Trouble with logging to mysql
Hi there,

I'm trying to let syslog-ng log to a mysql database, which is somehow not working (anymore). All my network traffic is supposed to be written into a separate logfile as well as into a mysql database. I followed the HowTo on http://gentoo-wiki.com/HOWTO_setup_PHP-Syslog-NG#Syslog-ng_INIT_Script, and altered the configuration to fit my needs. Here it comes:

############################################
source net { udp(ip("0.0.0.0") port(514)); };

destination d_mysql {
    program("/usr/bin/mysql --reconnect -f -T --user=syslogfeeder --password=PASSWORD syslog >> /var/log/db_log.log 2>&1"
        template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n")
        template-escape(yes));
};

destination netmessages { file("/var/log/net.log"); };

log { source(net); destination(netmessages); };
log { source(net); destination(d_mysql); };
##############################################

Thing is, logging to the file works nicely. Logging to the database worked up to some date, but since a while (and no one knows exactly since when, because nobody had a look at the database for some time) it doesn't. This might be connected with a system update. I can provide you with information on the versions (the OS is SLES 10.0, all packages come from the standard source; no self-compiled packages installed) of syslog and mysql as soon as I have access to the customer's machine again.

I'm looking for a sensible way to debug syslog. Running syslog-ng in the foreground didn't help, I can't see any messages related to logging to mysql. It seems that the destination is never touched. Isn't it possible to log one source to two destinations (anymore)? (I think I commented out logging to netmessages, but it still didn't work.)

Any comments and hints will be helpful. Even RTFM if you point me to a comprehensible one.
:-)

TNX,
Andreas

--
CONET Solutions GmbH
Andreas Stallmann, Senior Berater
Theodor-Heuss-Allee 19, 53773 Hennef
Tel.: +49 2242-939-677, Fax: +49 2242-939-393
Internet: http://www.conet.de, mailto: astallmann@conet.de
-----------------------------------
CONET Solutions GmbH, Theodor-Heuss-Allee 19, 53773 Hennef
Registergericht/Registration Court: Amtsgericht Siegburg (HRB Nr. 9136)
Geschäftsführer/Managing Directors: Dipl.-Inform. Rüdiger Zeyen (Sprecher/Chairman), Dipl.-Betriebsw. Wilfried Pütz und Dipl.-Inform. Jürgen Zender
Vorsitzender des Aufsichtsrates/Chairman of the Supervisory Board: Dipl.-Math. Hans-Jürgen Niemeier
On Fri, 2008-09-05 at 15:12 +0200, Stallmann, Andreas wrote:
> Hi there,
> I'm trying to let syslog-ng log to a mysql database, which is somehow not working (anymore).
> All my network traffic is supposed to be written into a separate logfile as well as into a mysql database. I followed the HowTo on http://gentoo-wiki.com/HOWTO_setup_PHP-Syslog-NG#Syslog-ng_INIT_Script, and altered the configuration to fit my needs. Here it comes:
>
> ############################################
> source net { udp(ip("0.0.0.0") port(514)); };
>
> destination d_mysql {
>     program("/usr/bin/mysql --reconnect -f -T --user=syslogfeeder --password=PASSWORD syslog >> /var/log/db_log.log 2>&1"
>         template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n")
>         template-escape(yes));
> };
Apart from the specific problem, one note I have is that syslog-ng OSE 2.1 can do inserts on its own, without the help of the mysql binary.

--
Bazsi
Hello out there,

my problem with syslog-ng not logging to mysql still persists. The only hint so far was:

> Apart from the specific problem one note I have is that syslog-ng OSE 2.1 can do inserts on its own, without the help of the mysql binary.

Thanks for that one, but unfortunately I'm using version 1.6.8, because that's the version delivered with SLES 10.0.

I think I may have narrowed down the problem a bit: I still use the following configuration (syslog-ng.conf):

#################syslog-ng.conf#########################
source net { udp(ip("0.0.0.0") port(514)); };

destination mysql {
    #file("/var/log/mysqltest.log"
    program("/usr/bin/mysql --reconnect -f -T --user=syslogadmin --password=xxxxxx syslog >> /var/log/db_log.log 2>&1"
        template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n")
        template-escape(yes));
};

log { source(net); destination(mysql); };
####################################################

If I use "file" instead of "program" the logging works just fine: the string "INSERT INTO..." is written into the file mysqltest.log. When I copy and paste this line into mysql (using the same program call as in the syslog-ng.conf "program" statement), the insert is done without any problem. Using "program" instead, literally nothing happens. No records are written to mysql, and no problems are reported to the db_log.log file. It is as if the statement was *never* executed. *ARRRRGHHH*

I'm pretty sure that this has worked *before* the server's admin applied a SuSE-Update. Yes, I know, never change a running system.

If you have any ideas what's going wrong here and why, please let me know.

Thanks a lot,
Andreas
> It is as if the statement was *never* executed. *ARRRRGHHH*

Are you sure that syslog-ng is successful in creating a persistent child running that mysql command line? You should see in "ps -elf" a syslog-ng process with a child process running that mysql command line. The pid of the child process should *not* change over time. If the child pid is changing then this means that the child mysqld is exiting and syslog-ng is creating a new one. This should not be happening if your config is OK.

I see that you have already tried sending the output to a file and it looks ok that way. The only other thing I can suggest is to send it to a script of your own instead of mysql and in your script you can see *exactly* what mysql would receive on its stdin.

Joe.
Hi Joe!
> Are you sure that syslog-ng is successful in creating a persistent child running that mysql command line? You should see in "ps -elf" a syslog-ng process with a child process running that mysql command line.

That seems to be it: no mysql child at all is being created. No wonder no records are written to the database.

> I see that you have already tried sending the output to a file and it looks ok that way. The only other thing I can suggest is to send it to a script of your own instead of mysql and in your script you can see *exactly* what mysql would receive on its stdin.

I'll do that and let you know the results.

Thanks a lot!
Andreas
Hi!

Unfortunately...

> The only other thing I can suggest is to send it to a script of your own instead of mysql and in your script you can see *exactly* what mysql would receive on its stdin.

...this didn't work either.

I know it's strange, but it seems that syslog-ng doesn't understand the "program" and "pipe" directives any more. Well... that's not completely true. It understands them, as far as it does not complain when I'm using them, but both produce no output AT ALL!

The only other major change to the server was that the admin de-activated IPv6 on the machine. But this shouldn't be a problem, should it?

Any further suggestions welcome.

TNX in advance
Andreas
Hello,

> Hi!
> Unfortunately...
>
> > The only other thing I can suggest is to send it to a script of your own instead of mysql and in your script you can see *exactly* what mysql would receive on its stdin.
>
> ...this didn't work either.
>
> I know it's strange, but it seems that syslog-ng doesn't understand the "program" and "pipe" directives any more. Well... that's not completely true. It understands them, as far as it does not complain when I'm using them, but both produce no output AT ALL!

Sorry, this doesn't make any sense. Show us the following:

1. your full configuration. You can mask proprietary information.
2. a capture of the network traffic which proves that the logs arrive to your host
3. a strace output of the syslog-ng daemon which proves that it did receive the packets
4. the resources your syslog-ng daemon is actually using, like `ls -l /proc/[PID]/fd`, netstat output, etc.

AFAIK syslog-ng 1.6 fires up the program destination every time it writes a message. So you won't see the program running when there is no traffic on the destination. 2.0 runs the program only once, and starts it again only when the program exited.

Regards,
Sandor

--------------------------------------------------------
NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
Hi!

> 1. your full configuration. You can mask proprietary information.

For the full config, have a look at the end of this message.

> 2. a capture of the network traffic which proves that the logs arrive to your host

Network traffic is definitely arriving at my host, because *this* works:

##############################################################
source net { udp(ip("0.0.0.0") port(514)); };

destination netlog {
    file("/var/log/netlog/net.log"
        template("[$YEAR/$MONTH/$DAY $HOUR:$MIN:$SEC] '$HOST' '$PRIORITY' $MESSAGE\n"));
};

log { source(net); destination(netlog); };
##############################################################

The file /var/log/netlog/net.log is written and has the following content:

[2008/09/18 16:24:44] '192.168.xx.xx' 'info' %ASA-6-302013: Built outbound TCP connection 1296007 for proxy :192.168.xx.xx/8080 (192.168.xx.xx/8080) to inside:192.168.xx.xx/39564 (192.168.xx.xx.1/39564)
[2008/09/18 16:24:44] '192.168.xx.xx' 'info' %ASA-6-302014: Teardown TCP connection 1296007 for proxy:192.168.xxx.xxx/8080 to inside:192.168.xxx.xxx/39564 duration 0:00:00 bytes 1343 TCP FINs
etc.
> 3. a strace output of the syslog-ng daemon which proves that it did receive the packets

Ahem... how many lines of output from strace would you like to see? :-) I have over 2000 in less than a minute... :-) I think you're looking for something like the following:

recvfrom(3, "<166>%ASA-6-302016: Teardown UDP"..., 2048, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.168.xx.xx")}, [16]) = 125

I can also see my logfile being opened:

open("/var/log/netlog/net.log", O_WRONLY|O_NONBLOCK|O_APPEND|O_CREAT|O_NOCTTY|O_LARGEFILE, 0644) = 6
chown32("/var/log/netlog/net.log", 0, 0) = 0
chmod("/var/log/netlog/net.log", 0644) = 0

No hints of any mysql activity, though.
> 4. the resources your syslog-ng daemon is actually using, like `ls -l /proc/[PID]/fd`, netstat output, etc.

srv-kon-log:/var/log # ls -l /proc/26666/fd/*
lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/0 -> /dev/null
lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/1 -> /dev/null
lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/2 -> /dev/null
lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/3 -> socket:[15236977]
l-wx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/4 -> /var/log/messages
lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/5 -> socket:[15236978]
l-wx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/6 -> /var/log/netlog/net.log
l-wx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/7 -> /var/log/warn
lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/8 -> /dev/xconsole
l-wx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/9 -> /dev/tty10

srv-kon-log:/var/log # netstat -an | grep 514
udp        0      0 0.0.0.0:514             0.0.0.0:*

And now for the full config. Here it comes:

#############################################################################
options { long_hostnames(off); sync(1); log_fifo_size(16384); time_reopen(10); dns_cache(yes); perm(0644); stats(43200); use_fqdn(yes); use_dns(yes); chain_hostnames(no); keep_hostname(yes); };

source src { internal(); unix-dgram("/dev/log"); };
source net { udp(ip("0.0.0.0") port(514)); };

filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
filter f_console { level(warn) and facility(kern) and not filter(f_iptables)
filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit { level(crit) and facility(news); };
filter f_newserr { level(err) and facility(news); };
filter f_news { facility(news); };
filter f_mailinfo { level(info) and facility(mail); };
filter f_mailwarn { level(warn) and facility(mail); };
filter f_mailerr { level(err, crit) and facility(mail); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_local { facility(local0, local1, local2, local3,
filter f_acpid { match('^\[acpid\]:'); };
filter f_netmgm { match('^NetworkManager:'); };
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
filter f_warn { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert { level(alert); };

destination console { file("/dev/tty10" group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

destination newscrit { file("/var/log/news/news.crit"
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr { file("/var/log/news/news.err"
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"
log { source(src); filter(f_newsnotice); destination(newsnotice); };

destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };

destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };

destination acpid { file("/var/log/acpid"); };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };

destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };

destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

destination netlog {
    file("/var/log/netlog/net.log"
        template("[$YEAR/$MONTH/$DAY $HOUR:$MIN:$SEC] '$HOST' '$PRIORITY' $MESSAGE\n"));
};
log { source(net); destination(netlog); };

destination mysql {
    #file("/var/log/mysqltest.log"
    program("/usr/bin/mysql --reconnect -f -T --user=syslogadmin --password=xxxxx syslog >> /var/log/db_log.log 2>&1"
        template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n")
        template-escape(yes));
};
log { source(net); destination(mysql); };
#############################################################################

By the way, I also tried

destination mysql {
    program("/usr/bin/mysql -u=syslogadmin -p=xxxxx syslog"
        template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n")
        template-escape(yes));
};

with the same (=no) effect.

Please let me know, if and where I made any mistakes.

Thanks a lot for your help!
Andreas
Hi,

> > 2. a capture of the network traffic which proves that the logs arrive to your host
>
> Network traffic is definitely arriving at my host, because *this* works:
>
> ##############################################################
> source net { udp(ip("0.0.0.0") port(514)); };
> destination netlog { file("/var/log/netlog/net.log" template( "[$YEAR/$MONTH/$DAY $HOUR:$MIN:$SEC] '$HOST' '$PRIORITY' $MESSAGE\n")); };
> log { source(net); destination(netlog); };
> ##############################################################
>
> The file /var/log/netlog/net.log is written and has the following content:
>
> [2008/09/18 16:24:44] '192.168.xx.xx' 'info' %ASA-6-302013: Built outbound TCP connection 1296007 for proxy :192.168.xx.xx/8080 (192.168.xx.xx/8080) to inside:192.168.xx.xx/39564 (192.168.xx.xx.1/39564)
> [2008/09/18 16:24:44] '192.168.xx.xx' 'info' %ASA-6-302014: Teardown TCP connection 1296007 for proxy:192.168.xxx.xxx/8080 to inside:192.168.xxx.xxx/39564 duration 0:00:00 bytes 1343 TCP FINs
> etc.
OK, so syslog-ng gets the log from the network. Your config seems valid to me, so I fear I can't help you further :( You could try to start syslog-ng in verbose mode to see whether it complains about the destination.

Regards,
Sandor
Hi all!
> OK, so syslog-ng gets the log from the network. Your config seems valid to me, so I fear I can't help you further :(

I'm working around that problem by writing to a file and parsing it (from cron) with a perl script to the database. Works nicely. If anyone is interested, I'd ask my employer, if I may publish it.

TNX again for your inspiration,
Andreas
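An added example of the file-to-database importer the workaround describes; this is not code from the thread or from syslog-ng, and it is Python rather than Perl, with an in-memory SQLite table standing in for the mysql `logs` table. It parses the `[$YEAR/$MONTH/$DAY $HOUR:$MIN:$SEC] '$HOST' '$PRIORITY' $MESSAGE` lines the netlog destination writes and inserts them with bound parameters, so a quote or semicolon inside a log message is stored as data instead of being spliced into an SQL string the way the `program()` template (relying on `template-escape(yes)`) does; the sample lines are constructed, and the table only has the columns the file template actually carries.

```python
import re
import sqlite3
from typing import Dict, List, Optional, Tuple

# Format of /var/log/netlog/net.log as written by the netlog destination's template:
#   [$YEAR/$MONTH/$DAY $HOUR:$MIN:$SEC] '$HOST' '$PRIORITY' $MESSAGE
LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\] "
    r"'(?P<host>[^']*)' '(?P<priority>[^']*)' (?P<msg>.*)$"
)

# Constructed sample input modelled on the lines quoted in the thread (addresses are
# made up). The third line carries quote characters and SQL text to show that bound
# parameters store them verbatim; the fourth line does not match the template.
SAMPLE_LOG = """\
[2008/09/18 16:24:44] '192.168.1.10' 'info' %ASA-6-302013: Built outbound TCP connection 1296007 for proxy:192.168.1.20/8080 to inside:192.168.1.30/39564
[2008/09/18 16:24:44] '192.168.1.10' 'info' %ASA-6-302014: Teardown TCP connection 1296007 for proxy:192.168.1.20/8080 to inside:192.168.1.30/39564 duration 0:00:00 bytes 1343 TCP FINs
[2008/09/18 16:24:45] '192.168.1.10' 'notice' user 'o'brien' logged in'); DROP TABLE logs; --
this line does not match the template and must be skipped
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one net.log line, or None if it does not match the template."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    # Store the timestamp the way the thread's INSERT template does: YYYY-MM-DD HH:MM:SS
    d["datetime"] = d.pop("date").replace("/", "-") + " " + d.pop("time")
    return d


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the 'syslog' database; only the columns the file template carries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logs (id INTEGER PRIMARY KEY, host TEXT, priority TEXT, datetime TEXT, msg TEXT)"
    )
    return conn


def import_log(text: str, conn: sqlite3.Connection) -> Tuple[int, int]:
    """Insert every parseable line of the log text; returns (inserted, skipped)."""
    inserted = skipped = 0
    rows = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        rows.append((rec["host"], rec["priority"], rec["datetime"], rec["msg"]))
        inserted += 1
    # Placeholders: the message text is passed as data, never concatenated into the SQL.
    conn.executemany("INSERT INTO logs (host, priority, datetime, msg) VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return inserted, skipped


def stored_messages(conn: sqlite3.Connection) -> List[str]:
    """Messages in insertion order, used to verify what actually landed in the table."""
    return [r[0] for r in conn.execute("SELECT msg FROM logs ORDER BY id")]


if __name__ == "__main__":
    db = open_db()
    print(import_log(SAMPLE_LOG, db))
    for m in stored_messages(db):
        print(m)
```

For a real run you would read the file syslog-ng writes and point the connection at mysql with a DB-API driver that supports the same placeholder style; the parse and insert logic stays as shown.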
participants (4)
- Balazs Scheidler
- Fegan, Joe
- Geller, Sandor (IT)
- Stallmann, Andreas