# syntax error in /etc/syslog-ng/syslog-ng.conf at line 40

## upengan78

Greetings,

There wasn't any issue prior to installing bastille on this gentoo box.

/etc/init.d/syslog-ng start

```
syntax error in /etc/syslog-ng/syslog-ng.conf at line 40.
syslog-ng documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng
 * Configuration error. Please fix your configfile (/etc/syslog-ng/syslog-ng.conf)
```

cat /etc/syslog-ng/syslog-ng.conf -n

```
     1   @version: 3.0
     2   # $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.3,v 1.1 2010/04/06 02:11:35 mr_bones_ Exp $
     3   #
     4   # Syslog-ng default configuration file for Gentoo Linux
     5
     6   options {
     7      chain_hostnames(no);
     8
     9      # The default action of syslog-ng is to log a STATS line
    10      # to the file every 10 minutes.  That's pretty ugly after a while.
    11      # Change it to every 12 hours so you get a nice daily update of
    12      # how many messages syslog-ng missed (0).
    13      stats_freq(43200);
    14   };
    15
    16   source src {
    17       unix-stream("/dev/log" max-connections(256));
    18       internal();
    19       file("/proc/kmsg");
    20   };
    21
    22   destination messages { file("/var/log/messages"); };
    23   destination debug { file("/var/log/debug"); };
    24
    25
    26   # By default messages are logged to tty12...
    27   destination console_all { file("/dev/tty12"); };
    28   # ...if you intend to use /dev/console for programs like xconsole
    29   # you can comment out the destination line above that references /dev/tty12
    30   # and uncomment the line below.
    31   #destination console_all { file("/dev/console"); };
    32
    33   log { source(src); destination(messages); };
    34   log { source(src); destination(console_all); };
    35   filter f_debug { not facility(auth, authpriv, news, mail); };
    36   log { source(src); filter(f_debug); destination(debug); };
    37
    38   ############ BASTILLE ADDITIONS BELOW : #################
    39   # Log warning and errors to the new file /var/log/syslog
    40   destination syslog { file("/var/log/syslog"); };
    41   filter f_syslog { facility(warn, err); };
    42   log { source(src); filter(f_syslog); destination(syslog); };
    43
    44   # Log all kernel messages to the new file /var/log/kernel
    45   source kernsrc { file("/proc/kmsg"); };
    46   destination kern { file("/var/log/kernel"); };
    47   filter f_kern { facility(kern); };
    48   log { source(kernsrc); filter(f_kern); destination(kern); };
    49
    50   # Log all logins to /var/log/loginlog
    51   destination loginlog { file("/var/log/loginlog"); };
    52   filter f_loginlog { facility(auth, user) and not facility(daemon); };
    53   log { source(src); filter(f_loginlog); destination(loginlog); };
    54
    55   # Log additional data to the Alt-F7 and Alt-F8 screens (Pseudo TTY 7 and 8)
    56
    57   destination tty7 { file("/dev/tty7"); };
    58   destination tty8 { file("/dev/tty8"); };
    59   filter f_info { level(info) and not facility(mail, authpriv); };
    60   filter f_authpriv { facility(authpriv); };
    61   filter f_warnerr { level(warn, err); };
    62   filter f_mail { facility(mail); };
    63   log { source(src); filter(f_info); destination(tty7); };
    64   log { source(src); filter(f_authpriv); destination(tty7); };
    65   log { source(src); filter(f_warnerr); destination(tty7); };
    66   log { source(kernsrc); filter(f_kern); destination(tty7); };
    67   log { source(src); filter(f_mail); destination(tty8); };
    68
    69   ########## BASTILLE ADDITIONS CONCLUDED : ###############
```

Can someone please help?

Thanks in advance.

----------

## cdstealer

Hi, I don't know if this will make any difference, but at the end of my syslog-ng.conf I have 

```
# ALWAYS AT THE END
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
```

where these 2 lines are at 33 in yours.. is it worth a shot moving them to the end?

----------

## lxg

upengan78: What happens if you temporarily comment out this line and restart syslog-ng? (Sometimes, if a parser woes about a certain line, the actual error may already have been before.)

----------

## upengan78

 *lxg wrote:*   

> upengan78: What happens if you temporarily comment out this line and restart syslog-ng? (Sometimes, if a parser woes about a certain line, the actual error may already have been before.)

 

Line 40 commented

/etc/init.d/syslog-ng start

```
Unknown facility; facility='warn'
* Configuration error. Please fix your configfile (/etc/syslog-ng/syslog-ng.conf)
```

Thank you for helping me out.
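
Added example, not part of the original post: a small Python lint for the `Unknown facility; facility='warn'` error shown above. It flags `facility()` arguments that are not syslog facility names; `warn` and `err` are severity names, which the same config passes to `level()` on line 61. The function name and the `SAMPLE` dictionary are constructed for illustration.

```python
import re

# Standard syslog facility names (syslog(3) set plus local0-7).
FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp",
              *(f"local{i}" for i in range(8))}
# Severity names and common aliases; these belong in level(), not facility().
LEVELS = {"emerg", "alert", "crit", "err", "error", "warn", "warning",
          "notice", "info", "debug"}

FACILITY_CALL = re.compile(r"\bfacility\s*\(([^)]*)\)")

# Constructed sample: lines 40-42 and 52 of the config posted in this thread.
SAMPLE = {
    40: 'destination syslog { file("/var/log/syslog"); };',
    41: 'filter f_syslog { facility(warn, err); };',
    42: 'log { source(src); filter(f_syslog); destination(syslog); };',
    52: 'filter f_loginlog { facility(auth, user) and not facility(daemon); };',
}

def check_facilities(lines):
    """Return (line_no, name, hint) for each facility() argument that is not a facility."""
    findings = []
    for no, text in sorted(lines.items()):
        # Simplification: treat everything after '#' as a comment
        # (does not handle '#' inside quoted strings).
        code = text.split("#", 1)[0]
        for call in FACILITY_CALL.finditer(code):
            for name in (arg.strip() for arg in call.group(1).split(",")):
                if not name or name.isdigit() or name in FACILITIES:
                    continue
                hint = ("severity name, use level()" if name in LEVELS
                        else "unknown name")
                findings.append((no, name, hint))
    return findings

if __name__ == "__main__":
    for no, name, hint in check_facilities(SAMPLE):
        print(f"line {no}: facility({name}): {hint}")
```
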

----------

## upengan78

 *cdstealer wrote:*   

> Hi, I don't know if this will make any difference, but at the end of my syslog-ng.conf I have 
> 
> ```
> # ALWAYS AT THE END
> 
> ...
> ```

 

Moving lines 33, 34 to the end also failed with the same messages. Thanks for the help!

----------

## upengan78

 *upengan78 wrote:*   

>  *lxg wrote:*   upengan78: What happens if you temporarily comment out this line and restart syslog-ng? (Sometimes, if a parser woes about a certain line, the actual error may already have been before.) 
> 
> Line 40 commented
> 
> /etc/init.d/syslog-ng start  
> ...

 

Commented out the lines below

```
    40   destination syslog { file("/var/log/syslog"); };
    41   filter f_syslog { facility(warn, err); };
    42   log { source(src); filter(f_syslog); destination(syslog); };
```

Then syslog-ng started with OK status

/etc/init.d/syslog-ng restart

```
 * Stopping bastille-firewall ...
WARNING: reverting to default settings (dropping firewall)
disabling IP forwarding... done.
unloading masquerading modules... done.
resetting default input rules to accept... done.
resetting default output rule to accept... done.
resetting default forward rule to accept... done.
flushing INPUT rules... done.
flushing OUTPUT rules... done.
flushing FORWARD rules... done.
removing user-defined chains... done.    [ ok ]
 * Stopping psadwatchd ...    [ ok ]
 * Stopping psad ...    [ ok ]
 * Stopping syslog-ng ...    [ ok ]
 * Starting syslog-ng ...    [ ok ]
 * Starting bastille-firewall ...
FATAL: Module ip_tables not found.
FATAL: Module ip_conntrack not found.
FATAL: Module ip_conntrack_ftp not found.
FATAL: Module ipt_LOG not found.
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.    [ ok ]
 * Starting psad ...    [ ok ]
```

----------

## lxg

Uhm, if I were you, I'd comment the entire Bastille section and post a bug report. I don't know much about the config of Syslog-NG, but something seems to be quite wrong.

By the way, this “Bastille Linux” looks pretty unmaintained to me, the latest release is more than two years old. It is well possible that some internals of Syslog-NG changed, which Bastille relies on. And I wouldn't be astonished if the Gentoo devs kicked it out of Portage as “unmaintained”.

edit: Ok you got it running, never mind. ;)

----------

## upengan78

Hi LXG,

I think you are right, Bastille is something I had heard of a long time back. However, recently I saw on some mailing list that people still recommend this software for server hardening. I got curious and tried eix bastille and was excited to find it in portage. I thought if this is in portage, it is okay to install this and it is being maintained, or at least someone is watching over it. But the developer's website tells the truth - 2008...

Does anyone know if there are similar packages like bastille? I do use ossec and fail2ban, but bastille also got me an iptables firewall configured, and psad as well.

----------

