syslog-ng vs. SEC problems after upgrading to 2.1.3
Hi everyone!

I've been running syslog-ng and SEC (Simple Event Correlator, http://www.estpak.ee/~risto/sec/) on several Arch Linux (www.archlinux.org) servers for a few years now. After upgrading to syslog-ng 2.1.3 things suddenly stopped working on all five servers with identical configuration.

Here's what's going on:

The syslog-ng part of the deal goes like this (from /etc/syslog-ng.conf):

destination d_sec {
    program("/usr/bin/perl /usr/share/sec/sec.pl -input=\"-\" -conf=/usr/local/etc/sec.conf");
};
log { source(src); destination(d_sec); };

This setup has been working fine all these years; it's been sending all incoming syslog messages to SEC, which has been parsing the messages just fine.

After upgrading to syslog-ng 2.1.3, SEC stopped receiving anything from syslog-ng. These messages are being logged to /var/log/everything every 10 minutes:

Jan 28 13:36:14 2 syslog-ng[19411]: Log statistics; dropped='program(/usr/bin/perl /usr/share/sec/sec.pl -input="-" -conf=/usr/local/etc/sec.conf)=0', processed='center(queued)=255119', processed='center(received)=123603', processed='destination(d_sec)=123603', processed='destination(acpid)=0', processed='destination(console)=0', processed='destination(debug)=0', processed='destination(mail)=5485', processed='destination(user)=309', processed='destination(uucp)=0', processed='destination(messages)=1163', processed='destination(ppp)=0', processed='destination(news)=0', processed='destination(iptables)=92399', processed='destination(everything)=6778', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=123', processed='destination(authlog)=24426', processed='destination(errors)=5', processed='destination(kernel)=147', processed='destination(daemon)=681', processed='destination(console_all)=0', processed='source(src)=123603', suppressed='program(/usr/bin/perl /usr/share/sec/sec.pl -input="-" -conf=/usr/local/etc/sec.conf)=0'

ps aux tells me that SEC is running fine, but it seems syslog-ng doesn't want to speak to it properly.

I have no idea where to go from here. Any tips, anyone?

Thanks in advance!

Yours,
Jyri
On Sat, 2009-01-31 at 11:18 +0200, Jyri Hovila wrote:
Hi everyone!
I've been running syslog-ng and SEC (Simple Event Correlator, http://www.estpak.ee/~risto/sec/) on several Arch Linux (www.archlinux.org) servers for a few years now. After upgrading to syslog-ng 2.1.3 things suddenly stopped working on all five servers with identical configuration.
Here's what's going on:
The syslog-ng part of the deal goes like this (from /etc/syslog-ng.conf):
destination d_sec {
    program("/usr/bin/perl /usr/share/sec/sec.pl -input=\"-\" -conf=/usr/local/etc/sec.conf");
};
log { source(src); destination(d_sec); };
This setup has been working fine all these years; it's been sending all incoming syslog messages to SEC, which has been parsing the messages just fine.
After upgrading to syslog-ng 2.1.3, SEC stopped receiving anything from syslog-ng. These messages are being logged to /var/log/everything every 10 minutes:
Jan 28 13:36:14 2 syslog-ng[19411]: Log statistics; dropped='program(/usr/bin/perl /usr/share/sec/sec.pl -input="-" -conf=/usr/local/etc/sec.conf)=0', processed='center(queued)=255119', processed='center(received)=123603', processed='destination(d_sec)=123603', processed='destination(acpid)=0', processed='destination(console)=0', processed='destination(debug)=0', processed='destination(mail)=5485', processed='destination(user)=309', processed='destination(uucp)=0', processed='destination(messages)=1163', processed='destination(ppp)=0', processed='destination(news)=0', processed='destination(iptables)=92399', processed='destination(everything)=6778', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=123', processed='destination(authlog)=24426', processed='destination(errors)=5', processed='destination(kernel)=147', processed='destination(daemon)=681', processed='destination(console_all)=0', processed='source(src)=123603', suppressed='program(/usr/bin/perl /usr/share/sec/sec.pl -input="-" -conf=/usr/local/etc/sec.conf)=0'
ps aux tells me that SEC is running fine, but it seems syslog-ng doesn't want to speak to it properly.
I have no idea where to go from here. Any tips, anyone?
Could you please strace the syslog-ng/sec processes to see if there's any communication going on? I mean, syslog-ng _thinks_ that it has actually sent messages to sec, but if it does not turn up there, something silly is really going on. So I'll know more if I can see the strace.

-- Bazsi
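As an added example (not part of the original thread, and not syslog-ng or SEC code), the sketch below parses a "Log statistics" line in the format quoted above and reports what syslog-ng itself believes about the d_sec destination. The sample line is a constructed, shortened copy of the one in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened "Log statistics" line in the format quoted in the thread.
SAMPLE = (
    "Jan 28 13:36:14 2 syslog-ng[19411]: Log statistics; "
    "dropped='program(/usr/bin/perl /usr/share/sec/sec.pl -input=\"-\" "
    "-conf=/usr/local/etc/sec.conf)=0', "
    "processed='center(received)=123603', "
    "processed='destination(d_sec)=123603', "
    "processed='destination(mail)=5485', "
    "processed='source(src)=123603', "
    "suppressed='program(/usr/bin/perl /usr/share/sec/sec.pl -input=\"-\" "
    "-conf=/usr/local/etc/sec.conf)=0'"
)

# kind='type(name)=count'; the name may itself contain '=', '"' and spaces.
COUNTER = re.compile(r"(\w+)='(\w+)\((.*?)\)=(\d+)'")

def parse_stats(line):
    """Return {(kind, type, name): count} for one 'Log statistics' line."""
    _, sep, body = line.partition("Log statistics; ")
    if not sep:
        raise ValueError("not a syslog-ng 'Log statistics' line")
    return {(k, t, n): int(c) for k, t, n, c in COUNTER.findall(body)}

def destination_report(stats, dest, source, program_marker):
    """Summarise syslog-ng's own view of one program() destination."""
    received = stats.get(("processed", "source", source), 0)
    routed = stats.get(("processed", "destination", dest), 0)
    # Messages syslog-ng admits it did not write to the program's pipe.
    lost = sum(c for (k, t, n), c in stats.items()
               if k in ("dropped", "suppressed") and t == "program"
               and program_marker in n)
    return {"received": received, "routed": routed, "lost": lost,
            "handed_off": received > 0 and routed == received and lost == 0}

if __name__ == "__main__":
    print(destination_report(parse_stats(SAMPLE), "d_sec", "src", "sec.pl"))
```

When `handed_off` is true, the counters show no loss inside syslog-ng, so the gap has to be looked for on the pipe between the two processes, which is what the strace request above is for.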
Participants (2): Balazs Scheidler, Jyri Hovila