i’m trying to integrate a SLES 10 server to a syslog server for centralized logging.
I followed the steps in this article: http://www.novell.com/coolsolutions/feature/18044.html
However it doesn’t work. If I “logger user.notice test” i can see the test message in /var/log/messages but no log was send to the loghost. And tcpdump captures no packets.
Then i noticed there are 3 files under /etc/syslog-ng:
-rw-r–r-- 1 root root 6794 Jun 27 2012 syslog-ng.conf
-rw-r–r-- 1 root root 5638 Jun 11 10:43 syslog-ng.conf.SuSEconfig
-rw-r–r-- 1 root root 5656 Jun 11 10:43 syslog-ng.conf.in
Everytime when i change syslog-ng.conf.in and run SuSEconfig, syslog-ng.conf.SuSEconfig is changed accordingly. The syslog-ng.conf doesn’t change at all. I tried to edit syslog-ng.conf directly (although not recommend, i know) and restart syslog-ng by /etc/init.d/syslog restart. Magic happened, it worked.
I feel uncomfortable about it because I made it work by a “forbidden” way. Could anyone explain why the recommended way not work? Any thing i did wrong?
The article was written for SLES 9 and while I see a note in there about
SLES 10 I’ve never noticed this issue before and have always modified the
syslog-ng.conf file directly (perhaps incorrectly, and perhaps only
getting by with some good luck). Could you post the contents of your
/etc/sysconfig/syslog file? I notice in there I have a parameter that
tells suseconfig whether or not it should be controlling the
syslog-ng.conf file and it defaults to ‘Yes’ (meaning it sounds like it
should work the same way as SLES 9). If I run SuSEconfig --module
syslog-ng I do not get any new syslog-ng.conf.SuSEconfig file as you do,
which is another interesting point; my server is OES 2 SP2 which is based
on SLES 10.SP3.
By the way, SLES 11 no longer has this syslog-nt.conf.in file so things
are simpler.
The article was written for SLES 9 and while I see a note in there about
SLES 10 I’ve never noticed this issue before and have always modified the
syslog-ng.conf file directly (perhaps incorrectly, and perhaps only
getting by with some good luck).[/color]
Tut tut!
[color=blue]
Could you post the contents of your
/etc/sysconfig/syslog file? I notice in there I have a parameter that
tells suseconfig whether or not it should be controlling the
syslog-ng.conf file and it defaults to ‘Yes’ (meaning it sounds like it
should work the same way as SLES 9). If I run SuSEconfig --module
syslog-ng I do not get any new syslog-ng.conf.SuSEconfig file as you do,
which is another interesting point; my server is OES 2 SP2 which is based
on SLES 10.SP3.[/color]
Use “grep SYSLOG_NG_CREATE_CONFIG /etc/sysconfig/syslog” to quickly
check whether SuSEconfig will generate syslog-ng.conf from
syslog-ng.conf.in.
[color=blue]
By the way, SLES 11 no longer has this syslog-nt.conf.in file so things
are simpler.[/color]
Indeed.
HTH.
Simon
SUSE Knowledge Partner
Do you work with SUSE technologies at a university, college or school?
If so, your campus could benefit from joining the Technology Transfer
Partner (TTP) program. See TTP Organization | Micro Focus for more details.
i’m trying to integrate a SLES 10 server to a syslog server for
centralized logging.
I followed the steps in this article: http://www.novell.com/coolsolutions/feature/18044.html
However it doesn’t work. If I “logger user.notice test” i can see the
test message in /var/log/messages but no log was send to the loghost.
And tcpdump captures no packets.
Then i noticed there are 3 files under /etc/syslog-ng:
-rw-r–r-- 1 root root 6794 Jun 27 2012 syslog-ng.conf
-rw-r–r-- 1 root root 5638 Jun 11 10:43 syslog-ng.conf.SuSEconfig
-rw-r–r-- 1 root root 5656 Jun 11 10:43 syslog-ng.conf.in
Everytime when i change syslog-ng.conf.in and run SuSEconfig,
syslog-ng.conf.SuSEconfig is changed accordingly. The syslog-ng.conf
doesn’t change at all. I tried to edit syslog-ng.conf directly (although
not recommend, i know) and restart syslog-ng by /etc/init.d/syslog
restart. Magic happened, it worked.
I feel uncomfortable about it because I made it work by a “forbidden”
way. Could anyone explain why the recommended way not work? Any thing i
did wrong?[/color]
When you run “SuSEconfig --module syslog-ng” do you get any errors?
syslog-ng.conf.SuSEconfig can be created if you have modified
syslog-ng.conf rather than syslog-ng.conf.in.
I also think that syslog-ng.conf.SuSEconfig is created from
syslog-ng.conf.in to check syntax, etc. If no errors then syslog-ng.conf
is created (and syslog-ng.conf.SuSEconfig should be removed).
Either way, running “SuSEconfig --module syslog-ng” should reveal the
reason.
HTH.
Simon
SUSE Knowledge Partner
Do you work with SUSE technologies at a university, college or school?
If so, your campus could benefit from joining the Technology Transfer
Partner (TTP) program. See TTP Organization | Micro Focus for more details.
When you run “SuSEconfig --module syslog-ng” do you get any errors?
syslog-ng.conf.SuSEconfig can be created if you have modified
syslog-ng.conf rather than syslog-ng.conf.in.
I also think that syslog-ng.conf.SuSEconfig is created from
syslog-ng.conf.in to check syntax, etc. If no errors then syslog-ng.conf
is created (and syslog-ng.conf.SuSEconfig should be removed).
Either way, running “SuSEconfig --module syslog-ng” should reveal the
reason.
[/color][/QUOTE]
First with /etc/sysconfig/syslog
srv:~ # grep SYSLOG_NG_CREATE_CONFIG /etc/sysconfig/syslog
SYSLOG_NG_CREATE_CONFIG=“yes”
srv:~ #
here is the outcome of “SuSEconfig --module syslog-ng”
[FONT=Courier New]srv:/etc/syslog-ng # SuSEconfig --module syslog-ng
Starting SuSEconfig, the SuSE Configuration Tool…
Running module syslog-ng only
Reading /etc/sysconfig and updating the system…
Executing /sbin/conf.d/SuSEconfig.syslog-ng…
Checking //etc/syslog-ng/syslog-ng.conf.SuSEconfig file: ok
ATTENTION: You have modified //etc/syslog-ng/syslog-ng.conf. Leaving it untouched…
You can find my version in //etc/syslog-ng/syslog-ng.conf.SuSEconfig…
Finished.
srv:/etc/syslog-ng # [/FONT]
The “ATTENTION” does look suspicious, but still I don’t know why…
First with /etc/sysconfig/syslog
srv:~ # grep SYSLOG_NG_CREATE_CONFIG /etc/sysconfig/syslog
SYSLOG_NG_CREATE_CONFIG=“yes”[/color]
So that confirms SuSEconfig is being used to “manage” the configuration
for syslog-ng.
[color=blue]
here is the outcome of “SuSEconfig --module syslog-ng”
srv:/etc/syslog-ng # SuSEconfig --module syslog-ng
Starting SuSEconfig, the SuSE Configuration Tool…
Running module syslog-ng only
Reading /etc/sysconfig and updating the system…
Executing /sbin/conf.d/SuSEconfig.syslog-ng…
Checking //etc/syslog-ng/syslog-ng.conf.SuSEconfig file: ok
ATTENTION: You have modified //etc/syslog-ng/syslog-ng.conf. Leaving
it untouched…
You can find my version in
//etc/syslog-ng/syslog-ng.conf.SuSEconfig…
Finished.
srv:/etc/syslog-ng #
The “ATTENTION” does look suspicious, but still I don’t know why…[/color]
Well there’s your reason, syslog-ng.conf has been edited.
It might be worth using diff to check the differences between
syslog-ng.conf and syslog-ng.conf.SuSEconfig and then you could edit
syslog-ng.conf.in accordingly. Once you’re happy that
syslog-ng.conf.SuSEconfig is correct (based on syslog-ng.conf.in) then
you should be able to rename syslog-ng.conf to something else
(syslog-ng.conf.bak perhaps) and then rename syslog-ng.conf.SuSEconfig
to syslog-ng.conf.
HTH.
Simon
SUSE Knowledge Partner
Do you work with SUSE technologies at a university, college or school?
If so, your campus could benefit from joining the Technology Transfer
Partner (TTP) program. See TTP Organization | Micro Focus for more details.
It worked.
It looks that syslog-ng.conf.SuSEconfig is just a middle file. When I modified syslog-ng.conf.in to be consistent with syslog-ng.conf and do “SuSEconfig --module syslog-ng”, I got this:
[FONT=Courier New][COLOR="#696969"]srv:/etc/syslog-ng # SuSEconfig --module syslog-ng
Starting SuSEconfig, the SuSE Configuration Tool…
Running module syslog-ng only
Reading /etc/sysconfig and updating the system…
Executing /sbin/conf.d/SuSEconfig.syslog-ng…
Checking //etc/syslog-ng/syslog-ng.conf.SuSEconfig file: ok
Finished.
srv:/etc/syslog-ng #[/COLOR][/FONT]
But if I ls in /etc/syslog-ng, there is no syslog-ng.conf.SuSEconfig any more.
[FONT=Courier New][COLOR="#696969"]srv:/etc/syslog-ng # ll
total 32
-rw-r–r-- 1 root root 6967 Jun 13 11:28 syslog-ng.conf
-rw-r–r-- 1 root root 6794 Jun 27 2012 syslog-ng.conf.bak
-rw-r–r-- 1 root root 6985 Jun 13 11:27 syslog-ng.conf.in
-rw-r–r-- 1 root root 5459 Jul 6 2007 syslog-ng.conf.in.bak
srv:/etc/syslog-ng #[/COLOR][/FONT]