[syslog-ng] [Bug 221] New: syslog-ng 2.1.4 on rhel 5.8

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Thu Feb 14 22:09:54 CET 2013


https://bugzilla.balabit.com/show_bug.cgi?id=221

           Summary: syslog-ng 2.1.4 on rhel 5.8
           Product: syslog-ng
           Version: 2.1.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi at balabit.hu
        ReportedBy: jk_kathi1 at yahoo.com
Type of the Report: ---
   Estimated Hours: 0.0


Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Syslog-ng version : syslog-ng-2.1.4-9.el5
Library installed : libnet-1.1.5-1.el5

/etc/syslog-ng/syslog-ng.conf file settings

options {
        sync (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_dns (no);
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (yes);
};

source s_sys {
        file ("/proc/kmsg" log_prefix("kernel: "));
        unix-stream ("/dev/log");
        internal();
        # udp(ip(0.0.0.0) port(514));
};
source s_file { file("/opt/CA/siteminder/log/smps.log"); };
destination d_file { file("/var/log/messages"); };
destination d_remote_q1 { udp("x.x.x.x" port(514)); };
log { source(s_sys); destination(d_file); };
log { source(s_file); destination(d_file); destination(d_remote_q1); };


Syslog-ng executes fine and is able to record all the OS logs.
When I start syslog-ng the first time, it polls smps.log and forwards all the entries from that file to the remote server, but after that, any new events
getting logged do not get processed, even when syslog-ng is running in the background.
The issue is that syslog-ng is not able to monitor the app log smps.log in real time.

This happens only for the app log; normal OS events get processed immediately.
Tried logging a simple message using logger.

I did try running syslog-ng in debug mode; these are the results:
 /sbin/syslog-ng -Fedv
Syslog connection established; from='AF_INET(0.0.0.0:0)', to='AF_INET(x.x.x.x:514)'
Running application hooks; hook='1'
syslog-ng starting up; version='2.1.4'
EOF occurred while reading; fd='3'
Syslog connection accepted; from='AF_UNIX(anonymous)', to='AF_UNIX(/dev/log)'
Syslog connection accepted; from='AF_UNIX(anonymous)', to='AF_UNIX(/dev/log)'
Incoming log entry; line='<85>Feb 14 15:04:03 sshd[797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.58.99.83 user=admin'
Initializing destination file writer; template='/var/log/messages', filename='/var/log/messages'
Incoming log entry; line='<86>Feb 14 15:04:06 sshd[797]: Failed password for admin from 10.58.99.83 port 64622 ssh2'
EOF occurred while reading; fd='8'
Closing log reader fd; fd='8'
Syslog connection accepted; from='AF_UNIX(anonymous)', to='AF_UNIX(/dev/log)'
Incoming log entry; line='<86>Feb 14 15:04:16 sshd[797]: Accepted password for admin from 10.58.99.83 port 64622 ssh2'
EOF occurred while reading; fd='8'
Closing log reader fd; fd='8'
EOF occurred while reading; fd='7'
Closing log reader fd; fd='7'
Syslog connection accepted; from='AF_UNIX(anonymous)', to='AF_UNIX(/dev/log)'
Incoming log entry; line='<86>Feb 14 15:04:16 sshd[797]: pam_unix(sshd:session): session opened for user admin by (uid=0)'
Syslog connection accepted; from='AF_UNIX(anonymous)', to='AF_UNIX(/dev/log)'
Incoming log entry; line='<13>Feb 14 15:04:22 admin: Test message'
EOF occurred while reading; fd='8'
Closing log reader fd; fd='8'
Syslog connection accepted; from='AF_UNIX(anonymous)', to='AF_UNIX(/dev/log)'
Incoming log entry; line='<86>Feb 14 15:04:48 su: pam_unix(su-l:session): session opened for user root by admin(uid=500)'
Syslog connection accepted; from='AF_UNIX(anonymous)', to='AF_UNIX(/dev/log)'
Incoming log entry; line='<86>Feb 14 15:05:00 su: pam_unix(su-l:session): session opened for user smuser by admin(uid=0)'

But I do not see any debug messages for smps.log getting processed (even though the file is getting updated).

Any ideas?
Is this a shortcoming in syslog-ng 2.1.4?

I cannot compile the latest version of syslog-ng since there is a limitation on my production system (cannot compile anything due to security concerns),
so I am in need of a syslog-ng rpm package other than 2.1.4 that works on RHEL 5, or a way to fix the issue in the existing version.

Appreciate any help

Thanks
Kathi

