
I have spent a lot of time trying to figure this one out, but with no success. I'm fairly new to Linux application management and logging.

Problem:

I'm not able to log data to /var/log/messages when syslog-ng is started using systemd, but when syslog-ng is started from a shell, it logs fine to /var/log/messages. I'm using the logger utility to test this.

After doing some research I think I may have found the problem, but I don't know how to fix it.

When systemd starts the process, syslog-ng reads from the /run/systemd/journal/syslog socket instead of /dev/log, and the logger utility writes messages to /dev/log. I have changed the entry below in the syslog-ng.conf file.

```
source src {
    system();
    internal();
};
```

to

```
source src {
    unix-dgram("/dev/log");
    internal();
};
```

Also, I have set the line below in journald.conf and restarted it.

```
ForwardToSyslog=yes
```

This is the lsof output for the process started by systemd:

```
syslog-ng 23425 root    3u     unix 0xffff881fce1f1e00      0t0  9281890 /run/systemd/journal/syslog
```

and for the process started manually from a shell:

```
syslog-ng 19482 root    6u     unix 0xffff881fcdd5c380      0t0 10168394 /dev/log
```
  • Hi, which version of syslog-ng are you using? Newer versions should collect logs directly from the journal without problems. – Robert Fekete Apr 10 '18 at 09:31
  • syslog-ng 3.5.6 Installer-Version: 3.5.6 Revision: Compile-Date: Aug 13 2014 13:54:36 Available-Modules: system-source,cryptofuncs,afstomp,csvparser,afsocket-notls,affile,afuser,dbparser,basicfuncs,afsocket,syslogformat,afsocket-tls,afprog,confgen,linux-kmsg-format Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-IPv6: on Enable-Spoof-Source: on Enable-TCP-Wrapper: on Enable-Linux-Caps: on Enable-Pcre: on – hteejus Apr 10 '18 at 11:55
  • 3.5 had some issues with systemd, I'd recommend updating to a newer version. You can find a list of package sources here: https://syslog-ng.com/3rd-party-binaries – Robert Fekete Apr 10 '18 at 12:29
  • I'm not sure, but this entry **ForwardToSyslog=yes** in **journald.conf** helped. Maybe I didn't restart systemd-journald earlier (systemctl restart systemd-journald). Thanks for the help Rob. I'm good now. – hteejus Apr 10 '18 at 14:22

1 Answer

Switch out `unix-dgram("/dev/log");` for `unix-stream("/dev/log");`, then do `service syslog-ng reload`.

The unix-stream() and unix-dgram() drivers open an AF_UNIX socket and start listening on it for messages. The unix-stream() driver is primarily used on Linux and uses SOCK_STREAM semantics (connection oriented, no messages are lost), while unix-dgram() is used on BSDs and uses SOCK_DGRAM semantics.

https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/26

** For a list of different operating system message sources, see: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.22/administration-guide/26
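The question shows a client (logger) and a daemon (syslog-ng) disagreeing about which socket carries local messages, and the answer turns on the socket type behind /dev/log. The probe below is an added example, not code from the question, the answer or syslog-ng: it connects the way logger(1) and glibc's openlog() do (SOCK_DGRAM first, then SOCK_STREAM), reports which driver type the listener accepts, and delivers one RFC 3164 line. The throwaway listener in `self_test()`, the message text and the user.notice priority are constructed for the demo; on a host you would pass "/dev/log" to `send_test_message()`.

```python
import os
import socket
import tempfile
import time

# Added example (not from the page): connect like logger(1)/glibc, SOCK_DGRAM first then SOCK_STREAM.
SOCKET_TYPES = (("dgram", socket.SOCK_DGRAM), ("stream", socket.SOCK_STREAM))

def open_log_socket(path):
    """Return (type_name, socket); a socket bound with the other type gives EPROTOTYPE."""
    for name, kind in SOCKET_TYPES:
        sock = socket.socket(socket.AF_UNIX, kind)
        try:
            sock.connect(path)
            return name, sock
        except OSError:
            sock.close()
    return None, None

def syslog_line(message, facility=1, severity=5, tag="probe"):
    """BSD-syslog (RFC 3164) line; user.notice (<13>) is logger's default."""
    pri = facility * 8 + severity
    stamp = time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {tag}[{os.getpid()}]: {message}".encode()

def send_test_message(path, message):
    # Deliver one line to path and report which socket type accepted it.
    kind, sock = open_log_socket(path)
    if sock is None:
        raise RuntimeError(f"nothing accepts connections on {path}")
    with sock:
        sock.sendall(syslog_line(message))
    return kind

def self_test(type_name):
    """Bind a throwaway listener (constructed, not /dev/log) and round-trip a line."""
    kind = dict(SOCKET_TYPES)[type_name]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "log")
        with socket.socket(socket.AF_UNIX, kind) as srv:
            srv.bind(path)
            if kind == socket.SOCK_STREAM:
                srv.listen(1)
            used = send_test_message(path, "hello from the probe")
            if kind == socket.SOCK_STREAM:
                with srv.accept()[0] as conn:
                    data = conn.recv(4096)
            else:
                data = srv.recv(4096)
    return used, data
```

If `open_log_socket("/dev/log")` returns `(None, None)` while lsof shows the daemon bound only to /run/systemd/journal/syslog, the messages are not being lost by journald forwarding but never reach the daemon at all.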