topic Re: syslog-ng systemctl not starting the service in Getting Data In

syslog-ng systemctl not starting the service

tthonest — Wed, 14 Aug 2019 00:28:50 GMT

running CentOS 7

journalctl -fu syslog-ng shows
Unit syslog-ng.service entered failed state.
syslog-ng.service failed.
syslog-ng.service holdoff time over, scheduling restart.
start request repeated too quickly for syslog-ng.service
Failed to start System Logger Daemon.
Unit syslog-ng.service entered failed state.
syslog-ng.service failed.

trying to get Cisco ASA to forward logs over but can't seem to get it to work.

syslog-ng.conf:

# syslog-ng configuration file.
#
#
@include "/opt/syslog-ng/scl.conf"

options {
chain_hostnames(no);
create_dirs (yes);
dir_perm(0755);
dns_cache(yes);
keep_hostname(yes);
log_fifo_size(2048);
log_msg_size(8192);
perm(0644);
time_reopen (10);
use_dns(yes);
use_fqdn(yes);
};

source s_network {
udp(port(514));
};

#Destinations
destination d_cisco_asa { file(“/var/syslog/logs/cisco/asa/$HOST/$YEAR-$MONTH-$DAY-cisco-asa.log” create_dirs(yes)); };

# Filters
filter f_cisco_asa { match(“%ASA” value(“PROGRAM”)) or match(“%ASA” value(“MESSAGE”)); };
filter f_all { not (
filter(f_cisco_asa)
);
};
# Log
log { source(s_network); filter(f_cisco_asa); destination(d_cisco_asa); };
log { source(s_network); filter(f_all); destination(d_all); }

Re: syslog-ng systemctl not starting the service

dhihoriya_splun — Wed, 14 Aug 2019 02:12:36 GMT

Hi @tthonest

Try below steps to resolve the issue:

Please check whether rsyslog is running on your server, if rsyslog is running you won't be able to start Syslog because by default they are listening on the same port. To disable rsyslog run this command: systemctl disable rsyslog
Try running syslog-ng --syntax-only to verify that there are no syntax errors in your config as because if there is any syntax error present on your config file then it will fail to start Syslog and also try to run /usr/sbin/syslog-ng -F -p /var/run/syslogd.pid as it will check customized syslog-ng.conf that there is any typo or syntax error present or not, if there are any errors then you have to fix them and need to restart Syslog.

Re: syslog-ng systemctl not starting the service

datsplunk4272 — Fri, 13 Aug 2021 19:51:36 GMT

Hi:

You can use this cmd follow to see what lines could cost the issue. I used to use to find mine as well. Please let me know your outcome.

[ root@hostname ]# journalctl -a | grep syslog-ng

Also, I am concerning this code follow that you might check as well. I will double-check with it as well since I have never used it before.

filter f_all {
not (
filter(f_cisco_asa)
);
};

Re: syslog-ng systemctl not starting the service

splunkcol — Fri, 13 Aug 2021 19:59:12 GMT

Hi, I'm new too, my English is not good so I use the google translator.

I ever presented something similar, and I don't know if it's the same

run the command in linux df -h and see if there is any partition or disk at 100%

Re: syslog-ng systemctl not starting the service

datsplunk4272 — Fri, 13 Aug 2021 19:59:55 GMT

For me, it should work, but could you try this.

filter f_all {
not filter(f_cisco_asa);
};

http://www.softpanorama.org/Logs/Syslog_ng/configuration_examples.shtml

Re: syslog-ng systemctl not starting the service

datsplunk4272 — Fri, 13 Aug 2021 20:03:16 GMT

Hi:

I believe, it is not the same. The post has an issue with the 'syslog-ng.service' app that would not be started.