Re: [gentoo-user] Re: syslog-ng: v2->v3 config issue... - gentoo-user

From:	frobert@×××××××.hu
To:	gentoo-user@l.g.o
Subject:	Re: [gentoo-user] Re: syslog-ng: v2->v3 config issue...
Date:	Wed, 04 Nov 2009 19:33:10
Message-Id:	`20091104203300.mtynbvjaioggskww@webmail.balabit`
In Reply to:	Re: [gentoo-user] Re: syslog-ng: v2->v3 config issue... by Jarry

1

Hi Jarry,

2

thanks for the detailed info. I have discussed the issue with my  

3

colleagues, and it seems that the error is on our side: there was a  

4

performance-related change in the program-override option in 3.0.4,  

5

which broke the function.

6

7

So you can either downgrade to an older version (3.0.3 should work),  

8

or if you want to stick to 3.0.4, you can try to add a rewrite rule to  

9

set the PROGRAM field to teamspeak (which may or may not work in this  

10

case, since the program field seems to be empty in the message -  

11

sorry, I haven't had the time to test it).

12

13

Alternatively, you can create a template for this destination and  

14

rebuild the message from macros and add a default value for program  

15

($ISODATE $HOST ${PROGRAM:-teamspeak2} $MESSAGE)

16

17

I hope one of these will work for you.

18

19

Regards,

20

21

Robert

22

23

24

Quoting Jarry <mr.jarry@×××××.com>:

25

26

> Fekete Robert wrote:

27

>> You are right, the program-override option is missing from the

28

>> documentation of the file source, but it should work anyway.

29

>> We did a quick test and it was working on our Ubuntu machines (tested

30

>> with syslog-ng 3.02a), both on kernel messages and also on custom

31

>> files containing log messages.

32

>

33

> Well, I'm not sure where is the problem. I'm using syslog-ng-3.0.4

34

> (the last stable version in portage). This is relevant part of my

35

> "new" /etc/syslog-ng.conf:

36

> ====================

37

> options { chain_hostnames(no);

38

>           stats_freq(3600);

39

>           ts_format(iso);

40

>           flush_lines(1);

41

>           log_fifo_size(250); };

42

>

43

> source s_teamspeak { file("/var/log/teamspeak2-server/server.log"

44

>                         flags(store-legacy-msghdr)

45

>                         program_override("teamspeak: ")

46

>                         log_fetch_limit(100)

47

>                         flags(no-parse)); };

48

>

49

> destination d_teamspeak { file("/var/log/ts2.log"); };

50

> log { source(s_teamspeak); destination(d_teamspeak); };

51

> ==========================

52

>

53

> One line in source (/var/log/teamspeak-server/server.log):

54

> 04-11-09 16:52:54,ALL,Info... (etc)

55

>

56

> Corresponding line in /var/log/ts2.log (that program_override()

57

> is simply missing):

58

> 2009-11-04T16:52:54+00:00 talk 04-11-09 16:52:54,ALL,Info...

59

>

60

> For comparison, the same part of my syslog-ng v2.x config:

61

> ==========================

62

> options { chain_hostnames(off);

63

>           sync(0);

64

>           stats(43200);

65

>           ts_format(iso); };

66

>

67

> source s_teamspeak2 { file("/var/log/teamspeak2-server/server.log"

68

>                         log_prefix("teamspeak2: ")

69

>                         follow_freq(1)

70

>                         flags(no-parse)); };

71

>

72

> destination d_teamspeak { file("/var/log/ts2.log"); };

73

> log { source(s_teamspeak); destination(d_teamspeak); };

74

> ===========================

75

>

76

> And this is what I got in ts2.log with syslog-ng v2.x:

77

>

78

> 2009-09-25T18:17:41+00:00 talk teamspeak2: 28-07-09 18:49:39,ALL,Info...

79

>

80

> You see the difference?

81

> syslog-ng 2.x: "iso-time hostname *log_prefix* message"

82

> syslog-ng 3.x: "iso-time hostname message"

83

> Where is program_override?

84

>

85

> v2/v3 config-files are now not absolutely the same but even when

86

> I made them identical (removed fifo_size, fetch_limit, flags, etc)

87

> I still had this problem. And I observed this strange behavior

88

> not only with this particular file() source, but with all file()

89

> sources. So what could be the reason?

90

>

91

> Jarry

92

>

93

> --

94

> _______________________________________________________________

95

> This mailbox accepts e-mails only from selected mailing-lists!

96

> Everything else is considered to be spam and therefore deleted.

----------------------------------------------------------------

101

This message was sent using IMP, the Internet Messaging Program.

Gentoo Archives: gentoo-user

Replies

1	Hi Jarry,
2	thanks for the detailed info. I have discussed the issue with my
3	colleagues, and it seems that the error is on our side: there was a
4	performance-related change in the program-override option in 3.0.4,
5	which broke the function.
6
7	So you can either downgrade to an older version (3.0.3 should work),
8	or if you want to stick to 3.0.4, you can try to add a rewrite rule to
9	set the PROGRAM field to teamspeak (which may or may not work in this
10	case, since the program field seems to be empty in the message -
11	sorry, I haven't had the time to test it).
12
13	Alternatively, you can create a template for this destination and
14	rebuild the message from macros and add a default value for program
15	($ISODATE $HOST ${PROGRAM:-teamspeak2} $MESSAGE)
16
17	I hope one of these will work for you.
18
19	Regards,
20
21	Robert
22
23
24	Quoting Jarry <mr.jarry@×××××.com>:
25
26	> Fekete Robert wrote:
27	>> You are right, the program-override option is missing from the
28	>> documentation of the file source, but it should work anyway.
29	>> We did a quick test and it was working on our Ubuntu machines (tested
30	>> with syslog-ng 3.02a), both on kernel messages and also on custom
31	>> files containing log messages.
32	>
33	> Well, I'm not sure where is the problem. I'm using syslog-ng-3.0.4
34	> (the last stable version in portage). This is relevant part of my
35	> "new" /etc/syslog-ng.conf:
36	> ====================
37	> options { chain_hostnames(no);
38	> stats_freq(3600);
39	> ts_format(iso);
40	> flush_lines(1);
41	> log_fifo_size(250); };
42	>
43	> source s_teamspeak { file("/var/log/teamspeak2-server/server.log"
44	> flags(store-legacy-msghdr)
45	> program_override("teamspeak: ")
46	> log_fetch_limit(100)
47	> flags(no-parse)); };
48	>
49	> destination d_teamspeak { file("/var/log/ts2.log"); };
50	> log { source(s_teamspeak); destination(d_teamspeak); };
51	> ==========================
52	>
53	> One line in source (/var/log/teamspeak-server/server.log):
54	> 04-11-09 16:52:54,ALL,Info... (etc)
55	>
56	> Corresponding line in /var/log/ts2.log (that program_override()
57	> is simply missing):
58	> 2009-11-04T16:52:54+00:00 talk 04-11-09 16:52:54,ALL,Info...
59	>
60	> For comparison, the same part of my syslog-ng v2.x config:
61	> ==========================
62	> options { chain_hostnames(off);
63	> sync(0);
64	> stats(43200);
65	> ts_format(iso); };
66	>
67	> source s_teamspeak2 { file("/var/log/teamspeak2-server/server.log"
68	> log_prefix("teamspeak2: ")
69	> follow_freq(1)
70	> flags(no-parse)); };
71	>
72	> destination d_teamspeak { file("/var/log/ts2.log"); };
73	> log { source(s_teamspeak); destination(d_teamspeak); };
74	> ===========================
75	>
76	> And this is what I got in ts2.log with syslog-ng v2.x:
77	>
78	> 2009-09-25T18:17:41+00:00 talk teamspeak2: 28-07-09 18:49:39,ALL,Info...
79	>
80	> You see the difference?
81	> syslog-ng 2.x: "iso-time hostname log_prefix message"
82	> syslog-ng 3.x: "iso-time hostname message"
83	> Where is program_override?
84	>
85	> v2/v3 config-files are now not absolutely the same but even when
86	> I made them identical (removed fifo_size, fetch_limit, flags, etc)
87	> I still had this problem. And I observed this strange behavior
88	> not only with this particular file() source, but with all file()
89	> sources. So what could be the reason?
90	>
91	> Jarry
92	>
93	> --
94	> _______________________________________________________________
95	> This mailbox accepts e-mails only from selected mailing-lists!
96	> Everything else is considered to be spam and therefore deleted.
97
98
99
100	----------------------------------------------------------------
101	This message was sent using IMP, the Internet Messaging Program.