September 2009 - syslog-ng - lists.balabit.hu

freebsd /dev/klog logging
by Jan Schaumann 04 Sep '09

04 Sep '09

Hello, I seem to have problems getting any messages from /dev/klog when using syslog-ng 3.0.3. My syslog-ng.conf file looks like this: === template t_default { template("${DATE} <${FACILITY}.${PRIORITY}> ${HOST} ${MSG}\n"); }; destination d_tmp { file("/var/log/klog" template(t_default)); }; source s_klog { file("/dev/klog"); }; log { source(s_klog); destination(d_tmp); }; === I have a kernel module that just calls log(9) to generate a message on /dev/klog. It loads fine, and the message does appear in the dmesg(8), but nothing is written to /var/log/klog. Likewise, messages from ipfw(8) do not show up in that file. I'm quite sure I'm missing something... but what? Many thanks in advance, -Jan

7 15

facility 'security'
by Jan Schaumann 04 Sep '09

04 Sep '09

Hello, It appears that syslog-ng does not correctly identify the 'security' facility: $ logger -p security.info oink yields: Aug 25 10:46:43 <d.info> syslog1 oink Note the false facility "d". In src/syslog-names.c, the mapping for 'security' is done thusly: {"security", LOG_AUTH}, /* DEPRECATED */ FreeBSD, however, appears to still use LOG_SECURITY, which leads to syslog-ng falsely categorizing the incoming messages. I'd be able to deal with this if it actually did fall back to LOG_AUTH, but for some reason it shows up as facility "d" (which seems like a string comparison gone awry). -Jan

3 4

multiline messages via unix socket
by Max Arnold 04 Sep '09

04 Sep '09

Hello all! Can someone look at this bugreport: http://bugs.python.org/issue6444 In short, when multiline log messages sent via /dev/log socket they are splitted into multiple log entries. Only first entry will have proper timestamp and facility. This behavior differs from sysklogd and metalog, where multiple lines are concatenated. Even syslog-ng itself concatenates them when used via udp socket. Tested on syslog-ng-2.1.3. Thanks.

2 3

Milliseconds in timestamp and black magic
by Sergei Zhirikov 02 Sep '09

02 Sep '09

Hi, I'm observing something mysterious with milliseconds in timestamps. I set frac_digits() in the global options and then I have a rewriter and a template. Something like this: options { frac_digits(3); }; source s { internal(); } rewrite r { set("$ISODATE", value("MYDATE")); }; template t { template("$ISODATE ($MYDATE) $HOST $MSGHDR$MESSAGE\n"); }; destination d { file("/var/log/test.log" template(t)); }; log { source(s); rewrite(r); destination(d); }; To my total surprise the expanded value of $ISODATE in the log file contains fraction part, but the value of $MYDATE does not! Aren't they supposed to be the same because of the rewrite rule? Or am I doing something wrong? (I'm using syslog-ng 3.0.4 on Linux). -- Thanks, Sergei.

4 5