DevOps Aug 9th '18

Syslog-ng Unique Persist Names

I want mail logs in a separate log file /var/log/mail so that postfix and dovecot messages are not be buried in /var/log/message. While upgrading to syslog-ng to version 3.13.2 I suddenly ran into an error that prevented the daemon to start. The error message was:

# /etc/init.d/syslog-ng start
 * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ...           [ ok ]
 * Starting syslog-ng ...
[2018-08-09T12:43:05.358947] Error checking the uniqueness of the persist names, please override it with persist-name option. Shutting down.; persist_name='affile_dd_writers(/var/log/mail)', location='/etc/syslog-ng/mail.conf:6:9'
[2018-08-09T12:43:05.358991] Error checking the uniqueness of the persist names, please override it with persist-name option. Shutting down.; persist_name='affile_dd_writers(/var/log/mail)', location='/etc/syslog-ng/mail.conf:9:9'
[2018-08-09T12:43:05.359006] Error checking the uniqueness of the persist names, please override it with persist-name option. Shutting down.; persist_name='affile_dd_writers(/var/log/mail)', location='/etc/syslog-ng/mail.conf:13:9'
 * start-stop-daemon: failed to start `/usr/sbin/syslog-ng'
 * Failed to start syslog-ng                                              [ !! ]
 * ERROR: syslog-ng failed to start

The configuration for the separate mail log is included in the main configuration file /etc/syslog-ng/syslog-ng.conf with a directive added to then end of the file:

@include "mail.conf"

The relevant parts in /etc/syslog-ng/mail.conf that syslog-ng complained about looked like this:

destination mail {
        file("/var/log/mail");
};

destination mailinfo {
        file("/var/log/mail");
};
destination mailwarn {
        file("/var/log/mail");
};

destination mailerr {
        file("/var/log/mail");
};

The problem is that all four destinations go to the same file /var/log/mail which disturbs syslog-ng's internal book-keeping.

Searching for the error message I came across https://github.com/balabit/syslog-ng/issues/1275 which showed one usage of the persist-name option that is recommended in the error message. Unfortunately, my configuration looked different. The solution is still simple. Just in case, I post my complete fixed and working configuration here:

destination mail {
        file("/var/log/mail" persist-name("mail"));
};

destination mailinfo {
        file("/var/log/mail" persist-name("mailinfo"));
};
destination mailwarn {
        file("/var/log/mail" persist-name("mailwarn"));
};

destination mailerr {
        file("/var/log/mail" persist-name("mailerr"));
};

filter f_mail {
        facility(mail);
};

filter f_info {
        level(info);
};
filter f_warn {
        level(warn);
};

filter f_err {
        level(err);
};

log {
        source(src);
        filter(f_mail);
        destination(mail);
        flags(final);
};

log {
        source(src);
        filter(f_mail);
        filter(f_info);
        destination(mailinfo);
        flags(final);
};

log {
        source(src);
        filter(f_mail);
        filter(f_warn);
        destination(mailwarn);
        flags(final);
};

log {
        source(src);
        filter(f_mail);
        filter(f_err);
        destination(mailerr);
        flags(final);
};

Beware that this is not the entire syslog-ng configuration but just the mail specific part in /etc/syslog-ng/mail.conf included with @include "mail.conf" in /etc/syslog-ng/syslog-ng.conf!

Leave a comment

Categories

Tags

This website uses cookies and similar technologies to provide certain features, enhance the user experience and deliver content that is relevant to your interests. Depending on their purpose, analysis and marketing cookies may be used in addition to technically necessary cookies. By clicking on "Agree and continue", you declare your consent to the use of the aforementioned cookies. Here you can make detailed settings or revoke your consent (in part if necessary) with effect for the future. For further information, please refer to our Privacy Policy.