errors with elasticsearch_http on 2.21 & 3.22
I have had this config running happily for several months and today I tried to add the geoip2 plugin and managed to break everything. I first realised that I needed to recompile syslog-ng to get the geoip2 plugin but forgot I was running a locally compiled version. I tried apt install syslog-ng-mod-geoip and this broke things badly and I have been trying to recover for the last few hours :(

The issue is that any attempt to start syslog-ng with the original config that includes a destination of elasticsearch_http gets an error:

Error parsing destination statement, destination plugin elasticsearch_http not found in /usr/local/syslog-ng-3.22/etc/syslog-ng.conf:33:3-33:21

Judging from what I found on the 'Net this is what one would expect if the syslog-ng version was prior to 3.21 and did not support the http dest. I first tried recompiling and installing 3.21 (in a different dir) with geoip2 enabled. That went without errors but still would not process my config.

Aside: At this point I found that in spite of having the geoip2 module included, syslog-ng failed to find it when I copied the setup from the manual. Long story short, the manual says the module is 'geoip2' when in fact it is 'geoip2-plugin' and that is the name you have to use in the @module. Weird!

I then compiled 3.22 since I had the tar file and this behaved the same.
rful011@secmgrprd02:~$ cat short.conf
@version: 3.21
@include "scl.conf"
@module geoip2-plugin

source s_loghost {
    network(
        transport("tcp")
        flags(no-multi-line)
        port(1514)
        keep-alive(yes));
};

destination d_elastic {
    elasticsearch_http(
        index("auth_${YEAR}.${MONTH}.${DAY}")
        type("auth")
        persist-name("auth")
        template( "$(format-json --scope rfc3164 --scope nv-pairs --exclude R_DATE --key ISODATE)\n")
        url("http://secesprd01.its.auckland.ac.nz:9200/_bulk")
    );
};

log {
    source(s_loghost);
    destination(d_elastic );
    flags(flow-control);
};

rful011@secmgrprd02:~$ /usr/local/syslog-ng-3.21/sbin/syslog-ng -s -c ~/short.conf
Error parsing destination statement, destination plugin elasticsearch_http not found in /usr/local/syslog-ng-3.21/etc/syslog-ng.conf:33:3-33:21:
28          file( "/home/rful011/test.log" template(t_db_parsed_test));
29      };
30
31
32      destination d_elastic {
33---->     elasticsearch_http(
33---->     ^^^^^^^^^^^^^^^^^^
34              index("auth_${YEAR}.${MONTH}.${DAY}")
35              type("auth")
36              persist-name("auth")
37              template( "$(format-json --scope rfc3164 --scope nv-pairs --exclude R_DATE --key ISODATE)\n")
38              url("http://secesprd01.its.auckland.ac.nz:9200/_bulk")

rful011@secmgrprd02:~$ /usr/local/syslog-ng-3.21/sbin/syslog-ng --version
syslog-ng 3 (3.21.1)
Config version: 3.21
Installer-Version: 3.21.1
Revision:
Compile-Date: Mar 29 2020 11:57:39
Module-Directory: /usr/local/syslog-ng-3.21/lib/syslog-ng
Module-Path: /usr/local/syslog-ng-3.21/lib/syslog-ng
Include-Path: /usr/local/syslog-ng-3.21/share/syslog-ng/include
Available-Modules: add-contextual-data,affile,afprog,afsocket,afstomp,afuser,appmodel,basicfuncs,cef,confgen,cryptofuncs,csvparser,date,dbparser,disk-buffer,examples,geoip2-plugin,tfgetent,graphite,hook-commands,http,json-plugin,kvformat,linux-kmsg-format,map-value-pairs,pseudofile,mod-python,snmptrapd-parser,stardate,syslogformat,system-source,tags-parser,xml
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-Linux-Caps: off
Enable-Systemd: off
Small correction to the test invocation of syslog-ng below. It should be:

rful011@secmgrprd02:~$ /usr/local/syslog-ng-3.21/sbin/syslog-ng -s -f ~/short.conf

rather than -c. It does not affect the error messages. It was running on the full config, not the stripped down one.

R

On 29/03/2020, at 4:03 PM, Russell Fulton <r.fulton@auckland.ac.nz> wrote:

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hello,

I quickly checked 3.21, and elasticsearch-http with compiled source and it works for me. I attached my console log. It might help if you compare the commands with yours.

Just a couple of ideas that might have gone wrong.

When you tried to use from package: the only dependency of elasticsearch-http is the http module. You need to install syslog-ng-mod-http, and not syslog-ng-mod-geoip.

Depending where you get the packages: but in 3.22, there were two geoip modules: geoip and geoip2. For example if you use OBS, you would have syslog-ng-mod-geoip and syslog-ng-mod-geoip2. You need to install syslog-ng-mod-geoip2 to use geoip2. In 3.26, however, geoip was removed, and only geoip2 remains. The driver was also renamed, but as I see the package remains geoip2. On the other hand, there is still a syslog-ng-mod-geoip package, looking for the original .so file. I do not understand how that could be generated. I will look into that. But I do not think this would be a problem for you.

When you compiled from source: did you install a curl development package? That is necessary for the http module to be compiled. Unless otherwise specified, there is an autodetection, and if libcurl was not found, the http module is simply not built. You can force availability by adding `--enable-http` during configure, similarly to what I did in the attached log. At the end of the configure, you need to see yes for the http module.

[...]
HTTP support (module) : yes
[...]

Was the installation directory clean before you make installed? Is it possible syslog-ng modules could be installed there from a different syslog-ng version? Leftover or injected .so files might be picked up by syslog-ng, even if they are not from the correct version. That can cause runtime problems.

Br,
Antal

From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Russell Fulton <r.fulton@auckland.ac.nz>
Sent: Sunday, March 29, 2020 21:23
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] [FORGED] errors with elasticsearch_http on 2.21 & 3.22 -- correction
A quick correction. After double checking the geoip related removal stuff: it seems fine. I misread the package list. Actually, the last generated syslog-ng-mod-geoip was in 3.23.

http://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/xUbu...

In 3.26, we only have syslog-ng-mod-geoip2.

From: Antal Nemes (anemes) <Antal.Nemes@oneidentity.com>
Sent: Monday, March 30, 2020 8:48
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] [FORGED] errors with elasticsearch_http on 2.21 & 3.22 -- correction
Thanks Antal! This is truly a weird one. I have now gone through and verified that there are no syslog-ng related packages installed on the machine, but no matter which of my compiled versions I run they all behave as if the elasticsearch_http support is missing. My gut feeling is that this is nothing to do with syslog-ng as such; something has happened at the OS level. I have just used locate to find everything with syslog-ng in the path but can't find anything that should not be there.
On 30/03/2020, at 8:27 PM, Antal Nemes (anemes) <Antal.Nemes@oneidentity.com> wrote:
Just another idea that may give a clue. If you start syslog-ng in the foreground with debug and trace level (syslog-ng -Fevdt), syslog-ng may print something useful about the plugin loads. Please check if it tells something about the http module. I temporarily moved the libcurl shared libraries, for the sake of example, and I got this:

[2020-03-31T07:51:19.908021] Trying to open module; module='http', filename='/home/furiel/workspace/test-syslogng/root/lib/syslog-ng/libhttp.so'
[2020-03-31T07:51:19.908166] Error opening plugin module; module='http', error='libcurl.so.4: cannot open shared object file: No such file or directory'

Such a problem may happen if syslog-ng is compiled with a libcurl installation at a nonstandard location: it is not on the load path, and LD_LIBRARY_PATH is not set, or set to a wrong path. This is probably not the case for you, because you use libcurl from package, though.

From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Russell Fulton <r.fulton@auckland.ac.nz>
Sent: Monday, March 30, 2020 21:26
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] [FORGED] [FORGED] errors with elasticsearch_http on 2.21 & 3.22 -- correction
On 30/03/2020, at 8:27 PM, Antal Nemes (anemes) <Antal.Nemes@oneidentity.com> wrote:
A quick correction. After double checking the geoip related removal stuff: it seems fine. I misread the package list. Actually, the last generated syslog-ng-mod-geoip was in 3.23. https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdownload.opensuse.org%2Frepositories%2Fhome%3A%2Flaszlo_budai%3A%2Fsyslog-ng%2FxUbuntu_18.04%2Famd64%2F&data=02%7C01%7Cantal.nemes%40oneidentity.com%7C5557745cf0e64ed0839608d7d4e04910%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637211932092640229&sdata=Nyki%2FZEjWMUN%2FgMVWr0lrZFDcbZILqJnd4RsMXgSIRw%3D&reserved=0 In 3.26, we only have syslog-ng-mod-geoip2. From: Antal Nemes (anemes) <Antal.Nemes@oneidentity.com> Sent: Monday, March 30, 2020 8:48 To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> Subject: Re: [syslog-ng] [FORGED] errors with elasticsearch_http on 2.21 & 3.22 -- correction
Hello,
I quickly checked 3.21, and elasticsearch-http with compiled source and it works for me. I attached my console log. It might help if you compare the commands with yours.
Just a couple of ideas about what might have gone wrong.
When you tried to use from package: the only dependency of elasticsearch-http is the http module. You need to install syslog-ng-mod-http, and not syslog-ng-mod-geoip.
Depending on where you get the packages from: in 3.22, there were two geoip modules: geoip and geoip2. For example, if you use OBS, you would have syslog-ng-mod-geoip and syslog-ng-mod-geoip2. You need to install syslog-ng-mod-geoip2 to use geoip2. In 3.26, however, geoip was removed, and only geoip2 remains. The driver was also renamed, but as I see it the package remains geoip2. On the other hand, there is still a syslog-ng-mod-geoip package, looking for the original .so file. I do not understand how that could be generated. I will look into that. But I do not think this would be a problem for you.
When you compiled from source: did you install a curl development package? That is necessary for the http module to be compiled. Unless otherwise specified, there is autodetection, and if libcurl was not found, the http module is simply not built. You can force availability by adding `--enable-http` during configure, as I did in the attached log. At the end of the configure, you need to see yes for the http module.
[...] HTTP support (module) : yes [...]
Was the installation directory clean before you ran make install? Is it possible that syslog-ng modules from a different syslog-ng version were installed there? Leftover or injected .so files might be picked up by syslog-ng, even if they are not from the correct version. That can cause runtime problems.
Br, Antal
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Russell Fulton <r.fulton@auckland.ac.nz>
Sent: Sunday, March 29, 2020 21:23
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] [FORGED] errors with elasticsearch_http on 2.21 & 3.22 -- correction
Small correction to the test invocation of syslog-ng below. It should be:
rful011@secmgrprd02:~$ /usr/local/syslog-ng-3.21/sbin/syslog-ng -s -f ~/short.conf
rather than -c. It does not affect the error messages. It was running on the full config, not the stripped down one.
R
On 29/03/2020, at 4:03 PM, Russell Fulton <r.fulton@auckland.ac.nz> wrote:
I have had this config running happily for several months and today I tried to add the geoip2 plugin and managed to break everything.
I first realised that I needed to recompile syslog-ng to get the geoip2 plugin but forgot I was running a locally compiled version.
I tried apt install syslog-ng-mod-geoip and this broke things badly and I have been trying to recover for the last few hours :(
The issue is that any attempt to start syslog-ng with the original config that includes a destination of elasticsearch_http gets an error:
Error parsing destination statement, destination plugin elasticsearch_http not found in /usr/local/syslog-ng-3.22/etc/syslog-ng.conf:33:3-33:21
Judging from what I found on the 'Net this is what one would expect if the syslog-ng version was prior to 3.21 and did not support the http dest.
I first tried recompiling and installing 3.21 (in a different dir) with geoip2 enabled. That went without errors but still would not process my config.
Aside: At this point I found that in spite of having the geoip2 module included, syslog-ng failed to find it when I copied the setup from the manual. Long story short, the manual says the module is 'geoip2' when in fact it is 'geoip2-plugin' and that is the name you have to use in the @module. Weird!
I then compiled 3.22 since I had the tar file and this behaved the same.
rful011@secmgrprd02:~$ cat short.conf
@version: 3.21
@include "scl.conf"
@module geoip2-plugin

source s_loghost {
    network( transport("tcp") flags(no-multi-line) port(1514) keep-alive(yes));
};

destination d_elastic {
    elasticsearch_http(
        index("auth_${YEAR}.${MONTH}.${DAY}")
        type("auth")
        persist-name("auth")
        template( "$(format-json --scope rfc3164 --scope nv-pairs --exclude R_DATE --key ISODATE)\n")
        url("http://secesprd01.its.auckland.ac.nz:9200/_bulk")
    );
};

log { source(s_loghost); destination(d_elastic ); flags(flow-control); };

rful011@secmgrprd02:~$ /usr/local/syslog-ng-3.21/sbin/syslog-ng -s -c ~/short.conf
Error parsing destination statement, destination plugin elasticsearch_http not found in /usr/local/syslog-ng-3.21/etc/syslog-ng.conf:33:3-33:21:
28        file( "/home/rful011/test.log" template(t_db_parsed_test));
29    };
30
31
32    destination d_elastic {
33---->   elasticsearch_http(
33---->   ^^^^^^^^^^^^^^^^^^
34        index("auth_${YEAR}.${MONTH}.${DAY}")
35        type("auth")
36        persist-name("auth")
37        template( "$(format-json --scope rfc3164 --scope nv-pairs --exclude R_DATE --key ISODATE)\n")
38        url("http://secesprd01.its.auckland.ac.nz:9200/_bulk")

rful011@secmgrprd02:~$ /usr/local/syslog-ng-3.21/sbin/syslog-ng --version
syslog-ng 3 (3.21.1)
Config version: 3.21
Installer-Version: 3.21.1
Revision:
Compile-Date: Mar 29 2020 11:57:39
Module-Directory: /usr/local/syslog-ng-3.21/lib/syslog-ng
Module-Path: /usr/local/syslog-ng-3.21/lib/syslog-ng
Include-Path: /usr/local/syslog-ng-3.21/share/syslog-ng/include
Available-Modules: add-contextual-data,affile,afprog,afsocket,afstomp,afuser,appmodel,basicfuncs,cef,confgen,cryptofuncs,csvparser,date,dbparser,disk-buffer,examples,geoip2-plugin,tfgetent,graphite,hook-commands,http,json-plugin,kvformat,linux-kmsg-format,map-value-pairs,pseudofile,mod-python,snmptrapd-parser,stardate,syslogformat,system-source,tags-parser,xml
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-Linux-Caps: off
Enable-Systemd: off
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
On 31/03/2020, at 7:05 PM, Antal Nemes (anemes) <Antal.Nemes@oneidentity.com> wrote:

Just another idea that may give a clue.
If you start syslog-ng in the foreground with debug and trace level (syslog-ng -Fevdt), syslog-ng

a couple more data points:

/usr/local/syslog-ng-3.26.1/sbin/syslog-ng -Fedv -s -f ~/short.conf gives no errors and includes

[2020-04-01T15:06:30.869576] Reading shared object for a candidate module; path='/usr/local/syslog-ng-3.26.1/lib/syslog-ng', fname='libhttp.so', module='http'
[2020-04-01T15:06:30.871503] Registering candidate plugin; module='http', context='destination', name='http'

and ends with:

[2020-04-01T15:06:30.892770] Starting to read include file; filename='/usr/local/syslog-ng-3.26.1/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2'
[2020-04-01T15:06:30.893592] Module loaded and initialized successfully; module='confgen'
[2020-04-01T15:06:30.894031] Finishing include; filename='/usr/local/syslog-ng-3.26.1/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2'
[2020-04-01T15:06:30.894188] Finishing include; filename='/usr/local/syslog-ng-3.26.1/etc/scl.conf', depth='1'
[2020-04-01T15:06:30.894717] Module loaded and initialized successfully; module='afsocket'
Error parsing destination statement, destination plugin elasticsearch_http not found in /home/rful011/short.conf:11:3-11:21:
6        network( transport("tcp") flags(no-multi-line) port(1514) keep-alive(yes));
7    };
8
9
10    destination d_elastic {
11---->   elasticsearch_http(
11---->   ^^^^^^^^^^^^^^^^^^

and

rful011@secmgrprd02:~$ /usr/local/syslog-ng/sbin/syslog-ng -V -s -f ~/short.conf
syslog-ng 3 (3.26.1)
Config version: 3.22
Installer-Version: 3.26.1
Revision:
Compile-Date: Mar 31 2020 08:54:40
Module-Directory: /usr/local/syslog-ng-3.26.1/lib/syslog-ng
Module-Path: /usr/local/syslog-ng-3.26.1/lib/syslog-ng
Include-Path: /usr/local/syslog-ng-3.26.1/share/syslog-ng/include
Available-Modules: add-contextual-data,affile,afprog,afsocket,afstomp,afuser,appmodel,azure-auth-header,basicfuncs,cef,confgen,cryptofuncs,csvparser,timestamp,dbparser,disk-buffer,examples,geoip2-plugin,tfgetent,graphite,hook-commands,http,json-plugin,kvformat,linux-kmsg-format,map-value-pairs,pseudofile,mod-python,snmptrapd-parser,stardate,syslogformat,system-source,tags-parser,xml
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-Linux-Caps: off
Enable-Systemd: off
elasticsearch-http is provided by https://github.com/syslog-ng/syslog-ng/blob/master/scl/elasticsearch/elastic... Make sure that file is installed. Also, the name of the block is using a dash, whereas you were using an underscore. I think it should be all the same, as we generally convert a lot of things from underscores to dashes, but I would check this explicitly.

On Wed, Apr 1, 2020, 20:49 Russell Fulton <r.fulton@auckland.ac.nz> wrote:
Thanks Balazs

I managed to get things working again by reinstalling syslog-ng (3.26.1) using the default install prefix (/usr/local).

BTW syslog-ng seems agnostic as to whether there is a - or an _ in the name. I have tried both in the conf and both work in this version.

My previous practice (which I have used for years) was to use a prefix of /usr/local/syslog-ng-<version> and have a symlink for syslog-ng in /usr/local pointing to the current version. Within the real install I moved etc to dist-etc and then linked etc to /etc/syslog-ng/:

lrwxrwxrwx 1 root root 15 Mar 31 09:02 /usr/local/syslog-ng-3.26.1/etc -> /etc/syslog-ng/

I now have the weird situation where the version installed in /usr/local/syslog-ng-3.26.1/ fails but the one in /usr/local works:

rful011@secmgrprd02:~$ /usr/local/syslog-ng-3.26.1/sbin/syslog-ng -s -f ~/short.conf
Error parsing destination statement, destination plugin elasticsearch-http not found in /home/rful011/short.conf:11:3-11:21:
6        network( transport("tcp") flags(no-multi-line) port(1514) keep-alive(yes));
7    };
8
9
10    destination d_elastic {
11---->   elasticsearch-http(
11---->   ^^^^^^^^^^^^^^^^^^
rful011@secmgrprd02:~$ ls -l /usr/local/syslog-ng-3.26.1/share/syslog-ng/include/scl/elasticsearch/elastic-http.conf
-rw-r--r-- 1 rful011 rful011 1901 Jan 25 02:54 /usr/local/syslog-ng-3.26.1/share/syslog-ng/include/scl/elasticsearch/elastic-http.conf
rful011@secmgrprd02:~$ /usr/local/sbin/syslog-ng -s -f ~/short.conf
rful011@secmgrprd02:~$
rful011@secmgrprd02:~$ ls -l /usr/local/share/syslog-ng/include/scl/elasticsearch/elastic-http.conf
-rw-r--r-- 1 rful011 rful011 1901 Jan 25 02:54 /usr/local/share/syslog-ng/include/scl/elasticsearch/elastic-http.conf

Now comes the really weird bit. While writing this I decided to try reinstalling my original 3.21 version by simply doing a make install and this works fine! Which is really weird, because that was the first thing I did after I realised things had been broken.
My next step was to install 3.22 and then 3.26 in /usr/local/syslog-ng<version>. I then deleted all of them and installed 3.26.1 in /usr/local and that worked.

I am happy to spend more time on this if you want to get to the bottom of it, even though I have my system back. Like much of the rest of the world I am stuck at home, alone, under fairly strict lockdown, so I am happy to contribute something back to the project!

Russell

On 2/04/2020, at 9:48 AM, Balazs Scheidler <bazsi77@gmail.com> wrote:

elasticsearch-http is provided by https://github.com/syslog-ng/syslog-ng/blob/master/scl/elasticsearch/elastic... Make sure that file is installed. Also, the name of the block is using a dash, whereas you were using an underscore. I think it should be all the same, as we generally convert a lot of things from underscores to dashes, but I would check this explicitly.

On Wed, Apr 1, 2020, 20:49 Russell Fulton <r.fulton@auckland.ac.nz> wrote:

On 31/03/2020, at 7:05 PM, Antal Nemes (anemes) <Antal.Nemes@oneidentity.com> wrote:

Just another idea that may give a clue.
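A shell diagnostic that walks the checks Antal (http module compiled in, libhttp.so present and resolving its libcurl dependency) and Balazs (the elasticsearch SCL file installed under the include path) suggest above, as an added example that is neither the thread's nor syslog-ng's own code. The function name, and reading scl.conf from the prefix's etc/ as the -Fedv log above shows, are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not part of syslog-ng): check whether a syslog-ng install
# prefix has the pieces the elasticsearch-http() SCL destination needs.
#   1. http listed in Available-Modules and libhttp.so present in Module-Directory
#   2. libhttp.so resolves its shared libraries (libcurl, as in Antal's example)
#   3. etc/scl.conf and include/scl/elasticsearch/elastic-http.conf present
#   4. the config actually has @include "scl.conf"
# Usage: check_es_http_prefix /usr/local/syslog-ng-3.26.1 [config-file]

# Extract one "Key: value" field from `syslog-ng -V` output read on stdin.
version_field() {
    sed -n "s/^$1: *//p" | head -n 1
}

# Returns 0 when every check passes, 1 otherwise; prints one line per check.
check_es_http_prefix() {
    prefix=$1
    conf=${2:-$prefix/etc/syslog-ng.conf}
    bin=$prefix/sbin/syslog-ng
    rc=0

    [ -x "$bin" ] || { echo "FAIL: no executable at $bin"; return 1; }
    vinfo=$("$bin" -V 2>/dev/null) || true
    moddir=$(printf '%s\n' "$vinfo" | version_field Module-Directory)
    incdir=$(printf '%s\n' "$vinfo" | version_field Include-Path)
    mods=$(printf '%s\n' "$vinfo" | version_field Available-Modules)

    # 1. http module: compiled in (configure needs the libcurl headers) and on disk
    case ",$mods," in
        *,http,*) echo "ok:   http is in Available-Modules" ;;
        *) echo "FAIL: http missing from Available-Modules (rebuild with --enable-http)"; rc=1 ;;
    esac
    so=$moddir/libhttp.so
    if [ -f "$so" ]; then
        echo "ok:   $so present"
        # 2. unresolved dependencies show up as 'not found' in ldd output
        if command -v ldd >/dev/null 2>&1; then
            missing=$(ldd "$so" 2>/dev/null | grep 'not found' || true)
            if [ -n "$missing" ]; then
                echo "FAIL: libhttp.so has unresolved libraries:"; echo "$missing"; rc=1
            fi
        fi
    else
        echo "FAIL: $so not found"; rc=1
    fi

    # 3. SCL files: scl.conf is read from the prefix's etc/ (per the -Fedv log) and
    #    pulls in scl/elasticsearch/elastic-http.conf from the include path
    if [ -L "$prefix/etc" ]; then
        echo "note: $prefix/etc is a symlink to $(readlink "$prefix/etc"); scl.conf is read from there"
    fi
    for f in "$prefix/etc/scl.conf" "$incdir/scl/elasticsearch/elastic-http.conf"; do
        if [ -f "$f" ]; then echo "ok:   $f present"; else echo "FAIL: $f missing"; rc=1; fi
    done

    # 4. without this include no SCL driver (elasticsearch-http included) is visible
    if [ -f "$conf" ] && grep -q '^@include "scl.conf"' "$conf"; then
        echo "ok:   $conf includes scl.conf"
    else
        echo "FAIL: $conf does not include scl.conf (or is unreadable)"; rc=1
    fi
    return $rc
}

# Run directly: check the prefix (and optional config file) given on the command line.
if [ $# -gt 0 ]; then check_es_http_prefix "$@"; fi
```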
participants (3): Antal Nemes (anemes), Balazs Scheidler, Russell Fulton