<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
</style>
</head>
<body class='hmmessage'>
OK, this worked successfully now<br>Thanks for the help<br><br><hr id="stopSpelling">From: reakyrok@hotmail.com<br>To: syslog-ng@lists.balabit.hu<br>Date: Sun, 5 Jul 2009 23:38:04 +0300<br>Subject: Re: [syslog-ng] Send a specific log by email<br><br>
<style>
.ExternalClass .EC_hmmessage P
{padding:0px;}
.ExternalClass body.EC_hmmessage
{font-size:10pt;font-family:Verdana;}
</style>
Dear <br> I don't know if the problem is in me or what :)<br>As I understood, you sent me configuration related to which interface I'll use to receive logs, but this is not the problem. The problem is that when I receive logs from the remote server whose IP is 163.121.189.131, I want to send the logs of this server to my email. I'm sorry if I used a configuration in the wrong way that made you not understand me.<br>Anyway, I'm now trying some kind of solution; I don't know if it can be a way to do what I want or not.<br>I did the following:<br>========================================================================================<br> source sme {file (/var/log/syslog-ng/servers/163.121.189.131/local7.log); };<br><br><br> destination maillog { program ("/usr/local/bin/syslog-mail-perl" );<br> };<br>log {source(sme); destination(maillog); };<br>========================================================================================<br>As you see, I try to make the source the file that contains the logs of the remote server 163.121.189.131<br>and try to send it to a script that mails it to me, but when I tried, nothing happened.<br>I'll attach the full configuration file and the mail script for you; I make it send to root, for example, in the first<br><br><br>configuration file:<br>=================================================================<br># configuration file for syslog-ng, customized for remote logging<br>#<br><br>source s_internal { internal(); };<br>destination d_syslognglog { file("/var/log/syslog-ng.log"); };<br>log { source(s_internal); destination(d_syslognglog); };<br><br># Remote logging<br>source s_remote {<br> tcp(ip(0.0.0.0) port(514));<br> udp(ip(0.0.0.0) port(514));<br>};<br><br>destination d_separatedbyhosts {<br> file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));<br>};<br><br>log { source(s_remote); destination(d_separatedbyhosts); };<br><br># This is the new part that I
did<br> source sme {file (/var/log/syslog-ng/servers/172.31.250.68/local7.log); };<br><br><br> destination maillog { program ("/usr/local/bin/syslog-mail-perl" );<br> };<br>log {source(sme); destination(maillog); };<br><br>options {<br><br> # Number of syslog lines stored in memory before being written to files<br> flush_lines (0);<br><br> # Syslog-ng uses queues<br> log_fifo_size (1000);<br><br> # Create log directories as needed<br> create_dirs (yes);<br><br> # Make the group "logs" own the log files and directories<br> group (logs);<br> dir_group (logs);<br><br> # Set the file and directory permissions<br> perm (0640);<br> dir_perm (0750);<br><br> # Check client hostnames for valid DNS characters<br> check_hostname (yes);<br><br> # Specify whether to trust hostname in the log message.<br> # If "yes", then it is left unchanged, if "no" the server replaces<br> # it with client's DNS lookup value.<br> keep_hostname (yes);<br><br> # Use DNS fully qualified domain names (FQDN)<br> # for the names of log file folders<br> use_fqdn (yes);<br> use_dns (yes);<br><br> # Cache DNS entries for up to 1000 hosts for 12 hours<br> dns_cache (yes);<br> dns_cache_size (1000);<br> dns_cache_expire (43200);<br><br> };<br># Define all the source<br>source s_localhost {<br> pipe ("/proc/kmsg" program_override("kernel: "));<br> unix-stream ("/dev/log");<br> internal();<br>};<br><br># Define the destination "d_localhost" log directory<br>destination d_localhost {<br> file ("/var/log/syslog-ng/localhost/$FACILITY.log");<br>};<br><br>#================================<br>#================================<br># Define all the sources of network generated syslog<br># messages and label it "d_network"<br>source s_network {<br> tcp(max-connections(5000));<br> udp();<br>};<br><br># Define the destination "d_network" log directory<br>destination d_network {<br> file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");<br>};<br><br>#=======================<br>#=======================<br># 
Any logs that match the "s_localhost" source should be logged<br># in the "d_localhost" directory<br><br>log { source(s_localhost);<br> destination(d_localhost);<br>};<br>#=======================<br>===========================================================================<br><br>and the following is the mail script<br><br>++++++++++++++++++++++++++++++++++++++++=====<br>#!/usr/bin/perl -n<br># thanks to Brian Dowling for an example with security in mind.<br><br>$TO = 'root';<br>$FROM = $TO;<br><br>s/^<\d{1,2}>//;<br><br>open(MAIL, "|/usr/sbin/sendmail -t");<br><br>print MAIL <<"EOT";<br>To: $TO<br>From: $FROM<br>Subject: SME Log Alert: $_<br><br>$_<br><br>EOT<br><br>close(MAIL);<br>+++++++++++++++++++++++++++++++++++++++++++++++<br><br>Thanks for your patience and help<br>Reaky<br><br><br><br><br>> Date: Sat, 4 Jul 2009 13:02:37 +0200<br>> From: Sandor.Geller@morganstanley.com<br>> To: syslog-ng@lists.balabit.hu<br>> Subject: Re: [syslog-ng] Send a specific log by email<br>> <br>> ...and to provide actual help: use filters based on hostname or the IP address<br>> <br>> filter f_myhostname {<br>> host("^myhostname$"); # this is a regexp, not a simple string<br>> };<br>> <br>> filter f_myipaddress {<br>> netmask("127.0.0.1/32");<br>> };<br>> <br>> later in your log definitions just use the filters:<br>> <br>> log {<br>> source(...);<br>> filter(...);<br>> destination(...);<br>> flags(final); # so the logs won't get processed by further log definitions<br>> };<br>> <br>> In the admin guide you can find more details about the configuration<br>> possibilities.<br>> <br>> hth,<br>> <br>> Sandor<br>> <br>> On Sat, Jul 4, 2009 at 12:48 PM, Sandor Geller &lt;sandorg@morganstanley.com&gt; wrote:<br>> > Hi,<br>> ><br>> > Local means that the host syslog-ng is running on has the IP address<br>> > configured on one of the network interfaces. Apps can bind only to<br>> > 0.0.0.0 or to local IP addresses, not to remote addresses.
I think<br>> > you're after filtering based on the remote host's IP address, not<br>> > binding to the IP address.<br>> ><br>> > Regards,<br>> ><br>> > Sandor<br>> ><br>> > 2009/7/4 Reaky Rok &lt;reakyrok@hotmail.com&gt;:<br>> >> Dear, what do you mean by local IP? Do you mean it's in the same subnet? Anyway,<br>> >> it's a routed IP not in the same subnet as the syslog server,<br>> >> but anyway, what is the right option to filter the requests from this IP only<br>> >> ???<br>> >><br>> >><br>> >>> From: bazsi@balabit.hu<br>> >>> To: syslog-ng@lists.balabit.hu<br>> >>> Date: Fri, 3 Jul 2009 15:57:08 +0200<br>> >>> Subject: Re: [syslog-ng] Send a specific log by email<br>> >>><br>> >>> On Thu, 2009-07-02 at 11:34 +0300, Reaky Rok wrote:<br>> >>> > I modified it and it gave me the following result after restarting:<br>> >>> ><br>> >>> > Error binding socket; addr='AF_INET(163.121.189.131:514)',<br>> >>> > error='Cannot assign requested address (99)'<br>> >>> > Error initializing source driver; source='s_remote', id='s_remote#0'<br>> >>> > Error initializing message pipeline;<br>> >>> > [FAILED]<br>> >>> ><br>> >>> > Is it possible that this is because I used the same source name in the<br>> >>> > first part of the configuration?<br>> >>> ><br>> >>><br>> >>> Is 163.121.189.131 a local IP address? The ip() option of source drivers<br>> >>> specifies the bind address, not the address to accept messages from.<br>> >>><br>> >>> --<br>> >>> Bazsi<br>> >>><br>> >>><br>> >>><br>> >>> ______________________________________________________________________________<br>> >>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<br>> >>> Documentation:<br>> >>> http://www.balabit.com/support/documentation/?product=syslog-ng<br>> >>> FAQ: http://www.campin.net/syslog-ng/faq.html<br>> >>><br></body>
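Added example, not part of the original thread: the filter advice from Sandor's reply applied to the configuration posted above, selecting the sender with a netmask() filter instead of ip(), which only sets the local bind address. The filter name f_sme is hypothetical; the other names, paths and the address are taken from the thread.

```conf
# Added example, not the poster's final configuration.
# f_sme is a hypothetical filter name.

source s_remote {
    # ip() is the LOCAL address to bind to, not the sender.
    # 0.0.0.0 listens on every interface; a remote address here
    # produces "Cannot assign requested address (99)".
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};

# Select messages by the address they were received from.
filter f_sme { netmask("163.121.189.131/32"); };

destination maillog {
    program("/usr/local/bin/syslog-mail-perl");
};

destination d_separatedbyhosts {
    file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log"
         owner("root") group("root") perm(0640)
         dir_perm(0750) create_dirs(yes));
};

# Messages from 163.121.189.131: mail them and store them, then stop.
# flags(final) keeps the catch-all statement below from writing
# the same message to the file a second time.
log {
    source(s_remote);
    filter(f_sme);
    destination(maillog);
    destination(d_separatedbyhosts);
    flags(final);
};

# Every other remote host: store only.
log { source(s_remote); destination(d_separatedbyhosts); };
```

The order of the two log statements matters: the filtered one must come first for flags(final) to take effect. Over UDP the source address is not authenticated and the mail script sends one mail per log line, so mail volume is controlled by whatever can reach port 514 with that source address.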
</html>