syslog-ng.conf.in does not take effect

Hi,

i’m trying to integrate a SLES 10 server to a syslog server for centralized logging.

I followed the steps in this article: http://www.novell.com/coolsolutions/feature/18044.html
However it doesn’t work. If I “logger user.notice test” i can see the test message in /var/log/messages but no log was send to the loghost. And tcpdump captures no packets.

Then i noticed there are 3 files under /etc/syslog-ng:
-rw-r–r-- 1 root root 6794 Jun 27 2012 syslog-ng.conf
-rw-r–r-- 1 root root 5638 Jun 11 10:43 syslog-ng.conf.SuSEconfig
-rw-r–r-- 1 root root 5656 Jun 11 10:43 syslog-ng.conf.in

Everytime when i change syslog-ng.conf.in and run SuSEconfig, syslog-ng.conf.SuSEconfig is changed accordingly. The syslog-ng.conf doesn’t change at all. I tried to edit syslog-ng.conf directly (although not recommend, i know) and restart syslog-ng by /etc/init.d/syslog restart. Magic happened, it worked.

I feel uncomfortable about it because I made it work by a “forbidden” way. Could anyone explain why the recommended way not work? Any thing i did wrong?

Thanks

The article was written for SLES 9 and while I see a note in there about
SLES 10 I’ve never noticed this issue before and have always modified the
syslog-ng.conf file directly (perhaps incorrectly, and perhaps only
getting by with some good luck). Could you post the contents of your
/etc/sysconfig/syslog file? I notice in there I have a parameter that
tells suseconfig whether or not it should be controlling the
syslog-ng.conf file and it defaults to ‘Yes’ (meaning it sounds like it
should work the same way as SLES 9). If I run SuSEconfig --module
syslog-ng I do not get any new syslog-ng.conf.SuSEconfig file as you do,
which is another interesting point; my server is OES 2 SP2 which is based
on SLES 10.SP3.

By the way, SLES 11 no longer has this syslog-nt.conf.in file so things
are simpler.

Good luck.

By the way, SLES 11 no longer has this syslog-nt.conf.in file so things[color=blue]
are simpler.[/color]

Typo… I meant syslog-ng.conf.in of course.

Good luck.

On 11/06/2013 13:38, ab wrote:
[color=blue]

The article was written for SLES 9 and while I see a note in there about
SLES 10 I’ve never noticed this issue before and have always modified the
syslog-ng.conf file directly (perhaps incorrectly, and perhaps only
getting by with some good luck).[/color]

Tut tut!
[color=blue]

Could you post the contents of your
/etc/sysconfig/syslog file? I notice in there I have a parameter that
tells suseconfig whether or not it should be controlling the
syslog-ng.conf file and it defaults to ‘Yes’ (meaning it sounds like it
should work the same way as SLES 9). If I run SuSEconfig --module
syslog-ng I do not get any new syslog-ng.conf.SuSEconfig file as you do,
which is another interesting point; my server is OES 2 SP2 which is based
on SLES 10.SP3.[/color]

Use “grep SYSLOG_NG_CREATE_CONFIG /etc/sysconfig/syslog” to quickly
check whether SuSEconfig will generate syslog-ng.conf from
syslog-ng.conf.in.
[color=blue]

By the way, SLES 11 no longer has this syslog-nt.conf.in file so things
are simpler.[/color]

Indeed.

HTH.

Simon
SUSE Knowledge Partner


Do you work with SUSE technologies at a university, college or school?
If so, your campus could benefit from joining the Technology Transfer
Partner (TTP) program. See novell.com/ttp for more details.

On 11/06/2013 04:04, peetoo wrote:
[color=blue]

i’m trying to integrate a SLES 10 server to a syslog server for
centralized logging.

I followed the steps in this article:
http://www.novell.com/coolsolutions/feature/18044.html
However it doesn’t work. If I “logger user.notice test” i can see the
test message in /var/log/messages but no log was send to the loghost.
And tcpdump captures no packets.

Then i noticed there are 3 files under /etc/syslog-ng:
-rw-r–r-- 1 root root 6794 Jun 27 2012 syslog-ng.conf
-rw-r–r-- 1 root root 5638 Jun 11 10:43 syslog-ng.conf.SuSEconfig
-rw-r–r-- 1 root root 5656 Jun 11 10:43 syslog-ng.conf.in

Everytime when i change syslog-ng.conf.in and run SuSEconfig,
syslog-ng.conf.SuSEconfig is changed accordingly. The syslog-ng.conf
doesn’t change at all. I tried to edit syslog-ng.conf directly (although
not recommend, i know) and restart syslog-ng by /etc/init.d/syslog
restart. Magic happened, it worked.

I feel uncomfortable about it because I made it work by a “forbidden”
way. Could anyone explain why the recommended way not work? Any thing i
did wrong?[/color]

When you run “SuSEconfig --module syslog-ng” do you get any errors?

syslog-ng.conf.SuSEconfig can be created if you have modified
syslog-ng.conf rather than syslog-ng.conf.in.

I also think that syslog-ng.conf.SuSEconfig is created from
syslog-ng.conf.in to check syntax, etc. If no errors then syslog-ng.conf
is created (and syslog-ng.conf.SuSEconfig should be removed).

Either way, running “SuSEconfig --module syslog-ng” should reveal the
reason.

HTH.

Simon
SUSE Knowledge Partner


Do you work with SUSE technologies at a university, college or school?
If so, your campus could benefit from joining the Technology Transfer
Partner (TTP) program. See novell.com/ttp for more details.

[QUOTE=smflood;13968]On 11/06/2013 04:04, peetoo wrote:
[color=blue]

When you run “SuSEconfig --module syslog-ng” do you get any errors?

syslog-ng.conf.SuSEconfig can be created if you have modified
syslog-ng.conf rather than syslog-ng.conf.in.

I also think that syslog-ng.conf.SuSEconfig is created from
syslog-ng.conf.in to check syntax, etc. If no errors then syslog-ng.conf
is created (and syslog-ng.conf.SuSEconfig should be removed).

Either way, running “SuSEconfig --module syslog-ng” should reveal the
reason.
[/color][/QUOTE]

First with /etc/sysconfig/syslog
srv:~ # grep SYSLOG_NG_CREATE_CONFIG /etc/sysconfig/syslog
SYSLOG_NG_CREATE_CONFIG=“yes”
srv:~ #

here is the outcome of “SuSEconfig --module syslog-ng”

[FONT=Courier New]srv:/etc/syslog-ng # SuSEconfig --module syslog-ng
Starting SuSEconfig, the SuSE Configuration Tool…
Running module syslog-ng only
Reading /etc/sysconfig and updating the system…
Executing /sbin/conf.d/SuSEconfig.syslog-ng…
Checking //etc/syslog-ng/syslog-ng.conf.SuSEconfig file: ok

ATTENTION: You have modified //etc/syslog-ng/syslog-ng.conf. Leaving it untouched…
You can find my version in //etc/syslog-ng/syslog-ng.conf.SuSEconfig…

Finished.
srv:/etc/syslog-ng # [/FONT]

The “ATTENTION” does look suspicious, but still I don’t know why…

On 11/06/2013 23:14, peetoo wrote:
[color=blue]

First with /etc/sysconfig/syslog
srv:~ # grep SYSLOG_NG_CREATE_CONFIG /etc/sysconfig/syslog
SYSLOG_NG_CREATE_CONFIG=“yes”[/color]

So that confirms SuSEconfig is being used to “manage” the configuration
for syslog-ng.
[color=blue]

here is the outcome of “SuSEconfig --module syslog-ng”

srv:/etc/syslog-ng # SuSEconfig --module syslog-ng
Starting SuSEconfig, the SuSE Configuration Tool…
Running module syslog-ng only
Reading /etc/sysconfig and updating the system…
Executing /sbin/conf.d/SuSEconfig.syslog-ng…
Checking //etc/syslog-ng/syslog-ng.conf.SuSEconfig file: ok

ATTENTION: You have modified //etc/syslog-ng/syslog-ng.conf. Leaving
it untouched…
You can find my version in
//etc/syslog-ng/syslog-ng.conf.SuSEconfig…

Finished.
srv:/etc/syslog-ng #

The “ATTENTION” does look suspicious, but still I don’t know why…[/color]

Well there’s your reason, syslog-ng.conf has been edited.

It might be worth using diff to check the differences between
syslog-ng.conf and syslog-ng.conf.SuSEconfig and then you could edit
syslog-ng.conf.in accordingly. Once you’re happy that
syslog-ng.conf.SuSEconfig is correct (based on syslog-ng.conf.in) then
you should be able to rename syslog-ng.conf to something else
(syslog-ng.conf.bak perhaps) and then rename syslog-ng.conf.SuSEconfig
to syslog-ng.conf.

HTH.

Simon
SUSE Knowledge Partner


Do you work with SUSE technologies at a university, college or school?
If so, your campus could benefit from joining the Technology Transfer
Partner (TTP) program. See novell.com/ttp for more details.

It worked.
It looks that syslog-ng.conf.SuSEconfig is just a middle file. When I modified syslog-ng.conf.in to be consistent with syslog-ng.conf and do “SuSEconfig --module syslog-ng”, I got this:
[FONT=Courier New][COLOR="#696969"]srv:/etc/syslog-ng # SuSEconfig --module syslog-ng
Starting SuSEconfig, the SuSE Configuration Tool…
Running module syslog-ng only
Reading /etc/sysconfig and updating the system…
Executing /sbin/conf.d/SuSEconfig.syslog-ng…
Checking //etc/syslog-ng/syslog-ng.conf.SuSEconfig file: ok
Finished.
srv:/etc/syslog-ng #[/COLOR][/FONT]

But if I ls in /etc/syslog-ng, there is no syslog-ng.conf.SuSEconfig any more.
[FONT=Courier New][COLOR="#696969"]srv:/etc/syslog-ng # ll
total 32
-rw-r–r-- 1 root root 6967 Jun 13 11:28 syslog-ng.conf
-rw-r–r-- 1 root root 6794 Jun 27 2012 syslog-ng.conf.bak
-rw-r–r-- 1 root root 6985 Jun 13 11:27 syslog-ng.conf.in
-rw-r–r-- 1 root root 5459 Jul 6 2007 syslog-ng.conf.in.bak
srv:/etc/syslog-ng #[/COLOR][/FONT]