[syslog-ng] syslog-ng running but not writing logs

buckingham at nym.hush.com
Mon Nov 27 16:58:43 UTC 2017


Many Thanks for your reply. As in my original message, the stub config
that I am using to test is indicated, so yes unix-dgram("/dev/log") is
there. In the original config I have both the unix-dgram("/dev/log")
and file("/dev/klog" follow-freq(0) program_override("kernel: ")
flags(no-parse)) but still no logs.

You pointed me to the OBSD syslogd man page but it is unclear how
syslogd affects the syslog-ng software; syslogd is disabled on the
system(s). The syslog-ng is stand-alone; it only collects "localhost"
logs which are check-summed and backed-up on a regular basis. There is
no udp involved.

The problem does not occur on some older OBSD releases. In an effort
to test this with a newer OBSD, I set up an OBSD 5.5 VM with syslog-ng
3.4.7 and it works perfectly, as it does with 4.[8-9]. The same config
file was used on each of the servers with only minor changes. Maybe I
will have to set up OBSD 5.[6-9] VMs to find out exactly when things
changed.

Cheers,
Chris

On 27/11/2017 at 1:21 PM, "Scot" wrote:
Try /dev/log or /dev/klog ?
https://man.openbsd.org/syslogd.8
syslogd opens a UDP socket, as specified in _/etc/services_, for
sending forwarded messages. By default all incoming data on this
socket is discarded. If insecure mode is switched on with -u, it will
also read messages from the socket. syslogd also opens and reads
messages from the UNIX-domain socket _/dev/log_, and from the special
device _/dev/klog_ (to read kernel messages), and from sendsyslog(2)
(to read messages from userland processes).

On Wed, Nov 22, 2017 at 6:49 AM,   wrote:
Hello forum members,

Having spent a couple of weeks on this problem I thought someone
might be able to help getting syslog-ng 3.9.1 to write log files on
OpenBSD 6.2.

The O/S was a fresh install, then syslog-ng and lastly BIND. No other
packages except syslog-ng and BIND dependencies have been installed.
No binaries or libs from BIND conflict or replace any from the
syslog-ng installation.

The .conf file was copied over from an older OpenBSD system, also
running an older WORKING syslog-ng (3.1.1). The required changes to
the .conf were made so that syslog-ng 3.9.1 with supervisor starts
and remains running. By killing the syslog-ng process I was able to
test that the supervisor process restarts syslog-ng. The rc.d script
starts, stops and restarts syslog-ng as expected.

/usr/local/sbin/syslog-ng -s returns no errors, indicating that the
config file is sane.

In /var/log the only thing it  writes are syslog-ng start/stop
messages. In an effort to localise the  problem, a stub syslog-ng.conf
was created with the following contents:
	@version: 3.9.1
	source s_local {
	        unix-dgram("/dev/log");
	};
	#
	destination catchall { file(/var/log/catchall); };
	log { source(s_local); destination(catchall); };

The permissions and ownership on /var, /var/log, /var/run, and /etc
are correct according to the OpenBSD /etc/mtree/special file.
Syslog-ng starts retaining root permissions (default) and creates
/dev/log if it does not exist. The syslog_ng_flags I use are:
	"-R /var/run/syslog_ng.persist -c /var/run/syslog_ng.ctl -p /var/run/syslog_ng.pid"
Have tried running without any flags to see if that would help, but
did not help.

The output of syslog-ng -V is:
	syslog-ng 3.9.1
	Installer-Version: 3.9.1
	Revision:
	Module-Directory: /usr/local/lib/syslog-ng
	Module-Path: /usr/local/lib/syslog-ng
	Available-Modules: affile,afprog,afsocket,afsql,afuser,basicfuncs,cef,confgen,cryptofuncs,csvparser,curl,date,dbparser,disk-buffer,geoip-plugin,graphite,kvformat,linux-kmsg-format,pseudofile,system-source,add-contextual-data,json-plugin,syslogformat
	Enable-Debug: off
	Enable-GProf: off
	Enable-Memtrace: off
	Enable-IPv6: on
	Enable-Spoof-Source: off
	Enable-TCP-Wrapper: off
	Enable-Linux-Caps: off

On my hunt I found a message on NARKIVE where a user was having the
same problem with syslog-ng 3.6 on OpenBSD 5.9; there was no
solution. There was a reply saying: "With the changes in 5.6 using
sendsyslog(2), only syslogd picks up local syslog. Search the
openbsd-ports list for syslog-ng to see some comments on it.".

After a further search I turned up nothing that would help.

Have also tried to compile syslog-ng 3.12 from source to see if that
might help solve the problem, but no success on OpenBSD.

Many thanks in advance.
CB
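
The following probe is an added example, not part of the thread and not syslog-ng project code. It writes one datagram straight to a unix-dgram socket such as /dev/log, so the source in the stub config can be tested without going through syslog(3), which the reply quoted above says uses sendsyslog(2) since OpenBSD 5.6. The tag "dgram-probe" and the function names are hypothetical, and self_check() uses a constructed listener in a temporary directory as a stand-in for /dev/log.

```python
import os
import socket
import sys
import tempfile


def format_bsd_syslog(tag, text, facility=1, severity=5):
    """Build a BSD-syslog style datagram: <PRI>tag: text, PRI = facility*8 + severity."""
    return f"<{facility * 8 + severity}>{tag}: {text}".encode()


def probe_unix_dgram(path, payload):
    """Send one datagram directly to a unix-dgram socket, bypassing libc syslog().

    Returns "delivered" (a bound socket accepted it), "no-socket" (path is
    missing) or "no-listener" (socket file exists but nothing is bound to it).
    """
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.sendto(payload, path)
        return "delivered"
    except FileNotFoundError:
        return "no-socket"
    except ConnectionRefusedError:
        return "no-listener"
    finally:
        sock.close()


def self_check():
    """Run the probe against a constructed listener standing in for /dev/log."""
    path = os.path.join(tempfile.mkdtemp(), "log")
    results = [probe_unix_dgram(path, b"x")]      # socket file not created yet
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    listener.bind(path)
    listener.settimeout(2)
    msg = format_bsd_syslog("dgram-probe", "constructed test line")
    results.append(probe_unix_dgram(path, msg))   # listener is bound
    received = listener.recv(2048)
    listener.close()                              # leaves a stale socket file
    results.append(probe_unix_dgram(path, msg))
    return results, received


if __name__ == "__main__":
    if len(sys.argv) > 1:                         # e.g. /dev/log
        line = format_bsd_syslog("dgram-probe", "test via unix-dgram")
        print(probe_unix_dgram(sys.argv[1], line))
    else:
        print(self_check())
```

If the probe reports "delivered" and its line appears in /var/log/catchall while messages sent through syslog(3) do not, the source and destination are working and those messages are not arriving on /dev/log.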
