
#1 Today 01:35:46

darose
Member
Registered: 2004-04-13
Posts: 160

syslog-ng not writing to /var/log files

Some time ago, syslog-ng stopped writing to the log files in /var/log. Near as I can tell, it looks like it was done intentionally: i.e., that the default syslog configuration was intentionally set to disable this (see https://gitlab.archlinux.org/archlinux/ … ng.install ), and that you need to update the default configuration to make it write to log files again. However, I can't seem to find correct information on exactly how to update the configuration to enable it again. Legacy methods, such as configuring journald with "ForwardToSyslog=yes" or setting up a socket at /run/systemd/journal/syslog, don't seem to work, and look like they might even be deprecated. It sounds like /etc/syslog-ng/syslog-ng.conf needs to get updated somehow, but I'm not sure what updates to make to it to turn this on again. The Arch wiki has some instructions on this as well (https://wiki.archlinux.org/title/Syslog … md_journal and https://wiki.archlinux.org/title/System … ith_syslog), but they don't seem to fix the problem either.

Anyone have a working syslog-ng configuration that's successfully writing to /var/log files that can share how it should be done?

Thanks,
DR

Last edited by darose (Today 01:40:25)


#2 Today 03:59:28

marmis
Member
From: Campinas, São Paulo
Registered: 2018-01-23
Posts: 7

Re: syslog-ng not writing to /var/log files

Hi, @darose, nice to see you again! I can share mine:

@version: 4.10
@include "scl.conf"

# See https://syslog-ng.github.io/admin-guide/090_Global_options/000_Global_options
options {
  # log files
  owner("root");
  group("log");
  perm(0640);
  create_dirs(yes);
  dir_owner("root");
  dir_group("log");
  dir_perm(0755);
  # performance
  threaded(yes);
  log_fifo_size(10000);
  flush_lines(0);
  time_reopen(10);
  stats(freq(0));
  # networking
  keep_hostname(yes);
  chain_hostnames(off);
  dns_cache(no);
  use_dns(no);
  use_fqdn(no);
};

filter nftables_ulogd {
  facility(local2) and program('^ulogd$');
};
filter nftables_kernel {
  facility(kern) and message('(^| )IN=') and message('(^| )OUT=');
};

# Local stream
log system {
  source {
    system();
    internal();
  };

  # Emergency messages
  log emerg {
    filter {
      level(emerg)
    };
    destination {
      usertty("*");
    };
    # TODO: email?
  };
  # Everything
  log all {
    destination {
      file("/var/log/syslog/all.log");
      # # Log everything to tty12
      # file("/dev/tty12");
    };
  };
  # Error logs
  log errors {
    filter {
      level(err..emerg);
    };
    destination {
      file("/var/log/syslog/errors.log");
    };
  };
  # Authentication
  log auth {
    filter {
      facility(auth, authpriv);
    };
    destination {
      file("/var/log/syslog/auth.log");
    };
    flags(final);
  };
  # Packet Filter
  log nftables {
    filter {
      filter(nftables_kernel) or filter(nftables_ulogd);
    };
    destination {
      file("/var/log/syslog/nftables.log");
    };
    flags(final);
  };
  # DNS Statistics
  log unbound {
    filter {
      program('^unbound$');
    };
    destination {
      file("/var/log/syslog/unbound.log");
    };
    flags(final);
  };
  # Kernel logs
  log kernel {
    filter {
      facility(kern);
    };
    destination {
      file("/var/log/syslog/kernel.log");
    };
    flags(final);
  };
  # Internal logs
  log syslog {
    filter {
      program('^syslog-ng$');
    };
    destination {
      file("/var/log/syslog/syslog.log");
    };
    flags(final);
  };
  # Podman logs
  log containers {
    filter {
      program('^podman$') or program('^container/.+');
    };
    destination {
      file("/var/log/syslog/containers.log");
    };
    flags(final);
  };
  # Service logs
  log daemon {
    filter {
      facility(daemon);
    };
    destination {
      file("/var/log/syslog/daemon.log");
    };
    flags(final);
  };
  # User logs
  log user {
    filter {
      facility(user);
    };
    destination {
      file("/var/log/syslog/user.log");
    };
    flags(final);
  };
  # Timers, hopefully
  log cron {
    filter {
      facility(cron);
    };
    destination {
      file("/var/log/syslog/cron.log");
    };
    flags(final);
  };
  # Unmatched logs
  log other {
    destination {
      file("/var/log/syslog/other.log");
    };
    flags(final);
  };
};

# log network {
#   source s_network {
#     # uncomment to open port 514 to receive messages
#     default-network-drivers(
#       # NOTE: TLS support
#       #
#       # the default-network-drivers() source driver opens the TLS
#       # enabled ports as well, however without an actual key/cert
#       # pair they will not operate and syslog-ng would display a
#       # warning at startup.
#       #
#       tls(key-file("/path/to/ssl-private-key") cert-file("/path/to/ssl-cert"))
#     );
#   };
#   destination {
#     file("/var/log/syslog/network.log");
#   };
# };

As for services, I have syslog-ng@default.service, without syslog.service or syslog.socket, and I have /etc/systemd/journald.conf.d/syslog.conf to keep all logs in syslog-ng:

[Journal]
Storage=auto
SystemMaxUse=1G
RuntimeMaxUse=100M
MaxFileSec=1month
ForwardToSyslog=yes

I also have logrotate running here (I can share that if you want) and everything is working for me. The logs end up in /var/log/syslog/*.log and are eventually rotated to /var/log/archive/syslog/*.log-*.xz. My only extra setup is with ulogd for NFLog, adding a log_tag for Podman and an extra journald namespace to hide noisy logs, but none of that is required for syslog-ng to work.
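To see how the configuration above routes a message, here is an added Python model (not code from marmis's post or from syslog-ng itself) of its nested log blocks: it evaluates them in the order they appear, as syslog-ng does, and stops at the first matching block carrying flags(final), so you can check which /var/log/syslog/*.log files a given facility, level and program reach and why the nftables block has to sit before the kernel block. The Msg tuple, the "usertty:*" label and the sample messages are this example's own constructions.

```python
import re
from collections import namedtuple

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]  # most severe first

Msg = namedtuple("Msg", "facility level program text")  # e.g. Msg("auth", "info", "sshd", "Accepted publickey")

def fac(*names):
    return lambda m: m.facility in names

def prog(pattern):
    return lambda m: re.search(pattern, m.program) is not None

def text(pattern):
    return lambda m: re.search(pattern, m.text) is not None

def level_range(a, b):
    lo, hi = sorted((LEVELS.index(a), LEVELS.index(b)))  # level(err..emerg) covers err, crit, alert, emerg
    return lambda m: lo <= LEVELS.index(m.level) <= hi

# The two named filters from the config.
nftables_ulogd = lambda m: fac("local2")(m) and prog("^ulogd$")(m)
nftables_kernel = lambda m: fac("kern")(m) and text("(^| )IN=")(m) and text("(^| )OUT=")(m)

# (filter, destination, has flags(final)), in the order the nested log blocks appear.
PATHS = [
    (level_range("emerg", "emerg"), "usertty:*", False),
    (lambda m: True, "all.log", False),
    (level_range("err", "emerg"), "errors.log", False),
    (fac("auth", "authpriv"), "auth.log", True),
    (lambda m: nftables_kernel(m) or nftables_ulogd(m), "nftables.log", True),
    (prog("^unbound$"), "unbound.log", True),
    (fac("kern"), "kernel.log", True),
    (prog("^syslog-ng$"), "syslog.log", True),
    (lambda m: prog("^podman$")(m) or prog("^container/.+")(m), "containers.log", True),
    (fac("daemon"), "daemon.log", True),
    (fac("user"), "user.log", True),
    (fac("cron"), "cron.log", True),
    (lambda m: True, "other.log", True),
]

def route(msg):
    """Destinations the message reaches, in order; stops after the first matching final block."""
    hit = []
    for match, dest, final in PATHS:
        if match(msg):
            hit.append(dest)
            if final:
                break
    return hit
```

A kernel message containing IN= and OUT= ends up in all.log and nftables.log only, never kernel.log, while a message from program container/nginx at facility daemon stops at containers.log and never reaches daemon.log; swapping the order of those blocks in the real config would change where the lines land.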
