I have noticed over the last few weeks, that it seems that I have been dropping information from the kernel log. I am not sure if it is my configuration. I have tried two different ways of accessing information from /proc/kmsg. I have tried pipe without klogd. I have tried file with klogd. It seems to happen at random times.

Here is my system information.
Linux 2.4.18
Syslog-ng 1.5.17

Here is a copy of my config.

options {
sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames(off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};

source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg"); };

destination authlog { file("/var/log/authorize.log"); };
destination syslog { file("/var/log/syslog.log"); };
destination fcron { file("/var/log/fcron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kernel { file("/var/log/kernel.log"); };
destination cups { file("/var/log/cups.log"); };
destination user { file("/var/log/user.log"); };
destination mail { file("/var/log/mail.log"); };
destination fetchmail { file("/var/log/fetchmail.log"); };
destination news { file("/var/log/news.log"); };
destination debug { file("/var/log/debug.log"); };
destination messages { file("/var/log/messages.log"); };
destination everything { file("/var/log/everything.log"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
destination iptables { file("/var/log/iptables.log"); };
destination hacker { file("/var/log/hacker.log"); };

filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_fcron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kernel { facility(kern); };
filter f_cups { facility(lpr); };
filter f_mail { facility(mail); };
filter f_fetchmail { match("fetchmail"); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };
filter f_everything { level(debug..emerg); };
filter f_iptables { match("IN="); };
filter f_hacker { match("Hacker"); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_fcron); destination(fcron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kernel); destination(kernel); };
log { source(src); filter(f_cups); destination(cups); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_fetchmail); destination(fetchmail); };
log { source(src); filter(f_news); destination(news); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); filter(f_everything); destination(everything); };
log { source(src); filter(f_iptables); destination(iptables); };
log { source(src); filter(f_hacker); destination(hacker); };
log { source(src); destination(console_all); };
Hi,

I think I got the same problem as you. The trick is that syslog-ng is restarted when logs are rotated by logrotate, but not klogd. klogd needs some sort of pipe to a 'syslog' daemon. So, if you restart syslog-ng, klogd still sends data through the pipe to nowhere.

klogd needs to be restarted AFTER syslog-ng. So, at rotation time, restart both syslog-ng and klogd.

I hope it will help.

Sincerely,
Mathieu.

Quoting Jim Gifford <maillist@jg555.com>:
> I have noticed over the last few weeks, that it seems that I have been dropping information from the kernel log. I am not sure if it is my configuration. I have tried two different ways of accessing information from /proc/kmsg. I have tried pipe without klogd. I have tried file with klogd. It seems to happen at random times.
>
> Here is my system information. Linux 2.4.18 Syslog-ng 1.5.17
-- Mathieu MILLET mailto:htam@nerim.net ----
So if I add the command to stop syslog-ng, do log rotation, then restart it should be fine. I will give it a try tonight.

----- Original Message -----
From: "Mathieu MILLET" <htam@nerim.net>
To: <syslog-ng@lists.balabit.hu>
Sent: Monday, May 06, 2002 12:55 AM
Subject: Re: [syslog-ng]Syslog Dropping Information
> Hi,
>
> I think I got the same problem as you. The trick is that syslog-ng is restarted when logs are rotated by logrotate, but not klogd. klogd needs some sort of pipe to a 'syslog' daemon. So, if you restart syslog-ng, klogd still sends data through the pipe to nowhere.
>
> klogd needs to be restarted AFTER syslog-ng. So, at rotation time, restart both syslog-ng and klogd.
>
> I hope it will help.
>
> Sincerely, Mathieu.
On Mon, May 06, 2002 at 10:23:40AM -0700, Jim Gifford wrote:
> So if I add the command to stop syslog-ng, do log rotation, then restart it should be fine. I will give it a try tonight.
The problem is that klogd doesn't recognize that /dev/log was reopened by syslog-ng. syslog-ng doesn't need to be restarted, it's enough to restart klogd after hupping syslog-ng.

Alternatively, fetch kernel messages without using klogd:

source s_kern { file("/proc/kmsg" log_prefix("kernel: ")); };

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
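Added example, not part of the original thread or of syslog-ng: a post-rotation hook that applies the ordering described above, HUP syslog-ng first and restart klogd only afterwards, so kernel messages (including the iptables lines this config filters on) keep reaching the log. The pid file path, the klogd init script path and the one-second pause are assumptions; adjust them to the local system.

```shell
#!/bin/sh
# Post-rotation hook: reopen syslog-ng, then reconnect klogd to it.
# Both defaults below are assumptions about the local layout.
SYSLOG_NG_PID="${SYSLOG_NG_PID:-/var/run/syslog-ng.pid}"
KLOGD_RESTART="${KLOGD_RESTART:-/etc/init.d/klogd restart}"

# Succeeds only if the given pid file names a live process.
pid_alive() {
    [ -r "$1" ] || return 1
    pid=$(cat "$1")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Returns 0 when both steps succeeded, 1 when syslog-ng could not be
# signalled (klogd is then left untouched), 2 when the klogd restart failed.
post_rotate() {
    if ! pid_alive "$SYSLOG_NG_PID"; then
        echo "syslog-ng is not running; not restarting klogd" >&2
        return 1
    fi
    # syslog-ng reopens its destination files and /dev/log on SIGHUP.
    kill -HUP "$(cat "$SYSLOG_NG_PID")" || return 1
    # Assumed pause so /dev/log exists again before klogd connects.
    sleep 1
    # klogd must come up AFTER syslog-ng, otherwise it keeps writing
    # to the old, closed connection and kernel messages are lost.
    $KLOGD_RESTART || return 2
}
```

Source the file and call post_rotate from the postrotate script of the logrotate entry for these log files, and treat a non-zero return as a monitoring alert, since it means kernel logging may be silent.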
participants (3): Balazs Scheidler, Jim Gifford, Mathieu MILLET