[syslog-ng] syslog-ng Digest, Vol 169, Issue 1

Simon Tyler simon.tyler at aon.com
Wed May 1 19:41:23 UTC 2019


Hi Kokan,

It appears that modules are not loading?

[root@ip-10-8-41-60 syslog-ng]# syslog-ng -V
syslog-ng 3.2.5
Installer-Version: 3.2.5
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#9d4bea28198bd731df1a61e980a2af5b88d81116
Compile-Date: Jul 25 2014 15:20:50
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-SSL: off
Enable-SQL: on
Enable-Linux-Caps: off
Enable-Pcre: on
Enable-Pacct: off

-------------------------------------------------------------
I tried putting the full path to modules.conf in scl.conf:

[root@ip-10-8-41-60 syslog-ng]# cat scl.conf
#############################################################################
# Copyright (c) 2010 BalaBit IT Ltd, Budapest, Hungary
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 as published
# by the Free Software Foundation, or (at your option) any later version.
#
# As an additional exemption you are allowed to compile & link against the
# OpenSSL libraries as published by the OpenSSL project. See the file
# COPYING for details.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#
#############################################################################
#
# This file is placed into /etc/syslog-ng in order to make it trivial to
# include in user written syslog-ng.conf files.  It sets up 'scl-root' and
# `include-path`, then includes all SCL supplied plugins.
#

@define scl-root "`syslog-ng-data`/include/scl"
@define include-path "`include-path`:`syslog-ng-data`/include"

#@include 'modules.conf'
@include '/etc/syslog-ng/modules.conf'
@include 'scl/system/plugin.conf'
@include 'scl/pacct/plugin.conf'
@include 'scl/syslogconf/plugin.conf'

---------------------------------------------------
Debug it seems to be trying to open modules, and it knows where they live:
[root@ip-10-8-41-60 syslog-ng]# syslog-ng --debug
Trying to open module; module='syslogformat', filename='/lib64/syslog-ng/libsyslogformat.so'
Trying to open module; module='basicfuncs', filename='/lib64/syslog-ng/libbasicfuncs.so'
Trying to open module; module='afsocket', filename='/lib64/syslog-ng/libafsocket.so'
Trying to open module; module='affile', filename='/lib64/syslog-ng/libaffile.so'
Trying to open module; module='afprog', filename='/lib64/syslog-ng/libafprog.so'
Trying to open module; module='afuser', filename='/lib64/syslog-ng/libafuser.so'
Trying to open module; module='dbparser', filename='/lib64/syslog-ng/libdbparser.so'
Trying to open module; module='csvparser', filename='/lib64/syslog-ng/libcsvparser.so'
Trying to open module; module='afsql', filename='/lib64/syslog-ng/libafsql.so'
Starting to read include file; filename='/etc/syslog-ng/scl.conf', depth='1'
Global value changed; define='scl-root', value='/usr/share/syslog-ng/include/scl'
Global value changed; define='include-path', value='/etc/syslog-ng:/usr/share/syslog-ng/include'
Starting to read include file; filename='/etc/syslog-ng/modules.conf', depth='2'
Global value changed; define='autoload-compiled-modules', value='0'
Trying to open module; module='syslogformat', filename='/lib64/syslog-ng/libsyslogformat.so'
Attempted to register the same plugin multiple times, ignoring; context='format', name='syslog'
Trying to open module; module='basicfuncs', filename='/lib64/syslog-ng/libbasicfuncs.so'
Attempted to register the same plugin multiple times, ignoring; context='template-func', name='echo'
Attempted to register the same plugin multiple times, ignoring; context='template-func', name='grep'
Attempted to register the same plugin multiple times, ignoring; context='template-func', name='if'
Trying to open module; module='afsocket', filename='/lib64/syslog-ng/libafsocket.so'
Attempted to register the same plugin multiple times, ignoring; context='source', name='unix-stream'
Attempted to register the same plugin multiple times, ignoring; context='destination', name='unix-stream'
Attempted to register the same plugin multiple times, ignoring; context='source', name='unix-dgram'
Attempted to register the same plugin multiple times, ignoring; context='destination', name='unix-dgram'
Attempted to register the same plugin multiple times, ignoring; context='source', name='tcp'
Attempted to register the same plugin multiple times, ignoring; context='destination', name='tcp'
Attempted to register the same plugin multiple times, ignoring; context='source', name='tcp6'
Attempted to register the same plugin multiple times, ignoring; context='destination', name='tcp6'
Attempted to register the same plugin multiple times, ignoring; context='source', name='udp'
Attempted to register the same plugin multiple times, ignoring; context='destination', name='udp'
Attempted to register the same plugin multiple times, ignoring; context='source', name='udp6'
Attempted to register the same plugin multiple times, ignoring; context='destination', name='udp6'
Attempted to register the same plugin multiple times, ignoring; context='source', name='syslog'
Attempted to register the same plugin multiple times, ignoring; context='destination', name='syslog'
Trying to open module; module='affile', filename='/lib64/syslog-ng/libaffile.so'
Attempted to register the same plugin multiple times, ignoring; context='source', name='file'
Attempted to register the same plugin multiple times, ignoring; context='source', name='pipe'
Attempted to register the same plugin multiple times, ignoring; context='destination', name='file'
Attempted to register the same plugin multiple times, ignoring; context='destination', name='pipe'
Trying to open module; module='afprog', filename='/lib64/syslog-ng/libafprog.so'
Attempted to register the same plugin multiple times, ignoring; context='source', name='program'
Attempted to register the same plugin multiple times, ignoring; context='destination', name='program'
Trying to open module; module='afuser', filename='/lib64/syslog-ng/libafuser.so'
Attempted to register the same plugin multiple times, ignoring; context='destination', name='usertty'
Trying to open module; module='dbparser', filename='/lib64/syslog-ng/libdbparser.so'
Attempted to register the same plugin multiple times, ignoring; context='parser', name='db-parser'
Trying to open module; module='csvparser', filename='/lib64/syslog-ng/libcsvparser.so'
Attempted to register the same plugin multiple times, ignoring; context='parser', name='csv-parser'
Finishing include; filename='/etc/syslog-ng/modules.conf', depth='2'
Starting to read include file; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2'
Trying to open module; module='confgen', filename='/lib64/syslog-ng/libconfgen.so'
Finishing include; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2'
Starting to read include file; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2'
Finishing include; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2'
Starting to read include file; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2'
Trying to open module; module='confgen', filename='/lib64/syslog-ng/libconfgen.so'
Finishing include; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2'
Finishing include; filename='/etc/syslog-ng/scl.conf', depth='1'
Error parsing source, source plugin network not found in /etc/syslog-ng/syslog-ng.conf at line 85, column 2:

        network(
        ^^^^^^^
---------------------------------------------------------------
It is not clear to me what the name is for the network module; here are the modules in the file system:
[root@ip-10-8-41-60 syslog-ng]# ls /lib64/syslog-ng/
libaffile.so  libafsocket-notls.so  libafsql.so   libbasicfuncs.so  libconvertfuncs.so  libdbparser.so  libsyslogformat.so
libafprog.so  libafsocket.so        libafuser.so  libconfgen.so     libcsvparser.so     libdummy.so

Thank you for your advice,




Simon Tyler  |  Senior Systems Administrator - PathWise Solutions Group
Aon
225 King Street West, Suite 1000  |  Toronto, ON M5V 3M2, Canada
t +1.416.263.7755  |  m +1.416.564.4855  |  f +1.416.979.7724
simon.tyler at aon.com
PLEASE NOTE that my email address has changed to simon.tyler at aon.com
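
Added example, not part of the original message: the `--debug` output above already shows which plugin names each opened module registers, so it can be checked against the name in the parse error. The sketch below relies on the "Attempted to register the same plugin multiple times" lines, which appear in this log because modules.conf reopens modules that were already loaded, so a module opened only once contributes no names; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The sample is constructed: a shortened
# copy of the --debug output quoted in the message above.
sample_debug_log() {
cat <<'EOF'
Trying to open module; module='afsocket', filename='/lib64/syslog-ng/libafsocket.so'
Attempted to register the same plugin multiple times, ignoring; context='source', name='unix-stream'
Attempted to register the same plugin multiple times, ignoring; context='source', name='tcp'
Attempted to register the same plugin multiple times, ignoring; context='destination', name='tcp'
Attempted to register the same plugin multiple times, ignoring; context='source', name='udp'
Attempted to register the same plugin multiple times, ignoring; context='source', name='syslog'
Trying to open module; module='affile', filename='/lib64/syslog-ng/libaffile.so'
Attempted to register the same plugin multiple times, ignoring; context='source', name='file'
Error parsing source, source plugin network not found in /etc/syslog-ng/syslog-ng.conf at line 85, column 2:
EOF
}

# stdin: `syslog-ng --debug` output. For every "plugin ... not found" error,
# prints: <context> <name> <registered|not-registered> <module:plugin,...>
# where the last field lists what the log shows registered in that context.
check_missing_plugins() {
    awk -v q="'" '
    # Value of key=<q>value<q> in a debug line ("" when the key is absent).
    function val(line, key,    re) {
        re = key "=" q "[^" q "]*" q
        if (!match(line, re)) return ""
        return substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
    }
    # Registrations that follow belong to the module opened last.
    /^Trying to open module;/ { module = val($0, "module"); next }
    /^Attempted to register the same plugin multiple times/ {
        ctx = val($0, "context"); name = val($0, "name")
        seen[ctx, name] = module
        list[ctx] = list[ctx] (list[ctx] == "" ? "" : ",") module ":" name
        next
    }
    # e.g. "Error parsing source, source plugin network not found in ..."
    /^Error parsing .* plugin .* not found/ {
        ctx = $4; name = $6
        status = ((ctx, name) in seen) ? "registered" : "not-registered"
        print ctx, name, status, list[ctx]
    }'
}

sample_debug_log | check_missing_plugins
```

On a live system the same function can be fed with `syslog-ng --debug 2>&1 | check_missing_plugins`.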



-----Original Message-----
From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of syslog-ng-request at lists.balabit.hu
Sent: Wednesday, May 01, 2019 12:47 PM
To: syslog-ng at lists.balabit.hu
Subject: syslog-ng Digest, Vol 169, Issue 1

Today's Topics:

   1.  source plugin network not found/problems getting syslog-ng
      to listen on tcp port (Simon Tyler)
   2. Re:  source plugin network not found/problems getting
      syslog-ng to listen on tcp port (Péter)


----------------------------------------------------------------------

Message: 1
Date: Wed, 1 May 2019 15:22:26 +0000
From: Simon Tyler <simon.tyler at aon.com>
To: "syslog-ng at lists.balabit.hu" <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] source plugin network not found/problems getting
	syslog-ng to listen on tcp port
Message-ID:
	<DM5P170MB0015DD8BF273A79D22817BAAFB3B0 at DM5P170MB0015.NAMP170.PROD.OUTLOOK.COM>
	
Content-Type: text/plain; charset="utf-8"

Hello,

I'm new to syslog-ng, and I'm having some trouble just getting it to listen on a tcp port. I've tried several different configurations. Some of them start up with no error, but a netstat or lsof command shows that there is no open/listening tcp port associated with the process. I'm pretty sure my mistake is basic or fundamental, but I haven't had much luck finding specific details to resolve this issue; there is a fair amount of material to comb through. I've tried several different tutorials.

I want a central log server that accepts logs from multiple sources, so I started by trying to configure it to listen on a tcp port, I'm thinking 514 because we don't use rshell anywhere, but it doesn't really matter what port.

The current error I'm getting is:

[root@ip-10-8-41-60 syslog-ng]# service syslog-ng start
Error parsing source, source plugin network not found in /etc/syslog-ng/syslog-ng.conf at line 85, column 2:

        network(
        ^^^^^^^

The section of the config file related to networking is below; I've commented out several attempts.

# s_net = Network listener. This is listening on TCP port 514, no UDP
#source s_net { tcp(port(514) max-connections(5000)); udp();};

#source s_net {
#       tcp(ip(10.8.41.60) port(514));
#};

#source s_net {
#       network(ip(10.8.41.60) port(514));
#};

#source s_network {
#       default-network-drivers();
#};

#source s_syslog { syslog(
#               ip(10.8.41.60) port(514) transport("tcp")); };

source s_network {
        network(
                ip("10.8.41.60")
                transport("tcp")
                listen-backlog(2048)
                );
};

There is a line at the top of the file:
@include "scl.conf"

I've attached the entire file.

Any guidance would be very much appreciated,

Simon Tyler  |  Senior Systems Administrator - PathWise Solutions Group
Aon
225 King Street West, Suite 1000  |  Toronto, ON M5V 3M2, Canada
t +1.416.263.7755  |  m +1.416.564.4855  |  f +1.416.979.7724
simon.tyler at aon.com<mailto:simon.tyler at aon.com>
PLEASE NOTE that my email address has changed to simon.tyler at aon.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: syslog-ng.conf
Type: application/octet-stream
Size: 4159 bytes
Desc: syslog-ng.conf
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20190501/4cfbf496/attachment-0001.obj>

------------------------------

Message: 2
Date: Wed, 1 May 2019 18:46:41 +0200
From: Péter, Kókai <peter.kokai at oneidentity.com>
To: "Syslog-ng users' and developers' mailing list"
	<syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] source plugin network not found/problems
	getting syslog-ng to listen on tcp port
Message-ID:
	<CABxQCphBGgTm47G=KVSB67Ri6BRKUZYgX-HvAj1SrS9ofMoaoQ at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hello,

It is either looking in the wrong place for the network module, or the
module is actually not installed.

You could run the following: syslog-ng -V
That should provide something like this:

syslog-ng 3.20.1.317.g98479aa
Config version: 3.20
Installer-Version: 3.20.1.317.g98479aa
Revision: 3.20.1.317.g98479aa
Module-Directory: /tmp/install/lib/syslog-ng
Module-Path: /tmp/install/lib/syslog-ng
Include-Path: /tmp/install/share/syslog-ng/include
Available-Modules:
xml,tags-parser,system-source,sdjournal,syslogformat,stardate,snmptrapd_parser,riemann,mod-python,pseudofile,pacctformat,map_value_pairs,linux-kmsg-format,kvformat,json-plugin,http,hook-commands,graphite,tfgetent,geoip2-plugin,geoip-plugin,examples,disk-buffer,dbparser,date,csvparser,cryptofuncs,confgen,cef,basicfuncs,appmodel,afuser,afstomp,afsql,afsocket,afprog,affile,afamqp,add_contextual_data
Enable-Debug: on
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-Linux-Caps: on
Enable-Systemd: on

Check if the "Available-Modules" line has *afsocket*; if *afsocket*
is not listed there, try to look in the "Module-Path:" directory for
*libafsocket.so*. If it is missing, maybe it is actually in a different
package; you may need to install something like syslog-ng-mod-afsocket.

If you find *libafsocket.so* in the directory, I would run
syslog-ng --module-registry -dvt (possibly paste its result here) or look
for an error message as to why it cannot load *libafsocket.so*.


--
Kokan
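
Added example, not part of the original reply: the checks described in the message above, scripted so they also work when `syslog-ng -V` prints no "Module-Path:" or "Available-Modules:" line, as in the 3.2.5 output quoted elsewhere in this thread. The function and sample names are made up for illustration, the samples are constructed from the two `-V` outputs in the thread, and `/lib64/syslog-ng` is the module directory shown in the thread's debug output.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs are constructed from the
# two `syslog-ng -V` outputs quoted in the messages.
sample_v_new() {   # newer build; the mail client wrapped the module list
cat <<'EOF'
syslog-ng 3.20.1.317.g98479aa
Module-Path: /tmp/install/lib/syslog-ng
Available-Modules:
xml,syslogformat,afsql,afsocket,afprog,affile
Enable-IPv6: on
EOF
}

sample_v_old() {   # 3.2.5 prints neither Module-Path nor Available-Modules
cat <<'EOF'
syslog-ng 3.2.5
Installer-Version: 3.2.5
Enable-IPv6: on
EOF
}

# stdin: `syslog-ng -V` output. $1: module name. $2: directory to search when
# -V reports no Module-Path. Prints listed | on-disk:<file> | missing.
module_status() {
    mod=$1 fallback=$2
    info=$(cat)
    # The list may follow the label on the same line or on the next one.
    avail=$(printf '%s\n' "$info" | awk '
        /^Available-Modules:/ {
            sub(/^[^:]*:[ \t]*/, "")
            if ($0 == "") getline
            print; exit
        }')
    # Compare whole comma-separated items so "afsocket" never matches a
    # longer name that merely contains it.
    case ",$avail," in
        *",$mod,"*) echo "listed"; return 0 ;;
    esac
    path=$(printf '%s\n' "$info" | sed -n 's/^Module-Path:[ ]*//p' | head -n 1)
    [ -n "$path" ] || path=$fallback
    old_ifs=$IFS; IFS=:          # Module-Path is a colon-separated list
    for dir in $path; do
        if [ -f "$dir/lib$mod.so" ]; then
            IFS=$old_ifs; echo "on-disk:$dir/lib$mod.so"; return 0
        fi
    done
    IFS=$old_ifs
    echo "missing"
}

sample_v_new | module_status afsocket /lib64/syslog-ng
sample_v_old | module_status afsocket /lib64/syslog-ng
```

An `on-disk` result is the case where the reply suggests running `syslog-ng --module-registry -dvt` to see why the library does not load.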

