DaemonForums  

  #1   (View Single Post)  
Old 21st November 2017
cbuckingh cbuckingh is offline
Real Name: Buckingham
New User
 
Join Date: Nov 2017
Location: UK
Posts: 5
Default syslog-ng running but not writing logs

Hello forum members,

Am having a bit of trouble getting syslog-ng 3.9.1 to write log files on OpenBSD 6.2. The O/S was installed from scratch, then syslog-ng, then BIND. No other packages except syslog-ng and BIND dependencies have been installed. No binaries or libs from BIND conflict or replace any from the syslog-ng installation.

The configuration was copied over from another OpenBSD system running an older syslog-ng. The required changes to the .conf file were made so that syslog-ng with supervisor starts and remains running. By killing the syslog-ng process I was able to test that the supervisor process restarts syslog-ng. The rc.d script starts, stops and restarts syslog-ng as expected. /usr/local/sbin/syslog-ng -s returns no errors, indicating that the config file is sane. In /var/log the only things it writes are kernel and syslog-ng start/stop messages.

In an effort to find the problem, a stub syslog-ng.conf file was created with the following contents:
Code:
@version: 3.9.1
source s_local {
        unix-dgram("/dev/log");
        file("/dev/klog" program_override("kernel: "));
        internal();
};
#
destination catchall { file("/var/log/catchall"); };
log { source(s_local);  destination(catchall);  };
The permissions and ownership on /var, /var/log, /var/run, and /etc are correct according to /etc/mtree/special. Syslog-ng starts so that it retains root permissions (default) and creates /dev/log if it does not exist. My syslog_ng_flags are:
Code:
"-R /var/run/syslog_ng.persist -c /var/run/syslog_ng.ctl -p /var/run/syslog_ng.pid"
The output of syslog-ng -V is:
Code:
syslog-ng 3.9.1
Installer-Version: 3.9.1
Revision:
Module-Directory: /usr/local/lib/syslog-ng
Module-Path: /usr/local/lib/syslog-ng
Available-Modules: affile,afprog,afsocket,afsql,afuser,basicfuncs,cef,confgen,cryptofuncs,csvparser,curl,date,dbparser,disk-buffer,geoip-plugin,graphite,kvformat,linux-kmsg-format,pseudofile,system-source,add-contextual-data,json-plugin,syslogformat
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-Linux-Caps: off
On my hunt I found a message on NARKIVE where a user was having the same problem with syslog-ng 3.6 on OpenBSD 5.9; there was no solution. There was a reply saying: "With the changes in 5.6 using sendsyslog(2), only syslogd picks up local syslog. Search the openbsd-ports list for syslog-ng to see some comments on it.". A further search turned up nothing. This begs the question: Is this the same problem and if so, how did this package make it onto the official OpenBSD package mirror-sites?

Many thanks in advance.
CB
Reply With Quote
  #2   (View Single Post)  
Old 21st November 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Hello, and welcome!

Disclaimer: I've never used a 3rd party syslog tool.

Packages are built from Ports. And this Port (sysutils/syslog-ng) has a maintainer, Steven Mestdagh, who supports the application's implementation on OpenBSD. You can obtain his Email address with $ pkg_info syslog-ng, and ask him to review your implementation problem.
Reply With Quote
  #3   (View Single Post)  
Old 21st November 2017
cbuckingh cbuckingh is offline
Real Name: Buckingham
New User
 
Join Date: Nov 2017
Location: UK
Posts: 5
Default

Hello,

Thank you for your Welcome, information and the speedy reply. Will contact Steven and see what he says. Any solution will be posted here so it can help others.

Cheers,
CB
Reply With Quote
  #4   (View Single Post)  
Old 21st November 2017
LeFrettchen's Avatar
LeFrettchen LeFrettchen is offline
Marveled user
 
Join Date: Aug 2012
Location: France
Posts: 405
Default

Hello and welcome with us.

Quote:
Originally Posted by cbuckingh View Post
Any solution will be posted here so it can help others.
Thanks, that would really be appreciated
__________________
ThinkPad W500 P8700 6GB HD3650 - faultry
ThinkStation P700 2x2620v3 32GB 1050ti 3xSSD 1xHDD
Reply With Quote
  #5   (View Single Post)  
Old 29th November 2017
cbuckingh cbuckingh is offline
Real Name: Buckingham
New User
 
Join Date: Nov 2017
Location: UK
Posts: 5
Default

A bit of an update:

In an effort to determine exactly when the problem started, I set up 5 OBSD (5.[5-9]) VM servers from scratch. The last version under which I could get syslog-ng to work was OBSD 5.5 with syslog-ng 3.4.7, installed from OBSD package mirrors. After subscribing to the syslog-ng forums I have found no help from that avenue either. Having tried sending several e-mails from different e-mail addresses to the developer responsible for the syslog-ng package, I only receive an error from shear.ucar.edu each time. Lastly I sent an e-mail to the Admins of the OpenBSD forum requesting info on the best OBSD forum (5 in total) to register in for my problem, but it went unanswered.

It would interest me if any forum member has had success in running syslog-ng on OBSD 5.5 or later, in particular versions 6.[0-2]. It begs the question: Did the OBSD developers simply compile syslog-ng without testing it under each OBSD version?

Have not had any luck in compiling syslog-ng myself, maybe I will set up a new VM for that.

Cheers,
Christopher
Reply With Quote
  #6   (View Single Post)  
Old 29th November 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

The best place to take this would be the ports@ mailing list. Steven is still active there, as far as I know. You can let him know via your message to ports@ that your attempts to reach him directly resulted in bounced mail.
Reply With Quote
  #7   (View Single Post)  
Old 29th November 2017
cbuckingh cbuckingh is offline
Real Name: Buckingham
New User
 
Join Date: Nov 2017
Location: UK
Posts: 5
Default

Many Thanks.

Have registered in the relevant forum but I will wait for Steven to make contact before I mention the e-mail problem.

Cheers,
Christopher
Reply With Quote
  #8   (View Single Post)  
Old 29th November 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

It isn't a forum. It is a mailing list. If your mail to Steven has been returned to you (bounced), he is likely unaware of it.
Reply With Quote
  #9   (View Single Post)  
Old 29th November 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

I see you published to the ports@ mailing list. Your post (plain text Email) was a copy/paste of the top post in this thread, and included vBulletin markup language, which will not be helpful to Email readers. You may not get a lot of positive response to your post, as it is difficult to read in plain text. Calling the mailing list subscribers "forum members" may not have helped plead your case.
Reply With Quote
Old 1st December 2017
cbuckingh cbuckingh is offline
Real Name: Buckingham
New User
 
Join Date: Nov 2017
Location: UK
Posts: 5
Default

When I said forum it was in the old sense of the word, as I am a bit older, I understand the definition as "a medium (such as a newspaper or online service) of open discussion or expression of ideas" as indicated in the Webster and Oxford dictionaries.

The reason I sent a duplicate to the OBSD list is so that the same facts were in that post as here. Your point on the copy/paste having carried over the vBulletin markup language is noted and will be avoided in future.

It was confirmed by Stu on the OBSD ports list that since OBSD 5.6 syslogd indeed uses sendsyslog and not /dev/log. After he offered a couple of suggestions I chose to have syslogd send everything to localhost on a TCP high-port. Syslog-ng was then configured to receive messages from localhost on the same port and not /dev/log. It is not pretty but maybe it is just until Balabit or OBSD developers adapt the software. In the end all the messages are going to their correct files.

Many Thanks.
Reply With Quote
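
Added example (not part of any post in this thread, and not the poster's configuration): when one daemon forwards syslog over TCP to a loopback listener as described above, the sender may frame messages either by octet counting or by a trailing newline (RFC 6587), and the receiver has to expect the framing actually in use before facility-based routing can work. The Python code below goes slightly beyond the thread by handling both framings: it splits a captured stream and decodes each message's facility and severity. The function names, the host name "gw" and the sample bytes are constructed for illustration.

```python
import re

# Facility and severity names by number (RFC 5424, section 6.2.1).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
COUNT = re.compile(rb"(\d{1,5}) (?=<)")  # octet-count prefix: MSG-LEN SP, then PRI
PRI = re.compile(rb"<(\d{1,3})>")

def split_frames(buf):
    """Split a TCP byte stream into (framing, message) pairs plus unread rest."""
    frames = []
    while buf:
        m = COUNT.match(buf)
        if m:  # RFC 6587 octet counting
            start, length = m.end(), int(m.group(1))
            if len(buf) < start + length:
                break  # frame not complete yet; wait for more data
            frames.append(("octet-counted", buf[start:start + length].rstrip(b"\n")))
            buf = buf[start + length:]
        else:  # RFC 6587 non-transparent framing: newline ends the message
            line, sep, tail = buf.partition(b"\n")
            if not sep:
                break
            if line:
                frames.append(("newline", line))
            buf = tail
    return frames, buf

def classify(msg):
    """Return (facility, severity, text), or None if the PRI is missing/invalid."""
    m = PRI.match(msg)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], msg[m.end():].decode("utf-8", "replace")

def _counted(msg):
    return b"%d %s" % (len(msg), msg)
# Constructed sample stream (host "gw" and all message text are made up).
SAMPLE = (_counted(b"<38>Dec  1 10:00:00 gw sshd[411]: constructed test\n")
          + _counted(b"<6>Dec  1 10:00:01 gw bsd: constructed kernel line\n")
          + b"<30>Dec  1 10:00:02 gw named[77]: constructed\n"
          + b"<13>Dec  1 10:00:03 gw par")  # last message is cut off mid-frame

if __name__ == "__main__":
    for framing, msg in split_frames(SAMPLE)[0]:
        print(framing, classify(msg))
```

A message whose PRI cannot be decoded (classify returns None) is the sign that the receiver is reading the stream with the wrong framing, which would send every message to a default facility instead of its intended file.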
Old 1st December 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

I'm very glad you were able to deploy a working solution.
Reply With Quote
Content copyright © 2007-2010, the authors