[syslog-ng] syslog-ng vs. SEC problems after upgrading to 2.1.3
Balazs Scheidler
bazsi at balabit.hu
Thu Feb 5 11:16:11 CET 2009
On Sat, 2009-01-31 at 11:18 +0200, Jyri Hovila wrote:
> Hi everyone!
>
> I've been running syslog-ng and SEC (Simple Event Correlator, http://www.estpak.ee/~risto/sec/)
> on several Arch Linux (www.archlinux.org) servers for a few years now.
> After upgrading to syslog-ng 2.1.3 things suddenly stopped working on
> all five servers with identical configuration.
>
> Here's what's going on:
>
> The syslog-ng part of the deal goes like this (from /etc/syslog-ng.conf):
>
> destination d_sec { program("/usr/bin/perl /usr/share/sec/sec.pl -input=\"-\" -conf=/usr/local/etc/sec.conf"); };
> log { source(src); destination(d_sec); };
>
> This setup has been working fine all these years; it's been sending
> all incoming syslog messages to SEC, which has been parsing the
> messages just fine.
>
> After upgrading to syslog-ng 2.1.3, SEC stopped receiving anything
> from syslog-ng. These messages are being logged to /var/log/everything
> every 10 minutes:
>
> Jan 28 13:36:14 2 syslog-ng[19411]: Log statistics;
> dropped='program(/usr/bin/perl /usr/share/sec/sec.pl -input="-" -conf=/usr/local/etc/sec.conf)=0',
> processed='center(queued)=255119',
> processed='center(received)=123603',
> processed='destination(d_sec)=123603',
> processed='destination(acpid)=0', processed='destination(console)=0',
> processed='destination(debug)=0', processed='destination(mail)=5485',
> processed='destination(user)=309', processed='destination(uucp)=0',
> processed='destination(messages)=1163',
> processed='destination(ppp)=0', processed='destination(news)=0',
> processed='destination(iptables)=92399',
> processed='destination(everything)=6778',
> processed='destination(lpr)=0', processed='destination(cron)=0',
> processed='destination(syslog)=123',
> processed='destination(authlog)=24426',
> processed='destination(errors)=5',
> processed='destination(kernel)=147',
> processed='destination(daemon)=681',
> processed='destination(console_all)=0',
> processed='source(src)=123603',
> suppressed='program(/usr/bin/perl /usr/share/sec/sec.pl -input="-" -conf=/usr/local/etc/sec.conf)=0'
>
> ps aux tells me that SEC is running fine, but it seems syslog-ng
> doesn't want to speak to it properly.
>
> I have no idea where to go from here. Any tips, anyone?
Could you please strace the syslog-ng/sec processes to see if there's
any communication going on? I mean, syslog-ng _thinks_ that it has
actually sent messages to sec, but if it does not turn up there,
something silly is really going on.
So I'll know more if I can see the strace.
--
Bazsi
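As an added example (not part of this thread and not syslog-ng's own code), a small Python parser for the "Log statistics" line in the format quoted above, so the count a source received can be compared with what each destination processed and the program() destination's dropped/suppressed counters read off directly. The sample line is constructed from the values in the post, rejoined onto one line.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the stats line quoted in the post, rejoined
# onto a single line (the mail client had wrapped it).
SAMPLE_STATS_LINE = (
    "Jan 28 13:36:14 2 syslog-ng[19411]: Log statistics; "
    "dropped='program(/usr/bin/perl /usr/share/sec/sec.pl -input=\"-\" "
    "-conf=/usr/local/etc/sec.conf)=0', processed='center(queued)=255119', "
    "processed='center(received)=123603', processed='destination(d_sec)=123603', "
    "processed='destination(iptables)=92399', processed='source(src)=123603', "
    "suppressed='program(/usr/bin/perl /usr/share/sec/sec.pl -input=\"-\" "
    "-conf=/usr/local/etc/sec.conf)=0'"
)

# Each counter looks like  counter='kind(name)=value'  separated by commas.
# The name may contain spaces, quotes and '=' (a program() command line does),
# so the only safe delimiters are the parentheses and the trailing '=digits'.
COUNTER_RE = re.compile(r"(\w+)='(\w+)\(([^)]*)\)=(\d+)'")


def parse_stats_line(line: str) -> dict:
    """Return {(kind, name): {counter: value}} for one syslog-ng stats line."""
    if "Log statistics;" not in line:
        raise ValueError("not a syslog-ng 'Log statistics' message")
    stats = defaultdict(dict)
    for counter, kind, name, value in COUNTER_RE.findall(line):
        stats[(kind, name)][counter] = int(value)
    return dict(stats)


def delivery_gap(stats: dict, source: str, destination: str) -> int:
    """Messages the source received minus those the destination processed."""
    received = stats[("source", source)]["processed"]
    sent = stats[("destination", destination)]["processed"]
    return received - sent


def program_counters(stats: dict) -> dict:
    """Counters (dropped, suppressed, ...) of the single program() destination."""
    for (kind, name), counters in stats.items():
        if kind == "program":
            return {"command": name, **counters}
    raise KeyError("no program() destination in statistics")


if __name__ == "__main__":
    s = parse_stats_line(SAMPLE_STATS_LINE)
    print("gap src->d_sec:", delivery_gap(s, "src", "d_sec"))
    print("program():", program_counters(s))
```

A zero gap with zero dropped only says that syslog-ng itself accounted for every message as sent to the destination, which is exactly why the reply asks for an strace to see whether anything actually reaches the child process.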