<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I have tried like this:<br>
<br>
On a remote Linux host (Ubuntu 9.04) I have configured syslog-ng
like this:<br>
<br>
<i>source s_internal {internal();};<br>
source s_local {<br>
file ("/proc/kmsg" log_prefix("kernel: "));<br>
unix-stream ("/dev/log");<br>
};<br>
<br>
destination d_localfile { file ("/home/cosmin/syslog.log"); };<br>
<b>destination d_remote {tcp ("192.168.53.248" port(514)); };</b>
//I have tried with udp also<br>
<br>
log { source(s_local); destination(d_localfile); };<br>
log { source(s_internal); destination(d_localfile); };<br>
<b>log { source(s_local); destination(d_remote); };</b></i><br>
<br>
On the syslog server (Fedora c10), the configuration is:<br>
<br>
<i><b>source s_remote_tcp {tcp (ip (0.0.0.0) port(514)); }; </b>
//I have tried with udp also.<br>
destination d_localfile {file ("/root/syslog.log"); };<br>
log { source (s_remote_tcp); destination (d_localfile); };</i>
<br>
<br>
After a few tests, I have noticed (with the help of wireshark) the
following:<br>
1. In the UDP case, it sends the logs, I can see the packets arriving on
the server with tcpdump, but the server returns an ICMP error
Destination Unreachable, with code "Host Administratively Prohibited"<br>
2. The same thing in the TCP case, only that the message is not sent, only
the first SYN packet trying to establish the TCP connection, and it
receives the same ICMP error from the server.<br>
<br>
<br>
On the server I have Fedora Core 10, with SELinux disabled. No firewall
at all. Actually I don't know yet how to configure iptables.<br>
<br>
I have noticed that on the server, if I try to define a source like
this:<br>
<i>source s_remote_tcp {tcp (ip (192.168.53.151) port(514)); };</i><br>
it will give an error:<br>
<i>Starting syslog-ng: Error binding socket;
addr='AF_INET(192.168.53.151:514)', error='Cannot assign requested
address (99)'<br>
Error initializing source driver; source='s_remote_tcp'</i><br>
<br>
Please, can someone help me with this problem? I don't know what could be
blocking the packets, whether it is because of the OS or because of the
syslog-ng configuration.<br>
<br>
<pre class="moz-signature" cols="72">Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
<a class="moz-txt-link-abbreviated" href="http://www.omnilogic.ro">www.omnilogic.ro</a>
</pre>
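An added example (editor's code, not part of the thread and not syslog-ng's own) that reproduces the diagnosis a practitioner would make of the symptom above. An ICMP Destination Unreachable with code "Host Administratively Prohibited" (type 3, code 10) is the reply iptables generates for a rule of the form <tt>-j REJECT --reject-with icmp-host-prohibited</tt>, and Fedora's stock /etc/sysconfig/iptables ends the INPUT chain with exactly that rule, so a host whose firewall was never configured by hand still rejects new UDP and TCP connections to 514 (a TCP SYN draws the same ICMP, which matches point 2 above). The chain text below is a constructed copy of that default layout, not captured from the poster's server; the script parses it as <tt>iptables -S INPUT</tt> prints it, walks it first-match as the kernel does for the handful of matches stock rulesets use, and prints the insert command that puts an ACCEPT above the REJECT. The bind error on 192.168.53.151 is a separate matter: bind() reports "Cannot assign requested address" when that IP is not configured on the host, and the captures earlier in the thread show the server receiving on 192.168.53.248.

```python
"""Dry-run an iptables INPUT chain against an inbound syslog packet.

Added example, not code from the thread. FEDORA_STYLE_INPUT is a
constructed copy of the stock Fedora/RHEL INPUT chain of that era, whose
last rule REJECTs with icmp-host-prohibited (ICMP type 3, code 10).
Only -p, --dport, -i, --state, -j and --reject-with are modelled; other
matches are ignored, so treat the result as a hint, not proof.
"""

FEDORA_STYLE_INPUT = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

TERMINAL = ("ACCEPT", "DROP", "REJECT")


def parse_chain(dump):
    """Parse `iptables -S INPUT` output into (policy, list of rule dicts)."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "-P":
            policy = toks[2]
            continue
        if toks[0] != "-A":
            continue
        rule = {"proto": None, "dport": None, "iface": None, "states": None,
                "target": None, "reject_with": None, "line": line}
        i = 2
        while i < len(toks):
            t = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if t == "-p":
                rule["proto"] = arg
            elif t in ("--dport", "--destination-port"):
                rule["dport"] = int(arg)
            elif t == "-i":
                rule["iface"] = arg
            elif t == "--state":
                rule["states"] = set(arg.split(","))
            elif t == "-j":
                rule["target"] = arg
            elif t == "--reject-with":
                rule["reject_with"] = arg
            else:           # "-m state", "-m tcp": no match of their own
                i += 1
                continue
            i += 2
        rules.append(rule)
    return policy, rules


def verdict(policy, rules, proto, dport, iface="eth0", state="NEW"):
    """Walk the chain first-match like the kernel; return (target, index)."""
    for idx, r in enumerate(rules):
        if r["proto"] and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["iface"] and r["iface"] != iface:
            continue
        if r["states"] is not None and state not in r["states"]:
            continue
        if r["target"] in TERMINAL:
            return r["target"], idx
    return policy, None


def diagnose(dump, proto, dport):
    """Explain what happens to a fresh packet for proto/dport."""
    policy, rules = parse_chain(dump)
    target, idx = verdict(policy, rules, proto, dport)
    if target == "REJECT" and rules[idx]["reject_with"] == "icmp-host-prohibited":
        return (target, idx, "rule %d answers ICMP type 3 code 10 (host "
                "administratively prohibited), the error seen in the capture" % idx)
    where = "chain policy" if idx is None else "rule %d" % idx
    return (target, idx, "%s by %s" % (target, where))


def fix_commands(dump, proto, dport):
    """Commands that insert an ACCEPT for proto/dport just above the REJECT
    rule that currently wins (iptables positions are 1-based)."""
    target, idx, _ = diagnose(dump, proto, dport)
    if target != "REJECT":
        return []
    return ["iptables -I INPUT %d -p %s --dport %d -j ACCEPT" % (idx + 1, proto, dport),
            "service iptables save"]   # Fedora/RHEL initscript: persists the rule


def apply_fix(dump, proto, dport):
    """Simulate the insert so the fix can be re-checked offline."""
    policy, rules = parse_chain(dump)
    target, idx = verdict(policy, rules, proto, dport)
    if target != "REJECT":
        return dump
    lines = dump.splitlines()
    pos = lines.index(rules[idx]["line"])
    lines.insert(pos, "-A INPUT -p %s --dport %d -j ACCEPT" % (proto, dport))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print("%s/514: %s" % (proto, diagnose(FEDORA_STYLE_INPUT, proto, 514)[2]))
        for cmd in fix_commands(FEDORA_STYLE_INPUT, proto, 514):
            print("    " + cmd)
        fixed = apply_fix(FEDORA_STYLE_INPUT, proto, 514)
        print("after fix: %s" % diagnose(fixed, proto, 514)[2])
```

Run it as-is to see both protocols rejected by the last rule and accepted once the ACCEPT is inserted above it; on the real server, <tt>iptables -S INPUT</tt> (or <tt>iptables -L -n --line-numbers</tt>) shows whether the chain actually ends that way before any rule is touched.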
<br>
<br>
Siem Korteweg wrote:
<blockquote
cite="mid:61F7C813E194BE4B978C9F1A16165CBE06B5F6@EX01.QNH.local"
type="cite">
<pre wrap="">Hi,
try to split the sources. The following works for me (tcp instead of udp)
for OSE 3.0.2. All syslog-ng clients (and server) have the following sources
and destinations:
source s_internal { internal(); };
destination d_syslogng_log { file("/var/log/syslog-ng.log"); };
source s_local {
unix-dgram("/dev/log");
file("/proc/kmsg" program_override("kernel:"));
};
destination d_remote { tcp("logserver.f.q.d.n" port(514) ) ; };
destination d_local { file("/var/log/messages"); };
log { source( s_internal ); destination( d_remote ); };
log { source( s_internal ); destination( d_syslogng_log ); };
log { source( s_local ); destination( d_remote ); };
log { source( s_local ); destination( d_local ); };
All messages are logged in the local file /var/log/messages or in
/var/log/syslog-ng.log and forwarded to the logserver.
The syslog-ng server has the following additional sources and destinations:
source s_network { tcp (ip("logserver.f.q.d.n") port(514)); };
destination d_network {
file (
"/var/log/syslog-ng/hosts/$HOST_FROM/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY"
create_dirs(yes)
);
};
log { source( s_network ); destination( d_network ); };
Change tcp to udp and change the fqdn to 0.0.0.0. Check
/var/log/syslog-ng.log for errors during the processing of messages.
regards,
Siem Korteweg
-----Original message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> on behalf of Cosmin Neagu
Sent: Wed 1-7-2009 14:25
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng beginners guide
Yes, that was the first thing I checked; even now I have checked it
again, and the logs are still coming to the Linux box where syslog is
installed.
/tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
96 bytes
15:23:16.916213 IP (tos 0x0, ttl 255, id 125, offset 0, flags [none],
proto UDP (17), length 173) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 145
Facility local7 (23), Severity notice (5)
Msg: 126: *Jul 1 15:23:18.030: %OSPF-5-ADJCHG: Proces[|syslog]
15:23:16.918286 IP (tos 0x0, ttl 255, id 126, offset 0, flags [none],
proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 110
Facility local7 (23), Severity notice (5)
Msg: 127: *Jul 1 15:23:18.110: %LDP-5-NBRCHG: LDP Nei[|syslog]
15:23:17.876055 IP (tos 0x0, ttl 255, id 127, offset 0, flags [none],
proto UDP (17), length 136) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 108
Facility local7 (23), Severity notice (5)
Msg: 128: *Jul 1 15:23:19.954: %LINK-5-CHANGED: Inter[|syslog]
15:23:18.979640 IP (tos 0x0, ttl 255, id 128, offset 0, flags [none],
proto UDP (17), length 140) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 112
Facility local7 (23), Severity info (6)
Msg: 129: *Jul 1 15:23:19.958: %ENTITY_ALARM-6-INFO: [|syslog]
15:23:19.859450 IP (tos 0x0, ttl 255, id 129, offset 0, flags [none],
proto UDP (17), length 140) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 112
Facility local7 (23), Severity notice (5)
Msg: 130: *Jul 1 15:23:20.954: %LINEPROTO-5-UPDOWN: L[|syslog]
And unfortunately, I'm the only person in the company that knows a
little bit of Linux, so I don't have anybody to ask...
/
<a class="moz-txt-link-abbreviated" href="mailto:Ulrich.Wiemers@t-systems.com">Ulrich.Wiemers@t-systems.com</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
I don't see anything in your config...
Are you sure your syslog messages are sent to the UDP port syslog-ng
is listening on (normally: 514)?
Did you verify it with one of snoop, ethereal, wireshark and the like?
Just an idea... hth
Ulli
------------------------------------------------------------------------
*From:* <a class="moz-txt-link-abbreviated" href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>
[<a class="moz-txt-link-freetext" href="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</a>] *On behalf of *Cosmin Neagu
*Sent:* Wednesday, 1 July 2009 14:15
*To:* Syslog-ng users' and developers' mailing list
*Subject:* Re: [syslog-ng] Syslog-ng beginners guide
Hello again,
Things are evolving a little bit.
Now the syslog-ng conf is configured like this:
/source s_router_udp { udp (); };
destination d_mysql { pipe("/tmp/mysql.pipe" template("INSERT INTO
syslog_incoming (facility, priority, date, time, host, message, seq)
VALUES ( '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY',
'$HOUR:$MIN:$SEC', '$HOST', '$MSG', '$SEQ' );\n") template-escape(yes));
};
log { source (s_router_udp); destination (d_mysql); };
log { source (s_sys); destination(d_mysql); };/
The second log statement is working, because I can see entries in the
syslog_incoming table, and I also see the log in Cacti:
/mysql> select * from syslog_incoming;
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
| facility | priority | date       | time     | host          | message                                                          | seq | status |
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
| syslog   | info     | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: Termination requested via signal, terminating; | 22  | 0      |
| syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: syslog-ng shutting down; version='2.0.10'      | 23  | 0      |
| syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[21587]: syslog-ng starting up; version='2.0.10'        | 24  | 0      |
| authpriv | info     | 2009-07-01 | 11:56:06 | monitorizare1 | sshd[21567]: Connection closed by 127.0.0.1                      | 21  | 0      |
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
4 rows in set (0.00 sec)/
But I don't know what the problem is with the first log statement and
how to fix it. Can anyone help a little? Maybe with some documentation,
maybe someone encountered a similar problem?
PS: something else that I noticed and I don't know what it means.
One of the syslog-ng messages is like this:
/syslog-ng[20083]: Log statistics;
*dropped='pipe(/tmp/mysql.pipe)=0*', processed='center(queued)=30',
processed='center(received)=15', processed='destination(d_boot)=0',
processed='destination(d_auth)=4', processed='destination(d_cron)=9',
processed='destination(d_mysql)=15',
processed='destination(d_mlal)=0', processed='destination(d_mesg)=2',
processed='destination(d_cons)=0', processed='destination(d_spol)=0',
processed='destination(d_mail)=0', processed='source(s_sys)=15',
processed='source(s_router_udp)=0'/
What could be the cause for that "dropped" there? Shouldn't it be processed?
Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
<a class="moz-txt-link-abbreviated" href="http://www.omnilogic.ro">www.omnilogic.ro</a>
Cosmin Neagu wrote:
</pre>
<blockquote type="cite">
<pre wrap=""> Thanks allot Ulrich, that site contains great documentation, i'm
starting to understand how syslog-ng works.
But, let me tell you the problem with wich i'm stuck right now.
A router is sending syslog messages to a linux box (Fedora) from
10.0.0.1. I can see the messages arriving at the server.
/[root@monitorizare1 ~]# tcpdump -v src 10.0.0.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
96 bytes
10:09:07.941254 IP (tos 0x0, ttl 255, id 80, offset 0, flags [none],
proto UDP (17), length 115) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 87
Facility local7 (23), Severity error (3)
Msg: 81: *Jul 1 10:09:10.027: %LINK-3-UPDOWN: Interfa[|syslog]
10:09:08.760267 IP (tos 0x0, ttl 255, id 81, offset 0, flags [none],
proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 110
Facility local7 (23), Severity info (6)
Msg: 82: *Jul 1 10:09:10.031: %ENTITY_ALARM-6-INFO: C[|syslog]
10:09:09.755868 IP (tos 0x0, ttl 255, id 82, offset 0, flags [none],
proto UDP (17), length 137) 10.0.0.1.65150 > 192.168.53.248.syslog:
SYSLOG, length: 109
Facility local7 (23), Severity notice (5)/
I have configured syslog-ng.conf like this:
/source s_router_udp {
internal();
file ("/proc/kmsg" log_prefix("kernel: "));
udp (ip(0.0.0.0) port ( 514 ) );
#unix-stream ("/dev/log");
};
destination d_localfile {
file ("/root/testlog");
};
log {
source (s_router_udp);
destination (d_localfile);
};/
The problem is that in /root/testlog I can't see any log, except
those generated internally by syslog-ng:
/Jul 1 09:31:36 monitorizare1 syslog-ng[17787]: syslog-ng starting
up; version='2.0.10'
Jul 1 09:32:49 monitorizare1 syslog-ng[17787]: Termination requested
via signal, terminating;
Jul 1 09:32:50 monitorizare1 syslog-ng[17812]: syslog-ng starting
up; version='2.0.10'
Jul 1 09:42:50 monitorizare1 syslog-ng[17812]: Log statistics; processed='center(queued)=6', processed='center(received)=6', processed='destination(d_boot)=0', processed='destination(d_auth)=2', processed='destination(d_cron)=2', processed='destination(d_mlal)=0', processed='destination(d_localfile)=1', processed='destination(d_mesg)=1', processed='destination(d_cons)=0', processed='destination(d_spol)=0', processed='destination(d_mail)=0', processed='source(s_sys)=5', processed='source(s_router_udp)=1'
Jul 1 09:45:11 monitorizare1 syslog-ng[17812]: Termination requested
via signal, terminating;
Jul 1 09:45:11 monitorizare1 syslog-ng[18840]: syslog-ng starting
up; version='2.0.10'
Jul 1 09:47:43 monitorizare1 syslog-ng[18840]: Termination requested
via signal, terminating;
Jul 1 09:47:43 monitorizare1 syslog-ng[19009]: syslog-ng starting
up; version='2.0.10'/
I can't find anything in the syslog-ng admin guide about how
messages received from remote hosts can be written into files.
Can anyone help me? I feel that I'm close to a solution.
<a class="moz-txt-link-abbreviated" href="mailto:Ulrich.Wiemers@t-systems.com">Ulrich.Wiemers@t-systems.com</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
I was in a similar situation some weeks ago.
Admin Guide found at
<a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a> was of great
help to me.
And, of course, Google ,-)
hth
Ulli
-----Original message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>
[<a class="moz-txt-link-freetext" href="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</a>] On behalf of Cosmin Neagu
Sent: Tuesday, 30 June 2009 14:49
To: <a class="moz-txt-link-abbreviated" href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>
Subject: [syslog-ng] Syslog-ng beginners guide
Hello everybody,
Sorry for bothering you with a beginner's question.
I have a cacti implementation in my network and I want to integrate it
with syslog-ng. I have mostly Cisco routers, all configured to send syslog
messages to two Linux boxes (Ubuntu 9.04 and Fedora Core 10) where I have
installed syslog-ng.
I'm not able to find where the logs are kept, so this drives me crazy.
Do you know any site or resource where I can find some beginners guide
about using syslog-ng with Cisco routers? I mean, a guide for someone who
never used syslog-ng before.
Thanks.
--
Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
<a class="moz-txt-link-abbreviated" href="http://www.omnilogic.ro">www.omnilogic.ro</a>
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
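An added example (editor's code, not from the thread and not syslog-ng's) covering two earlier parts of this exchange: the Cisco IOS messages visible in the tcpdump output (facility local7, severity notice/info/error, bodies of the form <tt>126: *Jul 1 15:23:18.030: %OSPF-5-ADJCHG: ...</tt>) and the <tt>d_mysql</tt> pipe template that turns each message into an <tt>INSERT INTO syslog_incoming</tt> line with <tt>template-escape(yes)</tt>. The script decodes the &lt;PRI&gt; header into the facility and severity names that <tt>$FACILITY</tt> and <tt>$PRIORITY</tt> expand to, pulls the sequence number and mnemonic out of the IOS body, renders the INSERT with and without the escaping, and reads the literals back the way MySQL would. The datagrams in <tt>SAMPLES</tt> are constructed to resemble the captured lines, not the truncated originals; the source address and the hypothetical <tt>o'brien</tt> user name are likewise assumptions.

```python
"""Decode Cisco IOS syslog datagrams and render the syslog_incoming INSERT
the way the d_mysql pipe template earlier in this thread does.

Added example; it is not code from the thread or from syslog-ng. The
datagrams in SAMPLES are constructed to resemble the tcpdump lines in the
thread (facility local7, PRI 187-190); they are not the truncated originals.
The src_ip argument stands in for the router's address (10.0.0.1 above).
"""
import re

# Facility and severity names as syslog-ng's $FACILITY / $PRIORITY macros
# render them (list index = numeric code from the <PRI> header).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "security",
              "console", "solaris-cron"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info",
              "debug"]

# IOS message body: optional sequence number, timestamp (a leading "*" means
# the router clock is not authoritative), then %FACILITY-SEVERITY-MNEMONIC.
CISCO_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?P<ts>\*?[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%(?P<cfac>[A-Z0-9_]+)-(?P<csev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")

SAMPLES = [  # constructed, see module docstring
    "<189>126: *Jul  1 15:23:18.030: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 "
    "on Serial0/0 from LOADING to FULL, Loading Done",
    "<190>129: *Jul  1 15:23:19.958: %ENTITY_ALARM-6-INFO: CLEAR INFO Se0/0 "
    "Physical Port Administrative State Down",
    "<187>81: *Jul  1 10:09:10.027: %LINK-3-UPDOWN: Interface Serial0/0, "
    "changed state to down",
    # a body carrying a single quote: the case template-escape(yes) exists for
    "<189>131: *Jul  1 15:24:01.001: %SYS-5-CONFIG_I: Configured from console "
    "by o'brien on vty0 (10.0.0.9)",
]


def parse_datagram(data, src_ip="10.0.0.1"):
    """Split the <PRI> header off a BSD-syslog datagram and decode the body."""
    m = re.match(r"^<(\d{1,3})>(.*)$", data, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid PRI header: %r" % data[:16])
    pri, body = int(m.group(1)), m.group(2)
    row = {"facility": FACILITIES[pri >> 3], "priority": SEVERITIES[pri & 7],
           "host": src_ip, "message": body}
    c = CISCO_RE.match(body)
    if c:                      # non-IOS senders simply have no seq/mnemonic
        row.update(c.groupdict())
    return row


def template_escape(s):
    """What syslog-ng's template-escape(yes) does: prefix ' " and \\ with \\."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def to_insert(row, escape=True):
    """Render the INSERT line the pipe template produces for one row;
    escape=False shows what the template emits without template-escape(yes)."""
    esc = template_escape if escape else (lambda s: s)
    cols = ("facility", "priority", "host", "message")
    return ("INSERT INTO syslog_incoming (%s) VALUES ( %s );"
            % (", ".join(cols), ", ".join("'%s'" % esc(row[c]) for c in cols)))


def sql_string_literals(sql):
    """Read back the single-quoted literals of an INSERT, honouring backslash
    escapes as MySQL does. Returns None if a literal is left unterminated,
    i.e. the message text broke out of its quotes."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        i += 1
        buf = []
        while i < n and sql[i] != "'":
            if sql[i] == "\\" and i + 1 < n:
                buf.append(sql[i + 1])
                i += 2
            else:
                buf.append(sql[i])
                i += 1
        if i >= n:
            return None
        out.append("".join(buf))
        i += 1
    return out


if __name__ == "__main__":
    for dg in SAMPLES:
        row = parse_datagram(dg)
        print("%s.%s %s" % (row["facility"], row["priority"], row.get("mnem", "-")))
        for escape in (True, False):
            lits = sql_string_literals(to_insert(row, escape))
            ok = lits is not None and lits[3] == row["message"]
            print("  escape=%s -> %s" % (escape, "ok" if ok else "BROKEN"))
```

The fourth sample is the one to watch: without the escaping, the apostrophe in the message ends the string literal early and the INSERT no longer parses, while with <tt>template-escape(yes)</tt> the literal reads back as the original text. Since anyone who can send a UDP datagram to port 514 chooses the contents of <tt>$MSG</tt> (and, for UDP, the apparent source), the escaping in that template is not a nicety but the only thing between router-supplied text and the SQL the pipe reader executes.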
</body>
</html>