[syslog-ng] ECONNREFUSED on /dev/log

Scheidler, Balázs balazs.scheidler at balabit.com
Sat Feb 20 14:24:33 CET 2016


Hi,

can you run syslog-ng with --preprocess-into=/dev/stdout so that we can see
what system() is being expanded to?

This is usually caused by the fact that either /dev/log is not opened at
all or it is using SOCK_DGRAM instead of SOCK_STREAM. the syslog client
built into glibc tries with both SOCK_STREAM and SOCK_DGRAM sockets, but
logger does not use the glibc implementation. I saw logger with both socket
types, however it seems as if it only uses the transport default to a given
distribution's syslogd.

This can be caused by a couple of things:

1) maybe syslog-ng thinks you are running systemd and opens a different
socket for this reason
2) a bug in the system() source
3) something completely different.

You might want to lsof the syslog-ng process only and see which socket it
does open.

Bazsi



-- 
Bazsi

On Sat, Feb 20, 2016 at 11:24 AM, Árpád Magosányi <mag at magwas.rulez.org>
wrote:

> Hi!
>
> "strace logger hello" output contains this line:
> connect(3, {sa_family=AF_LOCAL, sun_path="/dev/log"}, 110) = -1
> ECONNREFUSED (Connection refused)
>
> I see logs in /dev/xconsole, just cannot emit a log line with logger.
> What could be the cause?
>
> additional info:
>
> # cat /etc/syslog-ng/syslog-ng.conf
> @version: 3.3
> @include "scl.conf"
> # First, set some global options.
> options { chain_hostnames(off); flush_lines(0); use-dns(persist_only);
> dns-cache-hosts(/etc/hosts);use_fqdn(no);
>       owner("root"); group("adm"); perm(0640); stats_freq(0);
> time_reap(1000);
>       bad_hostname("^gconfd$");
> };
> source s_src {
>        system();
>        internal();
> };
>
> #destination d_net { tcp("91.143.88.140" port(10000)
> tls(ca-dir("/etc/ssl") cert-file("/etc/ssl/newcert.pem")
> key_file("/etc/ssl/private/newkey.pem") )); };
> destination d_net { tcp("infra.edemokraciagep.org" port(10000)
> tls(ca-dir("/etc/ssl") peer-verify(optional-untrusted))); };
>
> destination d_messages { file("/var/log/messages");};
>
> destination d_xconsole { pipe("/dev/xconsole"); };
> destination d_apache_console { pipe("/dev/apacheconsole"); };
>
>
> filter apache_log { program("apache"); };
> filter non_apache_log { not program("apache"); };
>
> destination d_vhost_gepnarancs { file("/var/log/vhost_gepnarancs"); };
> filter f_gepnarancs { program("apache:php:gepnarancs") or
> message("gepnarancs"); };
> log { source(s_src); filter(f_gepnarancs);
> destination(d_vhost_gepnarancs); };
>
> log { source(s_src); destination(d_messages); };
>
> log { source(s_src); filter(non_apache_log) ; destination(d_xconsole); };
>
> log { source(s_src); filter(apache_log); destination(d_apache_console); };
>
> log { source(s_src); destination(d_net); };
>
> @include "/etc/syslog-ng/conf.d/"
>
> ---------------------------------
> # lsof |grep /dev/xconsole
> syslog-ng  2608            root   15u     FIFO                0,5
> 0t0      19564 /dev/xconsole
> cat        2641            root    3r     FIFO                0,5
> 0t0      19564 /dev/xconsole
> ---------------------------------
> # lsof |grep /dev/log
> [no output]
> ---------------------------------
> # dpkg -l syslog-ng
> Desired=Unknown/Install/Remove/Purge/Hold
> |
>
> Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name
> Version                       Architecture                  Description
>
> +++-================================================-=============================-=============================-======================================================================================================
> ii  syslog-ng
> 3.5.6-2                       all                           Enhanced
> system logging daemon (metapackage)
> --------------------------------
> # ls -l /dev/log
> srw-rw-rw- 1 root root 0 Feb 20 11:03 /dev/log
> --------------------------------
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20160220/c83196cd/attachment.htm 


More information about the syslog-ng mailing list