syslog-ng latest package broke tls
-
Hello,
The latest syslog-ng package seems to be broken.
It is telling me that the plugin tls is not found.
This config was working fine until updating to the latest syslog-ng package.
Looks like it hasn't been built with the tls plugin or something.
Is it possible to roll back to working packages and blacklist this package from being updated?
-
I guess no one uses syslog-ng with tls.... but tls is completely broken with the latest syslog-ng package.
Looks like it hasn't been built with the tls plugin or something.
This configuration was working just fine with the previous package of syslog-ng. I updated and it doesn't like tls settings now.
-
I have the same issue.
I did open this thread earlier:
https://forum.netgate.com/topic/165292/syslog-ng-fails-after-2-5-2-update-due-to-tls-not-found
-
See the patch that is listed here:
https://github.com/pfsense/FreeBSD-ports/commit/a5b1eda67c40592e14806a4a4bbdd946f0461045#comments
-
@juve yea this is really bad, like I get errors and stuff but because there seems to be no way to roll back from a bad package, we then get stuck with broken functionality :/
Need a package rollback functionality for this situation! My device can not ship logs to the SOC :( :( :(
-
@johnpoz How do I apply a patch?
-
@johnpoz The patch does not work.
It says it can't be cleanly applied and doesn't let me proceed to applying it.
-
@juve The fix is to go to patches in the GUI
Add a patch and give the patch a name, ignore the URL and in the big text box paste:
--- /usr/local/pkg/syslog-ng.inc +++ /usr/local/pkg/syslog-ng.inc @@ -135,10 +135,6 @@ function syslogng_build_default_objects($settings) { safe_mkdir(SYSLOGNG_DIR); safe_mkdir(SYSLOGNG_DIR . "/ca.d"); syslogng_build_cert($settings); - $default_objects[0]['objectparameters'] .= " tls( - key-file('/var/etc/syslog-ng/syslog-ng.key') - cert-file('/var/etc/syslog-ng/syslog-ng.cert') - ca-dir('/var/etc/syslog-ng/ca.d'))"; } else { rmdir_recursive(SYSLOGNG_DIR); } @@ -146,7 +142,11 @@ function syslogng_build_default_objects($settings) { foreach (explode(",", $interfaces) as $interface) { $interface_address = syslogng_get_real_interface_address($interface); if ($interface_address[0]) { - $default_objects[0]['objectparameters'] .= " syslog(transport($default_protocol) port($default_port) ip({$interface_address[0]}));"; + $default_objects[0]['objectparameters'] .= " syslog(transport($default_protocol) port($default_port) ip({$interface_address[0]})"; + if ($settings['default_protocol'] == 'tls') { + $default_objects[0]['objectparameters'] .= " tls(key-file('/var/etc/syslog-ng/syslog-ng.key') cert-file('/var/etc/syslog-ng/syslog-ng.cert') ca-dir('/var/etc/syslog-ng/ca.d'))"; + } + $default_objects[0]['objectparameters'] .= ");"; } } $default_objects[0]['objectparameters'] .= " };";
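Review bot: In the second hunk the new condition tests $settings['default_protocol'] == 'tls', while the syslog() line just above it is built from $default_protocol. If those two can ever differ (how $default_protocol is derived is not visible in this patch), the generated config could carry transport(tls) without a tls() block, or the reverse. Suggest testing the same variable that feeds transport(), with a strict === comparison. A short code comment would also help here, stating that the tls() options must sit inside syslog(...) before the closing ");", since the first hunk removes the copy that was appended outside it.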
Set the path strip from 2 to 0 and then save the patch.
You'll then see a button that says "Test" with a big tick. Press that button and then another button should appear that says "Apply". Press that and then try to start syslog-ng. It seems to have fixed it for me.
A little concerning that a firewall can just have code pushed willy-nilly that cripples its ability to phone home :/
I think a package rollback feature is needed because if there is no one who can make a patch we are proper cactus!
-
I did upgrade the package today and now everything is working!
Thank you