Linux Logging to syslog

[ne-bbahn]

Some of the logs seem to be going to syslog in addition to the designated NCPA logs on Linux.

• /var/log/syslog on debian
• /var/log/messages on rpm instead of just to the NCPA logs
• /usr/local/ncpa/var/log/ncpa_listener.log
• /usr/local/ncpa/var/log/ncpa_passive.log

[MrPippin66]

Can you elaborate on the issue you're reporting?

[marchiom]

I am seeing the same behavior after I upgraded to NCPA 3.0.0 (still seeing it on 3.0.1 as well). I believe it is happening because the systemd script starts ncpa with the -n switch. This causes ncpa to start in non-daemon mode which I believe causes the logging output to go to stdout, which eventually dumps into /var/log/messages on Redhat based systems. Is there a way to change the start mode of ncpa using the config file instead of having to modify the systemd script?

[Matty-uk]

I've got this issue with 3.0.2 via repo install to RHEL8 monitored agents.

Everything logged to '/usr/local/ncpa/var/log/ncpa_listener.log' and '/usr/local/ncpa/var/log/ncpa_passive.log' also ends up in /var/log/messages. Its adding unnecessary and unwanted noise to the system log.

[marchiom]

I am still seeing this issue as well.

[ne-bbahn]

I am seeing the same behavior after I upgraded to NCPA 3.0.0 (still seeing it on 3.0.1 as well). I believe it is happening because the systemd script starts ncpa with the -n switch. This causes ncpa to start in non-daemon mode which I believe causes the logging output to go to stdout, which eventually dumps into /var/log/messages on Redhat based systems. Is there a way to change the start mode of ncpa using the config file instead of having to modify the systemd script?

This is not the case. I have testing with and without the -n and it does not affect whether the logs are stored in the system logs. I have tried various things to try and prevent NCPA from sending the logs to the system log, but have so far been unsuccessful.

[MrPippin66]

I'm not sure what you mean when you said you tried this with '-n' and without and got the same results. Do you mean tried this within systemd?

I know the logger code does setup a stream handler, which would include sending output to stdout.

If run from systemd, that would include the data in the journal, and if the journal is configured to forward to syslog (which some distributions have as the default behavior), then you'd get ncpa messages into the messages or syslog files.

And some code used by NCPA will directly send data to stderr, namely the ssl code, depending on the exception.

[ne-bbahn]

I tried with and without -n in the service configuration and I also tried removing the stream handlers. It was still logging to the system log, so those at least aren't the only thing causing the logs to be output to syslog.

[marchiom]

Is there a way, via configuration, to have check_logging enabled but log to a specific file and not to the journal?

[marchiom]

Also, just to note, if I set check_logging = 0 in the ncpa.cfg file then restart the ncpa process via systemctl, it still writes the check_logging details to both the journal/syslog and the ncpa_listener.log in /usr/local/ncpa/var/log . So the process is not respecting the check_logging setting either.

[MrPippin66]

"check_logging" regards the check history you can view in the NCPA web page. Shouldn't have anything to do with external logging to syslog, etc.

Example:

[marchiom]

Okay. I misunderstood the setting then. So, the original question still stands, is there a way via configuration to have ncpa send logging information to /usr/local/ncpa/var/log/ncpa_listener.log but NOT to the journal/syslog ? In older versions of NCPA (I believe prior to 3.x) this is how it behaved.

[MrPippin66]

@ne-bbahn I know you said you disabled stream logging without resolving this, but...should this entry even be there in setup_logger?

https://github.com/NagiosEnterprises/ncpa/blob/6eb3ff02958f47ae8d916322a011d756fde9e29b/agent/ncpa.py#L1005

The line that adds the stream:

https://github.com/NagiosEnterprises/ncpa/blob/6eb3ff02958f47ae8d916322a011d756fde9e29b/agent/ncpa.py#L1031

Even so, I know some events may still show up in the log due to other code like 'gevent' exceptions not being trapped.

[marchiom]

Just checking to see if anyone has any other ideas to resolve this issue?

[Matty-uk]

I'm also just checking in as we are also waiting on a fix for this one?

[ne-bbahn]

I'm also just checking in as we are also waiting on a fix for this one?

Yes, a fix has not yet been figured out for this issue and it will likely be some time before I can try to figure it out as I have other responsibilities and cannot work on this in the near future.