[syslog-ng] line of sendmail log output missing?

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Fri May 4 16:39:48 CEST 2007

> Hi,
> I recently switched from syslogd to syslog-ng on several 
> servers running
> CentOS. While running syslogd, a usual mail delivery appeared in
> /var/log/maillog as follows:
> Apr 22 04:11:07 ws01 sendmail[32181]: l3M8B71l032181: 
> from=<someuser at someremote.domain>, size=2361, class=0, 
> nrcpts=1, 
> msgid=<001901c784c6$9688fea0$018ab484 at maison9tm8hfuv>, 
> proto=ESMTP, relay=root at localhost
> Apr 22 04:11:07 ws01 sendmail[32179]: l3M8Av5T032164: 
> to=<domain_support at somelocal.domain>, delay=00:00:04, 
> xdelay=00:00:00, mailer=virthostmail, pri=121926, 
> relay=somelocal.domain, dsn=2.0.0, stat=Sent (l3M8B71l032181 
> Message accepted for delivery)
> Apr 22 04:11:07 ws01 spamd[24594]: spamd: connection from 
> localhost.localdomain [] at port 50252 
> Apr 22 04:11:07 ws01 spamd[24594]: spamd: setuid to 
> domain_admin at somelocal.domain succeeded 
> Apr 22 04:11:07 ws01 spamd[24594]: spamd: processing message 
> <001901c784c6$9688fea0$018ab484 at maison9tm8hfuv> for 
> domain_admin at somelocal.domain:22003 
> Apr 22 04:11:08 ws01 spamd[24594]: spamd: identified spam 
> (18.5/4.0) for domain_admin at somelocal.domain:22003 in 1.3 
> seconds, 2646 bytes. 
> Apr 22 04:11:08 ws01 spamd[24594]: spamd: result: Y 18 - 
> scantime=1.3,size=2646,user=domain_admin at somelocal.com,uid=22003,required_score=4.0,rhost=localhost.localdomain,raddr=>,rport=50252,mid=<001901c784c6$9688fea0$018ab484 at mais
> Apr 22 04:11:08 ws01 spamd[4109]: prefork: child states: BI 
> Apr 22 04:11:08 ws01 spamd[4109]: spamd: handled cleanup of 
> child pid 24594 due to SIGCHLD 
> Apr 22 04:11:08 ws01 spamd[4109]: spamd: server successfully 
> spawned child process, pid 32189 
> Apr 22 04:11:08 ws01 spamd[4109]: prefork: child states: II 
> Apr 22 04:11:08 ws01 sendmail[32182]: l3M8B71l032181: 
> to=domain_admin, delay=00:00:01, xdelay=00:00:01, 
> mailer=local, pri=32547, dsn=2.0.0, stat=Sent
> Now, after replacing syslogd with syslog-ng, the last line showing the
> delivery by the local mailer ( in this case, procmail ) is absent from
> the log files. I have made sure that levels info through emergency are
> specified for facility mail, and have also checked to see if this
> message was showing up under any other facility ( although I have not
> explicitly defined the levels for all facilities ).
> I am rather stumped about where this line of log output is going. Any
> suggestions would be greatly appreciated.

Hi, if you suspect a facility/severity problem then using a fallback log
at the end of the configuration might help you, like this:

log {

Syslog-ng can cache log messages in memory so it might be the case that
the logs get written with a small delay. Without seeing your actual
configuration it's hard to help you further. Sendmail isn't modular so
when an openlog was successful (and it was because you see messages from
sendmail) then you're unlikely to hit any log socket connection number
limits which sometimes happen - but this will get logged by syslog-ng
if you use the internal() source.



NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
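The fallback log path and internal() source suggested in the reply above could look like the following. This is an added example, not part of the original message and not the configuration the reply elided; the source, filter and destination names and the two new file paths are hypothetical, and only /var/log/maillog comes from the thread.

```conf
# Added illustration. Names (s_local, s_internal, f_mail, d_mail,
# d_fallback, d_internal) and the fallback/internal file paths are
# hypothetical. On syslog-ng 3.x and later, begin the file with an
# "@version:" line that matches the installed release.

source s_local    { unix-stream("/dev/log"); };
source s_internal { internal(); };

# Mail facility, severities info through emerg, as described in the question.
filter f_mail { facility(mail) and level(info..emerg); };

destination d_mail     { file("/var/log/maillog"); };
destination d_fallback { file("/var/log/fallback.log"); };
destination d_internal { file("/var/log/syslog-ng-internal.log"); };

# Normal mail path.
log { source(s_local); filter(f_mail); destination(d_mail); };

# syslog-ng's own warnings and errors, kept in a separate file so that
# problems such as the connection limits mentioned in the reply are visible.
log { source(s_internal); destination(d_internal); };

# Fallback path, placed at the end of the configuration. flags(fallback)
# delivers only messages that no non-fallback log statement matched, so a
# sendmail line dropped by a facility/severity filter ends up here.
# Caveat: an unfiltered catch-all log statement on s_local matches every
# message, which leaves this path permanently empty.
log { source(s_local); destination(d_fallback); flags(fallback); };
```

If the missing `stat=Sent` line appears in the fallback file, the message is reaching syslog-ng and a filter is excluding it; if it appears nowhere, the internal log is the next place to look.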
