<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.3562" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=698222012-01072009><FONT face=Arial
color=#0000ff size=2>Hi,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=698222012-01072009><FONT face=Arial
color=#0000ff size=2>I don't see anything in your config...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=698222012-01072009><FONT face=Arial
color=#0000ff size=2>Are you sure your syslog messages are sent to the UDP port
syslog-ng is listing at (normally: 514)?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=698222012-01072009><FONT face=Arial
color=#0000ff size=2>Did you proof the with one of snoop, ethereal, wireshark
and the like?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=698222012-01072009><FONT face=Arial
color=#0000ff size=2>Just an idea... hth</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=698222012-01072009><FONT face=Arial
color=#0000ff size=2>Ulli</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=de dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>Von:</B> syslog-ng-bounces@lists.balabit.hu
[mailto:syslog-ng-bounces@lists.balabit.hu] <B>Im Auftrag von </B>Cosmin
Neagu<BR><B>Gesendet:</B> Mittwoch, 1. Juli 2009 14:15<BR><B>An:</B> Syslog-ng
users' and developers' mailing list<BR><B>Betreff:</B> Re: [syslog-ng] Syslog-ng
beginners guide<BR></FONT><BR></DIV>
<DIV></DIV>Hello again, <BR>Things are evolving a little bit.<BR><BR>Now the
syslog-ng conf is configured like this:<BR><BR><I>source s_router_udp { udp ();
};<BR>destination d_mysql { pipe("/tmp/mysql.pipe" template("INSERT INTO
syslog_incoming (facility, priority, date, time, host, message, seq) VALUES (
'$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$HOST',
'$MSG', '$SEQ' );\n") template-escape(yes));<BR>};<BR>log { source
(s_router_udp); destination (d_mysql); };<BR>log { source (s_sys);
destination(d_mysql); };</I><BR><BR>The second log statement is working, because
i can see in the syslog_incoming tables, entries and also i see the log in
Cacti:<BR><I>mysql> select * from
syslog_incoming;<BR>+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+<BR>|
facility | priority | date |
time |
host |
message
| seq | status
|<BR>+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+<BR>|
syslog | info | 2009-07-01 | 14:56:45 |
monitorizare1 | syslog-ng[20083]: Termination requested via signal, terminating;
| 22 | 0 |<BR>| syslog |
notice | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]:
syslog-ng shutting down; version='2.0.10' |
23 | 0 |<BR>| syslog |
notice | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[21587]:
syslog-ng starting up;
version='2.0.10' | 24
| 0 |<BR>| authpriv | info
| 2009-07-01 | 11:56:06 | monitorizare1 | sshd[21567]: Connection closed by
127.0.0.1
| 21 | 0
|<BR>+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+<BR>4
rows in set (0.00 sec)</I><BR><BR>But i don't know what is the problem and how
to fix with the first log statement. Can anyone help a little? Maybe with some
documentation, maybe someone encountered a similar problem?<BR><BR><BR><BR>PS:
something else that i noticed and i don't know what it means.<BR>One of the
syslog-ng messages is like this:<BR><I>syslog-ng[20083]: Log statistics;
<B>dropped='pipe(/tmp/mysql.pipe)=0</B>', processed='center(queued)=30',
processed='center(received)=15', processed='destination(d_boot)=0',
processed='destination(d_auth)=4', processed='destination(d_cron)=9',
processed='destination(d_mysql)=15', processed='destination(d_mlal)=0',
processed='destination(d_mesg)=2', processed='destination(d_cons)=0',
processed='destination(d_spol)=0', processed='destination(d_mail)=0',
processed='source(s_sys)=15', processed='source(s_router_udp)=0'</I><BR><BR>What
could be the cause for that "dropped" there? Should'nt be processed?<BR><BR><PRE class=moz-signature cols="72">Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
<A class=moz-txt-link-abbreviated href="http://www.omnilogic.ro">www.omnilogic.ro</A>
</PRE><BR><BR>Cosmin Neagu wrote:
<BLOCKQUOTE cite=mid:4A4B0EB8.7050706@omnilogic.ro
type="cite"> Thanks allot Ulrich, that site contains great
documentation, i'm starting to understand how syslog-ng works.<BR>But, let me
tell you the problem with wich i'm stuck right now.<BR><BR>
A router is sending syslog messages to a linux box (Fedora) from 10.0.0.1. I
can see the messages arriving at the server.<BR><I>[root@monitorizare1 ~]#
tcpdump -v src 10.0.0.1<BR>tcpdump: listening on eth0, link-type EN10MB
(Ethernet), capture size 96 bytes<BR>10:09:07.941254 IP (tos 0x0, ttl 255, id
80, offset 0, flags [none], proto UDP (17), length 115) 10.0.0.1.65150 >
192.168.53.248.syslog: SYSLOG, length:
87<BR> Facility local7 (23),
Severity error (3)<BR> Msg: 81:
*Jul 1 10:09:10.027: %LINK-3-UPDOWN: Interfa[|syslog]<BR>10:09:08.760267
IP (tos 0x0, ttl 255, id 81, offset 0, flags [none], proto UDP (17), length
138) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length:
110<BR> Facility local7 (23),
Severity info (6)<BR> Msg: 82:
*Jul 1 10:09:10.031: %ENTITY_ALARM-6-INFO: C[|syslog]<BR>10:09:09.755868
IP (tos 0x0, ttl 255, id 82, offset 0, flags [none], proto UDP (17), length
137) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length:
109<BR> Facility local7 (23),
Severity notice (5)</I><BR><BR><BR>I have configured syslog-ng.conf like
this:<BR><I>source s_router_udp
{<BR>
internal();<BR> file ("/proc/kmsg"
log_prefix("kernel: "));<BR> udp
(ip(0.0.0.0) port ( 514 ) );<BR>
#unix-stream ("/dev/log");<BR>};<BR>destination d_localfile {<BR>file
("/root/testlog");<BR>};<BR>log
{<BR> source
(s_router_udp);<BR> destination
(d_localfile);<BR>};</I><BR><BR>The problem is that in /root/testlog i can't
see any log, except those internal generated by syslog-ng:<BR><I>Jul 1
09:31:36 monitorizare1 syslog-ng[17787]: syslog-ng starting up;
version='2.0.10'<BR>Jul 1 09:32:49 monitorizare1 syslog-ng[17787]:
Termination requested via signal, terminating;<BR>Jul 1 09:32:50
monitorizare1 syslog-ng[17812]: syslog-ng starting up;
version='2.0.10'<BR>Jul 1 09:42:50 monitorizare1 syslog-ng[17812]: Log
statistics; processed='center(queued)=6', processed='center(received)=6',
processed='destination(d_boot)=0', processed='destination(d_auth)=2',
processed='des<BR>tination(d_cron)=2', processed='destination(d_mlal)=0',
processed='destination(d_localfile)=1', processed='destination(d_mesg)=1',
processed='destination(d_cons)=0', processed='destination(d_spol)=0',
processed<BR>='destination(d_mail)=0', processed='source(s_sys)=5',
processed='source(s_router_udp)=1'<BR>Jul 1 09:45:11 monitorizare1
syslog-ng[17812]: Termination requested via signal, terminating;<BR>Jul
1 09:45:11 monitorizare1 syslog-ng[18840]: syslog-ng starting up;
version='2.0.10'<BR>Jul 1 09:47:43 monitorizare1 syslog-ng[18840]:
Termination requested via signal, terminating;<BR>Jul 1 09:47:43
monitorizare1 syslog-ng[19009]: syslog-ng starting up;
version='2.0.10'</I><BR><BR>I can't find anything in the syslog-ng guide admin
about how can messages received from remote hosts can be inserted into
files.<BR><BR>Can anyone help me? I feel that i'm close to a
solution.<BR><BR><BR><BR><A class=moz-txt-link-abbreviated
href="mailto:Ulrich.Wiemers@t-systems.com"
moz-do-not-send="true">Ulrich.Wiemers@t-systems.com</A> wrote:
<BLOCKQUOTE
cite=mid:527B14C40B32E2408547569696F8AE920136FF41@S4DE8PSAADQ.t-systems.com
type="cite"><PRE wrap="">Hi,
I was in a similar situation some weeks ago.
Admin Guide found at <A class=moz-txt-link-freetext href="http://www.balabit.com/support/documentation/?product=syslog-ng" moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</A> was of great help to me.
And, of course, Google ,-)
hth
Ulli
-----Ursprüngliche Nachricht-----
Von: <A class=moz-txt-link-abbreviated href="mailto:syslog-ng-bounces@lists.balabit.hu" moz-do-not-send="true">syslog-ng-bounces@lists.balabit.hu</A> [<A class=moz-txt-link-freetext href="mailto:syslog-ng-bounces@lists.balabit.hu" moz-do-not-send="true">mailto:syslog-ng-bounces@lists.balabit.hu</A>] Im Auftrag von Cosmin Neagu
Gesendet: Dienstag, 30. Juni 2009 14:49
An: <A class=moz-txt-link-abbreviated href="mailto:syslog-ng@lists.balabit.hu" moz-do-not-send="true">syslog-ng@lists.balabit.hu</A>
Betreff: [syslog-ng] Syslog-ng beginners guide
Hello everybody,
Sorry for bothering you with a beginners question.
I have a cacti implementation in my network and a want to integrate it with syslog-ng. I have mostly cisco routers, all configured to sent syslog messages to two linux boxes (Ubuntu 9.04 and FedoraCore 10) where i have installed syslog-ng.
I'm not able to find where the logs are kept, so this drives me crazy.
Do you know any site or resource where i can find some beginners guide about using syslog-ng with cisco routers? I mean, a guide for someone who never used syslog-ng before.
Thanks.
--
Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
<A class=moz-txt-link-abbreviated href="http://www.omnilogic.ro" moz-do-not-send="true">www.omnilogic.ro</A>
______________________________________________________________________________
Member info: <A class=moz-txt-link-freetext href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</A>
Documentation: <A class=moz-txt-link-freetext href="http://www.balabit.com/support/documentation/?product=syslog-ng" moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</A>
FAQ: <A class=moz-txt-link-freetext href="http://www.campin.net/syslog-ng/faq.html" moz-do-not-send="true">http://www.campin.net/syslog-ng/faq.html</A>
______________________________________________________________________________
Member info: <A class=moz-txt-link-freetext href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</A>
Documentation: <A class=moz-txt-link-freetext href="http://www.balabit.com/support/documentation/?product=syslog-ng" moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</A>
FAQ: <A class=moz-txt-link-freetext href="http://www.campin.net/syslog-ng/faq.html" moz-do-not-send="true">http://www.campin.net/syslog-ng/faq.html</A>
</PRE></BLOCKQUOTE><PRE wrap=""><HR width="90%" SIZE=4>
______________________________________________________________________________
Member info: <A class=moz-txt-link-freetext href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</A>
Documentation: <A class=moz-txt-link-freetext href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</A>
FAQ: <A class=moz-txt-link-freetext href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</A>
</PRE></BLOCKQUOTE></BODY></HTML>