running syslog-ng and syslogd concurrently?
Hi There -
I am new to this group so I thank you in advance for any help. We are in the process of evaluating syslog-ng for a replacement for normal syslogd. However it is desired for a few months to have syslog-ng and syslogd running on the same box with syslog-ng simply not handling the normal 'syslog traffic' (udp/514). We currently have a 30 day eval license to test out syslog-ng. We are using a sun t1000 box as an fyi.
When we install syslog-ng the install script informs us that syslogd will be removed as a service?!?!
Has anybody ever run syslogd (in either agent or server mode) on the same machine with syslogd running. Any guidance there would be highly appreciated. We are not in the position to do a hard cross over to syslog-ng for our production environment.
Thanks in advance.
Matt
Hello,
I am using this configuration option:
source s_all {
    internal();
    unix-stream("/dev/log" max-connections(1000));
    file("/proc/kmsg" log_prefix("kernel: "));
    udp(port(514));
    tcp(port(5140) keep-alive(no));
};
but I always get this error message:
Nov 27 10:30:32 s_all@nagios syslog-ng[14962]: Number of allowed concurrent connections exceeded; num='10', max='10'
Any idea how I can resolve this error?
Best Regards
csaba
On Thu, 2008-11-27 at 11:33 +0100, Mártha Csaba wrote:
Hello
I am using this configuration option:
source s_all {
    internal();
    unix-stream("/dev/log" max-connections(1000));
    file("/proc/kmsg" log_prefix("kernel: "));
    udp(port(514));
    tcp(port(5140) keep-alive(no));
};
Increase the tcp source driver max-connections parameter instead of the unix-stream:
source s_all {
    internal();
    unix-stream("/dev/log" max-connections(1000));
    file("/proc/kmsg" log_prefix("kernel: "));
    udp(port(514));
    tcp(port(5140) keep-alive(no) max-connections(1000));
};
Best wishes,
Peter Höltzl
--
Höltzl Péter
IT security consultant
BalaBit IT Security
Matt Camuto wrote:
Has anybody ever run syslogd (in either agent or server mode) on the same machine with syslogd running. Any guidance there would be highly appreciated. We are not in the position to do a hard cross over to syslog-ng for our production environment.
Have not done this myself but some hints:
The problem is that the message sources (kernel log buffer, syslog socket, UDP ports) should only be read by one daemon.
Thus you should use syslogd to receive messages from the regular sources and let it log everything to an additional fifo or a local socket. (The capabilities are system dependent; if your syslogd does not support fifos then you could use socat to pipe to a socket.) Then configure syslog-ng to use this new fifo/socket as a source.
--
Martin
Hi Martin,
Thanks for this advice. I was thinking something along these lines. However the problem was that during the installation itself it removed the syslogd daemon so I need to work around that issue and then make the appropriate modifications to the syslog-ng.conf files. For the initial impl I think we would want to just use 'non default' protocol/port on syslog-ng and use standard syslogd for everything else. This seems easy enough with the syslog-ng conf files. We will just have to work on the installation script problems I guess. Maybe there is a way to not remove syslogd during install but we did not remember having that option at install time.
Thanks for the advice.
matt
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
On Wed, 2008-11-26 at 13:52 -0800, Matt Camuto wrote:
Hi There –
I am new to this group so I thank you in advance for any help. We are in the process of evaluating syslog-ng for a replacement for normal syslogd. However it is desired for a few months to have syslog-ng and syslogd running on the same box with syslog-ng simply not handling the normal ‘syslog traffic’ (udp/514). We currently have a 30 day eval license to test out syslog-ng. We are using a sun t1000 box as an fyi.
When we install syslog-ng the install script informs us that syslogd will be removed as a service?!?!
Has anybody ever run syslogd (in either agent or server mode) on the same machine with syslogd running. Any guidance there would be highly appreciated. We are not in the position to do a hard cross over to syslog-ng for our production environment.
Well, I guess you are using the new syslog-ng 3.0 installer, which does way more than the previous ones to make it easier to deploy syslog-ng. But you are right, its model is to disable the stock syslogd and replace it with syslog-ng. However it is possible to skip the installation script, in which case only the binaries are loaded to the machine and no installation is performed. If you run the installation program with the --noexec argument, the embedded installation script will not be run, but still the contents of the archive are extracted. Basically the .run file is a self-extracting tar file. Once you have the binaries, you are free to change your system in a way that lets you run both syslogd and syslog-ng at the same time. Since their files on the disk do not conflict, and it is possible to create configurations for both that do not conflict, it is certainly possible to run the two in parallel. -- Bazsi
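The two pieces of advice in this thread (each message source should be read by only one daemon, and the connection limit must be raised on the tcp() source itself) can be checked mechanically before starting syslog-ng next to syslogd. The Python below is an added example, not code from any poster or from the syslog-ng project; the function names, the SYSLOGD_OWNED set (the Linux-style sources from the configuration posted above) and COEXIST_CONF are assumptions made for the illustration.

```python
import re

# Sources assumed to stay with the stock syslogd during the migration
# (assumption for this example; adjust to the platform's real sources).
SYSLOGD_OWNED = {("unix-stream", "/dev/log"), ("file", "/proc/kmsg"), ("udp", "514")}
DRIVER = re.compile(r'\b(internal|unix-stream|unix-dgram|file|pipe|udp|tcp)\s*\(')

def source_drivers(conf):
    """Return (source name, driver, argument text) for every source driver."""
    found = []
    for block in re.finditer(r'\bsource\s+(\w+)\s*\{(.*?)\}\s*;', conf, re.S):
        body, pos = block.group(2), 0
        while (m := DRIVER.search(body, pos)):
            depth, end = 1, m.end()
            while depth and end < len(body):  # walk to the matching ")"
                depth += {"(": 1, ")": -1}.get(body[end], 0)
                end += 1
            found.append((block.group(1), m.group(1), body[m.end():end - 1]))
            pos = end
    return found

def check(conf):
    """List sources that collide with syslogd and tcp() sources left at the default limit."""
    findings = []
    for src, drv, args in source_drivers(conf):
        if drv in ("udp", "tcp"):
            port = re.search(r'\bport\s*\(\s*(\d+)\s*\)', args)
            key = port.group(1) if port else ("514" if drv == "udp" else "default")
        else:
            path = re.search(r'"([^"]+)"', args)
            key = path.group(1) if path else ""
        if (drv, key) in SYSLOGD_OWNED:
            findings.append(f"{src}: {drv}({key}) is also read by syslogd")
        if drv == "tcp" and "max-connections" not in args:
            findings.append(f"{src}: tcp({key}) has no max-connections(), limit is 10")
    return findings

# Configuration from the thread (the one that produced the error message).
THREAD_CONF = '''source s_all { internal(); unix-stream("/dev/log" max-connections(1000));
file("/proc/kmsg" log_prefix("kernel: ")); udp(port(514)); tcp(port(5140) keep-alive(no)); };'''
# Constructed for this example: syslog-ng limited to a non-default TCP port.
COEXIST_CONF = 'source s_ng { internal(); tcp(port(5140) keep-alive(no) max-connections(1000)); };'

if __name__ == "__main__":
    for line in check(THREAD_CONF):
        print(line)
    print(check(COEXIST_CONF))
```

An empty result for a configuration means syslog-ng claims none of the sources left to syslogd and every tcp() source sets its own connection limit.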
Thank you - This is what I was looking for. I will work with my architecture team to try to get this to work. I think it should be fine.
Matt
participants (5)
- Balazs Scheidler
- HÖLTZL Péter
- Martin Schütte
- Matt Camuto
- Mártha Csaba