It seems that syslog-ng thinks you're looking for $DAY_ and not $DAY.
Try to replace the underscore by a dot, or RTFM to see if syslog-ng
supports specifying variables that way : ${DAY}.
Regards,
J.
-----Original Message-----
From: William Pope [mailto:pope.william@epa.gov]
Sent: Mon 8/25/2003 20:43
To: syslog-ng@lists.balabit.hu
Cc:
Subject: [syslog-ng]$DAY in
I recently upgraded syslog-ng from version 1.4.17 to 1.6.0rc3. After
the upgrade, the system logs do not include the DAY when sent to the
following destination.
destination hosts {
file("/var/adm/logs/$HOST/$YEAR/$MONTH/$DAY_$FACILITY"); };
I get logs like /var/logs/HOST/2003/08/kern.log instead of
/var/logs/HOST/2003/08/25_kern.log like I did with version 1.4.17. The
day and the underscore are missing. I am using the same conf file as
1.4.17.
Any help would be greatly appreciated! I am sure I am missing something
stupid.
Thank you,
Will
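The reply's diagnosis, as an added illustration that is not part of the thread and not syslog-ng's own code: syslog-ng reads a `$` followed by a run of identifier characters (letters, digits and underscore) as one macro name, so `$DAY_` is taken as the macro `DAY_`, which is unknown and expands to nothing, and the brace form `${DAY}` ends the name explicitly. The small expander below mimics that tokenisation in Python (the character class is an assumption about syslog-ng's parser) and includes the check a practitioner would run before deploying a template: list every macro it references and flag the ones that do not exist. The macro values are constructed.

```python
import re

# Constructed sample: values a syslog-ng destination template would see for one message.
SAMPLE_MACROS = {
    "HOST": "host1",
    "FACILITY": "kern",
    "YEAR": "2003",
    "MONTH": "08",
    "DAY": "25",
}

# A macro reference is either ${NAME} or $NAME, where NAME runs over letters, digits
# and underscores (assumed to match how syslog-ng tokenises template strings).
_MACRO_RE = re.compile(r"\$(?:\{(?P<braced>[A-Za-z0-9_]+)\}|(?P<bare>[A-Za-z0-9_]+))")


def expand_template(template: str, macros: dict, unknown: str = "") -> str:
    """Expand $NAME / ${NAME} references; unknown names expand to `unknown`."""
    def repl(m):
        name = m.group("braced") or m.group("bare")
        return macros.get(name, unknown)
    return _MACRO_RE.sub(repl, template)


def referenced_macros(template: str) -> list:
    """Return the macro names a template actually references, in order."""
    return [m.group("braced") or m.group("bare") for m in _MACRO_RE.finditer(template)]


def unknown_macros(template: str, macros: dict) -> list:
    """Names the template uses that the macro table does not define (lint check)."""
    return [n for n in referenced_macros(template) if n not in macros]


if __name__ == "__main__":
    broken = "/var/adm/logs/$HOST/$YEAR/$MONTH/$DAY_$FACILITY"
    fixed = "/var/adm/logs/$HOST/$YEAR/$MONTH/${DAY}_$FACILITY"
    print(referenced_macros(broken))               # ['HOST', 'YEAR', 'MONTH', 'DAY_', 'FACILITY']
    print(unknown_macros(broken, SAMPLE_MACROS))   # ['DAY_']
    print(expand_template(broken, SAMPLE_MACROS))  # /var/adm/logs/host1/2003/08/kern
    print(expand_template(fixed, SAMPLE_MACROS))   # /var/adm/logs/host1/2003/08/25_kern
```

The broken template reproduces exactly what the question reports: the day and the underscore both vanish, because they were swallowed into the name of a macro that does not exist.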
From syslog-ng@lists.balabit.hu Mon Aug 25 22:09:11 2003
From: syslog-ng@lists.balabit.hu (seth vidal)
Date: 25 Aug 2003 17:09:11 -0400
Subject: [syslog-ng]newbie linux/syslog-ng server question...
In-Reply-To: <3F4A79A4.8060702@duke.edu>
References: <3F4A79A4.8060702@duke.edu>
Message-ID: <1061845751.26027.36.camel@opus.phy.duke.edu>
On Mon, 2003-08-25 at 17:03, Matt Miller wrote:
> When running syslog-ng on linux, do I still need to run klogd... or does
> syslog-ng replace syslogd and klogd?
Hi Matt,
You have to set up a source with pipe("/proc/kmsg"); then you don't
need klogd.
Also, if you need syslog-ng packages for the distro additions on campus,
ask on the internal lists. I've got rpms for 7.3 and 9 duke addons.
-sv
From syslog-ng@lists.balabit.hu Tue Aug 26 20:40:34 2003
From: syslog-ng@lists.balabit.hu (Matt Scifo)
Date: 26 Aug 2003 12:40:34 -0700
Subject: [syslog-ng]template_escape character not valid for oracle
Message-ID: <1061926834.23729.59.camel@localhost>
Hello
I just started using syslog-ng with an oracle database as my
destination. I have discovered that Oracle does not accept a backslash
as an escape character (I thought backslash was a standard).
The following query does not work in Oracle...
INSERT INTO messages (ID, TIMESTAMP, HOST ,FACILITY, PRIORITY, TAG,
PROGRAM, MESSAGE) VALUES ('', to_date('2003-08-26 11:51:00', 'yyyy-mm-dd
hh24:mi:ss'), 'host1', 'local0', 'warning', '84', '1', 'STOP:
\'edrasmu\' message')
It will only accept a single quote for escaping a single quote...
INSERT INTO messages (ID, TIMESTAMP, HOST ,FACILITY, PRIORITY, TAG,
PROGRAM, MESSAGE) VALUES ('', to_date('2003-08-26 11:51:00', 'yyyy-mm-dd
hh24:mi:ss'), 'host1', 'local0', 'warning', '84', '1', 'STOP:
''edrasmu'' message')
How hard would it be to change the escape character that syslog-ng is
looking for, or even better, make a template_escape(string) option which
accepts a custom escape string? Where is the code that handles the
escaping of characters located in the source?
Matt Scifo
mscifo@o1.com
From syslog-ng@lists.balabit.hu Wed Aug 27 12:42:10 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Wed, 27 Aug 2003 13:42:10 +0200
Subject: [syslog-ng]template_escape character not valid for oracle
In-Reply-To: <1061926834.23729.59.camel@localhost>
References: <1061926834.23729.59.camel@localhost>
Message-ID: <20030827114209.GC11883@balabit.hu>
On Tue, Aug 26, 2003 at 12:40:34PM -0700, Matt Scifo wrote:
> Hello
>
> I just started using syslog-ng with an oracle database as my
> destination. I have discovered that Oracle does not accept a backslash
> as an escape character (I thought backslash was a standard).
>
> The following query does not work in Oracle...
>
> INSERT INTO messages (ID, TIMESTAMP, HOST ,FACILITY, PRIORITY, TAG,
> PROGRAM, MESSAGE) VALUES ('', to_date('2003-08-26 11:51:00', 'yyyy-mm-dd
> hh24:mi:ss'), 'host1', 'local0', 'warning', '84', '1', 'STOP:
> \'edrasmu\' message')
>
> It will only accept a single quote for escaping a single quote...
>
> INSERT INTO messages (ID, TIMESTAMP, HOST ,FACILITY, PRIORITY, TAG,
> PROGRAM, MESSAGE) VALUES ('', to_date('2003-08-26 11:51:00', 'yyyy-mm-dd
> hh24:mi:ss'), 'host1', 'local0', 'warning', '84', '1', 'STOP:
> ''edrasmu'' message')
>
> How hard would it be to change the escape character that syslog-ng is
> looking for, or even better, make a template_escape(string) option which
> accepts a custom escape string? Where is the code that handles the
> escaping of characters located in the source?
you are looking for macros.c, append_string function, currently the escaping
via '\' is absolutely wired in.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
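Added example, not from the thread and not syslog-ng's code: the two escaping styles from the question side by side, with an in-memory SQLite database standing in for Oracle because both follow the SQL standard, in which a single quote inside a string literal is written as two single quotes and a backslash has no special meaning. The third variant binds the message as a parameter, which needs no escaping rule at all. The table is reduced to four columns, and the hostile message is constructed to show why a mismatch between the escape character and the database matters: a syslog line is attacker-controlled input, so if the INSERT is assembled by concatenation the escaping has to match the database exactly or a crafted message becomes SQL injection.

```python
import sqlite3

# Constructed inputs: the message from the question, and a hostile one a remote host
# could send to a collector that builds INSERT statements by string concatenation.
MESSAGE = "STOP: 'edrasmu' message"
HOSTILE = "x'); DELETE FROM messages; --"

INSERT_TEMPLATE = (
    "INSERT INTO messages (HOST, FACILITY, PRIORITY, MESSAGE) "
    "VALUES ('host1', 'local0', 'warning', '{msg}')"
)


def escape_backslash(s: str) -> str:
    """Backslash escaping, as in the rejected query: ' becomes \\' (MySQL style)."""
    return s.replace("'", "\\'")


def escape_sql_standard(s: str) -> str:
    """SQL-standard quoting, which Oracle and SQLite accept: ' becomes ''."""
    return s.replace("'", "''")


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (HOST TEXT, FACILITY TEXT, PRIORITY TEXT, MESSAGE TEXT)")
    return conn


def run_concatenated(escaper, msg: str) -> dict:
    """Build the INSERT by concatenation and hand it to the database as a script.

    executescript() runs every statement it is given, the way a client that pipes
    generated SQL into the database would, so an escaping mismatch can turn one log
    line into several statements.
    """
    conn = fresh_db()
    sql = INSERT_TEMPLATE.format(msg=escaper(msg))
    try:
        conn.executescript(sql)
    except sqlite3.Error as e:
        return {"ok": False, "error": str(e), "rows": []}
    rows = [r[0] for r in conn.execute("SELECT MESSAGE FROM messages")]
    return {"ok": True, "error": None, "rows": rows}


def run_bound(msg: str) -> list:
    """Bound parameter: the driver never parses msg as SQL, so no escape rule is needed."""
    conn = fresh_db()
    conn.execute(
        "INSERT INTO messages (HOST, FACILITY, PRIORITY, MESSAGE) VALUES (?, ?, ?, ?)",
        ("host1", "local0", "warning", msg),
    )
    return [r[0] for r in conn.execute("SELECT MESSAGE FROM messages")]


if __name__ == "__main__":
    for name, esc in (("backslash", escape_backslash), ("doubled quote", escape_sql_standard)):
        for msg in (MESSAGE, HOSTILE):
            print(name, repr(msg), run_concatenated(esc, msg))
    print("bound", run_bound(HOSTILE))
```

With backslash escaping the ordinary message is a syntax error (what Oracle rejected), while the hostile one is accepted and its DELETE runs, leaving the table empty. With doubled quotes both are stored verbatim, and the bound parameter stores the hostile text as plain data whatever escape character anyone picked.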
From syslog-ng@lists.balabit.hu Wed Aug 27 17:24:55 2003
From: syslog-ng@lists.balabit.hu (Matt Scifo)
Date: 27 Aug 2003 09:24:55 -0700
Subject: [syslog-ng]template_escape character not valid for oracle
In-Reply-To: <20030827114209.GC11883@balabit.hu>
References: <1061926834.23729.59.camel@localhost>
<20030827114209.GC11883@balabit.hu>
Message-ID: <1062001495.23728.65.camel@localhost>
Thanks. I found it.
On Wed, 2003-08-27 at 04:42, Balazs Scheidler wrote:
> On Tue, Aug 26, 2003 at 12:40:34PM -0700, Matt Scifo wrote:
> > Hello
> >
> > I just started using syslog-ng with an oracle database as my
> > destination. I have discovered that Oracle does not accept a backslash
> > as an escape character (I thought backslash was a standard).
> >
> > The following query does not work in Oracle...
> >
> > INSERT INTO messages (ID, TIMESTAMP, HOST ,FACILITY, PRIORITY, TAG,
> > PROGRAM, MESSAGE) VALUES ('', to_date('2003-08-26 11:51:00', 'yyyy-mm-dd
> > hh24:mi:ss'), 'host1', 'local0', 'warning', '84', '1', 'STOP:
> > \'edrasmu\' message')
> >
> > It will only accept a single quote for escaping a single quote...
> >
> > INSERT INTO messages (ID, TIMESTAMP, HOST ,FACILITY, PRIORITY, TAG,
> > PROGRAM, MESSAGE) VALUES ('', to_date('2003-08-26 11:51:00', 'yyyy-mm-dd
> > hh24:mi:ss'), 'host1', 'local0', 'warning', '84', '1', 'STOP:
> > ''edrasmu'' message')
> >
> > How hard would it be to change the escape character that syslog-ng is
> > looking for, or even better, make a template_escape(string) option which
> > accepts a custom escape string? Where is the code that handles the
> > escaping of characters located in the source?
>
> you are looking for macros.c, append_string function, currently the escaping
> via '\' is absolutely wired in.
From syslog-ng@lists.balabit.hu Sat Aug 2 14:19:35 2003
From: syslog-ng@lists.balabit.hu (Ravi shetkar)
Date: Sat, 2 Aug 2003 06:19:35 -0700 (PDT)
Subject: [syslog-ng]new member
Message-ID: <20030802131935.55965.qmail@web41709.mail.yahoo.com>
Hi
My name is Shetkar Ravi and, as I am new to syslog-ng, I am interested in becoming a new syslog-ng member to learn more about syslog-ng.
I am currently working on a logging server project. I searched the web and found a lot of good things and recommendations about syslog-ng and decided to install and test it in my Solaris/HP/AIX environment.
I downloaded libol-0.3.9 and syslog-ng-1.6.0rc3 and installed and compiled them on a Solaris 8 server.
I added the /etc/syslog-ng/syslog-ng.conf file and modified the /etc/init.d/syslog file, but when I try to start syslog-ng (/etc/init.d/syslog start) it gives me the following error on the console:
io.c: bind_inet_socket() bind failed 0.0.0.0:514 Address already in use
I need your help and suggestions for the syslog-ng configuration to make it work on my syslog-ng centralized logging server.
Do I need to install syslog-ng on all the clients also, or will the default syslog work?
And then what will the syslog.conf file on the clients be?
Following are my configuration files.
/etc/syslog-ng/syslog-ng.conf file..
# more syslog-ng.conf
#
# Syslog-ng example configuration file for Solaris
#
#use_fqdn() add FQDN instead of short hostname
#use_dns() use DNS (may cause DOS)
#sync() number of lines buffered before written to file
#log_fifo_size() number of lines fitting to the output queue
#
#options { use_fqdn(no);
# keep_hostname(yes);
# use_dns(no);
# long_hostnames(off);
# sync(0);
# log_fifo_size(1000); };
options { sync(0); keep_hostname(yes); chain_hostnames(no);
log_fifo_size(30000); };
source s_local { sun-streams("/dev/log" door("/etc/.syslog_door"));
internal(); };
source s_net_udp { udp(); };
destination d_local { file("/logs/messages"); };
log { source(s_local); source(s_net_udp); destination(d_local); };
#
# local and network sources
#
# + will accept udp/tcp connections on port 514 from any host
# + keepalive option is for tcp only and will keep connection open
# when the SIGHUP signal is seen
#
#source s_stream { sun-streams("/dev/log" door("/etc/.syslog_door"); };
#source local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal();};
#source network { udp(); tcp(); };
#source s_tcp { tcp(ip(127.0.0.1) port(19990) max-connections(10)); };
#Source s_udp { udp(); };
#
# standard destinations for local standard system messages
#
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination kern { file("/var/log/kern.log"); };
destination maillog { file("/var/log/maillog"); };
#
# special log destinations for our remote hosts
# (pixlog, switchlog) and for our IP Filter firewall (ipflog)
#
#destination ipflog { file("/var/log/ipf.log"); };
#destination pixlog { file("/var/log/pix.log"); };
#destination switchlog { file("/var/log/switch.log"); };
#
# Some log files used to catch remaining messages
#
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
#
# console destination
#
destination console { file("/dev/sysmsg"); };
#
# filters for standard local system messages which come
# in on non-local facilities
#
filter f_authpriv { facility(auth) ; };
filter f_syslog { not facility(auth) and not facility(mail); };
filter f_kern { facility(kern); };
filter f_mail { facility(mail); };
#
# filters for IPFilter and the Cisco equipment
#
#filter f_ipf { facility(local0); };
#filter f_pix { facility(local4); };
#filter f_switch { facility(local6, local7); };
#
# catch the rest
#
filter f_debug { not facility(kern, auth, mail, local6, local7, local4, local0); };
filter f_messages { level(info .. warn) and not facility(auth, mail, local0, local4, local6, local7); };
#
# filters for various emergency level messages
#
filter f_emergency { level(emerg); };
#
# log emergency level messages out to console
#
log { source(local); filter(f_emergency); destination(console); };
#
# log messages from local machine
#
log { source(local); filter(f_authpriv); destination(authlog); };
log { source(local); filter(f_syslog); destination(syslog); };
log { source(local); filter(f_kern); destination(kern); };
log { source(local); filter(f_mail); destination(maillog); };
#
# log IP Filter messages to the ipf.log
#
#log { source(local); filter(f_ipf); destination(ipflog); };
#
# log switch and pix messages
#
#log { source(network); filter(f_pix); destination(pixlog); };
#log { source(network); filter(f_switch); destination(switchlog); };
#
# catch the rest of the messages
#
log { source(local); source(network); filter(f_debug); destination(debug); };
log { source(local); source(network); filter(f_messages); destination(messages); };
#
# Automatic sorting of host messages by $HOST and $YEAR$MONTH$DAY
#
# + will automatically create a directory structure for all messages
# sorted first by host, then by date, then by facility.
# + with use_dns(no) we will have files based on ip address not hostname
#
destination hosts { file("/var/log/HOSTS/$HOST/$YEAR$MONTH$DAY/$FACILITY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
#
# logs all incoming messages from network source to the sorted
# destination
#
log { source(network); destination(hosts); };
My /etc/init.d/syslog file is
# more syslog
#!/sbin/sh
#
# script to start syslog-ng on boot up for a Solaris machine.
# This script replaces /etc/init.d/syslog on a Solaris machine.
#
case "$1" in
'start')
if [ -f /etc/syslog-ng.conf -a -f /usr/local/sbin/syslog-ng ];
then
echo 'syslog-ng service starting.'
#
# Before syslogd starts, save any messages from previous
# crash dumps so that messages appear in chronological order.
#
/usr/bin/savecore -m
if [ -r /etc/dumpadm.conf ]; then
. /etc/dumpadm.conf
[ "x$DUMPADM_DEVICE" != xswap ] && \
/usr/bin/savecore -m -f $DUMPADM_DEVICE
fi
if [ ! -f /var/adm/messages ]; then
/usr/bin/cp /dev/null /var/adm/messages
/usr/bin/chmod 0644 /var/adm/messages
fi
/usr/local/sbin/syslog-ng >/dev/msglog 2>&1 &
fi
;;
'stop')
echo 'syslog-ng service stopping.'
if [ -f /var/run/syslog-ng.pid ]; then
syspid=`/usr/bin/cat /var/run/syslog-ng.pid`
[ "$syspid" -gt 0 ] && kill -15 $syspid
fi
;;
*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
My daemon is in /usr/local/sbin/syslog-ng.
Thanks for your help.
Shetkar Ravi
Unix System Administrator
WebMD
rshetkar@webmd.net
rshetkar88@yahoo.com
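The posted syslog-ng.conf declares its live sources as s_local and s_net_udp, while the log statements further down refer to source(local) and source(network), names that only appear in commented-out lines; likewise the init script tests for /etc/syslog-ng.conf while the file was written to /etc/syslog-ng/syslog-ng.conf. Neither explains the bind error itself, which says another process already owns UDP port 514 on that host (on a Solaris box that has just had its syslog init script replaced, the stock syslogd started at boot is the usual owner), but both would stop syslog-ng once the port is free. The checker below is an added example, not part of the thread and not a syslog-ng tool: it strips comments, collects declared source/destination/filter names, and reports every reference from a log statement that has no declaration. The configuration it runs on is a condensed copy of the posted one, constructed for this example.

```python
import re

# Condensed copy of the posted syslog-ng.conf (constructed for this example): the live
# sources are declared as s_local/s_net_udp, the later log statements use local/network.
SAMPLE_CONF = """
options { sync(0); keep_hostname(yes); chain_hostnames(no); log_fifo_size(30000); };
source s_local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); };
source s_net_udp { udp(); };
destination d_local { file("/logs/messages"); };
log { source(s_local); source(s_net_udp); destination(d_local); };
#source local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal();};
#source network { udp(); tcp(); };
destination authlog { file("/var/log/auth.log"); };
destination console { file("/dev/sysmsg"); };
destination hosts { file("/var/log/HOSTS/$HOST/$YEAR$MONTH$DAY/$FACILITY" create_dirs(yes)); };
filter f_authpriv { facility(auth); };
filter f_emergency { level(emerg); };
log { source(local); filter(f_emergency); destination(console); };
log { source(local); filter(f_authpriv); destination(authlog); };
log { source(network); destination(hosts); };
"""

KINDS = ("source", "destination", "filter")
# Top-level declaration: "source NAME {", "destination NAME {", "filter NAME {".
_DECL_RE = re.compile(r"^\s*(source|destination|filter)\s+([A-Za-z0-9_]+)\s*\{", re.M)
# A whole "log { ... };" statement (the body runs up to the first "};").
_LOG_RE = re.compile(r"^\s*log\s*\{(.*?)\};", re.M | re.S)
# A reference inside a log statement: "source(NAME)", "filter(NAME)", ...
_REF_RE = re.compile(r"\b(source|destination|filter)\s*\(\s*([A-Za-z0-9_]+)\s*\)")


def strip_comments(text: str) -> str:
    """Drop everything from '#' to end of line (syslog-ng's comment syntax)."""
    return re.sub(r"#[^\n]*", "", text)


def declared_names(text: str) -> dict:
    """{'source': {...}, 'destination': {...}, 'filter': {...}} from live declarations."""
    names = {k: set() for k in KINDS}
    for kind, name in _DECL_RE.findall(strip_comments(text)):
        names[kind].add(name)
    return names


def log_references(text: str) -> list:
    """(kind, name, log-statement-number) for every reference inside a log block."""
    refs = []
    for n, body in enumerate(_LOG_RE.findall(strip_comments(text)), start=1):
        for kind, name in _REF_RE.findall(body):
            refs.append((kind, name, n))
    return refs


def undefined_references(text: str) -> list:
    """References whose target is not declared (commented-out declarations do not count)."""
    names = declared_names(text)
    return [(kind, name, n) for kind, name, n in log_references(text) if name not in names[kind]]


if __name__ == "__main__":
    for kind, name, n in undefined_references(SAMPLE_CONF):
        print(f"log statement {n}: {kind}({name}) is not declared")
```

Run against the posted file it reports source(local) twice and source(network) once; renaming the references to s_local and s_net_udp (or uncommenting the local/network declarations and dropping the duplicates) clears it.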
From syslog-ng@lists.balabit.hu Tue Aug 19 10:17:06 2003
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Tue, 19 Aug 2003 11:17:06 +0200
Subject: [syslog-ng]Forwarding unchanged Syslog messages
Message-ID: <3F41EB12.1050206@lgs.com>
Is it possible to forward syslog messages without modifying the host and
the messages?
I thought "keep_hostname(yes)" would solve the problem, but it didn't.
Normally I use version 1.5.15 shipped with Debian, but I tried 1.5.26 too.
I don't know if it's important, but our syslog server has a load of 100%
the whole day (not from syslog-ng).
I tried the following config:
options { use_fqdn(yes); sync(0); use_dns(yes);
chain_hostnames(yes); keep_hostname(yes); };
source net { tcp(); udp();};
destination pc1 { udp(192.168.1.1);};
destination pc2 { udp(192.168.1.2);};
destination pc3 { udp(192.168.1.3);};
log { source(net); destination(pc1);};
log { source(net); destination(pc2);};
log { source(net); destination(pc3);};
bye
Harrie
From syslog-ng@lists.balabit.hu Fri Aug 22 19:33:55 2003
From: syslog-ng@lists.balabit.hu (Shah, Sanjay T [FI])
Date: Fri, 22 Aug 2003 14:33:55 -0400
Subject: [syslog-ng]Any one ported syslog-ng for IRIX system
Message-ID: <1FD06269A7D4D611851800080261511A049600EB@exchny57.ny.ssmb.com>
Has any one ported syslog-ng for IRIX system?
Can you please provide some info on source ?
Thanks
sanjay
From syslog-ng@lists.balabit.hu Thu Aug 28 09:23:27 2003
From: syslog-ng@lists.balabit.hu (TIM MOORE)
Date: Thu, 28 Aug 2003 04:23:27 -0400
Subject: [syslog-ng]Re: syslog-ng digest, Vol 1 #1031 - 10 msgs (Vacation)
Message-ID:
FYI: I will be out on vacation from 8/28 until 9/8. Please contact the
NOC if you need immediate assistance.
Thanks,
Tim Moore
From syslog-ng@lists.balabit.hu Thu Aug 28 09:26:33 2003
From: syslog-ng@lists.balabit.hu (TIM MOORE)
Date: Thu, 28 Aug 2003 04:26:33 -0400
Subject: [syslog-ng]Re: syslog-ng digest, Vol 1 #1032 - 9 msgs (Vacation)
Message-ID:
FYI: I will be out on vacation from 8/28 until 9/8. Please contact the
NOC if you need immediate assistance.
Thanks,
Tim Moore
From syslog-ng@lists.balabit.hu Thu Aug 28 11:36:27 2003
From: syslog-ng@lists.balabit.hu (Rule, Ted)
Date: Thu, 28 Aug 2003 11:36:27 +0100
Subject: [syslog-ng]last message repeated?
Message-ID: <7EE401CB7BDD6541BE2EB68CC917596D5937BC@fttvgpsexch2-nas.flextech.co.uk>
Dear old syslogd has explicit code to save a copy of the last message received,
and compare it with the current message ( less the timestamp field and it only saves 256
bytes of message(?) ), so as to throttle out such floods. It's fairly basic, however,
as it imposes no time restriction on the history buffer, so duplicate messages hours
apart don't cause separate messages to be logged.
As far as I'm aware, syslog-ng has never had this feature, but I agree it
would be highly desirable to add to future releases. On the face of it, the
basic functionality provided in syslogd shouldn't be a difficult thing to code.
However, the tricky bells&whistles feature would be to add a separate message
history/throttle/cache(?)/aging(?) for each source IP so that a server
could correctly spot multiple copies of the same message within a given timeframe
even if intervening messages were from a different source.
Ted
-----Original Message-----
From: Chuck Berg @FLEXTECH
Sent: Wednesday 02 July 2003 21:53
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]last message repeated?
Is there a particular reason why syslog-ng doesn't generate "last message
repeated x times" messages? It's very unfortunate to have the disk on my
log server fill up because of one machine flooding the logs.
For example, Solaris will send one "WARNING: /tmp: File system full, swap
space limit exceeded" message for every write() that fails for that
reason. It's easy to get tens of thousands of these per second.
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
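What Ted sketches, written out as an added Python example (not code from syslogd or from syslog-ng): a suppressor that keeps one history entry per source address, compares the message with the timestamp stripped, counts exact repeats, and emits a "last message repeated N times" line when a different message arrives from that source, when the held run ages past a time window, or on a final flush. Keying on the source means a second host logging in between does not break the first host's run, and the window is the time restriction Ted notes syslogd lacks. The log lines are constructed in the form the Solaris flood from the original question would take.

```python
import re

# Classic BSD syslog line: "Mon DD HH:MM:SS host tag: body". The timestamp is dropped
# before comparing, as syslogd does; the rest is the key for "same message".
_TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


class RepeatSuppressor:
    """Per-source "last message repeated N times" folding with an age limit.

    window: seconds after which a held run is reported even if the same message
    keeps arriving, so a duplicate hours later is logged as a fresh event.
    """

    def __init__(self, window: float = 60.0):
        self.window = window
        self.state = {}   # source -> [stripped_body, count, first_seen]

    @staticmethod
    def strip_timestamp(line: str) -> str:
        return _TS_RE.sub("", line, count=1)

    def _flush(self, source: str, out: list) -> None:
        _, count, _ = self.state.pop(source)
        if count > 1:
            out.append(f"{source}: last message repeated {count - 1} times")

    def feed(self, source: str, line: str, now: float) -> list:
        """Offer one line from `source` at time `now`; return the lines to emit."""
        out = []
        body = self.strip_timestamp(line)
        entry = self.state.get(source)
        if entry is not None:
            if entry[0] == body and now - entry[2] < self.window:
                entry[1] += 1      # exact repeat inside the window: swallow it
                return out
            self._flush(source, out)  # different message or window expired: report the run
        self.state[source] = [body, 1, now]
        out.append(line)
        return out

    def finish(self) -> list:
        """Flush every pending run (call at shutdown or log rotation)."""
        out = []
        for source in list(self.state):
            self._flush(source, out)
        return out


def fold(events, window: float = 60.0) -> list:
    """events: iterable of (now, source, line). Returns every emitted line in order."""
    s = RepeatSuppressor(window)
    out = []
    for now, source, line in events:
        out.extend(s.feed(source, line, now))
    out.extend(s.finish())
    return out


# Constructed sample: a Solaris host flooding the same warning while another host
# logs in between, which must not break the run for the first host.
FULL = "WARNING: /tmp: File system full, swap space limit exceeded"
SAMPLE = [
    (0.0, "10.0.0.5", f"Aug 28 10:00:00 sol8 unix: {FULL}"),
    (0.1, "10.0.0.5", f"Aug 28 10:00:00 sol8 unix: {FULL}"),
    (0.2, "10.0.0.9", "Aug 28 10:00:00 lin1 sshd[42]: Accepted publickey for ops"),
    (0.3, "10.0.0.5", f"Aug 28 10:00:01 sol8 unix: {FULL}"),
    (5.0, "10.0.0.5", "Aug 28 10:00:05 sol8 unix: swap space recovered"),
    (9.0, "10.0.0.9", "Aug 28 10:00:09 lin1 sshd[42]: Accepted publickey for ops"),
]

if __name__ == "__main__":
    for line in fold(SAMPLE):
        print(line)
```

On the sample, the three copies of the Solaris warning collapse to one line plus "10.0.0.5: last message repeated 2 times", emitted when the next different message from that host arrives, while the interleaved sshd line from the other host is untouched.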
From syslog-ng@lists.balabit.hu Thu Aug 28 13:14:37 2003
From: syslog-ng@lists.balabit.hu (Paul Jasa)
Date: Thu, 28 Aug 2003 08:14:37 -0400
Subject: [syslog-ng]Forwarding unchanged Syslog messages
Message-ID: <7E43058117985342A83CC0EFEAF66351026F1F33@MIA-CL01.utg.uvn.net>
I have the exact same issue with syslog-ng. I run Red Hat 7.3. Despite
the claims that the syslog message can be forwarded without being
modified, syslog-ng STILL modifies it. The modified syslog message
has the original IP address AND the server's IP address in chain format,
which is no good. I want to keep the message UNtouched when it gets
forwarded.
If anyone has the answer to this question I would very much appreciate
it. The MAIN reason why I installed syslog-ng was due to the claim that
it could forward without changing the message, but so far it just looks
like a claim.
pj
Paul Jasa
Network Engineer
-----Original Message-----
From: Harrie.van.Arragon@steinmuehlen-brot.de
[mailto:Harrie.van.Arragon@steinmuehlen-brot.de]
Sent: Tuesday, August 19, 2003 05:17 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Forwarding unchanged Syslog messages
Is it possible to forward syslog messages without modifying the host and
the messages?
I thought "keep_hostname(yes)" would solve the problem, but it didn't.
Normally I use version 1.5.15 shipped with Debian, but I tried 1.5.26 too.
I don't know if it's important, but our syslog server has a load of 100%
the whole day (not from syslog-ng).
I tried the following config:
options { use_fqdn(yes); sync(0); use_dns(yes);
chain_hostnames(yes); keep_hostname(yes); };
source net { tcp(); udp();};
destination pc1 { udp(192.168.1.1);};
destination pc2 { udp(192.168.1.2);};
destination pc3 { udp(192.168.1.3);};
log { source(net); destination(pc1);};
log { source(net); destination(pc2);};
log { source(net); destination(pc3);};
bye
Harrie
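Both the quoted configuration and the behaviour Paul describes point at the same option: chain_hostnames(yes) is what appends the relay's own name to the HOST field. keep_hostname(yes) only decides whether the hostname found in the received message is kept (yes) or replaced by the address the message arrived from (no; resolved through DNS when use_dns(yes)), so on its own it does not stop the chaining. The function below is an added illustration of how those three options combine on a forwarding host, not code from syslog-ng; the option semantics follow syslog-ng's documentation, the chained form original/relay is an assumption about the exact format, and the message, addresses and reverse-DNS table are constructed.

```python
import re

# Constructed reverse-DNS table standing in for use_dns(yes) lookups.
REVERSE_DNS = {"192.168.1.10": "web1.example.net"}

# BSD syslog header: "<PRI>Mon DD HH:MM:SS HOST rest-of-message"
_HDR_RE = re.compile(r"^(<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d )(\S+) (.*)$", re.S)


def relay_host_field(msg_host: str, sender_ip: str, relay_name: str,
                     keep_hostname: bool, chain_hostnames: bool, use_dns: bool) -> str:
    """HOST as a relay would emit it (modelled from the documented option semantics)."""
    sender = REVERSE_DNS.get(sender_ip, sender_ip) if use_dns else sender_ip
    host = msg_host if (keep_hostname and msg_host) else sender
    if chain_hostnames:
        host = f"{host}/{relay_name}"   # chained format, assumed as original/relay
    return host


def relay_message(line: str, sender_ip: str, relay_name: str, **opts) -> str:
    """Rewrite the HOST field of one BSD syslog line as the relay would forward it."""
    m = _HDR_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    prefix, msg_host, rest = m.groups()
    return prefix + relay_host_field(msg_host, sender_ip, relay_name, **opts) + " " + rest


# Constructed message received from 192.168.1.10 by a relay that calls itself "relay".
SAMPLE = "<34>Aug 19 11:17:06 web1 sshd[1042]: Failed password for root from 10.9.8.7"

# Option sets: the quoted configuration, the one that forwards the line untouched,
# and the one that stamps the sender's resolved name over whatever the client claimed.
POSTED = dict(keep_hostname=True, chain_hostnames=True, use_dns=True)
UNCHANGED = dict(keep_hostname=True, chain_hostnames=False, use_dns=False)
REWRITE = dict(keep_hostname=False, chain_hostnames=False, use_dns=True)

if __name__ == "__main__":
    for name, opts in (("posted", POSTED), ("unchanged", UNCHANGED), ("rewrite", REWRITE)):
        print(f"{name:9s} {relay_message(SAMPLE, '192.168.1.10', 'relay', **opts)}")
```

With the quoted options the HOST field becomes web1/relay, which is the chained form Paul sees; with chain_hostnames(no) and keep_hostname(yes) the line leaves the relay byte-for-byte as it arrived. Note what the untouched setting gives up: the HOST field is then whatever the sending host wrote into the packet, so a forged hostname in a spoofed UDP datagram is forwarded as-is, whereas keep_hostname(no) stamps the address the relay actually received it from.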
From syslog-ng@lists.balabit.hu Thu Aug 28 15:11:25 2003
From: syslog-ng@lists.balabit.hu (Marc Spitzer)
Date: Thu, 28 Aug 2003 10:11:25 -0400
Subject: [syslog-ng]syslog-ng and IPSEC: does anyone have any experience with the combination?
Message-ID: <3F4E0D8D.D2B5E55B@morganstanley.com>
I am doing some logging infrastructure research and I am looking into
syslog-ng and IPSEC; does anyone have any experience with this setup?
Thanks
marc
From syslog-ng@lists.balabit.hu Thu Aug 28 16:23:24 2003
From: syslog-ng@lists.balabit.hu (Richard E. Perlotto II)
Date: Thu, 28 Aug 2003 08:23:24 -0700
Subject: [syslog-ng]Log TCP
In-Reply-To: <05a501c34811$b50feeb0$6501a8c0@cr830163a>
Message-ID: <00e201c36d78$536029a0$a5465d42@defcon>
Standard networking devices do not syslog on TCP ports.
Richard
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Darrell
Sent: Friday, July 11, 2003 6:06 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Log TCP
I'm new to Linux and we've decided to setup syslog-ng 1.4.17 on Redhat 8 at work. I'm trying to centralize the logs using TCP for
all of our Cisco routers, Nortel firewalls and switches. I need to know what lines to enter and where to enter them in my
syslog-ng.conf file. Any help would be greatly appreciated.
-----------------------------------
Darrell
IT Support
From syslog-ng@lists.balabit.hu Thu Aug 28 16:52:27 2003
From: syslog-ng@lists.balabit.hu (Naman Latif)
Date: Thu, 28 Aug 2003 08:52:27 -0700
Subject: [syslog-ng]syslog-ng and logrotate
Message-ID: <83B3FCAD284096489C9967C54B33B6B301D3A848@sigma.inamed.com>
Have you tried the "copytruncate" option in logrotate.conf ? I am using
it without any problems on Solaris8.
++++++++++++++++++++
copytruncate
Truncate the original log file in place after creating
a copy, instead of moving the old log file and optionally
creating a new one. It can be used when some program
can not be told to close its logfile and thus might
continue writing (appending) to the previous log file
forever. Note that there is a very small time slice
between copying the file and truncating it, so some
logging data might be lost. When this option is used,
the create option will have no effect, as the old log
file stays in place.
+++++++++++++++++++++++
Regards \\ Naman
> My problem:
> before the log rotate, all is good. After logrotate,
> syslog-ng doesn't write to
> the remote file.
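The window the manual page warns about, shown concretely as an added Python example (not from the thread, from logrotate or from syslog-ng): a writer holds an open append-mode file the way syslog-ng does, and the two rotation styles are run against it. copytruncate copies and then truncates, so anything appended between the two steps survives in neither file; rename-and-reopen, which is what a postrotate hook that sends syslog-ng a SIGHUP achieves, loses nothing because the writer keeps appending to the old inode until it reopens. The files live in a temporary directory the example creates and removes, and the lines written "during" the rotation stand in for messages arriving in that race window.

```python
import os
import shutil
import tempfile


def copytruncate_rotate(path, writer, lines_in_window):
    """logrotate copytruncate: copy, then truncate in place.

    `lines_in_window` are appended by the still-open writer between the two steps
    (the race the manual page describes) and end up in neither file.
    """
    shutil.copyfile(path, path + ".1")
    for line in lines_in_window:
        writer.write(line + "\n")
        writer.flush()
    with open(path, "r+") as f:
        f.truncate(0)
    return writer           # same descriptor; O_APPEND puts the next write at the new end (0)


def rename_rotate(path, writer, lines_in_window):
    """Rename, then have the writer reopen (what a SIGHUP to syslog-ng triggers).

    Lines written in between land in the renamed file, so nothing is lost.
    """
    os.rename(path, path + ".1")
    for line in lines_in_window:
        writer.write(line + "\n")
        writer.flush()
    writer.close()
    return open(path, "a")  # the reopened descriptor points at the fresh file


def simulate(rotate) -> dict:
    """Write before/during/after one rotation and count which lines survive anywhere."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "messages")
    writer = open(path, "a")
    before = [f"before-{i}" for i in range(3)]
    during = [f"during-{i}" for i in range(2)]
    after = [f"after-{i}" for i in range(2)]
    try:
        for line in before:
            writer.write(line + "\n")
        writer.flush()
        writer = rotate(path, writer, during)
        for line in after:
            writer.write(line + "\n")
        writer.close()
        kept = set()
        for name in (path, path + ".1"):
            with open(name) as f:
                kept.update(l.rstrip("\n") for l in f)
    finally:
        shutil.rmtree(d)
    return {"lost": sorted(set(before + during + after) - kept), "kept": len(kept)}


if __name__ == "__main__":
    print("copytruncate:", simulate(copytruncate_rotate))   # lost: ['during-0', 'during-1']
    print("rename+reopen:", simulate(rename_rotate))         # lost: []
```

On a busy collector "very small time slice" is measured in messages, not seconds: the copy of a multi-gigabyte file takes long enough for a flood like the one discussed earlier in this digest to land squarely inside it. Since syslog-ng reopens its files on SIGHUP, a logrotate stanza that moves the file and then signals the daemon avoids the window entirely.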
From syslog-ng@lists.balabit.hu Thu Aug 28 20:45:34 2003
From: syslog-ng@lists.balabit.hu (Jens Gutzeit)
Date: Thu, 28 Aug 2003 21:45:34 +0200
Subject: [syslog-ng]Syslog-ng on NetBSD
Message-ID: <200308282145.34051.jens@freebsdforum.de>
On Saturday 28 June 2003 23:38, Axel Gerster wrote:
> afstreams.c:37: stropts.h: No such file or directory
> afstreams.c:38: sys/strlog.h: No such file or directory
Your system is missing some header files from your libc. I don't know NetBSD, but
there's probably a libc devel package which you need to install first.
Jens
From syslog-ng@lists.balabit.hu Fri Aug 29 01:01:51 2003
From: syslog-ng@lists.balabit.hu (Atif Ghaffar)
Date: Fri, 29 Aug 2003 02:01:51 +0200
Subject: [syslog-ng]logging to file and remote host
Message-ID: <3F4E97EF.90909@developer.ch>
hi all,
I am not yet a syslog-ng user. I would like to know if it is possible to
do what I want with standard syslogd and if not then with syslog-ng
On HP-UX 11.00
I want to log messages to a file and to remote host.
Is that possible with syslogd?
I tried something like
mail.* /var/adm/syslog/mail.log
and it works
I tried
mail.* @LOGHOST
and it works
If I put both lines then only one is used.
How can I log to a file and also to LOGHOST?
If it is not possible with syslog and is possible with syslog-ng, then
please let me know so I can continue the reading of the manuals.
best regards and thanks
Atif Ghaffar
From syslog-ng@lists.balabit.hu Fri Aug 29 01:15:54 2003
From: syslog-ng@lists.balabit.hu (Harry Hoffman)
Date: Thu, 28 Aug 2003 20:15:54 -0400
Subject: [syslog-ng]logging to file and remote host
In-Reply-To: <3F4E97EF.90909@developer.ch>
References: <3F4E97EF.90909@developer.ch>
Message-ID: <1062116154.fd775ef36addd@secure.ip-solutions.net>
Hi Atif,
Not sure on HP-UX but I can confirm that this works on Solaris and Linux.
I do something like:
mail.* /var/log/maillog
*.warn @loghost
HTH,
Harry
--
Harry Hoffman
hhoffman@ip-solutions.net
STANDARD DISCLAIMER:
**********************************************
*This universe shipped by weight, not volume.*
*Some expansion may have occured in shipping.*
**********************************************
-------------------------------------------------
This mail sent through IpSolutions: http://www.ip-solutions.net/
From syslog-ng@lists.balabit.hu Fri Aug 29 01:48:38 2003
From: syslog-ng@lists.balabit.hu (Atif Ghaffar)
Date: Fri, 29 Aug 2003 02:48:38 +0200
Subject: [syslog-ng]logging to file and remote host
In-Reply-To: <1062116154.fd775ef36addd@secure.ip-solutions.net>
References: <3F4E97EF.90909@developer.ch> <1062116154.fd775ef36addd@secure.ip-solutions.net>
Message-ID: <3F4EA2E6.5010508@developer.ch>
Harry Hoffman wrote:
> Hi Atif,
>
> Not sure on HP-UX but I can confirm that this works on Solaris and Linux.
> I do something like:
> mail.* /var/log/maillog
> *.warn @loghost
Hi Harry,
Thanks for the quick reply,
You are sending two entries to different destinations.
Can you do:
mail.* /var/log/maillog
mail.* @loghost
What we are trying to do is log everything locally as well as remotely.
So if the remote server is down, the logs are locally present and
if the server is compromised and the logs are deleted, there is still
trace on syslog.
best regards
From syslog-ng@lists.balabit.hu Fri Aug 29 02:27:19 2003
From: syslog-ng@lists.balabit.hu (Harry Hoffman)
Date: Thu, 28 Aug 2003 21:27:19 -0400
Subject: [syslog-ng]logging to file and remote host
In-Reply-To: <3F4EA2E6.5010508@developer.ch>
References: <3F4E97EF.90909@developer.ch>
<1062116154.fd775ef36addd@secure.ip-solutions.net>
<3F4EA2E6.5010508@developer.ch>
Message-ID: <1062120439.b30be45ce1e5c@secure.ip-solutions.net>
Hi Atif,
Ok, right. Sorry about that. I can't test the Uni setup right now but this quick
test on my home linux network seems to work (I don't have a Solaris box right now):
/etc/syslog.conf
...
mail.* /var/log/maillog
mail.* @192.168.1.3
# From test host
# Cause it's not running a remote syslog server
tcpdump -x -X -vvv dst host 192.168.1.3
logger -p mail.info TEST MESSAGE
If I cat /var/log/maillog I see the "TEST MESSAGE" text. Also I can see the
packets going to 192.168.1.3
HTH,
Harry
PS-> I don't know about you guys but for us that was a lot of logging which is
why we tuned down what we were sending across the wire.
Also, if you are making sure that you have logs on both the client and server, then you
may wish to use TCP transport (which would require syslog-ng on the client).
From syslog-ng@lists.balabit.hu Fri Aug 29 02:29:26 2003
From: syslog-ng@lists.balabit.hu (TIM MOORE)
Date: Thu, 28 Aug 2003 21:29:26 -0400
Subject: [syslog-ng]Re: syslog-ng digest, Vol 1 #1033 - 15 msgs (Vacation)
Message-ID:
FYI: I will be out on vacation from 8/28 until 9/8. Please contact the NOC if you need immediate assistance.
Thanks,
Tim Moore
From syslog-ng@lists.balabit.hu Thu Aug 28 15:09:00 2003
From: syslog-ng@lists.balabit.hu (William Rhodes)
Date: Thu, 28 Aug 2003 09:09:00 -0500
Subject: [syslog-ng]syslog-ng and logrotate
Message-ID: <0296816EB287BC489812FB4F652A6C190142B395@houemail2.calpine.com>
Had the same problem and found that syslog-ng has a problem with the kill
-HUP that logrotate uses. I replaced that command with
/etc/rc.d/init.d/syslog-ng reload and all works fine with no problems.
William
-----Original Message-----
From: yannick.haguenier@tuxfamily.org
[mailto:yannick.haguenier@tuxfamily.org]
Sent: Thursday, July 10, 2003 3:57 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]syslog-ng and logrotate
Hi,
I have squid + syslog-ng 1.0.6.rc1.
Syslog-ng looks at squid/access.log and writes a log file (with date format) on a
remote server (tcp).
On squid there is a logrotate at 6 am.
My problem:
before the logrotate, all is good. After logrotate, syslog-ng doesn't write to
the remote file.
The last line that appears in this file was created at 6 am.
The process runs on both servers, and I have no errors.
If I run syslog-ng restart, syslog-ng writes the lines to the remote file. The
next error appears after the next logrotate.
Does anyone know why this is happening?
thanks
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
From syslog-ng@lists.balabit.hu Fri Aug 29 02:28:19 2003
From: syslog-ng@lists.balabit.hu (Leonard Mills)
Date: Fri, 29 Aug 2003 01:28:19 +0000
Subject: [syslog-ng]logging to file and remote host
In-Reply-To: Your message of "Fri, 29 Aug 2003 02:48:38 +0200."
<3F4EA2E6.5010508@developer.ch>
Message-ID: <200308290128.h7T1SJW03377@soda-pop.corpnet.sel.sony.com>
Atif,
On systems with non-broken syslogd you can even do more.
This works just fine on my BSDi servers:
*.err;kern.debug;auth.notice;mail.crit /dev/console
*.notice;kern.debug;auth.info;mail.crit /var/log/messages
mail.debug /var/log/maillog
cron.info /var/log/cron
local0.debug /var/log/proxynet
local7.debug /var/log/ciscolog
*.notice;auth.debug root
*.emerg *
kern.debug;auth.info @160.33.83.4
mail.crit @160.33.83.4
local0.crit @160.33.83.4
local7.debug @160.33.83.4
Note kern.debug going to three places and local7.debug going
to two in the same way (approximately) as you are using.
Len
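Atif's question (one selector, two actions) and Len's syslog.conf above both rest on the same rule of classic BSD syslogd: every configuration line is evaluated independently, and a message is delivered to every action whose selector matches it. The following Python model of that evaluation is an added example, not code from the thread or from any syslogd; it embeds Len's file exactly as posted and reproduces the fan-out he describes.

```python
# Model of classic BSD syslog.conf routing (added example, not from the list
# and not any syslogd's source). Each line is an independent rule.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def severity(name):
    """Rank of a priority keyword; higher is more severe."""
    return LEVELS.index(ALIASES.get(name, name))


def parse_syslog_conf(text):
    """Return [(selectors, action)] with selectors as [(facility, level)]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)   # whitespace separates them
        sels = []
        for part in selector.split(";"):          # fac.lvl;fac.lvl;...
            facs, lvl = part.rsplit(".", 1)       # 'a,b.lvl' lists facilities
            sels.extend((fac, lvl) for fac in facs.split(","))
        rules.append((sels, action))
    return rules


def route(rules, facility, level):
    """Actions that receive a (facility, level) message. 'fac.lvl' matches
    that facility at lvl or more severe; '*' matches any facility or level."""
    sev = severity(level)
    return [action for sels, action in rules
            if any(fac in ("*", facility) and (lvl == "*" or sev >= severity(lvl))
                   for fac, lvl in sels)]


# Len's BSDi syslog.conf exactly as posted in the thread.
LEN_CONF = """
*.err;kern.debug;auth.notice;mail.crit /dev/console
*.notice;kern.debug;auth.info;mail.crit /var/log/messages
mail.debug /var/log/maillog
cron.info /var/log/cron
local0.debug /var/log/proxynet
local7.debug /var/log/ciscolog
*.notice;auth.debug root
*.emerg *
kern.debug;auth.info @160.33.83.4
mail.crit @160.33.83.4
local0.crit @160.33.83.4
local7.debug @160.33.83.4
"""
```

Running `route` for a mail.info message against Atif's two-line file returns both actions; the HP-UX 11.00 behaviour he reports (only one of two identical selectors honoured) is exactly what this model does not reproduce.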