[syslog-ng]Log Stoppage

Gorm Jensen gjensen@magma.ca
Sun, 8 Jul 2001 14:05:29 -0400


This is a multi-part message in MIME format.

------=_NextPart_000_000F_01C107B7.0B841660
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

After upgrading from RH6.1 and syslog-ng-1.4.2 to RH7.1 and
syslog-ng-1.4.11, only the first hit of a series of hits on the firewall is
logged.  Restarting the daemon will cause the next hit to be logged, but no
more than that.  Only the logging of firewall hits is affected.

After a great deal of trial and error, I traced the problem to a specific
destination in the configuration file. I have attached two versions (Linux
text and MS.txt) of the config file.  To simplify the configuration for
testing, I deleted several other log destinations, filters and actions.  The
anomaly persisted, even with the simplified configuration.

When the lines containing the destination 'whodat' are commented out,
logging proceeds as expected.  When the comments are arranged to include
either one of the lines containing the whodat destination, the logging
reverts to what is described in the first paragraph.

Can anyone tell what is required to fix the problem?


------=_NextPart_000_000F_01C107B7.0B841660
Content-Type: application/octet-stream;
	name="syslog-ng.conf"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="syslog-ng.conf"

#=0A=
=0A=
# NOTE(review): this attachment is shown as transferred; every line=0A=
# ends with an encoded newline, and a bare trailing equals sign is a=0A=
# soft line break joining the line to the next one.=0A=
# -------- OPTIONS ---------------=0A=
# sync(0) - presumably write each message out without buffering;=0A=
# confirm against the syslog-ng 1.4 reference.=0A=
options { long_hostnames(off); sync(0); };=0A=
=0A=
=0A=
# -------- SOURCES ---------------=0A=
# Local inputs only: the /dev/log socket, syslog-ng's own messages=0A=
# and kernel messages read from /proc/kmsg. The UDP network source=0A=
# below is commented out.=0A=
source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg"); };=0A=
	#source net { udp(); };=0A=
=0A=
=0A=
# -------- DESTINATIONS -----------=0A=
# Every destination is a plain file except whodat, a named pipe.=0A=
# NOTE(review): a pipe only drains while some process reads it, and=0A=
# the accompanying message ties the log stoppage to this=0A=
# destination - check that a reader is attached to the pipe and=0A=
# which accounts are permitted to open it.=0A=
destination debug { file("/var/log/debug"); };=0A=
destination firewall { file("/var/log/firewall"); };=0A=
destination kern { file("/var/log/kern.log"); };=0A=
destination messages { file("/var/log/messages"); };=0A=
destination syslog { file("/var/log/syslog"); };=0A=
destination whodat { pipe("/etc/whodat-pipe"); };=0A=
=0A=
=0A=
# ----- FILTERS -----------=0A=
# f_firewall and f_kern split on whether the message text contains=0A=
# PROTO followed by an equals sign (written below in its=0A=
# quoted-printable form); presumably that marks packet-filter log=0A=
# lines - confirm. f_whodat selects every kern-facility message.=0A=
filter f_debug { level(debug) and not facility(local0, local3, local7); =
};=0A=
filter f_firewall { level(warning) and match("PROTO=3D"); };=0A=
filter f_kern { facility(kern) and not match("PROTO=3D"); };=0A=
filter f_messages { level(info, notice) \=0A=
        and not facility(auth, authpriv, mail, news, local0, local3); }; =0A=
filter f_syslog { facility(syslog); };=0A=
filter f_whodat { facility(kern); };=0A=
=0A=
=0A=
# ------------- ACTIONS ---------------=0A=
# Both log statements that use the whodat pipe are commented out=0A=
# below; the accompanying message says enabling either one brings=0A=
# the stoppage back. The first of them continues onto the next line=0A=
# through a soft line break, so that line is part of the comment.=0A=
log { source(src); filter(f_debug); destination(debug); };=0A=
#log { source(src); filter(f_firewall); destination(firewall); =
destination(whodat); };=0A=
log { source(src); filter(f_firewall); destination(firewall); };=0A=
#log { source(src); filter(f_whodat); destination(whodat); };=0A=
log { source(src); filter(f_kern); destination(kern); };=0A=
log { source(src); filter(f_messages); destination(messages); };=0A=
log { source(src); filter(f_syslog); destination(syslog); };=0A=

------=_NextPart_000_000F_01C107B7.0B841660
Content-Type: text/plain;
	name="syslog-ng.conf.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="syslog-ng.conf.txt"

#

# NOTE(review): this attachment is shown as transferred
# (quoted-printable); a bare trailing equals sign is a soft line
# break joining the line to the next one.
# -------- OPTIONS ---------------
# sync(0) - presumably write each message out without buffering;
# confirm against the syslog-ng 1.4 reference.
options { long_hostnames(off); sync(0); };


# -------- SOURCES ---------------
# Local inputs only: the /dev/log socket, syslog-ng's own messages
# and kernel messages read from /proc/kmsg. The UDP network source
# below is commented out.
source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg"); };
	#source net { udp(); };


# -------- DESTINATIONS -----------
# Every destination is a plain file except whodat, a named pipe.
# NOTE(review): a pipe only drains while some process reads it, and
# the accompanying message ties the log stoppage to this
# destination - check that a reader is attached to the pipe and
# which accounts are permitted to open it.
destination debug { file("/var/log/debug"); };
destination firewall { file("/var/log/firewall"); };
destination kern { file("/var/log/kern.log"); };
destination messages { file("/var/log/messages"); };
destination syslog { file("/var/log/syslog"); };
destination whodat { pipe("/etc/whodat-pipe"); };


# ----- FILTERS -----------
# f_firewall and f_kern split on whether the message text contains
# PROTO followed by an equals sign (written below in its
# quoted-printable form); presumably that marks packet-filter log
# lines - confirm. f_whodat selects every kern-facility message.
filter f_debug { level(debug) and not facility(local0, local3, local7); =
};
filter f_firewall { level(warning) and match("PROTO=3D"); };
filter f_kern { facility(kern) and not match("PROTO=3D"); };
filter f_messages { level(info, notice) \
        and not facility(auth, authpriv, mail, news, local0, local3); }; =

filter f_syslog { facility(syslog); };
filter f_whodat { facility(kern); };


# ------------- ACTIONS ---------------
# Both log statements that use the whodat pipe are commented out
# below; the accompanying message says enabling either one brings
# the stoppage back. The first of them continues onto the next line
# through a soft line break, so that line is part of the comment.
log { source(src); filter(f_debug); destination(debug); };
#log { source(src); filter(f_firewall); destination(firewall); =
destination(whodat); };
log { source(src); filter(f_firewall); destination(firewall); };
#log { source(src); filter(f_whodat); destination(whodat); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_syslog); destination(syslog); };
------=_NextPart_000_000F_01C107B7.0B841660--