diff --git a/.circleci/config.yml b/.circleci/config.yml index c93f78c..b38c604 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -90,7 +90,7 @@ jobs: docker: - image: circleci/python:3.7 environment: - SYSLOG: "syslog-ng-3.27.1" + SYSLOG: "syslog-ng-3.28.1" SPLUNK_VERSION: "8.0.2" <<: *test test-sc4s-next-splunk-8-0: @@ -104,14 +104,14 @@ jobs: docker: - image: circleci/python:3.7 environment: - SYSLOG: "syslog-ng-3.27.1" + SYSLOG: "syslog-ng-3.28.1" SPLUNK_VERSION: "7.3.4" <<: *test test-sc4s-current-splunk-7-2: docker: - image: circleci/python:3.7 environment: - SYSLOG: "syslog-ng-3.27.1" + SYSLOG: "syslog-ng-3.28.1" SPLUNK_VERSION: "7.2.9" <<: *test @@ -195,7 +195,7 @@ jobs: docker: - image: circleci/python:3.7 environment: - SYSLOG: "syslog-ng-3.27.1" + SYSLOG: "syslog-ng-3.28.1" steps: - setup_remote_docker: docker_layer_caching: true diff --git a/docs/gettingstarted/docker-swarm-general.md b/docs/gettingstarted/docker-swarm-general.md index b2f68ae..7c97c52 100644 --- a/docs/gettingstarted/docker-swarm-general.md +++ b/docs/gettingstarted/docker-swarm-general.md @@ -225,7 +225,7 @@ index=* sourcetype=sc4s:events "starting up" ``` This should yield the following event: ```ini -syslog-ng starting up; version='3.26.1' +syslog-ng starting up; version='3.28.1' ``` when the startup process proceeds normally (without syntax errors). If you do not see this, follow the steps below before proceeding to deeper-level troubleshooting: 
@@ -236,16 +236,15 @@ follow the steps below before proceeding to deeper-level troubleshooting: * Ensure the proper operation of the load balancer if used. -* Lastly, execute the following command to check the internal logs of the syslog-ng process running in the container. Depending on the -traffic load, there may be quite a bit of output in the syslog-ng logs. +* Lastly, execute the following command to check the sc4s startup process running in the container. ```bash docker logs SC4S ``` You should see events similar to those below in the output: ```ini -Oct 1 03:13:35 77cd4776af41 syslog-ng[1]: syslog-ng starting up; version='3.26.1' -Oct 1 05:29:55 77cd4776af41 syslog-ng[1]: Syslog connection accepted; fd='49', client='AF_INET(10.0.1.18:55010)', local='AF_INET(0.0.0.0:514)' -Oct 1 05:29:55 77cd4776af41 syslog-ng[1]: Syslog connection closed; fd='49', client='AF_INET(10.0.1.18:55010)', local='AF_INET(0.0.0.0:514)' +syslog-ng checking config +sc4s version=v1.24.0 +syslog-ng starting ``` If you see http server errors such as 4xx or 5xx responses from the http (HEC) endpoint, one or more of the items above are likely set incorrectly. If validating/fixing the configuration fails to correct the problem, proceed to the "Troubleshooting" section for more diff --git a/docs/gettingstarted/docker-swarm-rhel7.md b/docs/gettingstarted/docker-swarm-rhel7.md index 7288430..e10d7ce 100644 --- a/docs/gettingstarted/docker-swarm-rhel7.md +++ b/docs/gettingstarted/docker-swarm-rhel7.md @@ -233,7 +233,7 @@ index=* sourcetype=sc4s:events "starting up" ``` This should yield the following event: ```ini -syslog-ng starting up; version='3.26.1' +syslog-ng starting up; version='3.28.1' ``` when the startup process proceeds normally (without syntax errors). If you do not see this, follow the steps below before proceeding to deeper-level troubleshooting: 
@@ -244,16 +244,15 @@ follow the steps below before proceeding to deeper-level troubleshooting: * Ensure the proper operation of the load balancer if used. -* Lastly, execute the following command to check the internal logs of the syslog-ng process running in the container. Depending on the -traffic load, there may be quite a bit of output in the syslog-ng logs. +* Lastly, execute the following command to check the sc4s startup process running in the container. ```bash docker logs SC4S ``` You should see events similar to those below in the output: ```ini -Oct 1 03:13:35 77cd4776af41 syslog-ng[1]: syslog-ng starting up; version='3.26.1' -Oct 1 05:29:55 77cd4776af41 syslog-ng[1]: Syslog connection accepted; fd='49', client='AF_INET(10.0.1.18:55010)', local='AF_INET(0.0.0.0:514)' -Oct 1 05:29:55 77cd4776af41 syslog-ng[1]: Syslog connection closed; fd='49', client='AF_INET(10.0.1.18:55010)', local='AF_INET(0.0.0.0:514)' +syslog-ng checking config +sc4s version=v1.24.0 +syslog-ng starting ``` If you see http server errors such as 4xx or 5xx responses from the http (HEC) endpoint, one or more of the items above are likely set incorrectly. If validating/fixing the configuration fails to correct the problem, proceed to the "Troubleshooting" section for more diff --git a/docs/gettingstarted/docker-systemd-general.md b/docs/gettingstarted/docker-systemd-general.md index edc61a3..61c8cd9 100644 --- a/docs/gettingstarted/docker-systemd-general.md +++ b/docs/gettingstarted/docker-systemd-general.md @@ -222,7 +222,7 @@ index=* sourcetype=sc4s:events "starting up" ``` This should yield the following event: ```ini -syslog-ng starting up; version='3.26.1' +syslog-ng starting up; version='3.28.1' ``` when the startup process proceeds normally (without syntax errors). If you do not see this, follow the steps below before proceeding to deeper-level troubleshooting: 
@@ -233,15 +233,14 @@ follow the steps below before proceeding to deeper-level troubleshooting: * Ensure the proper operation of the load balancer if used. -* Lastly, execute the following command to check the internal logs of the syslog-ng process running in the container. Depending on the -traffic load, there may be quite a bit of output in the syslog-ng logs. +* Lastly, execute the following command to check the sc4s startup process running in the container. ```bash docker logs SC4S ``` You should see events similar to those below in the output: ```ini syslog-ng checking config -sc4s version=v1.23.0 +sc4s version=v1.24.0 syslog-ng starting ``` If you do not see the output above, proceed to the "Troubleshooting" section for more detailed information. diff --git a/docs/gettingstarted/podman-systemd-general.md b/docs/gettingstarted/podman-systemd-general.md index 0ff260e..347a053 100644 --- a/docs/gettingstarted/podman-systemd-general.md +++ b/docs/gettingstarted/podman-systemd-general.md @@ -241,7 +241,7 @@ index=* sourcetype=sc4s:events "starting up" ``` This should yield the following event: ```ini -syslog-ng starting up; version='3.26.1' +syslog-ng starting up; version='3.28.1' ``` when the startup process proceeds normally (without syntax errors). If you do not see this, follow the steps below before proceeding to deeper-level troubleshooting: 
@@ -252,15 +252,14 @@ follow the steps below before proceeding to deeper-level troubleshooting: * Ensure the proper operation of the load balancer if used. -* Lastly, execute the following command to check the internal logs of the syslog-ng process running in the container. Depending on the -traffic load, there may be quite a bit of output in the syslog-ng logs. +* Lastly, execute the following command to check the sc4s startup process running in the container. ```bash podman logs SC4S ``` You should see events similar to those below in the output: ```ini syslog-ng checking config -sc4s version=v1.23.0 +sc4s version=v1.24.0 syslog-ng starting ``` If you do not see the output above, proceed to the "Troubleshooting" section for more detailed information. diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index dafc3e6..b1c266a 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
@@ -75,7 +75,7 @@ don't expect, check to see that the index is created in Splunk, or that a `lastC cause for almost _all_ `400` errors. * If you continue to the individual log entries in these directories, you will see entries of the form ```bash -curl -k -u "sc4s HEC debug:a778f63a-5dff-4e3c-a72c-a03183659e94" "https://splunk.smg.aws:8088/services/collector/event" -d '{"time":"1584556114.271","sourcetype":"sc4s:events","source":"SC4S:s_internal","index":"main","host":"e3563b0ea5d8","fields":{"sc4s_syslog_severity":"notice","sc4s_syslog_facility":"syslog","sc4s_loghost":"e3563b0ea5d8","sc4s_fromhostip":"127.0.0.1"},"event":"syslog-ng starting up; version='3.26.1'"}' +curl -k -u "sc4s HEC debug:a778f63a-5dff-4e3c-a72c-a03183659e94" "https://splunk.smg.aws:8088/services/collector/event" -d '{"time":"1584556114.271","sourcetype":"sc4s:events","source":"SC4S:s_internal","index":"main","host":"e3563b0ea5d8","fields":{"sc4s_syslog_severity":"notice","sc4s_syslog_facility":"syslog","sc4s_loghost":"e3563b0ea5d8","sc4s_fromhostip":"127.0.0.1"},"event":"syslog-ng starting up; version='3.28.1'"}' ``` * These commands, with minimal modifications (e.g. multiple URLs specified or elements that needs shell escapes) can be run directly on the command line to determine what, exactly, the HEC endpoint is returning. This can be used to refine th index or other parameter to correct the diff --git a/package/etc/syslog-ng.conf.tmpl b/package/etc/syslog-ng.conf.tmpl index 1cd2a87..a62ded7 100644 --- a/package/etc/syslog-ng.conf.tmpl +++ b/package/etc/syslog-ng.conf.tmpl @@ -1,4 +1,4 @@ -@version:3.27 +@version:3.28 # syslog-ng configuration file. diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh index 532da41..3bc9282 100755 --- a/package/sbin/entrypoint.sh +++ b/package/sbin/entrypoint.sh 
@@ -105,6 +105,9 @@ echo sc4s version=$(cat /VERSION) echo sc4s version=$(cat /VERSION) >/opt/syslog-ng/var/log/syslog-ng.out /opt/syslog-ng/sbin/syslog-ng -s >>/opt/syslog-ng/var/log/syslog-ng.out 2>/opt/syslog-ng/var/log/syslog-ng.err +echo starting goss +goss serve --format json & + echo syslog-ng starting /opt/syslog-ng/bin/persist-tool add /opt/syslog-ng/etc/reset_persist -o /opt/syslog-ng/var
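Review bot: the `SYSLOG: "syslog-ng-3.27.1"` → `"syslog-ng-3.28.1"` bump in .circleci/config.yml is repeated by hand in four separate job environments (the hunks at @@ -90, @@ -104 and @@ -195), so the next bump can easily miss one and leave jobs testing against different syslog-ng builds. Since the file already uses YAML anchors (`<<: *test`), hoist `SYSLOG` into one shared anchored environment block (or a single pipeline parameter) and have each job reference it, so the version is declared once.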
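Review bot: in the docs/gettingstarted/docker-swarm-general.md hunk at @@ -236 (and the identical docker-swarm-rhel7.md hunk at @@ -244) the bullet telling readers how to read the syslog-ng process's own messages (the removed sample showed `Syslog connection accepted` / `Syslog connection closed` lines) is replaced by a startup-only sample, yet the unchanged paragraph right below still says "If you see http server errors such as 4xx or 5xx responses from the http (HEC) endpoint" without saying where the reader would now see them. Keep one sentence pointing at the syslog-ng internal log, which the entrypoint.sh hunk in this same patch writes to /opt/syslog-ng/var/log/syslog-ng.out and .err, so that hint stays actionable.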
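Review bot: the docker-systemd-general.md hunk at @@ -233 and the podman-systemd-general.md hunk at @@ -252 hard-code `sc4s version=v1.24.0` in the expected `logs SC4S` output, while the entrypoint.sh hunk shows that line is produced from `cat /VERSION`; every release now requires touching these samples (and the four `version='3.28.1'` samples above them), which is how the docs drifted to `3.26.1` while CI was already on `3.27.1`. Consider writing the sample value as a placeholder (e.g. `sc4s version=v<release>`) with a note that it tracks /VERSION, or generating these snippets from the release.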
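Review bot: the curl line edited in the docs/troubleshooting.md hunk at @@ -75 still carries a complete HEC token (`sc4s HEC debug:a778f63a-5dff-4e3c-a72c-a03183659e94`) and a concrete endpoint host (`splunk.smg.aws:8088`); only the version string is being changed here, so this is the moment to replace both with obvious placeholders such as `<HEC_TOKEN>` and `<splunk-host>`, because a HEC token in public docs is a credential and, if it is or ever was valid, it should be rotated. While in this hunk, two typos in the context lines are worth fixing: "elements that needs shell escapes" should read "need", and "refine th index" should read "the index".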
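Review bot: the `@version:3.27` → `@version:3.28` change in package/etc/syslog-ng.conf.tmpl raises the configuration compatibility version alongside the CI image bump to syslog-ng-3.28.1, but the patch carries no note on what in 3.28 the templates rely on or what the `syslog-ng -s` syntax check (already run by entrypoint.sh with stderr sent to /opt/syslog-ng/var/log/syslog-ng.err) reported against the new version. Add a line to the commit message or changelog stating the motivation for the bump, and consider a CI assertion that syslog-ng.err is empty after the syntax check so a version bump that breaks the rendered config fails the build rather than surfacing at container start.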
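Review bot: `goss serve --format json &` in the package/sbin/entrypoint.sh hunk at @@ -105 is launched unconditionally in the background with no check that the `goss` binary is present and no handling of its exit status, so a missing or crashing goss is silent and the container keeps running without the health endpoint this line was meant to provide; the listen address and the goss spec it serves are also left to goss defaults, so pass them explicitly and document the port in the getting-started docs touched by this patch. Separately, the new `echo starting goss` line lands on stdout between `sc4s version=...` and `syslog-ng starting`, which means the `docker logs SC4S` / `podman logs SC4S` samples updated elsewhere in this same patch (listing only `syslog-ng checking config`, `sc4s version=v1.24.0`, `syslog-ng starting`) are already out of date, and goss's JSON output will interleave with those lines.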