[syslog-ng] Troubleshooting local5.* output

Sean Carolan scarolan at gmail.com
Sun Mar 16 18:23:48 CET 2008


I am trying to troubleshoot some syslog servers that are not properly
sending local5.* logs to a remote syslog-ng server.  The syslog-ng
server is behaving as it should, and I am able to do this from remote
hosts:

$  logger -p local5.info "My test message here"

This message is correctly written to the local log and remote
syslog-ng server.  The filters on the syslog-ng box work correctly and
the entry is made in the right file for the host.

But there is one file on the client, /var/log/mylogfile.log, that is
being filled up by a running Java process.  Messages that are written
to this file are *not* being sent to the remote server.  I ran tcpdump
and verified that there are no network packets accompanying these log
entries.

So, maybe someone can help me.  How do I find out how this Java
process is writing to the log file, and why are messages not being
forwarded to the remote host?  lsof shows that the only process that
has the /var/log/mylogfile.log open is the syslog daemon.

Here are some configuration files if it helps:

SERVER:
/etc/syslog-ng/syslog-ng.conf (excerpt below)

options
{
 log_fifo_size(8192);

 # garden gnomes shouldn't log (Gnome has a buggy log implementation)
 # needs to be set on client systems, too...
 bad_hostname("gconfd");

 use_time_recvd(no);

 group(logs);
 create_dirs(yes);
 dir_group(logs);
 dir_perm(0750);
 perm(0640);
 chain_hostnames(no);
 keep_hostname(yes);
 stats(3600);
 use_fqdn(yes);
};

source syslog
{
 unix-stream("/dev/log");
 udp(ip(0.0.0.0) port(514));
 tcp(ip(0.0.0.0) port(5149) max-connections(300));
 internal();
};

destination mylogfile.log {
       file(/var/log/syslog-ng/$HOST/mylogfile.log);
};

destination boot.log {
       file(/var/log/syslog-ng/$HOST/boot.log);
};

filter f_local7 {
       facility(local7);
};

filter f_local5 {
       facility(local5);
};

log {
       source(syslog);
       filter(f_local7);
       destination(boot.log);
};

log {
       source(syslog);
       filter(f_local5);
       destination(mylogfile.log);
};


CLIENT
/etc/syslog.conf excerpt

*.*                                                       @syslogngbox
local7.*                                                /var/log/boot.log
local5.*                                                /var/log/mylogfile.log
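
An added example, not part of the original post: a small Python decoder for the <PRI> prefix of syslog datagrams, useful when checking a capture (for instance payloads shown by tcpdump -A on UDP port 514) for local5 traffic leaving the client. The sample payloads are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Facility and severity names by numeric code (RFC 3164); local0..local7 are 16..23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(payload):
    """Return (facility, severity) for a syslog datagram, or None if no valid PRI."""
    m = PRI_RE.match(payload)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # highest valid value is local7.debug = 23*8 + 7
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def summarize(payloads):
    """Count datagrams per 'facility.severity'; malformed ones are counted as 'no-pri'."""
    counts = Counter()
    for p in payloads:
        decoded = decode_pri(p)
        counts[".".join(decoded) if decoded else "no-pri"] += 1
    return counts

def saw_facility(payloads, facility):
    """True if at least one datagram carries the given facility."""
    return any((decode_pri(p) or ("",))[0] == facility for p in payloads)

# Constructed sample payloads (not taken from a real capture).
SAMPLE = [
    b"<174>logger: My test message here",   # 21*8 + 6 -> local5.info
    b"<190>boot: starting services",        # 23*8 + 6 -> local7.info
    b"<13>sean: hello",                     # 1*8 + 5  -> user.notice
    b"no priority header",                  # not a syslog datagram
    b"<999>bogus",                          # PRI out of range
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(f"{key:15} {n}")
    print("local5 seen on the wire:", saw_facility(SAMPLE, "local5"))
```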

