2

I'm working to implement syslog-ng OSE in my environment. Eventually I'd like to set up a central logging server, but in order to get my feet wet, I'm starting with a simple configuration. I've created a config that contains a single source, a single destination, and a single log. When I execute syslog-ng -F (as a foreground process via the CLI) I get the expected results (all system messages are getting logged to /var/log/messages). However, if I run it as a daemon (via systemctl) I don't receive all the expected system messages. What's odd is that I'm still receiving messages from the kernel facility. Here's my simple config:

    @version:3.5
    @include "scl.conf"

    source s_sys {
        system();
        internal();
    };

    destination d_mesg {
        file("/var/log/messages");
    };

    log {
        source(s_sys);
        destination(d_mesg);
    };

As you can see, I don't have any filters set. I've verified that the service is running via systemctl status syslog-ng and it is. I've also made sure to stop and remove all other logging daemons.

    syslog-ng.service - System Logger Daemon
       Loaded: loaded (/usr/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled)
       Active: active (running) since Sun 2016-02-28 17:15:07 EST; 21min ago
         Docs: man:syslog-ng(8)
     Main PID: 3416 (syslog-ng)
       CGroup: /system.slice/syslog-ng.service
               └─3416 /usr/sbin/syslog-ng -F -p /var/run/syslogd.pid

My OS is CentOS 7.2. Any help would be greatly appreciated.

1
  • 2
    So it looks like on CentOS and RHEL7, the system logging facility is journald, which by default doesn't forward system messages to syslog (or syslog-ng). Once I uncommented the line "ForwardToSyslog=yes" in the file "/etc/systemd/journald.conf" and restarted the services, everything started coming up Milhouse! Commented Feb 29, 2016 at 0:57

2 Answers

0

NevDull, thanks for your input. It has helped me with the following problem that is similar to this topic:

syslog-ng fails to catch messages issued by the logger command when running under systemctl administration. But it performs as expected when you go through the terminal as follows:

    systemctl stop syslog-ng
    syslog-ng -Fevd
    logger -p mail.info "I'm testing..."   # need to open a new terminal session
    cat /var/log/maillog

As a result, you can see your "I'm testing..." message in the /var/log/maillog file.

Editing the "/etc/systemd/journald.conf" file as you recommended solved the problem.

Thanks for sharing
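A way to confirm the journald setting discussed above and then prove delivery end to end, as an added example that is not part of the original posts. The function names `forward_to_syslog_state` and `check_delivery` and the `--live` switch are made up for this sketch; the paths are the ones used in the question and comment.

```shell
#!/bin/sh
# Added example: report the effective ForwardToSyslog value, then test delivery.

# Print yes / no / invalid / unset for the last uncommented ForwardToSyslog=
# assignment found in the given journald config files (read in the order given).
# "unset" means no file sets it, so the build's default applies.
forward_to_syslog_state() {
    state=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Lines starting with '#' never match, so the commented stock line is ignored.
        v=$(sed -n 's/^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$f" \
            | tail -n 1 | tr 'A-Z' 'a-z')
        [ -n "$v" ] || continue
        case "$v" in
            yes|true|on|1)  state=yes ;;
            no|false|off|0) state=no ;;
            *)              state=invalid ;;
        esac
    done
    printf '%s\n' "$state"
}

# Send a unique marker through logger and look for it in the destination file.
# Returns 0 if the marker arrived, non-zero if it was silently dropped.
check_delivery() {
    dest=$1
    marker="fwd-check-$$-$(date +%s)"
    logger -p user.notice "$marker"
    sleep 2   # give journald and syslog-ng time to write the message
    grep -q "$marker" "$dest"
}

# Live check against the real system only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "ForwardToSyslog: $(forward_to_syslog_state /etc/systemd/journald.conf)"
    if check_delivery /var/log/messages; then
        echo "marker delivered to /var/log/messages"
    else
        echo "marker NOT delivered: userspace messages are not reaching syslog-ng"
    fi
fi
```

Running the delivery check after every change to the logging stack catches the case in the question, where the daemon is active and kernel messages arrive but userspace messages are lost.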

0

Another possible solution is to upgrade syslog-ng to a later version. Starting with syslog-ng 3.7 it can read the systemd journal directly.

https://www.syslog-ng.com/community/b/blog/posts/installing-latest-syslog-ng-on-rhel-and-other-rpm-distributions
