[syslog-ng] Syslog-ng on OpenBSD

Joe McDonagh joseph.e.mcdonagh at gmail.com
Thu Sep 2 17:51:39 CEST 2010


On 09/02/2010 11:46 AM, Balazs Scheidler wrote:
> On Thu, 2010-09-02 at 11:14 -0400, Joe McDonagh wrote:
>    
>> Nothing is being logged except Log Processing Statistics in
>> /var/log/debug. I am seeing a ton of dropped stuff to my loghost, but
>> what's really alarming is that stuff isn't being logged locally?
>>
>> Sep  2 11:10:02 machine syslog-ng[4179]: Log statistics;
>> dropped='tcp(localhost:61514)=48833', processed='center(queued)=52',
>> processed='center(received)=13', processed='destination(messages)=13',
>> processed='destination(mailinfo)=0',
>> processed='destination(mailwarn)=0', processed='destination(console)=0',
>> processed='destination(mailerr)=0', processed='destination(loghost)=13',
>> processed='destination(authlog)=0', processed='destination(user)=0',
>> processed='destination(lpr)=0', processed='destination(daemon)=0',
>> processed='destination(cron)=0', processed='destination(kern)=0',
>> processed='destination(mail)=0', processed='destination(debug)=13',
>> processed='destination(syslog)=13',
>> processed='destination(console_all)=0', processed='source(src)=13',
>> suppressed='tcp(localhost:61514)=0'
>>
>> This is happening on all my OpenBSD machines I recently set up to use
>> syslog-ng (needed TCP with stunnel in front to send to my log host).
>>
>> This is the config:
>>
>> # This file is managed by puppet as a file in the syslog::client class
>>
>> options { long_hostnames(off); sync(20); use_dns(no);};
>>
>> source src { internal(); pipe("/dev/klog" log_prefix("kernel: "));
>> unix-stream("/dev/log"); };
>>
>> destination authlog { file("/var/log/auth.log"); };
>> destination syslog { file("/var/log/syslog"); };
>> destination cron { file("/var/log/cron.log"); };
>> destination daemon { file("/var/log/daemon.log"); };
>> destination kern { file("/var/log/kern.log"); };
>> destination lpr { file("/var/log/lpr.log"); };
>> destination user { file("/var/log/user.log"); };
>> destination mail { file("/var/log/mail.log"); };
>> destination mailinfo { file("/var/log/mail.info"); };
>> destination mailwarn { file("/var/log/mail.warn"); };
>> destination mailerr { file("/var/log/mail.err"); };
>> destination debug { file("/var/log/debug"); };
>> destination messages { file("/var/log/messages"); };
>> destination console { usertty("root"); };
>> destination console_all { file("/dev/tty12"); };
>> destination loghost { tcp("localhost" port(61514)); };
>>
>> filter f_auth { facility(auth); };
>> filter f_authpriv { facility(auth, authpriv); };
>> filter f_syslog { not facility(authpriv, mail); };
>> filter f_cron { facility(cron); };
>> filter f_daemon { facility(daemon); };
>> filter f_kern { facility(kern); };
>> filter f_lpr { facility(lpr); };
>> filter f_mail { facility(mail); };
>> filter f_user { facility(user); };
>> filter f_debug { not facility(auth, authpriv, mail); };
>> filter f_messages { level(info..warn)
>>           and not facility(auth, authpriv, mail); };
>> filter f_emergency { level(emerg); };
>>
>> filter f_info { level(info); };
>> filter f_notice { level(notice); };
>> filter f_warn { level(warn); };
>> filter f_crit { level(crit); };
>> filter f_err { level(err); };
>>
>> log { source(src); filter(f_authpriv); destination(authlog); };
>> log { source(src); filter(f_syslog); destination(syslog); };
>> log { source(src); filter(f_cron); destination(cron); };
>> log { source(src); filter(f_daemon); destination(daemon); };
>> log { source(src); filter(f_kern); destination(kern); };
>> log { source(src); filter(f_lpr); destination(lpr); };
>> log { source(src); filter(f_mail); destination(mail); };
>> log { source(src); filter(f_user); destination(user); };
>> log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
>> log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
>> log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
>> log { source(src); filter(f_debug); destination(debug); };
>> log { source(src); filter(f_messages); destination(messages); };
>> log { source(src); filter(f_emergency); destination(console); };
>> log { source(src); destination(loghost); };
>>
>> <<EOF>>
>>
>> I'm wondering if my source line is just wrong for OpenBSD. Anybody with
>> a working OpenBSD config care to share?
>>      
> There are two suspicious things:
>
> 1) FreeBSD has moved /dev/log to /var/run/log, didn't OpenBSD do the
> same?
>
> 2) are you sure that unix-stream is needed? last I've checked BSDs used
> unix-dgram. You could validate this by running logger under truss and
> check if it's doing a connect() on the log socket before sending.
>
>    
1) No, OpenBSD has not moved to /var/run/log:

[/var/run] > ls -l /var/run
total 192
srw-rw----  1 root     wheel        0 Aug  3 00:03 bgpd.sock
-rw-r--r--  1 root     wheel        5 Aug  3 00:03 cron.pid
-rw-r--r--  1 root     wheel    57344 Aug  3 00:03 dev.db
-rw-r--r--  1 root     wheel     7110 Aug  3 00:03 dmesg.boot
-rw-r--r--  1 root     wheel        6 Aug  3 00:03 inetd.pid
prw-------  1 root     wheel        0 Aug 23 10:48 isakmpd.fifo
-rw-------  1 root     wheel        6 Aug 23 10:48 isakmpd.pid
-r--r--r--  1 root     wheel     6904 Aug 12 11:14 ld.so.hints
drwxr-xr-x  2 _nagios  _nagios    512 Aug  3 00:03 nagios3
-rw-------  1 root     wheel       69 Aug  3 00:03 sendmail.pid
-rw-r--r--  1 root     wheel        6 Aug  3 00:03 sshd.pid
-rw-r--r--  1 root     wheel        6 Sep  1 11:45 stunnel.pid
-rw-------  1 root     wheel        4 Aug 12 11:15 syslog-ng.pid
-rw-rw-r--  1 root     utmp      7500 Sep  2 11:11 utmp

[/var/run] > ls -l /dev/log /dev/klog
crw-------  1 root  wheel    7,   0 Jul 30 12:40 /dev/klog
srw-rw-rw-  1 root  wheel         0 Aug 12 11:15 /dev/log

2) You rock, fixed it.

-- 
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
"When the going gets weird, the weird turn pro."
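
The socket-type mismatch behind the fix, as an added example (not part of the original thread and not syslog-ng code): a Python stand-in for a `unix-stream` or `unix-dgram` listener and for a logging client, using a temporary socket path instead of `/dev/log`. It assumes, as the reply suggests, that the BSD client side logs over a datagram socket; the message is constructed.

```python
import errno
import os
import socket
import tempfile

# Constructed sample message in BSD syslog wire form (<38> = auth.info).
MESSAGE = b"<38>sshd[123]: constructed test message"


def probe(listener_type, sender_type):
    """Listen on a temporary log socket and try to log to it once.

    Returns "delivered", or the errno name the sending side received.
    """
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "log")  # stand-in for /dev/log
        listener = socket.socket(socket.AF_UNIX, listener_type)
        sender = socket.socket(socket.AF_UNIX, sender_type)
        try:
            listener.bind(path)
            if listener_type == socket.SOCK_STREAM:
                listener.listen(1)  # a stream source has to listen for connections
            try:
                sender.connect(path)  # the connect() a syscall trace would show
                sender.send(MESSAGE)
            except OSError as exc:
                return errno.errorcode.get(exc.errno, str(exc.errno))
            return "delivered"
        finally:
            sender.close()
            listener.close()


if __name__ == "__main__":
    names = {socket.SOCK_STREAM: "unix-stream", socket.SOCK_DGRAM: "unix-dgram"}
    for listener_type in names:
        for sender_type in names:
            result = probe(listener_type, sender_type)
            print(f"source {names[listener_type]:<11} "
                  f"client {names[sender_type]:<11} -> {result}")
```

A datagram client facing a stream listener is refused with `EPROTOTYPE` at `connect()`, so its messages never reach the source; with matching socket types the message is delivered.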