[syslog-ng] syslog-ng vs. SEC problems after upgrading to 2.1.3

Jyri Hovila jyri.hovila at turvamies.fi
Sat Jan 31 10:18:27 CET 2009


Hi everyone!

I've been running syslog-ng and SEC (Simple Event Correlator, http://www.estpak.ee/~risto/sec/)
on several Arch Linux (www.archlinux.org) servers for a few years now.
After upgrading to syslog-ng 2.1.3 things suddenly stopped working on
all five servers with identical configuration.

Here's what's going on:

The syslog-ng part of the deal goes like this (from /etc/syslog-ng.conf):

destination d_sec { program("/usr/bin/perl /usr/share/sec/sec.pl -input=\"-\" -conf=/usr/local/etc/sec.conf"); };
log { source(src); destination(d_sec); };

This setup has been working fine all these years; it's been sending  
all incoming syslog messages to SEC, which has been parsing the  
messages just fine.

After upgrading to syslog-ng 2.1.3, SEC stopped receiving anything  
from syslog-ng. These messages are being logged to /var/log/everything  
every 10 minutes:

Jan 28 13:36:14 2 syslog-ng[19411]: Log statistics;
dropped='program(/usr/bin/perl /usr/share/sec/sec.pl -input="-" -conf=/usr/local/etc/sec.conf)=0',
processed='center(queued)=255119',
processed='center(received)=123603',
processed='destination(d_sec)=123603',
processed='destination(acpid)=0',
processed='destination(console)=0',
processed='destination(debug)=0',
processed='destination(mail)=5485',
processed='destination(user)=309',
processed='destination(uucp)=0',
processed='destination(messages)=1163',
processed='destination(ppp)=0',
processed='destination(news)=0',
processed='destination(iptables)=92399',
processed='destination(everything)=6778',
processed='destination(lpr)=0',
processed='destination(cron)=0',
processed='destination(syslog)=123',
processed='destination(authlog)=24426',
processed='destination(errors)=5',
processed='destination(kernel)=147',
processed='destination(daemon)=681',
processed='destination(console_all)=0',
processed='source(src)=123603',
suppressed='program(/usr/bin/perl /usr/share/sec/sec.pl -input="-" -conf=/usr/local/etc/sec.conf)=0'

ps aux tells me that SEC is running fine, but it seems syslog-ng  
doesn't want to speak to it properly.

I have no idea where to go from here. Any tips, anyone?

Thanks in advance!

Yours,

Jyri
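
Added example, not part of the original post or of syslog-ng or SEC: a small Python parser for the "Log statistics;" line quoted above, which pulls out the counters and compares what source(src) received with what destination(d_sec) processed and what the program() driver dropped. The function names and the shortened sample line are constructed for illustration.

```python
import re

# Constructed sample: the statistics line from the post, cut down to a few counters.
SAMPLE = (
    "Jan 28 13:36:14 2 syslog-ng[19411]: Log statistics; "
    "dropped='program(/usr/bin/perl /usr/share/sec/sec.pl -input=\"-\" "
    "-conf=/usr/local/etc/sec.conf)=0', "
    "processed='center(received)=123603', "
    "processed='destination(d_sec)=123603', "
    "processed='destination(mail)=5485', "
    "processed='source(src)=123603'"
)

# One counter looks like kind='type(name)=count'. The name of a program()
# driver is its whole command line, so it may contain spaces, '=' and '"'.
COUNTER = re.compile(r"(\w+)='(\w+)\((.*?)\)=(\d+)'")


def parse_stats(line):
    """Return {(kind, type, name): count} for a statistics line, else None."""
    marker = "Log statistics;"
    if marker not in line:
        return None
    body = line.split(marker, 1)[1]
    return {(k, t, n): int(c) for k, t, n, c in COUNTER.findall(body)}


def summarize(stats, source, destination):
    """Compare a source's received count with a destination's counters."""
    received = stats.get(("processed", "source", source))
    processed = stats.get(("processed", "destination", destination))
    # Drops are reported per driver instance (program(<command>)), not per
    # destination name, so sum every program() drop counter on the line.
    dropped = sum(c for (k, t, _), c in stats.items()
                  if k == "dropped" and t == "program")
    balanced = received is not None and received == processed and dropped == 0
    return {"received": received, "processed": processed,
            "dropped": dropped, "counters_balanced": balanced}


if __name__ == "__main__":
    print(summarize(parse_stats(SAMPLE), "src", "d_sec"))
```

When counters_balanced is true, as it is for the line in the post, the statistics line by itself shows no loss between the source and the d_sec destination.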




