From syslog-ng@lists.balabit.hu Tue Nov 4 18:39:02 2003
From: syslog-ng@lists.balabit.hu (KELLY,THOMAS (HP-Boise,ex1))
Date: Tue, 4 Nov 2003 10:39:02 -0800
Subject: [syslog-ng]parse error on Template (
Message-ID: <345D43ADFFFF864298F9ECD6C5D574E8034DD5DA@xboi21.boise.itc.hp.com>
Hello,
I am using syslog-ng-1.6.0rc4 on RH 9. I just migrated to using mysql for
syslog-ng.
After I added in the support for mysql in my syslog-ng.conf, when I try
starting syslog-ng it gives me a parse error on the line that specifies the
template:
template("INSERT INTO logs (host, facility, priority, level,
tag, date,
Does anyone know how to resolve this error?
Thanks,
Tom Kelly
From syslog-ng@lists.balabit.hu Tue Nov 4 18:44:12 2003
From: syslog-ng@lists.balabit.hu (Michael Earls)
Date: Tue, 04 Nov 2003 13:44:12 -0500
Subject: [syslog-ng]parse error on Template (
Message-ID:
Can you paste the rest of the config?
michael
>>> tom.kelly@hp.com 11/04/03 01:39PM >>>
Hello,
I am using syslog-ng-1.6.0rc4 on RH 9. I just migrated to using mysql for
syslog-ng.
After I added in the support for mysql in my syslog-ng.conf, when I try
starting syslog-ng it gives me a parse error on the line that specifies the
template:
template("INSERT INTO logs (host, facility, priority, level,
tag, date,
Does anyone know how to resolve this error?
Thanks,
Tom Kelly
From syslog-ng@lists.balabit.hu Tue Nov 4 20:31:25 2003
From: syslog-ng@lists.balabit.hu (KELLY,THOMAS (HP-Boise,ex1))
Date: Tue, 4 Nov 2003 15:31:25 -0500
Subject: [syslog-ng]FW: parse error on Template (
Message-ID: <345D43ADFFFF864298F9ECD6C5D574E8034DD5DB@xboi21.boise.itc.hp.com>
Attached is my syslog-ng.conf file
<<syslog-ng.conf>>
_____________________________________________
From: KELLY,THOMAS (HP-Boise,ex1)
Sent: Tuesday, November 04, 2003 11:39 AM
To: 'syslog-ng@lists.balabit.hu'
Subject: parse error on Template (
Hello,
I am using syslog-ng-1.6.0rc4 on RH 9. I just migrated to using mysql for
syslog-ng.
After I added in the support for mysql in my syslog-ng.conf, when I try
starting syslog-ng it gives me a parse error on the line that specifies the
template:
template("INSERT INTO logs (host, facility, priority, level,
tag, date,
Does anyone know how to resolve this error?
Thanks,
Tom Kelly
[Attachment: syslog-ng.conf]
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# 20000925 gb@sysfive.com
#
# Updated by Frank Crawford () - 10 Aug 2002
# - for Red Hat 7.3
# - totally do away with klogd
# - add message "kernel:" as is done with klogd.
#
# Updated by Frank Crawford () - 22 Aug 2002
# - use the log_prefix option as per Balazs Scheidler's email
#

options { sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};

#source s_sys { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and
not (facility(mail)
or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or
(facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };

#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };

# # Log syslog-ng to mysql database
# #
destination d_mysql {
pipe("/tmp/mysql.pipe"
#template("INSERT INTO logs(host,facility,priority,level,tag,date,
#time,program,msg) VALUES ('$HOST,'$FACILITY,'$PRIORITY','$LEVEL','$TAG',
#'$YEAR-$MONTH-$DAY','$HOUR:$MIN:$SEC','$PROGRAM','$MSG');\n") template-escape(yes));
#};
#log { source(net); destination(d_mysql);
#};
From syslog-ng@lists.balabit.hu Tue Nov 4 20:57:43 2003
From: syslog-ng@lists.balabit.hu (Michael Earls)
Date: Tue, 04 Nov 2003 15:57:43 -0500
Subject: [syslog-ng]FW: parse error on Template (
Message-ID:
The only thing I see missing on your config is the "source net { udp(); };".
I know template version does work on syslog-ng 1.6.0rc1. I would assume it
would work on the next version up. Can anyone else verify that template
versions work on version 1.6.0rc4?
michael
PGP Info: KeyID 0x5EB59708
Fingerprint 108B A1D8 76F5 08A8 501A F28C 86F4 4BC5 5EB5 9708
>>> tom.kelly@hp.com 11/04/03 03:31PM >>>
Attached is my syslog-ng.conf file
<<syslog-ng.conf>>
_____________________________________________
From: KELLY,THOMAS (HP-Boise,ex1)
Sent: Tuesday, November 04, 2003 11:39 AM
To: 'syslog-ng@lists.balabit.hu'
Subject: parse error on Template (
Hello,
I am using syslog-ng-1.6.0rc4 on RH 9. I just migrated to using mysql for
syslog-ng.
After I added in the support for mysql in my syslog-ng.conf, when I try
starting syslog-ng it gives me a parse error on the line that specifies the
template:
template("INSERT INTO logs (host, facility, priority, level,
tag, date,
Does anyone know how to resolve this error?
Thanks,
Tom Kelly
From syslog-ng@lists.balabit.hu Thu Nov 6 14:07:21 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Thu, 6 Nov 2003 15:07:21 +0100
Subject: [syslog-ng]FW: parse error on Template (
In-Reply-To: <345D43ADFFFF864298F9ECD6C5D574E8034DD5DB@xboi21.boise.itc.hp.com>
References: <345D43ADFFFF864298F9ECD6C5D574E8034DD5DB@xboi21.boise.itc.hp.com>
Message-ID: <20031106140721.GC11681@balabit.hu>
On Tue, Nov 04, 2003 at 03:31:25PM -0500, KELLY,THOMAS (HP-Boise,ex1) wrote:
> Attached is my syslog-ng.conf file
>
> <<syslog-ng.conf>>
the problem seems to be that your template line spans several lines, whereas
the parser is line based and doesn't handle this.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Fri Nov 7 22:15:54 2003
From: syslog-ng@lists.balabit.hu (Forrest Aldrich)
Date: Fri, 07 Nov 2003 17:15:54 -0500
Subject: [syslog-ng]Logging options in XML?
Message-ID: <6.0.0.22.2.20031107171447.01c746e8@192.168.1.1>
I understand that the logging function(s) of syslog-ng can be
customized/modified, and I saw some mention of enabling syslog-ng to log
into XML - is this possible, and if so I'd be interested in the nuances or
hearing any experience with it.
From syslog-ng@lists.balabit.hu Sat Nov 8 00:05:22 2003
From: syslog-ng@lists.balabit.hu (Kenneth Webber)
Date: Sat, 08 Nov 2003 00:05:22 +0000
Subject: [syslog-ng]Use template() for Program()
Message-ID:
I don’t want to reinvent the wheel. I like the functionality of the
template () function. Is there a way to apply the template () to a program
destination or is template only good for file ()?
-Ken
From syslog-ng@lists.balabit.hu Sat Nov 8 12:31:12 2003
From: syslog-ng@lists.balabit.hu (Amodiovalerio Verde)
Date: Sat, 8 Nov 2003 13:31:12 +0100
Subject: [syslog-ng]Use template() for Program()
References:
Message-ID: <002201c3a5f4$323f0520$51004701@ags.wan>
the template() function applies to file destination too in syslog-ng 1.6.
(and if I'm not wrong it applies to all destinations now, even udp() and
tcp())
I cannot remember when syslog-ng started to apply the template function to file
but there is a patch for 1.5.20.
Amodiovalerio [Hypo] Verde
----- Original Message -----
From: "Kenneth Webber"
To:
Sent: Saturday, November 08, 2003 1:05 AM
Subject: [syslog-ng]Use template() for Program()
> I don't want to reinvent the wheel. I like the functionality of the
> template () function. Is there a way to apply the template () to a program
> destination or is template only good for file ()?
>
> -Ken
From syslog-ng@lists.balabit.hu Sun Nov 9 14:53:50 2003
From: syslog-ng@lists.balabit.hu (Jos Vos)
Date: Sun, 09 Nov 2003 15:53:50 +0100
Subject: [syslog-ng]Backslash-escaped quotes in message strings
Message-ID: <200311091453.hA9EroG32641@xos037.xos.nl>
Hi,
When a single (') or double (") quote appears in a syslog message,
this quote gets escaped with a backslash by syslog-ng, which results
in pretty ugly output, different from what the standard Linux
sysklogd does (this doesn't change the message).
Can this be considered a bug (or is it a feature)?
Thanks,
--
-- Jos Vos
-- X/OS Experts in Open Systems BV | Phone: +31 20 6938364
-- Amsterdam, The Netherlands | Fax: +31 20 6948204
From syslog-ng@lists.balabit.hu Sun Nov 9 16:54:00 2003
From: syslog-ng@lists.balabit.hu (Jos Vos)
Date: Sun, 09 Nov 2003 17:54:00 +0100
Subject: [syslog-ng]Re: Backslash-escaped quotes in message strings
In-Reply-To: Your message of "Sun, 09 Nov 2003 15:53:50 +0100."
Message-ID: <200311091654.hA9Gs0r00659@xos037.xos.nl>
Hi,
Earlier I wrote:
> When a single (') or double (") quote appears in a syslog message,
> this quote gets escaped with a backslash by syslog-ng, which results
> in pretty ugly output, different from what the standard Linux
> sysklogd does (this doesn't change the message).
I have made a patch (attached) to solve this - at least in my specific
situation - but the question is: does this maybe break something else?
Cheers,
--
-- Jos Vos
-- X/OS Experts in Open Systems BV | Phone: +31 20 6938364
-- Amsterdam, The Netherlands | Fax: +31 20 6948204
--- syslog-ng-1.6.0rc4/src/macros.c.orig 2003-04-16 12:15:02.000000000 +0200
+++ syslog-ng-1.6.0rc4/src/macros.c 2003-11-09 17:42:54.000000000 +0100
@@ -348,7 +348,7 @@
}
case M_MESSAGE: {
/* message */
- length = append_string(dest, left, msg->msg->data, msg->msg->length, escape);
+ length = append_string(dest, left, msg->msg->data, msg->msg->length, 0);
break;
}
default:
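Review bot: The literal 0 passed as the last argument in the M_MESSAGE case ignores the caller's escape value, so the message body is appended unescaped for every template, including templates whose output is placed inside a quoted string. Keep passing escape here and switch escaping off per destination instead, so that destinations that depend on it are unaffected.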
From syslog-ng@lists.balabit.hu Mon Nov 10 09:08:20 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Mon, 10 Nov 2003 10:08:20 +0100
Subject: [syslog-ng]Backslash-escaped quotes in message strings
In-Reply-To: <200311091453.hA9EroG32641@xos037.xos.nl>
References: <200311091453.hA9EroG32641@xos037.xos.nl>
Message-ID: <20031110090820.GA634@balabit.hu>
On Sun, Nov 09, 2003 at 03:53:50PM +0100, Jos Vos wrote:
> Hi,
>
> When a single (') or double (") quote appears in a syslog message,
> this quote gets escaped with a backslash by syslog-ng, which results
> in pretty ugly output, different from what the standard Linux
> sysklogd does (this doesn't change the message).
>
> Can this be considered a bug (or is it a feature)?
this can be controlled by template_escape()
destination d_file { file("/var/log/messages" template("$MSG\n") template_escape(no)); };
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Mon Nov 10 12:03:54 2003
From: syslog-ng@lists.balabit.hu (Jos Vos)
Date: Mon, 10 Nov 2003 13:03:54 +0100
Subject: [syslog-ng]Backslash-escaped quotes in message strings
In-Reply-To: <20031110090820.GA634@balabit.hu>; from bazsi@balabit.hu on Mon, Nov 10, 2003 at 10:08:20AM +0100
References: <200311091453.hA9EroG32641@xos037.xos.nl> <20031110090820.GA634@balabit.hu>
Message-ID: <20031110130354.C5080@xos037.xos.nl>
On Mon, Nov 10, 2003 at 10:08:20AM +0100, Balazs Scheidler wrote:
> this can be controlled by template_escape()
>
> destination d_file { file("/var/log/messages" template("$MSG\n") template_escape(no)); };
Great.
But can't the default better be "no" i.s.o. "yes"?
--
-- Jos Vos
-- X/OS Experts in Open Systems BV | Phone: +31 20 6938364
-- Amsterdam, The Netherlands | Fax: +31 20 6948204
From syslog-ng@lists.balabit.hu Mon Nov 10 15:15:44 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Mon, 10 Nov 2003 16:15:44 +0100
Subject: [syslog-ng]Backslash-escaped quotes in message strings
In-Reply-To: <20031110130354.C5080@xos037.xos.nl>
References: <200311091453.hA9EroG32641@xos037.xos.nl> <20031110090820.GA634@balabit.hu> <20031110130354.C5080@xos037.xos.nl>
Message-ID: <20031110151544.GA1904@balabit.hu>
On Mon, Nov 10, 2003 at 01:03:54PM +0100, Jos Vos wrote:
> On Mon, Nov 10, 2003 at 10:08:20AM +0100, Balazs Scheidler wrote:
>
> > this can be controlled by template_escape()
> >
> > destination d_file { file("/var/log/messages" template("$MSG\n") template_escape(no)); };
>
> Great.
>
> But can't the default better be "no" i.s.o. "yes"?
I think this option only applies to template(), so when you are not using
templates you will get the unescaped behaviour.
Setting the default for 'no' in templates is a security issue when sending
the template output to a database server (fairly common setup), imagine
an SQL query like:
INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP DATABASE logdb');
if the quotation mark is not protected by a backslash, the DROP DATABASE
command will be executed. I think this scenario is less visible to a normal
user, at least it is more difficult to notice this possibility.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Mon Nov 10 18:46:17 2003
From: syslog-ng@lists.balabit.hu (Kenneth Webber)
Date: Mon, 10 Nov 2003 18:46:17 +0000
Subject: [syslog-ng]Use template() for Program()
Message-ID:
>the template() function applies to file destination too in syslog-ng 1.6.
>( and if i'm not wrong it applies to all destination now even udp() and
>tcp() )
>I cannot remember when syslog-ng starts to apply template function to file
>but there is a patch for 1.5.20.
Thanks, I was on syslog-ng 1.5.26. I am now upgraded to 1.6.0rc4 and it
works great.
From syslog-ng@lists.balabit.hu Tue Nov 11 09:55:16 2003
From: syslog-ng@lists.balabit.hu (Peter J. Holzer)
Date: Tue, 11 Nov 2003 10:55:16 +0100
Subject: [syslog-ng]Backslash-escaped quotes in message strings
In-Reply-To: <20031110151544.GA1904@balabit.hu>
References: <200311091453.hA9EroG32641@xos037.xos.nl> <20031110090820.GA634@balabit.hu> <20031110130354.C5080@xos037.xos.nl> <20031110151544.GA1904@balabit.hu>
Message-ID: <20031111095516.GB10451@teal.hjp.at>
On 2003-11-10 16:15:44 +0100, Balazs Scheidler wrote:
> Setting the default for 'no' in templates is a security issue when sending
> the template output to a database server (fairly common setup), imagine
> an SQL query like:
>
> INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP DATABASE logdb');
>
> if the quotation mark is not protected by a backslash, the DROP DATABASE
> command will be executed. I think this scenario is less visible to a normal
> user, at least it is more difficult to notice this possibility.
The proper quoting depends on the database, however. For example, Oracle
doesn't recognize a backslash as quoting character:
SQL> insert into foo values('foo\'bar');
ERROR:
ORA-01756: quoted string not properly terminated
you have to double the single quotes:
SQL> insert into foo values('foo''bar');
1 row created.
I think this is also ANSI SQL, the backslash is a mysql extension.
hp
--
_ | Peter J. Holzer | We have failed our own creation and given
|_|_) | Sysadmin WSR | birth something truly awful. We're just too
| | | hjp@hjp.at | busy cooing over the pram to notice.
__/ | http://www.hjp.at/ | -- http://www.internetisshit.org
From syslog-ng@lists.balabit.hu Tue Nov 11 17:32:01 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Tue, 11 Nov 2003 18:32:01 +0100
Subject: [syslog-ng]Backslash-escaped quotes in message strings
In-Reply-To: <20031111095516.GB10451@teal.hjp.at>
References: <200311091453.hA9EroG32641@xos037.xos.nl> <20031110090820.GA634@balabit.hu> <20031110130354.C5080@xos037.xos.nl> <20031110151544.GA1904@balabit.hu> <20031111095516.GB10451@teal.hjp.at>
Message-ID: <20031111173201.GA23674@balabit.hu>
On Tue, Nov 11, 2003 at 10:55:16AM +0100, Peter J. Holzer wrote:
> On 2003-11-10 16:15:44 +0100, Balazs Scheidler wrote:
> > Setting the default for 'no' in templates is a security issue when sending
> > the template output to a database server (fairly common setup), imagine
> > an SQL query like:
> >
> > INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP DATABASE logdb');
> >
> > if the quotation mark is not protected by a backslash, the DROP DATABASE
> > command will be executed. I think this scenario is less visible to a normal
> > user, at least it is more difficult to notice this possibility.
>
> The proper quoting depends on the database, however. For example, Oracle
> doesn't recognize a backslash as quoting character:
>
> SQL> insert into foo values('foo\'bar');
> ERROR:
> ORA-01756: quoted string not properly terminated
>
> you have to double the single quotes:
>
> SQL> insert into foo values('foo''bar');
>
> 1 row created.
>
> I think this is also ANSI SQL, the backslash is a mysql extension.
thanks for the info, I've added a bug ticket to our bugzilla, this will be
added in the future.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
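An added example (not code from this thread or from syslog-ng) for the two points made above: escaping protects a quoted template value only when it matches the string syntax of the database that receives it. escape_backslash is a simplified model of the behaviour described in the thread, the sample message and the logs table are constructed, and SQLite stands in for a database with ANSI quoting rules.

```python
import sqlite3

# Constructed sample message containing quotes (not taken from the thread).
SAMPLE_MSG = "login failed for user 'bob'; retry"


def escape_backslash(value):
    """Simplified model of the thread's description: quotes get a backslash."""
    return value.replace("'", "\\'").replace('"', '\\"')


def escape_doubling(value):
    """ANSI SQL quoting: a single quote inside a literal is written twice."""
    return value.replace("'", "''")


def text_after_literal(statement, backslash_is_escape):
    """Return what follows the first '...' literal, as the database parses it.

    backslash_is_escape=True models MySQL's default string syntax; False models
    ANSI SQL (Oracle, SQLite), where a backslash is an ordinary character.
    Returns None if the literal is never closed.
    """
    i = statement.index("'") + 1
    while i < len(statement):
        ch = statement[i]
        if backslash_is_escape and ch == "\\":
            i += 2                      # backslash consumes the next character
        elif ch == "'":
            if statement[i + 1:i + 2] == "'":
                i += 2                  # doubled quote stays inside the literal
            else:
                return statement[i + 1:]
        else:
            i += 1
    return None


def build_insert(escaped_msg):
    """Mimic a template() that pastes the message between single quotes."""
    return "INSERT INTO logs (msg) VALUES ('" + escaped_msg + "')"


def stored_value(statement=None, bound_msg=None):
    """Run the insert on SQLite (ANSI quoting) and return the stored message.

    Returns None when the statement does not parse.
    """
    db = sqlite3.connect(":memory:")
    try:
        db.execute("CREATE TABLE logs (msg TEXT)")
        if bound_msg is not None:
            # Bound parameter: the value never passes through SQL text.
            db.execute("INSERT INTO logs (msg) VALUES (?)", (bound_msg,))
        else:
            db.execute(statement)
        return db.execute("SELECT msg FROM logs").fetchone()[0]
    except sqlite3.Error:
        return None
    finally:
        db.close()


if __name__ == "__main__":
    bs = build_insert(escape_backslash(SAMPLE_MSG))
    dq = build_insert(escape_doubling(SAMPLE_MSG))
    print("backslash, MySQL rules:", repr(text_after_literal(bs, True)))
    print("backslash, ANSI rules :", repr(text_after_literal(bs, False)))
    print("doubling,  ANSI rules :", repr(text_after_literal(dq, False)))
    print("backslash on SQLite   :", repr(stored_value(bs)))
    print("doubling on SQLite    :", repr(stored_value(dq)))
    print("bound parameter       :", repr(stored_value(bound_msg=SAMPLE_MSG)))
```

Anything text_after_literal returns beyond the closing parenthesis is message text that the database would read as SQL; a loader that reads the pipe and inserts with bound parameters avoids the dialect question altogether.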
From syslog-ng@lists.balabit.hu Wed Nov 12 09:00:06 2003
From: syslog-ng@lists.balabit.hu (Tom McGee)
Date: Wed, 12 Nov 2003 09:00:06 +0000
Subject: [syslog-ng]GUI Monitoring tool ?
Message-ID:
Hi,
I'm a real newbie to syslog-ng so sorry if this has been asked before.
I'm looking for something that will allow me to keep an eye on syslog via
some GUI.
Ideally via a browser...
Any suggestions ?
Thanks
Tom.
From syslog-ng@lists.balabit.hu Wed Nov 12 14:06:37 2003
From: syslog-ng@lists.balabit.hu (Hamilton Andrew)
Date: Wed, 12 Nov 2003 09:06:37 -0500
Subject: [syslog-ng]GUI Monitoring tool ?
Message-ID:
What do you mean by "keep an eye on"? Do you want logging stats, or just
"is it running"? There are a number of system monitoring tools out there
that will let "watch" various processes including syslog-ng. I use Big
Brother(http://www.bb4.com). I wrote a couple of scripts that monitor the
syslog-ng process and plugged them into Big Brother so I could ensure that
it was alive and kicking. The BB results are posted on a series of web
pages, all of which are customizable. I know there are several others out
there and some of the other folks here use them so perhaps they will respond
as well.
Regards,
Drew
-----Original Message-----
From: Tom McGee [mailto:tom_mcgee_2@hotmail.com]
Sent: Wednesday, November 12, 2003 4:00 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]GUI Monitoring tool ?
Hi,
I'm a real newbie to syslog-ng so sorry if this has been asked before.
I'm looking for something that will allow me to keep an eye on syslog via
some GUI.
Ideally via a browser...
Any suggestions ?
Thanks
Tom.
From syslog-ng@lists.balabit.hu Wed Nov 12 14:16:14 2003
From: syslog-ng@lists.balabit.hu (Jim Mozley)
Date: Wed, 12 Nov 2003 14:16:14 +0000
Subject: [syslog-ng]GUI Monitoring tool ?
In-Reply-To:
References:
Message-ID: <3FB240AE.9040200@exponential-e.com>
Hamilton Andrew wrote:
> What do you mean by "keep an eye on"? Do you want logging stats, or just
> "is it running"? There are a number of system monitoring tools out there
> that will let "watch" various processes including syslog-ng. I use Big
> Brother(http://www.bb4.com). I wrote a couple of scripts that monitor the
> syslog-ng process and plugged them into Big Brother so I could ensure that
> it was alive and kicking. The BB results are posted on a series of web
> pages, all of which are customizable. I know there are several others out
> there and some of the other folks here use them so perhaps they will respond
> as well.
Nagios is good, I've used BB too, but rate Nagios higher.
From syslog-ng@lists.balabit.hu Wed Nov 12 17:49:55 2003
From: syslog-ng@lists.balabit.hu (Russell Adams)
Date: Wed, 12 Nov 2003 11:49:55 -0600
Subject: [syslog-ng]GUI Monitoring tool ?
In-Reply-To: <3FB240AE.9040200@exponential-e.com>
References: <3FB240AE.9040200@exponential-e.com>
Message-ID: <20031112174955.GL8684@soja.ksnet.com.>
Nagios and BB are better for testing for boolean conditions. (ie: Is
it broke? Yes/No?)
What I use is LogMuncher to watch my syslog files on a central log
host, and it mails me about any messages I need to see. Then I get all
the important messages in my mail client.
See http://www.campin.net/syslog-ng/faq.html
Russell
On Wed, Nov 12, 2003 at 02:16:14PM +0000, Jim Mozley wrote:
> Hamilton Andrew wrote:
>
> >What do you mean by "keep an eye on"? Do you want logging stats, or just
> >"is it running"? There are a number of system monitoring tools out there
> >that will let "watch" various processes including syslog-ng. I use Big
> >Brother(http://www.bb4.com). I wrote a couple of scripts that monitor the
> >syslog-ng process and plugged them into Big Brother so I could ensure that
> >it was alive and kicking. The BB results are posted on a series of web
> >pages, all of which are customizable. I know there are several others out
> >there and some of the other folks here use them so perhaps they will
> >respond as well.
>
> Nagios is good, I've used BB too, but rate Nagios higher.
From syslog-ng@lists.balabit.hu Thu Nov 13 09:28:10 2003
From: syslog-ng@lists.balabit.hu (Jim Mozley)
Date: Thu, 13 Nov 2003 09:28:10 +0000
Subject: [syslog-ng]GUI Monitoring tool ?
In-Reply-To: <20031112174955.GL8684@soja.ksnet.com.>
References: <3FB240AE.9040200@exponential-e.com> <20031112174955.GL8684@soja.ksnet.com.>
Message-ID: <3FB34EAA.6060300@exponential-e.com>
> What I use is LogMuncher to watch my syslog files on a central log
> host, and it mails me about any messages I need to see. Then I get all
> the important messages in my mail client.
I've been using swatch in conjunction with some of my own scripts to do
a similar job. Look at SEC (simple event correlation) if you want to
match up events in the log.
From syslog-ng@lists.balabit.hu Thu Nov 13 21:52:21 2003
From: syslog-ng@lists.balabit.hu (Florian Lindner)
Date: Thu, 13 Nov 2003 22:52:21 +0100
Subject: [syslog-ng]Filter postfix log messages
Message-ID: <200311132252.21926.mailinglists@xgm.de>
Hello,
I want to filter out all log messages from postfix. They look like these:
Nov 9 14:16:28 s_sys@bastet postfix/pickup[24484]: 4D92C4580B7: uid=30
from=
Nov 9 14:16:28 s_sys@bastet postfix/cleanup[24510]: 4D92C4580B7:
message-id=<20031109131628.4D92C4580B7@bastet.centershock.net>
How can I do that?
I tried:
filter f_postfix { match(".{16,16}s_sys@bastet postfix"); };
But it doesn't work...
Thanks,
Florian
From syslog-ng@lists.balabit.hu Thu Nov 13 22:55:24 2003
From: syslog-ng@lists.balabit.hu (Andrew Gray)
Date: Fri, 14 Nov 2003 05:55:24 +0700
Subject: [syslog-ng]GUI Monitoring tool ?
In-Reply-To:
Message-ID: <000001c3aa39$67232480$ccc809c0@dell>
Depends a lot on what you are trying to achieve.
You might like to take a look at this;
http://argray.org/ams/
Gives you a real-time view of syslog in a browser.
[ I should declare an interest - as the author... ]
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu
[mailto:syslog-ng-admin@lists.balabit.hu]On Behalf Of Tom McGee
Sent: Wednesday, November 12, 2003 4:00 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]GUI Monitoring tool ?
Hi,
I'm a real newbie to syslog-ng so sorry if this has been asked before.
I'm looking for something that will allow me to keep an eye on syslog via
some GUI.
Ideally via a browser...
Any suggestions ?
Thanks
Tom.
From syslog-ng@lists.balabit.hu Fri Nov 14 04:30:58 2003
From: syslog-ng@lists.balabit.hu (Ed Ravin)
Date: Thu, 13 Nov 2003 23:30:58 -0500
Subject: [syslog-ng]Filter postfix log messages
In-Reply-To: <200311132252.21926.mailinglists@xgm.de>
References: <200311132252.21926.mailinglists@xgm.de>
Message-ID: <20031114043058.GC1448@panix.com>
On Thu, Nov 13, 2003 at 10:52:21PM +0100, Florian Lindner wrote:
> I want to filter out all log messages from postfix. They look like these:
>
> Nov 9 14:16:28 s_sys@bastet postfix/pickup[24484]: 4D92C4580B7: uid=30
> from=
> Nov 9 14:16:28 s_sys@bastet postfix/cleanup[24510]: 4D92C4580B7:
> message-id=<20031109131628.4D92C4580B7@bastet.centershock.net>
...
> filter f_postfix { match(".{16,16}s_sys@bastet postfix"); };
> But it doesn't work...
This works for me:
filter smtp {
program("^(postfix|sendmail)");
};
From syslog-ng@lists.balabit.hu Mon Nov 17 05:45:56 2003
From: syslog-ng@lists.balabit.hu (Vijayant J Singh)
Date: Mon, 17 Nov 2003 11:15:56 +0530
Subject: [syslog-ng]Compilation Problems!
Message-ID: <200311170527.KAA13527@WS0005.indiatimes.com>
Hi,
I'm getting the following message while performing 'make' after './configure' ...
Root@stonegate ~/syslog-ng-1.9.1 # make
make all-recursive
make[1]: Entering directory `/root/syslog-ng-1.9.1'
Making all in src
make[2]: Entering directory `/root/syslog-ng-1.9.1/src'
make[2]: *** No rule to make target `fdread.h', needed by `logreader.o'. Stop.
make[2]: Leaving directory `/root/syslog-ng-1.9.1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/syslog-ng-1.9.1'
make: *** [all-recursive-am] Error 2
please help me out!
Thanks
VJS
From syslog-ng@lists.balabit.hu Mon Nov 17 05:46:22 2003
From: syslog-ng@lists.balabit.hu (Vijayant J Singh)
Date: Mon, 17 Nov 2003 11:16:22 +0530
Subject: [syslog-ng]Compilation Problems!
Message-ID: <200311170528.KAA13666@WS0005.indiatimes.com>
Hi,
I'm getting the following message while performing 'make' after './configure' ...
Root@stonegate ~/syslog-ng-1.9.1 # make
make all-recursive
make[1]: Entering directory `/root/syslog-ng-1.9.1'
Making all in src
make[2]: Entering directory `/root/syslog-ng-1.9.1/src'
make[2]: *** No rule to make target `fdread.h', needed by `logreader.o'. Stop.
make[2]: Leaving directory `/root/syslog-ng-1.9.1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/syslog-ng-1.9.1'
make: *** [all-recursive-am] Error 2
please help me out!
Thanks
VJS
From syslog-ng@lists.balabit.hu Mon Nov 17 13:13:45 2003
From: syslog-ng@lists.balabit.hu (joop jansen)
Date: Mon, 17 Nov 2003 05:13:45 -0800 (PST)
Subject: [syslog-ng]syslog-ng and security
Message-ID: <20031117131345.7427.qmail@web20705.mail.yahoo.com>
Hi,
I was wondering if anyone has experience with sanity
checking of syslog messages.
I'm looking for a manner to filter syslog messages
such as: "set passwd ....", which could start commands
on a UNIX system.
Also, I use a web interface to view the syslog messages
(like the vermeer.org). However I want to filter
syslog messages that could exploit browser
vulnerabilities.
Does anyone have experience with this or some good advice?
Thanks in advance for any help.
Carol Overes
From syslog-ng@lists.balabit.hu Mon Nov 17 20:56:49 2003
From: syslog-ng@lists.balabit.hu (Daniel Flick)
Date: Mon, 17 Nov 2003 14:56:49 -0600
Subject: [syslog-ng]Please help with logging remote machines
In-Reply-To: <20031117131345.7427.qmail@web20705.mail.yahoo.com>
References: <20031117131345.7427.qmail@web20705.mail.yahoo.com>
Message-ID: <1069102609.15235.22.camel@aa724322>
I have been beating my head against a wall getting this to work but no
joy. Syslog-ng is running and logging on the local system but no remote
logs are being saved. Devices in question are PIX firewalls and
NetCache proxies.
Here is a netstat:
netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 cscnet08p:smtp          *:*                     LISTEN
udp        0      0 *:syslog                *:*
udp        0      0 *:sunrpc                *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     1512   /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     93129  /dev/log
Here is my config:
options { sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (on);
use_dns (no);
use_fqdn (no);
create_dirs (yes);
keep_hostname (on);
};
source s_udp { udp(); };
source s_sys { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream
("/dev/log"); internal(); };
destination rlog { file("/var/log/$HOST/$MONTH.$DAY.log"
create_dirs(yes) owner("log") group("log") perm(0600)); };
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };
filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and
not (facility(mail)
or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or
(facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };
log { source(s_udp); filter(f_filter7); destination(rlog); };
#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
From syslog-ng@lists.balabit.hu Tue Nov 18 01:20:14 2003
From: syslog-ng@lists.balabit.hu (Bobby Johnson)
Date: Mon, 17 Nov 2003 18:20:14 -0700
Subject: [syslog-ng]OpenBSD named pipe
Message-ID: <20031117182014.470aafef.bobby@plexuscomp.com>
I'm new to the list, hope this hasn't been covered before. I'm having some problems with syslog-ng, a named pipe and a shell script. I've created a destination in syslog-ng.conf that points to a pipe. In short the shell script looks like this.
while read -r line; do
sort input and output to file
done < named.pipe
Almost no matter what I do the script will sit outside the while loop not reading anything as things are input into the pipe. If I echo "anything" > named.pipe the shell script will run through all or most (not absolutely sure on this) of the input and then exit. I have this same setup on a FreeBSD computer and it works great, moved it to OpenBSD and it doesn't. If I do a tail -f on the pipe while my script is running then exit the tail the script works properly. I have tried a few different versions of syslog-ng and libol; currently I have 1.6.0rc4 and 0.3.11. I have tried bourne, bash and ksh.
Please help.
Bobby Johnson
Plexus Computer Services
www.plexuscomp.com
From syslog-ng@lists.balabit.hu Tue Nov 18 09:06:19 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Tue, 18 Nov 2003 10:06:19 +0100
Subject: [syslog-ng]Please help with logging remote machines
In-Reply-To: <1069102609.15235.22.camel@aa724322>
References: <20031117131345.7427.qmail@web20705.mail.yahoo.com> <1069102609.15235.22.camel@aa724322>
Message-ID: <20031118090619.GA524@balabit.hu>
On Mon, Nov 17, 2003 at 02:56:49PM -0600, Daniel Flick wrote:
> I have been beating my head against a wall getting this to work but no
> joy. Syslog-ng is running and logging on the local system but no remote
> logs are being saved. Devices in question are PIX firewalls and
> NetCache proxies.
Have you checked whether syslog-ng is actually receiving messages ?
tcpdump and strace would help here.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Tue Nov 18 09:08:39 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Tue, 18 Nov 2003 10:08:39 +0100
Subject: [syslog-ng]OpenBSD named pipe
In-Reply-To: <20031117182014.470aafef.bobby@plexuscomp.com>
References: <20031117182014.470aafef.bobby@plexuscomp.com>
Message-ID: <20031118090839.GB524@balabit.hu>
On Mon, Nov 17, 2003 at 06:20:14PM -0700, Bobby Johnson wrote:
> I'm new to the list, hope this hasn't been covered before. I'm having some problems with syslog-ng, a named pipe and a shell script. I've created a destination in syslog-ng.conf that points to a pipe. In short the shell script looks like this.
> while read -r line; do
> sort input and output to file
> done < named.pipe
>
> Almost no matter what I do the script will sit outside the while loop not
> reading anything as things are input into the pipe. If I echo "anything"
> > named.pipe the shell script will run through all or most (not absolutely
> sure on this) of the input and then exit. I have this same setup on a
> FreeBSD computer and it works great, moved it to OpenBSD and it doesn't.
> If I do a tail -f on the pipe while my script is running then exit the
> tail the script works properly. I have tried a few different versions of
> syslog-ng and libol currently I have 1.6.0rc4 and 0.3.11. I have tried
> bourne, bash and ksh. Please help.
The script probably exits because of an EOF read from named.pipe, at least
this is the case when you echo something into the named pipe.
syslog-ng should never close the pipe though, so it should correctly send
messages. Maybe you should try to strace|ktrace|truss the shell script to see
what it exactly does.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Tue Nov 18 15:02:32 2003
From: syslog-ng@lists.balabit.hu (Thomas Vögtle)
Date: Tue, 18 Nov 2003 16:02:32 +0100
Subject: [syslog-ng]Flood Protection
Message-ID: <3FBA3488.8020008@pyramid.de>
Hello,
we are using syslog-ng on our servers and we are quite satisfied with it.
But there is still one question open for me: is there any kind of flood
protection like the old syslog has?
One stupid program got mad and flooded our logs until the harddisk was full.
I want to have the same as that:
Nov 18 15:58:56 tv2 user: allwaysthesame
Nov 18 15:58:56 tv2 last message repeated 137 times
No way to configure this behaviour?
Thanks,
Thomas
From syslog-ng@lists.balabit.hu Tue Nov 18 22:09:44 2003
From: syslog-ng@lists.balabit.hu (Jason Haar)
Date: Wed, 19 Nov 2003 11:09:44 +1300
Subject: [syslog-ng]Flood Protection
In-Reply-To: <3FBA3488.8020008@pyramid.de>
References: <3FBA3488.8020008@pyramid.de>
Message-ID: <1069193384.19494.70.camel@crom.trimble.co.nz>
On Wed, 2003-11-19 at 04:02, Thomas Vögtle wrote:
> I want to have the same as that:
> Nov 18 15:58:56 tv2 user: allwaysthesame
> Nov 18 15:58:56 tv2 last message repeated 137 times
>
One problem with this feature is that it can only work if the last 137
syslog events to occur were the same event. We run a large centralized
syslog server environment, with lots of syslog clients, and as such this
sort of limiting feature never really gets to work, as it's quite rare
for one event to occur record after record without some other client
squirting in a new record.
Oh well...
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
From syslog-ng@lists.balabit.hu Wed Nov 19 09:27:54 2003
From: syslog-ng@lists.balabit.hu (Rule, Ted)
Date: Wed, 19 Nov 2003 09:27:54 -0000
Subject: [syslog-ng]Flood Protection
Message-ID: <7EE401CB7BDD6541BE2EB68CC917596DA77A1F@fttvgpsexch2-nas.flextech.co.uk>
Surely one can code round that little problem.
Instead of maintaining a history table which records the number
of times the last message has been received, one records the
number of times in the last N seconds that a given client's
last message has been repeated. The history table, instead of
being one count, and one string buffer, becomes an array indexed
by client, with each item containing a count and a buffer
and a timestamp.
Obviously the table would have to be size limited and probably
idle-time-purged, to avoid it eating up resource.
Ted
> -----Original Message-----
> From: syslog-ng-admin@lists.balabit.hu
> [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Jason Haar
> Sent: Tuesday 18 November 2003 22:10
> To: syslog-ng@lists.balabit.hu
> Subject: Re: [syslog-ng]Flood Protection
>
> On Wed, 2003-11-19 at 04:02, Thomas Vögtle wrote:
> > I want to have the same as that:
> > Nov 18 15:58:56 tv2 user: allwaysthesame
> > Nov 18 15:58:56 tv2 last message repeated 137 times
> >
>
> One problem with this feature is that it can only work if the last 137
> syslog events to occur were the same event. We run a large centralized
> syslog server environment, with lots of syslog clients, and as such this
> sort of limiting feature never really gets to work, as it's quite rare
> for one event to occur record after record without some other client
> squirting in a new record.
>
> Oh well...
>
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
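The per-client history table Ted Rule describes, sketched in Python as an added example (it is not code from syslog-ng or from anyone in this thread). The class and parameter names, the 10-second window, the table limits and the sample events are assumptions made for illustration.

```python
"""Per-client repeat suppression for syslog lines (added illustration)."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Entry:
    message: str         # the client's last message (the "buffer")
    window_start: float  # when this message was last written out
    last_seen: float     # last activity, used for idle purging
    repeats: int = 0     # copies suppressed since window_start


class RepeatSuppressor:
    """History table indexed by client: count, buffer and timestamp per entry."""

    def __init__(self, window=10.0, max_clients=1024, idle_timeout=300.0):
        self.window = window              # the "last N seconds"
        self.max_clients = max_clients    # hard size limit on the table
        self.idle_timeout = idle_timeout  # purge clients silent this long
        self._table = OrderedDict()       # client -> Entry, least recently active first

    @staticmethod
    def _summary(client, entry):
        return f"{client} last message repeated {entry.repeats} times"

    def _drop_oldest(self, out):
        # Evicting an entry must not lose the count of suppressed copies.
        client, entry = self._table.popitem(last=False)
        if entry.repeats:
            out.append(self._summary(client, entry))

    def purge(self, now):
        """Drop idle clients; return the summaries owed for suppressed copies."""
        out = []
        while self._table:
            oldest = next(iter(self._table.values()))
            if now - oldest.last_seen < self.idle_timeout:
                break
            self._drop_oldest(out)
        return out

    def feed(self, now, client, message):
        """Process one event and return the lines that should be written."""
        out = self.purge(now)
        entry = self._table.get(client)
        if (entry is not None and entry.message == message
                and now - entry.window_start < self.window):
            entry.repeats += 1            # same message inside the window: suppress
            entry.last_seen = now
            self._table.move_to_end(client)
            return out
        if entry is not None and entry.repeats:
            out.append(self._summary(client, entry))
        self._table[client] = Entry(message, now, now)
        self._table.move_to_end(client)
        while len(self._table) > self.max_clients:
            self._drop_oldest(out)
        out.append(f"{client} {message}")
        return out

    def flush(self):
        """Emit outstanding summaries (for example at shutdown) and empty the table."""
        out = []
        while self._table:
            self._drop_oldest(out)
        return out


# Constructed sample: two clients interleaved, the case in which a single
# global "last message" buffer never sees two identical records in a row.
# Tuples are (seconds, client, message).
SAMPLE = [
    (0, "tv2", "user: allwaysthesame"),
    (1, "web1", "sshd: session opened"),
    (2, "tv2", "user: allwaysthesame"),
    (3, "tv2", "user: allwaysthesame"),
    (4, "web1", "sshd: session closed"),
    (5, "tv2", "user: allwaysthesame"),
    (12, "tv2", "user: allwaysthesame"),   # window expired: summary, then the line again
    (13, "tv2", "user: allwaysthesame"),
    (14, "tv2", "user: allwaysthesame"),
]


def demo():
    suppressor = RepeatSuppressor(window=10, max_clients=2, idle_timeout=60)
    lines = []
    for now, client, message in SAMPLE:
        lines += suppressor.feed(now, client, message)
    return lines + suppressor.flush()


if __name__ == "__main__":
    print("\n".join(demo()))
```

With this scheme a client repeating one message costs at most two output lines per window, regardless of how many other clients log in between.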
From syslog-ng@lists.balabit.hu Wed Nov 19 10:55:40 2003
From: syslog-ng@lists.balabit.hu (Thomas Vögtle)
Date: Wed, 19 Nov 2003 11:55:40 +0100
Subject: [syslog-ng]Re: Flood Protection
In-Reply-To: <3FBA3488.8020008@pyramid.de>
References: <3FBA3488.8020008@pyramid.de>
Message-ID: <3FBB4C2C.8030801@pyramid.de>
Jason Haar wrote:
> One problem with this feature is that it can only work if the last 137
> syslog events to occur were the same event. We run a large centralized
> syslog server environment, with lots of syslog clients, and as such this
> sort of limiting feature never really gets to work, as it's quite rare
> for one event to occur record after record without some other client
> squirting in a new record.
OK, but if you run syslog-ng local, and only logging local logs, then it
is easy to fill the harddisk with logger. With a good flood protection
it is more difficult.
Greetings
From syslog-ng@lists.balabit.hu Wed Nov 19 13:55:46 2003
From: syslog-ng@lists.balabit.hu (Daniel Flick)
Date: Wed, 19 Nov 2003 07:55:46 -0600
Subject: [syslog-ng]Please help with logging remote machines
In-Reply-To: <20031118090619.GA524@balabit.hu>
References: <20031117131345.7427.qmail@web20705.mail.yahoo.com>
<1069102609.15235.22.camel@aa724322> <20031118090619.GA524@balabit.hu>
Message-ID: <1069250146.3082.24.camel@aa724322>
08:28:15.975018 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
08:28:15.976003 138.57.100.15.syslog > 66.6.86.58.syslog: udp 137
08:28:15.976820 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
08:28:15.978296 138.57.100.15.syslog > 66.6.86.58.syslog: udp 137
08:28:15.979772 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
08:28:15.980096 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
08:28:15.980756 138.57.100.15.syslog > 66.6.86.58.syslog: udp 133
looks like the firewall is sending (100.15 is firewall)
On Tue, 2003-11-18 at 03:06, Balazs Scheidler wrote:
> On Mon, Nov 17, 2003 at 02:56:49PM -0600, Daniel Flick wrote:
> > I have been beating my head against a wall getting this to work but no
> > joy. Syslog-ng is running and logging on the local system but no remote
> > logs are being saved. Devices in question are PIX firewalls and
> > NetCache proxies.
>
> Have you checked whether syslog-ng is actually receiving messages ?
>
> tcpdump and strace would help here.
From syslog-ng@lists.balabit.hu Wed Nov 19 14:29:18 2003
From: syslog-ng@lists.balabit.hu (Josh Endries)
Date: Wed, 19 Nov 2003 09:29:18 -0500
Subject: [syslog-ng]syslog-ng newbie facility question
In-Reply-To: <1069250146.3082.24.camel@aa724322>
References: <20031117131345.7427.qmail@web20705.mail.yahoo.com> <1069102609.15235.22.camel@aa724322> <20031118090619.GA524@balabit.hu> <1069250146.3082.24.camel@aa724322>
Message-ID: <3FBB7E3E.1000100@pragmeta.com>
Hiya everyone,
I'm pretty new to syslog-ng, and I'm currently working on converting our
current "normal" syslog daemons (FreeBSD) to syslog-ng and setting up a
central loghost. So far so good -- everything is working, even through
stunnel and TCP, which is awesome. I'm going to try and get it into
PostgreSQL next.
Anyway, my question is about logging facilities. I never thought about
this with syslogd; I always assumed I was limited to the normal
facilities, local2 and mail and whatnot. But looking through the
syslog-ng config file it occurred to me that I may be able to create my
own facility filters. For example, create an apache facility and have
Apache log to this. I could then pipe Apache to the log host and have it
consolidate all that stuff into httpd-error files in the new directory
hierarchy.
Thanks! :)
--
Josh
From syslog-ng@lists.balabit.hu Wed Nov 19 14:53:51 2003
From: syslog-ng@lists.balabit.hu (Daniel Flick)
Date: Wed, 19 Nov 2003 08:53:51 -0600
Subject: [syslog-ng]Please help with logging remote machines
In-Reply-To: <20031118090619.GA524@balabit.hu>
References: <20031117131345.7427.qmail@web20705.mail.yahoo.com>
<1069102609.15235.22.camel@aa724322> <20031118090619.GA524@balabit.hu>
Message-ID: <1069253630.3082.34.camel@aa724322>
On Tue, 2003-11-18 at 03:06, Balazs Scheidler wrote:
> On Mon, Nov 17, 2003 at 02:56:49PM -0600, Daniel Flick wrote:
> > I have been beating my head against a wall getting this to work but no
> > joy. Syslog-ng is running and logging on the local system but no remote
> > logs are being saved. Devices in question are PIX firewalls and
> > NetCache proxies.
>
> Have you checked whether syslog-ng is actually receiving messages ?
>
> tcpdump and strace would help here.
tcpdump shows that the firewalls are contacting the machine.
I was not able to get anything of value with "strace syslog-ng" I am
new to this tool so I may not be using it right. This is the only error
I could find but I don't know what that means.
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or
directory)
From syslog-ng@lists.balabit.hu Wed Nov 19 16:46:46 2003
From: syslog-ng@lists.balabit.hu (Brad Arlt)
Date: Wed, 19 Nov 2003 09:46:46 -0700
Subject: [syslog-ng]Re: Flood Protection
In-Reply-To: <3FBB4C2C.8030801@pyramid.de>
References: <3FBA3488.8020008@pyramid.de> <3FBB4C2C.8030801@pyramid.de>
Message-ID: <20031119164646.GA9325@ms257a.cpsc.ucalgary.ca>
On Wed, Nov 19, 2003 at 11:55:40AM +0100, Thomas Vögtle wrote:
> Jason Haar wrote:
> > One problem with this feature is that it can only work if the last 137
> > syslog events to occur were the same event. We run a large centralized
> > syslog server environment, with lots of syslog clients, and as such this
>
> OK, but if you run syslog-ng local, and only logging local logs, then it
> is easy to fill the harddisk with logger. With a good flood protection
> it is more difficult.
I cannot be 100% certain, but I am reasonably certain that syslog-ng
does not have this compression of the logs.
One could use swatch (or other log monitoring/reduction tools) to do
this on the fly. Or an ultra lazy (though not as effective) way would
be to log via pipes only and run gzip or bzip2 from the pipes to the
disk.
Honestly though, the point above about multiple log lines applies just
as well to the local machine. *Most* things log more than one line
repetitively, syslogd doesn't handle this either. Log reduction
programs are about the only thing that will. The upshot is while they
are reducing your logs they could also page/email you to inform you
that there is a problem.
-----------------------------------------------------------------------
__o Bradley Arlt Security Team Lead
_ \<_ arlt@cpsc.ucalgary.ca University Of Calgary
(_)/(_) Joyously Canadian Computer Science
From syslog-ng@lists.balabit.hu Wed Nov 19 16:54:47 2003
From: syslog-ng@lists.balabit.hu (Brad Arlt)
Date: Wed, 19 Nov 2003 09:54:47 -0700
Subject: [syslog-ng]syslog-ng newbie facility question
In-Reply-To: <3FBB7E3E.1000100@pragmeta.com>
References: <20031117131345.7427.qmail@web20705.mail.yahoo.com> <1069102609.15235.22.camel@aa724322> <20031118090619.GA524@balabit.hu> <1069250146.3082.24.camel@aa724322> <3FBB7E3E.1000100@pragmeta.com>
Message-ID: <20031119165447.GB9325@ms257a.cpsc.ucalgary.ca>
On Wed, Nov 19, 2003 at 09:29:18AM -0500, Josh Endries wrote:
> Hiya everyone,
> Anyway, my question is about logging facilities. I never thought
> about this with syslogd; I always assumed I was limited to the
> normal facilities, local2 and mail and whatnot. But looking through
> the syslog-ng config file it occurred to me that I may be able to
> create my own facility filters. For example, create an apache
> facility and have Apache log to this. I could then pipe Apache to
> the log host and have it consolidate all that stuff into httpd-error
> files in the new directory hierarchy.
Ummm... the "local" facilities are the custom ones. In your head you
are supposed to say "local4 means apache", and maybe you say it in a
comment in a config file somewhere.
I would not recommend sliding your own facility into slots your OS(es)
just happen not to use. And you will find some OSes will not allow
this added facility to work correctly (it will work fine over the
network, but an OS needed to feed it to syslog in the first place,
so...)
You will be just as happy logging to daemon (since Apache is a daemon)
and matching on "httpd" or "apache" in the program field.
-----------------------------------------------------------------------
__o Bradley Arlt Security Team Lead
_ \<_ arlt@cpsc.ucalgary.ca University Of Calgary
(_)/(_) Joyously Canadian Computer Science
From syslog-ng@lists.balabit.hu Wed Nov 19 18:22:07 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Wed, 19 Nov 2003 19:22:07 +0100
Subject: [syslog-ng]Please help with logging remote machines
In-Reply-To: <1069250146.3082.24.camel@aa724322>
References: <20031117131345.7427.qmail@web20705.mail.yahoo.com> <1069102609.15235.22.camel@aa724322> <20031118090619.GA524@balabit.hu> <1069250146.3082.24.camel@aa724322>
Message-ID: <20031119182207.GD12055@balabit.hu>
On Wed, Nov 19, 2003 at 07:55:46AM -0600, Daniel Flick wrote:
> 08:28:15.975018 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
> 08:28:15.976003 138.57.100.15.syslog > 66.6.86.58.syslog: udp 137
> 08:28:15.976820 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
> 08:28:15.978296 138.57.100.15.syslog > 66.6.86.58.syslog: udp 137
> 08:28:15.979772 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
> 08:28:15.980096 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
> 08:28:15.980756 138.57.100.15.syslog > 66.6.86.58.syslog: udp 133
> looks like the firewall is sending (100.15 is firewall)
ok, please strace the syslog-ng process to see whether it is actually
receiving messages.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Wed Nov 19 18:26:20 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Wed, 19 Nov 2003 19:26:20 +0100
Subject: [syslog-ng]Please help with logging remote machines
In-Reply-To: <1069253630.3082.34.camel@aa724322>
References: <20031117131345.7427.qmail@web20705.mail.yahoo.com> <1069102609.15235.22.camel@aa724322> <20031118090619.GA524@balabit.hu> <1069253630.3082.34.camel@aa724322>
Message-ID: <20031119182619.GE12055@balabit.hu>
On Wed, Nov 19, 2003 at 08:53:51AM -0600, Daniel Flick wrote:
> On Tue, 2003-11-18 at 03:06, Balazs Scheidler wrote:
> > On Mon, Nov 17, 2003 at 02:56:49PM -0600, Daniel Flick wrote:
> > > I have been beating my head against a wall getting this to work but no
> > > joy. Syslog-ng is running and logging on the local system but no remote
> > > logs are being saved. Devices in question are PIX firewalls and
> > > NetCache proxies.
> >
> > Have you checked whether syslog-ng is actually receiving messages ?
> >
> > tcpdump and strace would help here.
> tcpdump shows that the firewalls are contacting the machine.
>
> I was not able to get anything of value with "strace syslog-ng" I am
> new to this tool so I may not be using it right. This is the only error
> I could find but I don't know what that means.
>
> open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or
> directory)
check the pid of the syslog-ng process as it is running in the background,
and attach to it using strace
strace -s 256 -o /tmp/syslog-ng.trace -p
run it for a couple of seconds, to let your firewall send syslog messages.
Then grep the file /tmp/syslog-ng.trace for the string "recvfrom"
Each received message should have a corresponding recvfrom() call. If you
can't see anything either syslog-ng is not correctly bound, or your packet
filter drops syslog traffic.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Wed Nov 19 19:39:13 2003
From: syslog-ng@lists.balabit.hu (Daniel Flick)
Date: Wed, 19 Nov 2003 13:39:13 -0600
Subject: [syslog-ng]Please help with logging remote machines
In-Reply-To: <20031119182619.GE12055@balabit.hu>
References: <20031117131345.7427.qmail@web20705.mail.yahoo.com>
<1069102609.15235.22.camel@aa724322> <20031118090619.GA524@balabit.hu>
<1069253630.3082.34.camel@aa724322> <20031119182619.GE12055@balabit.hu>
Message-ID: <1069270753.3082.61.camel@aa724322>
On Wed, 2003-11-19 at 12:26, Balazs Scheidler wrote:
> On Wed, Nov 19, 2003 at 08:53:51AM -0600, Daniel Flick wrote:
> > On Tue, 2003-11-18 at 03:06, Balazs Scheidler wrote:
> > > On Mon, Nov 17, 2003 at 02:56:49PM -0600, Daniel Flick wrote:
> > > > I have been beating my head against a wall getting this to work but no
> > > > joy. Syslog-ng is running and logging on the local system but no remote
> > > > logs are being saved. Devices in question are PIX firewalls and
> > > > NetCache proxies.
> > >
> > > Have you checked whether syslog-ng is actually receiving messages ?
> > >
> > > tcpdump and strace would help here.
> > tcpdump shows that the firewalls are contacting the machine.
> >
> > I was not able to get anything of value with "strace syslog-ng" I am
> > new to this tool so I may not be using it right. This is the only error
> > I could find but I don't know what that means.
> >
> > open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or
> > directory)
>
> check the pid of the syslog-ng process as it is running in the background,
> and attach to it using strace
>
> strace -s 256 -o /tmp/syslog-ng.trace -p
>
> run it for a couple of seconds, to let your firewall send syslog messages.
> Then grep the file /tmp/syslog-ng.trace for the string "recvfrom"
>
> Each received message should have a corresponding recvfrom() call. If you
> can't see anything either syslog-ng is not correctly bound, or your packet
> filter drops syslog traffic
Interesting that I have so many syslog-ng processes. Is this normal?
ps -aux | grep [s]yslog
root 11118 0.0 0.0 1780 808 ? S Nov17 1:31 syslog-ng
root 11994 0.0 0.0 1724 696 ? S 08:31 0:01 syslog-ng
root 11999 0.0 0.0 1712 724 ? S 09:00 0:00 syslog-ng
all all
root 12066 0.0 0.0 1708 680 ? S 09:22 0:00 syslog-ng
root 12071 0.0 0.0 1680 652 ? S 09:23 0:00 syslog-ng
root 12075 0.0 0.0 1688 660 ? S 09:23 0:00 syslog-ng
root 12079 0.0 0.0 1680 652 ? S 09:23 0:00 syslog-ng
root 12083 0.0 0.0 1700 672 ? S 09:24 0:00 syslog-ng
root 12087 0.0 0.0 1688 656 ? S 09:24 0:00 syslog-ng
root 12091 0.0 0.0 1684 656 ? S 09:24 0:00 syslog-ng
root 12095 0.0 0.0 1728 740 ? S 09:25 0:11 syslog-ng
I attached to 11999 and a few others and could not find recvfrom
anywhere. The file is rather small and I posted one here. I also tried
to attach to several other syslog-ng processes with the same results. I
also verified that no filters are running that may be dropping the
packets.
cat /tmp/syslog-ng.trace
time(NULL) = 1069271394
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
time(NULL) = 1069271425
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 0) = 0
getpid() = 11999
time(NULL) = 1069271425
time(NULL) = 1069271425
time(NULL) = 1069271425
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll(
From syslog-ng@lists.balabit.hu Wed Nov 19 20:50:59 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Wed, 19 Nov 2003 21:50:59 +0100
Subject: [syslog-ng]Please help with logging remote machines
In-Reply-To: <1069270753.3082.61.camel@aa724322>
References: <20031117131345.7427.qmail@web20705.mail.yahoo.com> <1069102609.15235.22.camel@aa724322> <20031118090619.GA524@balabit.hu> <1069253630.3082.34.camel@aa724322> <20031119182619.GE12055@balabit.hu> <1069270753.3082.61.camel@aa724322>
Message-ID: <20031119205059.GA20667@balabit.hu>
On Wed, Nov 19, 2003 at 01:39:13PM -0600, Daniel Flick wrote:
> On Wed, 2003-11-19 at 12:26, Balazs Scheidler wrote:
> > check the pid of the syslog-ng process as it is running in the background,
> > and attach to it using strace
> >
> > strace -s 256 -o /tmp/syslog-ng.trace -p
> >
> > run it for a couple of seconds, to let your firewall send syslog messages.
> > Then grep the file /tmp/syslog-ng.trace for the string "recvfrom"
> >
> > Each received message should have a corresponding recvfrom() call. If you
> > can't see anything either syslog-ng is not correctly bound, or your packet
> > filter drops syslog traffic
> Interesting that I have so many syslog-ng processes. Is this normal?
> ps -aux | grep [s]yslog
> root 11118 0.0 0.0 1780 808 ? S Nov17 1:31 syslog-ng
> root 11994 0.0 0.0 1724 696 ? S 08:31 0:01 syslog-ng
> root 11999 0.0 0.0 1712 724 ? S 09:00 0:00 syslog-ng
> all all
> root 12066 0.0 0.0 1708 680 ? S 09:22 0:00 syslog-ng
> root 12071 0.0 0.0 1680 652 ? S 09:23 0:00 syslog-ng
> root 12075 0.0 0.0 1688 660 ? S 09:23 0:00 syslog-ng
> root 12079 0.0 0.0 1680 652 ? S 09:23 0:00 syslog-ng
> root 12083 0.0 0.0 1700 672 ? S 09:24 0:00 syslog-ng
> root 12087 0.0 0.0 1688 656 ? S 09:24 0:00 syslog-ng
> root 12091 0.0 0.0 1684 656 ? S 09:24 0:00 syslog-ng
> root 12095 0.0 0.0 1728 740 ? S 09:25 0:11 syslog-ng
To my best knowledge syslog-ng forks only when it starts another program
(program destination). So it is not normal that you have this number of
syslog-ng processes.
> I attached to 11999 and a few others and could not find recvfrom
> anywhere. The file is rather small and I posted one here. I also tried
> to attach to several other syslog-ng processes with the same results. I
> also verified that no filters are running that may be dropping the
> packets.
> cat /tmp/syslog-ng.trace
> time(NULL) = 1069271394
> poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
> events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
> poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
> events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
> time(NULL) = 1069271425
> poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
> events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
> poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
> events=POLLIN}, {fd=3, events=POLLIN}], 5, 0) = 0
> getpid() = 11999
the output of "lsof" might reveal the nature of those polled
filedescriptors, but in general if you can't see recvfrom() lines and
syslog-ng is bound to the correct ports there is really something wrong
outside syslog-ng.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
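The trace check from this exchange, as an added example that is not part of the original messages: it re-joins mail-wrapped `strace -o` records, counts recvfrom() calls and lists the descriptors the process polls for input. The first sample is copied from the trace posted in the thread; the second is constructed, and the function names and verdict strings are hypothetical.

```python
"""Summarise an `strace -o` trace of a log daemon (added illustration)."""
import re
from collections import Counter

# One complete syscall record: name(args) = return-value [trailing text]
CALL_RE = re.compile(r"^(\w+)\((.*)\)\s+=\s+(-?\d+|\?)(.*)$", re.S)
POLLFD_RE = re.compile(r"\{fd=(\d+), events=([A-Z|]+)\}")

# Copied from the trace posted in the thread, mail line-wrapping included;
# the last record is cut off exactly as it was in the message.
TRACE_FROM_THREAD = """\
time(NULL) = 1069271394
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
getpid() = 11999
poll(
"""

# Constructed sample of a process that does receive datagrams.
TRACE_RECEIVING = """\
poll([{fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 2, 100) = 1
recvfrom(3, "<190>constructed test message", 1024, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.0.2.15")}, [16]) = 29
recvfrom(3, "<190>constructed test message 2", 1024, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.0.2.15")}, [16]) = 31
"""


def join_wrapped(text):
    """Re-join records that a mail client wrapped across several lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"\w+\(", line) or not records:
            records.append(line)          # starts a new syscall record
        else:
            records[-1] += " " + line     # continuation of the previous one
    return records


def summarise(text):
    calls = Counter()
    polled_in = set()      # descriptors the process waits on for input
    received = Counter()   # fd -> bytes returned by recvfrom()
    incomplete = 0         # truncated records, e.g. a trailing "poll("
    for record in join_wrapped(text):
        match = CALL_RE.match(record)
        if not match:
            incomplete += 1
            continue
        name, args, ret = match.group(1), match.group(2), match.group(3)
        calls[name] += 1
        if name == "poll":
            polled_in.update(int(fd) for fd, events in POLLFD_RE.findall(args)
                             if "POLLIN" in events)
        elif name == "recvfrom" and ret != "?" and int(ret) > 0:
            received[int(args.split(",", 1)[0])] += int(ret)
    if received:
        verdict = "receiving"
    elif polled_in:
        # Waiting for input but never reading any: check what the polled
        # descriptors are bound to, and whether a packet filter drops traffic.
        verdict = "not receiving"
    else:
        verdict = "inconclusive"
    return {"calls": dict(calls), "polled_in": sorted(polled_in),
            "received": dict(received), "incomplete": incomplete,
            "verdict": verdict}


if __name__ == "__main__":
    for label, trace in (("thread", TRACE_FROM_THREAD), ("constructed", TRACE_RECEIVING)):
        print(label, summarise(trace))
```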
From syslog-ng@lists.balabit.hu Wed Nov 19 21:51:47 2003
From: syslog-ng@lists.balabit.hu (Daniel Flick)
Date: Wed, 19 Nov 2003 15:51:47 -0600
Subject: [syslog-ng]Please help with logging remote machines
In-Reply-To: <20031119205059.GA20667@balabit.hu>
References: <20031117131345.7427.qmail@web20705.mail.yahoo.com>
<1069102609.15235.22.camel@aa724322> <20031118090619.GA524@balabit.hu>
<1069253630.3082.34.camel@aa724322> <20031119182619.GE12055@balabit.hu>
<1069270753.3082.61.camel@aa724322> <20031119205059.GA20667@balabit.hu>
Message-ID: <1069278706.3082.97.camel@aa724322>
On Wed, 2003-11-19 at 14:50, Balazs Scheidler wrote:
> On Wed, Nov 19, 2003 at 01:39:13PM -0600, Daniel Flick wrote:
> > On Wed, 2003-11-19 at 12:26, Balazs Scheidler wrote:
> > > check the pid of the syslog-ng process as it is running in the background,
> > > and attach to it using strace
> > >
> > > strace -s 256 -o /tmp/syslog-ng.trace -p
> > >
> > > run it for a couple of seconds, to let your firewall send syslog messages.
> > > Then grep the file /tmp/syslog-ng.trace for the string "recvfrom"
> > >
> > > Each received message should have a corresponding recvfrom() call. If you
> > > can't see anything either syslog-ng is not correctly bound, or your packet
> > > filter drops syslog traffic
> > Interesting that I have so many syslog-ng processes. Is this normal?
> > ps -aux | grep [s]yslog
> > root 11118 0.0 0.0 1780 808 ? S Nov17 1:31 syslog-ng
> > root 11994 0.0 0.0 1724 696 ? S 08:31 0:01 syslog-ng
> > root 11999 0.0 0.0 1712 724 ? S 09:00 0:00 syslog-ng
> > all all
> > root 12066 0.0 0.0 1708 680 ? S 09:22 0:00 syslog-ng
> > root 12071 0.0 0.0 1680 652 ? S 09:23 0:00 syslog-ng
> > root 12075 0.0 0.0 1688 660 ? S 09:23 0:00 syslog-ng
> > root 12079 0.0 0.0 1680 652 ? S 09:23 0:00 syslog-ng
> > root 12083 0.0 0.0 1700 672 ? S 09:24 0:00 syslog-ng
> > root 12087 0.0 0.0 1688 656 ? S 09:24 0:00 syslog-ng
> > root 12091 0.0 0.0 1684 656 ? S 09:24 0:00 syslog-ng
> > root 12095 0.0 0.0 1728 740 ? S 09:25 0:11 syslog-ng
>
> To my best knowledge syslog-ng forks only when it starts another program
> (program destination). So it is not normal that you have this number of
> syslog-ng processes.
Would this make sense due to the fact that my destination creates a new
file based on the host source? If so, that is encouraging.
destination rlog { file("/var/log/$HOST/$MONTH.$DAY.log"
create_dirs(yes) owner("log") group("log") perm(0600)); };
>
> > I attached to 11999 and a few others and could not find recvfrom
> > anywhere. The file is rather small and I posted one here. I also tried
> > to attach to several other syslog-ng processes with the same results. I
> > also verified that no filters are running that may be dropping the
> > packets.
> > cat /tmp/syslog-ng.trace
> > time(NULL) = 1069271394
> > poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
> > events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
> > poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
> > events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
> > time(NULL) = 1069271425
> > poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
> > events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
> > poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
> > events=POLLIN}, {fd=3, events=POLLIN}], 5, 0) = 0
> > getpid() = 11999
>
> the output of "lsof" might reveal the nature of those polled
> filedescriptors, but in general if you can't see recvfrom() lines and
> syslog-ng is bound to the correct ports there is really something wrong
> outside syslog-ng.
If the config looks good then I might just do a rebuild to Gentoo and
try again. Did you see any obvious errors in my syslog-ng.conf? Thanks
very much for the assistance. I learned quite a bit!
From syslog-ng@lists.balabit.hu Wed Nov 19 19:58:42 2003
From: syslog-ng@lists.balabit.hu (Hamilton Andrew)
Date: Wed, 19 Nov 2003 14:58:42 -0500
Subject: [syslog-ng]Please help with logging remote machines
Message-ID:
Looks to me like you are using some flavor of linux. My process table on
Redhat only has one entry for syslog-ng. I think you should probably stop
the syslog-ng process via your usual startup/shutdown method to see what
process it thinks it is running. Then look to see what processes are still
alive. Kill those via the kill command then restart syslog-ng via your
normal startup procedure. That might clear up some of your issues.
Regards,
Drew
-----Original Message-----
From: Daniel Flick [mailto:dflick@pdq.net]
Sent: Wednesday, November 19, 2003 2:39 PM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Please help with logging remote machines
On Wed, 2003-11-19 at 12:26, Balazs Scheidler wrote:
> On Wed, Nov 19, 2003 at 08:53:51AM -0600, Daniel Flick wrote:
> > On Tue, 2003-11-18 at 03:06, Balazs Scheidler wrote:
> > > On Mon, Nov 17, 2003 at 02:56:49PM -0600, Daniel Flick wrote:
> > > > I have been beating my head against a wall getting this to work but no
> > > > joy. Syslog-ng is running and logging on the local system but no remote
> > > > logs are being saved. Devices in question are PIX firewalls and
> > > > NetCache proxies.
> > >
> > > Have you checked whether syslog-ng is actually receiving messages ?
> > >
> > > tcpdump and strace would help here.
> > tcpdump shows that the firewalls are contacting the machine.
> >
> > I was not able to get anything of value with "strace syslog-ng" I am
> > new to this tool so I may not be using it right. This is the only error
> > I could find but I don't know what that means.
> >
> > open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or
> > directory)
>
> check the pid of the syslog-ng process as it is running in the background,
> and attach to it using strace
>
> strace -s 256 -o /tmp/syslog-ng.trace -p <pid>
>
> run it for a couple of seconds, to let your firewall send syslog messages.
> Then grep the file /tmp/syslog-ng.trace for the string "recvfrom"
>
> Each received message should have a corresponding recvfrom() call. If you
> can't see anything either syslog-ng is not correctly bound, or your packet
> filter drops syslog traffic
Interesting that I have so many syslog-ng processes. Is this normal?
ps -aux | grep [s]yslog
root 11118 0.0 0.0 1780 808 ? S Nov17 1:31 syslog-ng
root 11994 0.0 0.0 1724 696 ? S 08:31 0:01 syslog-ng
root 11999 0.0 0.0 1712 724 ? S 09:00 0:00 syslog-ng
all all
root 12066 0.0 0.0 1708 680 ? S 09:22 0:00 syslog-ng
root 12071 0.0 0.0 1680 652 ? S 09:23 0:00 syslog-ng
root 12075 0.0 0.0 1688 660 ? S 09:23 0:00 syslog-ng
root 12079 0.0 0.0 1680 652 ? S 09:23 0:00 syslog-ng
root 12083 0.0 0.0 1700 672 ? S 09:24 0:00 syslog-ng
root 12087 0.0 0.0 1688 656 ? S 09:24 0:00 syslog-ng
root 12091 0.0 0.0 1684 656 ? S 09:24 0:00 syslog-ng
root 12095 0.0 0.0 1728 740 ? S 09:25 0:11 syslog-ng
I attached to 11999 and a few others and could not find recvfrom
anywhere. The file is rather small and I posted one here. I also tried
to attach to several other syslog-ng processes with the same results. I
also verified that no filters are running that may be dropping the
packets.
cat /tmp/syslog-ng.trace
time(NULL) = 1069271394
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
time(NULL) = 1069271425
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 0) = 0
getpid() = 11999
time(NULL) = 1069271425
time(NULL) = 1069271425
time(NULL) = 1069271425
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll(
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
From syslog-ng@lists.balabit.hu Thu Nov 20 15:02:00 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Thu, 20 Nov 2003 16:02:00 +0100
Subject: [syslog-ng]Please help with logging remote machines
In-Reply-To: <1069278706.3082.97.camel@aa724322>
References: <20031117131345.7427.qmail@web20705.mail.yahoo.com> <1069102609.15235.22.camel@aa724322> <20031118090619.GA524@balabit.hu> <1069253630.3082.34.camel@aa724322> <20031119182619.GE12055@balabit.hu> <1069270753.3082.61.camel@aa724322> <20031119205059.GA20667@balabit.hu> <1069278706.3082.97.camel@aa724322>
Message-ID: <20031120150159.GA1330@balabit.hu>
On Wed, Nov 19, 2003 at 03:51:47PM -0600, Daniel Flick wrote:
> On Wed, 2003-11-19 at 14:50, Balazs Scheidler wrote:
> > On Wed, Nov 19, 2003 at 01:39:13PM -0600, Daniel Flick wrote:
> > > On Wed, 2003-11-19 at 12:26, Balazs Scheidler wrote:
> > > root 12087 0.0 0.0 1688 656 ? S 09:24 0:00 syslog-ng
> > > root 12091 0.0 0.0 1684 656 ? S 09:24 0:00 syslog-ng
> > > root 12095 0.0 0.0 1728 740 ? S 09:25 0:11 syslog-ng
> >
> > To my best knowledge syslog-ng forks only when it starts another program
> > (program destination). So it is not normal that you have this number of
> > syslog-ng processes.
> Would this make sense due to the fact that my destination creates a new
> file based on the host source? If so, that is encouraging.
> destination rlog { file("/var/log/$HOST/$MONTH.$DAY.log"
> create_dirs(yes) owner("log") group("log") perm(0600)); };
No, syslog-ng does not fork in this case.
> If the config looks good then I might just do a rebuild to Gentoo and
> try again. Did you see any obvious errors in my syslog-ng.conf? Thanks
> very much for the assistance. I learned quite a bit!
it seems to be ok.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Thu Nov 20 15:22:23 2003
From: syslog-ng@lists.balabit.hu (Carol Overes)
Date: Thu, 20 Nov 2003 07:22:23 -0800 (PST)
Subject: [syslog-ng]Sanity checking
Message-ID: <20031120152223.12527.qmail@web20707.mail.yahoo.com>
Hi,
I'm looking for a way to do some sanity checking on
log messages. My goal is to delete any log messages
which might contain malicious strings or commands like
"halt".
I'm thinking of using a combination of syslog-ng and
logsurfer. However, I haven't had any experience with
this combination.
Any thoughts or tips about this matter are
appreciated.
Regards,
Carol
From syslog-ng@lists.balabit.hu Fri Nov 21 02:55:51 2003
From: syslog-ng@lists.balabit.hu (Forrest Aldrich)
Date: Thu, 20 Nov 2003 21:55:51 -0500
Subject: [syslog-ng]Logging with XML... experience?
In-Reply-To: <20031120152223.12527.qmail@web20707.mail.yahoo.com>
References: <20031120152223.12527.qmail@web20707.mail.yahoo.com>
Message-ID: <6.0.0.22.2.20031120215516.081fa100@192.168.1.1>
Has anyone worked with syslog-ng and logging in XML... I'd be interested in
hearing, etc.
From syslog-ng@lists.balabit.hu Tue Nov 25 13:25:01 2003
From: syslog-ng@lists.balabit.hu (Stephan Hendl)
Date: Tue, 25 Nov 2003 14:25:01 +0100
Subject: [syslog-ng]errors on HPUX 11.0 (syslog-ng-1.6.rc4)
Message-ID: <1069766700.9858.6.camel@hendl-0.ldspdm.ldsbb.lvnbb.de>
Hi all,
I get the following errors on HPUX11 using syslog-ng-1.6.rc4
What does "...unparseable log message: " mean and how can I solve the
problem? My /etc/syslog-ng.conf is enclosed.
Thanks
Stephan
------------------
-- root@tc1:/var/adm/syslog> cat messages
[2003/11/25 13:29:24] tc1 notice [syslog] syslog-ng[1057]: syslog-ng
version 1.6.0rc4 starting
[2003/11/25 13:29:25] tc1 notice [daemon] prngd[1083]: prngd 0.9.12 (05
March 2001) started up for user root
[2003/11/25 13:29:25] tc1 notice [daemon] prngd[1083]: have 7 out of 60
filedescriptors open
Y!=E5C=3D>e^a01 01:00:00] tc1 err [syslog] unparseable log message:
\"<=BFvz?=E1=B2=DD=AA=A8R=AA9P3_}=A3=A8zL;=BD =F3E2=F7=E3=E4=E1C=C69J=AES=
r#
ej3\'=B8p=E2A=DFy=B4,Y=E5=C4=F2=B1=C3s =ADS=D2=D6q=DEy=D2=E2I=A8=FC=CD
4=BFD=E5=AAR
[2003/11/25 13:29:28] tc1 info [auth] sshd[1118]: Server listening on
0.0.0.0 port 22.
[2003/11/25 13:29:28] tc1 emerg [kern]
[2003/11/25 13:29:39] tc1 info [daemon] /usr/sbin/nfsd[1240]: Setting
STREAMS-HEAD high water value to 65536.
[2003/11/25 13:29:39] tc1 info [daemon] /usr/sbin/nfsd[1241]: nfsd
do_one mpctl succeeded: ncpus = 1.
[2003/11/25 13:29:39] tc1 info [daemon] /usr/sbin/nfsd[1241]: nfsd
do_one pmap 2
[2003/11/25 13:29:39] tc1 info [daemon] /usr/sbin/nfsd[1241]: nfsd
do_one pmap 3
[2003/11/25 13:29:39] tc1 info [daemon] /usr/sbin/nfsd[1241]: nfsd
do_one bind 0
[2003/11/25 13:29:39] tc1 info [daemon] /usr/sbin/nfsd[1241]: Return
from t_optmgmt(XTI_DISTRIBUTE) 0
[1970/01/01 01:00:00] tc1 err [syslog] unparseable log message: \" cat /etc/syslog-ng.conf
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on HP-UX. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(8) for more information.
#
# 20000925 gb@sysfive.com
options { sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};
source s_sys { pipe("/dev/log"); internal(); };
destination d_syslog {
file("/var/adm/syslog/messages"
owner("root")
group("root")
perm(0644)
template( "[$YEAR/$MONTH/$DAY $HOUR:$MIN:$SEC] $HOST $PRIORITY
[$FACILITY] $MESSAGE\n"));
};
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/adm/syslog/syslog.log"); };
destination d_mail { file("/var/adm/syslog/mail.log"); };
destination d_mlrt { usertty("root"); };
destination d_mlal { usertty("*"); };
filter f_filter1 { facility(mail) and level(debug); };
filter f_filter2 { level(debug) or level(info) or level(alert) or
level(emerg); };
filter f_filter3 { level(alert); };
filter f_filter4 { level(emerg); };
filter f_syslog { not (facility(mail) or facility(user)); };
log { source(s_sys); filter(f_filter1); destination(d_mail); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_cons);
destination(d_mlrt); };
log { source(s_sys); filter(f_filter4); destination(d_mlal); };
log { source(s_sys); filter(f_syslog); destination(d_syslog); };
root@tc1:/var/adm/syslog>
Stephan Hendl
From syslog-ng@lists.balabit.hu Tue Nov 25 16:14:11 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Tue, 25 Nov 2003 17:14:11 +0100
Subject: [syslog-ng]errors on HPUX 11.0 (syslog-ng-1.6.rc4)
In-Reply-To: <1069766700.9858.6.camel@hendl-0.ldspdm.ldsbb.lvnbb.de>
References: <1069766700.9858.6.camel@hendl-0.ldspdm.ldsbb.lvnbb.de>
Message-ID: <20031125161411.GB1461@balabit.hu>
On Tue, Nov 25, 2003 at 02:25:01PM +0100, Stephan Hendl wrote:
> Hi all,
>
> I get the following errors on HPUX11 using syslog-ng-1.6.rc4
>
> What does "...unparseable log message: " mean and how can I solve the
> problem? My /etc/syslog-ng.conf is enclosed.
HPUX pads incoming log messages to 2048 bytes boundary, so you need a log
source like this (quoted from the file INSTALL):
HP-UX (HP-UX 11.0)
------------------
HP-UX uses a named pipe called /dev/log for log transport, and you
can use this with the pipe() driver with an additional option. HP-UX pads
all incoming messages to 2048 bytes by default, so you need to specify
this:
source stdlog { pipe("/dev/log" pad_size(2048)); };
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
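Why the pad_size(2048) option matters, as an added example that is not syslog-ng's own code: a reader that frames the /dev/log pipe by fixed 2048-byte records recovers each message, while a reader that splits on newlines gets fragments that mostly do not start with a syslog priority. The record layout (message, NUL terminator, then filler), the filler bytes and the `<PRI>` values are assumptions constructed for the example; the message texts are borrowed from the log posted above.

```python
import io
import re

PAD_SIZE = 2048                       # record size from the INSTALL excerpt above
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed input: message texts from the posted log, PRI values assumed
# (29 = daemon.notice, 38 = auth.info).
SAMPLE_MESSAGES = [
    b"<29>prngd[1083]: prngd 0.9.12 (05 March 2001) started up for user root",
    b"<29>prngd[1083]: have 7 out of 60 filedescriptors open",
    b"<38>sshd[1118]: Server listening on 0.0.0.0 port 22.",
]


def filler(n):
    """Constructed stand-in for whatever bytes follow the message in a record."""
    return bytes((7 * i + 13) % 256 for i in range(n))


def make_record(msg, pad_size=PAD_SIZE):
    """Assumed layout: message, NUL terminator, filler up to pad_size bytes."""
    return msg + b"\x00" + filler(pad_size - len(msg) - 1)


def parse_pri(msg):
    """Return (facility, severity) if msg starts with a valid <PRI>, else None."""
    m = PRI_RE.match(msg)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7


def read_exact(stream, n):
    """Read n bytes unless EOF comes first; a pipe may return short reads."""
    chunks, got = [], 0
    while got < n:
        chunk = stream.read(n - got)
        if not chunk:
            break
        chunks.append(chunk)
        got += len(chunk)
    return b"".join(chunks)


def read_padded(stream, pad_size=PAD_SIZE):
    """Frame by fixed-size records; return (messages, bytes left in a short tail)."""
    messages = []
    while True:
        rec = read_exact(stream, pad_size)
        if len(rec) < pad_size:
            return messages, len(rec)
        # Keep only the text before the first NUL or newline in the record.
        messages.append(re.split(rb"[\x00\n]", rec, maxsplit=1)[0])


def read_lines(stream):
    """Reader with no pad_size: treats the pipe as newline-delimited text."""
    return [frag for frag in stream.read().split(b"\n") if frag]


def compare(messages=SAMPLE_MESSAGES):
    """Run both readers over the same constructed byte stream."""
    raw = b"".join(make_record(m) for m in messages)
    padded, tail = read_padded(io.BytesIO(raw))
    naive = read_lines(io.BytesIO(raw))
    return {
        "padded": padded,
        "tail": tail,
        "padded_unparseable": sum(parse_pri(m) is None for m in padded),
        "naive_fragments": len(naive),
        "naive_unparseable": sum(parse_pri(f) is None for f in naive),
    }


if __name__ == "__main__":
    result = compare()
    for msg in result["padded"]:
        print(parse_pri(msg), msg.decode())
    print("newline reader:", result["naive_fragments"], "fragments,",
          result["naive_unparseable"], "without a valid priority")
```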
From syslog-ng@lists.balabit.hu Tue Nov 25 16:43:34 2003
From: syslog-ng@lists.balabit.hu (Jay Davis)
Date: Tue, 25 Nov 2003 11:43:34 -0500
Subject: [syslog-ng]Use_dns(no)
Message-ID: <672AC3A6AB1B43488715A4DC0782378116BA8C@EXVB.fanniemae.com>
I seem to still be getting hostnames in my messages with this turned on.
Am I missing something? I need messages to retain their IP addresses and
not get translated to a hostname. I need to get the IP for other
information then have an application convert the name. Thanks!!! Please
reply to jay_davis@fanniemae.com as well as the listserv. Thanks!!!!
From syslog-ng@lists.balabit.hu Tue Nov 25 16:46:59 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Tue, 25 Nov 2003 17:46:59 +0100
Subject: [syslog-ng]Use_dns(no)
In-Reply-To: <672AC3A6AB1B43488715A4DC0782378116BA8C@EXVB.fanniemae.com>
References: <672AC3A6AB1B43488715A4DC0782378116BA8C@EXVB.fanniemae.com>
Message-ID: <20031125164659.GA1571@balabit.hu>
On Tue, Nov 25, 2003 at 11:43:34AM -0500, Jay Davis wrote:
> I seem to still be getting hostnames in my messages with this turned on.
> Am I missing something? I need messages to retain their IP addresses and
> not get translated to a hostname. I need to get the IP for other
> information then have an application convert the name. Thanks!!! Please
> reply to jay_davis@fanniemae.com as well as the listserv. Thanks!!!!
maybe the sender specified the hostname and you are using
keep_hostnames(yes)? in that case syslog-ng never changes the hostname part.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Tue Nov 25 17:05:40 2003
From: syslog-ng@lists.balabit.hu (David Aldrich)
Date: Tue, 25 Nov 2003 17:05:40 -0000
Subject: [syslog-ng]Membership?
Message-ID: <0E8A20F2EB7BD7119C1F00508BB333780E5C87@tmservermail02.t-modus.nec.co.uk>
Hi
How can I become a member of this list? (A post I sent yesterday is
awaiting approval by the moderator.)
Best regards
David
Telecom MODUS is an ISO9001/TickIT approved Company.
LRQA Certificate of Approval reference 0965133
************************************************************
THIS MESSAGE IS INTENDED ONLY FOR THE USE OF THE INDIVIDUAL TO WHOM IT IS ADDRESSED AND CONTAINS INFORMATION THAT IS PRIVATE AND/OR PROPRIETARY.
If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
If you have received this communication in error, please forward the whole message to admin@t-modus.nec.co.uk
Company Registration No.3493954
Telephone Number +44 (0) 1372 381880
Fax Number +44 (0) 1372 381804
Email general@t-modus.nec.co.uk
************************************************************
From syslog-ng@lists.balabit.hu Tue Nov 25 22:54:02 2003
From: syslog-ng@lists.balabit.hu (Bobby Johnson)
Date: Tue, 25 Nov 2003 15:54:02 -0700
Subject: [syslog-ng]OpenBSD named pipe
In-Reply-To: <20031118090839.GB524@balabit.hu>
References: <20031117182014.470aafef.bobby@plexuscomp.com>
<20031118090839.GB524@balabit.hu>
Message-ID: <20031125155402.60ce7afa.bobby@plexuscomp.com>
Thanks for the help, I did a ktrace. I noticed this in the trace. The trace file has nothing in it until I echo something to the pipe.
14319 bash CALL close(0x3)
14319 bash RET close 0
14319 bash CALL ioctl(0,TIOCGETA,0xcfbfd350)
14319 bash RET ioctl -1 errno 45 Operation not supported
14319 bash CALL lseek(0,0,0,0,0x1)
14319 bash RET lseek -1 errno 29 Illegal seek
14319 bash CALL read(0,0xcfbfd427,0x1)
14319 bash GIO fd 0 read 1 bytes
"P"
Bobby
On Tue, 18 Nov 2003 10:08:39 +0100
Balazs Scheidler wrote:
> The script probably exits because of an EOF read from named.pipe, at least
> this is the case when you echo something into the named pipe.
>
> syslog-ng should never close the pipe though, so it should correctly send
> messages. Maybe you should try to strace|ktrace|truss the shell script to see
> what it exactly does.
>
> --
> Bazsi
> PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Wed Nov 26 08:53:28 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Wed, 26 Nov 2003 09:53:28 +0100
Subject: [syslog-ng]OpenBSD named pipe
In-Reply-To: <20031125155402.60ce7afa.bobby@plexuscomp.com>
References: <20031117182014.470aafef.bobby@plexuscomp.com> <20031118090839.GB524@balabit.hu> <20031125155402.60ce7afa.bobby@plexuscomp.com>
Message-ID: <20031126085328.GB538@balabit.hu>
On Tue, Nov 25, 2003 at 03:54:02PM -0700, Bobby Johnson wrote:
> Thanks for the help, I did a ktrace. I noticed this in the trace. The trace file has nothing in it until I echo something to the pipe.
>
> 14319 bash CALL close(0x3)
> 14319 bash RET close 0
> 14319 bash CALL ioctl(0,TIOCGETA,0xcfbfd350)
> 14319 bash RET ioctl -1 errno 45 Operation not supported
> 14319 bash CALL lseek(0,0,0,0,0x1)
> 14319 bash RET lseek -1 errno 29 Illegal seek
> 14319 bash CALL read(0,0xcfbfd427,0x1)
> 14319 bash GIO fd 0 read 1 bytes
this shows that 1 byte was read on stdin, which is definitely not an EOF,
the EOF is indicated by reading 0 bytes.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Fri Nov 7 01:27:18 2003
From: syslog-ng@lists.balabit.hu (Michaelmas)
Date: Thu, 6 Nov 2003 17:27:18 -0800
Subject: [syslog-ng]1.6.0rc3 dumps core on gc when listening on TCP?
Message-ID: <200311070127.hA71RIgE094199@mailserver2.hushmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Is there a known issue with syslog-ng-1.6.0rc3 dumping core when reaping
an idle TCP listener?
I've had a high-volume syslog-ng server installed and running fine for
a couple of months now with rc3, I just started to install syslog-ng
on client hosts recently, so I added TCP listener options on the server.
If TCP is enabled, syslog-ng dies (dumps core with signal 6) apparently
when doing gc on an idle TCP listener. The problem does not happen if
I comment out the TCP line:
# source s_tcp { tcp( ip(192.168.192.92)); };
I don't see anything in the ChangeLog for rc4 to suggest upgrading would
fix this?
$ gdb /usr/local/sbin/syslog-ng ./syslog-ng.core
. . .
Core was generated by `syslog-ng'.
Program terminated with signal 6, Abort trap.
Reading symbols from /usr/libexec/ld.so...done.
Reading symbols from /usr/lib/libc.so.29.0...done.
#0 0x400a4fcf in _thread_sys_kill ()
(gdb) bt
#0 0x400a4fcf in _thread_sys_kill ()
#1 0x400a48bb in abort ()
#2 0x11014 in do_object_queue_mark ()
#3 0x120a5 in dont_free_live_resource ()
#4 0x11f7c in do_resource_free ()
#5 0x11625 in gc_sweep ()
#6 0x116fd in gc ()
#7 0x117a4 in gc_maybe ()
#8 0xeebe in io_iter ()
#9 0x1e1a in main_loop (backend=0x1b000) at main.c:255
#10 0x2b7b in main (argc=2, argv=0xcfbfd994) at main.c:545
(gdb) quit
$ exit
I run "syslog-ng -F" under DJB's daemontools, so when the application
dies I get an alert message and svscan restarts it immediately, but in
the interim I lose some (UDP) log data...
mas
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3
wkYEARECAAYFAj+q9O0ACgkQKo6Jkwn+K0gNvQCeNfzvOSzM0aaI+YENoQSTC1dqvwYA
njjCWIFA1klWjZHDvyZWFozJr6sm
=38xg
-----END PGP SIGNATURE-----
From syslog-ng@lists.balabit.hu Sun Nov 9 20:23:11 2003
From: syslog-ng@lists.balabit.hu (Sander)
Date: Sun, 09 Nov 2003 21:23:11 +0100
Subject: [syslog-ng]Re: Backslash-escaped quotes in message strings
In-Reply-To: <200311091654.hA9Gs0r00659@xos037.xos.nl>
References: <200311091654.hA9Gs0r00659@xos037.xos.nl>
Message-ID:
It might break for people who import log in comma delimited and quote
enclosed format into databases. Like me at times...
I'd like to be able to choose to escape quotes or not.
Sander
On Sun, 09 Nov 2003 17:54:00 +0100, Jos Vos wrote:
> Hi,
>
> Earlier I wrote:
>
>> When a single (') or double (") quote appears in a syslog message,
>> this quote gets escaped with a backslash by syslog-ng, which results
>> in pretty ugly output, different from what the standard Linux
>> sysklogd does (this doesn't change the message).
>
> I have made a patch (attached) to solve this - at least in my specific
> situation - but the question is: does this maybe break something else?
>
> Cheers,
>
From syslog-ng@lists.balabit.hu Tue Nov 18 16:14:38 2003
From: syslog-ng@lists.balabit.hu (Aaron Botsis)
Date: Tue, 18 Nov 2003 10:14:38 -0600
Subject: [syslog-ng]compiling syslog-ng on AIX...
Message-ID: <20031118161438.GH4419@crack>
I'm having quite a significant amount of trouble compiling syslog-ng on
aix. I'm using aix 5.1ML3 with gnupro toolchain.
Normally, I wouldn't ask such a silly question on a mailing list, but I'm
getting quite strange compiler errors such as:
main.c: In function `setup_signals':
main.c:122: `SA_ONESHOT' undeclared (first use in this function)
main.c:122: (Each undeclared identifier is reported only once
which leads me to believe nobody has ever attempted a port, yet I'm seeing
mailing list entries that suggest otherwise (from like 2002) -- can anyone
offer some tips on what toolchain (xlc, gnu, etc) they used, and which
version of the supporting libraries were used also? tia!
Aaron
From syslog-ng@lists.balabit.hu Mon Nov 24 17:29:10 2003
From: syslog-ng@lists.balabit.hu (David Aldrich)
Date: Mon, 24 Nov 2003 17:29:10 +0000
Subject: [syslog-ng]syslog-ng 1.6.0rc4 build problems
Message-ID: <3FC23FE6.8000001@t-modus.nec.co.uk>
Hi
I am trying to compile syslog-ng 1.6.0rc4 under Redhat Linux. The make
is failing because some header files appear to be missing. Please see
the make output below. Can you suggest what is wrong please?
Best regards
David
bash-2.05$ pwd
/home/daldrich/Downloads/syslog-ng/syslog-ng-1.6.0rc4
bash-2.05$
bash-2.05$ make
Making all in src
make[1]: Entering directory
`/home/daldrich/Downloads/syslog-ng/syslog-ng-1.6.0rc4/src'
make all-recursive
make[2]: Entering directory
`/home/daldrich/Downloads/syslog-ng/syslog-ng-1.6.0rc4/src'
Making all in .
make[3]: Entering directory
`/home/daldrich/Downloads/syslog-ng/syslog-ng-1.6.0rc4/src'
gcc -DHAVE_CONFIG_H -I.
-I/home/daldrich/Downloads/syslog-ng/syslog-ng-1.6.0rc4/src -I. -g
-O2 -Wall -D_GNU_SOURCE -c main.c
In file included from main.c:26:
syslog-ng.h:31:21: objects.h: No such file or directory
In file included from cfgfile.h:29,
from main.c:27:
sources.h:30:23: read_line.h: No such file or directory
In file included from sources.h:32,
from cfgfile.h:29,
from main.c:27:
log.h:30:16: io.h: No such file or directory
In file included from cfgfile.h:29,
from main.c:27:
sources.h:33:18: list.h: No such file or directory
main.c:29:20: format.h: No such file or directory
main.c:30:20: werror.h: No such file or directory
main.c:31:19: queue.h: No such file or directory
main.c:32:24: pkt_buffer.h: No such file or directory
make[3]: *** [main.o] Error 1
make[3]: Leaving directory
`/home/daldrich/Downloads/syslog-ng/syslog-ng-1.6.0rc4/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory
`/home/daldrich/Downloads/syslog-ng/syslog-ng-1.6.0rc4/src'
make[1]: *** [all-recursive-am] Error 2
make[1]: Leaving directory
`/home/daldrich/Downloads/syslog-ng/syslog-ng-1.6.0rc4/src'
make: *** [all-recursive] Error 1
bash-2.05$
bash-2.05$ cd src
bash-2.05$
bash-2.05$ ls
affile.c afremctrl.h afuser.h cfg-lex.l
getopt.h Makefile.in strptime.h
affile.c.x afsocket.c center.c config.h
log.c nscache.c syslog-names.c
affile.h afsocket.c.x center.c.x config.h.in log.h
nscache.h syslog-names.h
afinet.c afsocket.h center.h destinations.c
log.h.x snprintf.c syslog-ng.h
afinet.c.x afsocket.h.x center.h.x destinations.h
macros.c sources.c tests
afinter.c afstreams.c cfgfile.c destinations.h.x
macros-gperf.c sources.c.x utils.c
afinter.h afstreams.c.x cfgfile.h filters.c
macros.gprf sources.h utils.h
afprogram.c afstreams.h cfgfile.h.x filters.c.x
macros.h sources.h.x
afprogram.c.x afunix.c cfg-grammar.c filters.h
main.c stamp-h
afprogram.h afunix.c.x cfg-grammar.h filters.h.x
main.c.x stamp-h.in
afremctrl.c afuser.c cfg-grammar.y getopt1.c
Makefile strcasecmp.c
afremctrl.c.x afuser.c.x cfg-lex.c getopt.c
Makefile.am strptime.c
bash-2.05$
From syslog-ng@lists.balabit.hu Wed Nov 26 09:17:45 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Wed, 26 Nov 2003 10:17:45 +0100
Subject: [syslog-ng]syslog-ng to mysql
In-Reply-To:
References:
Message-ID: <20031126091744.GC538@balabit.hu>
On Tue, Sep 23, 2003 at 01:49:11PM +0200, Ali, Tahir wrote:
> Hey,
>
> I'm running syslog-ng Version: 1.5.15-1. I pipe all the syslog messages to a mysql database. Everything works fine, but sometimes it stops logging to the database.
>
> I run mysql Version: 3.23.49-8.
>
> When I restart syslog-ng it works fine again. It can work fine for weeks.
>
> Has anyone else experienced the same problem?
Maybe you are using klogd and syslog-ng is reading /proc/kmsg? I've added a
workaround for this problem to 1.6.0rc4 (making /proc/kmsg nonblocking)
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Wed Nov 26 09:18:22 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Wed, 26 Nov 2003 10:18:22 +0100
Subject: [syslog-ng]Preserving syslogd formatting
In-Reply-To: <4.3.2.7.2.20031003102316.06e11e08@171.70.144.164>
References: <4.3.2.7.2.20031003102316.06e11e08@171.70.144.164>
Message-ID: <20031126091822.GD538@balabit.hu>
On Fri, Oct 03, 2003 at 10:25:59AM -0400, Kenneth Gray wrote:
> Howdy, I'm using syslog-ng for the first time. I have several scripts that
> break because the output from the log files created by syslog-ng does not
> have the hostname bracketed as it does in syslogd. Is there any option to
> emulate the syslogd formatting?
>
> Example:
>
> syslog-ng Oct 3 06:29:13 10.11.27.1/10.11.27.1 1164:
> syslogd Oct 1 22:48:41 [10.11.27.1.218.94] 2354:
you can do this by specifying a template.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Wed Nov 26 09:39:22 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Wed, 26 Nov 2003 10:39:22 +0100
Subject: [syslog-ng]/dev/log is not a socket error on startup
In-Reply-To:
References:
Message-ID: <20031126093922.GA753@balabit.hu>
On Wed, Oct 22, 2003 at 02:12:55PM -0400, Tony Karakashian wrote:
> Howdy. Doing some updates to my Linux box today when I noticed I still
> hadn't gotten around to setting up log rotation. It was then that I've
> noticed syslog-ng wasn't running. I tried to start it manually, but get the
> following:
>
> io.c: bind_unix_socket(): /dev/log not a socket
> Error initializing configuration, exiting.
>
> I just upgraded to latest libol (0.3.11) and syslog-ng (1.6.rc4) today, same
> results. Any ideas?
something probably changed the socket to a pipe or something. try removing
/dev/log and restart syslog-ng so it will not refuse to start.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Wed Nov 26 09:44:58 2003
From: syslog-ng@lists.balabit.hu (David Aldrich)
Date: Wed, 26 Nov 2003 09:44:58 -0000
Subject: [syslog-ng]syslog-ng 1.6.0rc4 build problems
Message-ID: <0E8A20F2EB7BD7119C1F00508BB333780E5C89@tmservermail02.t-modus.nec.co.uk>
Hi
I have now built syslog-ng 1.6.0rc4 successfully. The key was to build
it as root. Perhaps this should be made clear in the installation
procedure?
Best wishes
David
From syslog-ng@lists.balabit.hu Wed Nov 26 13:58:42 2003
From: syslog-ng@lists.balabit.hu (Hamilton Andrew)
Date: Wed, 26 Nov 2003 08:58:42 -0500
Subject: [syslog-ng]syslog-ng 1.6.0rc4 build problems
Message-ID:
Interesting, I've never had to build it as root on my RH Linux boxes. I had
to install it as root but that is to be expected...
-----Original Message-----
From: David Aldrich [mailto:david.aldrich@t-modus.nec.co.uk]
Sent: Wednesday, November 26, 2003 4:45 AM
To: 'syslog-ng@lists.balabit.hu'
Subject: RE: [syslog-ng]syslog-ng 1.6.0rc4 build problems
Hi
I have now built syslog-ng 1.6.0rc4 successfully. The key was to build
it as root. Perhaps this should be made clear in the installation
procedure?
Best wishes
David
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
From syslog-ng@lists.balabit.hu Wed Nov 26 14:04:11 2003
From: syslog-ng@lists.balabit.hu (Hamilton Andrew)
Date: Wed, 26 Nov 2003 09:04:11 -0500
Subject: [syslog-ng]problem with syslog-ng
Message-ID:
try configuring with --enable-sun-streams --enable-sun-door and see if that
helps. It usually detects it but I guess for some reason it didn't on your
machine.
-----Original Message-----
From: Suchun Wu [mailto:swu@isc.bmo.com]
Sent: Monday, September 08, 2003 5:11 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]problem with syslog-ng
I'm trying to use syslog-ng-1.6.0rc3 on Solaris8. The compilation and
installation passed. But when I run the start-up script, I got the
following:
sun-door support is not compiled in, door=/etc/.syslog_door
Error initializing configuration, exiting.
Any help is appreciated
Suchun
From syslog-ng@lists.balabit.hu Wed Nov 26 14:09:37 2003
From: syslog-ng@lists.balabit.hu (David Aldrich)
Date: Wed, 26 Nov 2003 14:09:37 -0000
Subject: [syslog-ng]syslog-ng 1.6.0rc4 build problems
Message-ID: <0E8A20F2EB7BD7119C1F00508BB333780E5C8C@tmservermail02.t-modus.nec.co.uk>
Hi
> Interesting, I've never had to build it as root on my RH
> Linux boxes. I had to install it as root but that is to be
> expected...
Ok, I think the point is that it is necessary to install libol as root
before building syslog-ng. I am quite new to Linux and followed the
syslog-ng instruction:
./configure && make && make install
explicitly. i.e. I did it all on one line, as root.
Sorry, if I missed the obvious.
David
From syslog-ng@lists.balabit.hu Wed Nov 26 14:14:54 2003
From: syslog-ng@lists.balabit.hu (Hamilton Andrew)
Date: Wed, 26 Nov 2003 09:14:54 -0500
Subject: [syslog-ng]syslog-ng 1.6.0rc4 build problems
Message-ID:
You can actually build libol in your home directory and pass
--with-libol=~/libol-0.3.xx and not have to install it.
Welcome to Linux...
I in no way meant to sound condescending and apologize if it came across
that way. It was interesting as I was trying to imagine situations in which
that could happen to you, thus trying to help.
Drew
-----Original Message-----
From: David Aldrich [mailto:david.aldrich@t-modus.nec.co.uk]
Sent: Wednesday, November 26, 2003 9:10 AM
To: 'syslog-ng@lists.balabit.hu'
Subject: RE: [syslog-ng]syslog-ng 1.6.0rc4 build problems
Hi
> Interesting, I've never had to build it as root on my RH
> Linux boxes. I had to install it as root but that is to be
> expected...
Ok, I think the point is that it is necessary to install libol as root
before building syslog-ng. I am quite new to Linux and followed the
syslog-ng instruction:
./configure && make && make install
explicitly. i.e. I did it all on one line, as root.
Sorry, if I missed the obvious.
David
From syslog-ng@lists.balabit.hu Wed Nov 26 14:22:11 2003
From: syslog-ng@lists.balabit.hu (David Aldrich)
Date: Wed, 26 Nov 2003 14:22:11 -0000
Subject: [syslog-ng]syslog-ng 1.6.0rc4 build problems
Message-ID: <0E8A20F2EB7BD7119C1F00508BB333780E5C8D@tmservermail02.t-modus.nec.co.uk>
Hi
> I in no way meant to sound condescending and apologize if it
> came across that way. It was interesting as I was trying to
> imagine situations in which that could happen to you, thus
> trying to help.
Thanks for your help - I wasn't offended at all!
I want to experiment with syslog-ng's ability to log messages received
on the UDP port. For now, I want to continue to use syslogd to log all
other messages - so as not to disturb the system. Please could you or
anyone else briefly explain how to make a simple .conf file to log UDP
messages with syslog-ng?
David
From syslog-ng@lists.balabit.hu Wed Nov 26 14:39:24 2003
From: syslog-ng@lists.balabit.hu (Hamilton Andrew)
Date: Wed, 26 Nov 2003 09:39:24 -0500
Subject: [syslog-ng]syslog-ng 1.6.0rc4 build problems
Message-ID:
#set up your source:
source net { udp(); }; # default port all interfaces
#or
source net { udp(ip("10.10.10.10") port(514)); }; # specific interface and specific port
#any sort of filter or none:
filter f_local7 { facility(local7); };
#a destination
destination d_net { file("/var/log/netmessages" perm(644)); }; # perm is an option, you can leave it off.
#or
destination d_macro_net {
    file("/var/log/net/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.log" create_dirs(yes) perm(600));
}; #macros
#and a log line
log { source(net); destination(d_macro_net); }; # everything from the port is logged to the macro determined file
log { source(net); filter(f_local7); destination(d_net); }; # only local7 messages logged
That shows you a couple of different options as well as some defaults. This
really just scratches the surface of what syslog-ng is capable of...
-----Original Message-----
From: David Aldrich [mailto:david.aldrich@t-modus.nec.co.uk]
Sent: Wednesday, November 26, 2003 9:22 AM
To: 'syslog-ng@lists.balabit.hu'
Subject: RE: [syslog-ng]syslog-ng 1.6.0rc4 build problems
Hi
> I in no way meant to sound condescending and apologize if it
> came across that way. It was interesting as I was trying to
> imagine situations in which that could happen to you, thus
> trying to help.
Thanks for your help - I wasn't offended at all!
I want to experiment with syslog-ng's ability to log messages received
on the UDP port. For now, I want to continue to use syslogd to log all
other messages - so as not to disturb the system. Please could you or
anyone else briefly explain how to make a simple .conf file to log UDP
messages with syslog-ng?
David
From syslog-ng@lists.balabit.hu Wed Nov 26 14:47:37 2003
From: syslog-ng@lists.balabit.hu (David Aldrich)
Date: Wed, 26 Nov 2003 14:47:37 -0000
Subject: [syslog-ng]syslog-ng 1.6.0rc4 build problems
Message-ID: <0E8A20F2EB7BD7119C1F00508BB333780E5C8E@tmservermail02.t-modus.nec.co.uk>
Hi Andrew
Thank you very much for your reply. I will give it a try.
David
> -----Original Message-----
> From: Hamilton Andrew [mailto:Andrew.Hamilton@afccc.af.mil]
> Sent: Wednesday, November 26, 2003 2:39 PM
> To: syslog-ng@lists.balabit.hu
> Subject: RE: [syslog-ng]syslog-ng 1.6.0rc4 build problems
>
>
> #set up your source:
>
> source net { udp(); }; # default port all interfaces
> #or
> source net { udp(ip("10.10.10.10") port(514)); }; # specific interface and specific port
>
> #any sort of filter or none:
>
> filter f_local7 { facility(local7); };
>
> #a destination
>
> destination d_net { file("/var/log/netmessages" perm(644)); }; # perm is an option, you can leave it off.
> #or
> destination d_macro_net {
>     file("/var/log/net/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.log" create_dirs(yes) perm(600));
> }; #macros
>
> #and a log line
>
> log { source(net); destination(d_macro_net); }; # everything from the port is logged to the macro determined file
> log { source(net); filter(f_local7); destination(d_net); }; # only local7 messages logged
>
> That shows you a couple of different options as well as some
> defaults. This really just scratches the surface of what
> syslog-ng is capable of...
>
> -----Original Message-----
> From: David Aldrich [mailto:david.aldrich@t-modus.nec.co.uk]
> Sent: Wednesday, November 26, 2003 9:22 AM
> To: 'syslog-ng@lists.balabit.hu'
> Subject: RE: [syslog-ng]syslog-ng 1.6.0rc4 build problems
>
>
> Hi
>
> > I in no way meant to sound condescending and apologize if it
> > came across that way. It was interesting as I was trying to
> > imagine situations in which that could happen to you, thus
> > trying to help.
>
> Thanks for your help - I wasn't offended at all!
>
> I want to experiment with syslog-ng's ability to log messages
> received on the UDP port. For now, I want to continue to use
> syslogd to log all other messages - so as not to disturb the
> system. Please could you or anyone else briefly explain how
> to make a simple .conf file to log UDP messages with syslog-ng?
>
> David
>
>
From syslog-ng@lists.balabit.hu Wed Nov 26 17:46:18 2003
From: syslog-ng@lists.balabit.hu (José Pedro Oliveira)
Date: Wed, 26 Nov 2003 17:46:18 +0000
Subject: [syslog-ng]syslog-ng 1.6.0rc4 build problems
In-Reply-To: <0E8A20F2EB7BD7119C1F00508BB333780E5C8E@tmservermail02.t-modus.nec.co.uk>
References: <0E8A20F2EB7BD7119C1F00508BB333780E5C8E@tmservermail02.t-modus.nec.co.uk>
Message-ID: <3FC4E6EA.8080703@di.uminho.pt>
David,
A couple of months ago I placed online SRPMS
of libol and syslog-ng. They build without problems
in Red Hat 7.3, 8.0, and 9.0. The configuration
file included is similar to the one RH includes
with Syslog.
http://gsd.di.uminho.pt/jpo/software/RPMS/
Regards,
jpo
--
José Pedro Oliveira
* mailto: jpo@di.uminho.pt * http://gsd.di.uminho.pt/~jpo *
From syslog-ng@lists.balabit.hu Wed Nov 26 18:17:06 2003
From: syslog-ng@lists.balabit.hu (David Aldrich)
Date: Wed, 26 Nov 2003 18:17:06 -0000
Subject: [syslog-ng]syslog-ng 1.6.0rc4 build problems
Message-ID: <0E8A20F2EB7BD7119C1F00508BB333780E5C8F@tmservermail02.t-modus.nec.co.uk>
Hi José
> A couple of months ago I placed online SRPMS
> of libol and syslog-ng. They build without problems
> in Red Hat 7.3, 8.0, and 9.0. The configuration
> file included is similar to the one RH includes
> with Syslog.
>
> http://gsd.di.uminho.pt/jpo/software/RPMS/
Thank you for this information.
David
From syslog-ng@lists.balabit.hu Wed Nov 26 20:38:38 2003
From: syslog-ng@lists.balabit.hu (Achim Gsell)
Date: Wed, 26 Nov 2003 21:38:38 +0100
Subject: [syslog-ng]UDP Template
In-Reply-To: <20030926065726.M15251@dns.atsweb.it>
References: <20030926065726.M15251@dns.atsweb.it>
Message-ID: <200311262138.38966.achim@cybercity.ch>
On Friday 26 September 2003 08:58, Gianpiero Porchia wrote:
> I would like to do log relaying, using syslog-ng.
> But I need to change the log format.
> The problem is that the "template" directive is not available for the udp
> destination (even for the tcp destination).
>
> Could you suggest me some work around to do that?
Use syslog-ng version 1.6rc3 or newer. There the "template" directive is
available for all destinations - including udp.
Achim
From syslog-ng@lists.balabit.hu Thu Nov 27 21:53:32 2003
From: syslog-ng@lists.balabit.hu (Matthew Bassili)
Date: Fri, 28 Nov 2003 08:53:32 +1100
Subject: [syslog-ng]error "Cannot assign requested address"
Message-ID: <8D011699C220D411A266009027AF327D0158F933@mis-exchange.neca.nec.com.au>
List members,
I am trying to setup syslog-ng (Red Hat9, syslog build 1.6.0rc4) with the
following syslog-ng.conf file:
###############################################################
# First, set some global options
#
options {
keep_hostname(yes);
long_hostnames(off);
sync(0);
log_fifo_size(1024);
log_msg_size(8192);
};
###############################################################
#
#
source local
{ unix-dgram("/dev/log"); internal(); pipe("/proc/kmsg"
log_prefix("kernel: "));
};
#source nocpix
# { udp(ip("172.31.30.2") port(514));
# };
source nocpix-out
{ udp(ip("147.76.127.44") port(514));
};
#source mb2-pix
# { udp(ip("172.18.1.6") port(514));
# };
source other
{ udp();
};
#
#
###############################################################
#
#
destination local {
file("/var/log/syslog-ng/local/local.$YEAR.$MONTH.$DAY"); };
destination other {
file("/var/log/syslog-ng/other/other.$YEAR.$MONTH.$DAY"); };
destination nocpix {
file("/var/log/syslog-ng/nocpix/nocpix.$YEAR.$MONTH.$DAY"); };
#destination mb2 { file("/var/log/syslog-ng/mb2/mb2.$YEAR.$MONTH.$DAY"); };
#
#
###############################################################
#
#
filter f_auth { facility(auth, authpriv); };
filter f_authpriv { facility(authpriv); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_local1 { facility(local1); };
filter f_local2 { facility(local2); };
filter f_local3 { facility(local3); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_messages { facility(daemon, kern, user); };
filter f_news { facility(news); };
filter f_spooler { facility(uucp,news) and level(crit); };
filter f_syslog { not facility(auth, authpriv) and not
facility(mail); };
filter f_user { facility(user); };
#
#
###############################################################
#
#
log { source(local); destination(local);};
#log { source(nocpix); destination(nocpix);};
log { source(nocpix-out); destination(nocpix);};
#log { source(mb2-pix); destination(mb2);};
log { source(other); destination(other);};
& I get the following error message on startup:
"Starting syslog-ng: io.c: bind_inet_socket() bind failed 147.76.127.44:514
Cannot assign requested address"
When I comment out the line " source nocpix-out { udp(ip("147.76.127.44")
port(514)); };"
Everything works fine using udp();, but I really want to separate the
sources so I can direct the log files to a different directory.
Any help would be GREATLY appreciated.
Matthew Bassili
Senior Network Engineer
NEC Business Solutions P/L
649 Springvale Rd
Mulgarve, 3170
AUSTRALIA
e-mail: matthew.bassili@nec.com.au
From syslog-ng@lists.balabit.hu Fri Nov 28 11:22:05 2003
From: syslog-ng@lists.balabit.hu (Bedo Sandor)
Date: Fri, 28 Nov 2003 12:22:05 +0100
Subject: [syslog-ng]pipes and tags
Message-ID: <20031128112205.GA9231@sunserv.kfki.hu>
Hi,
Syslog-ng sends to the program destination
"<num>blah-blah" formatted lines, where num is a
decimal-coded value of the priority and facility. I
have a little application that strongly uses this
number. There's a master syslog-ng in my system, and
there is a chroot-ed syslog-ng with this little
application. The two syslog-ngs communicate with each
other using named pipes found in the chroot-ed
environment, but the decimal value does not come across
the pipes, and I can only put a hexadecimal value with
template("<$PRI>$MSG\n") back.
Why doesn't pipe() use the same template as file()?
Is it able to send this value in decimal format on the
pipe?
--
bSanyI
From syslog-ng@lists.balabit.hu Fri Nov 28 13:35:48 2003
From: syslog-ng@lists.balabit.hu (Voelkl, Markus)
Date: Fri, 28 Nov 2003 14:35:48 +0100
Subject: [syslog-ng]Date Format
Message-ID: <445B8F5CA217D4119991009027723ACE0D0A1C71@DMSEXCHANGE>
Is there any Way in Syslog-ng to change the incoming Date Format
from "Nov 28" to "11-28-2003" in the logfile.
This would help me very much. Eventually after syslog-ng with a script.
thanks in advance.
Markus
From syslog-ng@lists.balabit.hu Fri Nov 28 13:59:24 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Fri, 28 Nov 2003 14:59:24 +0100
Subject: [syslog-ng]pipes and tags
In-Reply-To: <20031128112205.GA9231@sunserv.kfki.hu>
References: <20031128112205.GA9231@sunserv.kfki.hu>
Message-ID: <20031128135924.GA525@balabit.hu>
On Fri, Nov 28, 2003 at 12:22:05PM +0100, Bedo Sandor wrote:
>
>
> Hi,
>
> Syslog-ng sends to the program destination
> "<num>blah-blah" formatted lines, where num is a
> decimal-coded value of the priority and facility. I
> have a little application that strongly uses this
> number. There's a master syslog-ng in my system, and
> there is a chroot-ed syslog-ng with this little
> application. The two syslog-ngs communicate with each
> other using named pipes found in the chroot-ed
> environment, but the decimal value does not come across
> the pipes, and I can only put a hexadecimal value with
> template("<$PRI>$MSG\n") back.
>
> Why doesn't pipe() use the same template as file()?
>
> Is it able to send this value in decimal format on the
> pipe?
please try this patch
Index: macros.c
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/macros.c,v
retrieving revision 1.4
diff -u -r1.4 macros.c
--- macros.c 16 Apr 2003 10:15:02 -0000 1.4
+++ macros.c 28 Nov 2003 13:58:45 -0000
@@ -139,6 +139,10 @@
length = snprintf(*dest, *left, "%02x", msg->pri);
break;
}
+ case M_PRI: {
+ length = snprintf(*dest, *left, "%d", msg->pri);
+ break;
+ }
case M_SOURCE_IP: {
char *ip;
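Review bot: in the new M_PRI case, length is taken straight from snprintf(*dest, *left, "%d", msg->pri), the same pattern as the "%02x" case above it. snprintf returns the length the output would have had, not the number of bytes stored, so when *left is smaller than the rendered number the value can exceed *left; please confirm that the code after the switch clamps length before it advances *dest and *left, or clamp it in this case. A one-line comment saying this is the decimal counterpart of the hex case above would also help the next reader.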
@@ -376,6 +380,7 @@
{ "PRIORITY", M_LEVEL },
{ "LEVEL", M_LEVEL },
{ "TAG", M_TAG },
+ { "PRI", M_PRI },
{ "DATE", M_DATE },
{ "FULLDATE", M_FULLDATE },
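Review bot: the new "PRI" entry is a prefix of "PRIORITY" two lines above it, and the two map to different ids (M_PRI and M_LEVEL). If the lookup over this table compares only up to the length of one side or stops at the first prefix match, $PRI and $PRIORITY can resolve to the wrong macro depending on table order; please confirm the lookup is an exact, full-length comparison. The new macro also needs an entry in the macro documentation, since it changes what a template can emit.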
Index: macros.h
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/macros.h,v
retrieving revision 1.2
diff -u -r1.2 macros.h
--- macros.h 10 Apr 2003 10:51:00 -0000 1.2
+++ macros.h 28 Nov 2003 13:58:45 -0000
@@ -28,6 +28,7 @@
#define M_FACILITY 0
#define M_LEVEL 1
#define M_TAG 2
+#define M_PRI 50
#define M_DATE 3
#define M_FULLDATE 4
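Review bot: M_PRI is defined as 50 in the middle of a run that is otherwise numbered consecutively (M_TAG 2, M_DATE 3, M_FULLDATE 4). Anything that uses the macro id as an array index or assumes a highest id would have to cover 50, and the defines below this hunk are not visible to check that 50 is unused; suggest moving the define to the end of the list with the next free value and a short comment on why it was added.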
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
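
The decimal-versus-hexadecimal point of this thread, as an added example (not part of the original messages and not syslog-ng code): a strict C reader for "<PRI>MSG" lines, of the kind a consumer on the pipe might use, fed with the same priority rendered as "%02x" and as "%d". The function names, the 0..191 range check (24 facilities times 8 levels) and the sample values are assumptions of this example.

```c
#include <stdio.h>

struct pri_fields {
    int pri;          /* number found between '<' and '>' */
    int facility;     /* pri / 8 */
    int level;        /* pri % 8 */
    const char *msg;  /* rest of the line, inside the caller's buffer */
};

static const char *const FACILITY[24] = {
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "12", "13", "14", "15",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"
};
static const char *const LEVEL[8] = {
    "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"
};

/* Strict decimal reader: returns 0 on success, -1 on anything that "%d"
 * could not have produced for a value in 0..191. */
int parse_pri_line(const char *line, struct pri_fields *out)
{
    const char *p = line;
    int value = 0, digits = 0;

    if (*p++ != '<')
        return -1;
    while (*p >= '0' && *p <= '9') {
        if (++digits > 3)
            return -1;
        value = value * 10 + (*p++ - '0');
    }
    if (digits == 0 || *p != '>')
        return -1;                 /* "<1e>" stops at 'e' and is refused */
    if (digits > 1 && line[1] == '0')
        return -1;                 /* "<056>": leading zero, not "%d" output */
    if (value > 191)
        return -1;                 /* beyond facility 23, level 7 */
    out->pri = value;
    out->facility = value >> 3;
    out->level = value & 7;
    out->msg = p + 1;
    return 0;
}

/* 1 if the reader accepts the line, 0 otherwise. */
int accepts(const char *line)
{
    struct pri_fields f;
    return parse_pri_line(line, &f) == 0;
}

/* Render pri the way a sender would (hex or decimal), then read it back.
 * Returns the priority the reader decoded, or -1 if it refused the line. */
int reread_pri(int pri, int as_hex)
{
    char line[64];
    struct pri_fields f;

    if (as_hex)
        snprintf(line, sizeof line, "<%02x>%s\n", (unsigned)pri, "constructed test message");
    else
        snprintf(line, sizeof line, "<%d>%s\n", pri, "constructed test message");
    return parse_pri_line(line, &f) == 0 ? f.pri : -1;
}

int main(void)
{
    static const int sample[] = { 30, 38, 86 };   /* constructed PRI values */
    unsigned i;

    for (i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        int sent = sample[i];
        int got = reread_pri(sent, 1);

        printf("sent %s.%s (pri %d, hex \"%02x\"): ",
               FACILITY[sent >> 3], LEVEL[sent & 7], sent, (unsigned)sent);
        if (got < 0)
            printf("rejected by the decimal reader\n");
        else
            printf("read back as %s.%s (pri %d)\n",
                   FACILITY[got >> 3], LEVEL[got & 7], got);
    }
    return 0;
}
```

A hex rendering that happens to contain only digits (86 becomes "56") is accepted and decoded as a different facility and level, so the reader cannot detect the mismatch on its own; the sender's template has to emit decimal.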
From syslog-ng@lists.balabit.hu Fri Nov 28 13:59:57 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Fri, 28 Nov 2003 14:59:57 +0100
Subject: [syslog-ng]Date Format
In-Reply-To: <445B8F5CA217D4119991009027723ACE0D0A1C71@DMSEXCHANGE>
References: <445B8F5CA217D4119991009027723ACE0D0A1C71@DMSEXCHANGE>
Message-ID: <20031128135956.GB525@balabit.hu>
On Fri, Nov 28, 2003 at 02:35:48PM +0100, Voelkl, Markus wrote:
> Is there any Way in Syslog-ng to change the incoming Date Format
> from "Nov 28" to "11-28-2003" in the logfile.
>
> This would help me very much. Eventually after syslog-ng with a script.
you can do this by using templates.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From syslog-ng@lists.balabit.hu Fri Nov 28 17:12:53 2003
From: syslog-ng@lists.balabit.hu (Ian Hunt)
Date: Fri, 28 Nov 2003 17:12:53 -0000
Subject: [syslog-ng]filtering pre logger script
Message-ID: <03A7212F4308CA4E91B9E538AD4BB5C401286E1E@swsrv002.ldn.sw.com>
Hi, I have some quite busy logs that I would like to pre filter using logger.
I had sort of thought that this might be possible using grep but it doesn't seem to work, not a logger problem probably a scripting issue !
tail -200f ${logdir}/${logfile} | egrep -e 'ERR-*' | logger
Although if I take off the grep it seems to work
i.e.
tail -200f ${logdir}/${logfile} | logger
Anyone any ideas? (it may be that this is the wrong way to go about it)
Ta
Ian
I was wondering if it is possible to filter
Ian Hunt
email: ian.hunt@swapswire.com
Tel: +44 (0) 207 868 2452
---------------------------------------------------------------------
This is a commercial communication sent by SwapsWire Limited.
This message contains confidential information and is intended only
for the individual named. If you are not the named addressee you
should not disseminate, distribute or copy this e-mail. Please
notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses. The sender therefore
does not accept liability for any errors or omissions in the contents
of this message which arise as a result of e-mail transmission. If
verification is required please request a hard-copy version.
Please contact info@swapswire.com if you no longer wish to receive
commercial communications from us, identifying the email addresses
to which you no longer wish commercial emails to be sent.
From syslog-ng@lists.balabit.hu Fri Nov 28 12:04:44 2003
From: syslog-ng@lists.balabit.hu (David Aldrich)
Date: Fri, 28 Nov 2003 12:04:44 +0000
Subject: [syslog-ng]UDP driver - display source IP address
Message-ID: <3FC739DC.4090300@t-modus.nec.co.uk>
Hi
I wish to use syslog-ng to log messages received on the UDP port. I
have a very simple .conf file:
==============================
# Syslog-ng test file for BB failure logging
#
# D Aldrich 27/11/2003
options { long_hostnames(off); sync(0); keep_hostname(yes);};
# Listen on udp port 514 of all available interfaces
source net { udp(); };
destination d_net { file("/var/log/bb.log"); };
filter f_auth { facility(auth); };
log { source(net); destination(d_net); };
============================
An example of a logged message using this file is:
Nov 28 11:27:44 embedded This is a test message
I assume that "embedded" here is the hostname of the source. Am I correct?
Can I configure syslog-ng to display an explicit IP address rather than
the host name?
Thanks
David
From syslog-ng@lists.balabit.hu Fri Nov 28 14:41:43 2003
From: syslog-ng@lists.balabit.hu (David Aldrich)
Date: Fri, 28 Nov 2003 14:41:43 +0000
Subject: [syslog-ng]UDP driver - display source IP address
Message-ID: <3FC75EA7.4090009@t-modus.nec.co.uk>
Hi
I now realise that the answer to my question is to use option:
use_dns(no)
Thanks
David
From syslog-ng@lists.balabit.hu Wed Nov 26 11:18:17 2003
From: syslog-ng@lists.balabit.hu (Tony Karakashian)
Date: Wed, 26 Nov 2003 06:18:17 -0500 (Eastern Standard Time)
Subject: [syslog-ng]/dev/log is not a socket error on startup
In-Reply-To: <20031126093922.GA753@balabit.hu>
References:
<20031126093922.GA753@balabit.hu>
Message-ID: <.10.200.28.1.1069845497.squirrel@home.monstertruck.cc>
>> io.c: bind_unix_socket(): /dev/log not a socket
>> Error initializing configuration, exiting.
>
> something probably changed the socket to a pipe or something. try
> removing /dev/log and restart syslog-ng so it will not refuse to start.
And, just like that, it's working. I had removed /dev/log and recreated
it, not realizing syslog takes care of that. Cool. Thanks!
-T
--
Answering the age old question: Which is more painful, going to work or
gouging your eye out with a spoon?
www.workorspoon.com
From syslog-ng@lists.balabit.hu Wed Nov 26 14:35:29 2003
From: syslog-ng@lists.balabit.hu (Aaron Botsis)
Date: Wed, 26 Nov 2003 08:35:29 -0600
Subject: [syslog-ng]compiling syslog-ng on AIX...
In-Reply-To: <20031118161438.GH4419@crack>
References: <20031118161438.GH4419@crack>
Message-ID: <20031126143529.GA20810@crack>
Never mind -- was using the new new (1.6 is it?) branch... older branch
built fine...
-Aaron
On 2003/11/18 10:14 -0600, Aaron Botsis wrote:
>
> I'm having quite a significant amount of trouble compiling syslog-ng on
> aix. I'm using aix 5.1ML3 with gnupro toolchain.
> Normally, I wouldn't ask such a silly question on a mailing list, but I'm
> getting quite strange compiler errors such as:
>
> main.c: In function `setup_signals':
> main.c:122: `SA_ONESHOT' undeclared (first use in this function)
> main.c:122: (Each undeclared identifier is reported only once
>
> which leads me to believe nobody has ever attempted a port, yet I'm seeing
> mailing list entries that suggest otherwise (from like 2002) -- can anyone
> offer some tips on what toolchain (xlc, gnu, etc) they used, and which
> version of the supporting libraries were used also? tia!
>
> Aaron