
syslog-ng - installation on Solaris10 global zone

This product comes from Hungary. The main guy there is Balazs Scheidler.

syslog-ng is a system logging application used mostly for creating a centralized logging server.

Also, Nathan Campi has been writing a lot about logging and syslog-ng so please find his site online and check it, tons of stuff there.

I'll write about some of my experiences installing syslog-ng on a Sun Fire x4200 (x86 platform).

Interestingly, blastwave.org doesn't have syslog-ng, so syslog-ng can be downloaded from sunfreeware.com. Below is what Sunfreeware tells you about syslog-ng. Download the required packages (they are zipped package data streams):
eventlog-0.2.7-sol10-x86-local
gcc-3.4.6-sol10-x86-local.gz
glib-2.14.1-sol10-x86-local.gz
libgcc-3.4.6-sol10-x86-local.gz
libiconv-1.11-sol10-x86-local.gz
libintl-3.4.0-sol10-x86-local.gz
openssl-0.9.8k-sol10-x86-local.gz
pcre-7.9-sol10-x86-local.gz
syslogng-3.0.2-sol10-x86-local.gz
Unzip them: gunzip *

Translate each data stream into a package directory so you can use the 'pkgadd' command for installation (or first verify whether some of them are already installed).
# foreach i ( gcc-3.4.6-sol10-x86-local glib-2.14.1-sol10-x86-local libgcc-3.4.6-sol10-x86-local libiconv-1.11-sol10-x86-local libintl-3.4.0-sol10-x86-local openssl-0.9.8k-sol10-x86-local pcre-7.9-sol10-x86-local syslogng-3.0.2-sol10-x86-local )
foreach? echo ----- translate datastream ${i} ------------
foreach? echo
foreach? pkgtrans ${i} .
foreach? echo
foreach? echo ------ done with ${i} ------------
foreach? end
This gives you a list of package directories, so now you know the exact package names and can verify their presence on your system.
Package names from Sunfreeware start with SMC, and you'll look for these: SMCevtlog, SMCgcc, SMCglib, SMClgcc346, SMCliconv, SMClintl, SMCossl, SMCpcre and SMCsyslng
# foreach i (`ls -la | awk '{print $9}' | egrep ^SMC`)
foreach? echo
foreach? echo ---- check package ${i} ----------
foreach? echo
foreach? pkginfo ${i}
foreach? echo
foreach? echo ----- done with ${i} ------------
foreach? end
In my case, I already have SMCglib and SMCevtlog, so let's install the rest of the stuff (except syslog-ng, just in case).
# foreach i ( SMCgcc SMClgcc346 SMCliconv SMClintl SMCossl SMCpcre )
foreach? echo
foreach? echo ----------- installing ${i} -----------
foreach? pkgadd -d . ${i}
foreach? echo
foreach? echo ----------- ${i} installed ---------
foreach? end
Note: If you get a warning about the presence of files (I guess an older version), go ahead with Y to install the newer version of the "conflicting" files.

Let's install syslog-ng now.

The directory /usr/local/doc/syslogng/contrib has files to start with, such as a sample configuration file, syslog-ng.conf.SunOS.

Also check /usr/local/doc/syslogng/contrib/solaris-packaging for examples of .xml and method files (yes, this is Solaris 10 and we want to create a service for syslog-ng).

Taking care of configuration file

You also have 2 configuration examples for Solaris, so start with modifying them:

/usr/local/doc/syslogng/contrib/syslog-ng.conf.SunOS
/usr/local/doc/syslogng/doc/examples/syslog-ng.conf.solaris

Copy one of them to /usr/local/etc/syslog-ng.conf

 Taking care of PID and other temp file location 

Basically you want to put them in swap (a reboot will remove them).

You can see that swap is actually mounted on three filesystems:

# df -F tmpfs -h
Filesystem             size   used  avail capacity  Mounted on
swap                    41G   676K    41G     1%    /etc/svc/volatile
swap                    41G     4K    41G     1%    /tmp
swap                    41G    20K    41G     1%    /var/run

Or use mount command:

# mount
/etc/svc/volatile on swap read/write/setuid/devices/xattr/dev=46c0001 on Mon Jul 20 17:51:38 2009
/tmp on swap read/write/setuid/devices/xattr/dev=46c0002 on Mon Jul 20 17:52:10 2009
/var/run on swap read/write/setuid/devices/xattr/dev=46c0003 on Mon Jul 20 17:52:10 2009

Since our PID file will be placed in /usr/local/var, we'll create a symbolic link from this directory to /var/run (swap).

/usr/local> ln -s /var/run var

This creates:

lrwxrwxrwx   1 root     root           8 Jul 22 11:39 var -> /var/run

 Taking care of .xml file (defines service properties) 

Copy .xml file (defines service's properties) to /var/svc/manifest/system

# cp -p syslog-ng.example.xml /var/svc/manifest/system/syslog-ng.xml

 Taking care of method file (defines how to start/stop/restart/refresh) 

Copy method example to directory /lib/svc/method

# cp -p syslog-ng.method /lib/svc/method/syslog-ng

Just make sure that the "location" variables are properly defined. Here is how they should look after the changes mentioned in this text (the original variables, as you can see, are commented out).

SYSLOGNG_PREFIX=/usr/local
#SYSLOGNG_PREFIX=/opt/syslog-ng
SYSLOGNG="$SYSLOGNG_PREFIX/sbin/syslog-ng"
CONFFILE=$SYSLOGNG_PREFIX/etc/syslog-ng.conf
PIDFILE=$SYSLOGNG_PREFIX/var/syslog-ng.pid
#PIDFILE=$SYSLOGNG_PREFIX/var/run/syslog-ng.pid
SYSLOGPIDFILE=$SYSLOGNG_PREFIX/var/syslog.pid
#SYSLOGPIDFILE=/var/run/syslog.pid

"Refresh" method is missing in .xml definition

I've noticed this method is not defined in the properties file /var/svc/manifest/system/syslog-ng.xml, so the next lines can be added there (say, after the 'stop' method).

<exec_method
    type='method'
    name='refresh'
    exec='/lib/svc/method/syslog-ng %m'
    timeout_seconds='60'>
    <method_context>
        <method_credential user='root'/>
    </method_context>
</exec_method>

Interestingly, the executable file /lib/svc/method/syslog-ng already has lines for reloading the service, and its 'usage' is well done, but there is one thing: the svcadm command does not have a "reload" option, but it has "refresh". So "reload" will be replaced with "refresh".
 refresh)
                if [ -f $PIDFILE ]; then
                        syspid=`head -1 $PIDFILE`
                        [ "$syspid" -gt 0 ] && kill -1 $syspid && echo "syslog-ng service refreshed"
                fi
                ;;
	.
	.
	.
	
	echo "Usage: $0 { start | stop | restart | refresh }"
	
Disable syslogd (system-log service)

# svcadm -v disable system-log
svc:/system/system-log:default disabled.

Validate and import the syslog-ng.xml

# svccfg
svc:> validate /var/svc/manifest/system/syslog-ng.xml
svc:> import /var/svc/manifest/system/syslog-ng.xml
svc:> quit

Start syslog-ng

# svcadm -v enable -r syslog-ng

Cannot enable/start syslog-ng?

You may have an issue, and the service will go to maintenance mode. Check the log file; it's useful to have a separate putty window (if you use putty) open with the command:

# tail -f /var/svc/log/system-syslog-ng:default.log

Setting LD_LIBRARY_PATH ( ..... just thoughts/ideas, you may want to ignore this !!!!)

Linking is joining object code files with system libraries. Libraries are linked statically or dynamically (called shared libraries).
- Static libraries (.a suffix) are part of binaries.
- Dynamic libraries (.so suffix) are referenced by location.
The trend is moving to dynamic libraries, since it is a pain if your static library is updated: you need to manually re-link binaries to use the new library.
Just note: the location of third-party libraries can be specified to the compiler with "-L dir".

The ldd command lists all dynamic (shared) libraries that are loaded when an executable file is loaded.
Use ldd syslog-ng and see that syslog-ng is using some libraries from the /usr/local/lib directory. Hence you want to add this directory to LD_LIBRARY_PATH
setenv LD_LIBRARY_PATH /usr/local/lib:${LD_LIBRARY_PATH}
This can be added to /.tcshrc (assuming you use the tcsh shell). Verify the variable with printenv.

Checking dependents of system-log (syslogd)

Since system-log has been disabled, we have to make sure its dependents now depend on syslog-ng. This is what we have now.

# svcs -D system-log
STATE          STIME    FMRI
disabled       16:50:23 svc:/system/auditd:default
disabled       16:50:23 svc:/network/rarp:default
online         16:50:55 svc:/network/cswnrpe:default
online         16:50:57 svc:/network/smtp:sendmail
online         16:51:04 svc:/milestone/multi-user:default

Edit the .xml file of each dependent service; see the example for "auditd" (yes, do back up auditd.xml into auditd.xml_syslogd)
# diff auditd.xml auditd.xml_syslogd
41c41
<               name='syslog-ng'
---
>               name='syslog'
45c45
<               <service_fmri value='svc:/system/syslog-ng' />
---
>               <service_fmri value='svc:/system/system-log' />
After changing the .xml file, disable the service (if it is not already disabled), validate the file, and import it. Enable the service if needed. See example:
# svccfg
svc:> validate /var/svc/manifest/system/auditd.xml
svc:> import /var/svc/manifest/system/auditd.xml
svc:> quit
Do the same for other services: rarp, cswnrpe, smtp:sendmail and multi-user milestone.

Okay, now we are good, see below (maybe reboot system just in case):

# svcs -D system-log
STATE          STIME    FMRI
online         17:46:37 svc:/milestone/multi-user:default

# svcs -D syslog-ng
STATE          STIME    FMRI
disabled       16:50:23 svc:/system/auditd:default
disabled       16:50:23 svc:/network/rarp:default
online         17:31:44 svc:/network/cswnrpe:default
online         17:39:18 svc:/network/smtp:sendmail
online         17:46:37 svc:/milestone/multi-user:default
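
The manifest edit shown for auditd can be scripted for the other dependents. The function below is an added example, not part of the original page; it assumes POSIX sh and a dependency written with the same name='syslog' and service_fmri lines as in the auditd diff, and retarget_manifest is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: point one manifest's system-log dependency at syslog-ng.
# Returns 0 if the manifest references syslog-ng afterwards, 1 if it never
# referenced system-log (file left untouched), 2 on error.
OLD_FMRI='svc:/system/system-log'
NEW_FMRI='svc:/system/syslog-ng'

retarget_manifest() {
    manifest=$1
    backup="${manifest}_syslogd"      # backup naming used in the text above
    if [ ! -f "$manifest" ]; then
        echo "no such manifest: $manifest" >&2
        return 2
    fi
    if grep "value='$NEW_FMRI'" "$manifest" >/dev/null; then
        return 0                      # already converted, keep first backup
    fi
    if grep "value='$OLD_FMRI'" "$manifest" >/dev/null; then :; else
        return 1                      # no system-log dependency in this file
    fi
    cp -p "$manifest" "$backup" || return 2
    # name='syslog' is the dependency name shown in the auditd diff; the
    # closing quote keeps an existing name='syslog-ng' from matching again.
    # Writing back into $manifest keeps its owner and mode unchanged.
    sed -e "s|name='syslog'|name='syslog-ng'|" \
        -e "s|value='$OLD_FMRI'|value='$NEW_FMRI'|" \
        "$backup" > "$manifest" || return 2
    grep "value='$NEW_FMRI'" "$manifest" >/dev/null || return 2
}
```

After a manifest has been rewritten, validate and import it with svccfg as shown for auditd.xml.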

Note:
I didn't mention this throughout the document, but you probably want to check the permissions and ownership of the configuration, .xml and method files. I guess you want them to be owned by root, and also make sure the method file /lib/svc/method/syslog-ng is executable.
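
One way to run the check suggested in this note, as an added example that is not part of the original page. It assumes POSIX sh and the file locations used in this guide; check_file, audit_syslog_ng_files and the ROOT prefix argument are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: audit the three files this guide installs. Each must be a
# regular file owned by the expected uid and not writable by group or
# others; the method file must also be executable by its owner.

# check_file PATH UID [x]: print a verdict line, return 0 only if PATH is OK.
check_file() {
    path=$1; want_uid=$2; need_exec=$3
    if [ ! -f "$path" ]; then
        echo "MISSING  $path"; return 1
    fi
    # ls -ldn fields: mode links uid gid size date name
    set -- `ls -ldn "$path"`
    mode=$1; uid=$3; bad=""
    [ "$uid" = "$want_uid" ] || bad="$bad owner-uid=$uid"
    case $mode in ?????w*) bad="$bad group-writable" ;; esac
    case $mode in ????????w*) bad="$bad world-writable" ;; esac
    if [ "$need_exec" = x ]; then
        case $mode in ???[xs]*) ;; *) bad="$bad not-executable" ;; esac
    fi
    if [ -n "$bad" ]; then
        echo "FAIL     $path ($mode):$bad"; return 1
    fi
    echo "OK       $path ($mode)"
}

# audit_syslog_ng_files [UID] [ROOT]: UID defaults to 0 (root). ROOT is a
# hypothetical prefix, empty on a live system, for auditing a staged copy.
audit_syslog_ng_files() {
    audit_uid=${1:-0}; audit_root=$2; rc=0
    check_file "$audit_root/usr/local/etc/syslog-ng.conf" "$audit_uid" || rc=1
    check_file "$audit_root/var/svc/manifest/system/syslog-ng.xml" "$audit_uid" || rc=1
    check_file "$audit_root/lib/svc/method/syslog-ng" "$audit_uid" x || rc=1
    return $rc
}
```

Called with no arguments as root, audit_syslog_ng_files checks the live paths and returns non-zero if any file fails.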
