NSLU2-Linux

Syslog-ng is a replacement for the standard syslog utility for Unix and Linux systems. It is developed and maintained by BalaBit Security.

Syslog-ng can be used as a replacement for the stock syslogd provided by Unslung if you want more control over how messages are logged, or if you need to log messages sent by other systems in your network, such as a router or access point; these devices do not usually have a hard disk to store log messages and can only keep a limited number of log messages in memory.

The current Optware package for syslog-ng is based on version 2.0.9, with basic setup scripts, a default config file and a startup script to run syslog-ng at every boot. The standard config file creates all log files under /opt/var/log.

Installation

If you want to install it, just update the list of packages available for ipkg and then install it:

 ipkg update
 ipkg install syslog-ng

If you are running Unslung, before starting syslog-ng for the first time you have to disable the built-in syslogd and klogd. To do this, comment out the two lines in /etc/inittab by inserting a '#' at the beginning of each line. The file should look like this:

 #slog:unknown:/sbin/syslogd -n
 #klog:unknown:/sbin/klogd -n

You won't be able to kill the running copies of syslogd and klogd because init will restart them; you must reboot.

Logging from remote sources

If you want to receive log messages from other machines in your network, such as a router or access point, you should configure them to use your slug as a syslog destination, according to the instructions for each device.

On the slug, edit /opt/etc/syslog-ng/syslog-ng.conf and add a log path that sends messages from remote devices to a file. Since the original config file already has a source entry called net that receives messages via the syslog UDP protocol, all you need is a line at the end of the file defining a new message path. For example, to send all messages received from remote devices to /opt/var/log/syslog, which the file already defines as a destination called syslog, add this line to the end of the config:

 log { source(net); destination(syslog); };

Caveats and advice for Unslung

The default config file may not be ideal for an Unslung user: Unslung uses /var/log/messages, which the watchdog process truncates aggressively.

Another thing to be aware of is that the default Linksys setup uses DGRAM (not stream) sockets for /dev/log. If you run the distributed config file, things shouldn't get confused, but they seem to anyway. To fix this, make sure you don't use unix-stream and restore the DGRAM setup:

 ln -sf /var/tmp/log /dev/log

Here's a simple config file that writes a standard syslog to /opt/var/log/messages while also keeping the Linksys /var/log/messages file up to date.

It also shows how to monitor another (syslog-format) log file, and how to keep programs that might confuse the Linksys utilities out of the traditional file.

options { long_hostnames(off); sync(0); create_dirs(yes); ts_format(bsd); log_msg_size(1024); };

template std_msg { template("<$PRI>$STAMP $HOST $MESSAGE\n"); template_escape(no); };
template old_msg { template("<$PRI>$STAMP $MESSAGE\n"); template_escape(no); };

#On NSLU2, /dev/log -> /var/tmp/log & is a DGRAM
#Use a file (not a pipe) to read kmsg - pipe is rw
#unix-stream("/dev/log" max-connections(10));

source src { file("/proc/kmsg" log_prefix("kernel: "));
             unix-dgram("/var/tmp/log");
             internal();
             file("/var/log/watchnet.log" follow_freq(1)); };

#source net { udp(); };

destination messages { file("/opt/var/log/messages" template(std_msg) log_fifo_size(200)); };
#destination netlog { udp("192.0.2.12" localip("192.0.2.77") template(std_msg) log_fifo_size(500)); };
destination oldmsgs { file("/var/log/messages" template(old_msg) log_fifo_size(200)); };

#Everything to the large logfile
#
log { source(src); destination(messages); };

# Don't put watchnet clutter in the (small) traditional logfile.

filter nowatch { not program(watchnet); };

log { source(src); filter(nowatch); destination(oldmsgs); };
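The <$PRI> prefix written by the templates above is the facility/severity number of the BSD syslog protocol (PRI = facility * 8 + severity), the same prefix every message arriving on the udp() source carries. As an added example (not from this page or from syslog-ng), here is a POSIX sh decoder that names the facility and severity of each line and, over a constructed sample log, counts the entries severe enough to alert on.

```shell
#!/bin/sh
# Added example: decode the <PRI> prefix of BSD-style syslog lines.
# PRI = facility * 8 + severity, valid range 0..191.

FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7"
SEVERITIES="emerg alert crit err warning notice info debug"

# nth_word LIST N: print the N-th (0-based) word of LIST.
nth_word() {
    _n=$2
    set -- $1
    shift "$_n"
    echo "$1"
}

# decode_pri LINE: print "facility.severity" for a line that starts with
# <N>; print "invalid" and return 1 for a missing or out-of-range prefix.
decode_pri() {
    case "$1" in
        "<"[0-9]">"*|"<"[0-9][0-9]">"*|"<"[0-9][0-9][0-9]">"*) ;;
        *) echo invalid; return 1 ;;
    esac
    pri=${1#"<"}
    pri=${pri%%">"*}
    # Leading zeros are not allowed (and would be read as octal below).
    case "$pri" in 0?*) echo invalid; return 1 ;; esac
    if [ "$pri" -gt 191 ]; then echo invalid; return 1; fi
    echo "$(nth_word "$FACILITIES" $((pri / 8))).$(nth_word "$SEVERITIES" $((pri % 8)))"
}

# Constructed sample of /opt/var/log/messages as written by the std_msg
# template (hostnames and message text are made up).
SAMPLE='<38>Mar 30 16:56:01 slug sshd[123]: Accepted password for root from 192.0.2.5
<190>Mar 30 16:56:02 router kernel: DHCP lease renewed
<9>Mar 30 16:56:03 slug watchnet: link down on ixp0
a line with no priority prefix at all'

# critical_count: number of SAMPLE lines with severity crit or worse.
critical_count() {
    n=0
    while read -r line; do
        fs=$(decode_pri "$line") || continue
        case "$fs" in *.emerg|*.alert|*.crit) n=$((n + 1)) ;; esac
    done <<EOF
$SAMPLE
EOF
    echo "$n"
}
```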


Unslung syslog-ng won't work properly without glib 2.12.12 or greater. Make sure you install it.

The ipkg's configure script is somewhat limited. Here's a more complete one that I use; it provides all the usual functions and automagically does the necessary edits to other startup files. The code using IPADDR is useful when your machine has more than one IP address; it's harmless otherwise. /opt/etc/config can be used to set customization variables without editing the startup script.

Remember to chmod +x it!

/opt/etc/init.d/S010syslog-ng

#!/bin/sh
#
# Startup script for syslog-ng
#

if [ -e /opt/etc/config ]; then
    . /opt/etc/config
fi

if [ -z "$IPADDR" ]; then
    . /etc/sysconfig/network-scripts/ifcfg-ixp0
fi

if [ -z "$SYSLOGCFG" ]; then
    SYSLOGCFG=/opt/etc/syslog-ng.conf
fi

PIDFILE=/opt/var/run/syslog-ng.pid

config () {
    #
    # Check for configured
    #
    if [ -n "$IPADDR" ]; then
	if ! grep -q "localip(\"$IPADDR\")" $SYSLOGCFG ; then
	    #
            # Adjust config file so all messages sent to the network hub come from our primary IP address
	    #
	    sed -i -e"/destination /s/localip(\"[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\"/localip(\"$IPADDR\"/" \
	                                 $SYSLOGCFG
	fi
    fi
    return 0
}

start () {
    echo -n "Starting syslog-ng Server: "
    if [ -n "`pidof syslog-ng`" ]; then 
	echo "already running..."
	false
	return
    fi

    # Remove standard syslogd/klogd from inittab

    if [ -n "`sed -n -e'/^.log:unknown:\/sbin\/.*logd/p' /etc/inittab`" ]; then
	sed -i -e '/^.log:unknown:\/sbin\/.*logd/s/^/#/' /etc/inittab
	echo "syslogd/klogd have been removed from /etc/inittab."
    fi

    # If old loggers are running, try to kill them (but as they run under init, this probably won't work.)

    if [ -n "`pidof syslogd``pidof klogd`" ]; then
	if [ -n "`pidof syslogd`" ]; then
	    /bin/killall -9 syslogd 2>/dev/null
	fi
	if [ -n "`pidof klogd`" ]; then
	    /bin/killall -9 klogd 2>/dev/null
	fi
	sleep 5
	if [ -n "`pidof syslogd``pidof klogd`" ]; then

	    cat <<EOF
syslogd/klogd have been killed, but were magically restarted,
probably by init.  syslog-ng can not be started with them running.
Please reboot.
EOF
	    /bin/false
	    return
	fi
    fi
    ln -sf /var/tmp/log /dev/log
    config

    #
    #  Supersedes the kit version
    #
    rm -rf /opt/etc/init.d/S01syslog-ng

    /opt/sbin/syslog-ng -f $SYSLOGCFG -p $PIDFILE $SYSLOGFLAGS
    if [ -n "`pidof syslog-ng`" ]; then
	echo "started"
    else
	echo "failed"
	/bin/false
    fi
    return
}

stop () {
    echo -n "Shutting down syslog-ng Server: "
    if [ -n "`pidof syslog-ng`" ]; then 
	/bin/killall -TERM syslog-ng 2>/dev/null
	sleep 5
    fi
    if [ -n "`pidof syslog-ng`" ]; then 
	echo "Failed"
	/bin/false
    else
	echo "OK"
    fi
    return
}

rstatus () {
    pid="`pidof syslog-ng`"
    # Quote both sides: an unquoted, missing or multi-word value would break the test.
    if [ -n "$pid" ] && [ "$pid" = "`cat $PIDFILE 2>/dev/null`" ]; then
	echo "Server is running (pid $pid)"
    else
	if [ -n "$pid" ]; then
	    echo "Server is running (pid $pid), but $PIDFILE doesn't match"
	else
	    echo "Server is stopped"
	    /bin/false
	fi
    fi
    return
}

restart () {
    stop
    start
}

reload () {
    echo -n "Reloading syslog-ng configuration: "
    config
    /bin/killall -HUP syslog-ng
    sleep 5
    if [ -n "`pidof syslog-ng`" ]; then
	if [ -x /opt/bin/netstat ]; then
	    if /opt/bin/netstat -ax | grep -q /var/tmp/log ; then
		echo "OK"
	    else
		echo "server died - bad version or glib?"
		/bin/false
	    fi
	else
	    echo "OK"
	fi
    else
	echo "server died - bad version or glib?"
	/bin/false
    fi
    return
}

#
# Mainline: command decode and dispatch
#
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        rstatus
        ;;
  reload)
	reload
	;;
  restart)
        restart
        ;;
  condrestart)
        [ -n "`pidof syslog-ng`" ] && restart
        ;;
  *)
        echo "Usage: $0 {start|stop|status|reload|restart|condrestart}"
        exit 1
esac
exit $?

More information

BalaBit publishes the syslog-ng 1.6 Reference Manual in HTML and in PDF, as well as a FAQ.

You should set up some rotation mechanism to archive your logs and prevent them from growing too large. You can use logrotate for this; it lets you create a rotation schedule for syslog-ng or any other program that generates logfiles.

Question: All slug-related events are logging fine, but I'm having trouble logging events from my Linksys router, an RT31P2. I set the router to send logs to the slug's IP address and then to the subnet's broadcast address, to no avail. I captured packets with Ethereal on another Linux box and identified that the SNMP traffic is being sent, just not logged by the slug's syslog-ng instance. Could the Linksys SNMP be somewhat proprietary? -- Grant

Syslog-ng can only be used to log remote events from other network devices, such as routers and access points, if they use the syslog protocol. It does not receive SNMP trap messages, so if your device generates log and alarm messages via SNMP, you will need an additional tool, such as the snmptrapd server available in the net-snmp Optware package, to receive SNMP traps and log them to syslog.

Last edited by tlhackque.
Based on work by tlhackque, fcarolo, and Grant.
Originally by fcarolo.
Page last modified on March 30, 2008, at 04:56 PM