Homesh
@Homeshjoshi_twitter
even with docker run --ulimit nofile=60000:60000 I get the same error
László Szemere
@szemere
Hello @Homeshjoshi_twitter ,
just to clarify things. Can you test the ulimit nofile option with a "regular" container? (i.e. ubuntu:latest, or something) To make sure that you do not have any preferences locally which prevent docker from increasing the number of allowed file descriptors?
I tried --ulimit nofile=100:100 locally with syslog-ng and with other containers and I was able to reproduce your "errno='Too many open files (24)'" issue. (And fix it by increasing ulimit.)
Homesh
@Homeshjoshi_twitter
Hi @szemere , Thanks for the response. I am going to try the solution mentioned here "https://medium.com/@ivanermilov/how-to-fix-inotify-cannot-be-used-reverting-to-polling-too-many-open-files-bb1c1437dbf" So I am going to increase the limit on the host system, as for a docker container it seems it shares the setting of the host, as mentioned here "https://stackoverflow.com/questions/57220658/change-inotify-max-user-instances-limit-in-docker-container" I will update my findings.
Homesh
@Homeshjoshi_twitter
looks like this works for me. Thank you @MrAnno and @szemere for your help.
László Szemere
@szemere
Great news! Thank You for the feedback!
Homesh
@Homeshjoshi_twitter
Yesterday I captured these logs while I started the syslog-ng container. Is there any issue with this?
[2021-08-02T18:57:19.123744] Unknown argument, adding it to VARARGS; argument='persist_name', value='"d100"', reference='/etc/syslog-ng/conf.d/100.conf:2:5'
[2021-08-02T18:57:19.133280] Unknown argument, adding it to VARARGS; argument='persist_name', value='"d104"', reference='/etc/syslog-ng/conf.d/104.conf:2:5'
[2021-08-02T18:57:19.134027] Unknown argument, adding it to VARARGS; argument='persist_name', value='"d932"', reference='/etc/syslog-ng/conf.d/932.conf:2:5'
[2021-08-02T18:57:19.135120] Unknown argument, adding it to VARARGS; argument='persist_name', value='"d938"', reference='/etc/syslog-ng/conf.d/938.conf:2:5'
I have to create a destination for each log source, with logs forwarding to the same elasticsearch server, hence I am adding e.g. persist-name("d100")
László Szemere
@szemere

Hello @Homeshjoshi_twitter , those logs are completely normal.

In more detail: they are generated during grammar parsing. In your case they are referring to this line: https://github.com/syslog-ng/syslog-ng/blob/master/scl/elasticsearch/elastic-http.conf#L36

In case of blocks there are named parameters, like "index" in case of elasticsearch, and "everything else", alias "VARARGS". The latter one is useful because it allows us to pass extra parameters to the underlying http destination, without the need to blindly repeat those options in elastic. As a result, it reduces the size of the glue code.

Homesh
@Homeshjoshi_twitter
Thanks for the brief answer @szemere
skappen
@skappen

On syslog-ng 3.16.1 the suppress option in syslog-ng.conf is configured as suppress(600).
When we send identical messages to a destination, message suppression does not work properly.
It logs the same sent message at an interval of 60 seconds.

sending messages using logger as
logger -p debug "test messages..."

Aug 10 02:46:40 qafarm2-50 root: test messages...
Aug 10 02:47:40 qafarm2-50 root: test messages...
Aug 10 02:48:40 qafarm2-50 root: test messages...

It does not log "root[24697]: Last message 'test messages...' repeated N times, suppressed by syslog-ng".

When we configure syslog-ng 3.16.1 with the option suppress(60) it works as expected.
We have tested syslog-ng version 3.24.1 where the issue is not seen; the suppress(600) is working as expected.
Is it a known issue in syslog-ng 3.16.1? Also, could you help to pinpoint which commit fixed this issue?

László Szemere
@szemere

Hello @skappen , I do not remember any outstanding issue regarding the suppress functionality.

Since suppress is implemented in logwriter, I tried to narrow down the search with the following command:
git log syslog-ng-3.16.1..syslog-ng-3.24.1 --pretty=oneline --abbrev-commit -- lib/logwriter.c

It gives "only" 32 commits, however none of them suggests an explicit bug in suppress to me. I assume it was a side effect of another code change.

At first, I would narrow down the search area by testing other releases between 3.16 and 3.24. (If I count it right, it is 3 more releases with a binary search.) Do you have the resources to try other versions? Is there any particular reason you can not simply upgrade to the latest version?

skappen
@skappen
Hi @szemere Many thanks. The issue is also reproduced on syslog-ng 3.19.1. I am trying to test other versions between 3.19.1 and 3.24.1, but at present I don't have any live system with those versions. I need to build other syslog-ng versions first to verify it. Upgrade is not a plan as it may break other stuff. So I am looking to figure out the patch and backport the same.
skappen
@skappen
Hi @szemere I have narrowed it down further and identified that the issue is not seen on syslog-ng-3.23.1 after the commits https://github.com/syslog-ng/syslog-ng/pull/2798/commits. Looks like the default time-reap value of 60 seconds in versions prior to syslog-ng-3.23.1 causes this behaviour.
László Szemere
@szemere

Hello @skappen , Thank you for reporting it back. Based on the linked PR, I figured out that in the case when the suppress time is bigger than time_reap, the suppress message is lost.

So the problem still exists; the PR only hides it in your case, by disabling the reap timer when it is not configured explicitly.

I would like to discuss the topic with my colleagues. This looks like an undefined situation to me; at this moment I don't know what the expected behavior should be.

Fabien Wernli
@faxm0dem
Hi there, just added this to my base config because I didn't like how docker containers (--log-driver journald) ended up logging using their ID as PROGRAM:
source s_system {
  channel {
    source { system(); };
    # make sure docker containers don't get their PROGRAM set to their CONTAINER_ID
    # dockerd shall be their PROGRAM
    junction {
      channel {
        filter {
          "${.journald.SYSLOG_IDENTIFIER}" != ""
            and
          "${.journald.SYSLOG_IDENTIFIER}" == "${.journald.CONTAINER_ID}"
        };
        rewrite {
          set("${.journald._COMM}", value("PROGRAM"));
        };
      };
      channel {
        flags(fallback);
      };
    };
  };
};
I'm mentioning it here, as it might help others, or why not make it into the s_system SCL?
Peter Czanik
@czanik
Thank you!
Balazs Scheidler
@bazsi
did anyone notice that dockerhub is not building our images anymore?
László Várady
@MrAnno

@bazsi
hmm, we wanted to try GitHub's own docker registry anyway (https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry), which seems to be less limited, faster, and currently free. We could use this for dbld images, if it turns out to be good for us; and in case we want to keep the main syslog-ng image on Docker Hub (balabit/syslog-ng), we could "reverse" the trigger direction between our CI and Docker Hub for that image (by building the image on GitHub, and then pushing it to Docker Hub from GitHub Actions).

subscribing to a Docker Hub Pro plan (or applying for Docker Open Source) would not be a big deal either, but dockerhub has been quite unstable for the past year, so I think the GH container registry might be worth a quick look.

what do you think?

László Várady
@MrAnno
(In the meantime, I filled the "Docker Open Source Community Application" for syslog-ng.)
Balazs Scheidler
@bazsi
I agree that we should try an alternative; we are running our actions in github anyway, so I guess this would be much faster.
László Várady
@MrAnno
Thanks for noticing the dockerhub build!
I just finished filling out the dockerhub open source application form, we'll see what happens next week :)
Balazs Scheidler
@bazsi
I tried to build one of the dbld images locally and it failed. That's why I have checked.
Sanjay Patel
@San_j_ay_twitter
hello
has anyone got syslog-ng kafka to work?
I cannot figure out how to load kafka module.
Sanjay Patel
@San_j_ay_twitter
I can't find the syslog-ng-cfg-db.py file on my server either
Balazs Scheidler
@bazsi
Which version do you have?
Are you sure you have kafka in your build?
Sanjay Patel
@San_j_ay_twitter
@bazsi I have 3.31
how do I verify if kafka is in the build?
Balazs Scheidler
@bazsi
Run syslog-ng --module-registry
Sanjay Patel
@San_j_ay_twitter
not in there
that is my question, how do I add kafka-c to my current install?
Balazs Scheidler
@bazsi
Which platform?
Robert Paschedag
@rpasche

Hi everyone....we are looking for alternatives to logstash and want to test syslog-ng. We are using a lot of filters and grok to - sometimes - create "nested objects" (within elasticsearch). Can someone show me a simple example of how to extract information from within a syslog message (${MESSAGE}) field, so we are able to "create" a new field? Example: Syslog message contains VM some_super_shiny_vm_name has been started. I want to add a new - nested - field like vm.name (JSON: {"vm": {"name": "my_super_shiny_vm_name"}}) with the name of the VM ("my_super_shiny_vm_name"), so I could create a json object like

$(format-json message=${MESSAGE} vm.name=${my_new_extracted_field})

Thank you for your help.

Joep van Diessen
@joepvand
Hello everyone, I currently have syslog-ng, but I want a way for a custom web interface to see logs in real time. Does anyone know where to start with this?
Sanjay Patel
@San_j_ay_twitter
I can't get syslog-ng to accept messages. When I do tcpdump I can see the port open and messages coming in, but when I run syslog-ng it does not accept the messages.
Sanjay Patel
@San_j_ay_twitter
I can see the port open but when I do syslog-ng -Fevd it shows no data
László Várady
@MrAnno
@San_j_ay_twitter Could you share the output of syslog-ng -Fevd?
Sanjay Patel
@San_j_ay_twitter
how do I send without flooding?
Sanjay Patel
@San_j_ay_twitter
still stuck
tcpdump shows packets coming on udp but syslog-ng not picking them up
László Várady
@MrAnno

Hi,

If I understood your last reply correctly, netcat does not receive messages/packets either.
In case that's true, your issue is not really a syslog-ng configuration issue, it must be something environmental.

Sanjay Patel
@San_j_ay_twitter
@MrAnno it was an iptables issue. Even with the firewall off, Ubuntu firewall rules apply. I added this to make it work: iptables -I INPUT -p udp -j ACCEPT. Adding it here in case someone else runs into this issue.
Robert Paschedag
@rpasche
Short question: Is the last pattern .* some kind of "workaround" within the new regexp-parser pattern, so a message does not get discarded in case none of the previous patterns finds anything? Because I'm currently testing this new regexp-parser and added several patterns to extract information, and noticed that my message was never written to the destination. This seems to be caused by the fact that none of my patterns really matched something. So is some kind of last pattern like .* the only chance I do not lose a message, or are there flags that I can use to prevent messages from being discarded? Thank you for your help
Robert Paschedag
@rpasche
Can you help me once more? I want to convert the syslog-ng TAGS into a JSON array, that should then be used within elasticsearch. Currently, the TAGS are set, but set as a static string (comma separated). I tried it with some rewrite but currently I cannot get it to work. So I tried for example
rewrite {
  set("$(explode ',' ${TAGS})", value("tags"));
};
Balazs Scheidler
@bazsi
Just use the list type hint