
syslog-ng systemctl not starting the service

New Member

Running CentOS 7

journalctl -fu syslog-ng shows:
Unit syslog-ng.service entered failed state.
syslog-ng.service failed.
syslog-ng.service holdoff time over, scheduling restart.
start request repeated too quickly for syslog-ng.service
Failed to start System Logger Daemon.
Unit syslog-ng.service entered failed state.
syslog-ng.service failed.

Trying to get Cisco ASA to forward logs over but can't seem to get it to work.

syslog-ng.conf:

# syslog-ng configuration file.
#
#
@include "/opt/syslog-ng/scl.conf"

options {
    chain_hostnames(no);
    create_dirs (yes);
    dir_perm(0755);
    dns_cache(yes);
    keep_hostname(yes);
    log_fifo_size(2048);
    log_msg_size(8192);
    perm(0644);
    time_reopen (10);
    use_dns(yes);
    use_fqdn(yes);
};

source s_network {
    udp(port(514));
};

#Destinations
destination d_cisco_asa { file(“/var/syslog/logs/cisco/asa/$HOST/$YEAR-$MONTH-$DAY-cisco-asa.log” create_dirs(yes)); };

# Filters
filter f_cisco_asa { match(“%ASA” value(“PROGRAM”)) or match(“%ASA” value(“MESSAGE”)); };
filter f_all { not (
    filter(f_cisco_asa)
    );
};
# Log
log { source(s_network); filter(f_cisco_asa); destination(d_cisco_asa); };
log { source(s_network); filter(f_all); destination(d_all); }
0 Karma

Re: syslog-ng systemctl not starting the service

Splunk Employee

Hi @tthonest

Try the steps below to resolve the issue:

  • Please check whether rsyslog is running on your server. If rsyslog is running, you won't be able to start Syslog, because by default they listen on the same port. To disable rsyslog, run this command: systemctl disable rsyslog

  • Try running syslog-ng --syntax-only to verify that there are no syntax errors in your config, because if there is any syntax error in your config file it will fail to start Syslog. Also try running /usr/sbin/syslog-ng -F -p /var/run/syslogd.pid, as it will check the customized syslog-ng.conf for any typo or syntax error. If there are any errors, you have to fix them and restart Syslog.

0 Karma
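
As a pre-check to run before `syslog-ng --syntax-only`, this added example (not part of the original thread) scans a config for two mistakes that prevent syslog-ng from starting: typographic quotes used in place of ASCII quotes, and references to a source, filter or destination that is never defined. The `lint` function and the sample config are constructed for illustration, and the check does not replace syslog-ng's own parser.

```python
import re

# Constructed sample config (not a real deployment) containing typographic
# quotes and a log path that references an undefined destination.
SAMPLE = '''\
source s_network { udp(port(514)); };
destination d_cisco_asa { file(“/var/syslog/logs/cisco/asa/$HOST/asa.log”); };
filter f_cisco_asa { match(“%ASA” value(“MESSAGE”)); };
filter f_all { not (filter(f_cisco_asa)); };
log { source(s_network); filter(f_cisco_asa); destination(d_cisco_asa); };
log { source(s_network); filter(f_all); destination(d_all); }
'''

# Curly double and single quotes, often introduced by copying from web pages.
TYPOGRAPHIC = "\u201c\u201d\u2018\u2019"
# "source s_x {" style definitions and "source(s_x)" style references.
DEFINE = re.compile(r"^\s*(source|destination|filter)\s+([\w.-]+)\s*\{")
REFER = re.compile(r"\b(source|destination|filter)\s*\(\s*([\w.-]+)\s*\)")


def lint(text):
    """Return (line_number, message) findings for a syslog-ng config."""
    # Naive comment strip: assumes '#' never appears inside a quoted string.
    lines = [ln.split("#", 1)[0] for ln in text.splitlines()]
    defined = {pair for ln in lines for pair in DEFINE.findall(ln)}
    findings = []
    for no, ln in enumerate(lines, 1):
        if any(ch in TYPOGRAPHIC for ch in ln):
            findings.append((no, "typographic quote; use ASCII \" or '"))
        for kind, name in REFER.findall(ln):
            if (kind, name) not in defined:
                findings.append(
                    (no, f"{kind} '{name}' is referenced but never defined"))
    return findings


if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```
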