<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Yes, that was the first thing i have checked, even now i have checked
it again, and the logs are still comming to the linux box where syslog
is installed.<br>
<br>
<i>tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture
size 96 bytes<br>
15:23:16.916213 IP (tos 0x0, ttl 255, id 125, offset 0, flags [none],
proto UDP (17), length 173) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 145<br>
Facility local7 (23), Severity notice (5)<br>
Msg: 126: *Jul 1 15:23:18.030: %OSPF-5-ADJCHG: Proces[|syslog]<br>
15:23:16.918286 IP (tos 0x0, ttl 255, id 126, offset 0, flags [none],
proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 110<br>
Facility local7 (23), Severity notice (5)<br>
Msg: 127: *Jul 1 15:23:18.110: %LDP-5-NBRCHG: LDP Nei[|syslog]<br>
15:23:17.876055 IP (tos 0x0, ttl 255, id 127, offset 0, flags [none],
proto UDP (17), length 136) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 108<br>
Facility local7 (23), Severity notice (5)<br>
Msg: 128: *Jul 1 15:23:19.954: %LINK-5-CHANGED: Inter[|syslog]<br>
15:23:18.979640 IP (tos 0x0, ttl 255, id 128, offset 0, flags [none],
proto UDP (17), length 140) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 112<br>
Facility local7 (23), Severity info (6)<br>
Msg: 129: *Jul 1 15:23:19.958: %ENTITY_ALARM-6-INFO: [|syslog]<br>
15:23:19.859450 IP (tos 0x0, ttl 255, id 129, offset 0, flags [none],
proto UDP (17), length 140) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 112<br>
Facility local7 (23), Severity notice (5)<br>
Msg: 130: *Jul 1 15:23:20.954: %LINEPROTO-5-UPDOWN: L[|syslog]<br>
<br>
And unfortunattely, i'm the only person in the company that knows a
little bit of linux so i don't have anybody to ask...<br>
</i><br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Ulrich.Wiemers@t-systems.com">Ulrich.Wiemers@t-systems.com</a> wrote:
<blockquote
cite="mid:527B14C40B32E2408547569696F8AE9201370148@S4DE8PSAADQ.t-systems.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; ">
<meta content="MSHTML 6.00.2900.3562" name="GENERATOR">
<div dir="ltr" align="left"><span class="698222012-01072009"><font
color="#0000ff" face="Arial" size="2">Hi,</font></span></div>
<div dir="ltr" align="left"><span class="698222012-01072009"><font
color="#0000ff" face="Arial" size="2">I don't see anything in your
config...</font></span></div>
<div dir="ltr" align="left"><span class="698222012-01072009"><font
color="#0000ff" face="Arial" size="2">Are you sure your syslog
messages are sent to the UDP port syslog-ng is listing at (normally:
514)?</font></span></div>
<div dir="ltr" align="left"><span class="698222012-01072009"><font
color="#0000ff" face="Arial" size="2">Did you proof the with one of
snoop, ethereal, wireshark and the like?</font></span></div>
<div dir="ltr" align="left"><span class="698222012-01072009"><font
color="#0000ff" face="Arial" size="2">Just an idea... hth</font></span></div>
<div dir="ltr" align="left"><span class="698222012-01072009"><font
color="#0000ff" face="Arial" size="2">Ulli</font></span></div>
<br>
<div class="OutlookMessageHeader" dir="ltr" align="left" lang="de">
<hr tabindex="-1"><font face="Tahoma" size="2"><b>Von:</b>
<a class="moz-txt-link-abbreviated" href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>
[<a class="moz-txt-link-freetext" href="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</a>] <b>Im Auftrag von </b>Cosmin
Neagu<br>
<b>Gesendet:</b> Mittwoch, 1. Juli 2009 14:15<br>
<b>An:</b> Syslog-ng users' and developers' mailing list<br>
<b>Betreff:</b> Re: [syslog-ng] Syslog-ng beginners guide<br>
</font><br>
</div>
Hello again, <br>
Things are evolving a little bit.<br>
<br>
Now the syslog-ng conf is configured like this:<br>
<br>
<i>source s_router_udp { udp (); };<br>
destination d_mysql { pipe("/tmp/mysql.pipe" template("INSERT INTO
syslog_incoming (facility, priority, date, time, host, message, seq)
VALUES ( '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY',
'$HOUR:$MIN:$SEC', '$HOST', '$MSG', '$SEQ' );\n") template-escape(yes));<br>
};<br>
log { source (s_router_udp); destination (d_mysql); };<br>
log { source (s_sys); destination(d_mysql); };</i><br>
<br>
The second log statement is working, because i can see in the
syslog_incoming tables, entries and also i see the log in Cacti:<br>
<i>mysql> select * from syslog_incoming;<br>
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+<br>
| facility | priority | date | time | host |
message | seq
| status |<br>
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+<br>
| syslog | info | 2009-07-01 | 14:56:45 | monitorizare1 |
syslog-ng[20083]: Termination requested via signal, terminating; | 22
| 0 |<br>
| syslog | notice | 2009-07-01 | 14:56:45 | monitorizare1 |
syslog-ng[20083]: syslog-ng shutting down; version='2.0.10' | 23
| 0 |<br>
| syslog | notice | 2009-07-01 | 14:56:45 | monitorizare1 |
syslog-ng[21587]: syslog-ng starting up; version='2.0.10' | 24
| 0 |<br>
| authpriv | info | 2009-07-01 | 11:56:06 | monitorizare1 |
sshd[21567]: Connection closed by 127.0.0.1 | 21
| 0 |<br>
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+<br>
4 rows in set (0.00 sec)</i><br>
<br>
But i don't know what is the problem and how to fix with the first log
statement. Can anyone help a little? Maybe with some documentation,
maybe someone encountered a similar problem?<br>
<br>
<br>
<br>
PS: something else that i noticed and i don't know what it means.<br>
One of the syslog-ng messages is like this:<br>
<i>syslog-ng[20083]: Log statistics; <b>dropped='pipe(/tmp/mysql.pipe)=0</b>',
processed='center(queued)=30', processed='center(received)=15',
processed='destination(d_boot)=0', processed='destination(d_auth)=4',
processed='destination(d_cron)=9', processed='destination(d_mysql)=15',
processed='destination(d_mlal)=0', processed='destination(d_mesg)=2',
processed='destination(d_cons)=0', processed='destination(d_spol)=0',
processed='destination(d_mail)=0', processed='source(s_sys)=15',
processed='source(s_router_udp)=0'</i><br>
<br>
What could be the cause for that "dropped" there? Should'nt be
processed?<br>
<br>
<pre class="moz-signature" cols="72">Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="http://www.omnilogic.ro">www.omnilogic.ro</a>
</pre>
<br>
<br>
Cosmin Neagu wrote:
<blockquote cite="mid:4A4B0EB8.7050706@omnilogic.ro" type="cite">
Thanks allot Ulrich, that site contains great documentation, i'm
starting to understand how syslog-ng works.<br>
But, let me tell you the problem with wich i'm stuck right now.<br>
<br>
A router is sending syslog messages to a linux box (Fedora) from
10.0.0.1. I can see the messages arriving at the server.<br>
<i>[root@monitorizare1 ~]# tcpdump -v src 10.0.0.1<br>
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
96 bytes<br>
10:09:07.941254 IP (tos 0x0, ttl 255, id 80, offset 0, flags [none],
proto UDP (17), length 115) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 87<br>
Facility local7 (23), Severity error (3)<br>
Msg: 81: *Jul 1 10:09:10.027: %LINK-3-UPDOWN: Interfa[|syslog]<br>
10:09:08.760267 IP (tos 0x0, ttl 255, id 81, offset 0, flags [none],
proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 110<br>
Facility local7 (23), Severity info (6)<br>
Msg: 82: *Jul 1 10:09:10.031: %ENTITY_ALARM-6-INFO: C[|syslog]<br>
10:09:09.755868 IP (tos 0x0, ttl 255, id 82, offset 0, flags [none],
proto UDP (17), length 137) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 109<br>
Facility local7 (23), Severity notice (5)</i><br>
<br>
<br>
I have configured syslog-ng.conf like this:<br>
<i>source s_router_udp {<br>
internal();<br>
file ("/proc/kmsg" log_prefix("kernel: "));<br>
udp (ip(0.0.0.0) port ( 514 ) );<br>
#unix-stream ("/dev/log");<br>
};<br>
destination d_localfile {<br>
file ("/root/testlog");<br>
};<br>
log {<br>
source (s_router_udp);<br>
destination (d_localfile);<br>
};</i><br>
<br>
The problem is that in /root/testlog i can't see any log, except those
internal generated by syslog-ng:<br>
<i>Jul 1 09:31:36 monitorizare1 syslog-ng[17787]: syslog-ng
starting up; version='2.0.10'<br>
Jul 1 09:32:49 monitorizare1 syslog-ng[17787]: Termination requested
via signal, terminating;<br>
Jul 1 09:32:50 monitorizare1 syslog-ng[17812]: syslog-ng starting up;
version='2.0.10'<br>
Jul 1 09:42:50 monitorizare1 syslog-ng[17812]: Log statistics;
processed='center(queued)=6', processed='center(received)=6',
processed='destination(d_boot)=0', processed='destination(d_auth)=2',
processed='des<br>
tination(d_cron)=2', processed='destination(d_mlal)=0',
processed='destination(d_localfile)=1',
processed='destination(d_mesg)=1', processed='destination(d_cons)=0',
processed='destination(d_spol)=0', processed<br>
='destination(d_mail)=0', processed='source(s_sys)=5',
processed='source(s_router_udp)=1'<br>
Jul 1 09:45:11 monitorizare1 syslog-ng[17812]: Termination requested
via signal, terminating;<br>
Jul 1 09:45:11 monitorizare1 syslog-ng[18840]: syslog-ng starting up;
version='2.0.10'<br>
Jul 1 09:47:43 monitorizare1 syslog-ng[18840]: Termination requested
via signal, terminating;<br>
Jul 1 09:47:43 monitorizare1 syslog-ng[19009]: syslog-ng starting up;
version='2.0.10'</i><br>
<br>
I can't find anything in the syslog-ng guide admin about how can
messages received from remote hosts can be inserted into files.<br>
<br>
Can anyone help me? I feel that i'm close to a solution.<br>
<br>
<br>
<br>
<a class="moz-txt-link-abbreviated"
href="mailto:Ulrich.Wiemers@t-systems.com" moz-do-not-send="true">Ulrich.Wiemers@t-systems.com</a>
wrote:
<blockquote
cite="mid:527B14C40B32E2408547569696F8AE920136FF41@S4DE8PSAADQ.t-systems.com"
type="cite">
<pre wrap="">Hi,
I was in a similar situation some weeks ago.
Admin Guide found at <a class="moz-txt-link-freetext"
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a> was of great help to me.
And, of course, Google ,-)
hth
Ulli
-----Ursprüngliche Nachricht-----
Von: <a class="moz-txt-link-abbreviated"
href="mailto:syslog-ng-bounces@lists.balabit.hu" moz-do-not-send="true">syslog-ng-bounces@lists.balabit.hu</a> [<a
class="moz-txt-link-freetext"
href="mailto:syslog-ng-bounces@lists.balabit.hu" moz-do-not-send="true">mailto:syslog-ng-bounces@lists.balabit.hu</a>] Im Auftrag von Cosmin Neagu
Gesendet: Dienstag, 30. Juni 2009 14:49
An: <a class="moz-txt-link-abbreviated"
href="mailto:syslog-ng@lists.balabit.hu" moz-do-not-send="true">syslog-ng@lists.balabit.hu</a>
Betreff: [syslog-ng] Syslog-ng beginners guide
Hello everybody,
Sorry for bothering you with a beginners question.
I have a cacti implementation in my network and a want to integrate it with syslog-ng. I have mostly cisco routers, all configured to sent syslog messages to two linux boxes (Ubuntu 9.04 and FedoraCore 10) where i have installed syslog-ng.
I'm not able to find where the logs are kept, so this drives me crazy.
Do you know any site or resource where i can find some beginners guide about using syslog-ng with cisco routers? I mean, a guide for someone who never used syslog-ng before.
Thanks.
--
Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
<a class="moz-txt-link-abbreviated" href="http://www.omnilogic.ro"
moz-do-not-send="true">www.omnilogic.ro</a>
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext"
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext"
href="http://www.campin.net/syslog-ng/faq.html" moz-do-not-send="true">http://www.campin.net/syslog-ng/faq.html</a>
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext"
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext"
href="http://www.campin.net/syslog-ng/faq.html" moz-do-not-send="true">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
<pre wrap=""><hr size="4" width="90%">
______________________________________________________________________________
Member info: <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
<pre wrap="">
<hr size="4" width="90%">
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
</body>
</html>