Hi all, I have update the syslog-ng to 3.8 ( yum remove syslog-ng && yum install syslog-ng ) and change from MySQL to Mongo DB and now when i restart i have the following errors: Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' I'm using mutual self certification and the certificates are there in the directories "ca.d" "cert.d". Do i have to re-create all the certificates now or can i fix this somehow. P.S. This problem i have on the Syslog-NG Server, they all send messages to this server. So if i have to change the certificate here i will have to change on the clients too. :( Any hints on this ?
the error message clearly says that the port 6514 is already occupied. maybe an old instance of syslog-ng is still running. try investigating with netstat -antp to see which process keeps that opened. -- Bazsi On Thu, Apr 21, 2016 at 11:51 AM, Ivan Adji - Krstev <akivanradix@gmail.com> wrote:
Hi all, I have update the syslog-ng to 3.8 ( yum remove syslog-ng && yum install syslog-ng ) and change from MySQL to Mongo DB and now when i restart i have the following errors:
Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' I'm using mutual self certification and the certificates are there in the directories "ca.d" "cert.d". Do i have to re-create all the certificates now or can i fix this somehow.
P.S. This problem i have on the Syslog-NG Server, they all send messages to this server. So if i have to change the certificate here i will have to change on the clients too. :(
Any hints on this ?
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hi, It show me that it's a syslog-ng ... i have done this before i have not mention in the post. The port is used by Syslog-ng. *netstat -antp | grep 6514** **tcp 0 0 0.0.0.0:6514 0.0.0.0:* LISTEN 15632/syslog-ng** * * **type syslog-ng** **syslog-ng is hashed (/sbin/syslog-ng) /sbin/syslog-ng -V syslog-ng 3.8.0alpha0 Installer-Version: 3.8.0alpha0 Revision: Module-Directory: //usr/lib64/syslog-ng Module-Path: //usr/lib64/syslog-ng Available-Modules: confgen,afuser,afprog,graphite,dbparser,sdjournal,kvformat,disk-buffer,affile,cef,pseudofile,csvparser,afamqp,basicfuncs,afsocket,syslogformat,date,json-plugin,linux-kmsg-format,cryptofuncs,system-source,afstomp,afmongodb Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-IPv6: on Enable-Spoof-Source: on Enable-TCP-Wrapper: on Enable-Linux-Caps: off /sbin/syslog-ng -V syslog-ng 3.8.0alpha0 Installer-Version: 3.8.0alpha0 Revision: Module-Directory: //usr/lib64/syslog-ng Module-Path: //usr/lib64/syslog-ng Available-Modules: confgen,afuser,afprog,graphite,dbparser,sdjournal,kvformat,disk-buffer,affile,cef,pseudofile,csvparser,afamqp,basicfuncs,afsocket,syslogformat,date,json-plugin,linux-kmsg-format,cryptofuncs,system-source,afstomp,afmongodb Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-IPv6: on Enable-Spoof-Source: on Enable-TCP-Wrapper: on Enable-Linux-Caps: off *So i have no other idea to see what is in the background... Kind regards Ivan On 04/21/2016 12:00 PM, Scheidler, Balázs wrote:
the error message clearly says that the port 6514 is already occupied. maybe an old instance of syslog-ng is still running.
try investigating with netstat -antp to see which process keeps that opened.
-- Bazsi
On Thu, Apr 21, 2016 at 11:51 AM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
Hi all, I have update the syslog-ng to 3.8 ( yum remove syslog-ng && yum install syslog-ng ) and change from MySQL to Mongo DB and now when i restart i have the following errors:
Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' I'm using mutual self certification and the certificates are there in the directories "ca.d" "cert.d". Do i have to re-create all the certificates now or can i fix this somehow.
P.S. This problem i have on the Syslog-NG Server, they all send messages to this server. So if i have to change the certificate here i will have to change on the clients too. :(
Any hints on this ?
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
try systemctl reload syslog-ng. On 04/21/2016 12:05 PM, Ivan Adji - Krstev wrote:
Hi,
It show me that it's a syslog-ng ... i have done this before i have not mention in the post. The port is used by Syslog-ng.
*netstat -antp | grep 6514** **tcp 0 0 0.0.0.0:6514 0.0.0.0:* LISTEN 15632/syslog-ng** * * **type syslog-ng** **syslog-ng is hashed (/sbin/syslog-ng)
/sbin/syslog-ng -V syslog-ng 3.8.0alpha0 Installer-Version: 3.8.0alpha0 Revision: Module-Directory: //usr/lib64/syslog-ng Module-Path: //usr/lib64/syslog-ng Available-Modules: confgen,afuser,afprog,graphite,dbparser,sdjournal,kvformat,disk-buffer,affile,cef,pseudofile,csvparser,afamqp,basicfuncs,afsocket,syslogformat,date,json-plugin,linux-kmsg-format,cryptofuncs,system-source,afstomp,afmongodb Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-IPv6: on Enable-Spoof-Source: on Enable-TCP-Wrapper: on Enable-Linux-Caps: off
/sbin/syslog-ng -V syslog-ng 3.8.0alpha0 Installer-Version: 3.8.0alpha0 Revision: Module-Directory: //usr/lib64/syslog-ng Module-Path: //usr/lib64/syslog-ng Available-Modules: confgen,afuser,afprog,graphite,dbparser,sdjournal,kvformat,disk-buffer,affile,cef,pseudofile,csvparser,afamqp,basicfuncs,afsocket,syslogformat,date,json-plugin,linux-kmsg-format,cryptofuncs,system-source,afstomp,afmongodb Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-IPv6: on Enable-Spoof-Source: on Enable-TCP-Wrapper: on Enable-Linux-Caps: off
*So i have no other idea to see what is in the background...
Kind regards Ivan
On 04/21/2016 12:00 PM, Scheidler, Balázs wrote:
the error message clearly says that the port 6514 is already occupied. maybe an old instance of syslog-ng is still running.
try investigating with netstat -antp to see which process keeps that opened.
-- Bazsi
On Thu, Apr 21, 2016 at 11:51 AM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
Hi all, I have update the syslog-ng to 3.8 ( yum remove syslog-ng && yum install syslog-ng ) and change from MySQL to Mongo DB and now when i restart i have the following errors:
Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' I'm using mutual self certification and the certificates are there in the directories "ca.d" "cert.d". Do i have to re-create all the certificates now or can i fix this somehow.
P.S. This problem i have on the Syslog-NG Server, they all send messages to this server. So if i have to change the certificate here i will have to change on the clients too. :(
Any hints on this ?
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Nirmoy -- SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg) Maxfeldstr. 5 D-90409 Nürnberg / Phone: +49-911-740 18-4
No still same problem ... On 04/21/2016 01:04 PM, Nirmoy Das wrote:
try systemctl reload syslog-ng.
On 04/21/2016 12:05 PM, Ivan Adji - Krstev wrote:
Hi,
It show me that it's a syslog-ng ... i have done this before i have not mention in the post. The port is used by Syslog-ng.
*netstat -antp | grep 6514** **tcp 0 0 0.0.0.0:6514 0.0.0.0:* LISTEN 15632/syslog-ng** * * **type syslog-ng** **syslog-ng is hashed (/sbin/syslog-ng)
/sbin/syslog-ng -V syslog-ng 3.8.0alpha0 Installer-Version: 3.8.0alpha0 Revision: Module-Directory: //usr/lib64/syslog-ng Module-Path: //usr/lib64/syslog-ng Available-Modules: confgen,afuser,afprog,graphite,dbparser,sdjournal,kvformat,disk-buffer,affile,cef,pseudofile,csvparser,afamqp,basicfuncs,afsocket,syslogformat,date,json-plugin,linux-kmsg-format,cryptofuncs,system-source,afstomp,afmongodb Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-IPv6: on Enable-Spoof-Source: on Enable-TCP-Wrapper: on Enable-Linux-Caps: off
/sbin/syslog-ng -V syslog-ng 3.8.0alpha0 Installer-Version: 3.8.0alpha0 Revision: Module-Directory: //usr/lib64/syslog-ng Module-Path: //usr/lib64/syslog-ng Available-Modules: confgen,afuser,afprog,graphite,dbparser,sdjournal,kvformat,disk-buffer,affile,cef,pseudofile,csvparser,afamqp,basicfuncs,afsocket,syslogformat,date,json-plugin,linux-kmsg-format,cryptofuncs,system-source,afstomp,afmongodb Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-IPv6: on Enable-Spoof-Source: on Enable-TCP-Wrapper: on Enable-Linux-Caps: off
*So i have no other idea to see what is in the background...
Kind regards Ivan
On 04/21/2016 12:00 PM, Scheidler, Balázs wrote:
the error message clearly says that the port 6514 is already occupied. maybe an old instance of syslog-ng is still running.
try investigating with netstat -antp to see which process keeps that opened.
-- Bazsi
On Thu, Apr 21, 2016 at 11:51 AM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
Hi all, I have update the syslog-ng to 3.8 ( yum remove syslog-ng && yum install syslog-ng ) and change from MySQL to Mongo DB and now when i restart i have the following errors:
Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' I'm using mutual self certification and the certificates are there in the directories "ca.d" "cert.d". Do i have to re-create all the certificates now or can i fix this somehow.
P.S. This problem i have on the Syslog-NG Server, they all send messages to this server. So if i have to change the certificate here i will have to change on the clients too. :(
Any hints on this ?
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Nirmoy
lsof -i :6514 Will show you what process is bound to the port.
On Apr 21, 2016, at 7:20 AM, Ivan Adji - Krstev <akivanradix@gmail.com> wrote:
No still same problem ...
On 04/21/2016 01:04 PM, Nirmoy Das wrote:
try systemctl reload syslog-ng.
On 04/21/2016 12:05 PM, Ivan Adji - Krstev wrote:
Hi,
It show me that it's a syslog-ng ... i have done this before i have not mention in the post. The port is used by Syslog-ng.
*netstat -antp | grep 6514** **tcp 0 0 0.0.0.0:6514 0.0.0.0:* LISTEN 15632/syslog-ng** * * **type syslog-ng** **syslog-ng is hashed (/sbin/syslog-ng)
/sbin/syslog-ng -V syslog-ng 3.8.0alpha0 Installer-Version: 3.8.0alpha0 Revision: Module-Directory: //usr/lib64/syslog-ng Module-Path: //usr/lib64/syslog-ng Available-Modules: confgen,afuser,afprog,graphite,dbparser,sdjournal,kvformat,disk-buffer,affile,cef,pseudofile,csvparser,afamqp,basicfuncs,afsocket,syslogformat,date,json-plugin,linux-kmsg-format,cryptofuncs,system-source,afstomp,afmongodb Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-IPv6: on Enable-Spoof-Source: on Enable-TCP-Wrapper: on Enable-Linux-Caps: off
/sbin/syslog-ng -V syslog-ng 3.8.0alpha0 Installer-Version: 3.8.0alpha0 Revision: Module-Directory: //usr/lib64/syslog-ng Module-Path: //usr/lib64/syslog-ng Available-Modules: confgen,afuser,afprog,graphite,dbparser,sdjournal,kvformat,disk-buffer,affile,cef,pseudofile,csvparser,afamqp,basicfuncs,afsocket,syslogformat,date,json-plugin,linux-kmsg-format,cryptofuncs,system-source,afstomp,afmongodb Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-IPv6: on Enable-Spoof-Source: on Enable-TCP-Wrapper: on Enable-Linux-Caps: off
*So i have no other idea to see what is in the background...
Kind regards Ivan
On 04/21/2016 12:00 PM, Scheidler, Balázs wrote:
the error message clearly says that the port 6514 is already occupied. maybe an old instance of syslog-ng is still running.
try investigating with netstat -antp to see which process keeps that opened.
-- Bazsi
On Thu, Apr 21, 2016 at 11:51 AM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com> <mailto:akivanradix@gmail.com> <mailto:akivanradix@gmail.com>> wrote:
Hi all, I have update the syslog-ng to 3.8 ( yum remove syslog-ng && yum install syslog-ng ) and change from MySQL to Mongo DB and now when i restart i have the following errors:
Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' I'm using mutual self certification and the certificates are there in the directories "ca.d" "cert.d". Do i have to re-create all the certificates now or can i fix this somehow.
P.S. This problem i have on the Syslog-NG Server, they all send messages to this server. So if i have to change the certificate here i will have to change on the clients too. :(
Any hints on this ?
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
Nirmoy
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
I have the following results... lsof -i :6514 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME syslog-ng 2411 root 12u IPv4 16262 0t0 TCP *:syslog-tls (LISTEN) So its syslog-tls .... is it possible to have some modules uninstalled. As i did *yum remove syslog-ng *than *yum install syslog-ng* On 04/21/2016 01:55 PM, Scot Needy wrote:
lsof -i :6514
Will show you what process is bound to the port.
On Apr 21, 2016, at 7:20 AM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
No still same problem ...
On 04/21/2016 01:04 PM, Nirmoy Das wrote:
try systemctl reload syslog-ng.
On 04/21/2016 12:05 PM, Ivan Adji - Krstev wrote:
Hi,
It show me that it's a syslog-ng ... i have done this before i have not mention in the post. The port is used by Syslog-ng.
*netstat -antp | grep 6514** **tcp 0 0 0.0.0.0:6514 0.0.0.0:* LISTEN 15632/syslog-ng** * * **type syslog-ng** **syslog-ng is hashed (/sbin/syslog-ng)
/sbin/syslog-ng -V syslog-ng 3.8.0alpha0 Installer-Version: 3.8.0alpha0 Revision: Module-Directory: //usr/lib64/syslog-ng Module-Path: //usr/lib64/syslog-ng Available-Modules: confgen,afuser,afprog,graphite,dbparser,sdjournal,kvformat,disk-buffer,affile,cef,pseudofile,csvparser,afamqp,basicfuncs,afsocket,syslogformat,date,json-plugin,linux-kmsg-format,cryptofuncs,system-source,afstomp,afmongodb Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-IPv6: on Enable-Spoof-Source: on Enable-TCP-Wrapper: on Enable-Linux-Caps: off
/sbin/syslog-ng -V syslog-ng 3.8.0alpha0 Installer-Version: 3.8.0alpha0 Revision: Module-Directory: //usr/lib64/syslog-ng Module-Path: //usr/lib64/syslog-ng Available-Modules: confgen,afuser,afprog,graphite,dbparser,sdjournal,kvformat,disk-buffer,affile,cef,pseudofile,csvparser,afamqp,basicfuncs,afsocket,syslogformat,date,json-plugin,linux-kmsg-format,cryptofuncs,system-source,afstomp,afmongodb Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-IPv6: on Enable-Spoof-Source: on Enable-TCP-Wrapper: on Enable-Linux-Caps: off
*So i have no other idea to see what is in the background...
Kind regards Ivan
On 04/21/2016 12:00 PM, Scheidler, Balázs wrote:
the error message clearly says that the port 6514 is already occupied. maybe an old instance of syslog-ng is still running.
try investigating with netstat -antp to see which process keeps that opened.
-- Bazsi
On Thu, Apr 21, 2016 at 11:51 AM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
Hi all, I have update the syslog-ng to 3.8 ( yum remove syslog-ng && yum install syslog-ng ) and change from MySQL to Mongo DB and now when i restart i have the following errors:
Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' I'm using mutual self certification and the certificates are there in the directories "ca.d" "cert.d". Do i have to re-create all the certificates now or can i fix this somehow.
P.S. This problem i have on the Syslog-NG Server, they all send messages to this server. So if i have to change the certificate here i will have to change on the clients too. :(
Any hints on this ?
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Nirmoy
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
It is the same ... if i restart the syslog-ng after that ill get the same error. If i stop the syslog-ng that port is not used anymore ... Here is the output of the *syslog-ng -Fevd* [2016-04-21T16:02:41.478174] WARNING: Starting with syslog-ng 3.6, the system() source performs JSON parsing of messages starting with the '@cim:' prefix. No additional action is needed; [2016-04-21T16:02:41.478635] Module loaded and initialized successfully; module='sdjournal' [2016-04-21T16:02:41.478776] Finishing include; content='source confgen system', depth='1' [2016-04-21T16:02:41.479601] Module loaded and initialized successfully; module='afsocket' [2016-04-21T16:02:41.481135] Module loaded and initialized successfully; module='afmongodb' [2016-04-21T16:02:41.481914] Module loaded and initialized successfully; module='affile' [2016-04-21T16:02:41.482779] Module loaded and initialized successfully; module='afuser' [2016-04-21T16:02:41.484211] Unable to detect fully qualified hostname for localhost, use_fqdn() will use the short hostname; [2016-04-21T16:02:41.484252] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484264] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484276] Compiling s_sys sequence [source] at [/etc/syslog-ng/syslog-ng.conf:29:1] [2016-04-21T16:02:41.484286] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:29:15] [2016-04-21T16:02:41.484295] Compiling #unnamed sequence [log] at [source confgen system:2:5] [2016-04-21T16:02:41.484304] Compiling #unnamed sequence [source] at [source confgen system:2:5] [2016-04-21T16:02:41.484314] Compiling #unnamed junction [log] at [source confgen system:2:13] [2016-04-21T16:02:41.484323] Compiling #unnamed single [log] at [source confgen system:3:1] [2016-04-21T16:02:41.484337] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:32:2] [2016-04-21T16:02:41.484347] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:33:2] [2016-04-21T16:02:41.484363] Compiling f_auth reference [filter] at [/etc/syslog-ng/syslog-ng.conf:128:22] [2016-04-21T16:02:41.484374] Compiling f_auth sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:112:1] [2016-04-21T16:02:41.484383] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:112:22] [2016-04-21T16:02:41.484393] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:128:38] [2016-04-21T16:02:41.484403] Compiling d_mongodb sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:57:1] [2016-04-21T16:02:41.484413] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:57:24] [2016-04-21T16:02:41.484422] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:58:5] [2016-04-21T16:02:41.484434] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484445] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484456] Compiling f_emergency reference [filter] at [/etc/syslog-ng/syslog-ng.conf:133:22] [2016-04-21T16:02:41.484467] Compiling f_emergency sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:114:1] [2016-04-21T16:02:41.484476] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:114:22] [2016-04-21T16:02:41.484486] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:133:43] [2016-04-21T16:02:41.484497] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484506] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484517] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:152:22] [2016-04-21T16:02:41.484873] Seeking the journal to the last cursor position; cursor='s=9383cb3eb8ee41eda3468d9841333aef;i=131c;b=0f07653f04794e14beeeebb18131926b;m=214f74fdf;t=530ff299a3a8e;x=d0f0c56745dc963a' [2016-04-21T16:02:41.485562] Module loaded and initialized successfully; module='syslogformat' [2016-04-21T16:02:41.485834] Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' [2016-04-21T16:02:41.485874] Error initializing message pipeline; On 04/21/2016 03:40 PM, Scot Needy wrote:
kill -9 2411
On Apr 21, 2016, at 7:58 AM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
2411
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
I don’t see your conf files but I suspect it’s trying to load the tls module twice ?
On Apr 21, 2016, at 10:04 AM, Ivan Adji - Krstev <akivanradix@gmail.com> wrote:
It is the same ... if i restart the syslog-ng after that ill get the same error. If i stop the syslog-ng that port is not used anymore ... Here is the output of the syslog-ng -Fevd
[2016-04-21T16:02:41.478174] WARNING: Starting with syslog-ng 3.6, the system() source performs JSON parsing of messages starting with the '@cim:' prefix. No additional action is needed; [2016-04-21T16:02:41.478635] Module loaded and initialized successfully; module='sdjournal' [2016-04-21T16:02:41.478776] Finishing include; content='source confgen system', depth='1' [2016-04-21T16:02:41.479601] Module loaded and initialized successfully; module='afsocket' [2016-04-21T16:02:41.481135] Module loaded and initialized successfully; module='afmongodb' [2016-04-21T16:02:41.481914] Module loaded and initialized successfully; module='affile' [2016-04-21T16:02:41.482779] Module loaded and initialized successfully; module='afuser' [2016-04-21T16:02:41.484211] Unable to detect fully qualified hostname for localhost, use_fqdn() will use the short hostname; [2016-04-21T16:02:41.484252] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484264] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484276] Compiling s_sys sequence [source] at [/etc/syslog-ng/syslog-ng.conf:29:1] [2016-04-21T16:02:41.484286] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:29:15] [2016-04-21T16:02:41.484295] Compiling #unnamed sequence [log] at [source confgen system:2:5] [2016-04-21T16:02:41.484304] Compiling #unnamed sequence [source] at [source confgen system:2:5] [2016-04-21T16:02:41.484314] Compiling #unnamed junction [log] at [source confgen system:2:13] [2016-04-21T16:02:41.484323] Compiling #unnamed single [log] at [source confgen system:3:1] [2016-04-21T16:02:41.484337] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:32:2] [2016-04-21T16:02:41.484347] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:33:2] [2016-04-21T16:02:41.484363] Compiling f_auth reference [filter] at [/etc/syslog-ng/syslog-ng.conf:128:22] [2016-04-21T16:02:41.484374] Compiling f_auth sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:112:1] [2016-04-21T16:02:41.484383] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:112:22] [2016-04-21T16:02:41.484393] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:128:38] [2016-04-21T16:02:41.484403] Compiling d_mongodb sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:57:1] [2016-04-21T16:02:41.484413] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:57:24] [2016-04-21T16:02:41.484422] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:58:5] [2016-04-21T16:02:41.484434] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484445] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484456] Compiling f_emergency reference [filter] at [/etc/syslog-ng/syslog-ng.conf:133:22] [2016-04-21T16:02:41.484467] Compiling f_emergency sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:114:1] [2016-04-21T16:02:41.484476] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:114:22] [2016-04-21T16:02:41.484486] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:133:43] [2016-04-21T16:02:41.484497] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484506] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484517] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:152:22] [2016-04-21T16:02:41.484873] Seeking the journal to the last cursor position; cursor='s=9383cb3eb8ee41eda3468d9841333aef;i=131c;b=0f07653f04794e14beeeebb18131926b;m=214f74fdf;t=530ff299a3a8e;x=d0f0c56745dc963a' [2016-04-21T16:02:41.485562] Module loaded and initialized successfully; module='syslogformat' [2016-04-21T16:02:41.485834] Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' [2016-04-21T16:02:41.485874] Error initializing message pipeline;
On 04/21/2016 03:40 PM, Scot Needy wrote:
kill -9 2411
On Apr 21, 2016, at 7:58 AM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
2411
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
maybe you have two sources binding on the same port? On Thu, Apr 21, 2016 at 4:36 PM, Scot Needy <scotrn@gmail.com> wrote:
I don’t see your conf files but I suspect it’s trying to load the tls module twice ?
On Apr 21, 2016, at 10:04 AM, Ivan Adji - Krstev <akivanradix@gmail.com> wrote:
It is the same ... if i restart the syslog-ng after that ill get the same error. If i stop the syslog-ng that port is not used anymore ... Here is the output of the *syslog-ng -Fevd*
[2016-04-21T16:02:41.478174] WARNING: Starting with syslog-ng 3.6, the system() source performs JSON parsing of messages starting with the '@cim:' prefix. No additional action is needed; [2016-04-21T16:02:41.478635] Module loaded and initialized successfully; module='sdjournal' [2016-04-21T16:02:41.478776] Finishing include; content='source confgen system', depth='1' [2016-04-21T16:02:41.479601] Module loaded and initialized successfully; module='afsocket' [2016-04-21T16:02:41.481135] Module loaded and initialized successfully; module='afmongodb' [2016-04-21T16:02:41.481914] Module loaded and initialized successfully; module='affile' [2016-04-21T16:02:41.482779] Module loaded and initialized successfully; module='afuser' [2016-04-21T16:02:41.484211] Unable to detect fully qualified hostname for localhost, use_fqdn() will use the short hostname; [2016-04-21T16:02:41.484252] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484264] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484276] Compiling s_sys sequence [source] at [/etc/syslog-ng/syslog-ng.conf:29:1] [2016-04-21T16:02:41.484286] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:29:15] [2016-04-21T16:02:41.484295] Compiling #unnamed sequence [log] at [source confgen system:2:5] [2016-04-21T16:02:41.484304] Compiling #unnamed sequence [source] at [source confgen system:2:5] [2016-04-21T16:02:41.484314] Compiling #unnamed junction [log] at [source confgen system:2:13] [2016-04-21T16:02:41.484323] Compiling #unnamed single [log] at [source confgen system:3:1] [2016-04-21T16:02:41.484337] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:32:2] [2016-04-21T16:02:41.484347] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:33:2] [2016-04-21T16:02:41.484363] Compiling f_auth reference [filter] at [/etc/syslog-ng/syslog-ng.conf:128:22] [2016-04-21T16:02:41.484374] Compiling f_auth sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:112:1] [2016-04-21T16:02:41.484383] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:112:22] [2016-04-21T16:02:41.484393] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:128:38] [2016-04-21T16:02:41.484403] Compiling d_mongodb sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:57:1] [2016-04-21T16:02:41.484413] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:57:24] [2016-04-21T16:02:41.484422] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:58:5] [2016-04-21T16:02:41.484434] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484445] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484456] Compiling f_emergency reference [filter] at [/etc/syslog-ng/syslog-ng.conf:133:22] [2016-04-21T16:02:41.484467] Compiling f_emergency sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:114:1] [2016-04-21T16:02:41.484476] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:114:22] [2016-04-21T16:02:41.484486] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:133:43] [2016-04-21T16:02:41.484497] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484506] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484517] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:152:22] [2016-04-21T16:02:41.484873] Seeking the journal to the last cursor position; cursor='s=9383cb3eb8ee41eda3468d9841333aef;i=131c;b=0f07653f04794e14beeeebb18131926b;m=214f74fdf;t=530ff299a3a8e;x=d0f0c56745dc963a' [2016-04-21T16:02:41.485562] Module loaded and initialized successfully; module='syslogformat' [2016-04-21T16:02:41.485834] Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' [2016-04-21T16:02:41.485874] Error initializing message pipeline;
On 04/21/2016 03:40 PM, Scot Needy wrote:
kill -9 2411
On Apr 21, 2016, at 7:58 AM, Ivan Adji - Krstev <akivanradix@gmail.com> wrote:
2411
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi
Or the module does not die on stop and tries to start another.
On Apr 21, 2016, at 11:20 AM, Balazs Scheidler <bazsi77@gmail.com> wrote:
maybe you have two sources binding on the same port?
On Thu, Apr 21, 2016 at 4:36 PM, Scot Needy <scotrn@gmail.com <mailto:scotrn@gmail.com>> wrote: I don’t see your conf files but I suspect it’s trying to load the tls module twice ?
On Apr 21, 2016, at 10:04 AM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
It is the same ... if i restart the syslog-ng after that ill get the same error. If i stop the syslog-ng that port is not used anymore ... Here is the output of the syslog-ng -Fevd
[2016-04-21T16:02:41.478174] WARNING: Starting with syslog-ng 3.6, the system() source performs JSON parsing of messages starting with the '@cim:' prefix. No additional action is needed; [2016-04-21T16:02:41.478635] Module loaded and initialized successfully; module='sdjournal' [2016-04-21T16:02:41.478776] Finishing include; content='source confgen system', depth='1' [2016-04-21T16:02:41.479601] Module loaded and initialized successfully; module='afsocket' [2016-04-21T16:02:41.481135] Module loaded and initialized successfully; module='afmongodb' [2016-04-21T16:02:41.481914] Module loaded and initialized successfully; module='affile' [2016-04-21T16:02:41.482779] Module loaded and initialized successfully; module='afuser' [2016-04-21T16:02:41.484211] Unable to detect fully qualified hostname for localhost, use_fqdn() will use the short hostname; [2016-04-21T16:02:41.484252] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484264] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484276] Compiling s_sys sequence [source] at [/etc/syslog-ng/syslog-ng.conf:29:1] [2016-04-21T16:02:41.484286] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:29:15] [2016-04-21T16:02:41.484295] Compiling #unnamed sequence [log] at [source confgen system:2:5] [2016-04-21T16:02:41.484304] Compiling #unnamed sequence [source] at [source confgen system:2:5] [2016-04-21T16:02:41.484314] Compiling #unnamed junction [log] at [source confgen system:2:13] [2016-04-21T16:02:41.484323] Compiling #unnamed single [log] at [source confgen system:3:1] [2016-04-21T16:02:41.484337] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:32:2] [2016-04-21T16:02:41.484347] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:33:2] [2016-04-21T16:02:41.484363] Compiling f_auth reference [filter] at [/etc/syslog-ng/syslog-ng.conf:128:22] [2016-04-21T16:02:41.484374] Compiling f_auth sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:112:1] [2016-04-21T16:02:41.484383] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:112:22] [2016-04-21T16:02:41.484393] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:128:38] [2016-04-21T16:02:41.484403] Compiling d_mongodb sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:57:1] [2016-04-21T16:02:41.484413] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:57:24] [2016-04-21T16:02:41.484422] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:58:5] [2016-04-21T16:02:41.484434] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484445] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484456] Compiling f_emergency reference [filter] at [/etc/syslog-ng/syslog-ng.conf:133:22] [2016-04-21T16:02:41.484467] Compiling f_emergency sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:114:1] [2016-04-21T16:02:41.484476] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:114:22] [2016-04-21T16:02:41.484486] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:133:43] [2016-04-21T16:02:41.484497] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484506] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484517] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:152:22] [2016-04-21T16:02:41.484873] Seeking the journal to the last cursor position; cursor='s=9383cb3eb8ee41eda3468d9841333aef;i=131c;b=0f07653f04794e14beeeebb18131926b;m=214f74fdf;t=530ff299a3a8e;x=d0f0c56745dc963a' [2016-04-21T16:02:41.485562] Module loaded and initialized successfully; module='syslogformat' [2016-04-21T16:02:41.485834] Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' [2016-04-21T16:02:41.485874] Error initializing message pipeline;
On 04/21/2016 03:40 PM, Scot Needy wrote:
kill -9 2411
On Apr 21, 2016, at 7:58 AM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
2411
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
-- Bazsi ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hi yes i start to put the file but i have some other problems... anyway here it's the config file ( syslog-ng.conf ) @version:3.8 @include "scl.conf" # syslog-ng configuration file. # # This should behave pretty much like the original syslog on RedHat. But # it could be configured a lot smarter. # # See syslog-ng(8) and syslog-ng.conf(5) for more information. # # Note: it also sources additional configuration files (*.conf) # located in /etc/syslog-ng/conf.d/ options { flush_lines (0); time_reopen (10); log_fifo_size (1000); # log_iw_size(100); log_fetch_limit(100); # chain_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); }; source s_sys { system(); #unix-stream("/dev/log"); internal(); network( port(6514) # tcp(port(5140)); # file("/proc/kmsg" log_prefix("kernel: ")); transport("tls") tls( key_file("/etc/syslog-ng/cert.d/serverkey.pem") cert_file("/etc/syslog-ng/cert.d/servercert.pem") ca_dir("/etc/syslog-ng/ca.d")) ); }; destination d_mongodb { mongodb( servers("localhost:27017") # database("syslog") uri('mongodb://localhost/syslog-ng') collection("messages") value-pairs( scope("selected-macros" "nv-pairs" "sdata") ) ); }; destination d_cons { file("/dev/console"); }; destination d_mesg { file("/var/log/messages"); }; destination d_auth { file("/var/log/secure"); }; destination d_mail { file("/var/log/maillog" flush_lines(10)); }; destination d_spol { file("/var/log/spooler"); }; destination d_boot { file("/var/log/boot.log"); }; destination d_cron { file("/var/log/cron"); }; destination d_kern { file("/var/log/kern"); }; destination d_mlal { usertty("*"); }; filter f_kernel { facility(kern); }; filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); }; filter f_auth { facility(authpriv); }; filter f_mail { facility(mail); }; filter f_emergency { level(emerg); }; filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); }; filter f_boot { facility(local7); }; filter f_cron { facility(cron); }; #log { source(s_sys); filter(f_kernel); destination(d_cons); }; log { source(s_sys); filter(f_kernel); destination(d_mongodb); }; log { source(s_sys); filter(f_default); destination(d_mongodb); }; log { source(s_sys); filter(f_auth); destination(d_mongodb); }; log { source(s_sys); filter(f_mail); destination(d_mongodb); }; log { source(s_sys); filter(f_emergency); destination(d_mongodb); }; log { source(s_sys); filter(f_news); destination(d_mongodb); }; log { source(s_sys); filter(f_boot); destination(d_mongodb); }; log { source(s_sys); filter(f_cron); destination(d_mongodb); }; log { source(s_sys); destination(d_mongodb); }; # Source additional configuration files (.conf extension only) @include "/etc/syslog-ng/conf.d/*.conf" # vim:ft=syslog-ng:ai:si:ts=4:sw=4:et: On 04/21/2016 06:12 PM, Scot Needy wrote:
Or the module does not die on stop and tries to start another.
On Apr 21, 2016, at 11:20 AM, Balazs Scheidler <bazsi77@gmail.com <mailto:bazsi77@gmail.com>> wrote:
maybe you have two sources binding on the same port?
On Thu, Apr 21, 2016 at 4:36 PM, Scot Needy <scotrn@gmail.com <mailto:scotrn@gmail.com>> wrote:
I don’t see your conf files but I suspect it’s trying to load the tls module twice ?
On Apr 21, 2016, at 10:04 AM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
It is the same ... if i restart the syslog-ng after that ill get the same error. If i stop the syslog-ng that port is not used anymore ... Here is the output of the *syslog-ng -Fevd*
[2016-04-21T16:02:41.478174] WARNING: Starting with syslog-ng 3.6, the system() source performs JSON parsing of messages starting with the '@cim:' prefix. No additional action is needed; [2016-04-21T16:02:41.478635] Module loaded and initialized successfully; module='sdjournal' [2016-04-21T16:02:41.478776] Finishing include; content='source confgen system', depth='1' [2016-04-21T16:02:41.479601] Module loaded and initialized successfully; module='afsocket' [2016-04-21T16:02:41.481135] Module loaded and initialized successfully; module='afmongodb' [2016-04-21T16:02:41.481914] Module loaded and initialized successfully; module='affile' [2016-04-21T16:02:41.482779] Module loaded and initialized successfully; module='afuser' [2016-04-21T16:02:41.484211] Unable to detect fully qualified hostname for localhost, use_fqdn() will use the short hostname; [2016-04-21T16:02:41.484252] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484264] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484276] Compiling s_sys sequence [source] at [/etc/syslog-ng/syslog-ng.conf:29:1] [2016-04-21T16:02:41.484286] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:29:15] [2016-04-21T16:02:41.484295] Compiling #unnamed sequence [log] at [source confgen system:2:5] [2016-04-21T16:02:41.484304] Compiling #unnamed sequence [source] at [source confgen system:2:5] [2016-04-21T16:02:41.484314] Compiling #unnamed junction [log] at [source confgen system:2:13] [2016-04-21T16:02:41.484323] Compiling #unnamed single [log] at [source confgen system:3:1] [2016-04-21T16:02:41.484337] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:32:2] [2016-04-21T16:02:41.484347] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:33:2] [2016-04-21T16:02:41.484363] Compiling f_auth reference [filter] at [/etc/syslog-ng/syslog-ng.conf:128:22] [2016-04-21T16:02:41.484374] Compiling f_auth sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:112:1] [2016-04-21T16:02:41.484383] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:112:22] [2016-04-21T16:02:41.484393] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:128:38] [2016-04-21T16:02:41.484403] Compiling d_mongodb sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:57:1] [2016-04-21T16:02:41.484413] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:57:24] [2016-04-21T16:02:41.484422] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:58:5] [2016-04-21T16:02:41.484434] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484445] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484456] Compiling f_emergency reference [filter] at [/etc/syslog-ng/syslog-ng.conf:133:22] [2016-04-21T16:02:41.484467] Compiling f_emergency sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:114:1] [2016-04-21T16:02:41.484476] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:114:22] [2016-04-21T16:02:41.484486] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:133:43] [2016-04-21T16:02:41.484497] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484506] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484517] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:152:22] [2016-04-21T16:02:41.484873] Seeking the journal to the last cursor position; cursor='s=9383cb3eb8ee41eda3468d9841333aef;i=131c;b=0f07653f04794e14beeeebb18131926b;m=214f74fdf;t=530ff299a3a8e;x=d0f0c56745dc963a' [2016-04-21T16:02:41.485562] Module loaded and initialized successfully; module='syslogformat' [2016-04-21T16:02:41.485834] Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' [2016-04-21T16:02:41.485874] Error initializing message pipeline;
On 04/21/2016 03:40 PM, Scot Needy wrote:
kill -9 2411
On Apr 21, 2016, at 7:58 AM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
2411
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
All of my conf files are included in scl.conf is scl.conf and @include "/etc/syslog-ng/conf.d/*.conf loading the same module twice ?
On Apr 21, 2016, at 1:58 PM, Ivan Adji - Krstev <akivanradix@gmail.com> wrote:
Hi yes i start to put the file but i have some other problems... anyway here it's the config file ( syslog-ng.conf )
@version:3.8 @include "scl.conf"
# syslog-ng configuration file. # # This should behave pretty much like the original syslog on RedHat. But # it could be configured a lot smarter. # # See syslog-ng(8) and syslog-ng.conf(5) for more information. # # Note: it also sources additional configuration files (*.conf) # located in /etc/syslog-ng/conf.d/
options { flush_lines (0); time_reopen (10); log_fifo_size (1000); # log_iw_size(100); log_fetch_limit(100); # chain_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); };
source s_sys { system(); #unix-stream("/dev/log"); internal(); network( port(6514) # tcp(port(5140)); # file("/proc/kmsg" log_prefix("kernel: ")); transport("tls") tls( key_file("/etc/syslog-ng/cert.d/serverkey.pem") cert_file("/etc/syslog-ng/cert.d/servercert.pem") ca_dir("/etc/syslog-ng/ca.d")) ); };
destination d_mongodb { mongodb( servers("localhost:27017") # database("syslog") uri('mongodb://localhost/syslog-ng') collection("messages") value-pairs( scope("selected-macros" "nv-pairs" "sdata") ) ); };
destination d_cons { file("/dev/console"); }; destination d_mesg { file("/var/log/messages"); }; destination d_auth { file("/var/log/secure"); }; destination d_mail { file("/var/log/maillog" flush_lines(10)); }; destination d_spol { file("/var/log/spooler"); }; destination d_boot { file("/var/log/boot.log"); }; destination d_cron { file("/var/log/cron"); }; destination d_kern { file("/var/log/kern"); }; destination d_mlal { usertty("*"); };
filter f_kernel { facility(kern); }; filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); }; filter f_auth { facility(authpriv); }; filter f_mail { facility(mail); }; filter f_emergency { level(emerg); }; filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); }; filter f_boot { facility(local7); }; filter f_cron { facility(cron); };
#log { source(s_sys); filter(f_kernel); destination(d_cons); }; log { source(s_sys); filter(f_kernel); destination(d_mongodb); }; log { source(s_sys); filter(f_default); destination(d_mongodb); }; log { source(s_sys); filter(f_auth); destination(d_mongodb); }; log { source(s_sys); filter(f_mail); destination(d_mongodb); }; log { source(s_sys); filter(f_emergency); destination(d_mongodb); }; log { source(s_sys); filter(f_news); destination(d_mongodb); }; log { source(s_sys); filter(f_boot); destination(d_mongodb); }; log { source(s_sys); filter(f_cron); destination(d_mongodb); };
log { source(s_sys); destination(d_mongodb); };
# Source additional configuration files (.conf extension only) @include "/etc/syslog-ng/conf.d/*.conf"
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
On 04/21/2016 06:12 PM, Scot Needy wrote:
Or the module does not die on stop and tries to start another.
On Apr 21, 2016, at 11:20 AM, Balazs Scheidler <bazsi77@gmail.com <mailto:bazsi77@gmail.com>> wrote:
maybe you have two sources binding on the same port?
On Thu, Apr 21, 2016 at 4:36 PM, Scot Needy < <mailto:scotrn@gmail.com>scotrn@gmail.com <mailto:scotrn@gmail.com>> wrote: I don’t see your conf files but I suspect it’s trying to load the tls module twice ?
On Apr 21, 2016, at 10:04 AM, Ivan Adji - Krstev < <mailto:akivanradix@gmail.com>akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
It is the same ... if i restart the syslog-ng after that ill get the same error. If i stop the syslog-ng that port is not used anymore ... Here is the output of the syslog-ng -Fevd
[2016-04-21T16:02:41.478174] WARNING: Starting with syslog-ng 3.6, the system() source performs JSON parsing of messages starting with the '@cim:' prefix. No additional action is needed; [2016-04-21T16:02:41.478635] Module loaded and initialized successfully; module='sdjournal' [2016-04-21T16:02:41.478776] Finishing include; content='source confgen system', depth='1' [2016-04-21T16:02:41.479601] Module loaded and initialized successfully; module='afsocket' [2016-04-21T16:02:41.481135] Module loaded and initialized successfully; module='afmongodb' [2016-04-21T16:02:41.481914] Module loaded and initialized successfully; module='affile' [2016-04-21T16:02:41.482779] Module loaded and initialized successfully; module='afuser' [2016-04-21T16:02:41.484211] Unable to detect fully qualified hostname for localhost, use_fqdn() will use the short hostname; [2016-04-21T16:02:41.484252] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484264] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484276] Compiling s_sys sequence [source] at [/etc/syslog-ng/syslog-ng.conf:29:1] [2016-04-21T16:02:41.484286] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:29:15] [2016-04-21T16:02:41.484295] Compiling #unnamed sequence [log] at [source confgen system:2:5] [2016-04-21T16:02:41.484304] Compiling #unnamed sequence [source] at [source confgen system:2:5] [2016-04-21T16:02:41.484314] Compiling #unnamed junction [log] at [source confgen system:2:13] [2016-04-21T16:02:41.484323] Compiling #unnamed single [log] at [source confgen system:3:1] [2016-04-21T16:02:41.484337] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:32:2] [2016-04-21T16:02:41.484347] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:33:2] [2016-04-21T16:02:41.484363] Compiling f_auth reference [filter] at [/etc/syslog-ng/syslog-ng.conf:128:22] [2016-04-21T16:02:41.484374] Compiling f_auth sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:112:1] [2016-04-21T16:02:41.484383] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:112:22] [2016-04-21T16:02:41.484393] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:128:38] [2016-04-21T16:02:41.484403] Compiling d_mongodb sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:57:1] [2016-04-21T16:02:41.484413] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:57:24] [2016-04-21T16:02:41.484422] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:58:5] [2016-04-21T16:02:41.484434] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484445] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484456] Compiling f_emergency reference [filter] at [/etc/syslog-ng/syslog-ng.conf:133:22] [2016-04-21T16:02:41.484467] Compiling f_emergency sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:114:1] [2016-04-21T16:02:41.484476] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:114:22] [2016-04-21T16:02:41.484486] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:133:43] [2016-04-21T16:02:41.484497] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484506] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484517] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:152:22] [2016-04-21T16:02:41.484873] Seeking the journal to the last cursor position; cursor='s=9383cb3eb8ee41eda3468d9841333aef;i=131c;b=0f07653f04794e14beeeebb18131926b;m=214f74fdf;t=530ff299a3a8e;x=d0f0c56745dc963a' [2016-04-21T16:02:41.485562] Module loaded and initialized successfully; module='syslogformat' [2016-04-21T16:02:41.485834] Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' [2016-04-21T16:02:41.485874] Error initializing message pipeline;
On 04/21/2016 03:40 PM, Scot Needy wrote:
kill -9 2411
On Apr 21, 2016, at 7:58 AM, Ivan Adji - Krstev < <mailto:akivanradix@gmail.com>akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
2411
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: <http://www.balabit.com/support/documentation/?product=syslog-ng>http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
-- Bazsi ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
in scl.conf file there is nothing except this line *@include 'scl/*/*.conf'* So i don't think so.? I get your point that tls on port 6514 may be used twice but can't find anything like that ... it is the same config file that i have used before removing the old version and putting the new one. From 3.5 to 3.8. On 04/21/2016 08:58 PM, Scot Needy wrote:
All of my conf files are included in scl.conf is scl.conf and @include "/etc/syslog-ng/conf.d/*.conf loading the same module twice ?
On Apr 21, 2016, at 1:58 PM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
Hi yes i start to put the file but i have some other problems... anyway here it's the config file ( syslog-ng.conf )
@version:3.8 @include "scl.conf"
# syslog-ng configuration file. # # This should behave pretty much like the original syslog on RedHat. But # it could be configured a lot smarter. # # See syslog-ng(8) and syslog-ng.conf(5) for more information. # # Note: it also sources additional configuration files (*.conf) # located in /etc/syslog-ng/conf.d/
options { flush_lines (0); time_reopen (10); log_fifo_size (1000); # log_iw_size(100); log_fetch_limit(100); # chain_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); };
source s_sys { system(); #unix-stream("/dev/log"); internal(); network( port(6514) # tcp(port(5140)); # file("/proc/kmsg" log_prefix("kernel: ")); transport("tls") tls( key_file("/etc/syslog-ng/cert.d/serverkey.pem") cert_file("/etc/syslog-ng/cert.d/servercert.pem") ca_dir("/etc/syslog-ng/ca.d")) ); };
destination d_mongodb { mongodb( servers("localhost:27017") # database("syslog") uri('mongodb://localhost/syslog-ng' <mongodb://localhost/syslog-ng%27>) collection("messages") value-pairs( scope("selected-macros" "nv-pairs" "sdata") ) ); };
destination d_cons { file("/dev/console"); }; destination d_mesg { file("/var/log/messages"); }; destination d_auth { file("/var/log/secure"); }; destination d_mail { file("/var/log/maillog" flush_lines(10)); }; destination d_spol { file("/var/log/spooler"); }; destination d_boot { file("/var/log/boot.log"); }; destination d_cron { file("/var/log/cron"); }; destination d_kern { file("/var/log/kern"); }; destination d_mlal { usertty("*"); };
filter f_kernel { facility(kern); }; filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); }; filter f_auth { facility(authpriv); }; filter f_mail { facility(mail); }; filter f_emergency { level(emerg); }; filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); }; filter f_boot { facility(local7); }; filter f_cron { facility(cron); };
#log { source(s_sys); filter(f_kernel); destination(d_cons); }; log { source(s_sys); filter(f_kernel); destination(d_mongodb); }; log { source(s_sys); filter(f_default); destination(d_mongodb); }; log { source(s_sys); filter(f_auth); destination(d_mongodb); }; log { source(s_sys); filter(f_mail); destination(d_mongodb); }; log { source(s_sys); filter(f_emergency); destination(d_mongodb); }; log { source(s_sys); filter(f_news); destination(d_mongodb); }; log { source(s_sys); filter(f_boot); destination(d_mongodb); }; log { source(s_sys); filter(f_cron); destination(d_mongodb); };
log { source(s_sys); destination(d_mongodb); };
# Source additional configuration files (.conf extension only) @include "/etc/syslog-ng/conf.d/*.conf"
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
On 04/21/2016 06:12 PM, Scot Needy wrote:
Or the module does not die on stop and tries to start another.
On Apr 21, 2016, at 11:20 AM, Balazs Scheidler <bazsi77@gmail.com <mailto:bazsi77@gmail.com>> wrote:
maybe you have two sources binding on the same port?
On Thu, Apr 21, 2016 at 4:36 PM, Scot Needy <scotrn@gmail.com> wrote:
I don’t see your conf files but I suspect it’s trying to load the tls module twice ?
On Apr 21, 2016, at 10:04 AM, Ivan Adji - Krstev <akivanradix@gmail.com> wrote:
It is the same ... if i restart the syslog-ng after that ill get the same error. If i stop the syslog-ng that port is not used anymore ... Here is the output of the *syslog-ng -Fevd*
[2016-04-21T16:02:41.478174] WARNING: Starting with syslog-ng 3.6, the system() source performs JSON parsing of messages starting with the '@cim:' prefix. No additional action is needed; [2016-04-21T16:02:41.478635] Module loaded and initialized successfully; module='sdjournal' [2016-04-21T16:02:41.478776] Finishing include; content='source confgen system', depth='1' [2016-04-21T16:02:41.479601] Module loaded and initialized successfully; module='afsocket' [2016-04-21T16:02:41.481135] Module loaded and initialized successfully; module='afmongodb' [2016-04-21T16:02:41.481914] Module loaded and initialized successfully; module='affile' [2016-04-21T16:02:41.482779] Module loaded and initialized successfully; module='afuser' [2016-04-21T16:02:41.484211] Unable to detect fully qualified hostname for localhost, use_fqdn() will use the short hostname; [2016-04-21T16:02:41.484252] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484264] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484276] Compiling s_sys sequence [source] at [/etc/syslog-ng/syslog-ng.conf:29:1] [2016-04-21T16:02:41.484286] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:29:15] [2016-04-21T16:02:41.484295] Compiling #unnamed sequence [log] at [source confgen system:2:5] [2016-04-21T16:02:41.484304] Compiling #unnamed sequence [source] at [source confgen system:2:5] [2016-04-21T16:02:41.484314] Compiling #unnamed junction [log] at [source confgen system:2:13] [2016-04-21T16:02:41.484323] Compiling #unnamed single [log] at [source confgen system:3:1] [2016-04-21T16:02:41.484337] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:32:2] [2016-04-21T16:02:41.484347] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:33:2] [2016-04-21T16:02:41.484363] Compiling f_auth reference [filter] at [/etc/syslog-ng/syslog-ng.conf:128:22] [2016-04-21T16:02:41.484374] Compiling f_auth sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:112:1] [2016-04-21T16:02:41.484383] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:112:22] [2016-04-21T16:02:41.484393] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:128:38] [2016-04-21T16:02:41.484403] Compiling d_mongodb sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:57:1] [2016-04-21T16:02:41.484413] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:57:24] [2016-04-21T16:02:41.484422] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:58:5] [2016-04-21T16:02:41.484434] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484445] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484456] Compiling f_emergency reference [filter] at [/etc/syslog-ng/syslog-ng.conf:133:22] [2016-04-21T16:02:41.484467] Compiling f_emergency sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:114:1] [2016-04-21T16:02:41.484476] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:114:22] [2016-04-21T16:02:41.484486] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:133:43] [2016-04-21T16:02:41.484497] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484506] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484517] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:152:22] [2016-04-21T16:02:41.484873] Seeking the journal to the last cursor position; cursor='s=9383cb3eb8ee41eda3468d9841333aef;i=131c;b=0f07653f04794e14beeeebb18131926b;m=214f74fdf;t=530ff299a3a8e;x=d0f0c56745dc963a' [2016-04-21T16:02:41.485562] Module loaded and initialized successfully; module='syslogformat' [2016-04-21T16:02:41.485834] Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' [2016-04-21T16:02:41.485874] Error initializing message pipeline;
On 04/21/2016 03:40 PM, Scot Needy wrote:
kill -9 2411
> On Apr 21, 2016, at 7:58 AM, Ivan Adji - Krstev > <akivanradix@gmail.com> wrote: > > 2411
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Also i have change the port and again the same problem/error i have. Is this some kind of bug in this new version as i can see there is not much downloads
in scl.conf file there is nothing except this line *@include 'scl/*/*.conf'* So i don't think so.? I get your point that tls on port 6514 may be used twice but can't find anything like that ... it is the same config file that i have used before removing the old version and putting the new one. From 3.5 to 3.8.
On 04/21/2016 08:58 PM, Scot Needy wrote:
All of my conf files are included in scl.conf is scl.conf and @include "/etc/syslog-ng/conf.d/*.conf loading the same module twice ?
On Apr 21, 2016, at 1:58 PM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
Hi yes i start to put the file but i have some other problems... anyway here it's the config file ( syslog-ng.conf )
@version:3.8 @include "scl.conf"
# syslog-ng configuration file. # # This should behave pretty much like the original syslog on RedHat. But # it could be configured a lot smarter. # # See syslog-ng(8) and syslog-ng.conf(5) for more information. # # Note: it also sources additional configuration files (*.conf) # located in /etc/syslog-ng/conf.d/
options { flush_lines (0); time_reopen (10); log_fifo_size (1000); # log_iw_size(100); log_fetch_limit(100); # chain_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); };
source s_sys { system(); #unix-stream("/dev/log"); internal(); network( port(6514) # tcp(port(5140)); # file("/proc/kmsg" log_prefix("kernel: ")); transport("tls") tls( key_file("/etc/syslog-ng/cert.d/serverkey.pem") cert_file("/etc/syslog-ng/cert.d/servercert.pem") ca_dir("/etc/syslog-ng/ca.d")) ); };
destination d_mongodb { mongodb( servers("localhost:27017") # database("syslog") uri('mongodb://localhost/syslog-ng' <mongodb://localhost/syslog-ng%27>) collection("messages") value-pairs( scope("selected-macros" "nv-pairs" "sdata") ) ); };
destination d_cons { file("/dev/console"); }; destination d_mesg { file("/var/log/messages"); }; destination d_auth { file("/var/log/secure"); }; destination d_mail { file("/var/log/maillog" flush_lines(10)); }; destination d_spol { file("/var/log/spooler"); }; destination d_boot { file("/var/log/boot.log"); }; destination d_cron { file("/var/log/cron"); }; destination d_kern { file("/var/log/kern"); }; destination d_mlal { usertty("*"); };
filter f_kernel { facility(kern); }; filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); }; filter f_auth { facility(authpriv); }; filter f_mail { facility(mail); }; filter f_emergency { level(emerg); }; filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); }; filter f_boot { facility(local7); }; filter f_cron { facility(cron); };
#log { source(s_sys); filter(f_kernel); destination(d_cons); }; log { source(s_sys); filter(f_kernel); destination(d_mongodb); }; log { source(s_sys); filter(f_default); destination(d_mongodb); }; log { source(s_sys); filter(f_auth); destination(d_mongodb); }; log { source(s_sys); filter(f_mail); destination(d_mongodb); }; log { source(s_sys); filter(f_emergency); destination(d_mongodb); }; log { source(s_sys); filter(f_news); destination(d_mongodb); }; log { source(s_sys); filter(f_boot); destination(d_mongodb); }; log { source(s_sys); filter(f_cron); destination(d_mongodb); };
log { source(s_sys); destination(d_mongodb); };
# Source additional configuration files (.conf extension only) @include "/etc/syslog-ng/conf.d/*.conf"
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
On 04/21/2016 06:12 PM, Scot Needy wrote:
Or the module does not die on stop and tries to start another.
On Apr 21, 2016, at 11:20 AM, Balazs Scheidler <bazsi77@gmail.com <mailto:bazsi77@gmail.com>> wrote:
maybe you have two sources binding on the same port?
On Thu, Apr 21, 2016 at 4:36 PM, Scot Needy <scotrn@gmail.com> wrote:
I don’t see your conf files but I suspect it’s trying to load the tls module twice ?
On Apr 21, 2016, at 10:04 AM, Ivan Adji - Krstev <akivanradix@gmail.com> wrote:
It is the same ... if i restart the syslog-ng after that ill get the same error. If i stop the syslog-ng that port is not used anymore ... Here is the output of the *syslog-ng -Fevd*
[2016-04-21T16:02:41.478174] WARNING: Starting with syslog-ng 3.6, the system() source performs JSON parsing of messages starting with the '@cim:' prefix. No additional action is needed; [2016-04-21T16:02:41.478635] Module loaded and initialized successfully; module='sdjournal' [2016-04-21T16:02:41.478776] Finishing include; content='source confgen system', depth='1' [2016-04-21T16:02:41.479601] Module loaded and initialized successfully; module='afsocket' [2016-04-21T16:02:41.481135] Module loaded and initialized successfully; module='afmongodb' [2016-04-21T16:02:41.481914] Module loaded and initialized successfully; module='affile' [2016-04-21T16:02:41.482779] Module loaded and initialized successfully; module='afuser' [2016-04-21T16:02:41.484211] Unable to detect fully qualified hostname for localhost, use_fqdn() will use the short hostname; [2016-04-21T16:02:41.484252] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484264] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484276] Compiling s_sys sequence [source] at [/etc/syslog-ng/syslog-ng.conf:29:1] [2016-04-21T16:02:41.484286] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:29:15] [2016-04-21T16:02:41.484295] Compiling #unnamed sequence [log] at [source confgen system:2:5] [2016-04-21T16:02:41.484304] Compiling #unnamed sequence [source] at [source confgen system:2:5] [2016-04-21T16:02:41.484314] Compiling #unnamed junction [log] at [source confgen system:2:13] [2016-04-21T16:02:41.484323] Compiling #unnamed single [log] at [source confgen system:3:1] [2016-04-21T16:02:41.484337] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:32:2] [2016-04-21T16:02:41.484347] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:33:2] [2016-04-21T16:02:41.484363] Compiling f_auth reference [filter] at [/etc/syslog-ng/syslog-ng.conf:128:22] [2016-04-21T16:02:41.484374] Compiling f_auth sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:112:1] [2016-04-21T16:02:41.484383] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:112:22] [2016-04-21T16:02:41.484393] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:128:38] [2016-04-21T16:02:41.484403] Compiling d_mongodb sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:57:1] [2016-04-21T16:02:41.484413] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:57:24] [2016-04-21T16:02:41.484422] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:58:5] [2016-04-21T16:02:41.484434] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484445] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484456] Compiling f_emergency reference [filter] at [/etc/syslog-ng/syslog-ng.conf:133:22] [2016-04-21T16:02:41.484467] Compiling f_emergency sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:114:1] [2016-04-21T16:02:41.484476] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:114:22] [2016-04-21T16:02:41.484486] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:133:43] [2016-04-21T16:02:41.484497] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484506] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484517] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:152:22] [2016-04-21T16:02:41.484873] Seeking the journal to the last cursor position; cursor='s=9383cb3eb8ee41eda3468d9841333aef;i=131c;b=0f07653f04794e14beeeebb18131926b;m=214f74fdf;t=530ff299a3a8e;x=d0f0c56745dc963a' [2016-04-21T16:02:41.485562] Module loaded and initialized successfully; module='syslogformat' [2016-04-21T16:02:41.485834] Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' [2016-04-21T16:02:41.485874] Error initializing message pipeline;
On 04/21/2016 03:40 PM, Scot Needy wrote: > kill -9 2411 > >> On Apr 21, 2016, at 7:58 AM, Ivan Adji - Krstev >> <akivanradix@gmail.com> wrote: >> >> 2411 > > > > ______________________________________________________________________________ > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng > FAQ: http://www.balabit.com/wiki/syslog-ng-faq >
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
And is like creating two sockets ... when i do lsof i have the following output lsof | grep LISTEN syslog-ng 14265 root 12u IPv4 315900 0t0 TCP *:syslog-tls (LISTEN) syslog-ng 14265 14266 root 12u IPv4 315900 0t0 TCP *:syslog-tls (LISTEN) and when i do netstat -antp | grep 6514 tcp 0 0 0.0.0.0:6514 0.0.0.0:* LISTEN 14265/syslog-ng so they have the same pid. Also when i stop syslog-ng there is nothing. Thanks ! On 04/22/2016 11:50 AM, Ivan Adji - Krstev wrote:
Also i have change the port and again the same problem/error i have. Is this some kind of bug in this new version as i can see there is not much downloads
in scl.conf file there is nothing except this line *@include 'scl/*/*.conf'* So i don't think so.? I get your point that tls on port 6514 may be used twice but can't find anything like that ... it is the same config file that i have used before removing the old version and putting the new one. From 3.5 to 3.8.
On 04/21/2016 08:58 PM, Scot Needy wrote:
All of my conf files are included in scl.conf is scl.conf and @include "/etc/syslog-ng/conf.d/*.conf loading the same module twice ?
On Apr 21, 2016, at 1:58 PM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
Hi yes i start to put the file but i have some other problems... anyway here it's the config file ( syslog-ng.conf )
@version:3.8 @include "scl.conf"
# syslog-ng configuration file. # # This should behave pretty much like the original syslog on RedHat. But # it could be configured a lot smarter. # # See syslog-ng(8) and syslog-ng.conf(5) for more information. # # Note: it also sources additional configuration files (*.conf) # located in /etc/syslog-ng/conf.d/
options { flush_lines (0); time_reopen (10); log_fifo_size (1000); # log_iw_size(100); log_fetch_limit(100); # chain_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); };
source s_sys { system(); #unix-stream("/dev/log"); internal(); network( port(6514) # tcp(port(5140)); # file("/proc/kmsg" log_prefix("kernel: ")); transport("tls") tls( key_file("/etc/syslog-ng/cert.d/serverkey.pem") cert_file("/etc/syslog-ng/cert.d/servercert.pem") ca_dir("/etc/syslog-ng/ca.d")) ); };
destination d_mongodb { mongodb( servers("localhost:27017") # database("syslog") uri('mongodb://localhost/syslog-ng' <mongodb://localhost/syslog-ng%27>) collection("messages") value-pairs( scope("selected-macros" "nv-pairs" "sdata") ) ); };
destination d_cons { file("/dev/console"); }; destination d_mesg { file("/var/log/messages"); }; destination d_auth { file("/var/log/secure"); }; destination d_mail { file("/var/log/maillog" flush_lines(10)); }; destination d_spol { file("/var/log/spooler"); }; destination d_boot { file("/var/log/boot.log"); }; destination d_cron { file("/var/log/cron"); }; destination d_kern { file("/var/log/kern"); }; destination d_mlal { usertty("*"); };
filter f_kernel { facility(kern); }; filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); }; filter f_auth { facility(authpriv); }; filter f_mail { facility(mail); }; filter f_emergency { level(emerg); }; filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); }; filter f_boot { facility(local7); }; filter f_cron { facility(cron); };
#log { source(s_sys); filter(f_kernel); destination(d_cons); }; log { source(s_sys); filter(f_kernel); destination(d_mongodb); }; log { source(s_sys); filter(f_default); destination(d_mongodb); }; log { source(s_sys); filter(f_auth); destination(d_mongodb); }; log { source(s_sys); filter(f_mail); destination(d_mongodb); }; log { source(s_sys); filter(f_emergency); destination(d_mongodb); }; log { source(s_sys); filter(f_news); destination(d_mongodb); }; log { source(s_sys); filter(f_boot); destination(d_mongodb); }; log { source(s_sys); filter(f_cron); destination(d_mongodb); };
log { source(s_sys); destination(d_mongodb); };
# Source additional configuration files (.conf extension only) @include "/etc/syslog-ng/conf.d/*.conf"
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
On 04/21/2016 06:12 PM, Scot Needy wrote:
Or the module does not die on stop and tries to start another.
On Apr 21, 2016, at 11:20 AM, Balazs Scheidler <bazsi77@gmail.com> wrote:
maybe you have two sources binding on the same port?
On Thu, Apr 21, 2016 at 4:36 PM, Scot Needy <scotrn@gmail.com> wrote:
I don’t see your conf files but I suspect it’s trying to load the tls module twice ?
> On Apr 21, 2016, at 10:04 AM, Ivan Adji - Krstev > <akivanradix@gmail.com> wrote: > > It is the same ... if i restart the syslog-ng after that ill > get the same error. If i stop the syslog-ng that port is not > used anymore ... > Here is the output of the *syslog-ng -Fevd* > > [2016-04-21T16:02:41.478174] WARNING: Starting with > syslog-ng 3.6, the system() source performs JSON parsing of > messages starting with the '@cim:' prefix. No additional > action is needed; > [2016-04-21T16:02:41.478635] Module loaded and initialized > successfully; module='sdjournal' > [2016-04-21T16:02:41.478776] Finishing include; > content='source confgen system', depth='1' > [2016-04-21T16:02:41.479601] Module loaded and initialized > successfully; module='afsocket' > [2016-04-21T16:02:41.481135] Module loaded and initialized > successfully; module='afmongodb' > [2016-04-21T16:02:41.481914] Module loaded and initialized > successfully; module='affile' > [2016-04-21T16:02:41.482779] Module loaded and initialized > successfully; module='afuser' > [2016-04-21T16:02:41.484211] Unable to detect fully > qualified hostname for localhost, use_fqdn() will use the > short hostname; > [2016-04-21T16:02:41.484252] Compiling #unnamed sequence > [log] at [/etc/syslog-ng/syslog-ng.conf:128:7] > [2016-04-21T16:02:41.484264] Compiling s_sys reference > [source] at [/etc/syslog-ng/syslog-ng.conf:128:7] > [2016-04-21T16:02:41.484276] Compiling s_sys sequence > [source] at [/etc/syslog-ng/syslog-ng.conf:29:1] > [2016-04-21T16:02:41.484286] Compiling #unnamed > junction [log] at [/etc/syslog-ng/syslog-ng.conf:29:15] > [2016-04-21T16:02:41.484295] Compiling #unnamed > sequence [log] at [source confgen system:2:5] > [2016-04-21T16:02:41.484304] Compiling #unnamed > sequence [source] at [source confgen system:2:5] > [2016-04-21T16:02:41.484314] Compiling #unnamed > junction [log] at [source confgen system:2:13] > [2016-04-21T16:02:41.484323] Compiling > #unnamed single [log] at [source confgen system:3:1] > [2016-04-21T16:02:41.484337] Compiling #unnamed > single [log] at [/etc/syslog-ng/syslog-ng.conf:32:2] > [2016-04-21T16:02:41.484347] Compiling #unnamed > single [log] at [/etc/syslog-ng/syslog-ng.conf:33:2] > [2016-04-21T16:02:41.484363] Compiling f_auth reference > [filter] at [/etc/syslog-ng/syslog-ng.conf:128:22] > [2016-04-21T16:02:41.484374] Compiling f_auth sequence > [filter] at [/etc/syslog-ng/syslog-ng.conf:112:1] > [2016-04-21T16:02:41.484383] Compiling #unnamed single > [log] at [/etc/syslog-ng/syslog-ng.conf:112:22] > [2016-04-21T16:02:41.484393] Compiling d_mongodb reference > [destination] at [/etc/syslog-ng/syslog-ng.conf:128:38] > [2016-04-21T16:02:41.484403] Compiling d_mongodb > sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:57:1] > [2016-04-21T16:02:41.484413] Compiling #unnamed > junction [log] at [/etc/syslog-ng/syslog-ng.conf:57:24] > [2016-04-21T16:02:41.484422] Compiling #unnamed > single [log] at [/etc/syslog-ng/syslog-ng.conf:58:5] > [2016-04-21T16:02:41.484434] Compiling #unnamed sequence > [log] at [/etc/syslog-ng/syslog-ng.conf:133:7] > [2016-04-21T16:02:41.484445] Compiling s_sys reference > [source] at [/etc/syslog-ng/syslog-ng.conf:133:7] > [2016-04-21T16:02:41.484456] Compiling f_emergency > reference [filter] at [/etc/syslog-ng/syslog-ng.conf:133:22] > [2016-04-21T16:02:41.484467] Compiling f_emergency > sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:114:1] > [2016-04-21T16:02:41.484476] Compiling #unnamed single > [log] at [/etc/syslog-ng/syslog-ng.conf:114:22] > [2016-04-21T16:02:41.484486] Compiling d_mongodb reference > [destination] at [/etc/syslog-ng/syslog-ng.conf:133:43] > [2016-04-21T16:02:41.484497] Compiling #unnamed sequence > [log] at [/etc/syslog-ng/syslog-ng.conf:152:7] > [2016-04-21T16:02:41.484506] Compiling s_sys reference > [source] at [/etc/syslog-ng/syslog-ng.conf:152:7] > [2016-04-21T16:02:41.484517] Compiling d_mongodb reference > [destination] at [/etc/syslog-ng/syslog-ng.conf:152:22] > [2016-04-21T16:02:41.484873] Seeking the journal to the last > cursor position; > cursor='s=9383cb3eb8ee41eda3468d9841333aef;i=131c;b=0f07653f04794e14beeeebb18131926b;m=214f74fdf;t=530ff299a3a8e;x=d0f0c56745dc963a' > [2016-04-21T16:02:41.485562] Module loaded and initialized > successfully; module='syslogformat' > [2016-04-21T16:02:41.485834] Error binding socket; > addr='AF_INET(0.0.0.0:6514)', error='Address already in use > (98)' > [2016-04-21T16:02:41.485874] Error initializing message > pipeline; > > > On 04/21/2016 03:40 PM, Scot Needy wrote: >> kill -9 2411 >> >>> On Apr 21, 2016, at 7:58 AM, Ivan Adji - Krstev >>> <akivanradix@gmail.com> wrote: >>> >>> 2411 >> >> >> >> ______________________________________________________________________________ >> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng >> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng >> FAQ: http://www.balabit.com/wiki/syslog-ng-faq >> > > ______________________________________________________________________________ > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng > Documentation: > http://www.balabit.com/support/documentation/?product=syslog-ng > FAQ: http://www.balabit.com/wiki/syslog-ng-faq >
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
As a test try to load a minimal conf with no includes and add them manually using a full path. I had to do that to troubleshoot java module.
On Apr 21, 2016, at 6:39 PM, Ivan Adji - Krstev <akivanradix@gmail.com> wrote:
in scl.conf file there is nothing except this line @include 'scl/*/*.conf' So i don't think so.? I get your point that tls on port 6514 may be used twice but can't find anything like that ... it is the same config file that i have used before removing the old version and putting the new one. From 3.5 to 3.8.
On 04/21/2016 08:58 PM, Scot Needy wrote:
All of my conf files are included in scl.conf is scl.conf and @include "/etc/syslog-ng/conf.d/*.conf loading the same module twice ?
On Apr 21, 2016, at 1:58 PM, Ivan Adji - Krstev <akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
Hi yes i start to put the file but i have some other problems... anyway here it's the config file ( syslog-ng.conf )
@version:3.8 @include "scl.conf"
# syslog-ng configuration file. # # This should behave pretty much like the original syslog on RedHat. But # it could be configured a lot smarter. # # See syslog-ng(8) and syslog-ng.conf(5) for more information. # # Note: it also sources additional configuration files (*.conf) # located in /etc/syslog-ng/conf.d/
options { flush_lines (0); time_reopen (10); log_fifo_size (1000); # log_iw_size(100); log_fetch_limit(100); # chain_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); };
source s_sys { system(); #unix-stream("/dev/log"); internal(); network( port(6514) # tcp(port(5140)); # file("/proc/kmsg" log_prefix("kernel: ")); transport("tls") tls( key_file("/etc/syslog-ng/cert.d/serverkey.pem") cert_file("/etc/syslog-ng/cert.d/servercert.pem") ca_dir("/etc/syslog-ng/ca.d")) ); };
destination d_mongodb { mongodb( servers("localhost:27017") # database("syslog") uri('mongodb://localhost/syslog-ng' <mongodb://localhost/syslog-ng%27>) collection("messages") value-pairs( scope("selected-macros" "nv-pairs" "sdata") ) ); };
destination d_cons { file("/dev/console"); }; destination d_mesg { file("/var/log/messages"); }; destination d_auth { file("/var/log/secure"); }; destination d_mail { file("/var/log/maillog" flush_lines(10)); }; destination d_spol { file("/var/log/spooler"); }; destination d_boot { file("/var/log/boot.log"); }; destination d_cron { file("/var/log/cron"); }; destination d_kern { file("/var/log/kern"); }; destination d_mlal { usertty("*"); };
filter f_kernel { facility(kern); }; filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); }; filter f_auth { facility(authpriv); }; filter f_mail { facility(mail); }; filter f_emergency { level(emerg); }; filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); }; filter f_boot { facility(local7); }; filter f_cron { facility(cron); };
#log { source(s_sys); filter(f_kernel); destination(d_cons); }; log { source(s_sys); filter(f_kernel); destination(d_mongodb); }; log { source(s_sys); filter(f_default); destination(d_mongodb); }; log { source(s_sys); filter(f_auth); destination(d_mongodb); }; log { source(s_sys); filter(f_mail); destination(d_mongodb); }; log { source(s_sys); filter(f_emergency); destination(d_mongodb); }; log { source(s_sys); filter(f_news); destination(d_mongodb); }; log { source(s_sys); filter(f_boot); destination(d_mongodb); }; log { source(s_sys); filter(f_cron); destination(d_mongodb); };
log { source(s_sys); destination(d_mongodb); };
# Source additional configuration files (.conf extension only) @include "/etc/syslog-ng/conf.d/*.conf"
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
On 04/21/2016 06:12 PM, Scot Needy wrote:
Or the module does not die on stop and tries to start another.
On Apr 21, 2016, at 11:20 AM, Balazs Scheidler <bazsi77@gmail.com <mailto:bazsi77@gmail.com>> wrote:
maybe you have two sources binding on the same port?
On Thu, Apr 21, 2016 at 4:36 PM, Scot Needy < <mailto:scotrn@gmail.com>scotrn@gmail.com <mailto:scotrn@gmail.com>> wrote: I don’t see your conf files but I suspect it’s trying to load the tls module twice ?
On Apr 21, 2016, at 10:04 AM, Ivan Adji - Krstev < <mailto:akivanradix@gmail.com>akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote:
It is the same ... if i restart the syslog-ng after that ill get the same error. If i stop the syslog-ng that port is not used anymore ... Here is the output of the syslog-ng -Fevd
[2016-04-21T16:02:41.478174] WARNING: Starting with syslog-ng 3.6, the system() source performs JSON parsing of messages starting with the '@cim:' prefix. No additional action is needed; [2016-04-21T16:02:41.478635] Module loaded and initialized successfully; module='sdjournal' [2016-04-21T16:02:41.478776] Finishing include; content='source confgen system', depth='1' [2016-04-21T16:02:41.479601] Module loaded and initialized successfully; module='afsocket' [2016-04-21T16:02:41.481135] Module loaded and initialized successfully; module='afmongodb' [2016-04-21T16:02:41.481914] Module loaded and initialized successfully; module='affile' [2016-04-21T16:02:41.482779] Module loaded and initialized successfully; module='afuser' [2016-04-21T16:02:41.484211] Unable to detect fully qualified hostname for localhost, use_fqdn() will use the short hostname; [2016-04-21T16:02:41.484252] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484264] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:128:7] [2016-04-21T16:02:41.484276] Compiling s_sys sequence [source] at [/etc/syslog-ng/syslog-ng.conf:29:1] [2016-04-21T16:02:41.484286] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:29:15] [2016-04-21T16:02:41.484295] Compiling #unnamed sequence [log] at [source confgen system:2:5] [2016-04-21T16:02:41.484304] Compiling #unnamed sequence [source] at [source confgen system:2:5] [2016-04-21T16:02:41.484314] Compiling #unnamed junction [log] at [source confgen system:2:13] [2016-04-21T16:02:41.484323] Compiling #unnamed single [log] at [source confgen system:3:1] [2016-04-21T16:02:41.484337] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:32:2] [2016-04-21T16:02:41.484347] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:33:2] [2016-04-21T16:02:41.484363] Compiling f_auth reference [filter] at [/etc/syslog-ng/syslog-ng.conf:128:22] [2016-04-21T16:02:41.484374] Compiling f_auth sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:112:1] [2016-04-21T16:02:41.484383] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:112:22] [2016-04-21T16:02:41.484393] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:128:38] [2016-04-21T16:02:41.484403] Compiling d_mongodb sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:57:1] [2016-04-21T16:02:41.484413] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:57:24] [2016-04-21T16:02:41.484422] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:58:5] [2016-04-21T16:02:41.484434] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484445] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:133:7] [2016-04-21T16:02:41.484456] Compiling f_emergency reference [filter] at [/etc/syslog-ng/syslog-ng.conf:133:22] [2016-04-21T16:02:41.484467] Compiling f_emergency sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:114:1] [2016-04-21T16:02:41.484476] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:114:22] [2016-04-21T16:02:41.484486] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:133:43] [2016-04-21T16:02:41.484497] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484506] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:152:7] [2016-04-21T16:02:41.484517] Compiling d_mongodb reference [destination] at [/etc/syslog-ng/syslog-ng.conf:152:22] [2016-04-21T16:02:41.484873] Seeking the journal to the last cursor position; cursor='s=9383cb3eb8ee41eda3468d9841333aef;i=131c;b=0f07653f04794e14beeeebb18131926b;m=214f74fdf;t=530ff299a3a8e;x=d0f0c56745dc963a' [2016-04-21T16:02:41.485562] Module loaded and initialized successfully; module='syslogformat' [2016-04-21T16:02:41.485834] Error binding socket; addr='AF_INET(0.0.0.0:6514)', error='Address already in use (98)' [2016-04-21T16:02:41.485874] Error initializing message pipeline;
On 04/21/2016 03:40 PM, Scot Needy wrote: > kill -9 2411 > >> On Apr 21, 2016, at 7:58 AM, Ivan Adji - Krstev < <mailto:akivanradix@gmail.com>akivanradix@gmail.com <mailto:akivanradix@gmail.com>> wrote: >> >> 2411 > > > > ______________________________________________________________________________ > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq> >
______________________________________________________________________________ Member info: <https://lists.balabit.hu/mailman/listinfo/syslog-ng>https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: <http://www.balabit.com/support/documentation/?product=syslog-ng>http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: <http://www.balabit.com/wiki/syslog-ng-faq>http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: <http://www.balabit.com/support/documentation/?product=syslog-ng>http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
-- Bazsi ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://lists.balabit.hu/mailman/listinfo/syslog-ng> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <http://www.balabit.com/support/documentation/?product=syslog-ng> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <http://www.balabit.com/wiki/syslog-ng-faq>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
participants (5)
-
Balazs Scheidler
-
Ivan Adji - Krstev
-
Nirmoy Das
-
Scheidler, Balázs
-
Scot Needy