<div dir="ltr">Hi,<br><br>I have been tried with your configuration. I'm very happy, it succeed and my syslog-ng running like a charm. You are very helpful. Right now, I can sleep well.<br><br>Thank you very much.<br><br>
<div class="gmail_quote">On Fri, Sep 12, 2008 at 5:10 PM, Geller, Sandor (IT) <span dir="ltr"><<a href="mailto:Sandor.Geller@morganstanley.com">Sandor.Geller@morganstanley.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi,<br>
<div class="Ih2E3d"><br>
> #<br>
> # This sample configuration file is essentially equilivent to<br>
> the stock<br>
> # FreeBSD /etc/syslog.conf file.<br>
> #<br>
><br>
> #<br>
> # options<br>
> #<br>
> options { long_hostnames(off); sync(0); };<br>
><br>
> #<br>
> # sources<br>
> #<br>
> source src { unix-dgram("/var/run/log");<br>
> unix-dgram("/var/run/logpriv" perm(0600));<br>
> udp(); internal(); file("/dev/klog"); };<br>
<br>
</div>You have a single source definition having multiple sources. As<br>
syslog-ng can't differentiate between these sources later, all<br>
logs arriving from any of the sources above would give a match.<br>
So I'd recomment moving at least the udp() source to a separate<br>
source definition, like<br>
<div class="Ih2E3d"><br>
source src {<br>
unix-dgram("/var/run/log");<br>
unix-dgram("/var/run/logpriv" perm(0600));<br>
</div> internal();<br>
file("/dev/klog");<br>
};<br>
<br>
source s_remote {<br>
udp();<br>
tcp();<br>
};<br>
<br>
And use these sources in the log sections. This way syslog-ng can<br>
distinguish between the locally- and the remotely-generated logs.<br>
<div><div></div><div class="Wj3C7c"><br>
> #<br>
> # destinations<br>
> #<br>
> #destination <a href="http://local0.info" target="_blank">local0.info</a> {<br>
> #file("/var/log/remote/servers/$HOST/$YEAR/$MONTH/$DAY/pflogd/<br>
pflogd.log"<br>
> #owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)<br>
> #);<br>
> #};<br>
><br>
><br>
> destination messages { file("/var/log/remote/messages"); };<br>
> destination localhost { file("/var/log/remote/syslog-ng.all"); };<br>
> destination security { file("/var/log/remote/security"); };<br>
> destination authlog { file("/var/log/remote/auth.log"); };<br>
> destination maillog { file("/var/log/remote/maillog"); };<br>
> destination lpd-errs { file("/var/log/remote/lpd-errs"); };<br>
> destination xferlog { file("/var/log/remote/xferlog"); };<br>
> destination cron { file("/var/log/remote/cron"); };<br>
> destination debuglog { file("/var/log/remote/debug.log"); };<br>
> destination consolelog { file("/var/log/remote/console.log"); };<br>
> destination all { file("/var/log/remote/all.log"); };<br>
> destination newscrit { file("/var/log/news/news.crit"); };<br>
> destination newserr { file("/var/log/news/news.err"); };<br>
> destination newsnotice { file("/var/log/news/news.notice"); };<br>
> destination slip { file("/var/log/remote/slip.log"); };<br>
> destination ppp { file("/var/log/remote/ppp.log"); };<br>
> destination console { file("/dev/console"); };<br>
> destination allusers { usertty("*"); };<br>
> #destination loghost { udp("loghost" port(514)); };<br>
> #destination local0 { file("/var/log/remote/pflog.txt"); };<br>
> destination local0 { file("/var/log/remote/local0.log"); };<br>
> #destination local1 { file("/var/log/remote/alert"); };<br>
> destination local1 { file("/var/log/remote/local1.log"); };<br>
><br>
> #log {<br>
> # source(tcp); source(internal); source(udp); source(unix);<br>
> # source(s_tcp); source(s_internal); source(s_udp);<br>
> source(s_unix);<br>
> # filter(f_local0); filter(f_local1);<br>
> # destination(df_local1);<br>
> # };<br>
<br>
</div></div>In this commented part you have two filters which mutually exclude<br>
each other. As syslog-ng uses logical and operation this log section<br>
won't work.<br>
<div class="Ih2E3d"><br>
<br>
> #<br>
> # log facility filters<br>
> #<br>
> filter f_auth { facility(auth); };<br>
> filter f_authpriv { facility(authpriv); };<br>
> filter f_not_authpriv { not facility(authpriv); };<br>
> filter f_console { facility(console); };<br>
> filter f_cron { facility(cron); };<br>
> filter f_daemon { facility(daemon); };<br>
> filter f_ftp { facility(ftp); };<br>
> filter f_kern { facility(kern); };<br>
> filter f_lpr { facility(lpr); };<br>
> filter f_mail { facility(mail); };<br>
> filter f_news { facility(news); };<br>
> filter f_security { facility(security); };<br>
<br>
</div>You should remove security. It's just an alias to auth<br>
<div><div></div><div class="Wj3C7c"><br>
> filter f_user { facility(user); };<br>
> filter f_uucp { facility(uucp); };<br>
> #filter f_local0 { facility(local0); };<br>
> #filter f_local00 { facility(local0); };<br>
> #filter f_local1 { facility(local1); };<br>
> #filter f_local01 { facility(local1) or facility(local1); };<br>
> filter f_local2 { facility(local2); };<br>
> filter f_local3 { facility(local3); };<br>
> filter f_local4 { facility(local4); };<br>
> filter f_local5 { facility(local5); };<br>
> filter f_local6 { facility(local6); };<br>
> filter f_local7 { facility(local7); };<br>
><br>
> #<br>
> # log level filters<br>
> #<br>
> filter f_emerg { level(emerg); };<br>
> filter f_alert { level(alert..emerg); };<br>
> filter f_crit { level(crit..emerg); };<br>
> filter f_err { level(err..emerg); };<br>
> filter f_warning { level(warning..emerg); };<br>
> filter f_notice { level(notice..emerg); };<br>
> filter f_info { level(info..emerg); };<br>
> filter f_debug { level(debug..emerg); };<br>
> filter f_is_debug { level(debug); };<br>
><br>
> #<br>
> # program filters<br>
> #<br>
> filter f_ppp { program("ppp"); };<br>
> filter f_slip { program("startslip"); };<br>
<br>
</div></div>Better to use anchors to avoid false matches: program("^ppp$")<br>
<div><div></div><div class="Wj3C7c"><br>
> #<br>
> # *.err;kern.warning;auth.notice;mail.crit /dev/console<br>
> #<br>
> log { source(src); filter(f_err); destination(console); };<br>
> log { source(src); filter(f_kern); filter(f_warning);<br>
> destination(console); };<br>
> log { source(src); filter(f_auth); filter(f_notice);<br>
> destination(console); };<br>
> log { source(src); filter(f_mail); filter(f_crit);<br>
> destination(console); };<br>
><br>
> #<br>
> #<br>
> *.notice;authpriv.none;kern.debug;<a href="http://lpr.info" target="_blank">lpr.info</a>;mail.crit;news.err<br>
> /var/log/messages<br>
> #<br>
> log { source(src); filter(f_notice); filter(f_not_authpriv);<br>
> destination(messages); };<br>
> log { source(src); filter(f_kern); filter(f_debug);<br>
> destination(messages); };<br>
> log { source(src); filter(f_lpr); filter(f_info);<br>
> destination(messages); };<br>
> log { source(src); filter(f_mail); filter(f_crit);<br>
> destination(messages); };<br>
> log { source(src); filter(f_news); filter(f_err);<br>
> destination(messages); };<br>
><br>
> #<br>
> # security.* /var/log/security<br>
> #<br>
> log { source(src); filter(f_security); destination(security); };<br>
><br>
> #<br>
> # <a href="http://auth.info" target="_blank">auth.info</a>;<a href="http://authpriv.info" target="_blank">authpriv.info</a> /var/log/auth.log<br>
> log { source(src); filter(f_auth); filter(f_info);<br>
> destination(authlog); };<br>
> log { source(src); filter(f_authpriv); filter(f_info);<br>
> destination(authlog); };<br>
><br>
> #<br>
> # <a href="http://mail.info" target="_blank">mail.info</a> /var/log/maillog<br>
> #<br>
> log { source(src); filter(f_mail); filter(f_info);<br>
> destination(maillog); };<br>
><br>
> #<br>
> # <a href="http://lpr.info" target="_blank">lpr.info</a> /var/log/lpd-errs<br>
> #<br>
> log { source(src); filter(f_lpr); filter(f_info);<br>
> destination(lpd-errs); };<br>
><br>
> #<br>
> # <a href="http://ftp.info" target="_blank">ftp.info</a> /var/log/xferlog<br>
> #<br>
> log { source(src); filter(f_ftp); filter(f_info);<br>
> destination(xferlog); };<br>
><br>
> #<br>
> # cron.* /var/log/cron<br>
> #<br>
> log { source(src); filter(f_cron); destination(cron); };<br>
><br>
> #<br>
> # *.=debug /var/log/debug.log<br>
> #<br>
> log { source(src); filter(f_is_debug); destination(debuglog); };<br>
><br>
> #<br>
> # *.emerg *<br>
> #<br>
> log { source(src); filter(f_emerg); destination(allusers); };<br>
><br>
> #<br>
> # uncomment this to log all writes to /dev/console to<br>
> /var/log/console.log<br>
> # <a href="http://console.info" target="_blank">console.info</a> /var/log/console.log<br>
> #<br>
> #log { source(src); filter(f_console); filter(f_info);<br>
> destination(consolelog); };<br>
><br>
> #<br>
> # uncomment this to enable logging of all log messages to<br>
> /var/log/all.log<br>
> # touch /var/log/all.log and chmod it to mode 600 before it will work<br>
> # *.* /var/log/all.log<br>
> #<br>
> #log { source(src); destination(all); };<br>
><br>
> #<br>
> # uncomment this to enable logging to a remote loghost named loghost<br>
> # *.* @loghost<br>
> #<br>
> #log { source(src); destination(loghost); };<br>
><br>
> #<br>
> # uncomment these if you're running inn<br>
> # news.crit /var/log/news/news.crit<br>
> # news.err /var/log/news/news.err<br>
> # news.notice /var/log/news/news.notice<br>
> #<br>
> #log { source(src); filter(f_news); filter(f_crit);<br>
> destination(newscrit); };<br>
> #log { source(src); filter(f_news); filter(f_err);<br>
> destination(newserr); };<br>
> #log { source(src); filter(f_news); filter(f_notice);<br>
> destination(newsnotice); };<br>
><br>
> #<br>
> # !startslip<br>
> # *.* /var/log/slip.log<br>
> #<br>
> log { source(src); filter(f_slip); destination(slip); };<br>
><br>
> #<br>
> # !ppp<br>
> # *.* /var/log/ppp.log<br>
> #<br>
> log { source(src); filter(f_ppp); destination(ppp); };<br>
<br>
</div></div>As you're not logging local0 or local1, the config needs to be<br>
extended. First uncomment the f_local0 and f_local1 filters<br>
above, and add something like this to your config:<br>
<br>
# <a href="http://local0.info" target="_blank">local0.info</a><br>
<br>
log {<br>
source(src);<br>
filter(f_local0);<br>
filter(f_info);<br>
destination(local0);<br>
};<br>
<br>
# <a href="http://local1.info" target="_blank">local1.info</a><br>
<br>
log {<br>
source(src);<br>
filter(f_local1);<br>
filter(f_info);<br>
destination(local1);<br>
};<br>
<br>
Before making any changes I'd think about whether I need to separate<br>
the local and remote logs, and when yes then I'd update the log{}<br>
sections to refer to the appropriate source definition.<br>
<div><div></div><div class="Wj3C7c"><br>
Regards,<br>
<br>
Sandor<br>
--------------------------------------------------------<br>
<br>
NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>MUHAMMAD AZIZUL DARUS<br><a href="http://www.foodmalaysia.net">http://www.foodmalaysia.net</a><br><a href="http://www.myfelis.com">http://www.myfelis.com</a><br>
<a href="http://yourubuntulinux.blogspot.com">http://yourubuntulinux.blogspot.com</a><br><a href="http://opensource-2u.blogspot.com">http://opensource-2u.blogspot.com</a><br><a href="http://photograph2u.blogspot.com">http://photograph2u.blogspot.com</a><br>
<a href="http://malaysiataste.blogspot.com">http://malaysiataste.blogspot.com</a><br><a href="http://jomshopping.blogspot.com">http://jomshopping.blogspot.com</a><br><a href="http://jahitan-manik.blogspot.com">http://jahitan-manik.blogspot.com</a><br>
<a href="http://nissan-maniac.blogspot.com">http://nissan-maniac.blogspot.com</a><br><a href="http://narutoslash.blogspot.com/">http://narutoslash.blogspot.com/</a><br>
</div>