[syslog-ng] syslog-ng stats to ES ?

Scot scotrn at gmail.com
Wed Oct 18 16:52:05 UTC 2017


syslog-ng-ctl fails with
/usr/lib/systemd/system/syslog-ng.service
ExecStart=/usr/sbin/syslog-ng --control /var/run/syslog-ng.ctl -F $SYSLOGNG_OPTS -p /var/run/syslogd.pid

Looks like syslog-ng-ctl does NOT work when added as a CLI option.
Probably need to be added to an env file /etc/sysconfig.

# ps -ef | grep syslog
root     14293     1 24 12:37 ?        00:00:01 /usr/sbin/syslog-ng --control /var/run/syslog-ng.ctl -F -p /var/run/syslogd.pid
root     14316 14120  0 12:37 pts/0    00:00:00 grep --color=auto syslog

# lsof -p 14293 | grep ctl
syslog-ng 14293 root    5u     unix 0xffff880310fbd800       0t0 41294162 /var/run/syslog-ng.ctl
# lsof /var/run/syslog-ng.ctl
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
syslog-ng 14293 root    5u  unix 0xffff880310fbd800      0t0 41294162 /var/run/syslog-ng.ctl
# syslog-ng-ctl stats
Error connecting control socket, socket='/var/lib/syslog-ng/syslog-ng.ctl', error='Connection refused'
# ls -al /var/lib/syslog-ng/syslog-ng.ctl
srwxr-xr-x. 1 root root 0 Oct 17 17:19 /var/lib/syslog-ng/syslog-ng.ctl
# ls -al /var/run/syslog-ng.ctl
srwxr-xr-x. 1 root root 0 Oct 18 12:37 /var/run/syslog-ng.ctl


I shut down syslog-ng, removed the file and the ctl file from the
syslog-ng.service.
Looks like the default is /var/lib/syslog-ng/syslog-ng.ctl; everything runs
fine with that.

# lsof -p 27812 | grep ctl
syslog-ng 27812 root    5u     unix 0xffff88033269a400       0t0 41025397 /var/lib/syslog-ng/syslog-ng.ctl

One thing I did notice is query "*" adds a .written metric for each
destination, which is missing from syslog-ng-ctl stats (maybe expected, I
didn't cross ref).



On Wed, Oct 18, 2017 at 2:16 AM, Scheidler, Balázs <
balazs.scheidler at balabit.com> wrote:

> That socket should be opened, even without the control option. So if you
> get that error, that means it's somewhere else, or we didn't open it for some
> reason.
> Can you run lsof on the syslog-ng process? That should display the control
> socket.
>
> Also, syslog-ng-ctl reload would use the very same socket. Does that work?
>
> On Oct 17, 2017 21:01, "Scot" <scotrn at gmail.com> wrote:
>
>> CentOS 7
>>
>> I added --control /var/run/syslog-ng.ctl to
>>
>> * /usr/lib/systemd/system/syslog-ng.service *
>> ExecStart=/usr/sbin/syslog-ng --control /var/run/syslog-ng.ctl -F
>> $SYSLOGNG_OPTS -p /var/run/syslogd.pid
>>
>>
>>  syslog-ng-ctl query get /var/run/syslog-ng.ctl
>> Error connecting control socket, socket='/var/lib/syslog-ng/syslog-ng.ctl',
>> error='Connection refused'
>>
>>
>>
>> On Tue, Oct 17, 2017 at 2:44 PM, Scot <scotrn at gmail.com> wrote:
>>
>>> Where are the query options documented ?   Been looking Google, Balabit
>>> for an hour.
>>> man pages have nothing.
>>>
>>> On Tue, Oct 17, 2017 at 11:42 AM, Czanik, Péter <
>>> peter.czanik at balabit.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> If you work with syslog-ng-ctl you can give "jo" ( JSON output:
>>>> https://github.com/jpmens/jo ) a try. I only did some basic tests, but
>>>> it seems to me that it can turn the output of "syslog-ng-ctl query" into
>>>> JSON.
>>>>
>>>> Bye,
>>>>
>>>> Peter Czanik (CzP) <peter.czanik at balabit.com>
>>>> Balabit / syslog-ng upstream
>>>> https://www.balabit.com/blog/author/peterczanik/
>>>> https://twitter.com/PCzanik
>>>>
>>>> On Tue, Oct 17, 2017 at 5:20 PM, Scheidler, Balázs <
>>>> balazs.scheidler at balabit.com> wrote:
>>>>
>>>>> Difficult, the whole problem is naming of the name value pairs.
>>>>>
>>>>> The idea behind stats is to generate all name value pairs in one
>>>>> message, and this simply does not scale. You are almost certainly
>>>>> interested in a set of values or an aggregate of a set, and not everything.
>>>>>
>>>>> Just set stats-level() to 3, and look at the stats message.
>>>>>
>>>>> I am not saying it's impossible, just that it requires some thought.
>>>>>
>>>>> On Oct 17, 2017 17:09, "Scot" <scotrn at gmail.com> wrote:
>>>>>
>>>>>> How about an output modifier ?
>>>>>>
>>>>>> On Tue, Oct 17, 2017 at 11:02 AM, Scheidler, Balázs <
>>>>>> balazs.scheidler at balabit.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> the issue with the internal stats() message is that if you have a
>>>>>>> lot of counters that message is truncated. Also, it is pretty difficult to
>>>>>>> parse.
>>>>>>>
>>>>>>> So I would vote for the "poll syslog-ng-ctl and generate messages"
>>>>>>> solution.
>>>>>>>
>>>>>>> BTW: the internal PE team did something in this area, they created
>>>>>>> some sort of internal source that does this polling, but I am not sure how
>>>>>>> that works. Possibly there's documentation :)
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Bazsi
>>>>>>>
>>>>>>> On Tue, Oct 17, 2017 at 4:37 PM, Scot <scotrn at gmail.com> wrote:
>>>>>>>
>>>>>>>> Doesn't stats_freq() set an interval to log stats to syslog already?
>>>>>>>>
>>>>>>>> Description: The period between two STATS messages in seconds.
>>>>>>>> STATS are log messages sent by syslog-ng, containing statistics
>>>>>>>> about dropped log messages. Set to 0 to disable the STATS messages.
>>>>>>>>
>>>>>>>> So
>>>>>>>> internal_src -> format > elasticsearch -> syslog-ng_stats index ?
>>>>>>>>
>>>>>>>> On Mon, Oct 16, 2017 at 11:01 AM, Evan Rempel <erempel at uvic.ca>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> I have a perl script that collects some stats and logs them to
>>>>>>>>> syslog again. The syslog stream gets sent to ES, so they end up there, but
>>>>>>>>> as a syslog line, not a specific statistic item for things like grafana.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 10/15/2017 05:57 PM, Scot wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>>   Looked around for a few hours and didn't see anything.
>>>>>>>>>>
>>>>>>>>>> Has anyone worked on sending syslog-ng stats to ES ?
>>>>>>>>>> I see several ways I could but wondering if anyone has already. A
>>>>>>>>>> push method directly from syslog-ng would be awesome.
>>>>>>>>>>
>>>>>>>>>> Scot
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> ______________________________________________________________________________
>>>>>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>>>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>
>
>
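
The "poll syslog-ng-ctl and generate messages" approach discussed in this thread, as an added example that is not part of the original messages or syslog-ng's own code: it parses the semicolon-separated output of syslog-ng-ctl stats into one Elasticsearch bulk document per counter, using the syslog-ng_stats index name suggested above. The field names, host value and sample counters are assumptions, and read_stats passes --control= so the client talks to the same socket the daemon was started with.

```python
import json
import subprocess

FIELDS = ("source_name", "source_id", "source_instance", "state", "type")

# Constructed sample in the semicolon-separated layout printed by
# `syslog-ng-ctl stats`; the values are made up for illustration.
SAMPLE = """\
SourceName;SourceId;SourceInstance;State;Type;Number
center;;received;a;processed;1204
destination;d_es;;a;processed;1200
dst.program;d_p#0;/bin/sh -c 'a; b';a;processed;7
truncated;line
"""


def read_stats(control_socket):
    """Run syslog-ng-ctl against an explicit control socket path."""
    cmd = ["syslog-ng-ctl", "stats", "--control=" + control_socket]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_stats(text):
    """Turn stats output into one dict per counter, skipping malformed lines."""
    counters = []
    for line in text.splitlines():
        parts = line.strip().split(";")
        # The header and truncated lines have no numeric last field.
        if len(parts) < 6 or not parts[-1].isdigit():
            continue
        # The instance may contain ';', so take fixed fields from both ends.
        values = parts[:2] + [";".join(parts[2:-3])] + parts[-3:-1]
        row = dict(zip(FIELDS, values))
        row["value"] = int(parts[-1])
        counters.append(row)
    return counters


def to_bulk(counters, timestamp, host, index="syslog-ng_stats"):
    """Build an Elasticsearch _bulk body: an action line, then the document."""
    lines = []
    for row in counters:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(dict(row, **{"@timestamp": timestamp, "host": host})))
    return "\n".join(lines) + "\n"
```

On a live host, to_bulk(parse_stats(read_stats("/var/run/syslog-ng.ctl")), ...) yields the body to POST to the cluster's _bulk endpoint; older Elasticsearch releases may also require a _type in the action line.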