# Syslog-ng failing each night at 3 AM ish

## schmeggahead

Intermittently, on multiple boxes with the same syslog-ng configuration and very similar installs, syslog-ng, and therefore tenshi, stops running. Syslog-ng eventually does come back up and begins logging again, but it leaves tenshi in the dust:

```
/var/log/debug:Nov 22 03:10:57 localhost syslog-ng[4029]: Configuration reload request received, reloading configuration;

/var/log/debug:Nov 22 03:10:58 localhost supervise/syslog-ng[6538]: Daemon exited gracefully, not restarting; exitcode='0'

/var/log/debug:Nov 22 03:10:58 localhost syslog-ng[4029]: Internal error, duplicate configuration elements refer to the same persistent config; name='affile_dd_writers(/dev/tty12)'

/var/log/debug:Nov 22 03:10:58 localhost syslog-ng[4029]: Configuration reload request received, reloading configuration;

/var/log/debug:Nov 22 03:10:58 localhost supervise/syslog-ng[6573]: Daemon exited gracefully, not restarting; exitcode='0'

/var/log/debug:Nov 22 03:10:58 localhost syslog-ng[4029]: Internal error, duplicate configuration elements refer to the same persistent config; name='affile_dd_writers(/dev/tty12)'

/var/log/debug:Nov 22 03:10:58 localhost syslog-ng[4029]: Configuration reload request received, reloading configuration;

/var/log/debug:Nov 22 03:10:59 localhost supervise/syslog-ng[6607]: Daemon exited gracefully, not restarting; exitcode='0'

/var/log/debug:Nov 22 03:10:59 localhost syslog-ng[4029]: Internal error, duplicate configuration elements refer to the same persistent config; name='affile_dd_writers(/dev/tty12)'

/var/log/debug:Nov 22 03:10:59 localhost syslog-ng[4029]: Configuration reload request received, reloading configuration;

/var/log/debug:Nov 22 03:10:59 localhost supervise/syslog-ng[6643]: Daemon exited gracefully, not restarting; exitcode='0'

/var/log/debug:Nov 22 03:10:59 localhost syslog-ng[4029]: Internal error, duplicate configuration elements refer to the same persistent config; name='affile_dd_writers(/dev/tty12)'

/var/log/debug:Nov 22 03:10:59 localhost syslog-ng[4029]: Configuration reload request received, reloading configuration;

/var/log/debug:Nov 22 03:10:59 localhost supervise/syslog-ng[6677]: Daemon exited gracefully, not restarting; exitcode='0'

/var/log/debug:Nov 22 03:10:59 localhost syslog-ng[4029]: Internal error, duplicate configuration elements refer to the same persistent config; name='affile_dd_writers(/dev/tty12)'

/var/log/debug:Nov 22 03:10:59 localhost syslog-ng[4029]: Configuration reload request received, reloading configuration;

```

My syslog-ng.conf is fairly standard for hardened, although I removed the stock version's error-causing `match` lines that have no `value`.

```

# cat /etc/syslog-ng/syslog-ng.conf 

@version: 3.0

# Copyright 2005 Gentoo Foundation

# Distributed under the terms of the GNU General Public License v2

# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.hardened.3.0,v 1.1 2009/05/25 20:07:21 mr_bones_ Exp $

#

# Syslog-ng configuration file, compatible with default hardened installations.

#

# Global options applied to every source and destination in this file.
options {

   chain_hostnames(no);

   flush_lines(0);

   # 43200 seconds = 12 hours between statistics messages and between MARK lines.
   stats_freq(43200);

   mark_freq(43200);

  time_reopen (10);

  log_fifo_size (1000);

  # long_hostnames is the older spelling of chain_hostnames; both are off here.
  long_hostnames(off);

  # No DNS lookups for incoming messages, so logging does not depend on a resolver.
  use_dns (no);

  use_fqdn (no);

#  create_dirs (no);

  keep_hostname (yes);

        # Log files and directories are group-owned by "tenshi" with mode 0640:
        # group-readable, not world-readable. Presumably this is what lets the
        # tenshi log monitor read them without running as root -- confirm.
        dir_group("tenshi");

        group("tenshi");

  perm(0640);

};

# Userspace messages: the local /dev/log socket plus syslog-ng's own messages.
source src {

    unix-stream("/dev/log");

    # internal() carries syslog-ng's own messages, such as the
    # "Configuration reload request received" lines quoted in the post.
    internal();

};

# Kernel messages, read from /proc/kmsg; only the kern log path below uses this source.
source kernsrc {

    file("/proc/kmsg");

};

# Output targets referenced by the log statements further down.
# The global options set group("tenshi") and perm(0640) for the files written here.
destination authlog { file("/var/log/auth.log"); };

destination _syslog { file("/var/log/syslog"); };

destination cron { file("/var/log/cron.log"); };

destination daemon { file("/var/log/daemon.log"); };

# NOTE(review): file("/dev/tty12") is declared here and a second time in
# console_all below. The reload error quoted in the post names
# affile_dd_writers(/dev/tty12), so this pair is the likely duplicate.
# Declaring the tty12 driver in one destination only and pointing both log
# paths at it should remove the clash -- confirm on the installed version.
destination kern { file("/var/log/kern.log"); file("/dev/tty12"); };

destination lpr { file("/var/log/lpr.log"); };

destination user { file("/var/log/user.log"); };

destination uucp { file("/var/log/uucp.log"); };

#destination ppp { file("/var/log/ppp.log"); };

destination mail { file("/var/log/mail.log"); };

# NOTE(review): no log statement in this listing references avc, audit, pax
# or grsec, so as posted these four files receive nothing; kernel messages
# reach only the kern destination.
destination avc { file("/var/log/avc.log"); };

destination audit { file("/var/log/audit.log"); };

destination pax { file("/var/log/pax.log"); };

destination grsec { file("/var/log/grsec.log"); };

destination mailinfo { file("/var/log/mail.info"); };

destination mailwarn { file("/var/log/mail.warn"); };

destination mailerr { file("/var/log/mail.err"); };

destination newscrit { file("/var/log/news/news.crit"); };

destination newserr { file("/var/log/news/news.err"); };

destination newsnotice { file("/var/log/news/news.notice"); };

# Target of the f_debug log path; the excerpt in the post was taken from this file.
destination debug { file("/var/log/debug"); };

destination messages { file("/var/log/messages"); };

# Writes to the terminals where root is logged in.
destination console { usertty("root"); };

# Second declaration of file("/dev/tty12"); see the note on kern above.
destination console_all { file("/dev/tty12"); };

# Defined but not referenced by any log statement in this listing.
destination xconsole { pipe("/dev/xconsole"); };

# Facility and level filters used by the log statements below.

# Matches auth only; no log statement in this listing uses it.
filter f_auth { facility(auth); };

# Despite the name, matches both auth and authpriv.
filter f_authpriv { facility(auth, authpriv); };

# Excludes authpriv and mail but not auth, so auth-facility messages
# also pass into /var/log/syslog.
filter f_syslog { not facility(authpriv, mail); };

filter f_cron { facility(cron); };

filter f_daemon { facility(daemon); };

filter f_kern { facility(kern); };

filter f_lpr { facility(lpr); };

filter f_mail { facility(mail); };

filter f_user { facility(user); };

filter f_uucp { facility(uucp); };

filter f_news { facility(news); };

# No level restriction: every message outside auth, authpriv, news and mail matches.
filter f_debug { not facility(auth, authpriv, news, mail); };

# Levels info through warn, excluding the auth, authpriv, mail and news facilities.
filter f_messages { level(info..warn)

   and not facility(auth, authpriv, mail, news); };

filter f_emergency { level(emerg); };

filter f_info { level(info); };

filter f_notice { level(notice); };

filter f_warn { level(warn); };

filter f_crit { level(crit); };

filter f_err { level(err); };

# Log paths: each one connects a source, optional filters and a destination.
# None of them sets flags(final), so a message is delivered to every path it matches.
log { source(src); filter(f_authpriv); destination(authlog); };

log { source(src); filter(f_syslog); destination(_syslog); };

log { source(src); filter(f_cron); destination(cron); };

log { source(src); filter(f_daemon); destination(daemon); };

# The only path that reads kernsrc (/proc/kmsg); the kern destination
# writes both /var/log/kern.log and /dev/tty12.
log { source(kernsrc); filter(f_kern); destination(kern); };

log { source(src); filter(f_lpr); destination(lpr); };

log { source(src); filter(f_mail); destination(mail); };

log { source(src); filter(f_user); destination(user); };

log { source(src); filter(f_uucp); destination(uucp); };

# Two filters in one path must both match: mail facility at exactly the given level.
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };

log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };

log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };

log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };

log { source(src); filter(f_news); filter(f_err); destination(newserr); };

log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };

log { source(src); filter(f_debug); destination(debug); };

log { source(src); filter(f_messages); destination(messages); };

log { source(src); filter(f_emergency); destination(console); };

# NOTE(review): no filter here, so every message from src, auth and authpriv
# included, is written to /dev/tty12 and is visible to anyone who can view
# that console. console_all is also the second destination that opens
# /dev/tty12 (kern is the first), the file named in the quoted reload error.
log { source(src); destination(console_all); };

```

I start tenshi successfully once I see that it is stopped.

I can restart syslog-ng and both tenshi and syslog-ng stop and restart again.

hmmm. :(

----------

## gentoo_ram

What's the question?  A large part of that file is duplicated... that's what the problem is.  Get rid of the duplications.  I'm guessing the reason it's happening is because logrotate is running.  And when it moves a file, it has to tell syslog to re-open the output files.  That's why the reload is triggered.

----------

## schmeggahead

Ok. I fixed the duplications.

It was a cut and paste error from my config to the post.

I have the kern.log entries going to tty12 and also console_all going to tty12 - maybe that is the dup?

If that is the duplication, why does syslog-ng start initially along with tenshi and in the restarts eventually start back up but tenshi does not?

----------

