#1 2014-09-14 22:47:03

thesnooze
Member
Registered: 2014-09-14
Posts: 4

[Solved] Logs not forwarding to syslog

I just noticed that a number of system logs under /var/log are blank. These include mail, cron, auth, and user. The last entries in the archived log files were from the morning of August 30. Other logs like errors, messages, and everything are being filled out just fine. Ownership and permissions are the same for all of these files.

I know there was a syslog-ng update (version 3.5) towards the end of August. I verified that it's running and using the new default config file. Any idea what might be preventing some logs from being filled out but not others?

Last edited by thesnooze (2014-09-16 20:58:18)

Offline

#2 2014-09-15 15:33:19

rebootl
Member
Registered: 2012-01-10
Posts: 431
Website

Re: [Solved] Logs not forwarding to syslog

Are you aware of the fact that Arch uses systemd's journal by default?
https://wiki.archlinux.org/index.php/Systemd#Journal


Personal website: reboot.li
GitHub: github.com/rebootl

Offline

#3 2014-09-15 21:02:37

thesnooze
Member
Registered: 2014-09-14
Posts: 4

Re: [Solved] Logs not forwarding to syslog

rebootl wrote:

Are you aware of the fact that Arch uses systemd's journal by default?
https://wiki.archlinux.org/index.php/Systemd#Journal

Thanks for the pointer. I am aware now. I got another response from a reddit thread to look at the journalctl command. It's outputting current entries that should go into those logs, but they're not written out to those files for some reason.

Last edited by thesnooze (2014-09-15 21:02:52)

Offline

#4 2014-09-15 21:08:09

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: [Solved] Logs not forwarding to syslog

thesnooze wrote:

but they're not written out to those files for some reason.

Keep reading... https://wiki.archlinux.org/index.php/Sy … ith_syslog


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#5 2014-09-15 22:00:34

thesnooze
Member
Registered: 2014-09-14
Posts: 4

Re: [Solved] Logs not forwarding to syslog

jasonwryan wrote:
thesnooze wrote:

but they're not written out to those files for some reason.

Keep reading... https://wiki.archlinux.org/index.php/Sy … ith_syslog

I saw that, but I already have syslog-ng enabled and verified that it's running. I'm using the default configuration for it. Am I missing something that would redirect, say, logged sudo events into /var/log/auth.log? Thanks!

/etc/syslog-ng/syslog-ng.conf wrote:

@version: 3.5
@include "scl.conf"
#
# /etc/syslog-ng/syslog-ng.conf
#

options {
  stats_freq (0);
  flush_lines (0);
  time_reopen (10);
  log_fifo_size (10000);
  chain_hostnames (off);
  use_dns (no);
  use_fqdn (no);
  create_dirs (no);
  keep_hostname (yes);
  perm(0640);
  group("log");
};

source src {
  system();
  internal();
};

destination d_authlog { file("/var/log/auth.log"); };
destination d_syslog { file("/var/log/syslog.log"); };
destination d_cron { file("/var/log/crond.log"); };
destination d_daemon { file("/var/log/daemon.log"); };
destination d_kernel { file("/var/log/kernel.log"); };
destination d_lpr { file("/var/log/lpr.log"); };
destination d_user { file("/var/log/user.log"); };
destination d_uucp { file("/var/log/uucp.log"); };
destination d_mail { file("/var/log/mail.log"); };
destination d_news { file("/var/log/news.log"); };
destination d_ppp { file("/var/log/ppp.log"); };
destination d_debug { file("/var/log/debug.log"); };
destination d_messages { file("/var/log/messages.log"); };
destination d_errors { file("/var/log/errors.log"); };
destination d_everything { file("/var/log/everything.log"); };
destination d_iptables { file("/var/log/iptables.log"); };
destination d_acpid { file("/var/log/acpid.log"); };
destination d_console { usertty("root"); };

# Log everything to tty12
destination console_all { file("/dev/tty12"); };

filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { program(syslog-ng); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kernel { facility(kern) and not filter(f_iptables); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_ppp { facility(local2); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news, cron) and not program(syslog-ng) and not filter(f_iptables); };
filter f_everything { level(debug..emerg) and not facility(auth, authpriv); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_iptables { match("IN=" value("MESSAGE")) and match("OUT=" value("MESSAGE")); };
filter f_acpid { program("acpid"); };

log { source(src); filter(f_acpid); destination(d_acpid); };
log { source(src); filter(f_authpriv); destination(d_authlog); };
log { source(src); filter(f_syslog); destination(d_syslog); };
log { source(src); filter(f_cron); destination(d_cron); };
log { source(src); filter(f_daemon); destination(d_daemon); };
log { source(src); filter(f_kernel); destination(d_kernel); };
log { source(src); filter(f_lpr); destination(d_lpr); };
log { source(src); filter(f_mail); destination(d_mail); };
log { source(src); filter(f_news); destination(d_news); };
log { source(src); filter(f_ppp); destination(d_ppp); };
log { source(src); filter(f_user); destination(d_user); };
log { source(src); filter(f_uucp); destination(d_uucp); };
#log { source(src); filter(f_debug); destination(d_debug); };
log { source(src); filter(f_messages); destination(d_messages); };
log { source(src); filter(f_err); destination(d_errors); };
log { source(src); filter(f_emergency); destination(d_console); };
log { source(src); filter(f_everything); destination(d_everything); };
log { source(src); filter(f_iptables); destination(d_iptables); };

# Log everything to tty12
#log { source(src); destination(console_all); };

Offline

#6 2014-09-15 22:15:28

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: [Solved] Logs not forwarding to syslog

Sorry, I missed that in your OP.

The conf file looks OK (apart from being in quote tags), but I just use the journal, so I can't be sure. Perhaps another syslogger can assist.
You might want to change your thread title to be more explicit about logs not being forwarded to syslog.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#7 2014-09-16 01:02:44

Alad
Wiki Admin/IRC Op
From: Bagelstan
Registered: 2014-05-04
Posts: 2,412
Website

Re: [Solved] Logs not forwarding to syslog

This is related to the systemd 216 update:

journald will no longer forward all local data to another running syslog daemon. This change has been made because rsyslog (which appears to be the most commonly used syslog implementation these days) no longer makes use of this, and instead pulls the data out of the journal on its own. Since forwarding the messages to a non-existent syslog server is more expensive than we assumed we have now turned this off. If you run a syslog server that is not a recent rsyslog version, you have to turn this option on again (ForwardToSyslog= in journald.conf).

tl;dr edit /etc/systemd/journald.conf and change

#ForwardToSyslog=no

to

ForwardToSyslog=yes

Do note that if your concern for using syslog is the journal binary format, you can just strings/grep it like any other log (it doesn't change the messages).

Last edited by Alad (2014-09-16 01:03:34)


Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby

Offline
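
An added example, not part of Alad's post or the thread: a shell check that reports whether journald is configured to feed a separate syslog daemon, so that an empty auth.log like the one described above is caught as a configuration state rather than noticed weeks later. It treats the commented-out `#ForwardToSyslog=no` line as unset, which the quoted release note says means forwarding is off from systemd 216. Assumptions: the function names are hypothetical, drop-ins are modelled as one directory of `*.conf` files read in lexical order after the main file with the last assignment winning, and `[Journal]` section headers are ignored.

```shell
#!/bin/sh
# Added example (not from the thread): print the effective ForwardToSyslog=
# value, or "unset" when only the commented-out default is present.
# Assumptions: main file first, then *.conf drop-ins from one directory in
# lexical order, last assignment wins; [Journal] headers are ignored.

forward_to_syslog() {
    conf=$1
    dropin_dir=${2:-}
    set --
    if [ -f "$conf" ]; then set -- "$conf"; fi
    if [ -n "$dropin_dir" ] && [ -d "$dropin_dir" ]; then
        for f in "$dropin_dir"/*.conf; do
            if [ -f "$f" ]; then set -- "$@" "$f"; fi
        done
    fi
    if [ $# -eq 0 ]; then echo unset; return 0; fi
    awk '
        /^[ \t]*[#;]/ { next }   # "#ForwardToSyslog=no" is a comment, not a setting
        /^[ \t]*ForwardToSyslog[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            val = $0
        }
        END { print (val == "" ? "unset" : val) }
    ' "$@"
}

# Map the raw value to what a separate syslog daemon will see.
syslog_feed_status() {
    v=$(forward_to_syslog "$@" | tr '[:upper:]' '[:lower:]')
    case $v in
        1|y|yes|t|true|on)  echo forwarding ;;
        0|n|no|f|false|off) echo not-forwarding ;;
        unset)              echo default ;;   # off as of systemd 216, per the quoted note
        *)                  echo "invalid:$v" ;;
    esac
}

# Constructed sample: the stock file from the thread, then the edited one.
demo=$(mktemp -d)
printf '[Journal]\n#ForwardToSyslog=no\n' > "$demo/journald.conf"
syslog_feed_status "$demo/journald.conf"
printf '[Journal]\nForwardToSyslog=yes\n' > "$demo/journald.conf"
syslog_feed_status "$demo/journald.conf"
rm -rf "$demo"
```

On a live system, call `syslog_feed_status /etc/systemd/journald.conf /etc/systemd/journald.conf.d` and restart systemd-journald after changing the setting.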

#8 2014-09-16 20:57:12

thesnooze
Member
Registered: 2014-09-14
Posts: 4

Re: [Solved] Logs not forwarding to syslog

Alad wrote:

This is related to the systemd 216 update:

That solved the issue. Thanks a lot!

Offline
