165 /run/log/journal/98101a328524447d88917bea845a8966/system@3721b31246e54dc0baab1ac0f68c3f43-0000000000000001-000581d7e3fe20ba.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">root@ machine:~# lsof /run/log/journal/98101a328524447d88917bea845a8966/system*</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">systemd-j 1723 root mem REG 0,19 8388608 31745 /run/log/journal/98101a328524447d88917bea845a8966/system.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">systemd-j 1723 root mem REG 0,19 8388608 26165 /run/log/journal/98101a328524447d88917bea845a8966/system@3721b31246e54dc0baab1ac0f68c3f43-0000000000000001-000581d7e3fe20ba.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">systemd-j 1723 root 16u REG 0,19 8388608 26165 /run/log/journal/98101a328524447d88917bea845a8966/system@3721b31246e54dc0baab1ac0f68c3f43-0000000000000001-000581d7e3fe20ba.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">systemd-j 1723 root 24u REG 0,19 8388608 31745 /run/log/journal/98101a328524447d88917bea845a8966/system.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">journalct 6861 root mem REG 0,19 8388608 26165 /run/log/journal/98101a328524447d88917bea845a8966/system@3721b31246e54dc0baab1ac0f68c3f43-0000000000000001-000581d7e3fe20ba.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">journalct 6861 root mem REG 0,19 8388608 31745 /run/log/journal/98101a328524447d88917bea845a8966/system.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">journalct 6861 root 5r REG 0,19 8388608 31745 /run/log/journal/98101a328524447d88917bea845a8966/system.journal</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">journalct 6861 root 6r REG 0,19 8388608 26165 /run/log/journal/98101a328524447d88917bea845a8966/system@3721b31246e54dc0baab1ac0f68c3f43-0000000000000001-000581d7e3fe20ba.journal</span><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Thanks in advance,<u></u><u></u></p>
<p class="MsoNormal">Alex<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm 0cm;border-color:currentcolor currentcolor">
<p class="MsoNormal"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng-bounces@lists.balabit.hu</a>>
<b>On Behalf Of </b>Alexandre Santos<br>
<b>Sent:</b> 19 May 2022 09:25<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> Re: [syslog-ng] Local sources seem not to be working<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Hi Szilard,<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">There is no filter:<u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">source syslog_ng_src {</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> internal();</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">};</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">destination d_localfile_syslog_ng {</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> program("/opt/machine/local/bin/write_with_rotation.sh /var/log/syslog-ng-internal.log 10 10"</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> flags(syslog-protocol)</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> suppress(5)</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> disk-buffer(</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> mem-buf-size(2097152)</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> disk-buf-size(4194304)</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> reliable(yes)</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> dir("/tmp")</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> )</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> );</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">};</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">log {</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> source(syslog_ng_src);</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> destination(d_localfile_syslog_ng);</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> flags(flow-control);</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas">};</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:Consolas"> </span><u></u><u></u></p>
<p class="MsoNormal">Thanks and Regards,<u></u><u></u></p>
<p class="MsoNormal">Alex<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm 0cm;border-color:currentcolor currentcolor">
<p class="MsoNormal"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng-bounces@lists.balabit.hu</a>>
<b>On Behalf Of </b>Szilard Parrag (sparrag)<br>
<b>Sent:</b> 19 May 2022 08:59<br>
<b>To:</b> <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng@lists.balabit.hu</a><br>
<b>Subject:</b> Re: [syslog-ng] Local sources seem not to be working<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">Hi Alex,</span><u></u><u></u></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> </span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">We've checked it too and syslog-ng does not release the file descriptor of journald even with flow-control
<span style="background:white">enabled</span>.</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> </span><u></u><u></u></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">Also, your internal logs seem rather terse, maybe there is a filter which filters out the important parts. Could you please check it?</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> </span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">Szilard</span><u></u><u></u></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank" rel="noreferrer">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank" rel="noreferrer">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank" rel="noreferrer">
http://www.balabit.com/wiki/syslog-ng-faq</a><u></u><u></u></p>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br clear="all">
<br>
-- <u></u><u></u></p>
<div>
<p class="MsoNormal">Bazsi<u></u><u></u></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br clear="all">
<br>
-- <u></u><u></u></p>
<div>
<p class="MsoNormal">Bazsi<u></u><u></u></p>
</div>
</div>
</div>
</blockquote></div>
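<p>The two <code>lsof</code> listings quoted in the thread differ only in that syslog-ng (PID 3201) no longer appears in the second one. The script below is an added example, not code from the thread or from the syslog-ng project: it diffs two such snapshots and reports watched readers that have dropped every journal handle. The rows are abridged from the listings above; the function names and the <code>watch</code> parameter are assumptions of this example.</p>

```python
"""Diff two `lsof` snapshots of the journal files (added example)."""
from collections import defaultdict

J = "/run/log/journal/98101a328524447d88917bea845a8966/"
ACTIVE = J + "system.journal"
ARCHIVED = (J + "system@3721b31246e54dc0baab1ac0f68c3f43"
                "-0000000000000001-000581d7e3fe20ba.journal")

# Rows abridged from the thread; lsof shows only the first nine
# characters of COMMAND by default ("systemd-j", "journalct").
HEADER = "COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME\n"
COMMON = (f"systemd-j 1723 root 16u REG 0,19 8388608 26165 {ARCHIVED}\n"
          f"systemd-j 1723 root 24u REG 0,19 8388608 31745 {ACTIVE}\n"
          f"journalct 6861 root 5r REG 0,19 8388608 31745 {ACTIVE}\n"
          f"journalct 6861 root 6r REG 0,19 8388608 26165 {ARCHIVED}\n")
BEFORE = HEADER + COMMON + (
    f"syslog-ng 3201 root mem REG 0,19 8388608 31745 {ACTIVE}\n"
    f"syslog-ng 3201 root 14r REG 0,19 8388608 31745 {ACTIVE}\n"
    f"syslog-ng 3201 root 15r REG 0,19 8388608 26165 {ARCHIVED}\n")
AFTER = HEADER + COMMON


def parse_lsof(text):
    """Map (command, pid) -> set of (fd, file name) from lsof output."""
    handles = defaultdict(set)
    for line in text.splitlines():
        # maxsplit=8 keeps a NAME column containing spaces in one piece.
        fields = line.split(None, 8)
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue  # header, shell prompt or blank line
        handles[(fields[0], int(fields[1]))].add((fields[3], fields[8]))
    return dict(handles)


def lost_handles(before, after):
    """Handles each process held in `before` but not in `after`."""
    old, new = parse_lsof(before), parse_lsof(after)
    lost = {proc: fds - new.get(proc, set()) for proc, fds in old.items()}
    return {proc: fds for proc, fds in lost.items() if fds}


def detached_readers(before, after, watch=("syslog-ng",)):
    """Watched processes that held journal files and now hold none.

    lsof filtered by path cannot tell a closed file from an exited
    process, so confirm separately that the PID is still running.
    """
    old, new = parse_lsof(before), parse_lsof(after)
    return sorted(proc for proc in old
                  if proc[0] in watch and proc not in new)


if __name__ == "__main__":
    for command, pid in detached_readers(BEFORE, AFTER):
        print(f"{command} (pid {pid}) no longer has any journal file open")
```
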