[syslog-ng] 3.36.1 new log format of some internal messages

Gabor Nagy (gnagy) Gabor.Nagy at oneidentity.com
Wed Apr 6 12:32:03 UTC 2022


I've double-checked, but we didn't change the internal logging format.
I've also checked syslog-ng 3.31.2, 3.35.1 and 3.36.1 with the published syslog-ng Docker images [1] (that are using the packages generated during a release), and I didn't see a difference.

I think syslog-ng used stderr (where a timestamp has always been applied) and systemd captures stderr of services, hence the reason journald got the log message.
Then syslog-ng read the same message from journald.
The reason why some messages are sent to stderr is that in the early stages of syslog-ng startup, we don't have an internal source yet.

I've reproduced the same behaviour you mentioned. This is from journald:
Apr 06 13:29:27 minke syslog-ng[44729]: [2022-04-06T13:29:27.915350] WARNING: Configuration file format is too old, syslog-ng is running in compatibility mode. Please update it to use the syslog-ng 3.36 format at your time of convenience. To upgrade the configur>
Apr 06 13:29:27 minke syslog-ng[44729]: [2022-04-06T13:29:27.934844] WARNING: The internal_queue_length stat counter has been renamed to internal_source.queued. The old name will be removed in future versions; config-version='3.21'

In short: some of the early internal messages (at config parsing time) will always be logged to stderr, and those will be captured by systemd.

The behaviour though should be the same for both 3.31.2 and 3.36.1.

- Gabor

[1] https://hub.docker.com/r/balabit/syslog-ng
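
Added example (not part of the original message and not syslog-ng project code): a Python filter that picks out the stderr-origin syslog-ng messages described above from journald short-format output by their bracketed timestamp prefix, and separates that prefix from the message text. The function name, the regular expressions and the two lines marked as constructed are assumptions for illustration.

```python
import re
from datetime import datetime

# journald short output: "Apr 06 13:29:27 host ident[pid]: message"
JOURNAL_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<ident>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Timestamp prefix seen on the stderr-origin lines quoted in the post.
STDERR_PREFIX_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6})\] (?P<rest>.*)$"
)

def classify(line):
    """Parse one journald line; flag syslog-ng messages captured from stderr."""
    m = JOURNAL_RE.match(line)
    if m is None:
        return None  # not a journald short-format line
    rec = {"host": m["host"], "ident": m["ident"], "pid": m["pid"],
           "via_stderr": False, "stderr_time": None, "message": m["msg"]}
    p = STDERR_PREFIX_RE.match(m["msg"])
    # Only treat the prefix as syslog-ng's own when syslog-ng wrote the line.
    if p is not None and m["ident"] == "syslog-ng":
        rec["via_stderr"] = True
        rec["stderr_time"] = datetime.fromisoformat(p["ts"])
        rec["message"] = p["rest"]  # text without the duplicate timestamp
    return rec

SAMPLE = [
    # Line quoted in the post (journald capture of syslog-ng's stderr).
    "Apr 06 13:29:27 minke syslog-ng[44729]: [2022-04-06T13:29:27.934844] "
    "WARNING: The internal_queue_length stat counter has been renamed to "
    "internal_source.queued. The old name will be removed in future "
    "versions; config-version='3.21'",
    # Constructed: a syslog-ng line without the stderr timestamp prefix.
    "Apr 06 13:29:28 minke syslog-ng[44729]: syslog-ng starting up; version='3.36.1'",
    # Constructed: another program that happens to log a bracketed timestamp.
    "Apr 06 13:29:28 minke otherd[812]: [2022-04-06T13:29:28.000001] ready",
]

if __name__ == "__main__":
    for rec in map(classify, SAMPLE):
        origin = "stderr" if rec["via_stderr"] else "other"
        print(f"{origin:6} {rec['ident']}: {rec['message'][:60]}")
```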