[syslog-ng] Re: Very strange syslog-ng log forwarding behavior

Balazs Scheidler bazsi@balabit.hu
Fri, 19 Jul 2002 09:05:41 +0200


On Thu, Jul 18, 2002 at 04:53:20PM -0400, Steve Lin wrote:
> I have the following syslog-ng configuration on one machine.
> 
> 
> source s_sys { unix-stream ("/dev/log"); internal(); };
> source s_udp { udp(); };
> 
> destination err { file("/var/log/err.log"); };
> destination external { tcp(xxx.xxx.xxx.xxx); };
> 
> filter err { level(err); };
> 
> log { source(s_sys); source(s_udp); filter(err); destination(err); };
> log { source(s_sys); source(s_udp); filter(err); destination(external); };
> 
> 
> And the following configuration on a second machine I'm trying to forward logs to:
> 
> 
> source s_tcp { tcp(); };
> destination external { file("/var/log/$HOST_err.log"); };
> log { source(s_tcp); destination(external); };
> 
> 
> On the source machine, there is a Java process running that is generating lots of ERROR messages to syslog using the Apache log4j Java syslog utility.  What I'm seeing is that the ERROR messages are getting logged on the source machine into "/var/log/err.log" but they fail to reach the destination machine.  Now, here's where it gets weird: when I run the following command from the command line:
> 
> logger -p local0.error -t TEST "This is a test ERROR message"
> 
> The generated log message gets logged on the source machine AND it also reaches the destination machine and gets logged correctly.  This is the expected behavior.  So why are the Java program generated ERROR logs only getting logged on the source machine and not on the destination machine?
> 
> Any help you could provide is greatly appreciated, thanks.

Try strace-ing both syslog-ng processes as you send a message from Java.

It would be interesting to see what the message looks like
and whether the message is sent to the 2nd syslog-ng or dropped on the first.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1