[syslog-ng] Forwarding system startup messages

Scheidler, Balázs balazs.scheidler at balabit.com
Mon Aug 24 08:11:45 CEST 2015


Are you sure it's syslog-ng that writes /var/log/syslog?

Sometimes early startup is handled by a different logger.

Try to disable syslog-ng from starting up, boot the system and start
syslog-ng manually. The kernel messages should be sitting in the dmesg
buffer and syslog-ng should process them as soon as it starts.

If it shows the same symptoms, try to look at the syslog-ng stats counters. Well,
you can do that even without the reboot game.

$ syslog-ng-ctl stats

Try to look for the processed counter for /proc/kmsg

On Aug 24, 2015 3:48 AM, "Saurabh Shukla" <saurabh at purestorage.com> wrote:

> I don't think clearing kernel buffers is an issue here since syslog-ng is
> seeing the kernel messages during system boot up and logging them to
> /var/log/syslog. However, it fails to forward them to the remote server. So
> there is some issue with buffering messages for the remote destination.
>
> -- Saurabh
>
> On Sat, Aug 22, 2015 at 12:00 PM, Scheidler, Balázs <
> balazs.scheidler at balabit.com> wrote:
>
>> Hmm. You don't even use /dev/kmsg or system, so this setup should work.
>> Don't you happen to run anything that could read /proc/kmsg or clear the
>> kernel ringbuffer behind the backs of syslog-ng?
>> On Aug 22, 2015 8:11 PM, "Saurabh Shukla" <saurabh at purestorage.com>
>> wrote:
>>
>>> Can you show your source declaration?
>>>
>>> I am using the syslog-ng.conf from here -
>>> https://github.com/balabit/syslog-ng/blob/syslog-ng-3.6.4/debian/syslog-ng.conf
>>>
>>> Do you use systemd journal?
>>>
>>> No.
>>>
>>>
>>> On Sat, Aug 22, 2015 at 3:10 AM, Scheidler, Balázs <
>>> balazs.scheidler at balabit.com> wrote:
>>>
>>>> Can you show your source declaration? Do you use systemd journal?
>>>> On Aug 22, 2015 2:56 AM, "Saurabh Shukla" <saurabh at purestorage.com>
>>>> wrote:
>>>>
>>>>> I am running syslog-ng 3.6.4 and I have the following destination and
>>>>> log path configured that forwards all messages to the destination:
>>>>>
>>>>> destination remote {
>>>>>     network("remote.example.com" port(514) transport(tcp)
>>>>> log_fifo_size(2048));
>>>>> };
>>>>> log { source(s_all); destination(remote); flags(flow-control);};
>>>>>
>>>>> When the system reboots, I see that startup messages from the kernel
>>>>> are logged into /var/log/syslog.
>>>>> syslog-ng establishes a connection to the remote destination around 10
>>>>> sec after the first message was logged into /var/log/syslog. However, it
>>>>> fails to forward any message that was logged into /var/log/syslog during
>>>>> the first 10 seconds even though I have the output buffer and flow control
>>>>> configured.
>>>>>
>>>>> Is this a bug in syslog-ng or am I missing some configuration steps?
>>>>>
>>>>> Thanks,
>>>>> -- Saurabh
>>>>>
>>>>>
>>>>> ______________________________________________________________________________
>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>> Documentation:
>>>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
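
The counter check suggested at the top of this message, as an added example that is not part of the original thread: a shell function that reads `syslog-ng-ctl stats` output and goes one step beyond the /proc/kmsg processed counter by comparing it with the processed, dropped and stored counters of the `remote` destination from the quoted configuration. The sample stats lines are constructed, and the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example: compare syslog-ng source and destination counters.
# Input on stdin is `syslog-ng-ctl stats` output, semicolon-separated:
#   SourceName;SourceId;SourceInstance;State;Type;Number
# Live use:  syslog-ng-ctl stats | check_forwarding remote

check_forwarding() {
    dest_id="$1"   # destination id from the config ("remote" in the thread)
    awk -F';' -v dest="$dest_id" '
        # Source side: messages read from the kernel log.
        $3 == "/proc/kmsg" && $5 == "processed" { kmsg = $6; seen_src = 1 }
        # Destination side: driver counters carry the id as "<id>#<n>".
        index($1, "dst.") == 1 && index($2, dest "#") == 1 {
            seen_dst = 1
            if ($5 == "processed") sent += $6
            if ($5 == "dropped")   dropped += $6
            if ($5 == "stored")    stored += $6
        }
        END {
            # Verdict strings are hypothetical labels for this example.
            if (!seen_src)              { print "no-kmsg-source"; exit }
            if (!seen_dst)              { print "no-destination"; exit }
            if (kmsg + 0 == 0)          { print "kmsg-not-read"; exit }
            if (dropped + 0 > 0)        { print "dropped-at-destination"; exit }
            if (stored + 0 > 0)         { print "queued-not-yet-sent"; exit }
            if (sent + 0 < kmsg + 0)    { print "lost-before-destination"; exit }
            print "forwarded"
        }'
}

# Constructed sample (not captured from a real host): kernel messages were
# read, but the TCP destination dropped most of them.
sample_stats() {
    cat <<'EOF'
SourceName;SourceId;SourceInstance;State;Type;Number
src.file;s_all#0;/proc/kmsg;a;processed;412
dst.tcp;remote#0;tcp,remote.example.com:514;a;dropped;380
dst.tcp;remote#0;tcp,remote.example.com:514;a;processed;412
dst.tcp;remote#0;tcp,remote.example.com:514;a;stored;0
EOF
}

sample_stats | check_forwarding remote
```

A `kmsg-not-read` verdict points at another reader of /proc/kmsg or a different early-boot logger, while `dropped-at-destination` points at the output queue for the remote destination.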