PDA

View Full Version : syslog-ng.conf.in does not take effect



peetoo
11-Jun-2013, 03:58
Hi,

i'm trying to integrate a SLES 10 server to a syslog server for centralized logging.

I followed the steps in this article: http://www.novell.com/coolsolutions/feature/18044.html
However it doesn't work. If I "logger user.notice test" i can see the test message in /var/log/messages but no log was send to the loghost. And tcpdump captures no packets.

Then i noticed there are 3 files under /etc/syslog-ng:
-rw-r--r-- 1 root root 6794 Jun 27 2012 syslog-ng.conf
-rw-r--r-- 1 root root 5638 Jun 11 10:43 syslog-ng.conf.SuSEconfig
-rw-r--r-- 1 root root 5656 Jun 11 10:43 syslog-ng.conf.in

Everytime when i change syslog-ng.conf.in and run SuSEconfig, syslog-ng.conf.SuSEconfig is changed accordingly. The syslog-ng.conf doesn't change at all. I tried to edit syslog-ng.conf directly (although not recommend, i know) and restart syslog-ng by /etc/init.d/syslog restart. Magic happened, it worked.

I feel uncomfortable about it because I made it work by a "forbidden" way. Could anyone explain why the recommended way not work? Any thing i did wrong?

Thanks

ab
11-Jun-2013, 13:38
The article was written for SLES 9 and while I see a note in there about
SLES 10 I've never noticed this issue before and have always modified the
syslog-ng.conf file directly (perhaps incorrectly, and perhaps only
getting by with some good luck). Could you post the contents of your
/etc/sysconfig/syslog file? I notice in there I have a parameter that
tells suseconfig whether or not it should be controlling the
syslog-ng.conf file and it defaults to 'Yes' (meaning it sounds like it
should work the same way as SLES 9). If I run SuSEconfig --module
syslog-ng I do not get any new syslog-ng.conf.SuSEconfig file as you do,
which is another interesting point; my server is OES 2 SP2 which is based
on SLES 10.SP3.

By the way, SLES 11 no longer has this syslog-nt.conf.in file so things
are simpler.

Good luck.

ab
11-Jun-2013, 13:38
> By the way, SLES 11 no longer has this syslog-nt.conf.in file so things
> are simpler.

Typo... I meant syslog-ng.conf.in of course.

Good luck.

smflood
11-Jun-2013, 15:39
On 11/06/2013 13:38, ab wrote:

> The article was written for SLES 9 and while I see a note in there about
> SLES 10 I've never noticed this issue before and have always modified the
> syslog-ng.conf file directly (perhaps incorrectly, and perhaps only
> getting by with some good luck).

Tut tut!

> Could you post the contents of your
> /etc/sysconfig/syslog file? I notice in there I have a parameter that
> tells suseconfig whether or not it should be controlling the
> syslog-ng.conf file and it defaults to 'Yes' (meaning it sounds like it
> should work the same way as SLES 9). If I run SuSEconfig --module
> syslog-ng I do not get any new syslog-ng.conf.SuSEconfig file as you do,
> which is another interesting point; my server is OES 2 SP2 which is based
> on SLES 10.SP3.

Use "grep SYSLOG_NG_CREATE_CONFIG /etc/sysconfig/syslog" to quickly
check whether SuSEconfig will generate syslog-ng.conf from
syslog-ng.conf.in.

> By the way, SLES 11 no longer has this syslog-nt.conf.in file so things
> are simpler.

Indeed.

HTH.
--
Simon
SUSE Knowledge Partner

------------------------------------------------------------------------
Do you work with SUSE technologies at a university, college or school?
If so, your campus could benefit from joining the Technology Transfer
Partner (TTP) program. See novell.com/ttp for more details.
------------------------------------------------------------------------

smflood
11-Jun-2013, 15:47
On 11/06/2013 04:04, peetoo wrote:

> i'm trying to integrate a SLES 10 server to a syslog server for
> centralized logging.
>
> I followed the steps in this article:
> http://www.novell.com/coolsolutions/feature/18044.html
> However it doesn't work. If I "logger user.notice test" i can see the
> test message in /var/log/messages but no log was send to the loghost.
> And tcpdump captures no packets.
>
> Then i noticed there are 3 files under /etc/syslog-ng:
> -rw-r--r-- 1 root root 6794 Jun 27 2012 syslog-ng.conf
> -rw-r--r-- 1 root root 5638 Jun 11 10:43 syslog-ng.conf.SuSEconfig
> -rw-r--r-- 1 root root 5656 Jun 11 10:43 syslog-ng.conf.in
>
> Everytime when i change syslog-ng.conf.in and run SuSEconfig,
> syslog-ng.conf.SuSEconfig is changed accordingly. The syslog-ng.conf
> doesn't change at all. I tried to edit syslog-ng.conf directly (although
> not recommend, i know) and restart syslog-ng by /etc/init.d/syslog
> restart. Magic happened, it worked.
>
> I feel uncomfortable about it because I made it work by a "forbidden"
> way. Could anyone explain why the recommended way not work? Any thing i
> did wrong?

When you run "SuSEconfig --module syslog-ng" do you get any errors?

syslog-ng.conf.SuSEconfig can be created if you have modified
syslog-ng.conf rather than syslog-ng.conf.in.

I also think that syslog-ng.conf.SuSEconfig is created from
syslog-ng.conf.in to check syntax, etc. If no errors then syslog-ng.conf
is created (and syslog-ng.conf.SuSEconfig should be removed).

Either way, running "SuSEconfig --module syslog-ng" should reveal the
reason.

HTH.
--
Simon
SUSE Knowledge Partner

------------------------------------------------------------------------
Do you work with SUSE technologies at a university, college or school?
If so, your campus could benefit from joining the Technology Transfer
Partner (TTP) program. See novell.com/ttp for more details.
------------------------------------------------------------------------

peetoo
11-Jun-2013, 23:09
On 11/06/2013 04:04, peetoo wrote:


When you run "SuSEconfig --module syslog-ng" do you get any errors?

syslog-ng.conf.SuSEconfig can be created if you have modified
syslog-ng.conf rather than syslog-ng.conf.in.

I also think that syslog-ng.conf.SuSEconfig is created from
syslog-ng.conf.in to check syntax, etc. If no errors then syslog-ng.conf
is created (and syslog-ng.conf.SuSEconfig should be removed).

Either way, running "SuSEconfig --module syslog-ng" should reveal the
reason.


First with /etc/sysconfig/syslog
srv:~ # grep SYSLOG_NG_CREATE_CONFIG /etc/sysconfig/syslog
SYSLOG_NG_CREATE_CONFIG="yes"
srv:~ #

here is the outcome of "SuSEconfig --module syslog-ng"

srv:/etc/syslog-ng # SuSEconfig --module syslog-ng
Starting SuSEconfig, the SuSE Configuration Tool...
Running module syslog-ng only
Reading /etc/sysconfig and updating the system...
Executing /sbin/conf.d/SuSEconfig.syslog-ng...
Checking //etc/syslog-ng/syslog-ng.conf.SuSEconfig file: ok

ATTENTION: You have modified //etc/syslog-ng/syslog-ng.conf. Leaving it untouched...
You can find my version in //etc/syslog-ng/syslog-ng.conf.SuSEconfig...

Finished.
srv:/etc/syslog-ng #

The "ATTENTION" does look suspicious, but still I don't know why......

smflood
12-Jun-2013, 11:57
On 11/06/2013 23:14, peetoo wrote:

> First with /etc/sysconfig/syslog
> srv:~ # grep SYSLOG_NG_CREATE_CONFIG /etc/sysconfig/syslog
> SYSLOG_NG_CREATE_CONFIG="yes"

So that confirms SuSEconfig is being used to "manage" the configuration
for syslog-ng.

> here is the outcome of "SuSEconfig --module syslog-ng"
>
> srv:/etc/syslog-ng # SuSEconfig --module syslog-ng
> Starting SuSEconfig, the SuSE Configuration Tool...
> Running module syslog-ng only
> Reading /etc/sysconfig and updating the system...
> Executing /sbin/conf.d/SuSEconfig.syslog-ng...
> Checking //etc/syslog-ng/syslog-ng.conf.SuSEconfig file: ok
>
> ATTENTION: You have modified //etc/syslog-ng/syslog-ng.conf. Leaving
> it untouched...
> You can find my version in
> //etc/syslog-ng/syslog-ng.conf.SuSEconfig...
>
> Finished.
> srv:/etc/syslog-ng #
>
> The "ATTENTION" does look suspicious, but still I don't know why......

Well there's your reason, syslog-ng.conf has been edited.

It might be worth using diff to check the differences between
syslog-ng.conf and syslog-ng.conf.SuSEconfig and then you could edit
syslog-ng.conf.in accordingly. Once you're happy that
syslog-ng.conf.SuSEconfig is correct (based on syslog-ng.conf.in) then
you should be able to rename syslog-ng.conf to something else
(syslog-ng.conf.bak perhaps) and then rename syslog-ng.conf.SuSEconfig
to syslog-ng.conf.

HTH.
--
Simon
SUSE Knowledge Partner

------------------------------------------------------------------------
Do you work with SUSE technologies at a university, college or school?
If so, your campus could benefit from joining the Technology Transfer
Partner (TTP) program. See novell.com/ttp for more details.
------------------------------------------------------------------------

peetoo
13-Jun-2013, 01:03
It worked.
It looks that syslog-ng.conf.SuSEconfig is just a middle file. When I modified syslog-ng.conf.in to be consistent with syslog-ng.conf and do "SuSEconfig --module syslog-ng", I got this:
srv:/etc/syslog-ng # SuSEconfig --module syslog-ng
Starting SuSEconfig, the SuSE Configuration Tool...
Running module syslog-ng only
Reading /etc/sysconfig and updating the system...
Executing /sbin/conf.d/SuSEconfig.syslog-ng...
Checking //etc/syslog-ng/syslog-ng.conf.SuSEconfig file: ok
Finished.
srv:/etc/syslog-ng #

But if I ls in /etc/syslog-ng, there is no syslog-ng.conf.SuSEconfig any more.
srv:/etc/syslog-ng # ll
total 32
-rw-r--r-- 1 root root 6967 Jun 13 11:28 syslog-ng.conf
-rw-r--r-- 1 root root 6794 Jun 27 2012 syslog-ng.conf.bak
-rw-r--r-- 1 root root 6985 Jun 13 11:27 syslog-ng.conf.in
-rw-r--r-- 1 root root 5459 Jul 6 2007 syslog-ng.conf.in.bak
srv:/etc/syslog-ng #