I miss this/that very important feature from syslog-ng 2.x while it was present in syslog-ng 1.6.

From Bazsi:
syslog-ng 2.x is a complete reimplementation of syslog-ng and even though I plan to make it upward compatible with syslog-ng 1.6, I might have forgotten something. So please post to the mailing list either if you find missing or incompatible features.

Hi, can someone please help me to get the compile right.

OS: RHEL ES 3 update 4

The ./configure went well no errrors.
But the make did not go so well:

Error message(s) :

>> snip
gcc  -g -O2 -Wall -I/usr/local/include/libol -D_GNU_SOURCE   -o
syslog-ng  main
o sources.o center.o filters.o destinations.o log.o cfgfile.o
cfg-grammar.o cfg
lex.o affile.o afsocket.o afunix.o afinet.o afinter.o afuser.o
afstreams.o afpr
gram.o afremctrl.o nscache.o utils.o syslog-names.o macros.o  -lnsl
-lresolv  /
sr/local/lib/libol.a -lnsl -Wl,-Bstatic      -Wl,-Bdynamic
cfg-lex.o(.text+0x45f): In function `yylex':
/root/rpm/syslog-ng/syslog-ng-1.6.8/src/cfg-lex.c:1123: undefined
reference to
yywrap'
cfg-lex.o(.text+0xb33): In function `input':
/root/rpm/syslog-ng/syslog-ng-1.6.8/src/cfg-lex.c:1450: undefined
reference to
yywrap'
collect2: ld returned 1 exit status
make[3]: *** [syslog-ng] Error 1
make[3]: Leaving directory `/root/rpm/syslog-ng/syslog-ng-1.6.8/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/rpm/syslog-ng/syslog-ng-1.6.8/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/root/rpm/syslog-ng/syslog-ng-1.6.8/src'
make: *** [all-recursive] Error 1

As previously noted by another poster this is a problem with the flex version on your system. If you use a flex with a higher version than 2.5.4 you're out of luck, unless you patch the sources. The reason for this is that the people developing flex had the "interesting" idea of changing the way the lexer parses the language file.

 %option noyywrap

 %{
prototype functionname(parameters);
 %}

If I replace my syslog daemon with syslog-ng, what side effects can it have?

Glad you asked, the most common side effect is being happy with a superior syslog daemon.

I'm new to syslog-ng. Is there a way for syslog-ng and syslogd to co-exist? Our servers are managed by another group, and they don't support syslog-ng. Can you pipe all syslogd messages to syslog-ng?

Yes, syslog-ng can accept messages from stock syslogd using the udp() source.

I want a catch-all log destination and can't seem to find out how in the documentation or examples.

Jay Guerette helped out with:

destination catchall {
        file(/var/log/catchall);
};
log {
        source(syslog);
        destination(catchall);
};

I want to replace syslogd *and* klogd on my Linux box with syslog-ng.

Use a source line like this in your conf file to read kernel messages, too.

source src { file("/proc/kmsg"); unix-stream("/dev/log"); internal(); };

Notes:

1. do not run klogd and syslog-ng fetching local kernel messages at the same time. It may cause syslog-ng to block which makes all logging local daemons unusable.

2. Current selinux policy distributed for RHEL4 supports syslog-ng by a boolean named "use_syslogng". But on the not working host (using "pipe"), following happens:

   avc: denied { write } for pid=2190 comm="syslog-ng" name="kmsg" dev=proc ino=-268435446 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file

   Please don't use "pipe" at all for /proc/kmsg.

   Thanks to Peter Bieringer for contributing this information

3. If you find yourself getting lots of kernel messages to the console after replacing klogd with syslog-ng: set the kernel's console log level. This is done by klogd but not syslog-ng automatically.

   Something like "dmesg -n4" should help.

I have been trying syslog-ng and extremely happy with the power of using it. I have one question, when using the program option under destination drivers, my PERL script gets launched when I start syslog-ng, but executes once and then dies. I am using this script to page any time I see an log entry, but it only runs the first time it runs.

You can read log messages on your stdin, so instead of fetching a single line and exiting keep reading your input like this:

#!/usr/bin/perl
while (<>) {
        # send to pager
}

Is it possible to create sockets with syslog-ng similar to how you can do so with syslogd? The reason for this being that I'm running some applications chrooted, and need to open a /dev/log socket that is in that chroot-jail.

Of course you can. Just add a source:

source local { unix-stream("/dev/log"); internal(); };
source jail1 { unix-stream("/jail/dns/dev/log"); };
source jail2 { unix-stream("/jail/www/dev/log"); };

source local { 
	unix-stream("/dev/log"); 
	internal(); 
	unix-stream("/jail/dns/dev/log"); 
};

Note that postfix appears to need a log socket in it's chroot jail, or it's logging will stop when you reload syslog-ng:

source postfix { unix-stream("/var/spool/postfix/dev/log" keep-alive(yes)); };

Directories with names like "Error", "SCSI", "", are showing up in the directory that holds the syslogs for the different hosts that we monitor.

From the description it's apparent that logs are being stored in your filesystem with a macro similar to this:

destination std { file( "/var/log/$HOST/$FACILITY"); };

options {
        long_hostnames(off);
	keep_hostname(yes);
	use_dns(no); 
};

source src {
	internal();
	unix-stream("/dev/log" keep-alive(yes));
};

# set it up
destination logip {
	file("/archive/logs/HOSTS/$HOST_FROM/$FACILITY/$YEAR$MONTH/$FACILITY$YEAR$MONTH$DAY" 
	owner(syslog-ng) group(syslog-ng) perm(0600) dir_perm(0700) create_dirs(yes)
	template("$DATE $FULLHOST $PROGRAM $TAG [$FACILITY.$LEVEL] $MESSAGE\n")  ); 
};

# log it
log {
	source(src);
	destination(logip);
};

DNS: I want to use fully qualified domain names in my logs, I have many different hosts named ns1, or www, and don't want the logs mixed up. Also, I have a question concerning the use_dns option. Is this a global option only, or is there some way to change this per source or destination?

What is with all the "hostname" options?

When syslog-ng receives a message it tries to rewrite the hostname it contains unless keep_hostname is true. If the hostname is to be rewritten (e.g. keep_hostname is false), it checks whether chain_hostnames (or long_hostname which is an alias for chain_hostnames) is true. If chain_hostnames is true, the name of the host syslog-ng received the message from is appended to the hostname, otherwise it's replaced.

	keep_hostname(yes)	keep_hostname(no)
chain_hostname(yes)	server	server/server2
chain_hostname(no)	server	server2

I hope this makes things clear.

I have this config file:

 filter f_local0 { facility(local0); };
 filter f_local1 { facility(local1); };
 destination df_local1 {
         file("/mnt/log/$R_YEAR-$R_MONTH-$R_DAY/$SOURCEIP/local.log"
         template("$FULLDATE <> $PROGRAM <> $MSGONLY\n")
         template_escape(no));
 };
 log {
         source(s_tcp); source(s_internal); source(s_udp); source(s_unix);
         filter(f_local0); filter(f_local1);
         destination(df_local1);
 };

If I understand you correctly then the problem is that you're using two filters which exclude each other however using more filters they are logically AND-ed. If you want to catch messages from local0 and local1 use a filter like this:

filter f_local01 {
	facility(local0) or facility(local1);
};

I archive my logs like this:

file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$HOST_$YEAR_$MONTH_$DAY" 
 owner(root) group(root) perm(0600) dir_perm(0700)  create_dirs(yes) ); 

You don't need syslog-ng to compress them, install bzip2 and run a nightly cronjob like this:

 /usr/bin/find /var/log/HOSTS ! -name "*bz2" -type f ! -path "*`/bin/date +%Y/%m/%d`*" 
  -exec /usr/bin/bzip2 {} \;

# Current policy is:
# Find all non-Archived files that aren't from today, and archive them
# Archive Logs are deleted after 14 days
#
#Changes.   Change -mtime +14 to the number of days to keep

# Archive old logs
/usr/bin/find /var/log/HOSTS ! -name "*.gz" -type f ! -path "*`/bin/date +%Y/%m/%d`*" -exec /usr/bin/gzip {} \;

# Delete old archives
find /var/log/HOSTS/ -daystart -mtime +14 -type f -exec rm {} \;

# Delete empty directories
find /var/log/HOSTS/ -depth -type d -empty -exec rmdir {} \;

My syslog-ng.conf has

destination std { file( "/var/log/$HOST/$YEAR$MONTH/$FACILITY" create_dirs(yes)); };

Yes, you can do this using the owner(), group() and perm() options.
For example:

destination d_file { file("/var/log/$HOST/log" create_dirs(yes) 
 owner("log") group("log") perm(0600)); };

a) I have snmptrapd running so that any trap that it receives should be logged to local1. I have a filter taking anything received via local1 to a specific file:

filter snmptrap {facility(local1);};
destination snmptraps { file("/var/log/snmptraps";};

syslog defaults to 1024 byte long messages, but this value is tunable in syslog-ng 1.5 where you can set it to a higher value.

options { log_msg_size(8192); };

b) Andreas Schulze points out: "We are running snmptrapd and syslog-ng 1.5.x under Solaris 8 and observed exactly the same problem.

Our solution was, to patch snmptrapd to log its messages via a local Unix DGRAM socket and use this socket as message source for syslog-ng. This fix the problem and works pretty fine and very stable for more than one year in our environment.

Basically you're screwed on Solaris, but hopefully other implementations aren't as brain-dead.

It seems I have syslog clients with unsynchronized clocks and I have files that were created with the time macros, and their date is wrong. What I want is the files to be created with the time/date they are received.

It's an option. use_time_recvd() boolean.

options { use_time_recvd(true); };

What conf settings can I use for my syslog-ng.conf file so that messages are written to disk the instant they are received?

Add sync(0) to your config file.

options { sync(0); };

I want to run syslog-ng chrooted and as a non-root user.

Use syslog-ng 1.5.x's own -C and -u flags when starting it.

Can output from programs started by syslog-ng be captured and logged by syslog-ng?

It's on the todo list. As long as it is not implemented, you might try to redirect the program's output to a named pipe like this:

destination d_swatch { program("swatch 2> /var/run/swatch.err"); }; 
 source s_swatch { pipe("/var/run/swatch.err"); };

How much log volume can syslog-ng handle?

The limits to throughput in syslog-ng are similar to that of most other network applications, where network and disk I/O are the limiting factors.

Our log volume has been growing slowly over time, I recently checked my primary
logger and noticed that the raw log volume for this past Monday (the 24-hour
period from midnight to midnight) was 10,982,118,488 bytes, or 10.22GiB.

Peak hourly volume was 913MiB. Peak one-second volume in that hour was 2,626
messages totaling 440KiB, no duplicates.

System specs:
OpenBSD on a Dell 2650 (single 2.8Ghz P4) running syslog-ng 1.6.X.
Logs are written to a Dell PERC 3/Di SCSI RAID-0, as a 2-drive stripe.

I'm using syslog-ng over redirected ports inside an SSH channel and whenever I HUP syslog-ng, the SSH channel closes

syslog-ng closes TCP connections when a SIGHUP is received, but you can change this behaviour with the keep-alive option.

destination remote_tcp { tcp("loghost" port(1514) keep-alive(yes)); };

source tcp_listen { tcp(ip("10.0.0.1") port(5140) keep-alive(yes)); };

I've successfully set up syslog-ng to tunnel through stunnel. I'm having one problem though, all messages come through with a hostname of "localhost", presumably since stunnel is coming from localhost on the syslog server....

Keep the hostname as sent by the remote syslog daemon:

options { keep_hostname(yes); };

I am trying to setup a central log host and am having trouble getting events registered on the central server. It looks like the remote host does connect to the central host but nothing shows in a log anywhere for it.

options {
        long_hostnames(off);
        sync(0);
        stats(43200);
        dns_cache(yes);
        use_fqdn(no);  
        keep_hostname(yes);
        use_dns(yes);      
};

source gateway {
        unix-stream("/dev/log");
        internal();
        udp(ip(0.0.0.0) port(514));
};

source tcpgateway {
        unix-stream("/dev/log");
        internal();
        tcp(ip(0.0.0.0) port(514) max_connections(1000));
};

destination hosts {
        file("/var/log/syslogs/$HOST/$FACILITY"
        owner(root) group(root) perm(0600) dir_perm(0700)
create_dirs(yes));
};

log {
        source(gateway); destination(hosts);
};

log {
        source(tcpgateway); destination(hosts);
};

options {
        long_hostnames(off);
        sync(0);
        stats(43200);
        dns_cache(yes);
        use_fqdn(no);  
        keep_hostname(yes);
        use_dns(yes);      
};

source local {
        unix-stream("/dev/log");
        internal();
};

source gateway {
        udp(ip(0.0.0.0) port(514));

source tcpgateway {
        tcp(ip(0.0.0.0) port(514) max_connections(1000));
};

destination hosts {
        file("/var/log/syslogs/$HOST/$FACILITY"
        owner(root) group(root) perm(0600) dir_perm(0700)
create_dirs(yes));
};

log {
        source(gateway);
	destination(hosts);
};

log {
        source(local);
	destination(hosts);
};

log {
        source(tcpgateway);
	destination(hosts);
};

I am having problems with syslog-ng on an SeLinux aware machine. The kernel will not allow me to open up /proc/kmsg for kernel messages. The error message I get looks like:

These errors are a sign that either the Selinux policies are not syslog-ng aware or have not been enabled yet. Make sure you have the latest policies for your distribution and then use getsebool to see if usesyslogng is turned on

# getsebool use_syslogng
use_syslogng --> inactive
# setsebool -P use_syslogng=1