syslog-ng running but not writing logs
Hello forum members,
Having spent a couple of weeks on this problem I thought someone might be able to help getting syslog-ng 3.9.1 to write log files on OpenBSD 6.2.
The O/S was a fresh install, then syslog-ng and lastly BIND. No other packages except syslog-ng and BIND dependencies have been installed. No binaries or libs from BIND conflict or replace any from the syslog-ng installation.
The .conf file was copied over from an older OpenBSD system, also running an older WORKING syslog-ng (3.1.1). The required changes to the .conf were made so that syslog-ng 3.9.1 with supervisor starts and remains running. By killing the syslog-ng process I was able to test that the supervisor process restarts syslog-ng. The rc.d script starts, stops and restarts syslog-ng as expected. /usr/local/sbin/syslog-ng -s returns no errors, indicating that the config file is sane.
In /var/log the only thing it writes are syslog-ng start/stop messages. In an effort to localise the problem, a stub syslog-ng.conf was created with the following contents:
    @version: 3.9.1
    source s_local { unix-dgram("/dev/log"); };
    #
    destination catchall { file(/var/log/catchall); };
    log { source(s_local); destination(catchall); };
The permissions and ownership on /var, /var/log, /var/run, and /etc are correct according to the OpenBSD /etc/mtree/special file. Syslog-ng starts retaining root permissions (default) and creates /dev/log if it does not exist. The syslog_ng_flags I use are:
    "-R /var/run/syslog_ng.persist -c /var/run/syslog_ng.ctl -p /var/run/syslog_ng.pid"
Have tried running without any flags to see if that would help, but did not help.
The output of syslog-ng -V is:
    syslog-ng 3.9.1
    Installer-Version: 3.9.1
    Revision:
    Module-Directory: /usr/local/lib/syslog-ng
    Module-Path: /usr/local/lib/syslog-ng
    Available-Modules: affile,afprog,afsocket,afsql,afuser,basicfuncs,cef,confgen,cryptofuncs,csvparser,curl,date,dbparser,disk-buffer,geoip-plugin,graphite,kvformat,linux-kmsg-format,pseudofile,system-source,add-contextual-data,json-plugin,syslogformat
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-IPv6: on
    Enable-Spoof-Source: off
    Enable-TCP-Wrapper: off
    Enable-Linux-Caps: off
On my hunt I found a message on NARKIVE where a user was having the same problem with syslog-ng 3.6 on OpenBSD 5.9; there was no solution. There was a reply saying: "With the changes in 5.6 using sendsyslog(2), only syslogd picks up local syslog. Search the openbsd-ports list for syslog-ng to see some comments on it."
After a further search I turned up nothing that would help.
Have also tried to compile syslog-ng 3.12 from source to see if that might help solve the problem, but no success on OpenBSD.
Many thanks in advance. CB
Try /dev/log or /dev/klog ?
https://man.openbsd.org/syslogd.8
*syslogd* opens a UDP socket, as specified in */etc/services*, for sending forwarded messages. By default all incoming data on this socket is discarded. If insecure mode is switched on with *-u*, it will also read messages from the socket.
*syslogd* also opens and reads messages from the UNIX-domain socket */dev/log*, and from the special device */dev/klog* (to read kernel messages), and from sendsyslog(2) <https://man.openbsd.org/sendsyslog.2> (to read messages from userland processes).
On Wed, Nov 22, 2017 at 6:49 AM, <buckingham@nym.hush.com> wrote:
Hello forum members,
Having spent a couple of weeks on this problem I thought someone might be able to help getting syslog-ng 3.9.1 to write log files on OpenBSD 6.2.
Many Thanks for your reply.
As in my original message, the stub config that I am using to test is indicated, so yes unix-dgram("/dev/log") is there. In the original config I have both the unix-dgram("/dev/log") and file("/dev/klog" follow-freq(0) program_override("kernel: ") flags(no-parse)) but still no logs.
You pointed me to the OBSD syslogd man page but it is unclear how syslogd affects the syslog-ng software; syslogd is disabled on the system(s). The syslog-ng is stand-alone, it only collects "localhost" logs which are check-summed and backed-up on a regular basis. There is no udp involved.
The problem does not occur on some older OBSD releases. In an effort to test this with a newer OBSD, I set up an OBSD 5.5 VM with syslog-ng 3.4.7 and it works perfect, as it does with 4.[8-9]. The same config file was used on each of the servers with only minor changes. Maybe I will have to set up OBSD 5.[6-9] VMs to find out exactly when things changed.
Cheers, Chris
On 27/11/2017 at 1:21 PM, "Scot" wrote:
Try /dev/log or /dev/klog ? https://man.openbsd.org/syslogd.8
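Added example, not part of the original thread or of syslog-ng: going by the reply quoted in the thread, programs using syslog(3) on OpenBSD 5.6 and later hand their messages to sendsyslog(2) instead of writing to /dev/log, so a datagram written straight to the socket separates a delivery-path problem from a configuration problem. The tag dgram-probe and the function names are made up for this sketch; the socket path defaults to the /dev/log named in the stub config.

```c
/* Added example: write one syslog-style datagram directly to a unix-dgram
 * socket, the way a pre-sendsyslog(2) libc would have done it. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* <13> = facility user (1) * 8 + severity notice (5) */
#define PROBE_PRI 13

/* Build a BSD-syslog style line "<PRI>tag: text"; returns length or -1. */
int build_probe(char *buf, size_t len, const char *tag, const char *text)
{
    int n = snprintf(buf, len, "<%d>%s: %s", PROBE_PRI, tag, text);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Send one datagram to the socket at path; returns bytes sent or -1. */
int send_probe(const char *path, const char *tag, const char *text)
{
    char msg[1024];
    struct sockaddr_un sa;
    int n, fd, rc;

    if ((n = build_probe(msg, sizeof(msg), tag, text)) < 0)
        return -1;
    if (strlen(path) >= sizeof(sa.sun_path))
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);      /* length checked above */

    if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0)
        return -1;
    rc = (int)sendto(fd, msg, (size_t)n, 0,
                     (struct sockaddr *)&sa, sizeof(sa));
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    /* Assumed default: the socket path from the stub syslog-ng.conf. */
    const char *path = argc > 1 ? argv[1] : "/dev/log";
    int rc = send_probe(path, "dgram-probe", "direct write to the log socket");

    if (rc < 0) { perror(path); return 1; }
    printf("sent %d bytes to %s\n", rc, path);
    return 0;
}
```

If the probe line shows up in /var/log/catchall while messages from syslog(3) callers do not, the source and destination are working and those messages are simply not arriving on /dev/log.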