Converting syslog-ng 3.0? format to 3.2 format
Its probably related to this change in 3.2:
- syslog-ng traditionally expected an optional hostname field even when a syslog message is received on a local transport (e.g. /dev/log). However no UNIX version is known to include this field. This caused problems when the application creating the log message has a space in its program name field. This behaviour has been changed for the unix-stream/unix-dgram/pipe drivers if the config version is 3.2 and can be restored by using an explicit 'expect-hostname' flag for the specific source.
You receive the warning because you use the unix-stream("/dev/log"); in your source. If you don't experience any problems with your local logs, there is nothing else to do except changing the first line to @version: 3.2
If your distro adds the hostname to log messages coming from /dev/log (which they rarely do), then include flags(expect-hostname) in the source.
Regards,
Robert Fekete syslog-ng documentation maintainer
xenoterracide
Former Linux System Administrator, now full time Java Software Engineer.
Updated on November 20, 2022Comments
-
xenoterracide over 1 year
Just rebooted my system to this warning
:: Starting Syslog-NG [BUSY] WARNING: Configuration file format is too old, please update it to use the 3.2 format as some constructs might operate inefficiently; WARNING: the expected message format is being changed for unix-domain transports to improve syslogd compatibity with syslog-ng 3.2. If you are using custom applications which bypass the syslog() API, you might need the 'expect-hostname' flag to get the old behaviour back;
Anyone know of any good resources on converting formats? my
syslog-ng.conf
is primarily from the Gentoo Security Handbook and thus simply using the the.pacnew
file won't workhere's my current conf file
@version: 3.0 # # /etc/syslog-ng.conf # options { stats_freq (0); flush_lines (0); time_reopen (10); log_fifo_size (1000); long_hostnames(off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); perm(0640); group("log"); }; source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg"); }; destination d_authlog { file("/var/log/auth.log"); }; destination d_syslog { file("/var/log/syslog.log"); }; destination d_cron { file("/var/log/crond.log"); }; destination d_daemon { file("/var/log/daemon.log"); }; destination d_kernel { file("/var/log/kernel.log"); }; destination d_lpr { file("/var/log/lpr.log"); }; destination d_user { file("/var/log/user.log"); }; destination d_uucp { file("/var/log/uucp.log"); }; destination d_mail { file("/var/log/mail.log"); }; destination d_news { file("/var/log/news.log"); }; destination d_ppp { file("/var/log/ppp.log"); }; destination d_debug { file("/var/log/debug.log"); }; destination d_messages { file("/var/log/messages.log"); }; destination d_errors { file("/var/log/errors.log"); }; destination d_everything { file("/var/log/everything.log"); }; destination d_iptables { file("/var/log/iptables.log"); }; destination d_acpid { file("/var/log/acpid.log"); }; destination d_console { usertty("root"); }; # Log everything to tty12 destination console_all { file("/dev/tty12"); }; #destination knotifier { program('/usr/local/bin/knotifier'); }; filter f_auth { facility(auth); }; filter f_authpriv { facility(auth, authpriv); }; filter f_syslog { program(syslog-ng); }; filter f_cron { facility(cron); }; filter f_daemon { facility(daemon); }; filter f_kernel { facility(kern) and not filter(f_iptables); }; filter f_lpr { facility(lpr); }; filter f_mail { facility(mail); }; filter f_news { facility(news); }; filter f_user { facility(user); }; filter f_uucp { facility(cron); }; filter f_news { facility(news); }; filter f_ppp { facility(local2); }; filter f_debug { not facility(auth, authpriv, news, mail); }; filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news, cron) and not program(syslog-ng) and not filter(f_iptables); }; filter f_everything { level(debug..emerg) and not facility(auth, authpriv); }; filter f_emergency { level(emerg); }; filter f_info { level(info); }; filter f_notice { level(notice); }; filter f_warn { level(warn); }; filter f_crit { level(crit); }; filter f_err { level(err); }; filter f_iptables { match("IN=" value("MESSAGE")) and match("OUT=" value("MESSAGE")); }; filter f_acpid { program("acpid"); }; log { source(src); filter(f_acpid); destination(d_acpid); }; log { source(src); filter(f_authpriv); destination(d_authlog); }; log { source(src); filter(f_syslog); destination(d_syslog); }; log { source(src); filter(f_cron); destination(d_cron); }; log { source(src); filter(f_daemon); destination(d_daemon); }; log { source(src); filter(f_kernel); destination(d_kernel); }; log { source(src); filter(f_lpr); destination(d_lpr); }; log { source(src); filter(f_mail); destination(d_mail); }; log { source(src); filter(f_news); destination(d_news); }; log { source(src); filter(f_ppp); destination(d_ppp); }; log { source(src); filter(f_user); destination(d_user); }; log { source(src); filter(f_uucp); destination(d_uucp); }; #log { source(src); filter(f_debug); destination(d_debug); }; log { source(src); filter(f_messages); destination(d_messages); }; log { source(src); filter(f_err); destination(d_errors); }; log { source(src); filter(f_emergency); destination(d_console); }; log { source(src); filter(f_everything); destination(d_everything); }; log { source(src); filter(f_iptables); destination(d_iptables); }; #log { source(src); filter(f_messages); destination(knotifier); }; # Log everything to tty12 log { source(src); destination(console_all); };