[arch-general] syslog-ng + systemd-journald = no logs for syslog-ng

Troy Engel troyengel+arch at gmail.com
Sun Feb 15 14:34:23 UTC 2015


On Sun, Feb 15, 2015 at 3:37 AM,  <Ephaeton at gmx.net> wrote:
> ## vanilla /etc/syslog-ng/syslog-ng.conf
> # grep -v '^#' /etc/systemd/journald.conf
>

It sounds like syslog-ng doesn't understand where the source is -
traditionally that's /dev/log, /dev/kmsg and /proc/kmsg - and it's
selected by a source module. Check your systemd-journald symlink to
ensure it's not broken; you should have a symlink from /dev/log over
to a socket like so:

  $ ls -l /dev/log /run/systemd/journal/dev-log
  lrwxrwxrwx 1 root root 28 Feb 14 09:05 /dev/log -> /run/systemd/journal/dev-log
  srw-rw-rw- 1 root root  0 Feb 14 09:05 /run/systemd/journal/dev-log

If that's fine, try generating a processed config like so:

  $ syslog-ng -f /etc/syslog-ng/syslog-ng.conf --syntax-only --preprocess-into=/tmp/test.cfg --no-caps

Inside that /tmp/test.cfg you should see a source section and module
to go with it:

  $ grep ^@module /tmp/test.cfg
  ...
  @module system-source

...and a definition of where that's coming from:

  $ grep -A9 "source src" /tmp/test.cfg
  source src {
    channel {
      source {
  systemd-journal();

      }; # source
  }; # channel
  ;
    internal();
  };

I suspect that something in your configuration has become disconnected
from the upgrade, and syslog-ng is no longer able to read from the
source that it used to 10-15 days ago pre-upgrade...here's the link to
the guide, look on page 96, section 6.11:

  http://www.balabit.com/support/documentation/syslog-ng-ose-3.6-guides/en/syslog-ng-ose-v3.6-guide-admin/pdf/syslog-ng-ose-v3.6-guide-admin.pdf

hth,
-te
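
The checks described in the message above, collected into one script as an added example that is not part of the original post. The function names check_devlog and check_cfg, their return codes, and the embedded sample config are this example's own constructions.

```shell
#!/bin/sh
# Added example; function names and return codes are this script's own.

# check_devlog LINK: LINK (normally /dev/log) must be a symlink to a live socket.
check_devlog() {
    [ -L "$1" ] || { echo "$1: not a symlink"; return 1; }
    [ -e "$1" ] || { echo "$1: dangling symlink -> $(readlink "$1")"; return 2; }
    [ -S "$1" ] || { echo "$1: target is not a socket"; return 3; }
    echo "$1: ok -> $(readlink "$1")"
}

# check_cfg FILE: FILE is what --preprocess-into wrote. It needs the
# system-source module and systemd-journal() inside the "source src" block.
check_cfg() {
    [ -r "$1" ] || { echo "$1: unreadable"; return 1; }
    grep -q '^@module system-source' "$1" ||
        { echo "$1: no '@module system-source' line"; return 2; }
    awk '
        /^source src/ { inblk = 1 }
        inblk {
            line = $0
            sub(/#.*/, "", line)              # drop comments like "# source"
            if (line ~ /systemd-journal[(][)]/) found = 1
            depth += gsub(/[{]/, "{", line)   # track brace nesting
            depth -= gsub(/[}]/, "}", line)
            if (depth > 0) opened = 1
            else if (opened) inblk = 0        # block closed
        }
        END { exit(found ? 0 : 1) }
    ' "$1" || { echo "$1: source src does not read systemd-journal()"; return 3; }
    echo "$1: ok"
}
# Constructed sample, modelled on the grep output quoted above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
@module system-source
source src {
  channel {
    source {
systemd-journal();
    }; # source
}; # channel
;
  internal();
};
EOF
check_cfg "$sample"
check_devlog /dev/log || true   # on a healthy host this prints "ok -> ..."
rm -f "$sample"
```

To use it on a real host, point check_cfg at the file produced by the --preprocess-into command shown earlier.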

