[syslog-ng]Problem of recording
Stefano Tanfoglio
stefano.tanfoglio@assyrus.it
Wed, 6 Nov 2002 17:53:32 +0100
I am Stefano Tanfoglio; I work for a bank in Italy.
I use syslog-ng to archive the logs of 176 computers (2 routers, 125
Windows servers, 51 Linux servers).

On the Windows servers I use the ntsyslog service:
    protocol = udp
    destination server = ip syslog-ng server
    destination port = 514
Ntsyslog sends all logs.

On the Linux servers I use syslog:
    auth.*                          @syslog01.xxxx.it
    authpriv.*                      @syslog01.xxxx.it
    kernel.=err;kernel.=warn        @syslog01.xxxx.it
    mail.=err;mail.=warn            @syslog01.xxxx.it
    daemon.=err;daemon.=warn        @syslog01.xxxx.it
    local7.=err;local7.=warn        @syslog01.xxxx.it
...
...

Configuration syslog-ng.conf:
Version: syslog-ng-1.4.14-2mdk

options {
    sync (0);
    time_reopen (10);
    log_fifo_size (3000);
    long_hostnames (on);
    use_dns (yes);
    use_fqdn (yes);
    create_dirs (yes);
    keep_hostname (yes);
};

source remote { udp(); };

destination linux { file("/var/log/HOSTS/LINUX/$HOST/$FACILITY" dir_perm(0755) perm(0655)); };
destination windows { file("/var/log/HOSTS/WINDOWS/$HOST/$FACILITY" dir_perm(0755) perm(0655)); };
destination router { file("/var/log/HOSTS/ROUTER/$HOST/$FACILITY" dir_perm(0755) perm(0655)); };

filter f_linux { host("name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|51"); };
filter f_windows { host("name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|125"); };
filter f_router { host("name1.domain.tld|name2.domain.tld"); };

log { source(remote); filter(f_linux); destination(linux); };
log { source(remote); filter(f_windows); destination(windows); };
log { source(remote); filter(f_router); destination(router); };

Problem:

1) In the Windows section I have 125 machines and only 80 are recording.
I tried moving the last hostname to the first position:

filter f_windows { host("125|name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|124"); };

The test is OK: the hostname is logged and recorded.

2) Every 10-15 minutes the syslog-ng system goes down.

3) I tried the new version, but I have not obtained positive results.

4) I have modified the syslog-ng.conf:
....
....
destination tem { file("/var/log/HOSTS/ALL/$HOST" dir_perm(0755) perm(0655)); };
...
...
...
log { source(remote); destination(tem); };
..
..
With this solution all the machines are recorded and the server doesn't crash.
I have not tried DB recording.
Thanks for the collaboration.
Stefano Tanfoglio
Assyrus Srl
www.assyrus.it
ICQ:146827274
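
Added example, not part of the original message: one way to answer the question behind problem 1 (125 hosts expected, 80 recording) is to compare the host inventory against a per-host tree such as /var/log/HOSTS/WINDOWS/$HOST/$FACILITY and list which hosts have no directory or no recent file. The function names, the one-hour freshness threshold and the sample host names are assumptions.

```python
import os
import tempfile
import time

def coverage(root, expected_hosts, max_age_s=3600, now=None):
    """Classify each expected host as 'ok', 'stale' or 'missing'.

    root holds one sub-directory per $HOST, as created by
    file(".../$HOST/$FACILITY") with create_dirs(yes).
    """
    now = time.time() if now is None else now
    # Hostnames are not case-sensitive, so compare directory names lowercased.
    present = {name.lower(): os.path.join(root, name)
               for name in os.listdir(root)
               if os.path.isdir(os.path.join(root, name))}
    report = {}
    for host in expected_hosts:
        path = present.get(host.lower())
        if path is None:
            report[host] = "missing"   # nothing was ever written for this host
            continue
        mtimes = [os.path.getmtime(os.path.join(path, f)) for f in os.listdir(path)]
        newest = max(mtimes, default=0)
        report[host] = "ok" if now - newest <= max_age_s else "stale"
    return report

def unexpected(root, expected_hosts):
    """Entries on disk that are not in the inventory (e.g. short name vs. FQDN)."""
    wanted = {h.lower() for h in expected_hosts}
    return sorted(d for d in os.listdir(root) if d.lower() not in wanted)

def demo():
    # Constructed sample tree in a temp dir; host names are placeholders.
    root = tempfile.mkdtemp()
    now = time.time()
    for host, age in (("name1.domain.tld", 60), ("name2.domain.tld", 7200), ("name9", 60)):
        os.makedirs(os.path.join(root, host))
        logfile = os.path.join(root, host, "auth")
        open(logfile, "w").close()
        os.utime(logfile, (now - age, now - age))   # backdate the file
    inventory = ["name1.domain.tld", "name2.domain.tld", "name3.domain.tld"]
    return coverage(root, inventory, now=now), unexpected(root, inventory)

if __name__ == "__main__":
    print(demo())
```

Run against the catch-all tree from point 4 (/var/log/HOSTS/ALL), the same comparison shows which names the server actually assigns to $HOST, which can then be checked against the names listed in each host() filter.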