This is the scenario: I have a server that's listening on port 6514 on TCP for logs. I created the .key .crt files on the server as described here: https://www.logzilla.net/2014/10/17/configuring-tls-tunnels-in-syslog-ng.html : [root@server1 ~]$ openssl genrsa -des3 -out logserver.key 2048 Generating RSA private key, 2048 bit long modulus .................................................+++ .+++ e is 65537 (0x10001) Enter pass phrase for logserver.key: Verifying - Enter pass phrase for logserver.key: [root@server1 ~]$ openssl req -new -key logserver.key -out logserver.csr Enter pass phrase for logserver.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]: State or Province Name (full name) []: Locality Name (eg, city) [Default City]: Organization Name (eg, company) [Default Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []: Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@server1 ~]$ cp logserver.key logserver.key.org [root@server1 ~]$ openssl rsa -in logserver.key.org -out logserver.key Enter pass phrase for logserver.key.org: writing RSA key [root@server1 ~]$ openssl x509 -req -days 365 -in logserver.csr -signkey logserver.key -out logserver.crt Signature ok subject=/C=XX/L=Default City/O=Default Company Ltd Getting Private key and placed the settings in a created file named tls.conf in the /etc/syslog-ng/conf.d I followed the next instructions. Connect to the Client and mkdir -p /etc/syslog-ng/ssl. Download/Upload the /etc/syslog-ng/ssl/logserver.crt (which was created earlier on the Server) to the Client system and put the file in /etc/syslog-ng/ssl on the Client. Find the hash for your key by running openssl x509 -noout -hash -in /etc/syslog-ng/ssl/logserver.crt Next, create a symbolic link to the certificate that uses the hash returned by the previous command, with an added .0 suffix. ln -s /etc/syslog-ng/ssl/logserver.crt /etc/syslog-ng/ssl/84d92a45.0 As soon as I add the client-to-server.conf under /etc/syslog-ng/conf.d/client-to-server.conf that has the following @version:3.14 @define allow-config-dups 1 @include "scl.conf" destination d_tls { tcp("192.168.1.7" port(6514) tls( ca_dir("/etc/syslog-ng/ssl/")) ); }; log { source(s_sys); destination(d_tls); }; the syslog-ng service won't start on the client. systemctl restart syslog-ng.service Job for syslog-ng.service failed because the control process exited with error code. See "systemctl status syslog-ng.service" and "journalctl -xe" for details. [root@localhost conf.d]# systemctl status syslog-ng.service -l ● syslog-ng.service - System Logger Daemon Loaded: loaded (/usr/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled) Active: failed (Result: start-limit) since Thu 2018-06-07 22:50:30 EEST; 7min ago Docs: man:syslog-ng(8) Process: 18196 ExecStart=/usr/sbin/syslog-ng -F $SYSLOGNG_OPTS -p /var/run/syslogd.pid (code=exited, status=2) Main PID: 18196 (code=exited, status=2) Status: "Starting up... (Thu Jun 7 22:50:30 2018" Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT Jun 07 22:50:30 localhost.localdomain systemd: Failed to start System Logger Daemon. Jun 07 22:50:30 localhost.localdomain systemd: Unit syslog-ng.service entered failed state. Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service failed. Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service holdoff time over, scheduling restart. Jun 07 22:50:30 localhost.localdomain systemd: start request repeated too quickly for syslog-ng.service Jun 07 22:50:30 localhost.localdomain systemd: Failed to start System Logger Daemon. Jun 07 22:50:30 localhost.localdomain systemd: Unit syslog-ng.service entered failed state. Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service failed. [root@localhost conf.d]# journalctl -xe -- Subject: Unit syslog-ng.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit syslog-ng.service has begun starting up. Jun 07 22:50:30 localhost.localdomain syslog-ng: [2018-06-07T22:50:30.022361] Error setting up TLS session context; tls_error='(null):(null):(null)' Jun 07 22:50:30 localhost.localdomain syslog-ng: [2018-06-07T22:50:30.022410] Error initializing message pipeline; plugin name='tcp', location='/etc/syslog-ng/conf.d/client-to-server.conf:5:7' Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT Jun 07 22:50:30 localhost.localdomain systemd: Failed to start System Logger Daemon. -- Subject: Unit syslog-ng.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit syslog-ng.service has failed. -- -- The result is failed. Jun 07 22:50:30 localhost.localdomain systemd: Unit syslog-ng.service entered failed state. Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service failed. Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service holdoff time over, scheduling restart. Jun 07 22:50:30 localhost.localdomain systemd: Starting System Logger Daemon... -- Subject: Unit syslog-ng.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit syslog-ng.service has begun starting up. Jun 07 22:50:30 localhost.localdomain syslog-ng: [2018-06-07T22:50:30.281966] Error setting up TLS session context; tls_error='(null):(null):(null)' Jun 07 22:50:30 localhost.localdomain syslog-ng: [2018-06-07T22:50:30.282017] Error initializing message pipeline; plugin name='tcp', location='/etc/syslog-ng/conf.d/client-to-server.conf:5:7' Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT Jun 07 22:50:30 localhost.localdomain systemd: Failed to start System Logger Daemon. -- Subject: Unit syslog-ng.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit syslog-ng.service has failed. -- -- The result is failed. Jun 07 22:50:30 localhost.localdomain systemd: Unit syslog-ng.service entered failed state. Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service failed. Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service holdoff time over, scheduling restart. Jun 07 22:50:30 localhost.localdomain systemd: Starting System Logger Daemon... -- Subject: Unit syslog-ng.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit syslog-ng.service has begun starting up. Jun 07 22:50:30 localhost.localdomain syslog-ng: [2018-06-07T22:50:30.522580] Error setting up TLS session context; tls_error='(null):(null):(null)' Jun 07 22:50:30 localhost.localdomain syslog-ng: [2018-06-07T22:50:30.522870] Error initializing message pipeline; plugin name='tcp', location='/etc/syslog-ng/conf.d/client-to-server.conf:5:7' Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT Jun 07 22:50:30 localhost.localdomain systemd: Failed to start System Logger Daemon. -- Subject: Unit syslog-ng.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit syslog-ng.service has failed. -- -- The result is failed. Jun 07 22:50:30 localhost.localdomain systemd: Unit syslog-ng.service entered failed state. Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service failed. Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service holdoff time over, scheduling restart. Jun 07 22:50:30 localhost.localdomain systemd: start request repeated too quickly for syslog-ng.service Jun 07 22:50:30 localhost.localdomain systemd: Failed to start System Logger Daemon. -- Subject: Unit syslog-ng.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit syslog-ng.service has failed. -- -- The result is failed. Jun 07 22:50:30 localhost.localdomain systemd: Unit syslog-ng.service entered failed state. Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service failed. What am I doing wrong?

I have OpenSSL installed from source and linked the GLIB_LIBS and GLIB_CFLAGS to the correct directories during configure and configured with-SSL When I try to start syslog-ng (Version 3.6.4) on Ubuntu Server 14.04, I get the following errors: [2017-04-20T12:39:18.252222] Error opening plugin module; module='afsocket', error='/linux1/lib/syslog-ng/libsyslog-ng-crypto.so: undefined symbol: SSL_library_init' [2017-04-20T12:39:18.253205] Error opening plugin module; module='dbparser', error='/linux1/lib/syslog-ng/libsyslog-ng-crypto.so: undefined symbol: SSL_library_init' [2017-04-20T12:39:18.255387] Error opening plugin module; module='afsocket-tls', error='/linux1/lib/syslog-ng/libsyslog-ng-crypto.so: undefined symbol: SSL_library_init' [2017-04-20T12:39:18.256429] Error opening plugin module; module='cryptofuncs', error='/linux1/lib/syslog-ng/libsyslog-ng-crypto.so: undefined symbol: SSL_library_init' [2017-04-20T12:39:18.256964] Error opening plugin module; module='syslog-ng-crypto', error='/linux1/lib/syslog-ng/libsyslog-ng-crypto.so: undefined symbol: SSL_library_init'

new to syslog-ng but been working on this issue for a few days and have nowhere to go. logs aren't really pointing me anywhere anymore that I can tell. I'm running syslog-ng as a container in an openshift cluster to process networking logs. cisco doesn't send in rfc format and it causes issues in loki because it needs logs in a standard format to process. I never see any cisco macros. originally when my source was just the default-network-drivers I wasn't getting any cisco pairs but I was getting pairs from the syslog parser. I added no-parse and have tried a few different sources like network and udp. Now that I have added no-parse and explicitly call the cisco parser, any destination under the parser in the log statement never gets created. In the debug I see the cisco parser doing its thing on the log messages it gets all the way to the [parser](https://github.com/syslog-ng/syslog-ng/blob/develop/scl/cisco/plugin.conf) line 141 which is the last parser. there is no error in the debug after that the message just never ends up in any destination file after the parser. The file destinations above the parser work just fine and I changed the cisco parser to a csv parser just to see and after that the destination files after the parser did populate. I see logs in debug where it is setting the values but they are not available to the template

Apr 23 17:57:04 syslogng-984b5f8df-xrm8z syslog-ng: Setting value; name='.cisco.facility', value='LICMGR', type='string', msg='0x7f5c20009510', rcptid='0'
Apr 23 17:57:04 syslogng-984b5f8df-xrm8z syslog-ng: Setting value; name='.cisco.severity', value='3', type='string', msg='0x7f5c20009510', rcptid='0'

So Im lost at this point and asking for help ``` @version: 4.8 @include "scl.conf" source s_local { internal(); }; options { log-level(trace); }; # source s_network { # default-network-drivers( # flags(no-parse,store-raw-message) #store-raw-message # udp-port(1514) # tcp-port(1514) # rfc5424-tcp-port(1601) # ); #}; source s_network { network( port(1514) transport("udp") flags(no-parse) ); }; # source s_network { # udp( # flags(no-parse) # port(1514) # ); # }; destination d_raw { file("/var/log/syslog-ng/raw"); }; destination d_allmacros { file("/var/log/syslog-ng/${HOST}.log" template("Full Dump:\n$MSG\n$(format-json --scope everything)\n\n----\n") create-dirs(yes)); }; destination d_internal { file("/var/log/syslog-ng/syslog-system"); }; destination d_parsed { file("/var/log/syslog-ng/networkparsed" template("${ISODATE} ${HOST} ${MSGHDR} ${MSG}")); }; destination d_ciscoparser { file("/var/log/syslog-ng/ciscoparsed"); #file("/var/log/syslog-ng/ciscoparsed" # template("$(format-json --scope nv-pairs)\n----\n")); }; destination d_loki { syslog("loki.test.local" transport("tcp") port("5140") ); }; log { source(s_local); destination(d_internal); destination{stdout();}; }; log { source(s_network); #destination(d_loki); #destination(d_parsed); destination(d_raw); parser { cisco-parser();}; destination(d_allmacros); destination(d_ciscoparser); };

I would like to send logs of each application to a remote collector with syslog-ng. If I have Apache, I'd like my Apache logs to be sent to my remote collector in the file /var/log/apache.log. I couldn't find anything about this. I know it's possible with rsyslog but the only thing I'm able to do here is to send all the logs together with: destination remote { network("" transport("udp") port(514)); };

We have a system in place where we have a bunch of f5 devices sending logs to syslog-ng. We have syslog-ng configured to go to: /path/to/directory/$HOST. This is causing a problem because since /local is in the hostname field it tries to send it to: /path/to/directory/local/ or /path/to/directory/slot1/. Since we do not want to create directories the error is: Directory does not exist. I have tried a syslog-ng rewrite rule to subsitute the /local and /slot1 in the hostnames to local- and slot- but it does not seem to be working. Here is the rewrite rule:

rewrite r_f5{
        subst("slot1/", "slot1-", value("HOST"), flags("global"), flags("ignore-case"));
        subst("slot1/", "slot1-", value("MESSAGE"), flags("global"), flags("ignore-case"));     
        subst("local/", "local-", value("HOST"), flags("global"), flags("ignore-case"));
        subst("local/", "local-", value("MESSAGE"), flags("global"), flags("ignore-case"));
};

Please note that the Message rules were due to the Host rules not working. Here is the logging rule: log { source(s_network_f5); rewrite(r_f5); destination(d_network_f5);}; Is there something I am doing wrong with the rewrite rule?

I noticed that the default datetime format for logs in /var/log/messages is mmm [d]d hh:mm:ss, for example:

Jan  4 03:46:50 1.2.3.4 ntpclient: Failed resolving address to hostname pool.ntp.org: Try again
Jan  4 03:46:50 1.2.3.4 ntpclient: Failed resolving server pool.ntp.org: Network is down
Jan  4 03:46:50 1.2.3.4 process_monitor: cyclic NTP Update failed (servers pool.ntp.org)

I found a post here that describes updating the rsyslog.conf file, and although I made that change, it is only for syslog/rsyslog, not syslog-ng, so it makes no difference. I looked for the equivalent configuration setting in the syslog-ng.conf file, but I can't find where to set it. I can't see anything in any @included configuration files either.

grep -Ei 'time|format|date' /etc/syslog-ng/syslog-ng.conf

and

grep -Eir 'time|format|date' /etc/syslog-ng/*.conf

both return nothing.

I am running syslog-ng on debian. **How do I check which conf file was loaded upon startup?** Neither

systemctl status syslog-ng

nor

systemctl show syslog-ng

tell me.

I am doing a project where the organisation uses syslog-ng for the central remote logging servers and this will surely not change. The application suite that I am developing on, is using Red Hat Enterprise Linux 8, which will surely also not change. From my understanding, RHEL 8 ships standard with rsyslog and if I want to use syslog-ng, it is necessary to install it from either the EPEL repositories or the "suplementary" repository. However, I am working on private internal network without internet access and the internal RHEL update server does not provide these repositories. So my main question is how do I get my application logs on RHEL 8 to the remote syslog-ng server? I suppose my options are as follows: 1. try to somehow get syslog-ng installed internally on my client (cumbersome option) 2. perhaps rsyslog is already compatible with syslog-ng, so I can simply log there? (wishful option) 3. convert rsyslog logs to syslog-ng before pushing it to the the log server (undesirable option) Could you guys please provide some advice? Thanks in advance!

We have following remote logging configuration: destination d_jenkins { network("x.x.x.x" transport("udp") port(514) template(t_jenkins)); }; log { source(s_system); destination(d_jenkins); }; This is a syslog-ng server to syslog-ng client communication. Occasionally we are getting following errors. Seems like EINVAL (22) is coming from write() call. 2016-10-19T15:12:39.393+00:00 axis-accc8e59xxxx [ ERR ] syslog-ng: I/O error occurred while writing; fd='28', error='Invalid argument (22)' 2016-10-19T15:12:39.394+00:00 axis-accc8e59xxxx [ NOTICE ] syslog-ng: Syslog connection broken; fd='28', server='AF_INET(172.27.0.34:514)', time_reopen=’60' - Is it that network is problematic or am I missing some configuration? - Could it be that syslog-ng server is being HUPed without our knowledge, dropping the connections. - Could using TCP with keep-alive help the problem?

I am new to syslog-ng and was trying to fix the issue of an error which arises due to uniqueness of the persist names in syslog-ng, I see the below error in my syslog > err Error checking the uniqueness of the persist names, please override it with persist-name option. Shutting down.; persist_name='afsocket_dd.(dgram,10.120.21.10:514)', location='/etc/syslog-ng/syslog-ng.conf:81:26' The current syslog-ng.conf is as below, I did a search in google and found we need to add persist-name() in order to make it unique, but with my understanding each if the destination is already unique, with the below syslog-ng.conf, I get the error when the IP address are same, destination d_tempask_1 and destination d_temst_1 have the same IP address. But if I provide a different IP address I don't see the error. Could anybody provide some insight as to how to handle same IP address. > source s_syslogng { > file ("/proc/kmsg" program_override("kernel: ")); > unix-stream ("/run/systemd/journal/syslog" max-connections(200)); }; > > source s_internal { > internal(); }; > > filter f_test1 { message("__test1"); }; > > destination d_test1_1 { udp ( "192.168.202.119" > port(514) template("$DATE local0 infoblox Outbound[]: debug > $MSGONLY\n") template_escape(no) ); }; > > log { source(s_syslogng); filter(f_test1); destination(d_test1_1); }; > > filter f_tempask { message("__tempask"); }; > > destination d_tempask_1 { udp ( "10.120.21.10" > port(514) template("$DATE local0 infoblox Outbound[]: debug > $MSGONLY\n") template_escape(no) ); }; > > log { source(s_syslogng); filter(f_tempask); destination(d_tempask_1); > }; > > filter f_temst { message("__temst"); }; > > destination d_temst_1 { udp ( "10.120.21.10" > port(514) template("$DATE local0 infoblox Outbound[]: debug > $MSGONLY\n") template_escape(no) ); }; > > log { source(s_syslogng); filter(f_temst); destination(d_temst_1); }; > > filter f_dir { message("__dir"); }; > > destination d_dir_1 { udp ( "10.35.183.11" > port(514) template("$DATE local0 infoblox Outbound[]: debug > $MSGONLY\n") template_escape(no) ); }; > > log { source(s_syslogng); filter(f_dir); destination(d_dir_1); }; tried with persist-name(), but even that still throws the error even if IP address is different or same syslog-ng.conf with persist-name() > source s_syslogng { > file ("/proc/kmsg" program_override("kernel: ")); > unix-stream ("/run/systemd/journal/syslog" max-connections(200)); }; > > source s_internal { > internal(); }; > > filter f_test1 { > message("__test1"); }; > > destination d_test1_1 { persist-name(test1_1) udp ( "192.168.202.119" > port(514) template("$DATE local0 infoblox Outbound[]: debug > $MSGONLY\n") template_escape(no) ); }; > > log { source(s_syslogng); filter(f_test1); destination(d_test1_1); }; > > filter f_tempask { message("__tempask"); }; > > destination d_tempask_1 { persist-name(tempask_1) udp ( "10.120.21.11" > port(514) template("$DATE local0 infoblox Outbound[]: debug > $MSGONLY\n") template_escape(no) ); }; > > log { source(s_syslogng); filter(f_tempask); destination(d_tempask_1); > }; > > filter f_temst { message("__temst"); }; > > destination d_temst_1 { persist-name(temst_1) udp ( "10.120.21.10" > port(514) template("$DATE local0 infoblox Outbound[]: debug > $MSGONLY\n") template_escape(no) ); }; > > log { source(s_syslogng); filter(f_temst); destination(d_temst_1); }; > > filter f_dir { message("__dir"); }; > > destination d_dir_1 { persist-name(dir_1) udp ( "10.35.183.11" > port(514) template("$DATE local0 infoblox Outbound[]: debug > $MSGONLY\n") template_escape(no) ); }; > > log { source(s_syslogng); filter(f_dir); destination(d_dir_1); }; Any input will be very help full.

I am building an embedded Linux board with Buildroot ([user manual here](https://buildroot.org/downloads/manual/manual.html)) . I have syslog-ng running on the board. It's config file is specified in buildroot here: https://github.com/buildroot/buildroot/blob/master/package/syslog-ng/syslog-ng.conf :

@version: 3.37

source s_sys {
    file("/proc/kmsg" program_override("kernel"));
    unix-stream ("/dev/log");
    internal();
};

destination d_all {
    file("/var/log/messages");
};

log {
    source(s_sys);
    destination(d_all);
};

Notice it specifies the destination as "/var/log/messages", yet active logging on the board is going into a file named /var/log/messages.1, and the /var/log/messages file doesn't even exist. Why is that? Is there a way to get logging into the /var/log/messages file instead? Syslog, which we used to use, logs into /var/log/messages, and we are trying to keep that behavior for consistency. ## Additional notes 1. ls -1 /var/log on a board running syslog contains these messages files:

messages
    messages.1
    messages.2
    messages.2.gz
    messages.3
    messages.4
    messages.5
    messages.6
    messages.7

1. ls -1 /var/log on a board running syslog-ng contains these messages files (notice messages is missing):

messages.1
    messages.2
    messages.3
    messages.4
    messages.5
    messages.6
    messages.7

1. On the syslog-ng board, tail -f /var/log/messages.1 shows it is continually receiving logged messages, which is unexpected, since when using syslog the "active" file is /var/log/messages instead.

I am new to syslog-ng, and want to test writing to a syslog from an external device. The external device shows that it is "connected" to my syslog on port 516. However, on my CentOS7 host nothing is being written to the log file (and now errors in /var/log/messages). I tried telneting to localhost:516 and dumping in some text (as a test) but nothing is logged anywhere. netstat confirms syslog is listening on tcp 516. My config is below: source s_test { system() internal() syslog(ip(0.0.0.0) port(516) transport("tcp")); }; destination d_test { file("/var/log/test"); }; log { source(s_test); destination(d_test); }; Is there an error in my config?

I have a freshly installed version on CentOS 7 once which I have installed syslog-ng from the EPEL repositories. ~: yum list | grep syslog syslog-ng.x86_64 3.5.6-1.el7 @epel When I try to start it via systemctl, it fails as follows : /usr/lib/systemd/system: systemctl start syslog-ng Job for syslog-ng.service failed. See 'systemctl status syslog-ng.service' and 'journalctl -xn' for details. When looking into the journals, we can see that their is a dependency on the socket which "starts" fine but that the process returns an error about the arguments being incorrect as shown below : May 07 17:26:15 superserver.company.corp systemd: Starting Syslog Socket. May 07 17:26:15 superserver.company.corp systemd: Listening on Syslog Socket. May 07 17:26:15 superserver.company.corp systemd: Starting System Logger Daemon... May 07 17:26:15 superserver.company.corp systemd: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT May 07 17:26:15 superserver.company.corp systemd: Failed to start System Logger Daemon. May 07 17:26:15 superserver.company.corp systemd: Unit syslog-ng.service entered failed state. May 07 17:26:15 superserver.company.corp systemd: syslog-ng.service holdoff time over, scheduling restart. May 07 17:26:15 superserver.company.corp systemd: Stopping System Logger Daemon... May 07 17:26:15 superserver.company.corp systemd: Starting System Logger Daemon... May 07 17:26:15 superserver.company.corp systemd: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT If we look into the service configuration file, we can confirm the dependency on the socket and the command that is used to start the service. [Service] Type=notify Sockets=syslog.socket ExecStart=/usr/sbin/syslog-ng -F -p /var/run/syslogd.pid The problem is that if I run the above-mentionned command, it starts up just fine and it works as expected. My question is : what is difference between me running the program startup command and systemd starting up the same program ? What can I do to find out what is actually wrong with it ? ---------- **Edit 1** I enabled the debug output as suggested by Raymond in the answers and the output doesn't teach us much more. May 08 10:31:29 server.corp systemd: Starting System Logger Daemon... May 08 10:31:29 server.corp systemd: About to execute: /usr/sbin/syslog-ng -F -p /var/run/syslogd.pid May 08 10:31:29 server.corp systemd: Forked /usr/sbin/syslog-ng as 3121 May 08 10:31:29 server.corp systemd: syslog-ng.service changed dead -> start May 08 10:31:29 server.corp systemd: Set up jobs progress timerfd. May 08 10:31:29 server.corp systemd: Set up idle_pipe watch. May 08 10:31:29 server.corp systemd: Executing: /usr/sbin/syslog-ng -F -p /var/run/syslogd.pid May 08 10:31:29 server.corp systemd: Got notification message for unit syslog-ng.service May 08 10:31:29 server.corp systemd: syslog-ng.service: Got message May 08 10:31:29 server.corp systemd: syslog-ng.service: got STATUS=Starting up... (Fri May 8 10:31:29 2015 May 08 10:31:29 server.corp systemd: Got notification message for unit syslog-ng.service May 08 10:31:29 server.corp systemd: syslog-ng.service: Got message May 08 10:31:29 server.corp systemd: syslog-ng.service: got STATUS=Starting up... (Fri May 8 10:31:29 2015 May 08 10:31:29 server.corp systemd: Received SIGCHLD from PID 3121 (syslog-ng). May 08 10:31:29 server.corp systemd: Child 3121 (syslog-ng) died (code=exited, status=2/INVALIDARGUMENT) May 08 10:31:29 server.corp systemd: Child 3121 belongs to syslog-ng.service May 08 10:31:29 server.corp systemd: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT May 08 10:31:29 server.corp systemd: syslog-ng.service changed start -> failed May 08 10:31:29 server.corp systemd: Job syslog-ng.service/start finished, result=failed May 08 10:31:29 server.corp systemd: Failed to start System Logger Daemon. There are a few warnings that are displayed at the start of the syslog-ng processes (nothing that keeps it from starting properly) so I redirected all output to /dev/null but the end result is the same. Also, as a side note, my entire system does not boot anymore if systemd is unable to syslog. This can be disabled with kernel options to log to kmesg.

I have an Ubuntu server with sftpd running where /var/data/chroot/ is an NFS mount from a remote central NFS server, and each sftpd user's chroot home is /var/data/chroot// and every user has a log device /var/data/chroot//dev/log which I read in successfully with syslog-ng:

source s_chroot_    { unix-stream("/var/data/chroot//dev/log" optional(yes) ); };
destination d_sftp_ { file("/var/log/sftp/.log"); };

Now I have a second sftpd server in parallel, with the same user database and also mounts /var/data/chroot/ via NFS, and has the same syslog-ng config, so every user can login on the one server or on the other. This is for high availability. This works so far. What is not working now is the sftpd logging: The sftp user's log is only available on _one_ sftp server exclusively, and that is the one where syslog-ng was started least, because as I understand it takes the exclusive unix socket file lock for each user's /dev/log. So, if a user logs in on the first server, where syslog-ng was started least, the user's sftp activity is logged on the first server. But if the user logs in on the second server, it's sftp activity is not logged, neither on the second nor on the first server. If the syslog-ng is then restarted on the second server, the sftp user's activity is exclusively logged only on the second server and only for logins on the second server. How can I get the sftp user's activity be logged on each sftp server, when a user logs in to that server, while the user's home is shared on both servers via NFS?

I'm trying to configure syslog-ng in an embedded distro. I added the syslog-ng package. I was expecting the /var/log/ files to include their log severity / log level, but it isn't to. Any way to configure syslog-ng to add the severity to each line? Thank you and Regards

I have *stunnel* v5.44 (Ubuntu 18.04 v3:5.44-1ubuntu3) configured on a client to connect to a server in a screened subnet. The remote host has syslog configured to listen for logfiles over the *stunnel* connection. The client, of course, is configured to forward it's logs to the server over *stunnel*. This setup has worked great for years, but sometime last year (or year before? *gawd* 2020...), during OS upgrades (Ubuntu 16.04 and 18.04), something changed where stunnel is now spamming the logfiles with **hundreds** of error messages **per second** whenever the remote syslog server is rebooted or unavailable. ... Jan 20 04:20:31 nwhost stunnel: LOG5: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket Jan 20 04:20:31 nwhost stunnel: LOG5: Service [syslog_tunnel] accepted connection from 127.0.0.1:52970 Jan 20 04:20:31 nwhost stunnel: LOG3: s_connect: connect 172.22.15.23:51400: Connection refused (111) Jan 20 04:20:31 nwhost stunnel: LOG3: No more addresses to connect Jan 20 04:20:31 nwhost stunnel: LOG5: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket Jan 20 04:20:31 nwhost stunnel: LOG5: Service [syslog_tunnel] accepted connection from 127.0.0.1:52974 Jan 20 04:20:31 nwhost stunnel: LOG3: s_connect: connect 172.22.15.23:51400: Connection refused (111) Jan 20 04:20:31 nwhost stunnel: LOG3: No more addresses to connect ... In my clientside /etc/stunnel/remote_log.conf I have this, but the errors keep filling up the logs: client = yes cert = /etc/stunnel/shared/stunnel.pem pid = /var/run/stunnel4/syslog_stunnel.pid syslog = no output = /var/log/stunnel4/stunnel.log [syslog_tunnel] accept = 127.0.0.1:5140 connect = 172.22.15.23:51400 I thought syslog = no would disable logging (man page) but it doesn't. Anyone know of a config that works or something to disable the spammy logging altogether?

we would like to understand copytruncate before rotating the file using logrotate with below configuration: /app/syslog-ng/custom/output/all_devices.log { size 200M copytruncate dateext dateformat -%Y%m%d-%s rotate 365 sharedscripts compress postrotate /app/syslog-ng/sbin/syslog-ng-ctl reload endscript } RHEL 7.x, 8GB RAM, 4 VCpu Question: How does logrotate truncate the file, when syslog-NG already opened file for logging? Is it not the contention of resource? Does syslog-NG close the file immediately, when it has nothing to log?

I wanted to switch logging from rsyslog to syslog-ng, but after configuration and startup, it faield to start up. This is the log file I am getting, but I cant find any clues there what is wrong: rrr-hp:~# systemctl status syslog-ng.service ● syslog-ng.service - System Logger Daemon Loaded: loaded (/lib/systemd/system/syslog-ng.service; disabled; vendor preset: disabled) Active: failed (Result: exit-code) since Mon 2021-03-22 12:51:35 CET; 4min 52s ago Docs: man:syslog-ng(8) Process: 448232 ExecStart=/usr/sbin/syslog-ng -F $SYSLOGNG_OPTS (code=exited, status=1/FAILURE) Main PID: 448232 (code=exited, status=1/FAILURE) Status: "Starting up... (Mon Mar 22 12:51:35 2021" Mar 22 12:51:35 rrr-hp systemd: syslog-ng.service: Scheduled restart job, restart counter is at 5. Mar 22 12:51:35 rrr-hp systemd: Stopped System Logger Daemon. Mar 22 12:51:35 rrr-hp systemd: syslog-ng.service: Start request repeated too quickly. Mar 22 12:51:35 rrr-hp systemd: syslog-ng.service: Failed with result 'exit-code'. Mar 22 12:51:35 rrr-hp systemd: Failed to start System Logger Daemon. rrr-hp:~# There is also journalctl -xe output, but that is not any clearer for me: rrr-hp:~# journalctl -xe Mar 22 12:41:37 rrr-hp syslog-ng: contact: https://lists.balabit.hu/mailman/listinfo/syslog-ng Mar 22 12:41:37 rrr-hp systemd: syslog-ng.service: Main process exited, code=exited, status=1/FAILURE ░░ Subject: Unit process exited ░░ Defined-By: systemd ░░ Support: https://www.debian.org/support ░░ ░░ An ExecStart= process belonging to unit syslog-ng.service has exited. ░░ ░░ The process' exit code is 'exited' and its exit status is 1. Mar 22 12:41:37 rrr-hp systemd: syslog-ng.service: Failed with result 'exit-code'. ░░ Subject: Unit failed ░░ Defined-By: systemd ░░ Support: https://www.debian.org/support ░░ ░░ The unit syslog-ng.service has entered the 'failed' state with result 'exit-code'. Mar 22 12:41:37 rrr-hp systemd: Failed to start System Logger Daemon. ░░ Subject: A start job for unit syslog-ng.service has failed ░░ Defined-By: systemd ░░ Support: https://www.debian.org/support ░░ ░░ A start job for unit syslog-ng.service has finished with a failure. ░░ ░░ The job identifier is 7765 and the job result is failed. Mar 22 12:41:38 rrr-hp systemd: syslog-ng.service: Scheduled restart job, restart counter is at 5. ░░ Subject: Automatic restarting of a unit has been scheduled ░░ Defined-By: systemd ░░ Support: https://www.debian.org/support ░░ ░░ Automatic restarting of the unit syslog-ng.service has been scheduled, as the result for ░░ the configured Restart= setting for the unit. Mar 22 12:41:38 rrr-hp systemd: Stopped System Logger Daemon. ░░ Subject: A stop job for unit syslog-ng.service has finished ░░ Defined-By: systemd ░░ Support: https://www.debian.org/support ░░ ░░ A stop job for unit syslog-ng.service has finished. ░░ ░░ The job identifier is 7865 and the job result is done. Mar 22 12:41:38 rrr-hp systemd: syslog-ng.service: Start request repeated too quickly. Mar 22 12:41:38 rrr-hp systemd: syslog-ng.service: Failed with result 'exit-code'. ░░ Subject: Unit failed ░░ Defined-By: systemd ░░ Support: https://www.debian.org/support ░░ ░░ The unit syslog-ng.service has entered the 'failed' state with result 'exit-code'. Mar 22 12:41:38 rrr-hp systemd: Failed to start System Logger Daemon. ░░ Subject: A start job for unit syslog-ng.service has failed ░░ Defined-By: systemd ░░ Support: https://www.debian.org/support ░░ ░░ A start job for unit syslog-ng.service has finished with a failure. ░░ ░░ The job identifier is 7865 and the job result is failed. rrr-hp:~# I have been trying to switch between unix-dgram / unix-socket / unix-stream based on: https://unix.stackexchange.com/questions/202044/syslog-ng-service-not-starting-with-systemd-but-command-works-fine but neither of them worked. My linux version is: rrr-hp:~# cat /etc/debian_version kali-rolling rrr-hp:~# Could anybody give me hints, what can be wrong, or where to search for more clues?

Does the syslog-ng has its own rotating mechanism? I am new to auditing and linux and I though I could use logrotate but I noticed that I need to restart the syslog-ng daemon every time when I use it to rotate the logs. Having said that, I think that syslog-ng must have some sort of internal mechanism to achieve the same goal and if it does not what are my other options. Maybe using macros and creating folders for each ${HOUR}${DAY} etc? Thank's in advance.

centos 7(x64),syslog-ng v 3.5 Below is my syslog-ng.cfg @version:3.5 @include "scl.conf" options { flush_lines (0); time_reopen (10); log_fifo_size (1000); chain_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); }; source s_sys { system(); internal(); udp(ip(0.0.0.0) port(514)); tcp(ip(0.0.0.0) port(514)); }; destination d_cons { file("/dev/console"); }; destination d_mesg { file("/var/log/messages"); }; destination d_auth { file("/var/log/secure"); }; destination d_mail { file("/var/log/maillog" flush_lines(10)); }; destination d_spol { file("/var/log/spooler"); }; destination d_boot { file("/var/log/boot.log"); }; destination d_cron { file("/var/log/cron"); }; destination d_kern { file("/var/log/kern"); }; destination d_mlal { usertty("*"); }; filter f_kernel { facility(kern); }; filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); }; filter f_auth { facility(authpriv); }; filter f_mail { facility(mail); }; filter f_emergency { level(emerg); }; filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); }; filter f_boot { facility(local7); }; filter f_cron { facility(cron); }; log { source(s_sys); filter(f_kernel); destination(d_kern); }; log { source(s_sys); filter(f_default); destination(d_mesg); }; log { source(s_sys); filter(f_auth); destination(d_auth); }; log { source(s_sys); filter(f_mail); destination(d_mail); }; log { source(s_sys); filter(f_emergency); destination(d_mlal); }; log { source(s_sys); filter(f_news); destination(d_spol); }; log { source(s_sys); filter(f_boot); destination(d_boot); }; log { source(s_sys); filter(f_cron); destination(d_cron); }; @include "/etc/syslog-ng/conf.d/*.conf" # Custom lines added below source s_external { udp(ip(102.94.26.26) port(514)); #unix-dgram("/dev/log"); }; destination d_ext { file("/var/log/$HOST-$YEAR$MONTH$DAY.log" owner(root) group(root) perm(0644) create_dirs(yes)); }; log { source(s_external); destination(d_ext); }; #Error #systemctl restart syslog-ng # journalctl -xe -- Unit syslog-ng.service has failed. -- -- The result is failed. Aug 19 16:44:49 localhost.localdomain systemd: Unit syslog-ng.service entered failed state. Aug 19 16:44:49 localhost.localdomain systemd: syslog-ng.service failed. Aug 19 16:44:49 localhost.localdomain systemd: syslog-ng.service holdoff time over, scheduling restart. Aug 19 16:44:49 localhost.localdomain systemd: start request repeated too quickly for syslog-ng.service Aug 19 16:44:49 localhost.localdomain systemd: Failed to start System Logger Daemon. -- Subject: Unit syslog-ng.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit syslog-ng.service has failed. The client linuxserver(centos 6) which sends log to syslog-ngserver have rsyslogd running with below line added *.* @102.94.26.27:514 #ip of syslog-ng server and port