<HTML>
<HEAD>
<TITLE>Re: [syslog-ng] Reply: Need help to send logs to a different server</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hi<BR>
<BR>
Install syslog-ng on the new server.<BR>
Copy the syslog-ng.conf from the master server to the new server and use that.<BR>
<BR>
Add the information we have given you to the master server.<BR>
<BR>
Now you have ‘two’ master servers where one is forwarding everything to the other.<BR>
<BR>
/Marc<BR>
<BR>
<BR>
On 09/12/08 18.04, "Lavannya" <<a href="swap_project@yahoo.com">swap_project@yahoo.com</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Thanks to both of you.<BR>
<BR>
I have configured our existing log master, following both of your advice separately. But the server where I am trying to forward the logs is not listening on the port I am mentioning.<BR>
<BR>
I tested as follows:<BR>
<BR>
1. I took a server where syslog-ng is not at all installed.<BR>
Checked, but did not find any log which is being forwarded by the central log master.<BR>
<BR>
2. Took one server which is already a client, and syslog-ng is installed already as it is a client server. In that server also did not find any logs which are being forwarded by the central log master.<BR>
<BR>
In both the servers where I tested, iptables is turned off. Moreover found, that the central log master is broken too.<BR>
<BR>
Please guide me more on what I am missing for this configuration.<BR>
<BR>
Thanks again<BR>
<BR>
<BR>
--- On Tue, 12/9/08, Geller, Sandor (IT) <<a href="Sandor.Geller@morganstanley.com">Sandor.Geller@morganstanley.com</a>> wrote:<BR>
<BR>
> From: Geller, Sandor (IT) <<a href="Sandor.Geller@morganstanley.com">Sandor.Geller@morganstanley.com</a>><BR>
> Subject: Re: [syslog-ng] Reply: Need help to send logs to a different server<BR>
> To: "Syslog-ng users' and developers' mailing list" <<a href="syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>><BR>
> Date: Tuesday, December 9, 2008, 3:22 AM<BR>
> Hi,<BR>
><BR>
> The f_everthing filter matches on all logs so it is redundant,<BR>
> you could omit it (using filters is optional in the log sections).<BR>
><BR>
> To forward the logs to a second server the easiest would be to<BR>
> add the host to the everything destination like this:<BR>
><BR>
> destination everything {<BR>
>     file("/var/log/remotes/$HOST/$HOST-all-system.logs");<BR>
>     # also forward every message to the second server<BR>
>     tcp("1.2.3.4" port(5));<BR>
> };<BR>
><BR>
> Obviously replace the IP address and the port with valid values,<BR>
> and when the second server doesn't support tcp then you should use udp.<BR>
><BR>
> BTW you should add the log_prefix option to your kernel source<BR>
> to mimic syslogd's behaviour:<BR>
><BR>
> file("/proc/kmsg" log_prefix("kernel: "));<BR>
><BR>
> hth,<BR>
><BR>
> Sandor<BR>
><BR>
> > -----Original Message-----<BR>
> > From: <a href="syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> [<a href="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</a>] On Behalf Of Lavannya<BR>
> > Sent: Monday, December 08, 2008 7:18 PM<BR>
> > To: Syslog-ng users' and developers' mailing list<BR>
> > Subject: Re: [syslog-ng] Reply: Need help to send logs to a different server<BR>
> ><BR>
> > Hi Mark,<BR>
> ><BR>
> > Thanks for your reply. I am getting error whatever configuration you had said. May be I need to change our existing configuration again. Here is the central log server configuration I am sending as attachment. Our central log server is already configured with tcp(ip(0.0.0.0) ip and when I am adding the new server to collect the log it is giving error.<BR>
> ><BR>
> > - I want to add another server (this is needed for some application) to my central log server which will get all the logs from the central log server.<BR>
> ><BR>
> > Pl. feel free to correct the log file and send it to me.<BR>
> ><BR>
> > Thanks again<BR>
> ><BR>
> ><BR>
> ><BR>
> ><BR>
> ><BR>
> > --- On Mon, 12/8/08, Marc Andersen <<a href="man@inspektsecurity.com">man@inspektsecurity.com</a>> wrote:<BR>
> ><BR>
> > > From: Marc Andersen <<a href="man@inspektsecurity.com">man@inspektsecurity.com</a>><BR>
> > > Subject: Re: [syslog-ng] Reply: Need help to send logs to a different server<BR>
> > > To: "Syslog-ng users' and developers' mailing list" <<a href="syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>><BR>
> > > Date: Monday, December 8, 2008, 8:04 AM<BR>
> > > If the central syslog server is running syslog-ng you can just add another destination (live log server) to the already existing local files.<BR>
> > ><BR>
> > > log{<BR>
> > > source (udp/tcp incoming);<BR>
> > > destination(new live log server);<BR>
> > > };<BR>
> > ><BR>
> > > cheers<BR>
> > > /Marc<BR>
> > ><BR>
> > ><BR>
> > > On 07/12/08 16.03, "Lavannya" <<a href="swap_project@yahoo.com">swap_project@yahoo.com</a>> wrote:<BR>
> > ><BR>
> > > Yes, from the client we can, but I think if you read my mail properly, I clearly wrote that my requirement is NOT to get the logs from the client. I want to set one server, which will get all the information from the central log master. Yes, I know it can be done through ssh/rsync. But I wanted to know if there is any option in syslog-ng.<BR>
> > ><BR>
> > > Thanks<BR>
> > ><BR>
> > ><BR>
> > ><BR>
> > > --- On Fri, 12/5/08, liuruihong <<a href="liuruihong@baidu.com">liuruihong@baidu.com</a>> wrote:<BR>
> > ><BR>
> > > > From: liuruihong <<a href="liuruihong@baidu.com">liuruihong@baidu.com</a>><BR>
> > > > Subject: Reply: [syslog-ng] Need help to send logs to a different server<BR>
> > > > To: <a href="swap_project@yahoo.com">swap_project@yahoo.com</a>, "'Syslog-ng users' and developers' mailing list'" <<a href="syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>><BR>
> > > > Date: Friday, December 5, 2008, 3:23 AM<BR>
> > > > In the client, you can define many remote log servers simultaneously. syslog and syslog-ng all support this function.<BR>
> > > > You can find it in the manual :)<BR>
> > > ><BR>
> > > ><BR>
> > > > Thanks!<BR>
> > > ><BR>
> > > > 刘蕊红 |sys|6758<BR>
> > > ><BR>
> > > > -----Original Message-----<BR>
> > > > From: <a href="syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> [<a href="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</a>] On Behalf Of Swapna<BR>
> > > > Sent: December 5, 2008 4:17<BR>
> > > > To: <a href="syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a><BR>
> > > > Subject: [syslog-ng] Need help to send logs to a different server<BR>
> > > ><BR>
> > > > Hi,<BR>
> > > ><BR>
> > > > We have syslog-ng configuration as follows:<BR>
> > > ><BR>
> > > > - There are 50 clients communicating to one log server<BR>
> > > ><BR>
> > > > - The log server is kept in a secured place where nobody has access<BR>
> > > ><BR>
> > > > - All the logs of 50 clients are coming to the log server and the logs are kept as follows<BR>
> > > ><BR>
> > > > /var/log/syslog-ng/&lt;client host&gt;/extended.log<BR>
> > > ><BR>
> > > > We want all the logs of each client to relay into a separate server live.<BR>
> > > > Means the current log file of each host will go to the new server simultaneously as it is going to the central log server.<BR>
> > > ><BR>
> > > > We can configure a second log server like the existing one. But our requirement is that all the logs will be received from the central log server, not from the client hosts.<BR>
> > > ><BR>
> > > > Any help is really appreciated.<BR>
> > > ><BR>
> > > > Thanks<BR>
> > > ><BR>
> > > ><BR>
> > > ><BR>
> > > ><BR>
> > > ><BR>
> > > > ______________________________________________________________________________<BR>
> > > > Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><BR>
> > > > Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a><BR>
> > > > FAQ: <a href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a><BR>
</SPAN></FONT></BLOCKQUOTE>
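<P>The relay setup discussed in this thread, written out as the two configuration files involved. This is an added example, not a configuration posted by anyone in the thread; the source and destination names, the address 192.0.2.10 and port 514 are assumed placeholders, and keep_hostname() and create_dirs() are additions the thread does not mention.</P>
<PRE>
```conf
# Constructed example: names, 192.0.2.10 and port 514 are placeholders.

##### File 1: syslog-ng.conf on the central log master (the relay) #####

source s_clients {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

destination d_files {
    file("/var/log/remotes/$HOST/$HOST-all-system.logs");
};

destination d_second_server {
    # use udp("192.0.2.10" port(514)) if the peer only accepts UDP
    tcp("192.0.2.10" port(514));
};

log {
    source(s_clients);
    destination(d_files);           # local copy, unchanged
    destination(d_second_server);   # live copy to the second server
};

##### File 2: syslog-ng.conf on the second server (192.0.2.10) #####

options {
    keep_hostname(yes);   # otherwise $HOST becomes the master, not the client
    create_dirs(yes);     # create the per-host directories on demand
};

source s_from_master {
    # protocol and port must match the master's d_second_server
    tcp(ip(0.0.0.0) port(514));
};

destination d_files {
    file("/var/log/remotes/$HOST/$HOST-all-system.logs");
};

log {
    source(s_from_master);
    destination(d_files);
};
```
</PRE>
<P>The second server only accepts the relayed stream once it declares its own listening source on the same protocol and port as the master's destination; changing the master alone does not open a port on the peer.</P>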
</BODY>
</HTML>