unix-stream: ignore non-existent pipe - syslog-ng - lists.balabit.hu

newer
"Reinsert" message into syslog-ng...

unix-stream: ignore non-existent pipe

older
Adding new fields to existing logs

Sergey

9 Oct 2019 9 Oct '19

1:45 a.m.

Hello. Can I configure syslog-ng to ignore non-existing unix-stream? -- Regards, Sergey

Show replies by date

Laszlo Szemere (lszemere)

9 Oct 9 Oct

9:59 a.m.

Hello Sergey, could you please specify if you want to use the unix-stream source driver or the destination driver? And I am not sure about, what do you mean by "ignore". Thank You in advance! Br, Laci ________________________________________ From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Sergey <a_s_y@sama.ru> Sent: Wednesday, October 9, 2019 01:45 To: syslog-ng@lists.balabit.hu Subject: [syslog-ng] unix-stream: ignore non-existent pipe CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe. Hello. Can I configure syslog-ng to ignore non-existing unix-stream? -- Regards, Sergey ______________________________________________________________________________ Member info: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7Claszlo.szemere%40oneidentity.com%7C1dd1801b1703449a681d08d74c49b28c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637061751737083308&sdata=vyRlEthSUoYuimir3DGmgbrrACWGGVdUdWxHm32WnTQ%3D&reserved=0 Documentation: https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7Claszlo.szemere%40oneidentity.com%7C1dd1801b1703449a681d08d74c49b28c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637061751737083308&sdata=5%2Bs4AhUp2HqSAuif7EZjzD1X%2FInofCVLeTiOwMRSg%2FU%3D&reserved=0 FAQ: https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7Claszlo.szemere%40oneidentity.com%7C1dd1801b1703449a681d08d74c49b28c%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637061751737083308&sdata=H0WiZ6ZJd18Ev5mQoGjfx6px9BGkLi6zZoDLvJlmegY%3D&reserved=0

Sergey

8:43 p.m.

On Wednesday 09 October 2019, Laszlo Szemere (lszemere) wrote:

could you please specify if you want to use the unix-stream source driver or the destination driver?

Sorry for the inaccuracy. The source driver in my case.

And I am not sure about, what do you mean by "ignore".

I would like to make a generic config for systems with and without systemd. "unix-dgram ("/run/systemd/journal/dev-log");" should be added to "source sys" but this absent without systemd and cause error. -- Regards, Sergey

Peter Czanik (pczanik)

8:49 p.m.

Hi, If you use a recent enough syslog-ng (3.6+ or 3.7+) then the system() source automatically detects if your system has /dev/log or journal and collects logs accordingly. Peter Peter Czanik (CzP) <peter.czanik@oneidentity.com> Balabit (a OneIdentity company) / syslog-ng upstream https://syslog-ng.com/community/ https://twitter.com/PCzanik ________________________________ From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Sergey <a_s_y@sama.ru> Sent: Wednesday, October 9, 2019 11:43 To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> Subject: Re: [syslog-ng] unix-stream: ignore non-existent pipe CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe. On Wednesday 09 October 2019, Laszlo Szemere (lszemere) wrote:

could you please specify if you want to use the unix-stream source driver or the destination driver?

Sorry for the inaccuracy. The source driver in my case.

And I am not sure about, what do you mean by "ignore".

I would like to make a generic config for systems with and without systemd. "unix-dgram ("/run/systemd/journal/dev-log");" should be added to "source sys" but this absent without systemd and cause error. -- Regards, Sergey ______________________________________________________________________________ Member info: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7CPeter.Czanik%40oneidentity.com%7C33dbd4881c174fbcd9da08d74ce89179%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637062434100995437&sdata=Yufzg2RvGblXP1FP3V9l%2BdMuHu8InJpfJpe9xdKR0Og%3D&reserved=0 Documentation: https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7CPeter.Czanik%40oneidentity.com%7C33dbd4881c174fbcd9da08d74ce89179%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637062434100995437&sdata=Jd2DxjHjm1XEHYcoFyu8QWNa7c%2BJzPMihxw8Fxgb0ew%3D&reserved=0 FAQ: https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7CPeter.Czanik%40oneidentity.com%7C33dbd4881c174fbcd9da08d74ce89179%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637062434100995437&sdata=cJJYUj62gquZVvHWeR5zU8YMY%2FWmQkaSX6G%2BLfgmA4Q%3D&reserved=0

Sergey

10 Oct 10 Oct

5:50 p.m.

On Wednesday 09 October 2019, Peter Czanik (pczanik) wrote:

If you use a recent enough syslog-ng (3.6+ or 3.7+) then the system() source automatically detects if your system has /dev/log or journal and collects logs accordingly.

It is not works with 3.8.1: Checking syslog-ng configuration: Error parsing source, source plugin system not found in /etc/syslog-ng/syslog-ng.conf at line 20, column 5: system(); ^^^^^^ # syslog-ng --version syslog-ng 3.8.1 Installer-Version: 3.8.1 Revision: Module-Directory: /usr/lib64/syslog-ng Module-Path: /usr/lib64/syslog-ng Available-Modules: basicfuncs,cef,graphite,csvparser,linux-kmsg-format,affile,disk-buffer,afprog,sdjournal,afsocket,cryptofuncs,syslogformat,kvformat,system-source,confgen,dbparser,pseudofile,add-contextual-data,afstomp,date,afuser Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-IPv6: on Enable-Spoof-Source: on Enable-TCP-Wrapper: on Enable-Linux-Caps: off But it's not very important: it works with 3.22.1. Thanks. I was building 3.8.1 without systemd libraries. Maybe that's the reason. -- Regards, Sergey

Peter Kokai (pkokai)

7:15 a.m.

Hello, There is a *system* source, that aim is to detect on the running system the proper source listening to. (in case of systemd the system source tries to fetch logs from journald) Does that cover your use case ? In case it is not, could you please the cases it cover, and the cases it does not ? Additionally you could always replace the *system* source with writting a system source block of your own described in *{install_prefix}/share/syslog-ng/include/scl/system/plugin.conf* -- Kokan On Wed, Oct 09, 2019 at 10:43:14PM +0400, Sergey wrote:

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.

On Wednesday 09 October 2019, Laszlo Szemere (lszemere) wrote:

...
could you please specify if you want to use the unix-stream source driver or the destination driver?

Sorry for the inaccuracy. The source driver in my case.

...
And I am not sure about, what do you mean by "ignore".

I would like to make a generic config for systems with and without systemd. "unix-dgram ("/run/systemd/journal/dev-log");" should be added to "source sys" but this absent without systemd and cause error.

-- Regards, Sergey ______________________________________________________________________________ Member info: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7CPeter.Kokai%40oneidentity.com%7C33dbd4881c174fbcd9da08d74ce89179%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637062434099775985&sdata=No448miaDulZFuA3AvHYj9N3F17xLk6VBmPKVFJDbcw%3D&reserved=0 Documentation: https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7CPeter.Kokai%40oneidentity.com%7C33dbd4881c174fbcd9da08d74ce89179%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637062434099775985&sdata=yzXFRXSEmfHuvrCg%2BdJUmmJ6FCMRPiomk%2BBi53%2BXuUs%3D&reserved=0 FAQ: https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7CPeter.Kokai%40oneidentity.com%7C33dbd4881c174fbcd9da08d74ce89179%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637062434099775985&sdata=lUioTMd0YIYMV29wMgWHhDv4BkCI7U7jOmJWXSiNFAE%3D&reserved=0

Sergey

5:55 p.m.

On Thursday 10 October 2019, Peter Kokai (pkokai) wrote:

Does that cover your use case ?

I seems system() source is enough.

In case it is not, could you please the cases it cover, and the cases it does not ?

Maybe some idea will come later. Thanks. -- Regards, Sergey

2189

Age (days ago)

2191

Last active (days ago)

Download

6 comments

4 participants

tags

participants (4)

Laszlo Szemere (lszemere)
Peter Czanik (pczanik)
Peter Kokai (pkokai)
Sergey