Syslog does not update logs after update from 4.6 to 4.8
Syslog fails to update logs after updating from 4.6 to 4.8. Downgrading to 4.6 restores updating.
Linux acer 6.10.10-artix1-1 #1 SMP PREEMPT_DYNAMIC Fri, 13 Sep 2024 03:28:40 +0000 x86_64 GNU/Linux
Configuration
$ sudo cat syslog-ng.conf
@version: 4.6
@include "scl.conf"
#
# /etc/syslog-ng/syslog-ng.conf
#
options {
stats_freq (0);
flush_lines (0);
time_reopen (10);
log_fifo_size (10000);
chain_hostnames (off);
dns_cache (no);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
perm(0640);
group("log");
};
source src {
system();
internal();
};
destination d_authlog { file("/var/log/auth.log"); };
destination d_syslog { file("/var/log/syslog.log"); };
destination d_cron { file("/var/log/crond.log"); };
destination d_daemon { file("/var/log/daemon.log"); };
destination d_kernel { file("/var/log/kernel.log"); };
destination d_lpr { file("/var/log/lpr.log"); };
destination d_user { file("/var/log/user.log"); };
destination d_uucp { file("/var/log/uucp.log"); };
destination d_mail { file("/var/log/mail.log"); };
destination d_news { file("/var/log/news.log"); };
destination d_ppp { file("/var/log/ppp.log"); };
destination d_debug { file("/var/log/debug.log"); };
destination d_messages { file("/var/log/messages.log"); };
destination d_errors { file("/var/log/errors.log"); };
destination d_everything { file("/var/log/everything.log"); };
destination d_iptables { file("/var/log/iptables.log"); };
destination d_acpid { file("/var/log/acpid.log"); };
destination d_console { usertty("root"); };
# Log everything to tty12
destination console_all { file("/dev/tty12"); };
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { program(syslog-ng); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kernel { facility(kern) and not filter(f_iptables); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_ppp { facility(local2); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news, cron) and not program(syslog-ng) and not filter(f_iptables); };
filter f_everything { level(debug..emerg) and not facility(auth, authpriv); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_iptables { match("IN=" value("MESSAGE")) and match("OUT=" value("MESSAGE")); };
filter f_acpid { program("acpid"); };
log { source(src); filter(f_acpid); destination(d_acpid); };
log { source(src); filter(f_authpriv); destination(d_authlog); };
log { source(src); filter(f_syslog); destination(d_syslog); };
log { source(src); filter(f_cron); destination(d_cron); };
log { source(src); filter(f_daemon); destination(d_daemon); };
log { source(src); filter(f_kernel); destination(d_kernel); };
log { source(src); filter(f_lpr); destination(d_lpr); };
log { source(src); filter(f_mail); destination(d_mail); };
log { source(src); filter(f_news); destination(d_news); };
log { source(src); filter(f_ppp); destination(d_ppp); };
log { source(src); filter(f_user); destination(d_user); };
log { source(src); filter(f_uucp); destination(d_uucp); };
#log { source(src); filter(f_debug); destination(d_debug); };
log { source(src); filter(f_messages); destination(d_messages); };
log { source(src); filter(f_err); destination(d_errors); };
log { source(src); filter(f_emergency); destination(d_console); };
log { source(src); filter(f_everything); destination(d_everything); };
log { source(src); filter(f_iptables); destination(d_iptables); };
# Log everything to tty12
#log { source(src); destination(console_all); };
If you collect logs from a pipe source, you should update to syslog-ng 4.8.1, which fixes a problem introduced in 4.8.0.
Sorry, I was on 4.8.1 and had to downgrade to 4.6.0-9 to get it working. No idea what "If you collect logs from a pipe source" means, I just install and hope it works. :)
So I found this when I updated to v8.1:
NOTE: As of package version 4.8.0-1, syslog-ng ships with a configuration
where all logging is disabled. To re-enable logging with
please update your configuration in /etc/syslog-ng/syslog-ng.conf.
So I went through the new configuration file and re-enabled everything shown as 'log {}'
Now I am getting an error:
Error invoking seek on file; filename='/dev/kmsg', error='Invalid argument (22)'
Of course I still get the errors:
Error opening plugin module; module='afmongodb'
Error opening plugin module; module='afsmtp'
Error opening plugin module; module='afamqp'
Error opening plugin module; module='kafka'
Error opening plugin module; module='redis'
Since, in all cases, syslog-ng says 'cannot open shared object file: No such file or directory' I presume these should all be Warnings, at the most, certainly not errors.
I will have to see if anything is being logged now.
As a final comment: Is it really wise to allow the installation of a syslog facility that logs absolutely nothing by default?
Could you please paste here the output of syslog-ng -V?
Now I am getting an error:
Error invoking seek on file; filename='/dev/kmsg', error='Invalid argument (22)'
This must be investigated; it seems to me a similar issue to the one we had with the above-mentioned pipe reading. Thanks for the report.
With syslog-ng running:
$ syslog-ng -V
syslog-ng 4 (4.8.1.dirty)
Config version: 4.2
Installer-Version: 4.8.1.dirty
Revision:
Compile-Date: Oct 5 2024 18:09:14
Module-Directory: /usr/lib/syslog-ng
Module-Path: /usr/lib/syslog-ng
Include-Path: /usr/share/syslog-ng/include
Error opening plugin module; module='afmongodb', error='libmongoc-1.0.so.0: cannot open shared object file: No such file or directory'
Error opening plugin module; module='afsmtp', error='libesmtp.so.6.2.0: cannot open shared object file: No such file or directory'
Error opening plugin module; module='afamqp', error='librabbitmq.so.4: cannot open shared object file: No such file or directory'
Error opening plugin module; module='kafka', error='librdkafka.so.1: cannot open shared object file: No such file or directory'
Error opening plugin module; module='redis', error='libhiredis.so.1.1.0: cannot open shared object file: No such file or directory'
Available-Modules: stardate,hook-commands,otel,kvformat,bigquery,afprog,http,azure-auth-header,correlation,map-value-pairs,tags-parser,geoip2-plugin,rate-limit-filter,pseudofile,timestamp,afsnmp,afuser,afsql,syslogformat,metrics-probe,loki,afsocket,secure-logging,basicfuncs,confgen,cryptofuncs,add-contextual-data,graphite,xml,cloud_auth,tfgetent,regexp-parser,examples,csvparser,appmodel,system-source,linux-kmsg-format,affile,json-plugin,afstomp,disk-buffer,mod-python,cef
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: off
Enable-Linux-Caps: on
Enable-Systemd: off
About the rest:
NOTE: As of package version 4.8.0-1, syslog-ng ships with a configuration where all logging is disabled. To re-enable logging with please update your configuration in /etc/syslog-ng/syslog-ng.conf.
This was a decision of Arch Linux maintainers. The details are here, it sounds strange: https://gitlab.archlinux.org/archlinux/packaging/packages/syslog-ng/-/commit/f3bc8611b2bc434f052c14ff3b69bcbe44ffe9b2
Error opening plugin module; module='afmongodb'
Indeed, these plugins are not installed currently, they are not real errors in this specific case.
Once you install the necessary optional dependencies of the syslog-ng Arch package, those errors (warnings actually) will disappear and the given plugin will start working.
Thank you for your response to my queries.
This was a decision of Arch Linux maintainers ... the quote seems to be about adding a message about the fact that logging is disabled by default. Maybe I have misunderstood. My later question was "Is it really wise to allow the installation of a syslog facility that logs absolutely nothing by default?"
Indeed, these plugins are not installed currently, they are not real errors in this specific case.
So I would suggest that you don't report them as Errors, report them as Warnings or not at all? The error would only occur if the shared object file existed and the module was not available.
Thank you for your response to my queries.
This was a decision of Arch Linux maintainers ... the quote seems to be about adding a message about the fact that logging is disabled by default. Maybe I have misunderstood. My later question was "Is it really wise to allow the installation of a syslog facility that logs absolutely nothing by default?"
As @MrAnno mentioned, this is not related to the version of syslog-ng you can access here; it is because you are using a packaged version of it, which is maintained by a completely different team. You should ask this on their site.
Indeed, these plugins are not installed currently, they are not real errors in this specific case. So I would suggest that you don't report them as Errors, report them as Warnings or not at all? The error would only occur if the shared object file existed and the module was not available.
This is also related to the package you are using; it is a prebuilt package with a feature set the package maintainers decided to use.
I suggest you build your own version of syslog-ng, which will surely contain all of, and only, the components you really need.
Interesting, thank you very much
Reported to Arch Linux forum.
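A check for the failure mode discussed in this thread, a configuration whose log paths are all commented out so the daemon runs but writes nothing. This is an added example, not part of the thread or of syslog-ng; the function names and the sample configuration are constructed, and it assumes one statement per line as in the configuration posted above.

```shell
# Added example: audit a syslog-ng.conf for active (uncommented) log paths.
# Everything after '#' is treated as a comment, including '#' inside strings.
strip_comments() { sed 's/#.*//' "$1"; }

# Names of destinations referenced by uncommented log statements.
active_destinations() {
    strip_comments "$1" | awk '
        /^[ \t]*log[ \t]*\{/ {
            line = $0
            while (match(line, /destination\([^)]*\)/)) {
                print substr(line, RSTART + 12, RLENGTH - 13)
                line = substr(line, RSTART + RLENGTH)
            }
        }' | sort -u
}

# Names of all destinations the file defines.
defined_destinations() {
    strip_comments "$1" | awk '
        /^[ \t]*destination[ \t]+/ { sub(/\{.*/, "", $2); print $2 }' | sort -u
}

# Returns 1 when no log path is active; warns about destinations never used.
audit_config() {
    active=$(active_destinations "$1")
    [ -n "$active" ] || { echo "FAIL: $1 has no active log path"; return 1; }
    for d in $(defined_destinations "$1"); do
        echo "$active" | grep -qx "$d" ||
            echo "WARN: destination $d is defined but unused"
    done
}

# Constructed sample; $1 is the prefix placed before the auth log path
# ("#" reproduces a configuration with logging disabled).
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<EOF
source src { system(); internal(); };
destination d_authlog { file("/var/log/auth.log"); };
destination d_debug { file("/var/log/debug.log"); };
${1}log { source(src); filter(f_authpriv); destination(d_authlog); };
#log { source(src); filter(f_debug); destination(d_debug); };
EOF
    echo "$f"
}

off=$(sample_conf "#"); on=$(sample_conf "")
audit_config "$off" || echo "(disabled sample rejected)"
audit_config "$on"
rm -f "$off" "$on"
```

Run against the real file after a package upgrade with `audit_config /etc/syslog-ng/syslog-ng.conf`; a non-zero exit status means the daemon can start cleanly while logging nothing.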