Update your custom syslog-ng configuration files to be compatible with the new syslog-ng
syntax in version 3.23.
About this task
During the upgrade to Update Package 8, the custom configuration files in the /opt/qradar/conf/syslog-ng.conf and /etc/syslog-ng/conf.d/ directories are validated to verify whether their syntax is still valid for syslog-ng version 3.23.
If any custom configuration files are invalid, a .invalid file extension is added to the files to prevent syslog-ng from using them. You can update these custom configuration files to prevent syslog-ng from failing.
Procedure
- After you upgrade to Update Package 8, check the syslog-ng service logs by using the following command.
  If any custom syslog-ng configuration files are invalid, the service logs show warning messages. These files are renamed with the .invalid file extension.
- Identify the issues that need to be resolved by using the following command, and replace <custom_file> with the directory path to the invalid configuration file.
  /usr/sbin/syslog-ng --syntax-only --cfgfile=<custom_file>
  For example:
  /usr/sbin/syslog-ng --syntax-only --cfgfile=/etc/syslog-ng/conf.d/99-audit.conf.invalid
- After you resolve the issues, remove the .invalid extension from the configuration files and restart syslog-ng by using the following command.
  systemctl restart syslog-ng
- Verify that no new warnings are in the syslog-ng service logs by using the following
command.
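
The validate, rename and restart steps above can be scripted so that a file is only put back in service after it passes the syntax check. The following is an added example, not part of the original procedure; the function name `revalidate_invalid` and the `SYSLOG_NG_BIN` override are hypothetical names chosen for this sketch.

```shell
#!/bin/sh
# Added example: re-check every *.invalid file in a directory and restore
# only the ones that now pass "syslog-ng --syntax-only".
# SYSLOG_NG_BIN is a hypothetical override for the validator binary.
SYSLOG_NG_BIN="${SYSLOG_NG_BIN:-/usr/sbin/syslog-ng}"

# revalidate_invalid DIR
# Prints one status line per file. Returns 0 only when every *.invalid
# file in DIR was restored, so the caller knows a restart is safe.
revalidate_invalid() {
    local dir="$1" f target failed=0
    for f in "$dir"/*.invalid; do
        [ -e "$f" ] || continue          # glob matched nothing
        target="${f%.invalid}"
        if [ -e "$target" ]; then
            # Never overwrite a configuration file that is already active.
            echo "skipped $f: $target already exists"
            failed=1
        elif "$SYSLOG_NG_BIN" --syntax-only --cfgfile="$f"; then
            mv -- "$f" "$target"
            echo "restored $target"
        else
            # syslog-ng has printed the syntax errors for this file above.
            echo "still invalid $f"
            failed=1
        fi
    done
    return "$failed"
}

# Runs only when a directory is given on the command line, for example:
#   sh revalidate.sh /etc/syslog-ng/conf.d
if [ "$#" -gt 0 ]; then
    if revalidate_invalid "$1"; then
        systemctl restart syslog-ng
    else
        echo "fix the files listed above, then run again" >&2
        exit 1
    fi
fi
```

The service is restarted only when no .invalid file remains in the directory, which avoids restarting syslog-ng with part of the custom configuration still disabled.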