[syslog-ng] File destination is not being written, when it can not bind remote host address
Laszlo Szemere (lszemere)
Laszlo.Szemere at oneidentity.com
Wed Jul 29 10:33:07 UTC 2020
Hello Alex,
Your second log path (where the remote destination is configured) applies flow-control:
log {
    source(s_src);
    rewrite(r_host);
    filter(f_remote_test_udp);
    destination(d_test_udp);
    flags(flow-control);
};
Since your remote destination is not available, once all the related buffers are filled, the s_src source will be suspended. When a source is in a suspended state, syslog-ng will not read logs from it. There is no problem with your local file; there are simply "no new logs" to write.
Best regards,
Laci
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos at gmail.com>
Sent: Wednesday, July 29, 2020 10:51
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] File destination is not being written, when it can not bind remote host address
Hi,
I do not know if this is a seen issue or not. I am using syslog-ng version 3.19 on Debian 10.
I have the configuration attached to this email, syslog-ng.conf, which has one local file destination and one remote host destination.
1. Start the syslog-ng
The localip of the syslog destination is not available, and therefore I get these errors, as expected:
syslog-ng[1482]: [2020-07-27T12:58:00.069422] Error binding socket; addr='AF_INET(10.0.2.6:0)', error='Cannot assign requested address (99)'
syslog-ng[1482]: [2020-07-27T12:58:00.069439] Initiating connection failed, reconnecting; time_reopen='60'
2. After some time running, syslog-ng stops sending the logs to the local file. Why?
3. If I reload the syslog-ng configuration, without the remote destination, the old logs are immediately flushed to the local file.
Jul 27 15:05:55 localhost syslog-ng[29680]: [2020-07-27T15:05:55.378019] Incoming log entry from journal; message='[2020-07-27T13:44:06.890952] Outgoing message; message=\'<30>1 2020-07-27T13:44:06.772+00:00 localhost syslog-ng 29680 - - [2020-07-27T13:44:06.772722] Processing the time zone file (32bit part); filename=\\'/usr/share/zoneinfo/UTC\\'\x0a\''
Jul 27 15:05:55 localhost syslog-ng[29680]: [2020-07-27T15:05:55.378032] json-parser(): no marker at the beginning of the message, skipping JSON parsing ; input='[2020-07-27T13:44:06.890952] Outgoing message; message=\'<30>1 2020-07-27T13:44:06.772+00:00 localhost syslog-ng 29680 - - [2020-07-27T13:44:06.772722] Processing the time zone file (32bit part); filename=\\'/usr/share/zoneinfo/UTC\\'\x0a\'', marker='@cim:'
Is this a new issue?
Is there any configuration to prevent this?
Also attached is the journalctl output of syslog-ng in debug mode (syslog-ng -Fvde).
Thanks and regards,
Alex
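
The configuration change that the flow-control explanation in this thread points to, as an added example that is not part of either message or of the poster's attached syslog-ng.conf. The names s_src, r_host, f_remote_test_udp and d_test_udp are taken from the thread; d_remote_buffered, the address 192.0.2.10 and all sizes are assumed placeholders.

```conf
# Before (quoted in the thread): flow-control on the path to the unreachable
# destination. Once the buffers of d_test_udp are full, s_src is suspended,
# so every other log path that reads from s_src also stops receiving messages.
#
# log {
#     source(s_src);
#     rewrite(r_host);
#     filter(f_remote_test_udp);
#     destination(d_test_udp);
#     flags(flow-control);
# };

# Option A: the same path without flags(flow-control).
# When the output queue of d_test_udp is full, messages for this destination
# are dropped instead of suspending s_src, so the local file keeps being written.
# Trade-off: the remote side loses messages during the outage.
log {
    source(s_src);
    rewrite(r_host);
    filter(f_remote_test_udp);
    destination(d_test_udp);
};

# Option B: to lose fewer remote messages during an outage, give the remote
# destination a disk buffer and reference it in the path above in place of
# d_test_udp. Without flow-control the source is still never suspended;
# messages are dropped only after the disk buffer is full.
# Hypothetical destination: address and sizes are placeholders.
destination d_remote_buffered {
    network("192.0.2.10"
        disk-buffer(
            disk-buf-size(104857600)   # bytes kept on disk (100 MiB)
            mem-buf-length(10000)      # messages kept in memory
            reliable(no)
        )
    );
};
```

After a reload, syslog-ng's own drop statistics for the remote destination (for example via `syslog-ng-ctl stats`) show whether the queue size chosen is large enough for the outages you expect.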