#1 2009-01-28 11:46:54

Jyri-poika
Member
Registered: 2008-06-24
Posts: 11

syslog-ng vs. SEC problems after upgrading to 2.1.3-2

Hi guys and girls!

I've been running the combination of syslog-ng and SEC (Simple Event Correlator, http://www.estpak.ee/~risto/sec/). After the latest syslog-ng upgrade (2.1.3-2) things stopped working.

Here's what's going on:

The syslog-ng part of the deal goes like this:

destination d_sec {
        program("/usr/bin/perl /usr/share/sec/sec.pl -input=\"-\" -conf=/usr/local/etc/sec.conf");
};

log {
        source(src); 
        destination(d_sec);
};

That's obviously from /etc/syslog-ng.conf. What it does is that it sends all incoming syslog messages to SEC with certain parameters. This configuration has been working fine for at least several months, on many servers.

After I upgraded to syslog-ng 2.1.3-2, SEC stopped receiving anything from syslog-ng. These messages are being logged to /var/log/everything every 10 minutes:

Jan 28 13:36:14 2 syslog-ng[19411]: Log statistics; dropped='program(/usr/bin/perl /usr/share/sec/sec.pl -input="-" -conf=/usr/local/etc/sec.conf)=0', processed='center(queued)=255119', processed='center(received)=123603', processed='destination(d_sec)=123603', processed='destination(acpid)=0', processed='destination(console)=0', processed='destination(debug)=0', processed='destination(mail)=5485', processed='destination(user)=309', processed='destination(uucp)=0', processed='destination(messages)=1163', processed='destination(ppp)=0', processed='destination(news)=0', processed='destination(iptables)=92399', processed='destination(everything)=6778', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=123', processed='destination(authlog)=24426', processed='destination(errors)=5', processed='destination(kernel)=147', processed='destination(daemon)=681', processed='destination(console_all)=0', processed='source(src)=123603', suppressed='program(/usr/bin/perl /usr/share/sec/sec.pl -input="-" -conf=/usr/local/etc/sec.conf)=0'

ps aux tells me that SEC is running fine, but it seems syslog-ng doesn't want to speak to it.

I have no idea where to go from here. Any ideas, anyone?

- Jyri

Last edited by Jyri-poika (2009-01-28 11:47:31)
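
Added example (not part of the original post, and not code from syslog-ng or SEC): a Python parser for the "Log statistics" line quoted above, which extracts the counters so that what syslog-ng says it routed to d_sec can be read next to the dropped and suppressed counters of the program() destination. The function names are hypothetical and the sample line is shortened from the one in the post.

```python
import re

# Shortened from the statistics line in the post (same counters, fewer destinations).
SAMPLE = (
    "Jan 28 13:36:14 2 syslog-ng[19411]: Log statistics; "
    "dropped='program(/usr/bin/perl /usr/share/sec/sec.pl -input=\"-\" "
    "-conf=/usr/local/etc/sec.conf)=0', "
    "processed='center(received)=123603', "
    "processed='destination(d_sec)=123603', "
    "processed='destination(mail)=5485', "
    "processed='source(src)=123603', "
    "suppressed='program(/usr/bin/perl /usr/share/sec/sec.pl -input=\"-\" "
    "-conf=/usr/local/etc/sec.conf)=0'"
)

# One counter looks like kind='name=count'. The name of a program() entry
# contains spaces, double quotes and '=' itself, so match lazily up to the
# first "=<digits>'" instead of splitting on commas or equals signs.
COUNTER_RE = re.compile(r"(\w+)='(.+?)=(\d+)'")


def parse_stats(line):
    """Return {(kind, name): count} for one 'Log statistics' line."""
    marker = "Log statistics; "
    start = line.find(marker)
    if start < 0:
        raise ValueError("not a syslog-ng 'Log statistics' line")
    body = line[start + len(marker):]
    return {(kind, name): int(n) for kind, name, n in COUNTER_RE.findall(body)}


def program_report(stats, dest):
    """Counters relevant to a program() destination named `dest`."""
    def total(kind):
        # dropped/suppressed entries are keyed by the full command line
        return sum(n for (k, name), n in stats.items()
                   if k == kind and name.startswith("program("))
    return {
        "received": stats.get(("processed", "center(received)"), 0),
        "routed": stats.get(("processed", f"destination({dest})"), 0),
        "dropped": total("dropped"),
        "suppressed": total("suppressed"),
    }


if __name__ == "__main__":
    print(program_report(parse_stats(SAMPLE), "d_sec"))
```

For the line in the post this reports every received message as routed to d_sec with nothing dropped or suppressed, which is only syslog-ng's own accounting and says nothing about what the SEC process read from its standard input.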
