logzilla_import.txt' not found (Errcode: 13)

[Avio]

Hi, to all.

I followed the guide to install logzilla. But no message is logged on MySQL. Syslog-NG receives logs correctly but when i launched
db_insert.pl for debug this is the output (file logzilla_import.txt exists and /tmp permissions are ok):

root@srvsyslog:/var/www/logzilla/scripts# ./db_insert.pl -v -d5 /tmp/logzilla_import.txt

2010-11-03 20:34:08
Starting /var/log/logzilla/db_insert.log for /var/www/logzilla/scripts/db_insert.pl at pid 26410
Using Database: syslog
Debug level: 5
Table: logs
Adminuser: syslogadmin
PW: ***REMOVED***
DB: syslog
DB Host: 127.0.0.1
DB Port: 3306
Deduplication Feature = 0
Logging results to /var/log/logzilla/db_insert.log
Printing results to screen (STDOUT)
    DBI::st=HASH(0x89fe1c0) trace level set to 0x0/4 (DBI @ 0x0/0) in DBI 1.611-ithread (pid 26410)



INCOMING MESSAGE:


INVALID MESSAGE FORMAT:


Error inserting record


#######
Current MPS = 3 (1 deduplicated)
#######
    DBI::st=HASH(0x89fe3a0) trace level set to 0x0/4 (DBI @ 0x0/0) in DBI 1.611-ithread (pid 26410)
    -> execute for DBD::mysql::st (DBI::st=HASH(0x89fe450)~0x89fe3a0 3 '2010-11-03 20:35:07' 3) thr#8731008
   Called: dbd_bind_ph
   Called: dbd_bind_ph
   Called: dbd_bind_ph
 -> dbd_st_execute for 089fe560
        >- dbd_st_free_result_sets
        <- dbd_st_free_result_sets RC -1
        <- dbd_st_free_result_sets
mysql_st_internal_execute MYSQL_VERSION_ID 50149
>parse_params statement INSERT INTO cache (name,value,updatetime) VALUES ('msg_sum',?,?) ON DUPLICATE KEY UPDATE value=value + ?
Binding parameters: INSERT INTO cache (name,value,updatetime) VALUES ('msg_sum','3','2010-11-03 20:35:07') ON DUPLICATE KEY UPDATE value=value + '3'
 <- dbd_st_execute returning imp_sth->row_num 3
    <- execute= 3 at ./db_insert.pl line 416



INCOMING MESSAGE:


INVALID MESSAGE FORMAT:


Error inserting record



Queue time limit reached (1 seconds)
Inserting MPS string: chart_mps_07, 3, 2010-11-03 20:35:07
Starting insert: 20:35:12
Importing 2 messages into the database
    -> execute for DBD::mysql::st (DBI::st=HASH(0x89fe270)~0x89fe1c0) thr#8731008
 -> dbd_st_execute for 089fe380
        >- dbd_st_free_result_sets
        <- dbd_st_free_result_sets RC -1
        <- dbd_st_free_result_sets
mysql_st_internal_execute MYSQL_VERSION_ID 50149
>parse_params statement LOAD DATA INFILE '/tmp/logzilla_import.txt' INTO TABLE logs FIELDS TERMINATED BY "\t" LINES TERMINATED BY "\n" (host,facility,severity,program,msg,mne,fo,lo)
             --> do_error
File '/tmp/logzilla_import.txt' not found (Errcode: 13) error 29 recorded: File '/tmp/logzilla_import.txt' not found (Errcode: 13)
             <-- do_error
IGNORING ERROR errno 0
 <- dbd_st_execute returning imp_sth->row_num 18446744073709551614
    !! ERROR: 29 'File '/tmp/logzilla_import.txt' not found (Errcode: 13)' (err#0)
    <- execute= undef at ./db_insert.pl line 383
DBD::mysql::st execute failed: File '/tmp/logzilla_import.txt' not found (Errcode: 13) at ./db_insert.pl line 383.
    -> errstr for DBD::mysql::st (DBI::st=HASH(0x89fe270)~0x89fe1c0) thr#8731008
       ERROR: 29 'File '/tmp/logzilla_import.txt' not found (Errcode: 13)' (err#0)
    <- errstr= 'File '/tmp/logzilla_import.txt' not found (Errcode: 13)' at ./db_insert.pl line 384
    -> errstr for DBD::mysql::st (DBI::st=HASH(0x89fe270)~0x89fe1c0) thr#8731008
       ERROR: 29 'File '/tmp/logzilla_import.txt' not found (Errcode: 13)' (err#0)
    <- errstr= 'File '/tmp/logzilla_import.txt' not found (Errcode: 13)' at ./db_insert.pl line 387
    -> errstr for DBD::mysql::st (DBI::st=HASH(0x89fe270)~0x89fe1c0) thr#8731008
       ERROR: 29 'File '/tmp/logzilla_import.txt' not found (Errcode: 13)' (err#0)
    <- errstr= ( 'File '/tmp/logzilla_import.txt' not found (Errcode: 13)' ) [1 items] at ./db_insert.pl line 390
FATAL: Unable to execute SQL statement: File '/tmp/logzilla_import.txt' not found (Errcode: 13)
Ending insert: 20:35:12

[Avio]

This is my syslog-ng.conf:

@version: 3.0
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation. Originally written by anonymous (I can't find his name)
# Revised, and rewrited by me (SZALAY Attila <sasa@debian.org>)

###########################################################################################
# Clay's LogZilla config below
###########################################################################################
# Last updated on 2010-06-15
###########################################################################################
# First, set some global options.

options {
      long_hostnames(off);
      # doesn't actually help on Solaris, log(3) truncates at 1024 chars
      log_msg_size(8192);
      # buffer just a little for performance
      # sync(1); <- Deprecated - use flush_lines() instead
      flush_lines(1);
      # memory is cheap, buffer messages unable to write (like to loghost)
      log_fifo_size(16384);
      # Hosts we don't want syslog from
      #bad_hostname("^(ctld.|cmd|tmd|last)$");
      # The time to wait before a dead connection is reestablished (seconds)
      time_reopen(10);
      #Use DNS so that our good names are used, not hostnames
      use_dns(yes);
      dns_cache(yes);
      #Use the whole DNS name
      use_fqdn(yes);
      keep_hostname(yes);
      chain_hostnames(no);
      #Read permission for everyone
      perm(0644);
      # The default action of syslog-ng 1.6.0 is to log a STATS line
      # to the file every 10 minutes.  That's pretty ugly after a while.
      # Change it to every 12 hours so you get a nice daily update of
      # # how many messages syslog-ng missed (0).
      # stats(43200);
};

########################
# Sources
########################

source s_all {
internal ();
unix-dgram ("/dev/log");
unix-stream ("/dev/log");
file ("/proc/kmsg" program_override("kernel"));
tcp (ip(*** REMOVED ***) port(5140) keep-alive(yes));
udp ();
};

##############################################################################
# Destinations:
# Note: LogZilla will ONLY process log entries in this format.
# You can't run db_insert.pl on any log file without using this template.
# The reason is that messages vary in composition so the tab delimiters are
# needed to determine the tokens.
##############################################################################

destination d_logzilla {
   program("/var/www/logzilla/scripts/db_insert.pl"
   template("$HOST\t$PRI\t$PROGRAM\t$MSGONLY\n")
   template_escape(yes)
   );
};

################################################
# LOG:
# Tell syslog-ng to log to our new destination
################################################

log {
   source(s_all);
      destination(d_logzilla);
};

[cdukes]

What's in logzilla_import.txt? It looks like you are just piping blank lines into db_insert.pl

[Avio]

What's in logzilla_import.txt? It looks like you are just piping blank lines into db_insert.pl

This is my logzilla_import.txt:

root@srvsyslog:/tmp# cat logzilla_import.txt
srvnextict   9  6       559476044       (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm)   3751981041      2010-11-03 23:34:30     2010-11-03 23:34:30
srvnextict   10 6       559476044       pam_unix(cron:session): session closed for user root    3751981041      2010-11-03 23:34:30     2010-11-03 23:34:30
srvsyslog    0 5       1574083243      [23305.818199] type=1400 audit(1288823670.095:610): apparmor="DENIED\" operation=\"open\" parent=1 profile=\"/usr/sbin/mysqld\" name=\"/tmp/logzilla_import.txt\" pid=23567 comm=\"mysqld\" requested_mask=\"r\" denied_mask=\"r\" fsuid=102 ouid=0       3751981041      2010-11-03 23:34:30     2010-11-03 23:34:30
srvnextict   10 6       559476044       pam_unix(cron:session): session opened for user www-data by (uid=0)     3751981041      2010-11-03 23:35:30     2010-11-03 23:35:30
root@srvsyslog:/tmp#

[cdukes]

Email that file to me please - it's hard to see if the formatting is correct
cdukes at logzilla.info.

[cdukes]

Ah, I see the problem - you ran the command wrong

It should be piped into db_insert.pl, not passed to it via command line. Like this:

Code: [Select]

cat logzilla_import.txt | ./db_insert.pl -d4 -v
I do see another odd thing though, your dump file is reporting the $PROGRAM field as an integer. Did this file come from syslog-ng or was it a dump from the DB?

[Avio]

Ah, I see the problem - you ran the command wrong

It should be piped into db_insert.pl, not passed to it via command line. Like this:

Code: [Select]

cat logzilla_import.txt | ./db_insert.pl -d4 -v
I do see another odd thing though, your dump file is reporting the $PROGRAM field as an integer. Did this file come from syslog-ng or was it a dump from the DB?

I piped it, same problem.

This file changes everytime arrive a new log from syslog-ng, i think is generated from script or not?

[cdukes]

Ok, I think I know what's going wrong.
You should NOT be using the logzilla text file that is dumped from the script to replay back into the script.

In order to create a dump file for debugging, please follow the steps outlined here:
http://forum.logzilla.info/index.php/topic,213.0.html

The reason for this is that once the data enters the db_insert.pl pipe, some fields are converted to CRC32 integers for faster storage in the DB (which is why your program names were showing up as integers).

So, to test syslog-ng:
1. Create a dump file using the instructions in the link above.
2. Replay the events in that dump file into db_insert.pl using:

Code: [Select]

cat LZ_DUMP.log | /var/www/logzilla/scripts/db_insert.pl -d4 -v
Verify that the import looks ok.

[Avio]

Ok, I think I know what's going wrong.
You should NOT be using the logzilla text file that is dumped from the script to replay back into the script.

In order to create a dump file for debugging, please follow the steps outlined here:
http://forum.logzilla.info/index.php/topic,213.0.html

The reason for this is that once the data enters the db_insert.pl pipe, some fields are converted to CRC32 integers for faster storage in the DB (which is why your program names were showing up as integers).

So, to test syslog-ng:
1. Create a dump file using the instructions in the link above.
2. Replay the events in that dump file into db_insert.pl using:

Code: [Select]

cat LZ_DUMP.log | /var/www/logzilla/scripts/db_insert.pl -d4 -v
Verify that the import looks ok.

Thanks. I will try and post results tomorrow.

[Avio]

Same problem: db_import.pl now recognize the file format but gives the same error, here's the output:

root@srvsyslog:/var/log/logzilla# cat syslog_dump.log | /var/www/logzilla/scripts/db_insert.pl -v -d8

2010-11-04 17:55:30
Starting /var/log/logzilla/db_insert.log for /var/www/logzilla/scripts/db_insert.pl at pid 27565
Using Database: syslog
Debug level: 8
Table: logs
Adminuser: syslogadmin
PW: ***REMOVED***
DB: syslog
DB Host: 127.0.0.1
DB Port: 3306
Deduplication Feature = 0
Logging results to /var/log/logzilla/db_insert.log
Printing results to screen (STDOUT)
    DBI::st=HASH(0x9cdf518) trace level set to 0x0/4 (DBI @ 0x0/0) in DBI 1.611-ithread (pid 27565)


INCOMING MESSAGE:
srvsyslog.gpavio.security.aviogroup.com 45      syslog-ng       syslog-ng starting up; version=\'3.1.2\'

HOST: srvsyslog.gpavio.security.aviogroup.com
PRI: 45
FAC: 5
SEV: 5
PRG: syslog-ng
MSG: syslog-ng starting up; version='3.1.2\'

MNE: None



INCOMING MESSAGE:
srvsyslog.gpavio.security.aviogroup.com 5       kernel  [89120.015721] type=1400 audit(1288889584.963:1288): apparmor=\"DENIED\" operation=\"open\" parent=1 profile=\"/usr/sbin/mysqld\" name=\"/tmp/logzilla_import.txt\" pid=23567 comm=\"mysqld\" requested_mask=\"r\" denied_mask=\"r\" fsuid=102 ouid=0

HOST: srvsyslog.gpavio.security.aviogroup.com
PRI: 5
FAC: 0
SEV: 5
PRG: kernel
MSG: [89120.015721] type=1400 audit(1288889584.963:1288): apparmor="DENIED\" operation=\"open\" parent=1 profile=\"/usr/sbin/mysqld\" name=\"/tmp/logzilla_import.txt\" pid=23567 comm=\"mysqld\" requested_mask=\"r\" denied_mask=\"r\" fsuid=102 ouid=0

MNE: None



INCOMING MESSAGE:
srvsyslog.gpavio.security.aviogroup.com 5       kernel  [89120.016996] type=1400 audit(1288889584.963:1289): apparmor=\"DENIED\" operation=\"open\" parent=1 profile=\"/usr/sbin/mysqld\" name=\"/tmp/logzilla_import.txt\" pid=23567 comm=\"mysqld\" requested_mask=\"r\" denied_mask=\"r\" fsuid=102 ouid=0

HOST: srvsyslog.gpavio.security.aviogroup.com
PRI: 5
FAC: 0
SEV: 5
PRG: kernel
MSG: [89120.016996] type=1400 audit(1288889584.963:1289): apparmor="DENIED\" operation=\"open\" parent=1 profile=\"/usr/sbin/mysqld\" name=\"/tmp/logzilla_import.txt\" pid=23567 comm=\"mysqld\" requested_mask=\"r\" denied_mask=\"r\" fsuid=102 ouid=0

MNE: None



INCOMING MESSAGE:
srvsyslog.gpavio.security.aviogroup.com 5       kernel  [89120.039280] type=1400 audit(1288889584.987:1290): apparmor=\"DENIED\" operation=\"open\" parent=1 profile=\"/usr/sbin/mysqld\" name=\"/tmp/logzilla_import.txt\" pid=23567 comm=\"mysqld\" requested_mask=\"r\" denied_mask=\"r\" fsuid=102 ouid=0

HOST: srvsyslog.gpavio.security.aviogroup.com
PRI: 5
FAC: 0
SEV: 5
PRG: kernel
MSG: [89120.039280] type=1400 audit(1288889584.987:1290): apparmor="DENIED\" operation=\"open\" parent=1 profile=\"/usr/sbin/mysqld\" name=\"/tmp/logzilla_import.txt\" pid=23567 comm=\"mysqld\" requested_mask=\"r\" denied_mask=\"r\" fsuid=102 ouid=0

MNE: None



INCOMING MESSAGE:
srvsyslog.gpavio.security.aviogroup.com 5       kernel  [89172.164563] type=1400 audit(1288889637.191:1291): apparmor=\"DENIED\" operation=\"open\" parent=1 profile=\"/usr/sbin/mysqld\" name=\"/tmp/logzilla_import.txt\" pid=23563 comm=\"mysqld\" requested_mask=\"r\" denied_mask=\"r\" fsuid=102 ouid=0

HOST: srvsyslog.gpavio.security.aviogroup.com
PRI: 5
FAC: 0
SEV: 5
PRG: kernel
MSG: [89172.164563] type=1400 audit(1288889637.191:1291): apparmor="DENIED\" operation=\"open\" parent=1 profile=\"/usr/sbin/mysqld\" name=\"/tmp/logzilla_import.txt\" pid=23563 comm=\"mysqld\" requested_mask=\"r\" denied_mask=\"r\" fsuid=102 ouid=0

MNE: None



INCOMING MESSAGE:
srvnextict      86      CRON    pam_unix(cron:session): session opened for user www-data by (uid=0)

HOST: srvnextict
PRI: 86
FAC: 10
SEV: 6
PRG: CRON
MSG: pam_unix(cron:session): session opened for user www-data by (uid=0)

MNE: None



INCOMING MESSAGE:
srvnextict      78      /USR/SBIN/CRON  (www-data) CMD (/opt/glpi/glpi-0.78/plugins/massocsimport/scripts/ocsng_fullsync.sh --thread_nbr=2 --server_id=1 )

HOST: srvnextict
PRI: 78
FAC: 9
SEV: 6
PRG: CRON
MSG: (www-data) CMD (/opt/glpi/glpi-0.78/plugins/massocsimport/scripts/ocsng_fullsync.sh --thread_nbr=2 --server_id=1 )

MNE: None

EOF - Flushing buffer
Importing 7 messages into the database
    -> execute for DBD::mysql::st (DBI::st=HASH(0x9cb6040)~0x9cdf518) thr#9aa7008
 -> dbd_st_execute for 09cdf598
        >- dbd_st_free_result_sets
        <- dbd_st_free_result_sets RC -1
        <- dbd_st_free_result_sets
mysql_st_internal_execute MYSQL_VERSION_ID 50149
>parse_params statement LOAD DATA INFILE '/tmp/logzilla_import.txt' INTO TABLE logs FIELDS TERMINATED BY "\t" LINES TERMINATED BY "\n" (host,facility,severity,program,msg,mne,fo,lo)
                --> do_error
File '/tmp/logzilla_import.txt' not found (Errcode: 13) error 29 recorded: File '/tmp/logzilla_import.txt' not found (Errcode: 13)
                <-- do_error
IGNORING ERROR errno 0
 <- dbd_st_execute returning imp_sth->row_num 18446744073709551614
    !! ERROR: 29 'File '/tmp/logzilla_import.txt' not found (Errcode: 13)' (err#0)
    <- execute= undef at /var/www/logzilla/scripts/db_insert.pl line 300
DBD::mysql::st execute failed: File '/tmp/logzilla_import.txt' not found (Errcode: 13) at /var/www/logzilla/scripts/db_insert.pl line 300.
    -> errstr for DBD::mysql::st (DBI::st=HASH(0x9cb6040)~0x9cdf518) thr#9aa7008
       ERROR: 29 'File '/tmp/logzilla_import.txt' not found (Errcode: 13)' (err#0)
    <- errstr= 'File '/tmp/logzilla_import.txt' not found (Errcode: 13)' at /var/www/logzilla/scripts/db_insert.pl line 301
    -> errstr for DBD::mysql::st (DBI::st=HASH(0x9cb6040)~0x9cdf518) thr#9aa7008
       ERROR: 29 'File '/tmp/logzilla_import.txt' not found (Errcode: 13)' (err#0)
    <- errstr= 'File '/tmp/logzilla_import.txt' not found (Errcode: 13)' at /var/www/logzilla/scripts/db_insert.pl line 304
    -> errstr for DBD::mysql::st (DBI::st=HASH(0x9cb6040)~0x9cdf518) thr#9aa7008
       ERROR: 29 'File '/tmp/logzilla_import.txt' not found (Errcode: 13)' (err#0)
    <- errstr= ( 'File '/tmp/logzilla_import.txt' not found (Errcode: 13)' ) [1 items] at /var/www/logzilla/scripts/db_insert.pl line 307
FATAL: Unable to execute SQL statement: File '/tmp/logzilla_import.txt' not found (Errcode: 13)
Inserting MPS string: chart_mps_30, 7, 2010-11-04 17:55:30
Ending insert: 17:55:30
    -> DESTROY for DBD::mysql::st (DBI::st=HASH(0x9cdf518)~INNER) thr#9aa7008
    <- DESTROY= undef

[cdukes]

File '/tmp/logzilla_import.txt' not found (Errcode: 13) error 29 recorded: File '/tmp/logzilla_import.txt' not found (Errcode: 13)

Error code 13 is a mysql error. It's trying to tell you it can't write the file.

Check your permissions, also make sure that the syslogadmin user in mysql has FILE permissions on *.*

Replace the $variables below for your environment:

Code: [Select]

GRANT FILE ON *.* TO '$dbadmin'\@'$dbhost' IDENTIFIED BY '$dbadminpw';
FLUSH PRIVILEGES;


[Avio]

File '/tmp/logzilla_import.txt' not found (Errcode: 13) error 29 recorded: File '/tmp/logzilla_import.txt' not found (Errcode: 13)

Error code 13 is a mysql error. It's trying to tell you it can't write the file.

Check your permissions, also make sure that the syslogadmin user in mysql has FILE permissions on *.*

Replace the $variables below for your environment:

Code: [Select]

GRANT FILE ON *.* TO '$dbadmin'\@'$dbhost' IDENTIFIED BY '$dbadminpw';
FLUSH PRIVILEGES;


I gave all permissions to syslogadmin on syslog db also GRANT permissions nothig changed. Also i used user db root on config.php same thing happens.
Now i am really frustrated... 

[cdukes]

Funny, the actual thing that's preventing it is pointed out in your log

Code: [Select]

apparmor="DENIED\" operation=\"open\" parent=1 profile=\"/usr/sbin/mysqld\" name=\"/tmp/logzilla_import.txt\" pid=23567 comm=\"mysqld\" requested_mask=\"r\" denied_mask=\"r\" fsuid=102 ouid=0       3751981041      2010

The problem is apparmor - try disabling it.

Edit: I've added this to the Wiki at http://nms.gdd.net/index.php/Install_Guide_for_LogZilla_v3.0#Notes.2FTroubleshooting

[Avio]

Funny, the actual thing that's preventing it is pointed out in your log

Code: [Select]

apparmor="DENIED\" operation=\"open\" parent=1 profile=\"/usr/sbin/mysqld\" name=\"/tmp/logzilla_import.txt\" pid=23567 comm=\"mysqld\" requested_mask=\"r\" denied_mask=\"r\" fsuid=102 ouid=0       3751981041      2010

The problem is apparmor - try disabling it.

WORKS! It was Apparmor, i didn't see that entry in log, incredible...

Only a question more, i had to relaunch manually sphinxd for searching, from now will it update indexes automatically?

THANKS!

[cdukes]

Please check the install guide:
http://nms.gdd.net/index.php/Install_Guide_for_LogZilla_v3.0#Installing_Sphinx

Which explains how to add it to both cron and your /etc/rc.local file