I am running into an issue with Syslog. Ubuntu - 18.04, osquery - 4.0.2, Syslog-ng- 3.13.2. I got the message "Successfully opened pipe for Syslog ingestion: /var/osquery/syslog_pipe". Even cat works on syslog_pipe, but no result on query select * from syslog_events. Any help here. @zwass

Did you configure syslog to write into that pipe?

@seph Yes as per the documentation.

Hrm. Are the various osquery settings for syslog events set? (I'm mobile and can't look them up just now)

I was only using --enable_syslog, --disable_events, --syslog_pipe_path flags

Should that be

--disable_events=false

?

yes it was --disable_events=false, I have tried all possible combinations, I read all the discussions on slack. Nothing helped me. The Syslog table always remains empty. Tried with both rsyslog and syslog-ng. both with osqueryi and osqueryd, nothing worked.

The

osquery_

tables often can provide some insight to how events are working

I queried osquery_events table and refreshes count kept on increasing

I’m not really sure how to read that. But I do see the events count staying at zero there

I am receiving syslog in

cat /var/osquery/syslog_pipe

If you are receiving it in

cat

you will not receive it in osquery

@zwass Yes, I just cat it. Never simultaneously run osquery and cat on syslog_pipe

I see

Possibly this issue? https://github.com/osquery/osquery/issues/4810 I haven't worked with syslog for a while.

Probably yes,

syslog hang issue