Silence syslog-ng upon connection reopening?
Hi, is it possible to silence syslog-ng running on a log client when it reopens a TCP connection to the syslog-ng log server? For example, when you restart syslog-ng on the server due to some configuration change or whatever other reason, syslog-ng on the log client logs this to syslog.err: syslog-ng[13214]: io.c: do_write: write() failed, EOF detected syslog-ng[13214]: pkt_buffer::do_flush(): Error flushing data syslog-ng[13214]: Connection broken to AF_INET(log-server:514), reopening in 10 seconds Can I make syslog-ng NOT log those messages until, let's say, the reopening failed at least N times? The reason is I am using tenshi to monitor the remote logs on the log server in order to alert me about messages with the severities err, crit and emerg. I can, however, add special trash patterns to my tenshi config to disregard the above messages, but I don't feel comfortable about it (for example, when there was a real problem, like a network outage for, let's say, more than 60 seconds). Switching to UDP does not look like a brilliant alternative either ;) Best regards -- Wolfram Schlich
On Thu, 2006-11-23 at 19:35 +0100, Wolfram Schlich wrote:
Hi,
is it possible to silence syslog-ng running on a log client when it reopens a TCP connection to the syslog-ng log server?
For example, when you restart syslog-ng on the server due to some configuration change or whatever other reason, syslog-ng on the log client logs this to syslog.err:
syslog-ng[13214]: io.c: do_write: write() failed, EOF detected syslog-ng[13214]: pkt_buffer::do_flush(): Error flushing data syslog-ng[13214]: Connection broken to AF_INET(log-server:514), reopening in 10 seconds
Can I make syslog-ng NOT log those messages until, let's say, the reopening failed at least N times?
The reason is I am using tenshi to monitor the remote logs on the log server in order to alert me about messages with the severities err, crit and emerg.
I can, however, add special trash patterns to my tenshi config to disregard the above messages, but I don't feel comfortable about it (for example, when there was a real problem, like a network outage for, let's say, more than 60 seconds).
It is not currently possible, and I don't have a good solution right now. -- Bazsi
* Balazs Scheidler <bazsi@balabit.hu> [2006-11-23 19:41]:
On Thu, 2006-11-23 at 19:35 +0100, Wolfram Schlich wrote:
Hi,
is it possible to silence syslog-ng running on a log client when it reopens a TCP connection to the syslog-ng log server?
For example, when you restart syslog-ng on the server due to some configuration change or whatever other reason, syslog-ng on the log client logs this to syslog.err:
syslog-ng[13214]: io.c: do_write: write() failed, EOF detected syslog-ng[13214]: pkt_buffer::do_flush(): Error flushing data syslog-ng[13214]: Connection broken to AF_INET(log-server:514), reopening in 10 seconds
Can I make syslog-ng NOT log those messages until, let's say, the reopening failed at least N times?
The reason is I am using tenshi to monitor the remote logs on the log server in order to alert me about messages with the severities err, crit and emerg.
I can, however, add special trash patterns to my tenshi config to disregard the above messages, but I don't feel comfortable about it (for example, when there was a real problem, like a network outage for, let's say, more than 60 seconds).
It is not currently possible, and I don't have a good solution right now.
What about logging with severity warn instead of err? That would solve the problem for me (I do only get notified immediately about err, crit and emerg). Can it be done without "breaking" other cases where such messages would occur and err would be the most suitable severity? Best regards -- Wolfram Schlich
On Thu, 2006-11-23 at 20:16 +0100, Wolfram Schlich wrote:
* Balazs Scheidler <bazsi@balabit.hu> [2006-11-23 19:41]:
On Thu, 2006-11-23 at 19:35 +0100, Wolfram Schlich wrote:
Hi,
is it possible to silence syslog-ng running on a log client when it reopens a TCP connection to the syslog-ng log server?
For example, when you restart syslog-ng on the server due to some configuration change or whatever other reason, syslog-ng on the log client logs this to syslog.err:
syslog-ng[13214]: io.c: do_write: write() failed, EOF detected syslog-ng[13214]: pkt_buffer::do_flush(): Error flushing data syslog-ng[13214]: Connection broken to AF_INET(log-server:514), reopening in 10 seconds
Can I make syslog-ng NOT log those messages until, let's say, the reopening failed at least N times?
The reason is I am using tenshi to monitor the remote logs on the log server in order to alert me about messages with the severities err, crit and emerg.
I can, however, add special trash patterns to my tenshi config to disregard the above messages, but I don't feel comfortable about it (for example, when there was a real problem, like a network outage for, let's say, more than 60 seconds).
It is not currently possible, and I don't have a good solution right now.
What about logging with severity warn instead of err? That would solve the problem for me (I do only get notified immediately about err, crit and emerg).
Can it be done without "breaking" other cases where such messages would occur and err would be the most suitable severity?
Sorry, but no, syslog-ng uses only four levels internally: MSG_ERROR: LOG_ERR; (error messages) MSG_FATAL: LOG_CRIT; (fatal errors that cause syslog-ng to exit abnormally) MSG_DEBUG: LOG_DEBUG; (debug messages, enabled with -d) MSG_VERBOSE: LOG_NOTICE (verbose mode messages, enabled with -v) MSG_NOTICE: LOG_NOTICE; (informational messages, always enabled) Changing error severities would affect all messages globally. I'm reluctant to change the error messages associated with connection errors anything less than MSG_ERROR. Any in addition, I'm very reluctant to change the 1.6.x codebase, now as 2.0.0 was released. :) -- Bazsi
* Balazs Scheidler <bazsi@balabit.hu> [2006-11-24 09:23]:
On Thu, 2006-11-23 at 20:16 +0100, Wolfram Schlich wrote:
* Balazs Scheidler <bazsi@balabit.hu> [2006-11-23 19:41]:
On Thu, 2006-11-23 at 19:35 +0100, Wolfram Schlich wrote:
Hi,
is it possible to silence syslog-ng running on a log client when it reopens a TCP connection to the syslog-ng log server?
For example, when you restart syslog-ng on the server due to some configuration change or whatever other reason, syslog-ng on the log client logs this to syslog.err:
syslog-ng[13214]: io.c: do_write: write() failed, EOF detected syslog-ng[13214]: pkt_buffer::do_flush(): Error flushing data syslog-ng[13214]: Connection broken to AF_INET(log-server:514), reopening in 10 seconds
Can I make syslog-ng NOT log those messages until, let's say, the reopening failed at least N times? [...]
It is not currently possible, and I don't have a good solution right now.
What about logging with severity warn instead of err? That would solve the problem for me (I do only get notified immediately about err, crit and emerg).
Can it be done without "breaking" other cases where such messages would occur and err would be the most suitable severity?
Sorry, but no, syslog-ng uses only four levels internally:
MSG_ERROR: LOG_ERR; (error messages) MSG_FATAL: LOG_CRIT; (fatal errors that cause syslog-ng to exit abnormally) MSG_DEBUG: LOG_DEBUG; (debug messages, enabled with -d) MSG_VERBOSE: LOG_NOTICE (verbose mode messages, enabled with -v) MSG_NOTICE: LOG_NOTICE; (informational messages, always enabled)
Changing error severities would affect all messages globally. I'm reluctant to change the error messages associated with connection errors anything less than MSG_ERROR.
Ok. Then what about a solution like the one I mentioned in the first place -- only logging such messages if connection reopening failed at least N (configurable number of) times?
Any in addition, I'm very reluctant to change the 1.6.x codebase, now as 2.0.0 was released. :)
Oh, well, switching to 2.x for the log clients would not be a problem :) Best regards -- Wolfram Schlich
participants (2)
-
Balazs Scheidler
-
Wolfram Schlich