Two instances of syslog-ng on the same host?
Hi wizards. Apologies if this is an FAQ or something, but I've dug all around and failed to find the answer.

I have a system on which, for reasons I'd rather not go into here, it makes sense to run two instances of syslog-ng, one for standard logging of local events, the other acting as a proxy for a flock of other systems.

The proxy starts first, very early in the init sequence, the regular one starts later.

This all worked great with syslog-ng 2, but I recently upgraded to version 3.1.1 and I can't get it to work correctly. The proxy instance is supposed to only be listening on a tcp socket, but it seems to also be opening the AF_UNIX socket to /dev/log. This causes the launch of the main instance to fail.

I've been through the docs, but it's not obvious to me how to get syslog-ng to start without opening the socket to /dev/log. Hints? Thanks in advance...
Yes, that should work just fine. I run a box with 4 syslog instances and they all play nice together. My setup isn't exactly the same, but I have no problems which you are experiencing.

My setup: I have a master syslog-ng process that does nothing but accept connections from remote hosts and from the local system. That process then relays the messages to other local syslog-ng processes which do the actual work (lots and lots of parsing). I only included the options and source sections as they're the only ones that matter.

Master syslog-ng process that accepts from local & remote & forwards to other local processes

@version: 3.0
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
options {
    time_reopen(1);
    use_dns(no);
    use_fqdn(yes);
    keep_hostname(yes);
    create_dirs(yes);
    perm(0644);
    dir_perm(0755);
    log_iw_size(50000);
    log_fifo_size(100000);
    #time_sleep(1);
};
source s_sys {
    file("/proc/kmsg" program-override("kernel"));
    unix-stream ("/dev/log");
    internal();
};
source s_net {
    tcp(ip(0.0.0.0) port(514) max-connections(1000));
    udp(ip(0.0.0.0) port(514));
};

syslog-ng that accepts the forwarded messages

@version: 3.0
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
options {
    time_reopen(1);
    long_hostnames(off);
    use_dns(no);
    use_fqdn(no);
    keep_hostname(yes);
    create_dirs(yes);
    perm(0644);
    dir_perm(0755);
    #log_fetch_limit(100000);
    #log_iw_size(200000);
    #log_fifo_size(400000);
    flush_lines(50);
    flush_timeout(5000);
    #stats_freq(10);
    #stats_level(2);
    #time_sleep(1);
};
source s_master {
    #syslog(ip(127.0.0.1) port(515) transport('tcp') so_keepalive(yes) log_iw_size(1000));
    tcp(ip(127.0.0.1) port(515) flags('syslog-protocol'));
};
source s_syslog {
    internal();
};

Sent: Saturday, June 26, 2010 6:08:42 PM
From: John R. Dunning <jrd@jrd.org>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Two instances of syslog-ng on the same host?
Hi wizards. Apologies if this is an FAQ or something, but I've dug all around and failed to find the answer.
I have a system on which, for reasons I'd rather not go into here, it makes sense to run two instances of syslog-ng, one for standard logging of local events, the other acting as a proxy for a flock of other systems.
The proxy starts first, very early in the init sequence, the regular one starts later.
This all worked great with syslog-ng 2, but I recently upgraded to version 3.1.1 and I can't get it to work correctly. The proxy instance is supposed to only be listening on a tcp socket, but it seems to also be opening the AF_UNIX socket to /dev/log. This causes the launch of the main instance to fail.
I've been through the docs, but it's not obvious to me how to get syslog-ng to start without opening the socket to /dev/log. Hints? Thanks in advance...
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
From: "Patrick H." <syslogng@feystorm.net>
Date: Sat, 26 Jun 2010 19:33:10 -0600

Yes, that should work just fine.

Well, ok, then I'm dense.

Here's the config for the proxy:

----------------------------------------------------------------
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.5 2005/05/12 05:46:10 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett
# added by jrd 6/24/10
@version: 3.0

options {
    chain_hostnames(no);
    keep_hostname(yes);
    log_fifo_size(40000);
    flush_lines(10000);
    stats_freq(43200); # Stats message every 12 hours
};

source s_node {
    tcp(max-connections(1000) port(1514) );
};

#source ignore
#{
#    internal();
#};

destination ssp { tcp ("ssp" port(1514)); };

log { source(s_node); destination(ssp); };
----------------------------------------------------------------

and here's the config for the main instance:

----------------------------------------------------------------
@version: 3.0
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.3,v 1.1 2010/04/06 02:11:35 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux

options {
    chain_hostnames(no);

    # The default action of syslog-ng is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats_freq(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); destination(messages); };
log { source(src); destination(console_all); };
----------------------------------------------------------------

When I launch the second instance I still get

 * Starting syslog-ng ...Error binding socket; addr='AF_UNIX(/dev/log)', error='Address already in use (125)'
Error initializing source driver; source='src', id='src#0'
Error initializing message pipeline;
 * Failed to start syslog-ng

This is gentoo, btw.

Further hints? Thanks in advance....
The second instance you're trying to launch is using the first instance's config.

Error initializing source driver; source='src', id='src#0'

From that message you can see it's trying to initialize the source called 'src'. In your second config, your source is called 's_node', the first instance is called 'src'.
Make sure you're passing the proper '-f' option to syslog-ng when you start it.

Sent: Saturday, June 26, 2010 8:18:22 PM
From: John R. Dunning <jrd@jrd.org>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] ***SPAM*** Re: Two instances of syslog-ng on the same host?
From: "Patrick H." <syslogng@feystorm.net> Date: Sat, 26 Jun 2010 19:33:10 -0600
Yes, that should work just fine.
Well, ok, then I'm dense.
Here's the config for the proxy:
----------------------------------------------------------------
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.5 2005/05/12 05:46:10 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett
# added by jrd 6/24/10
@version: 3.0

options {
    chain_hostnames(no);
    keep_hostname(yes);
    log_fifo_size(40000);
    flush_lines(10000);
    stats_freq(43200); # Stats message every 12 hours
};

source s_node {
    tcp(max-connections(1000) port(1514) );
};

#source ignore
#{
#    internal();
#};

destination ssp { tcp ("ssp" port(1514)); };

log { source(s_node); destination(ssp); };
----------------------------------------------------------------
and here's the config for the main instance:
----------------------------------------------------------------
@version: 3.0
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.3,v 1.1 2010/04/06 02:11:35 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux

options {
    chain_hostnames(no);

    # The default action of syslog-ng is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats_freq(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); destination(messages); };
log { source(src); destination(console_all); };
----------------------------------------------------------------
When I launch the second instance I still get
 * Starting syslog-ng ...Error binding socket; addr='AF_UNIX(/dev/log)', error='Address already in use (125)'
Error initializing source driver; source='src', id='src#0'
Error initializing message pipeline;
* Failed to start syslog-ng
This is gentoo, btw.
Further hints? Thanks in advance....
From: "Patrick H." <syslogng@feystorm.net>
Date: Sat, 26 Jun 2010 20:27:41 -0600

The second instance you're trying to launch is using the first instance's config.

Error initializing source driver; source='src', id='src#0'

From that message you can see it's trying to initialize the source called 'src'. In your second config, your source is called 's_node', the first instance is called 'src'.
Make sure you're passing the proper '-f' option to syslog-ng when you start it.

Pretty sure I am.

It's the second config (the one for the "main" instance) which has a source called "src". It's the proxy one (the first one) which has a source called "s_node".

The start for the proxy uses -f <special-proxy-conf> whereas the start for the main one just lets it default to syslog-ng.conf.
From: "John R. Dunning" <jrd@jrd.org>
Date: Sat, 26 Jun 2010 22:42:05 -0400

From: "Patrick H." <syslogng@feystorm.net>
Date: Sat, 26 Jun 2010 20:27:41 -0600

The second instance you're trying to launch is using the first instance's config.

Error initializing source driver; source='src', id='src#0'

From that message you can see it's trying to initialize the source called 'src'. In your second config, your source is called 's_node', the first instance is called 'src'.
Make sure you're passing the proper '-f' option to syslog-ng when you start it.

Pretty sure I am.

It's the second config (the one for the "main" instance) which has a source called "src". It's the proxy one (the first one) which has a source called "s_node".

The start for the proxy uses -f <special-proxy-conf> whereas the start for the main one just lets it default to syslog-ng.conf.

Anybody got any further ideas on this? I fear my next step is to start running the thing under gdb and try to work out why the proxy instance still wants to open /dev/log. Would like to avoid that if possible...
I can assure you that running multiple instances of syslog-ng does not share the /dev/log.

We run up to 8 instances on the same host (it's complicated, but for us it is what we want).

As long as you give the correct config file to correct instance, all is good. If you want to discuss /etc/init.d scripts off-line, I am willing to do that.

Evan.

________________________________________
From: syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of John R. Dunning [jrd@jrd.org]
Sent: Monday, June 28, 2010 6:25 PM
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] Two instances of syslog-ng on the same host?

From: "John R. Dunning" <jrd@jrd.org>
Date: Sat, 26 Jun 2010 22:42:05 -0400

From: "Patrick H." <syslogng@feystorm.net>
Date: Sat, 26 Jun 2010 20:27:41 -0600

The second instance you're trying to launch is using the first instance's config.

Error initializing source driver; source='src', id='src#0'

From that message you can see it's trying to initialize the source called 'src'. In your second config, your source is called 's_node', the first instance is called 'src'.
Make sure you're passing the proper '-f' option to syslog-ng when you start it.

Pretty sure I am.

It's the second config (the one for the "main" instance) which has a source called "src". It's the proxy one (the first one) which has a source called "s_node".

The start for the proxy uses -f <special-proxy-conf> whereas the start for the main one just lets it default to syslog-ng.conf.

Anybody got any further ideas on this? I fear my next step is to start running the thing under gdb and try to work out why the proxy instance still wants to open /dev/log. Would like to avoid that if possible...
On Sat, 2010-06-26 at 22:42 -0400, John R. Dunning wrote:
From: "Patrick H." <syslogng@feystorm.net> Date: Sat, 26 Jun 2010 20:27:41 -0600
The second instance you're trying to launch is using the first instance's config.

Error initializing source driver; source='src', id='src#0'

From that message you can see it's trying to initialize the source called 'src'. In your second config, your source is called 's_node', the first instance is called 'src'.
Make sure you're passing the proper '-f' option to syslog-ng when you start it.
Pretty sure I am.
It's the second config (the one for the "main" instance) which has a source called "src". It's the proxy one (the first one) which has a source called "s_node".
The start for the proxy uses -f <special-proxy-conf> whereas the start for the main one just lets it default to syslog-ng.conf.
Well, the string "/dev/log" can only come from a config file, so I'd strongly suspect that there's something wrong with the configuration file being used.

You could confirm that the good one is being used by checking the command line arguments, or if those look sane, by validating via strace, that syslog-ng is indeed opening the intended configuration file.

--
Bazsi
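One way to carry out the command-line check suggested above, as an added example that is not part of the original thread: it resolves which config file each syslog-ng instance was started with and lists the unix sockets those configs declare. DEFAULT_CFG is an assumed default path (it varies by build), the function names are hypothetical, and the config parsing is a simplification noted in the comments.

```shell
#!/bin/sh
# Added example, not from the thread.
# Assumption: DEFAULT_CFG is the file this build reads when no -f is given;
# the path varies by distribution, so override it in the environment.
DEFAULT_CFG=${DEFAULT_CFG:-/etc/syslog-ng/syslog-ng.conf}

# Print the config file selected by a NUL-separated command line, as stored
# in /proc/PID/cmdline. Handles "-f FILE", "--cfgfile FILE", "--cfgfile=FILE".
cfg_from_cmdline() {
    tr '\0' '\n' < "$1" | awk -v def="$DEFAULT_CFG" '
        want                            { cfg = $0; want = 0; next }
        $0 == "-f" || $0 == "--cfgfile" { want = 1; next }
        /^--cfgfile=/                   { cfg = substr($0, 11) }
        END                             { print (cfg != "" ? cfg : def) }'
}

# Print the path of every uncommented unix-stream()/unix-dgram() source.
# Simplification: "#" starts a comment anywhere, and only double-quoted
# paths are recognised.
unix_sockets_in_cfg() {
    sed 's/#.*//' "$1" |
        grep -oE 'unix-(stream|dgram)[[:space:]]*\([[:space:]]*"[^"]+"' |
        sed 's/.*"\(.*\)"/\1/'
}

# For each cmdline file, print "config<TAB>socket" for every unix socket the
# instance's config declares.
report() {
    for c in "$@"; do
        cfg=$(cfg_from_cmdline "$c")
        if [ ! -r "$cfg" ]; then
            echo "$cfg: not readable" >&2
            continue
        fi
        unix_sockets_in_cfg "$cfg" | while read -r sock; do
            printf '%s\t%s\n' "$cfg" "$sock"
        done
    done
}

# Socket paths declared by more than one of the given instances.
conflicts() { report "$@" | cut -f2 | sort | uniq -d; }

# Live use on Linux:
#   report $(pgrep -x syslog-ng | sed 's|.*|/proc/&/cmdline|')
```

An instance that shows the default path where a proxy-specific file was expected was started without the intended -f argument.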
participants (4)
- Balazs Scheidler
- Evan Rempel
- John R. Dunning
- Patrick H.