balabit / syslog-ng-docker Goto Github PK

Docker images for syslog-ng development, testing, playground.

License: GNU Lesser General Public License v2.1

Dockerfile 55.56% Mustache 44.44%

syslog-ng-docker's Introduction

Deprecation warning

This repository has been deprecated and is no longer maintained. It has been superseded by syslog-ng, where the syslog-ng Docker image is published automatically after each release.

Moved folders:

syslog-ng: docker
syslog-ng-helm-chart: contrib/syslog-ng-helm-chart

syslog-ng Docker images

This repository contains the source of the following Docker images:

balabit/syslog-ng: syslog-ng is installed. It is intended to be used as a system logging service.

DEPRECATED images

This repository also contained the following images. However, these images are now outdated and deprecated. You can find their updated versions in the main syslog-ng repository.

balabit/syslog-ng-dev: DEPRECATED development image for syslog-ng. It contains all packages to build and debug syslog-ng within the container.
balabit/syslog-ng-incubator-dev: DEPRECATED development image for syslog-ng-incubator. It contains all packages to build and debug syslog-ng-incubator within the container.

More information

For detailed information on how to run your central log server in Docker and other Docker-related syslog-ng use cases, see the blog post Your central log server in Docker.

syslog-ng-docker's People

Contributors

Stargazers

Watchers

Forkers

mitzkia lbudai ihrwein rocklviv garyalex kvch dawidmalina odracci jburgess46 hisaharu jangeador fekete-robert carvind maxpain cyhook furiel buildingrobotics ppanov ranjeetkushwaha bazsi chaseadam paulcalabro simoncor kingedgar drexlma jeenx jchammons jabastien callumgare robertdigital aphris-karu zakkg3 bsigouin matufa xx-docker desmodyne ephemer-ai rjury-sumo dilaverdemirel nickjlange lukehandle alex-y-kozlov-sandbox lamatriz tomasz-kuzemko gaborznagy loesterfranco shakian-jh clang13 briantillman haster heichalot sshanthanand reinaldoca rangerjavelin wuhuaroubj rakesh-padwal nova-platform-io

syslog-ng-docker's Issues

setting the timezone of the environment inside the container

Problem description

I am using the syslog-ng image to aggregate syslog on my environment and forward it all into Elasticsearch for consumption by Kibana (also running in containers).

This all works fine, except that all the timestamps have two hours deducted. After some investigation I found that the issue stems from the docker host and all environment systems running on CEST (UTC+2), but the syslog-ng container has default timezone settings of UTC, so syslog assumes all the logs it gets with CEST values have to be converted when passing them on to elastic.

Workaround

I can docker exec into the running syslog container and run dpkg-reconfigure tzdata to set the container to CEST, too. Without restarting the syslog process, the timestamps immediately start to arrive correctly in Elastic.

This is no real solution as I would have to re-do this step when restarting the syslog container. Fortunately syslog runs really stable and did not crash or otherwise needed to be restarted. But any kernel upgrade of the Docker host would cause a restart and would require reapplication of this change.

Possible solutions

I could bake my own syslog image with just the timezone adjusted.
An environment variable could be offered to allow to specify the system timezone used in the image
Some other means of configuration could be added to the image to set the system timezone

If any of the latter two would be preferred, would you accept a pull request to add such an option to the image, and if so, what would your preferred way of configuring this be?

Environment

Docker host: Ubuntu 16.04 LTS / Docker 1.13.1 / Linux 4.4.0
Docker image: balabit/syslog-ng:3.14.1
Syslog-NG configuration:

@version: 3.14
@module mod-java
@include "scl.conf"

options {
    keep-hostname(no);
    chain-hostnames(no);
};

source s_network {
    network(
        transport("udp")
    );
};

destination d_elastic {
    elasticsearch2(
        client-mode("http")
        cluster("log")
        index("syslog-${YEAR}-${MONTH}-${DAY}")
        cluster-url("http://localhost:9200")
        type("slng_test_type")
        flush-limit("0")
        time-zone("UTC")
    );
};

log {
   source(s_network);
   destination(d_elastic);
   flags(flow-control);
};

How to stop container creating logs/dirs as root?

I use a destination that stores the logs on a mounted docker volume, e.g.:

docker stack:

  syslogng:
    image: balabit/syslog-ng
    ports:
      - 514:514/udp
    volumes:
      - /opt/syslog-ng/log:/var/log/syslog-ng    
      - /opt/syslog-ng:/etc/syslog-ng

syslog-ng.conf:

destination logfiles {
    file("/var/log/syslog-ng/$PROGRAM/$PROGRAM.log");
};

How do I stop syslog-ng-docker creating every log file and directory as root? Thanks!

port 6514/tcp

Why is port 6514 exposed in Dockerfile?

It doesn't seem to get used when following the README.
Can I just add a -p 6514:6514 to the start command?

Please add correct version tags

The balabit/syslog-ng:3.7 is actually contains the 3.14 version. Previously it contained 3.12 or 3.13 (don't remember exactly). It makes very hard to use it in production if the version tagged images are constantly changes.

$ docker run -it --rm balabit/syslog-ng:3.7 -V
syslog-ng 3 (3.14.1)
Config version: 3.14
Installer-Version: 3.14.1
Revision: 3.14.1-1
Compile-Date: Feb 27 2018 12:12:45
Module-Directory: /usr/lib/syslog-ng/3.14
Module-Path: /usr/lib/syslog-ng/3.14
Available-Modules: stardate,tfgetent,mod-python,system-source,redis,linux-kmsg-format,basicfuncs,pacctformat,kvformat,dbparser,appmodel,syslogformat,xml,confgen,sdjournal,graphite,afmongodb,afsmtp,csvparser,date,afsql,tags-parser,mod-java,geoip2-plugin,afstomp,affile,afamqp,afsocket,disk-buffer,riemann,json-plugin,cef,map-value-pairs,pseudofile,afprog,cryptofuncs,snmptrapd-parser,add-contextual-data,http,geoip-plugin,afuser
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on

[Feature] Raspberry Pi / ARM Support

Is this possible?

Error creating table with pgsql

I'm using the latest container, I've got the database configured properly, I've tested that with different permissions, if they are not correct other errors are produced. Here is what I'm getting with PostgreSQL:

[2020-02-14T18:19:42.080607] Running SQL query; query='BEGIN'

[2020-02-14T18:19:42.080906] Running SQL query; query='SELECT * FROM messages_10.0.0.84_20200214 WHERE 0=1'

[2020-02-14T18:19:42.081225] Running SQL query; query='COMMIT'

[2020-02-14T18:19:42.081371] Running SQL query; query='BEGIN'

[2020-02-14T18:19:42.081485] Running SQL query; query='CREATE TABLE messages_10.0.0.84_20200214 (datetime varchar(16), host varchar(32), program varchar(20), pid varchar(8), message varchar(200))'

[2020-02-14T18:19:42.081694] Error running SQL query; type='pgsql', host='172.18.0.3', port='', user='syslog', database='syslog', error='6819553: ERROR: syntax error at or near ".0"\x0aLINE 1: CREATE TABLE messages_10.0.0.84_20200214 (datetime varchar(1...\x0a ^\x0a', query='CREATE TABLE messages_10.0.0.84_20200214 (datetime varchar(16), host varchar(32), program varchar(20), pid varchar(8), message varchar(200))'

[2020-02-14T18:19:42.081708] Error creating table, giving up; table='messages_10.0.0.84_20200214'

[2020-02-14T18:19:42.081716] Running SQL query; query='ROLLBACK'

It's a very basic config as far as syslog-ng is concerned. I used the examples from the admin guide.
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.25/administration-guide/48#TOPIC-1349473

'No such file or directory' When using variables in the destination path.

I get the error: syslog-ng[1]: Error opening file for writing; filename='/var/log/syslog/server01/2020/09/user', error='No such file or directory (2)'

This is the effected config part:

destination hosts {
file("/var/log/syslog/$HOST/$YEAR/$MONTH/$FACILITY-$DAY");
};

I'm running the latest syslog-ng docker image on a Synology ds920+ with Docker.

Reload syslog-ng in container

Hi.
How I can reload syslog-ng in docker?
When I try to do docker exec -ti syslog-ng /etc/init.d/syslog-ng reload I have a error:

[....] Reload system logging: syslog-ngsyslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
[2019-12-13T17:14:10.067630] WARNING: Configuration file format is too old, syslog-ng is running in compatibility mode. Please update it to use the syslog-ng 3.24 format at your time of convenience. To upgrade the configuration, please review the warnings about incompatible changes printed by syslog-ng, and once completed change the @version header at the top of the configuration file.;
 failed!

It's need when I rotate log files via logrotate on host (in mounted volume in container).

Thanks.

Error opening file for reading; filename='/proc/kmsg', error='Operation not permitted (1)'

$ docker run -it -p 514:514 -p 601:601 --name syslog-ng balabit/syslog-ng:latest --no-caps
[2018-10-16T22:24:43.054450] WARNING: With use-dns(no), dns-cache() will be forced to 'no' too!;
[2018-10-16T22:24:43.054957] Error opening file for reading; filename='/proc/kmsg', error='Operation not permitted (1)'
[2018-10-16T22:24:43.055000] Error initializing message pipeline; plugin_name='file', location='source generator system:10:1'

$ docker --version
Docker version 18.06.1-ce, build e68fc7a

Kafka destination not working in the Docker image.

When trying to send logs into a kafka destination using this image like so:

destination d_kafka_os_t1x {
    channel {
        destination  {
            kafka(
                client-lib-dir("/usr/lib/syslog-ng/3.11/java-modules/")
                properties_file("/etc/syslog-ng/kafka.conf")
                topic("some_topic")
            );
        };
    };
};

I get the following error:

syslog-ng_1      | syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
syslog-ng_1      | [2017-09-05T10:58:32.347728] Error: org/apache/kafka/clients/producer/Callback;
syslog-ng_1      | java.lang.NoClassDefFoundError: org/apache/kafka/clients/producer/Callback
syslog-ng_1      |      at java.lang.Class.forName0(Native Method)
syslog-ng_1      |      at java.lang.Class.forName(Class.java:278)
syslog-ng_1      |      at org.syslog_ng.SyslogNgClassLoader.loadClass(SyslogNgClassLoader.java:67)
syslog-ng_1      | Caused by: java.lang.ClassNotFoundException: org.apache.kafka.clients.producer.Callback
syslog-ng_1      |      at java.net.URLClassLoader$1.run(URLClassLoader.java:359)
syslog-ng_1      |      at java.net.URLClassLoader$1.run(URLClassLoader.java:348)
syslog-ng_1      |      at java.security.AccessController.doPrivileged(Native Method)
syslog-ng_1      |      at java.net.URLClassLoader.findClass(URLClassLoader.java:347)
syslog-ng_1      |      at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
syslog-ng_1      |      at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:312)
syslog-ng_1      |      at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
syslog-ng_1      |      ... 3 more
syslog-ng_1      | [2017-09-05T10:58:32.350135] Can't find class; class_name='org.syslog_ng.kafka.KafkaDestination'
syslog-ng_1      | [2017-09-05T10:58:32.350777] Error initializing message pipeline; plugin name='java', location='#buffer:2:3'

Just like in the following issue: syslog-ng/syslog-ng#1151, but with no success fixing it. I tried to find kafka jars in /opt/kafka and /var/lib/kafka to add them to client-lib-dir parameter, but none of those directories is present in the image.

Is the image kafka-ready? If so, how should I confuigure the kafka destination?
Thanks in advance

Error response when trying to run

I recently downloaded Docker on my Mac and tried to use the syslog-ng Docker. After running docker pull balabit/syslog-ng successfully, I tried running sudo docker run -it -p 514:514/udp -p 601:601 --name syslog-ng balabit/syslog-ng:latest and repeatedly kept getting the following error:

[2020-06-26T16:39:55.200875] WARNING: Configuration file format is too old, syslog-ng is running in compatibility mode. Please update it to use the syslog-ng 3.27 format at your time of convenience. To upgrade the configuration, please review the warnings about incompatible changes printed by syslog-ng, and once completed change the @version header at the top of the configuration file; config-version='3.18' [2020-06-26T16:39:55.292159] You have a TLS enabled source without a X.509 keypair. Make sure you have tls(key-file() and cert-file()) options, TLS handshake to this source will fail; location='/etc/syslog-ng/syslog-ng.conf:21:2'

Someone else tried replicating the steps and got the same error. I think there might be something wrong.

Provide version tags on hub.docker.com

Please provide version tags on hub.docker.com for better version locking in production use.

I notice this issue was raised before in #29 but the tags show the last version tag to be several version and months out of date.

$ docker run --entrypoint= balabit/syslog-ng:latest syslog-ng --version
syslog-ng 3 (3.18.1)
Config version: 3.18
Installer-Version: 3.18.1
Revision: 3.18.1-1
Compile-Date: Oct 24 2018 10:04:41
Module-Directory: /usr/lib/syslog-ng/3.18
Module-Path: /usr/lib/syslog-ng/3.18
Available-Modules: linux-kmsg-format,json-plugin,kvformat,afsocket,afmongodb,disk-buffer,http,basicfuncs,pacctformat,examples,afamqp,geoip2-plugin,xml,mod-python,map-value-pairs,tags-parser,date,redis,geoip-plugin,csvparser,system-source,syslogformat,confgen,afsmtp,tfgetent,afstomp,affile,cryptofuncs,add-contextual-data,appmodel,hook-commands,riemann,snmptrapd-parser,afprog,stardate,mod-java,afuser,graphite,dbparser,pseudofile,afsql,cef,sdjournal
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on

cron not started and as a result logrotate does not run

logrotate runs from /etc/cron.daily and cron is not started in the container.

I would suggest that cron is started at boot and a generic logrotate config be included.

This would necessitate a change in the syslog-ng.conf file to make the messages file end in .log then include a syslog-ng.conf in the /etc/logrotate.d that rotates /var/log/*.log

IP address of ASA

using balabit/syslog-ng:3.25.1

I have configured the syslog to receive logs from several devices (Vmware ESXi, Centos virtual machines, Cisco Switches, Cisco ASA...)

All the logs show the correct IP and hostname for the devices except logs for ASA, the IP saved in the logs is the IP of the docker internal interface (docker0) but the hostname is correct.

is this a bug or a mistake in the configuration that is only affecting ASA logs ?

syslog-ng.conf from repo is not added to the image

The documentation suggests to expose ports in order to be able to receive messages from network, however the image does not contain the necessary .conf file from the git repository but it contains the factory conf shipped by the .deb file.

ps. also the default config file has @Version: 3.6 which is outdated taking into account that the image has version 3.7.2.

Unable to initialize database access (DBI); rc=’-1′, error=’No such file or directory (2)’

Unable to initialize database access (DBI); rc=’-1′, error=’No such file or directory (2)’
i am unable to use the sql() to insert records into a mysql database
it appears the libdbd-mysql package is missing
can this be included?

$HOST is the Docker Root IP on MacOS

i dont know why

Change log file name to container name

I have a scenario and created a syslog container using this syslog-ng repository and I am redirecting my other container logs to this logging container, I used the file naming pattern to be: file("/var/log/messages_${PROGRAM}-${YEAR}${MONTH}${DAY}");. I tried different macros/variables in this file naming pattern but I couldn't get that. ${PROGRAM} returns the container ID. Is there any way to get container name instead of ID?

how to enable mqtt as a source

Hello,

I am asking if there is a docker image that supports the MQTT as a source and destination or not?

Regards,

Suppport for TLSv1.3

Currently the syslog-ng-docker container is using openSSL version 1.1.0l, however support for TLSv1.3 was only introduced in openSSL version 1.1.1.

docker run --rm -it --entrypoint /bin/sh  balabit/syslog-ng       
# openssl version
OpenSSL 1.1.0l  10 Sep 2019

systemd-journal() source doesn't work in official docker images

I'm trying to use the balabit/syslog-ng:3.14.1 to read from the local journald. This is working in a docker image I created from debian:stretch by installing syslog-ng-core and syslog-ng-mod-journal. I have other issues with the Debian based image (the syslog-ng crashes every time in certain situations, but that's another issue) and I liked to check if the official one crashes or not as the Debian one is only 3.8.

I use this command line:
docker run -it --rm -h "syslog-$RANDOM" -v ~/syslog-ng.conf-3.14:/etc/syslog-ng/syslog-ng.conf -v /tmp/dq:/var/lib/syslog-ng -v /var/log/journal:/var/log/journal -v /run/log:/run/log -v /run/systemd:/run/systemd -v /etc/machine-id:/etc/machine-id balabit/syslog-ng:3.14.1 --no-caps -edv

The syslog-ng.conf-3.14 is a minimal one:

@version: 3.14

options {
        chain-hostnames( off );
        flush-lines( 0 );
        log-msg-size( 65536 );
        time-zone( "UTC" );
        ts-format( iso );
        use-dns( no );
        use-fqdn( no );
};

source s_docker_journald {
        internal();
        systemd-journal( prefix( ".SDATA.journal." ) );
};

rewrite r_fakehost {
        set( "KISMACSKA", value( ".SDATA.journal._HOSTNAME" ) );
};

destination d_relay {
        syslog(
                "172.17.0.1"
                transport( "tcp" )
                port( 1234 )
                log-fifo-size( 1000 )
                disk-buffer(
                        reliable( no )
                        disk-buf-size( 1073741824 )
                        mem-buf-length( 10000 )
                )
        );
};

log {
        source( s_docker_journald );
        rewrite( r_fakehost );
        destination( d_relay );
};

The server is a plain netcat. The first run doesn't shows any usable debug information:

[2018-03-08T13:17:52.219061] Seeking the journal to the start position;
[2018-03-08T13:17:52.219215] Processing the time zone file (32bit part); filename='/usr/share/zoneinfo/UTC'
[2018-03-08T13:17:52.219271] Processing the time zone file (32bit part); filename='/usr/share/zoneinfo/UTC'
[2018-03-08T13:17:52.219915] Disk-buffer state saved; filename='/var/lib/syslog-ng/syslog-ng-00000.qf', qout_length='0', qbacklog_length='0', qoverflow_length='0', qdisk_length='0'

At the second run it complains that the position stored in the persist file for the journal driver is empty. The OSE edition doesn't contains the persist-tool, so I can't check the syslog-ng.persist contents. If you wish I can send the file for you.

[2018-03-08T13:18:10.680943] Failed to seek journal to the saved cursor position; cursor='', error='Invalid argument (22)'
[2018-03-08T13:18:10.680976] Seeking the journal to the start position;
[2018-03-08T13:18:10.681121] Processing the time zone file (32bit part); filename='/usr/share/zoneinfo/UTC'
[2018-03-08T13:18:10.681172] Processing the time zone file (32bit part); filename='/usr/share/zoneinfo/UTC'
[2018-03-08T13:18:10.681482] Disk-buffer state loaded; filename='/var/lib/syslog-ng/syslog-ng-00000.qf', qout_length='0', qbacklog_length='0', qoverflow_length='0', qdisk_length='0'

The very same docker command with the very same syslog-ng.conf works with the plain Debian based image.

syslog-ng reload fails

I am using image: balabit/syslog-ng:3.29.1. Even though I run syslogng with --no-caps options, it fails to reload? any idea what is going on?

ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0 10 15:23 ?        00:00:16 /usr/sbin/syslog-ng -F -edvt --no-caps
root        41     0  0 15:25 pts/0    00:00:00 bash
root        88    41  0 15:26 pts/0    00:00:00 ps -ef
root@kasa-logging-server-d87cff6c6-lvp7l:/# /etc/init.d/syslog-ng reload
[....] Reload system logging: syslog-ngsyslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
 failed!

Here is my syslog-ng.conf:
@version: 3.29

source s_local {
    internal();
};

source s_network {
    network(
        ip(0.0.0.0)
        transport("tcp")
        port(11601)
        flags(syslog-protocol)
    );
};

parser p_json { json-parser(); };

destination d_local {
        file(/var/log/messages);
        file("/var/log/messages-kv.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));
};

log {
       source(s_local);
       source(s_network);
       destination(d_local);
}

Doesnt start

So im on unraid, pulled your container, didnt found any additional steps to do (besides go to :8000, which dont work, because the container wont even start)

*** Running /etc/rc.local...
ERROR: Couldn't read "/opt/splunk/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?

*** Booting runit daemon...
*** Runit started as PID 8
Nov 15 08:26:58 98d43466988b syslog-ng[14]: syslog-ng starting up; version='3.5.3'

I tried putting a conf there, but i dont know the correct variables so i get some varios other errors when i put some conf file there.

Maybe you can provide the correct conf file so i can copy it to the correct directory?

Installation of incubator packages are missing from balabit/syslog-ng:3.7 docker image

This PR is depends on syslog-ng/syslog-ng#687.

Setup not reproductible

Hi there!

I'm working on Saltstack formula : syslog-ng which basically installs syslog-ng in Docker container (like you do) and run tests on it to ensure everything is well installed and working.

I have 2 issues :

If I install the syslog-ng package from Debian repository (stretch, version 3.8) the service don't start I get this error :

root@a59e8571db1f:/etc/apt/sources.list.d# syslog-ng -d -e
[2019-09-10T22:32:30.252714] Systemd is detected as the running init system;
[2019-09-10T22:32:30.253033] Error opening control socket, bind() failed; socket='/var/lib/syslog-ng/syslog-ng.ctl', error='Permission denied (13)'
[2019-09-10T22:32:30.253571] Starting to read include file; filename='/etc/syslog-ng/scl.conf', depth='1'
[2019-09-10T22:32:30.253936] Error processing path for inclusion; path='/usr/share/syslog-ng/include/scl', errno='Permission denied (13)'
[2019-09-10T22:32:30.253976] Finishing include; filename='/etc/syslog-ng/scl.conf', depth='1'
[2019-09-10T22:32:30.254024] Reading path for candidate modules; path='/usr/lib/syslog-ng/3.8'
Error parsing source, source plugin system not found in /etc/syslog-ng/syslog-ng.conf at line 20, column 8:

       system();
       ^^^^^^

syslog-ng documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng

If I install the syslog-ng package from OpenSuse Builder repo (stretch, version 3.23) (http://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/Debian_9.0/) I get this error :

root@a59e8571db1f:~# syslog-ng -d -e
[2019-09-10T22:22:38.709059] Systemd is detected as the running init system;
[2019-09-10T22:22:38.710672] Processing @include statement; filename='scl.conf', include-path='/etc/syslog-ng:/usr/share/syslog-ng/include'
[2019-09-10T22:22:38.710796] Starting to read include file; filename='/etc/syslog-ng/scl.conf', depth='1'
[2019-09-10T22:22:38.710994] Processing @include statement; filename='scl/*/*.conf', include-path='/etc/syslog-ng:/usr/share/syslog-ng/include'
[2019-09-10T22:22:38.711108] Error processing path for inclusion; path='/usr/share/syslog-ng/include/scl', errno='Permission denied (13)'
[2019-09-10T22:22:38.711257] Global value changed; define='java-module-dir', value='/usr/lib/syslog-ng/3.23/java-modules'
[2019-09-10T22:22:38.711311] Finishing include; filename='/etc/syslog-ng/scl.conf', depth='1'
[2019-09-10T22:22:38.711361] Reading path for candidate modules; path='/usr/lib/syslog-ng/3.23'
Error parsing destination statement, destination plugin file not found in /etc/syslog-ng/syslog-ng.conf:21:3-21:7:
16      source s_src {
17        internal();
18      };
19      
20      destination d_auth {
21---->   file("/var/log/auth.log");
21---->   ^^^^
22      };
23      
24      destination d_cron {
25        file("/var/log/cron.log");
26      };


syslog-ng documentation: https://www.balabit.com/support/documentation?product=syslog-ng-ose
contact: https://lists.balabit.hu/mailman/listinfo/syslog-ng

In both cases there's nothing wrong with /usr/share/syslog-ng/include/scl :

root@a59e8571db1f:~# ls -hal /usr/share/syslog-ng/
total 20K
drwxr-xr-x 4 root root 4.0K Sep 10 22:01 .
drwxr-xr-x 1 root root 4.0K Sep 10 22:12 ..
drwxr-xr-x 3 root root 4.0K Sep 10 22:01 include
drwxr-xr-x 2 root root 4.0K Sep 10 22:11 xsd

root@a59e8571db1f:~# ls -hal /usr/share/syslog-ng/include/
total 12K
drwxr-xr-x  3 root root 4.0K Sep 10 22:01 .
drwxr-xr-x  4 root root 4.0K Sep 10 22:01 ..
drwxr-xr-x 28 root root 4.0K Sep 10 22:11 scl

# version 3.8
root@a59e8571db1f:/etc/apt/sources.list.d# ll /usr/share/syslog-ng/include/scl
total 48K
drwxr-xr-x 12 root root 4.0K Sep 10 22:29 .
drwxr-xr-x  3 root root 4.0K Sep 10 22:29 ..
drwxr-xr-x  2 root root 4.0K Sep 10 22:29 apache
drwxr-xr-x  2 root root 4.0K Sep 10 22:29 cim
drwxr-xr-x  2 root root 4.0K Sep 10 22:29 graphite
drwxr-xr-x  2 root root 4.0K Sep 10 22:29 loggly
drwxr-xr-x  2 root root 4.0K Sep 10 22:29 logmatic
drwxr-xr-x  2 root root 4.0K Sep 10 22:29 mbox
drwxr-xr-x  2 root root 4.0K Sep 10 22:29 nodejs
drwxr-xr-x  2 root root 4.0K Sep 10 22:29 rewrite
drwxr-xr-x  2 root root 4.0K Sep 10 22:29 syslogconf
drwxr-xr-x  2 root root 4.0K Sep 10 22:29 system

# version 3.23
root@a59e8571db1f:~# ls -hal /usr/share/syslog-ng/include/scl/
total 112K
drwxr-xr-x 28 root root 4.0K Sep 10 22:11 .
drwxr-xr-x  3 root root 4.0K Sep 10 22:01 ..
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 apache
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 checkpoint
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 cim
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 cisco
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 collectd
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 default-network-drivers
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 ewmm
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 graphite
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 graylog2
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 iptables
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 junos
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 linux-audit
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 loadbalancer
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 loggly
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 logmatic
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 mbox
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 netskope
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 nodejs
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 osquery
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 rewrite
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 solaris
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 sudo
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 syslogconf
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 system
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 websense
drwxr-xr-x  2 root root 4.0K Sep 10 22:11 windowseventlog

syslog-ng stops relaying messages over udp after "bad lenght"

We are relaying messages to external syslog server 2.2.2.2 via udp, and following scenario is observed:

Monitoring with tcpdump we observe the udp traffic, normally the length is between 80-400 bytes. Every now and then we receive big event which syslog-ng tries to relay to remote server 2.2.2.2

IP 1.1.1.1.34944 > 2.2.2.2.514: UDP, bad length 35190 > 1408

At this moment tcpdump logs stop and in syslog-ng log file we see this output:

Nov 26 21:32:53 afa42ca2eec1 syslog-ng[1]: Syslog connection established; fd='19', server='AF_INET(2.2.2.2:514)', local='AF_INET(0.0.0.0:0)'
Nov 26 21:32:53 afa42ca2eec1 syslog-ng[1]: I/O error occurred while writing; fd='19', error='Message too long (90)'
Nov 26 21:32:53 Syslog connection broken; fd='19', server='AF_INET(2.2.2.2:514)', time_reopen='5'

These messages repeat indefinitely every 5 seconds as this is the reopen time, but syslog-ng never tries to send again to that destination.
syslog-ng now is completely hanging and not trying to send anything to destination 2.2.2.2, but it is sending fine to other destinations. The only fix for destination 2.2.2.2 is restart of the whole container.

config is:

#############################################################################

Default syslog-ng.conf file which collects all local logs into a

single file called /var/log/messages.

@Version: 3.29
@include "scl.conf"

################################################################################
############ Global parameters ####################################
################################################################################

options { chain_hostnames(off);
time_reopen (5);
flush_lines(0);
group(41812);
dir_group(41812);
dir_perm(0770);
perm(0660);
use_dns(persist_only);
dns_cache_hosts(/etc/hosts);
threaded(yes);
log_fifo_size(200000);
};

source s_internal {
internal();
};

source s_network {
tcp(max-connections(500) log_iw_size(11000));
udp( so_rcvbuf(67108864) so_sndbuf(67108864));
};

destination X {
udp("2.2.2.2" port("514") );
};

log {
source(s_network); destination(X);
};

Default log filename?

Is there a trick with getting the default log to name itself other than the ID of the container? I've successfully set the --hostname of the container but syslog-ng still writes its own log out as <container id>.log.

Cannot see logs from network source

How can I test syslog-ng to make sure everything is set up correctly? I cannot see any files in the /var/log/acquia directory

I have attached the /etc/syslog-ng/syslog-ng.conf file

I send a test message from another host with

logger --tcp -n 10.254.239.227 -P 5141 Logging via network $(date)

When I monitor the network traffic on the syslog-ng host with
tcpdump port 5141 -vv

I get this:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
05:21:39.569382 IP (tos 0x48, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.252.34.107.59229 > aws11lvapp999.5141: Flags [SEW], cksum 0xf7bf (correct), seq 2385457101, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 707932918 ecr 0,sackOK,eol], length 0
05:21:39.569493 IP (tos 0x0, ttl 253, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    aws11lvapp999.5141 > 10.252.34.107.59229: Flags [S.E], cksum 0x2877 (incorrect -> 0x9e9d), seq 1988529690, ack 2385457102, win 27960, options [mss 1410,sackOK,TS val 2271834400 ecr 707932918,nop,wscale 7], length 0
05:21:39.667755 IP (tos 0x48, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    10.252.34.107.59229 > aws11lvapp999.5141: Flags [.], cksum 0x3240 (correct), seq 1, ack 1, win 2064, options [nop,nop,TS val 707933014 ecr 2271834400], length 0
05:21:39.667858 IP (tos 0x4a,ECT(0), ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 126)
    10.252.34.107.59229 > aws11lvapp999.5141: Flags [P.], cksum 0x83f1 (correct), seq 1:75, ack 1, win 2064, options [nop,nop,TS val 707933015 ecr 2271834400], length 74
05:21:39.667887 IP (tos 0x0, ttl 253, id 48346, offset 0, flags [DF], proto TCP (6), length 52)
    aws11lvapp999.5141 > 10.252.34.107.59229: Flags [.], cksum 0x286f (incorrect -> 0x38c8), seq 1, ack 75, win 219, options [nop,nop,TS val 2271834498 ecr 707933015], length 0
05:21:39.671191 IP (tos 0x48, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    10.252.34.107.59229 > aws11lvapp999.5141: Flags [F.], cksum 0x31f4 (correct), seq 75, ack 1, win 2064, options [nop,nop,TS val 707933015 ecr 2271834400], length 0
05:21:39.671275 IP (tos 0x0, ttl 253, id 48347, offset 0, flags [DF], proto TCP (6), length 52)
    aws11lvapp999.5141 > 10.252.34.107.59229: Flags [F.], cksum 0x286f (incorrect -> 0x38c2), seq 1, ack 76, win 219, options [nop,nop,TS val 2271834502 ecr 707933015], length 0
05:21:39.772218 IP (tos 0x48, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    10.252.34.107.59229 > aws11lvapp999.5141: Flags [.], cksum 0x312a (correct), seq 76, ack 2, win 2064, options [nop,nop,TS val 707933114 ecr 2271834502], length 0
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

syslog-ng.conf.txt

docker-compose.yml.txt

Port 514 with UDP doesn't work

It seems that port 514 is exposed with TCP instead of UDP, so connecting to the
syslog-ng server with UDP is not working.

The solution might be this:

EXPOSE 601/tcp 514/udp ...

Add builder script to the builder env image

checkout_and_build_syslog_ng.sh should be included within the image

add HEALTHCHECK

HEALTHCHECK --interval=2m --timeout=3s --start-period=30s CMD /etc/init.d/nginx status || exit 1

Cannot connect to syslog on virtual interface

Hello,

I have a a normal linux interface with an IP of 2.2.2.120. I then add a virtual interface with an IP of 2.2.2.121.
night@ubuntu-westeros-com:~$ ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:0c:d9:69:74
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0

ens36 Link encap:Ethernet HWaddr 00:50:56:86:8c:6d
inet addr:2.2.2.120 Bcast:2.2.2.255 Mask:255.255.255.0

ens36:1 Link encap:Ethernet HWaddr 00:50:56:86:8c:6d
inet addr:2.2.2.121 Bcast:2.2.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

I then start the balabit/syslog-ng container:

sudo docker run -it -p 2.2.2.121:514:514 -p 2.2.2.121:601:601 --name syslog121 balabit/syslog-ng -edv --no-caps

The container starts successfully and I can see on the Linux host that it's listening (although only on TCP):
$ sudo netstat -pano | grep 2.2.2.121
tcp 0 0 2.2.2.121:601 0.0.0.0:* LISTEN 26106/docker-proxy off (0.00/0/0)
tcp 0 0 2.2.2.121:514 0.0.0.0:* LISTEN 26119/docker-proxy off (0.00/0/0)

When I try to telnet from a different host, I get a RST (I run a ping before so you can see I have reachability)
$ sudo tcpdump -nni any host 2.2.2.31

03:50:48.478289 IP 2.2.2.31 > 2.2.2.121: ICMP echo request, id 38161, seq 1, length 64
03:50:48.478575 IP 2.2.2.121 > 2.2.2.31: ICMP echo reply, id 38161, seq 1, length 64

03:50:48.484432 IP 2.2.2.31.54908 > 2.2.2.121.514: Flags [S], seq 2389207154, win 14600, options [mss 1460,sackOK,TS val 1456495683 ecr 0,nop,wscale 7], length 0
03:50:48.484644 IP 2.2.2.31.54908 > 172.17.0.2.514: Flags [S], seq 2389207154, win 14600, options [mss 1460,sackOK,TS val 1456495683 ecr 0,nop,wscale 7], length 0
03:50:48.484656 IP 2.2.2.31.54908 > 172.17.0.2.514: Flags [S], seq 2389207154, win 14600, options [mss 1460,sackOK,TS val 1456495683 ecr 0,nop,wscale 7], length 0
03:50:48.484727 IP 172.17.0.2.514 > 2.2.2.31.54908: Flags [R.], seq 0, ack 2389207155, win 0, length 0
03:50:48.484727 IP 172.17.0.2.514 > 2.2.2.31.54908: Flags [R.], seq 0, ack 1, win 0, length 0
03:50:48.484757 IP 2.2.2.121.514 > 2.2.2.31.54908: Flags [R.], seq 0, ack 2389207155, win 0, length 0

The RST is sent from 172.17.0.2 (which is the IP assigned to the container)
$ sudo docker inspect --format '{{ .NetworkSettings.IPAddress }}' syslog121
172.17.0.2

I don't get any other errors. This image works: https://hub.docker.com/r/bobrik/syslog-ng/.

Cheers,
V

Problem Starting syslog-ng-docker with Ubuntu 16.10

Hi,

I've tried to start syslog-ng just like described on the page https://hub.docker.com/r/balabit/syslog-ng/, but unfortunately this leads to only the output:

syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'

According to http://serverfault.com/questions/524518/error-setting-capabilities-capability-management-disabled, this is a problem of kernel and syslog-ng versions. Mounting a syslog-ng file with -v syslog-ng:/etc/default/syslog-ng does not work, since this is not a directory.

Is there any known workaround for this issue?

https://github.com/bobrik/docker-syslog-ng works fine.

Best regards,
DaGeRe

mod-java load problem

When starting syslog-ng in docker, I receive the following error message:
"
Error opening plugin module; module='mod-java', error='libjvm.so:
cannot open shared object file: No such file or directory'
"
This can be worked around by adding the path to libjvm.so to /etc/ld.so.conf