[syslog-ng]Embarrassing newbie question

rich coco racoco@sockeye.com
Wed, 22 Jan 2003 10:55:28 -0500 

--------------090300080306070607020709
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

I have installed syslog-ng on two RedHat PCs (7.0 and 8.0).
I first stopped syslogd/klogd. ran "syslog-ng -s" to verify that
the syntax of my cfg file was ok and then ran syslog-ng.

I even ran syslog-ng in debug mode, in the foreground.
 it spews a bunch of output to stdout as it parses the cfg file (i believe),
but then gets silent afterwards...even as I run logger(1).

Nothing ever appears in any log file! same result on both systems,
so i have to assume it is something silly I am not doing right.
Here is my painfully simple cfg file:

    source src { pipe("/proc/kmsg"); unix-stream("/dev/log"); internal(); };
    destination messages { file("/var/log/messages"); };

    # Log anything of level debug or higher.
    filter f_messages { level(debug); };
    log { source(src); filter(f_messages); destination(messages); };

i tried testing this by running logger(1), which I understand
writes output to /dev/log. Nothing ever appears in /var/log/messages.
In fact, no files in /var/log *ever* get written.

Well, actually, i am leaving something out...and it is very strange
but probably a key clue:

when i shutdown syslog-ng and restart syslogd/klogd, I *do* get
output in /var/log/messages. A bunch of lines announcing the startup
of syslogd/klogd and, at *after* those entries, a single line announcing
the shutdown of syslog-ng (the *only* output I *ever* get from syslog-ng):

    Jan 21 21:08:48 ape syslog: syslogd startup succeeded
    Jan 21 21:08:48 ape kernel: klogd 1.3-3, log source = /proc/kmsg
    started.
    Jan 21 21:08:48 ape kernel: Inspecting /boot/System.map-2.2.19-7.0.1
    Jan 21 21:08:48 ape syslog: klogd startup succeeded
    Jan 21 21:08:48 ape kernel: Loaded 7296 symbols from
    /boot/System.map-2.2.19-7.0.1.
    Jan 21 21:08:48 ape kernel: Symbols match kernel version 2.2.19.
    Jan 21 21:08:48 ape kernel: Loaded 409 symbols from 12 modules.
    Jan 21 21:08:26 ape syslog-ng: syslog-ng shutdown succeeded

Notice that the timestamp of the last line is 22 seconds EARLIER THAN 
the timestamp
of the preceeding line! No doubt 22 seconds passed between the time I 
stopped
syslog-ng and restarted syslogd/klogd. But how/why did the syslog-ng 
appear *after*
the syslogd/klogd startup announcements? Some strange buffering of 
syslog-ng output?
Why isn't syslog-ng monitoring /dev/log as I asked it to? Did I ask it 
incorrectly? Is it writing
output to somewhere I cannot see?

HELP! this is making me nuts!!!


--------------090300080306070607020709
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

  


I have installed syslog-ng on two RedHat PCs (7.0 and 8.0).

I first stopped syslogd/klogd. ran "syslog-ng -s" to verify that

the syntax of my cfg file was ok and then ran syslog-ng.



I even ran syslog-ng in debug mode, in the foreground.

 it spews a bunch of output to stdout as it parses the cfg file (i believe),

but then gets silent afterwards...even as I run logger(1).



Nothing ever appears in any log file! same result on both systems,

so i have to assume it is something silly I am not doing right.

Here is my painfully simple cfg file:


source src { pipe("/proc/kmsg"); unix-stream("/dev/log"); internal();
};

destination messages { file("/var/log/messages"); };

  

# Log anything of level debug or higher.

filter f_messages { level(debug); };

log { source(src); filter(f_messages); destination(messages); };




i tried testing this by running logger(1), which I understand
writes output to /dev/log. Nothing ever appears in /var/log/messages.
In fact, no files in /var/log *ever* get written.

Well, actually, i am leaving something out...and it is very strange
but probably a key clue:

when i shutdown syslog-ng and restart syslogd/klogd, I *do* get
output in /var/log/messages. A bunch of lines announcing the startup
of syslogd/klogd and, at *after* those entries, a single line announcing
the shutdown of syslog-ng (the *only* output I *ever* get from syslog-ng):



Jan 21 21:08:48 ape syslog: syslogd startup succeeded

Jan 21 21:08:48 ape kernel: klogd 1.3-3, log source = /proc/kmsg started.

Jan 21 21:08:48 ape kernel: Inspecting /boot/System.map-2.2.19-7.0.1

Jan 21 21:08:48 ape syslog: klogd startup succeeded

Jan 21 21:08:48 ape kernel: Loaded 7296 symbols from /boot/System.map-2.2.19-7.0.1.

Jan 21 21:08:48 ape kernel: Symbols match kernel version 2.2.19.

Jan 21 21:08:48 ape kernel: Loaded 409 symbols from 12 modules.

Jan 21 21:08:26 ape syslog-ng: syslog-ng shutdown succeeded

  



Notice that the timestamp of the last line is 22 seconds EARLIER THAN the
timestamp 

of the preceeding line! No doubt 22 seconds passed between the time I stopped


syslog-ng and restarted syslogd/klogd. But how/why did the syslog-ng appear
*after*

the syslogd/klogd startup announcements? Some strange buffering of syslog-ng
output?

Why isn't syslog-ng monitoring /dev/log as I asked it to? Did I ask it incorrectly?
Is it writing

output to somewhere I cannot see?



HELP! this is making me nuts!!!





--------------090300080306070607020709--