[syslog-ng] Syslog-ng, centos7 and systemd seem to hate each other

Scheidler, Balázs balazs.scheidler at balabit.com
Sun Feb 19 12:49:49 UTC 2017


Well, you can name filters the way you want, so unless you show this
excerpt from the config, I am unable to help you.

On Feb 19, 2017 7:53 AM, "Anil Panchal" <anil.panchal8181 at gmail.com> wrote:

> Hi
>
> It is one of the filters configured in our syslog-ng environment,
> i.e. the syslog-ng.conf file.
> It is configured in syslog forwarding rules for the destination server.
>
> Thanks
> Anil
> On 19-Feb-2017 12:52 am, "Scheidler, Balázs" <balazs.scheidler at balabit.com>
> wrote:
>
>> Hi,
>>
>> Where do you see this f_undebug ?
>>
>> On Feb 18, 2017 9:21 AM, "Anil Panchal" <anil.panchal8181 at gmail.com>
>> wrote:
>>
>>> Hi guys,
>>> I have one question here for you.
>>> What is filter (f_undebug) used for? What is the purpose of this
>>> function in the syslog-ng.conf file, especially in syslog forwarding rules?
>>>
>>> Can someone help me on this..?
>>>
>>> Thanks in Advance..!!
>>>
>>> Thanks
>>> Anil Panchal
>>> On 17-Feb-2017 10:49 pm, "Jordan Ladora" <vicepresjoebiden at gmail.com>
>>> wrote:
>>>
>>>> Yes, SELinux indeed was the issue. Not sure why my SELinux config in
>>>> the past allowed this, but it was being blocked currently on the default
>>>> port.
>>>>
>>>> Updating the policy with-
>>>>
>>>> sudo semanage port -a -t syslogd_port_t -p tcp 36598
>>>>
>>>> ...allows syslog-ng to log without having to start it manually from the
>>>> terminal (where, as you pointed out, it runs unconfined. Otherwise it runs
>>>> as syslogd_t and by default was limited to ports 514 & 601 and blocked on
>>>> the default tcp 36598).
>>>>
>>>> Thank you!
>>>>
>>>>
>>>> On Thu, Feb 16, 2017 at 6:54 PM, Scheidler, Balázs <
>>>> balazs.scheidler at balabit.com> wrote:
>>>>
>>>>> I have now tested this combination on CentOS 7, and collecting local
>>>>> log messages does seem to work for me.
>>>>>
>>>>> Please note that syslog-ng will detect whether it is running under
>>>>> systemd at runtime, and it does it this way:
>>>>> ```
>>>>>   if (lstat("/run/systemd/system/", &st) < 0 || !S_ISDIR(st.st_mode))
>>>>> ```
>>>>>
>>>>> i.e. it is checking whether /run/systemd/system is a directory. If it
>>>>> is, the system() source will use systemd-journal() as its source. If this
>>>>> does not exist, it will fall back to /dev/log.
>>>>>
>>>>> syslog-ng would report the result of this check with a debug level
>>>>> message:
>>>>> ```
>>>>>       msg_debug("Systemd is not detected as the running init system");
>>>>> ```
>>>>>
>>>>> or
>>>>>
>>>>> ```
>>>>>       msg_debug("Systemd is detected as the running init system");
>>>>> ```
>>>>>
>>>>> The program destination stuff should really be independent of the init
>>>>> system, but a different AppArmor/SELinux config might be the culprit
>>>>> though. When you launch it from the console, it would be unconfined, but
>>>>> with systemd, a policy might be applied that does NOT allow executing
>>>>> external programs.
>>>>>
>>>>> I hope this helps.
>>>>>
>>>>>
>>>>> --
>>>>> Bazsi
>>>>>
>>>>> On Mon, Feb 13, 2017 at 6:54 AM, Fabien Wernli <wernli at in2p3.fr>
>>>>> wrote:
>>>>>
>>>>>> On Fri, Feb 10, 2017 at 09:32:21PM +0000, Clayton Dukes wrote:
>>>>>> > If I do a 'systemctl stop syslog-ng' and then just simply type
>>>>>> > 'syslog-ng' (no foreground, debug, etc. switches) from the command line, it
>>>>>> > works fine.
>>>>>> > Rather confusing, but I can't see why the systemctl file is not
>>>>>> > working as it should.
>>>>>> > Any ideas?
>>>>>>
>>>>>> try this: in a terminal run `journalctl -f` as root.
>>>>>> In another terminal, run `systemctl start syslog-ng`.
>>>>>>
>>>>>> If you don't see anything useful on the journalctl terminal, try
>>>>>> increasing the verbosity of syslog-ng (either by editing
>>>>>> `/etc/sysconfig/syslog-ng`, or by modifying
>>>>>> `/lib/systemd/system/syslog-ng.service` and running
>>>>>> `systemctl daemon-reload`).
>>>>>>
>>>>>> ______________________________________________________________________________
>>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>>
>>>>>>
>>>>>
>
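
A pre-check for the SELinux fix described in the thread, as an added example that is not part of any poster's message or of syslog-ng: it parses `semanage port -l`-style output and reports whether a port is labelled `syslogd_port_t` before the daemon is pointed at it. The port table is a constructed sample, and the function names `port_has_label` and `check_syslog_port` are hypothetical.

```sh
#!/bin/sh
# Constructed sample in `semanage port -l` format (not captured from a real host).
# On a live system: PORT_TABLE=$(semanage port -l)
PORT_TABLE='SELinux Port Type              Proto    Port Number

ephemeral_port_t               tcp      32768-61000
ssh_port_t                     tcp      22
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514'

# port_has_label TYPE PROTO PORT
# Reads a port table on stdin; exit status 0 if PORT/PROTO carries TYPE.
port_has_label() {
    awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            # Fields 3..NF are a comma-separated list of ports and lo-hi ranges.
            list = ""
            for (i = 3; i <= NF; i++) list = list $i
            n = split(list, items, ",")
            for (i = 1; i <= n; i++) {
                m = split(items[i], r, "-")
                lo = r[1] + 0
                hi = (m == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_syslog_port PROTO PORT
# Prints "allowed" if the port is labelled syslogd_port_t, otherwise the
# semanage command from the thread that would add the label.
check_syslog_port() {
    if printf '%s\n' "$PORT_TABLE" | port_has_label syslogd_port_t "$1" "$2"; then
        echo "allowed"
    else
        echo "blocked: semanage port -a -t syslogd_port_t -p $1 $2"
    fi
}

check_syslog_port tcp 601      # labelled in the sample table
check_syslog_port tcp 36598    # the port from the thread, unlabelled here
```
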