[syslog-ng] Java issue with elasticsearch

Scheidler, Balázs balazs.scheidler at balabit.com
Mon May 28 04:15:47 UTC 2018


There was a bug that caused errors to be reported incorrectly in case a
block reference (in this case probably elasticsearch2) spans multiple lines.
The fix is already in master.

The bug was introduced in 3.15 IIRC, and this PR contains the fix:
https://github.com/balabit/syslog-ng/pull/2035

-- 
Bazsi

On Sun, May 27, 2018 at 6:53 PM, Kókai Péter <peter.kokai at balabit.com>
wrote:

> Hello,
>
> I have tried to reproduce your issue with the included configuration file,
> but it did not cause me the same trouble.
>
> If by any chance you have syslog-ng compiled with debug enabled, in that
> case you can start with an additional flag: '-y' to debug the grammar
> parser. (If yes, please share the result of that debug.)
> (With -V flag you can determine if it is compiled with debug: syslog-ng -V)
>
> If the debug mode is not possible you can still pinpoint where the
> issue is by commenting out lines from the configuration.
>
> Or help me to reproduce this on my machine. I have tried to use ubuntu
> 18.04 docker image and installed syslog-ng from this repository:
> http://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/xUbuntu_18.04
>
> syslog-ng -V
> syslog-ng 3 (3.15.1)
> Config version: 3.15
> Installer-Version: 3.15.1
> Revision: 3.15.1-1
> Compile-Date: Apr 19 2018 08:29:20
>
>
> --
> Kokan
>
> On Fri, May 25, 2018 at 10:06 PM Komi Elitcha <kmw.elitcha at gmail.com>
> wrote:
>
>> Kokan,
>>
>> Please see attached.
>>
>> Furthermore, the "log {---}" syntax is the one provided from install; I
>> didn't modify it.
>>
>> Regards,
>>
>> Le 25/05/2018 à 19:52, Kókai Péter a écrit :
>>
>> Hello,
>>
>> Would it be possible to share your configuration file as an attachment,
>> or upload it somewhere?
>>
>> The error message indicates that the parser reached the end of the
>> file (of course it is not), but it requires the ';' to close the previous
>> block. It also points to the place where it found the file end.
>>
>> 177     log { source(s_src); filter(f_crit); destination(d_console); };
>> 178--->
>> 178---> ^
>>
>> Removing that empty line might also help. (It points to the empty line
>> and not to the log)
>>
>> --
>> Kokan
>>
>> On Fri, May 25, 2018 at 9:42 PM Komi Elitcha <kmw.elitcha at gmail.com>
>> wrote:
>>
>>> Hello Kokan,
>>>
>>> I double checked inside '/etc/syslog-ng/syslog-ng.conf' file and I
>>> don't have any '\r' carriage.
>>>
>>> Are you pointing me to another conf file?
>>>
>>> Regards,
>>>
>>> Le 25/05/2018 à 19:10, Kókai Péter a écrit :
>>>
>>> Hello,
>>>
>>> You probably have a '\r' carriage return in your configuration, that is
>>> not supported. Remove it and it should work :)
>>>
>>> --
>>> Kokan
>>>
>>> On Fri, May 25, 2018 at 8:59 PM Komi Elitcha <kmw.elitcha at gmail.com>
>>> wrote:
>>>
>>>> Oups...
>>>>
>>>> Additionally, I'm getting an error saying that syslog-ng-core is not
>>>> configured yet.
>>>>
>>>> I hope I didn't miss anything.
>>>>
>>>> Thanks.
>>>>
>>>> Le 25/05/2018 à 18:39, Komi Elitcha a écrit :
>>>>
>>>> Thank you Gabor,
>>>>
>>>> Your below comments were very helpful and I suspect I've solved the
>>>> java issue (maybe I should open a new thread).
>>>>
>>>> After setting correctly the java env in bashrc, this is the output I get
>>>> from #syslog-ng -Fve command:
>>>>
>>>>
>>>> Error parsing config, syntax error, unexpected $end, expecting ';' in /etc/syslog-ng/syslog-ng.conf:
>>>> 173     log { source(s_src); filter(f_messages); destination(d_messages); };
>>>> 174
>>>> 175     log { source(s_src); filter(f_console); destination(d_console_all);
>>>> 176                         destination(d_xconsole); };
>>>> 177     log { source(s_src); filter(f_crit); destination(d_console); };
>>>> 178--->
>>>> 178---> ^
>>>> 179     # All messages send to a remote site
>>>> 180     #
>>>> 181     #log { source(s_src); destination(d_net); };
>>>> 182     log { source(s_net); destination(d_es); flags(flow-control); };
>>>> 183
>>>>
>>>>
>>>> I cannot see any syntax error (regarding the ';') in my syslog-ng.conf
>>>> file. Is there any known bug related to this? Also, I wonder why "log {---}"
>>>> syntaxes are returning errors.
>>>>
>>>>
>>>> Regards,
>>>>
>>>>
>>>>
>>>>
>>>> Le 25/05/2018 à 10:20, Nagy, Gábor a écrit :
>>>>
>>>> Sorry I forgot to link our blog post about common java problems.
>>>> It could help and explain some common errors during installation.
>>>>
>>>> https://syslog-ng.com/blog/troubleshooting-java-support-syslog-ng/
>>>>
>>>> Regards,
>>>> Gabor
>>>>
>>>> On Fri, May 25, 2018 at 11:35 AM, Nagy, Gábor <gabor.nagy at balabit.com>
>>>> wrote:
>>>>
>>>>> Hi Komi!
>>>>>
>>>>> You need the java package for syslog-ng too: "syslog-ng-mod-java".
>>>>> What is the source of the syslog-ng package you installed?
>>>>>
>>>>> You will need additional steps after you have installed the syslog-ng
>>>>> java package.
>>>>> In our admin we have detailed instructions to setup elasticsearch2
>>>>> destination:
>>>>> https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-destinations-elasticsearch2.html
>>>>>
>>>>> Feel free to ask if you get stuck!
>>>>>
>>>>> Regards,
>>>>> Gabor
>>>>>
>>>>> On Fri, May 25, 2018 at 10:49 AM, Komi Elitcha <kmw.elitcha at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Good day all,
>>>>>>
>>>>>> I'm new to this mailing list.
>>>>>>
>>>>>> I'm setting up syslog-ng+elasticsearch+kibana on an Ubuntu 18.04;
>>>>>> I'm getting the following output/error from command: ]#syslog-ng -Fve
>>>>>>
>>>>>>
>>>>>> Error parsing destination, destination plugin java not found in block destination elasticsearch2 (at /usr/share/syslog-ng/include/scl/elasticsearch/plugin.conf:58:1):
>>>>>> 1
>>>>>> 2----->   java(
>>>>>> 2----->   ^^^^
>>>>>> 3 class_path("/usr/lib/syslog-ng/3.15/java-modules/*.jar:/usr/lib/syslog-ng/3.15/java-modules/elastic-jest-client/*.jar:/opt/syslog-ng/jre1.8.0_171/lib//*.jar")
>>>>>> 4 class_name("org.syslog_ng.elasticsearch_v2.ElasticSearchDestination")
>>>>>> 5           option("index", "*log*")
>>>>>> 6           option("type", "syslog")
>>>>>> 7           option("server", "localhost")
>>>>>>
>>>>>> Included from /etc/syslog-ng/syslog-ng.conf:
>>>>>> 90      # Debian only
>>>>>> 91      destination d_ppp { file("/var/log/ppp.log"); };
>>>>>> 92
>>>>>> 93      # Elasticsearch destination
>>>>>> 94      destination d_es {
>>>>>> 95---->     elasticsearch2(
>>>>>> 95---->     ^^^^^^^^^^^^^^^^
>>>>>> 96                cluster("syslog-ng")
>>>>>> 97                client-lib-dir("/usr/share/elasticsearch/lib/")
>>>>>> 98 client-lib-dir("/opt/syslog-ng/jre1.8.0_171/lib/")
>>>>>> 99                time-zone("UTC")
>>>>>> 100               cluster-url("http://localhost:9200")
>>>>>>
>>>>>>
>>>>>> Any help is welcome.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> ______________________________________________________________________________
>>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> --
>>>> KE
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> --
>>> KE
>>>
>>>
>> --
>> --
>> KE
>>
>>
>>
>
>
>
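
The carriage-return check suggested earlier in the thread, followed by a parser-only run, as an added example that is not part of the original messages. The function names `cr_lines` and `check_config` are hypothetical; `--syntax-only` and `--cfgfile` are the long forms of syslog-ng's `-s` and `-f` options.

```shell
#!/bin/sh
# Added example: pre-flight checks for a syslog-ng configuration file.
# Function names are hypothetical; the default path is the one quoted in the thread.

# Print the numbers of all lines containing a carriage return,
# space separated on one line. Prints nothing if the file is clean.
cr_lines() {
    awk 'index($0, "\r") { printf "%s%s", sep, NR; sep = " " }
         END { if (sep) print "" }' "$1"
}

# Report CR-terminated lines, then let syslog-ng parse the file without
# starting the daemon. Returns non-zero if either check fails.
check_config() {
    conf=${1:-/etc/syslog-ng/syslog-ng.conf}
    status=0

    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi

    lines=$(cr_lines "$conf")
    if [ -n "$lines" ]; then
        echo "$conf: carriage return on line(s): $lines" >&2
        status=1
    fi

    # Parser-only run: reports the same "Error parsing config" output
    # as a normal start, but exits after reading the configuration.
    if command -v syslog-ng >/dev/null 2>&1; then
        syslog-ng --syntax-only --cfgfile "$conf" || status=1
    else
        echo "syslog-ng not found in PATH, skipping syntax check" >&2
    fi

    return "$status"
}

# Run the checks only when a file is given on the command line.
if [ "$#" -gt 0 ]; then
    check_config "$1"
fi
```

Running this before restarting the daemon keeps a broken edit from stopping log collection on the host.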