
I'm working to implement syslog-ng OSE in my environment. Eventually I'd like to set up a central logging server, but in order to get my feet wet, I'm starting with a simple configuration. I've created a config that contains a single source, a single destination, and a single log. When I execute syslog-ng -F (as a foreground process via the CLI), I get the expected results (all system messages are getting logged to /var/log/messages). However, if I run it as a daemon (via systemctl), I don't receive all the expected system messages. What's odd is that I'm still receiving messages from the kernel facility. Here's my simple config:

@version:3.5
@include "scl.conf"
source s_sys { system(); internal(); };
destination d_mesg { file("/var/log/messages"); };
log { source(s_sys); destination(d_mesg); };

As you can see, I don't have any filters set. I've verified via systemctl status syslog-ng that the service is running, and it is. I've also made sure to stop and remove all other logging daemons.

syslog-ng.service - System Logger Daemon
   Loaded: loaded (/usr/lib/systemd/system/syslog-ng.service; enabled;     vendor preset: enabled)
   Active: active (running) since Sun 2016-02-28 17:15:07 EST; 21min ago
     Docs: man:syslog-ng(8)
 Main PID: 3416 (syslog-ng)
   CGroup: /system.slice/syslog-ng.service
           └─3416 /usr/sbin/syslog-ng -F -p /var/run/syslogd.pid

My OS is CentOS 7.2. Any help would be greatly appreciated.

NevDull
    So it looks like on CentOS and RHEL7, the system logging facility is journald, which by default doesn't forward system messages to syslog (or syslog-ng). Once I uncommented the line "ForwardToSyslog=yes" in the file "/etc/systemd/journald.conf" and restarted the services, everything started coming up Milhouse! – NevDull Feb 29 '16 at 00:57

2 Answers

0

NevDull, thanks for your input. It has helped me with the following problem that is similar to this topic:

syslog-ng fails to catch messages issued by logger command when running under systemctl administration. But it performs as expected when you go through the terminal as follows:

systemctl stop syslog-ng
syslog-ng -Fevd
# in a new terminal session:
logger -p mail.info "I'm testing..."
cat /var/log/maillog

As a result, you can see your "I'm testing..." message in the /var/log/maillog file.

Editing the "/etc/systemd/journald.conf" file as you recommended solved the problem.

Thanks for sharing
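A check for the journald setting discussed above, as an added example that is not part of the original posts: it reports whether ForwardToSyslog= is actually set (uncommented, inside the [Journal] section) across one or more config files, with later files overriding earlier ones. The function name forward_to_syslog_state and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the original thread).
# Prints yes, no, or unset. "unset" means no uncommented assignment was
# found, so journald's built-in default applies.
forward_to_syslog_state() {
    # Keep only readable files so awk never falls back to reading stdin.
    for f in "$@"; do
        shift
        if [ -r "$f" ]; then set -- "$@" "$f"; fi
    done
    [ "$#" -gt 0 ] || { echo unset; return 0; }
    awk '
        FNR == 1 { in_journal = 0 }          # each file starts outside any section
        /^[ \t]*[#;]/ { next }               # commented-out lines do not count
        /^[ \t]*\[/ {                        # section header
            s = $0; gsub(/[ \t]/, "", s)
            in_journal = (s == "[Journal]"); next
        }
        in_journal && /^[ \t]*ForwardToSyslog[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            v = tolower(v)
            if (v ~ /^(yes|true|on|1)$/) state = "yes"
            else if (v ~ /^(no|false|off|0)$/) state = "no"
            # unrecognised values are ignored by this helper
        }
        END { print (state == "" ? "unset" : state) }
    ' "$@"
}

# Constructed sample: a stock file with the line still commented out,
# and a second file that enables forwarding.
demo=$(mktemp -d)
printf '[Journal]\n#Storage=auto\n#ForwardToSyslog=yes\n' > "$demo/journald.conf"
printf '[Journal]\nForwardToSyslog = yes\n' > "$demo/10-forward.conf"
echo "stock file only: $(forward_to_syslog_state "$demo/journald.conf")"
echo "with override:   $(forward_to_syslog_state "$demo/journald.conf" "$demo/10-forward.conf")"
```

On a host, pass /etc/systemd/journald.conf first, followed by any drop-in files the installed systemd version reads. The result reflects the files on disk; journald only picks up a change after it is restarted.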

0

Another possible solution is to upgrade syslog-ng to a later version. Starting with syslog-ng 3.7 it can read the systemd journal directly.

https://www.syslog-ng.com/community/b/blog/posts/installing-latest-syslog-ng-on-rhel-and-other-rpm-distributions