Question from spiceuser-l0kcb, posted 2021-06-30 (https://community.spiceworks.com/t/syslog-ng-stop-sending-logs-to-splunk/804287/1):

I'm using syslog-ng to filter logs before sending them to Splunk, but logging suddenly stops and I don't understand why.

systemctl status syslog-ng

says running.

syslog-ng-ctl stats gives me:

Error connecting control socket, socket='/var/lib/syslog-ng/syslog-ng.ctl', error='Permission denied'

I'm running it on Ubuntu 20.04 as root.

Logs keep getting written to the file but are not sent over UDP.

If I restart syslog-ng it still fails; if I reboot the machine, logging is restored.

What could be the issue?

My config:

```
@version: 3.25
@include "scl.conf"
# First, set some global options.
options {
  chain_hostnames(off);
  flush_lines(0);
  use_dns(no);
  use_fqdn(no);
  dns_cache(no);
  owner("root");
  group("adm");
  perm(0640);
  create_dirs(yes);
  dir-perm(0700);
  stats_freq(0);
  bad_hostname("^gconfd$");
};
@include "/etc/syslog-ng/conf.d/*.conf"

####CONF.D##########
##########
# Source #
##########
source s_udp {
  udp();
};
##########
# Filter #
##########
# filters are all like that
filter remove_matching_logs { not match("string" value(MSG)); };
#...
############
# Template #
############
template no_head {
  template("${MSGHDR}${MSG}\n"); template_escape(no);
};

###############
# Destination #
###############
destination d_splunk {
  udp("192.168.200.11" port(514) template(no_head));
};
destination d_file {
  file("/var/log/syslogtemp" template(no_head));
};
##############
# Log Action #
##############
log {
  source(s_udp);
  filter(remove_matching_logs);
#...
  destination(d_splunk);
  destination(d_file);
};
```
Answer from petersaraby, posted 2021-07-01 (https://community.spiceworks.com/t/syslog-ng-stop-sending-logs-to-splunk/804287/2):

How long does it work before it suddenly stops? Have you looked at the logs around the time it stops working?
I would say that the most likely issue is that another daemon is binding to that port, but that obviously would require something/somebody to stop syslog-ng first, and then start something else.

So another thing to try would be to see whether there is another process binding to port 514 (with netstat) when it stops working.
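As an added diagnostic example (not from the original post, nor from the syslog-ng project), here is a Python script that checks the two things this thread raises: the state of the control socket path named in the syslog-ng-ctl error, and whether another process already holds the UDP port that the udp() source listens on (the check the answer suggests doing with netstat). The socket path and port 514 are the values from the thread; the function names, the error-line parser and the classification strings are my own constructions.

```python
"""Added diagnostic helper for the two symptoms in this thread: syslog-ng-ctl
refusing to connect to its control socket, and a UDP port that might already be
held by another process. Constructed example, not syslog-ng's own tooling."""
import errno
import os
import re
import socket
import stat

# Values taken from the thread; adjust for other distributions or configs.
CTL_SOCKET = "/var/lib/syslog-ng/syslog-ng.ctl"   # path quoted in the error
SYSLOG_UDP_PORT = 514                              # default port of udp() source

_CTL_ERROR_RE = re.compile(
    r"Error connecting control socket, socket='(?P<socket>[^']+)', "
    r"error='(?P<error>[^']+)'"
)


def parse_ctl_error(line):
    """Extract the socket path and error text from a syslog-ng-ctl error line.

    Forum software tends to turn the straight quotes into curly ones, so both
    forms are normalised before matching. Returns None when the line does not
    match (useful when scanning journal output for this failure)."""
    normalised = line.replace("\u2018", "'").replace("\u2019", "'")
    m = _CTL_ERROR_RE.search(normalised)
    return m.groupdict() if m else None


def check_ctl_socket(path):
    """Classify the control socket path.

    Returns "missing", "not-a-socket", "not-writable" or "ok". syslog-ng-ctl
    connect()s to a unix socket, which needs write permission on the socket
    file (and search permission on its directory); a stale regular file left
    at that path, or a wrong owner/mode, is what a 'Permission denied' from a
    root shell usually points at."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    if not os.access(path, os.W_OK):
        return "not-writable"
    return "ok"


def udp_port_in_use(port, host="0.0.0.0"):
    """Return True if UDP host:port is already bound by another process.

    Tries a bind without SO_REUSEADDR, so EADDRINUSE means some other socket
    holds the port the udp() source would need. Binding a port below 1024
    needs root (or CAP_NET_BIND_SERVICE); any other error is re-raised."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((host, port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        raise
    finally:
        s.close()


def diagnose(ctl_path=CTL_SOCKET, port=SYSLOG_UDP_PORT):
    """Collect both checks into one dict for scripting or alerting."""
    return {
        "ctl_socket": check_ctl_socket(ctl_path),
        "udp_port_in_use": udp_port_in_use(port),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run it as root on the affected host while the failure is happening (the port probe needs root for port 514): a result of `not-a-socket` or `not-writable` explains the syslog-ng-ctl error on its own, and `udp_port_in_use: True` while syslog-ng is stopped points at the competing listener the answer describes. Note that the port probe only tells you the port is taken, not by whom; `ss -lunp` or `netstat -lunp` gives the owning process.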