[syslog-ng] Problems with kernel logging

Brian K. Mohr bkmohr@Princeton.EDU
Wed, 17 May 2000 14:17:13 -0400


Sorry if this rehashes old territory--I've seen this issue addressed in
the list archives. Unfortunately, I've reached an impasse.

I'm currently running syslog-ng on a test system, with all logs being
sent to a single file so that I can monitor what syslog-ng is (or isn't)
doing. As far as I can tell, all facilities are being logged except for
'kern.*'. I'm running it on Red Hat 6.2 (intel) as a drop-in replacement
for syslogd (it is started prior to klogd, version 1.3-3). 

As suggested in a prior posting on this topic, I've run 'strace -f' on
klogd with both syslogd and syslog-ng (and ipchains logging all denied
packets so there should be plenty of logging to kern.info) with the
following result:

===syslogd sample===
read(0, "<6>Packet log: input DENY eth0 P"..., 4095) = 121
time([958581388])                       = 958581388
write(1, "<6>May 17 12:36:28 kernel: Packe"..., 146) = 146

===syslog-ng sample===
read(0, "<6>Packet log: input DENY eth0 P"..., 4095) = 114
connect(1, {sin_family=AF_UNIX, path="/dev/log"}, 10) = -1 EPROTOTYPE
(Protocol wrong type for socket)
time([958581560])                       = 958581560
write(1, "<6>May 17 12:39:20 kernel: Packe"..., 139) = -1 ENOTCONN
(Transport endpoint is not connected)

It would appear that klogd is _trying_ to log to /dev/log, but fails
when syslog-ng is running. I do see kernel messages sent from remote
hosts (still running syslogd) in the destination file, just not for the
local host. 

source local { unix-stream("/dev/log"); internal(); }; # no kern.*
source net { udp(ip( port(514)); }; # kern facility OK

Any suggestions? Thanks in advance!


Brian Mohr                            email: bkmohr@princeton.edu
Systems Administrator                 phone: (609) 258-2618
Atmospheric and Oceanic Sciences        fax: (609) 258-2850
Princeton University