syslog-ng
April 2021
- 12 participants
- 13 discussions
I don't know how that keeps happening, but ignore that one. It's
incomplete. The NEXT message is complete. Sorry.
On 4/8/2021 6:02 PM, Dan Egli wrote:
> I'm still hoping someone on this list can help me out. My syslog-ng
> configuration seems to be mixing things up. I am TRYING to separate
> things, so that anything from sshd goes to /var/log/sshd/sshd.log,
> anything from samba goes to /var/log/samba/log.samba, and anything
> ELSE hitting the syslog is going to /var/log/messages. My problem is,
> the sshd log seems to be picking up samba messages, and the main log
> (/var/log/messages) is picking up them BOTH. But I have filters in my
> config to say this one, not that one.
>
> If anyone is willing to help me out, the following files are live on
> my web server:
> https://www.newideatest.site/syslog-conf The current
> syslog-ng.conf
> https://www.newideatest.site/system_log Current /var/log/messages
> https://www.newideatest.site/syslog-
Looks like there's a bug in the latest version of Thunderbird or
something, because I see three messages that are incomplete copies of
what I am about to send. I will look further into that while I wait for
more advice from you guys.
On 4/7/2021 7:19 PM, Dan Egli wrote:
>
> Those are the only ones I'm seeing in either log. Let me test it a
> bit, see if startup/shutdown messages occur too.
>
> Not only that, I am seeing samba messages in the sshd log, and I
> should not. When I do lsof, it seems the samba daemon is writing its
> own logs, so it's not surprising that there are no errors in that log.
> But why am I seeing samba messages in sshd.log, and why am I seeing
> samba and sshd in /var/log/messages?
>
> And if what you say about the security/auth is correct, then something
> else is screwy here because I ONLY have auth/info listed. NOT
> authpriv. Frankly, I'd say that it sounds like I need to just change
> to program("sshd") but I'm not sure if that will fix anything. I'll do
> that, just to see.
>
> On 4/7/2021 12:48 PM, SZALAY Attila wrote:
>> Hi Dan,
>>
>> The next important question is whether you see all sshd log messages
>> in /var/log/messages or just some of them. I see two kinds of
>> sshd-related log messages:
>>
>> [2021-04-07T12:29:43.875056] Incoming log entry; line='<38>Apr 7
>> 12:29:43 sshd[30745]: Accepted keyboard-interactive/pam for dan from
>> XXXX port 40747 ssh2'
>> [2021-04-07T12:29:43.878136] Incoming log entry; line='<86>Apr 7
>> 12:29:43 sshd[30745]: pam_unix(sshd:session): session opened for user
>> dan(uid=1001) by (uid=0)'
>>
>> As the two have different values in <>, at least one of them differs
>> from auth/info.
>>
>> By the way, <38> is security(4)/info and <86> is security(10)/info. So
>> both are security/auth messages in some way but still different
>> facilities (4 and 6), which are called auth(4) and authpriv(10)
>> within syslog-ng.
>>
>> On Wed, 2021-04-07 at 12:35 -0600, Dan Egli wrote:
>>> Okay. I captured a couple of minutes worth of syslog-ng running.
>>> It's too big to post (1.5MB) so I put it up on my web server. You
>>> can see it at: https://www.newideatest.site/syslog-out
>>> On 4/7/2021 12:07 PM, SZIGETVÁRI János wrote:
>>> Hello Dan,
>>>
>>> I believe that Bazsi (Balázs) wasn't really looking for the startup
>>> messages about the config being parsed, but instead about the
>>> debug/trace output of the log processing pipeline.
>>> There he would be able to check which filters were run against a
>>> certain message (its actual content too), and what result those
>>> filters returned.
>>> I think that's what he's primarily after.
>>>
>>> Best Regards,
>>> János
>>> --
>>> Janos SZIGETVARI
>>> RHCE, License no. 150-053-692
>>> <https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
>>>
>>> LinkedIn: linkedin.com/in/janosszigetvari
>>> <http://linkedin.com/in/janosszigetvari>
>>> Web: janos.szigetvari.com <https://janos.szigetvari.com>
>>>
>>> __@__˚V˚
>>> Make the switch to open (source) applications, protocols, formats now:
>>> - windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
>>> - msn -> jabber protocol (Pidgin, Google Talk)
>>> - mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
>>>
>>>
>>> Dan Egli <dan(a)newideatest.site> wrote (on Wed, Apr 7, 2021,
>>> 20:02):
>>>
>>>> Syslog-ng is NOT complaining about my config at all. I've included
>>>> the output from the -Fedv below. Other than what I would call
>>>> "routine" errors in the scl section, no complaints.
>>>>
>>>> filename='/usr/share/syslog-ng/include/scl/default-network-drivers/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157029] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157074] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/graphite/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157078] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2'
>>>> [2021-04-07T11:52:21.157107] Included file was skipped because of a
>>>> missing module; module='mod-java',
>>>> location='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf:24:1'
>>>> [2021-04-07T11:52:21.157109] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/hdfs/plugin.conf', depth='2'
>>>> [2021-04-07T11:52:21.157114] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157173] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/iptables/iptables.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157179] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157232] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/junos/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157236] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157262] Included file was skipped because of a
>>>> missing module; module='mod-java',
>>>> location='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf:24:1'
>>>> [2021-04-07T11:52:21.157264] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/kafka/kafka-java.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157269] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2'
>>>> [2021-04-07T11:52:21.157309] Global value changed;
>>>> define='kafka-implementation', value='kafka-java'
>>>> [2021-04-07T11:52:21.157328] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/kafka/kafka.conf', depth='2'
>>>> [2021-04-07T11:52:21.157336] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157375] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/linux-audit/linux-audit.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157379] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157493] Module loaded and initialized
>>>> successfully; module='confgen'
>>>> [2021-04-07T11:52:21.157512] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/loadbalancer/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157519] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2'
>>>> [2021-04-07T11:52:21.157559] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/mbox/mbox.conf', depth='2'
>>>> [2021-04-07T11:52:21.157565] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157597] Included file was skipped because of a
>>>> missing module; module='pacctformat',
>>>> location='/usr/share/syslog-ng/include/scl/pacct/plugin.conf:24:1'
>>>> [2021-04-07T11:52:21.157600] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157605] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157905] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/paloalto/panos.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157919] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.157969] Global value changed;
>>>> define='balabit.credit-card-regexp',
>>>> value='(:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35d{3})d{11})'
>>>> [2021-04-07T11:52:21.157998] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/rewrite/cc-mask.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.158007] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.158073] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/snmptrap/snmptrapd-source.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.158079] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.158120] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/solaris/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.158131] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2'
>>>> [2021-04-07T11:52:21.161593] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/sudo/sudo.conf', depth='2'
>>>> [2021-04-07T11:52:21.161620] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161724] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/sumologic/sumologic.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161729] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161803] Module loaded and initialized
>>>> successfully; module='confgen'
>>>> [2021-04-07T11:52:21.161808] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161815] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/system/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161853] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/system/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161860] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161951] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/websense/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.161964] Starting to read include file;
>>>> filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.162008] Finishing include;
>>>> filename='/usr/share/syslog-ng/include/scl/windowseventlog/plugin.conf',
>>>> depth='2'
>>>> [2021-04-07T11:52:21.162024] Global value changed;
>>>> define='java-module-dir', value='/usr/lib64/syslog-ng/java-modules'
>>>> [2021-04-07T11:52:21.162028] Finishing include;
>>>> filename='/etc/syslog-ng/scl.conf', depth='1'
>>>> [2021-04-07T11:52:21.162157] Module loaded and initialized
>>>> successfully; module='system-source'
>>>> [2021-04-07T11:52:21.162188] system(): Enabling Linux kernel log
>>>> device; device='/dev/kmsg', format='linux-kmsg'
>>>> [2021-04-07T11:52:21.162403] Module loaded and initialized
>>>> successfully; module='afsocket'
>>>> [2021-04-07T11:52:21.162936] Module loaded and initialized
>>>> successfully; module='affile'
>>>> [2021-04-07T11:52:21.163175] Module loaded and initialized
>>>> successfully; module='kvformat'
>>>> [2021-04-07T11:52:21.163192] Finishing include; content='block
>>>> parser iptables-parser() at
>>>> /usr/share/syslog-ng/include/scl/iptables/iptables.conf:23', depth='3'
>>>> [2021-04-07T11:52:21.163568] Module loaded and initialized
>>>> successfully; module='csvparser'
>>>> [2021-04-07T11:52:21.164457] Finishing include; content='block
>>>> parser panos-parser() at
>>>> /usr/share/syslog-ng/include/scl/paloalto/panos.conf:29', depth='3'
>>>> [2021-04-07T11:52:21.164880] Module loaded and initialized
>>>> successfully; module='basicfuncs'
>>>> [2021-04-07T11:52:21.164936] Finishing include; content='block
>>>> parser sudo-parser() at
>>>> /usr/share/syslog-ng/include/scl/sudo/sudo.conf:23', depth='3'
>>>> [2021-04-07T11:52:21.164995] Finishing include; content='parser
>>>> generator app-parser', depth='2'
>>>> [2021-04-07T11:52:21.165016] Finishing include; content='source
>>>> generator system', depth='1'
>>>> [2021-04-07T11:52:21.165525] Module loaded and initialized
>>>> successfully; module='syslogformat'
>>>> [2021-04-07T11:52:21.165711] Module loaded and initialized
>>>> successfully; module='linux-kmsg-format'
>>>> [2021-04-07T11:52:21.165966] Running application hooks; hook='1'
>>>> [2021-04-07T11:52:21.165971] Running application hooks; hook='6'
>>>> [2021-04-07T11:52:21.165984] syslog-ng starting up; version='3.30.1'
>>>> [2021-04-07T11:52:21.165989] Running application hooks; hook='2'
>>>> [2021-04-07T11:52:39.961046] Running application hooks; hook='3'
>>>> [2021-04-07T11:52:39.961090] syslog-ng shutting down; version='3.30.1'
>>>> [2021-04-07T11:52:40.061679] Running application hooks; hook='4'
>>>> -----------------------------------------------------------------------------
>>>>
>>>> On 4/7/2021 4:51 AM, Balazs Scheidler wrote:
>>>>
>>>>> can you start syslog-ng in the foreground and look at the startup
>>>>> messages?
>>>>>
>>>>> e.g. stop the background process (via systemd or your init
>>>>> system), and run syslog-ng from a root prompt:
>>>>>
>>>>> # /usr/sbin/syslog-ng -Fedv
>>>>>
>>>>> This should start syslog-ng in the foreground (-F), direct
>>>>> internal messages to stderr (-e), and enable debug/verbose
>>>>> messages. Then look at the messages to see if syslog-ng is
>>>>> complaining about your configuration or not.
>>>>>
>>>>> Cheers,
>>>>> Bazsi
>>>>>
>>>>>
>>>>> On Wed, Apr 7, 2021 at 9:08 AM Dan Egli <dan(a)newideatest.site>
>>>>> <mailto:dan@newideatest.site> wrote:
>>>>>
>>>>>> Don't know how that slipped in there. And syslog-ng never
>>>>>> mentioned it. It's fixed now, and the behavior is unchanged. sshd
>>>>>> messages still appear in /var/log/messages.
>>>>>>
>>>>>>
>>>>>> On 4/7/2021 12:55 AM, Balazs Scheidler wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Apr 7, 2021, 08:06 Dan Egli <dan(a)newideatest.site>
>>>>>>> <mailto:dan@newideatest.site> wrote:
>>>>>>>
>>>>>>>> No joy. I tried swapping it different ways.
>>>>>>>>
>>>>>>>> filter -> source -> destination = combined
>>>>>>>> source -> filter -> destination = combined
>>>>>>>>
>>>>>>>> Here's what my config looks like now, after the second variant:
>>>>>>>>
>>>>>>>> @version: 3.30
>>>>>>>>
>>>>>>>> @include "scl.conf"
>>>>>>>>
>>>>>>>> options {
>>>>>>>> threaded(yes);
>>>>>>>> chain_hostnames(no);
>>>>>>>> stats_freq(43200);
>>>>>>>> mark_freq(3600);
>>>>>>>> };
>>>>>>>>
>>>>>>>> source src { system(); internal(); };
>>>>>>>>
>>>>>>>> filter samba { program("samba"); };
>>>>>>>> filter ssh_messages { facility("AUTH") and level("INFO"); };
>>>>>>>> filter syslog { not filter("ssh_messages") and not
>>>>>>>> filter("samba"); };
>>>>>>>>
>>>>>>>> destination console { file("/dev/tty12"); };
>>>>>>>> destination messages { file("/var/log/messages"); };
>>>>>>>> destination sshd_log { file("/var/log/sshd/sshd.log"); };
>>>>>>>> destination smb_logs { file("/var/log/samba/samba.log"); };
>>>>>>>>
>>>>>>>> log { source(src); filter(samba); destination(smb_logs);
>>>>>>>> flags(final); );
>>>>>>>>
>>>>>>>
>>>>>>> You are using a closing paren instead of a brace. This config
>>>>>>> has a syntax error. Possibly syslog-ng fell back to the
>>>>>>> original config, once it reported a syntax error.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> log { source(src); filter(ssh_messages); destination(sshd_log);
>>>>>>>> flags(final); };
>>>>>>>> log { source(src); filter(syslog); destination(console); };
>>>>>>>> log { source(src); filter(syslog); destination(messages); };
>>>>>>>>
>>>>>>>>
>>>>>>>> Still, sshd messages are appearing in /var/log/messages.
>>>>>>>>
>>>>>>>> On 4/6/2021 11:51 PM, Peter Kokai (pkokai) wrote:
>>>>>>>> > Hello,
>>>>>>>> >
>>>>>>>> > The order in the configuration matters.
>>>>>>>> > log { source(src); destination(console); filter(syslog); };
>>>>>>>> > The message flow is the following in your example source(src)
>>>>>>>> -> destination(console) -> filter(syslog) -> void
>>>>>>>> > The filter receives messages only after destination, if you
>>>>>>>> switch filter and destination it should be fine.
>>>>>>>> >
>>>>>>>> > --
>>>>>>>> > kokan
>>>>>>>> >
>>>>>>>> > ________________________________________
>>>>>>>> > From: syslog-ng <syslog-ng-bounces(a)lists.balabit.hu
>>>>>>>> <mailto:syslog-ng-bounces@lists.balabit.hu>> on behalf of Dan
>>>>>>>> Egli <dan(a)newideatest.site> <mailto:dan@newideatest.site>
>>>>>>>> > Sent: 07 April 2021 07:17
>>>>>>>> > To: syslog-ng(a)lists.balabit.hu
>>>>>>>> <mailto:syslog-ng@lists.balabit.hu>
>>>>>>>> > Subject: [syslog-ng] Syslog-ng not honoring negative flag
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > I'm having a bit of a problem and hope someone here can help.
>>>>>>>> I'm trying
>>>>>>>> > to separate individual items into specific logs, i.e. ssh
>>>>>>>> events in
>>>>>>>> > sshd.log, samba messages in samba.log, etc...
>>>>>>>> >
>>>>>>>> > I managed to come up with filters that pull out the events I
>>>>>>>> started
>>>>>>>> > with, and they are going into the correct log files. But they
>>>>>>>> are ALSO
>>>>>>>> > going into /var/log/messages even though I specifically have
>>>>>>>> a filter on
>>>>>>>> > that one that says not to include samba or sshd events. I'll
>>>>>>>> copy my
>>>>>>>> > config file here. Hopefully someone can tell me what I did wrong.
>>>>>>>> >
>>>>>>>> > Thanks!
>>>>>>>> >
>>>>>>>> > ---------------------------------------------
>>>>>>>> > @version: 3.30
>>>>>>>> >
>>>>>>>> > @include "scl.conf"
>>>>>>>> >
>>>>>>>> > options {
>>>>>>>> > threaded(yes);
>>>>>>>> > chain_hostnames(no);
>>>>>>>> > stats_freq(43200);
>>>>>>>> > mark_freq(3600);
>>>>>>>> > };
>>>>>>>> >
>>>>>>>> > source src { system(); internal(); };
>>>>>>>> >
>>>>>>>> > filter samba { program("samba"); };
>>>>>>>> > filter ssh_messages { facility("AUTH") and level("INFO"); };
>>>>>>>> > filter syslog { not filter("ssh_messages") and not
>>>>>>>> filter("samba"); };
>>>>>>>> >
>>>>>>>> > destination console { file("/dev/tty12"); };
>>>>>>>> > destination messages { file("/var/log/messages"); };
>>>>>>>> > destination sshd_log { file("/var/log/sshd/sshd.log"); };
>>>>>>>> > destination smb_logs { file("/var/log/samba/samba.log"); };
>>>>>>>> >
>>>>>>>> > log { source(src); destination(smb_logs); filter(samba);
>>>>>>>> flags(final); );
>>>>>>>> > log { source(src); destination(sshd_log); filter(ssh_messages);
>>>>>>>> > flags(final); };
>>>>>>>> > log { source(src); destination(console); filter(syslog); };
>>>>>>>> > log { source(src); destination(messages); filter(syslog); };
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>> ______________________________________________________________________________
>>>>>>>> > Member info:
>>>>>>>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>>>>> <https://lists.balabit.hu/mailman/listinfo/syslog-ng>
>>>>>>>> > Documentation:
>>>>>>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>>>>> <http://www.balabit.com/support/documentation/?product=syslog-ng>
>>>>>>>> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>>>> <http://www.balabit.com/wiki/syslog-ng-faq>
>>>>>>>> >
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Bazsi
>>>>
>>>>
>>>
>>>
>>
>>
>>
Using syslog-ng 3.26 at the moment but can use the latest if the options
are available or easier.

Is there a way to configure the idle timeout for incoming connections?

I have a use case where we want to log from a mobile work force, which
can be anywhere on the internet. This means that our syslog server needs
to be open to the internet. The bad guys are connecting to our port and
not sending anything, just tying up the port.

The port requires a certificate so is "safe"; however, the connection is
consumed for approx 2 hours before syslog-ng drops the connection with

syslog-ng[22490]: Error reading RFC6587 style framed data; fd='3769', error='Connection timed out (110)'
syslog-ng[22490]: Syslog connection closed; fd='4509', client='AF_INET()', local='AF_INET()'

Is there a way to configure syslog-ng to drop the connection if it does
not receive the certificate in 60 seconds?

Is there a way to configure syslog-ng to drop the connection if no
syslog messages are received in 10 minutes?

Thanks,
--
Evan
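
To size the problem described in the post above before changing any timeout, this added example (not part of Evan's message and not syslog-ng code) pairs connection open and close events from syslog-ng's internal log by fd and counts, per client address, the connections that were released only by a read timeout. The log lines, the ISO timestamp prefix, the addresses and port 6514 are constructed, and the "accepted" line is assumed to carry the same fields as the "closed" line quoted in the post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample (not from the post): ISO timestamps, RFC 5737 addresses
# and port 6514 are assumptions; fd 32 is reused, fd 33 is still open.
SAMPLE_LOG = """\
2021-04-07T10:00:00 syslog-ng[22490]: Syslog connection accepted; fd='31', client='AF_INET(198.51.100.7:40112)', local='AF_INET(192.0.2.1:6514)'
2021-04-07T10:00:05 syslog-ng[22490]: Syslog connection accepted; fd='32', client='AF_INET(203.0.113.20:51000)', local='AF_INET(192.0.2.1:6514)'
2021-04-07T10:30:05 syslog-ng[22490]: Syslog connection closed; fd='32', client='AF_INET(203.0.113.20:51000)', local='AF_INET(192.0.2.1:6514)'
2021-04-07T10:31:00 syslog-ng[22490]: Syslog connection accepted; fd='32', client='AF_INET(198.51.100.7:40200)', local='AF_INET(192.0.2.1:6514)'
2021-04-07T11:00:00 syslog-ng[22490]: Syslog connection accepted; fd='33', client='AF_INET(198.51.100.99:1234)', local='AF_INET(192.0.2.1:6514)'
2021-04-07T12:11:15 syslog-ng[22490]: Error reading RFC6587 style framed data; fd='31', error='Connection timed out (110)'
2021-04-07T12:11:15 syslog-ng[22490]: Syslog connection closed; fd='31', client='AF_INET(198.51.100.7:40112)', local='AF_INET(192.0.2.1:6514)'
2021-04-07T12:42:15 syslog-ng[22490]: Error reading RFC6587 style framed data; fd='32', error='Connection timed out (110)'
2021-04-07T12:42:15 syslog-ng[22490]: Syslog connection closed; fd='32', client='AF_INET(198.51.100.7:40200)', local='AF_INET(192.0.2.1:6514)'
"""

LINE_RE = re.compile(r"^(\S+) syslog-ng\[\d+\]: ([^;]+);(.*)$")
KV_RE = re.compile(r"(\w+)='([^']*)'")
ADDR_RE = re.compile(r"AF_INET6?\((.+):\d+\)")


def client_ip(value):
    """Extract the address from AF_INET(ip:port); redacted values give 'unknown'."""
    m = ADDR_RE.fullmatch(value)
    return m.group(1) if m else "unknown"


def connection_report(log_text):
    """Return (closed connections in close order, still-open connections by fd)."""
    open_conns, last_error, closed = {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        event, kv = m.group(2), dict(KV_RE.findall(m.group(3)))
        fd = kv.get("fd")
        if event == "Syslog connection accepted":
            # fds are reused, so a new accept resets any stale state for it.
            open_conns[fd] = (ts, client_ip(kv.get("client", "")))
            last_error.pop(fd, None)
        elif event.startswith("Error reading"):
            last_error[fd] = kv.get("error", "")
        elif event == "Syslog connection closed" and fd in open_conns:
            start, ip = open_conns.pop(fd)
            closed.append({
                "client": ip,
                "held": int((ts - start).total_seconds()),
                "error": last_error.pop(fd, None),
            })
    return closed, open_conns


def kernel_timeouts(log_text, min_held=3600):
    """Count, per client, connections that ended in a read timeout after
    being held for at least min_held seconds."""
    closed, _ = connection_report(log_text)
    hits = [c for c in closed
            if c["error"] and "timed out" in c["error"] and c["held"] >= min_held]
    return Counter(c["client"] for c in hits), hits


if __name__ == "__main__":
    per_client, hits = kernel_timeouts(SAMPLE_LOG)
    for ip, count in per_client.most_common():
        longest = max(h["held"] for h in hits if h["client"] == ip)
        print(f"{ip}: {count} timed-out connection(s), longest held {longest}s")
```

The per-client counts can feed a connection-rate limit or block list at the firewall in front of the syslog port.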