3.19. Troubleshooting syslog-ng

This section provides tips and guidelines about troubleshooting problems related to syslog-ng. Troubleshooting the syslog-ng Agent for Windows application is discussed in Section 5.10, “Troubleshooting syslog-ng Agent for Windows”.

Tip

As a general rule, first try to log the messages to a local file. Once this works, you know that syslog-ng is running correctly and receiving messages, and you can proceed to forwarding the messages to the server.

If the syslog-ng server does not receive the messages, use tcpdump or a similar packet sniffer tool on the client to verify that the messages are sent correctly, and on the server to verify that it receives the messages.

If syslog-ng is closing the connections for no apparent reason, be sure to check the log messages of syslog-ng. You might also want to run syslog-ng with the --verbose or --debug command-line options for more detailed log messages.

Similarly, build up encrypted connections step-by-step: first create a working unencrypted (e.g., TCP) connection, then add TLS encryption, and finally client authentication if needed.

3.19.1. Creating syslog-ng core files

When syslog-ng crashes for some reason, it can create a core file that contains important troubleshooting information. To enable core files, complete the following procedure:

Procedure 3.8. Creating syslog-ng core files

  1. Core files are produced only if the maximum core file size limit (ulimit -c) is set to a high value in the init script of syslog-ng. Add the following line to the init script of syslog-ng:

    ulimit -c unlimited
  2. Verify that syslog-ng has permissions to write the directory it is started from, e.g., /opt/syslog-ng/sbin/.

  3. If syslog-ng crashes, it will create a core file in the directory syslog-ng was started from.

  4. To test that syslog-ng can create a core file, you can trigger a crash manually. Determine the PID of syslog-ng (e.g., using the ps -All|grep syslog-ng command), then issue the following command:

    kill -ABRT <syslog-ng pid>

    This should create a core file in the current working directory.
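The following script is an added example, not part of the syslog-ng documentation or distribution: it checks the two prerequisites of Procedure 3.8 (a sufficiently high core file size limit and a writable start directory) before you resort to the kill -ABRT test. The 64 MiB threshold, the default start directory /opt/syslog-ng/sbin and the function names are assumptions for illustration; the unit `ulimit -c` reports in is shell-dependent (1024-byte blocks in bash, 512-byte blocks in some other shells).

```shell
#!/bin/sh
# Added example (not from the syslog-ng documentation): pre-flight check of the
# prerequisites Procedure 3.8 names for core files. Threshold and default
# directory below are assumptions for illustration.

# Return 0 if a `ulimit -c` value allows a useful core file.
# "unlimited" always qualifies; a numeric value must be at least the assumed
# threshold (131072 blocks, i.e. 64 MiB with 512-byte blocks).
core_limit_acceptable() {
    limit="$1"
    min_blocks="${2:-131072}"
    case "$limit" in
        unlimited) return 0 ;;
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: not acceptable
    esac
    [ "$limit" -ge "$min_blocks" ]
}

# Return 0 if the directory syslog-ng is started from (where the core file
# lands) exists and is writable by the current user.
core_dir_writable() {
    dir="$1"
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Combined check against the live shell limit and a directory; prints a
# diagnostic for each prerequisite and returns non-zero if any would prevent
# a core file from being written.
check_core_prereqs() {
    dir="${1:-/opt/syslog-ng/sbin}"   # assumed start directory, as in the procedure
    ok=0
    current="$(ulimit -c)"
    if core_limit_acceptable "$current"; then
        echo "core size limit ok: $current"
    else
        echo "core size limit too low ($current); add 'ulimit -c unlimited' to the init script"
        ok=1
    fi
    if core_dir_writable "$dir"; then
        echo "directory writable: $dir"
    else
        echo "directory not writable or missing: $dir"
        ok=1
    fi
    return $ok
}

# Usage: sh core-check.sh /opt/syslog-ng/sbin
if [ $# -gt 0 ]; then
    check_core_prereqs "$1"
fi
```

Run it from the same environment (init script or shell) that starts syslog-ng, because the core size limit is inherited per process and a limit raised in an interactive shell says nothing about the daemon.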

3.19.2. Running a failure script

When syslog-ng is abnormally terminated, it can execute a user-created failure script. This can be used for example to send an automatic e-mail notification. The script must be located at /opt/syslog-ng/sbin/syslog-ng-failure.
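A minimal failure script, written here as an added example rather than one shipped with syslog-ng: it records the abnormal termination in a local file and sends the e-mail notification mentioned above. The recipient address, the log file path, the reliance on the system mail(1) command and the function names are assumptions; the page does not document any arguments passed to the script, so none are used.

```shell
#!/bin/sh
# Added example (not shipped with syslog-ng): a failure script to install as
# /opt/syslog-ng/sbin/syslog-ng-failure, executed when syslog-ng terminates
# abnormally. Recipient, log path and the use of mail(1) are assumptions.

NOTIFY_TO="${NOTIFY_TO:-root}"                                 # assumed recipient
FAILURE_LOG="${FAILURE_LOG:-/var/log/syslog-ng-failure.log}"   # assumed local record

# Build the notification text from the host name and a timestamp; kept as a
# function so the message can be inspected without sending anything.
compose_failure_notice() {
    host="$1"
    when="$2"
    printf 'syslog-ng on %s terminated abnormally at %s\n' "$host" "$when"
    printf 'Check the syslog-ng log output and look for a core file in the directory syslog-ng was started from.\n'
}

# Append the notice to a local file first (a record that survives even when
# mail delivery fails), then send it with mail(1) if that command exists.
notify_failure() {
    host="$(hostname)"
    when="$(date '+%Y-%m-%d %H:%M:%S')"
    notice="$(compose_failure_notice "$host" "$when")"
    printf '%s\n' "$notice" >> "$FAILURE_LOG" 2>/dev/null || :
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$notice" | mail -s "syslog-ng failure on $host" "$NOTIFY_TO"
    fi
}

# Send the notification only when executed as the installed failure script,
# not when the file is sourced to inspect its functions.
case "$0" in
    *syslog-ng-failure) notify_failure ;;
esac
```

Make the script executable and keep it short and dependency-free: it runs at the moment the log daemon is gone, so anything it writes to syslog itself will be lost.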

3.19.3. Stopping syslog-ng

To avoid problems, always use the init scripts to stop syslog-ng (/etc/init.d/syslog-ng stop) instead of the kill command. This is especially important on Solaris and HP-UX systems; there, use /etc/init.d/syslog stop.


© 2007-2008 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com