-
Titolo
Troubleshooting Syslog-ng Agent for Windows -
Descrizione
This knowledge base article will show general troubleshooting techniques for Syslog-ng Agent for Windows.
Where to find logs, make it verbose logging or debug mode.
-
Risoluzione
Please note:
- Configuration changes take effect only after restarting the syslog-ng service or rebooting the system.
- Configuration changes in domain managed agents are not instantly downloaded to the client hosts, only at the time of the next group policy update.
- If a host is sometimes logged in into a domain and sometimes it is not, its hostname might reflect this. To avoid this situation, enable Global Settings, navigate to Hostname and select Use FQDN.
- Logs are not forwarded instantly in case of certain applications (eg. IIS Server). It is because Windows operating system does not immediately flush its buffers to the file when an application sends a log message. The syslog-ng Agent for Windows application immediately starts sending the log messages when they become available in the log file.
Check eventlog
Syslog-ng Agent sends its internal messages to Eventlog, if you haven't disabled it at Global settings | Internal messages.
- Open Event Viewer application.
- Select Application event container and search for syslog-ng messages.
- If there is an error message check the following knowledge base articles.
Note, that the logs of the remote server may be checked as well.
Troubleshooting syslog connections in syslog-ng Premium Edition (265410)
Common connection issues of syslog-ng (284050)
Common issues of TLS encrypted message transfer (263658)- If you haven't found the root cause you may want to enable debug logging to get more information.
Enable debug logging
There are certain situations where debug logging is needed for troubleshooting, for example to debug message processing like filtering.
To enable debug options, create the debug.ini file in the syslog-ng Agent install directory and restart syslog-ng Agent service.
NOTE: The debug.ini file cannot be distributed. It can only be used on a local machine.
The debug.ini can consist of the following entries:[AgentDbgLog]
enabled=on/off
path=optional_path
[GpoDbgLog]
enabled=on/off
path=optional_path
[WriteMiniDump]
enabled=on/off
1. Turn on debug logging
Enter the following lines in the debug.ini file:
[AgentDbgLog]
enabled=on
path=c:\tmp\syslog-ng-dbg.log # optional
Debug messages are written into the installation folder of the syslog-ng Agent under the syslog_ng_agent_dbg.log filename by default, if no other path is specified.
2. Turn on domain configuration debug logging (Only for domain managed agents)
If the domain settings are not downloaded to a domain host, the syslog-ng Agent can create a log file to debug why the domain settings are not updated on the client.
Enter the following lines in the debug.ini file:
[GpoDbgLog]
enabled=on
path=c:\tmp\syslog-ng-dbg.log # optional
Debug messages are written into the installation folder of the syslog-ng Agent under the syslog_ng_agent_gpo_dbg.log filename by default, if no other path is specified.
3. Creating core and memory dumps
When enabled, the syslog-ng Agent for Windows application creates core dumps automatically when it experiences an unexpected shutdown.
Enable it only if the support team requests it.
Enter the following lines in the debug.ini file:
[WriteMiniDump]
enabled=on
Core dumps are written into the installation folder of the syslog-ng Agent under the syslog-ng-agent.PID.dmp filename.Start syslog-ng Agent manually in debug mode
The debug log is not suited to detect the reasons behind why a syslog-ng service could not start. The only way to check a non-starting agent service is to run it manually in debug mode.
1. Open powershell
2. Navigate to bin directory under syslog-ng Agent's installation path (c:\Program Files\syslog-ng Agent\bin)
3. Stop the syslog-ng Agent if it is still trying to start
4. Start syslog-ng Agent in debug mode
syslog-ng-agent.exe /D > agent_debug.log 2>&1
-
Informazioni aggiuntive
For more information see the Troubleshooting section of the syslog-ng Administration Guide