Using prgram destination and the program is not started - used to work

[Glidos]

For some time, I've been getting syslog-ng to send email to root for certain events, using destination program, with the script, listed at the end of this post. It worked fine until I upgraded my server to use SuSE 11.0, which uses syslog-ng v1.6.12. Now the program is never executed.

Anyone any ideas?

The man pages that I have on my server, don't mention "program" as a valid destination, so I wondered if the feature might have been taken out, but that seems unlikely.


#!/usr/bin/perl
# file: syslog-mail
# spec: reads a line of input and mails it, designed to be a destination for syslog-ng

use strict;

$0='syslog-mail';
$|=1;

open MAILER,'|/usr/sbin/sendmail root';
print MAILER "Subject: syslog-mail started\n\nHello";
close MAILER;

while (my $msg = <STDIN>)
{
  my ($pri,$date,$host,$esrc,$evid,$emsg) = $msg =~ m/<(\d+)>(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ([\w\.\-]+) ([\w ]+)\[(\d+)\]: (.+)/o;
  my ($ip) = $emsg =~ m/.* from ([\w\.]+).*/o;
  my ($stat) = $emsg =~ m/(Accepted ).*/o;
  open MAILER,'|/usr/sbin/sendmail root';
  print MAILER "Subject: syslog: $host $esrc $stat$ip\n\n$msg";
  close MAILER;
}

[mutex]

The program() destination driver does exist in 1.6.12.  Do you get any error messages when running syslog-ng in debug mode?

[Glidos]

I just killed the syslog process, and then ran "syslog-ng -d" in a shell. I seemed to get nothing on stdout, and a huge number of lines on stderr. Here's a snapshot, with some bits that might be relevant, but I don't really know what I'm looking at.


gc_mark: Marking object of class 'log_connection' (26)
gc_mark: Marking object of class 'log_endpoint_info' (27)
gc_mark: Marking object of class 'log_endpoint_info' (27)
gc_mark: Marking object of class 'log_endpoint_info' (27)
gc_mark: Marking object of class 'log_dest_group' (28)
gc_mark: Marking object of class 'affile_dest' (29)
gc_mark: Marking object of class 'log_connection' (27)
gc_mark: Marking object of class 'log_endpoint_info' (28)
gc_mark: Marking object of class 'log_endpoint_info' (28)
gc_mark: Marking object of class 'log_endpoint_info' (28)
gc_mark: Marking object of class 'log_dest_group' (29)
gc_mark: Marking object of class 'afprogram_dest' (30)
gc_mark: Marking object of class 'afsocket_source_close_callback' (5)
gc_mark: Marking object of class 'afprogram_child' (3)
gc_mark: Marking object of class 'UNKNOWN' (1)
gc_mark: Marking object of class 'UNKNOWN' (1)
syslog-ng version 1.6.12 going down
gc_mark: Marking object of class 'syslog_backend' (0)
gc_mark: Marking object of class 'syslog_config' (1)
gc_mark: Marking object of class 'resource_list' (2)
gc_mark: Marking object of class 'io_fd' (3)
gc_mark: Marking object of class 'pkt_buffer' (4)
gc_mark: Marking object of class 'io_fd' (4)
gc_mark: Marking object of class 'log_reader' (5)
gc_mark: Marking object of class 'afsocket_source_connection' (6)

[Glidos]

Here's what I get after filtering out all the gc_mark lines, which I guess are something to do with garbage collection. I can't see anything that looks like an error.


syslog-ng -d 2>&1 | sed -e '/^gc_mark/d'
filter expr check: {filter_expr_op} (f_remotesshd)
filter expr check: {filter_expr_op} (f_remotesshd)
filter expr check: {filter_expr_op} (f_remotesshd)
filter expr check: {filter_expr_op} (f_warn)
filter expr check: {filter_expr_call} (f_warn)
filter expr check: {filter_expr_op} (f_warn => f_iptables)
filter expr check: {filter_expr_op} (f_warn => f_iptables)
filter expr check: {filter_expr_op} (f_messages)
filter expr check: {filter_expr_call} (f_messages)
filter expr check: {filter_expr_op} (f_messages => f_iptables)
filter expr check: {filter_expr_op} (f_messages => f_iptables)
filter expr check: {filter_expr_op} (f_acpid)
filter expr check: {filter_expr_op} (f_mail)
filter expr check: {filter_expr_op} (f_mailerr)
filter expr check: {filter_expr_op} (f_mailwarn)
filter expr check: {filter_expr_op} (f_mailinfo)
filter expr check: {filter_expr_op} (f_newserr)
filter expr check: {filter_expr_op} (f_newscrit)
filter expr check: {filter_expr_op} (f_newsnotice)
filter expr check: {filter_expr_op} (f_console)
filter expr check: {filter_expr_op} (f_console)
filter expr check: {filter_expr_op} (f_console)
filter expr check: {filter_expr_call} (f_console)
filter expr check: {filter_expr_op} (f_console => f_iptables)
filter expr check: {filter_expr_op} (f_console => f_iptables)
filter expr check: {filter_expr_op} (f_console)
filter expr check: {filter_expr_op} (f_iptables)
filter expr check: {filter_expr_op} (f_iptables)
io.c: Preparing fd 3 for reading
io.c: Preparing fd 4 for reading
io.c: Preparing fd 6 for writing
syslog-ng version 1.6.12 starting
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 5 for writing
io.c: Preparing fd 6 for writing

[Glidos]

No one any ideas? I have no idea what else I can try to sort this out.

[mutex]

I recommend subscribing to this list: https://lists.balabit.hu/mailman/listinfo/syslog-ng and posting your question there.

[Glidos]

Thanks for your advice. Turns out it was apparmor. I didn't realise I had it enabled. Strange: it seems to be configured to constrain syslog-ng and no other deamons on my system. Anyway, I've just turned it off.

[mutex]

that is the 3rd time I've been bitten by apparmor.  I'm very glad you got it squared away.