# syslog-ng network logging & passthrough [SOLVED]

## selig

My server seems to hang on disk access from time to time and I want to learn why. So I decided to try network logging using syslog-ng. Unfortunately, this has a problem: syslog-ng will block on disk access and it will not send anything over the network.

I did this:

1) start syslog-ng with this configuration:

```
options {
    chain_hostnames(no);
    stats_freq(43200);
};

source src {
    unix-stream("/dev/log");
    internal();
};

source kernsrc {
    file("/proc/kmsg");
};

destination loghost { udp("loghost" port(514)); };
destination locallog { pipe("/var/run/syslog/syslog"); };

filter f_remote { not facility(mail,auth,authpriv); };

# local passthrough
log { source(src); source(kernsrc); destination(locallog); };

# remote logging
log { source(src); source(kernsrc); filter(f_remote); destination(loghost); };
```

And then I started another syslog-ng server with this command:

```
/usr/sbin/syslog-ng -f /etc/syslog-ng/syslog-nglocal.conf -p /var/run/syslog/syslog-ng.pid
```

and a normal configuration file:

```
options {
    chain_hostnames(no);
    stats_freq(43200);
};

source src {
    pipe("/var/run/syslog/syslog");
};

destination authlog { file("/var/log/auth.log"); };
destination _syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); file("/dev/tty12"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };
destination mail { file("/var/log/mail.log"); };
destination avc { file("/var/log/avc.log"); };
destination audit { file("/var/log/audit.log"); };
destination pax { file("/var/log/pax.log"); };
destination grsec { file("/var/log/grsec.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
destination xconsole { pipe("/dev/xconsole"); };

filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
    and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_avc { match(".*avc: .*"); };
filter f_audit { match("^audit.*") and not match(".*avc: .*"); };
filter f_pax { match("^PAX:.*"); };
filter f_grsec { match("^grsec:.*"); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(_syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_pax); destination(pax); };
log { source(src); filter(f_grsec); destination(grsec); };
log { source(src); filter(f_audit); destination(audit); };
log { source(src); filter(f_avc); destination(avc); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); destination(console_all); };
```

The problem is, it does not sort the messages into individual files correctly. The only files that get written to are user.log, syslog, messages and debug. I guess one syslog is not passing the "facility" information to the other. Is this possible somehow? Or how should I sort messages into individual log files in this second syslog-ng instance? Do I need to create pipes for all kinds of filters and then create "log" sections in the second instance for every one of them?

Thanks for any suggestions!

P.S.: The /var/run/syslog is a tmpfs so that it does not block if the disk subsystem fails (I am not sure if this affects the pipe though, but I want to make sure it does not).

Last edited by selig on Thu Dec 08, 2011 6:45 pm; edited 1 time in total

----------

## selig

I changed the "pipe" to "unix-stream" and now it seems to sort messages nicely. But how will this behave if the disk-writing process gets into uninterruptible sleep state? Will the connection time out eventually or will the process sending data via the unix socket hang too?

----------

## selig

I solved it by using UDP on localhost instead of unix sockets...

----------
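Added example, not part of the original posts: a Python sketch of why only four files were written in the pipe setup. It assumes the lines read from the pipe arrived without a `<PRI>` header (an assumption consistent with the symptom in the first post), so the RFC 3164 fallback priority 13 (user.notice) applies; the sample lines are constructed, and only the facility/level filters of the second config are modelled.

```python
import re

# Facility names by RFC 3164 numeric code (index = code); 12-15 are loosely named.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")
DEFAULT_PRI = 13  # RFC 3164 section 4.3.3: user.notice when no valid PRI is found

def decode_pri(line):
    """Return (facility, severity) from the <PRI> header, or the fallback."""
    m = PRI_RE.match(line)
    pri = int(m.group(1)) if m else DEFAULT_PRI
    if pri > 191:  # 23*8+7 is the largest valid value
        pri = DEFAULT_PRI
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def destinations(facility, severity):
    """Facility/level filters from the second config, mapped to their log files.
    The mail.*, news.* and match()-based filters are left out for brevity."""
    f, s = facility, severity
    quiet = ("auth", "authpriv", "news", "mail")
    rules = [
        ("auth.log", f in ("auth", "authpriv")),             # f_authpriv
        ("syslog", f not in ("authpriv", "mail")),           # f_syslog
        ("cron.log", f == "cron"), ("daemon.log", f == "daemon"),
        ("kern.log", f == "kern"), ("lpr.log", f == "lpr"),
        ("mail.log", f == "mail"), ("user.log", f == "user"),
        ("uucp.log", f == "uucp"),
        ("debug", f not in quiet),                           # f_debug
        ("messages", s in ("info", "notice", "warn") and f not in quiet),
    ]
    return [name for name, hit in rules if hit]

def route(line):
    return destinations(*decode_pri(line))

# Constructed sample lines: the same sshd event with and without its PRI header.
SAMPLES = [
    "<38>Dec  8 18:40:01 host sshd[411]: Accepted publickey for root",  # auth.info
    "<78>Dec  8 18:40:01 host cron[512]: (root) CMD (run-parts)",       # cron.info
    "Dec  8 18:40:01 host sshd[411]: Accepted publickey for root",      # PRI lost
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(decode_pri(line), route(line))
```

With the header stripped, the sshd line no longer reaches auth.log and instead lands in the same four files named in the first post.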

