[syslog-ng] Collecting logs from a chrooted appli

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Thu Jun 5 15:22:57 CEST 2008


Hi,

> I'm currently trying to get the logs of a chrooted application
> which is under (/var/appli/) and logging in a file called
> appli.log (/var/appli/dev/log/appli.log). I tried to create a
> /dev/log directory (and a /dev/log stream too, when the file

Well, /dev/log shouldn't be a directory. It should be a socket
which programs could use by calling openlog/sendlog libc
functions. syslog-ng will create the socket for you, you
shouldn't do it yourself.

> didn't work) where the appli is logging. The application
> logging is ok, the file or stream work, but syslog-ng can't
> duplicate and create the appli.log in /var/log/appli.log or
> send tcp to the remote syslog server as well.
>
> In the syslog-ng.conf I tried to add a local source:
>
> source src_applilog { file("/var/appli/dev/log/appli.log"); };

Which version of syslog-ng are you using BTW?

> (or for the stream) source src_applilog { unix-stream("/dev/log"); };

This might be incorrect; /var/appli/dev/log would be the correct one.

> then duplicating the log :
>
> destination appli { file("/var/log/appli.log"); };
>
> then statement :
>
> log { source(src_applilog); destination(appli); };
>
> I don't want to filter anything in this log, but even if I
> tried to set up a unix-stream in /var/appli/dev/log with the
> application logging in this stream, nothing gets the job done.

You should use strace to check whether the application tries to
connect to the socket at all. In addition you could also check
with lsof which sockets/files syslog-ng is using.

> I must duplicate the log outside the chroot (local then
> remote with a tcp syslog server listening).

This should work without problems, it's a very common setup.

Regards,

Sandor
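
The checks discussed in this thread (is the chroot's /dev/log a socket rather than a directory or file, and is anything listening on it) can be scripted. The following is an added example, not part of the original post or of syslog-ng; the function name `check_log_socket` and the test message are hypothetical, and the path is the one from the thread.

```python
import os
import socket
import stat
import sys


def check_log_socket(path):
    """Classify `path` and, if it is a socket, try to reach its listener.

    Returns 'missing', 'directory', 'regular-file', 'other',
    'socket-no-listener', 'stream' or 'dgram'.
    """
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing"
    if stat.S_ISDIR(mode):
        return "directory"      # the mistake described in the thread
    if stat.S_ISREG(mode):
        return "regular-file"   # the application wrote a plain file here
    if not stat.S_ISSOCK(mode):
        return "other"
    # A unix-stream() source listens with SOCK_STREAM, a unix-dgram()
    # source with SOCK_DGRAM; try both and report which one answers.
    for name, kind in (("stream", socket.SOCK_STREAM),
                       ("dgram", socket.SOCK_DGRAM)):
        s = socket.socket(socket.AF_UNIX, kind)
        try:
            s.connect(path)
            # Constructed test message: <14> = facility user (1*8) + severity info (6)
            s.send(b"<14>chroot-check: test message\n")
            return name
        except OSError:
            continue            # wrong socket type or nobody listening
        finally:
            s.close()
    return "socket-no-listener"  # stale socket file left behind


if __name__ == "__main__":
    # Default is the chroot socket path from the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/appli/dev/log"
    print(target, "->", check_log_socket(target))
```

A result of `stream` or `dgram` means a listener accepted the test message, which should then show up in the configured destination; `socket-no-listener` points to a socket file that no running daemon owns.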