<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16850" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=436074817-07072009><FONT face=Arial
color=#0000ff size=2>I use vuurmuur as an IP tables front-end - IMHO - Greatest
thing since sliced bread for iptables.</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> syslog-ng-bounces@lists.balabit.hu
[mailto:syslog-ng-bounces@lists.balabit.hu] <B>On Behalf Of </B>Cosmin
Neagu<BR><B>Sent:</B> Tuesday, July 07, 2009 1:50 AM<BR><B>To:</B> Syslog-ng
users' and developers' mailing list<BR><B>Subject:</B> Re: [syslog-ng] Syslog-ng
beginners guide<BR></FONT><BR></DIV>
<DIV></DIV>Sorry for answering so late.<BR>You were right guys about the
firewall, on the Fedora server iptables was on, and as soon as I turned it off,
everything worked great. <BR>Know i have to learn how to configure iptables,
cause i don't want to leave it off.<BR>Anyone knows a good starting point for
iptables?<BR><BR><BR><BR>And another thing that bothers me...why the hell does
the cpu stays most of the time at 100% because of the syslog-ng
process?<BR><BR><I>top - 09:42:37 up 55 min, 2 users, load average:
1.10, 1.07, 0.98<BR>Tasks: 134 total, 3 running, 131
sleeping, 0 stopped, 0 zombie<BR>Cpu(s): 12.3%us,
39.0%sy, 0.0%ni, 48.6%id, 0.0%wa, 0.0%hi, 0.2%si,
0.0%st<BR>Mem: 2060488k total, 850036k used,
1210452k free, 77172k buffers<BR>Swap: 2931820k
total, 0k used, 2931820k
free, 460408k cached<BR><BR> PID
USER PR NI VIRT RES SHR S
%CPU %MEM TIME+
COMMAND
<BR> 2527 root 20 0 3344
1268 848 R <B>100</B> 0.1 32:13.86
syslog-ng
<BR> 3028 root 20 0
305m 34m 11m S 2 1.7 1:04.90
Xorg
<BR> 22 root 15
-5 0 0 0
S 0 0.0 0:00.12
ata/1
<BR> 3788 cosmin 20 0 221m 102m
26m S 0 5.1 1:12.27
firefox <BR><BR></I>I have a dual core processor, and
either CPU1 or CPU2 stays at 100% utilization...<BR><PRE class=moz-signature cols="72">Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
<A class=moz-txt-link-abbreviated href="http://www.omnilogic.ro">www.omnilogic.ro</A>
</PRE><BR><BR>Dave Edelman wrote:
<BLOCKQUOTE cite=mid:000001c9fc3b$06fca360$14f5ea20$@com type="cite"><PRE wrap="">The problem might be in this line: " Actually i don't know yet how to
configure iptables"
They might be enabled by default so you might want to try this:
# iptables -L
If it shows anything but a bunch of lines saying policy accept and some
header lines, then you (at your own risk) need to tell it to stop by issuing
the magical incantation
# iptables -F
To keep the pesky safe guards off on a full time basis, you might want to do
something like:
# chkconfig iptables off
# service iptables stop
You need to do this with root access so sudo is your friend unless you are
really brave and are logging on as root directly :)
--Dave
"I insist that my car has good brakes, they allow me to go faster"
-----Original Message-----
From: <A class=moz-txt-link-abbreviated href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</A>
[<A class=moz-txt-link-freetext href="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</A>] On Behalf Of Balazs Scheidler
Sent: Friday, July 03, 2009 10:03 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng beginners guide
On Thu, 2009-07-02 at 17:50 +0300, Cosmin Neagu wrote:
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">I have tryed like this:
On a remote linux host (Ubuntu 9.04) i have configured syslog-ng
like this:
source s_internal {internal();};
source s_local {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
};
destination d_localfile { file ("/home/cosmin/syslog.log"); };
destination d_remote {tcp ("192.168.53.248" port(514)); }; //i
have tried with udp also
log { source(s_local); destination(d_localfile); };
log { source(s_internal); destination(d_localfile); };
log { source(s_local); destination(d_remote); };
On the syslog server (Fedora c10), the configuration is:
source s_remote_tcp {tcp (ip (0.0.0.0) port(514)); };
//i have tried with udp also.
destination d_localfile {file ("/root/syslog.log"); };
log { source (s_remote_tcp); destination (d_localfile); };
After a few tests, i have noticed (with the help of wireshark) the
folowing:
1. In UDP case, it sends the logs, i can see the packets arriving on
the server with tcpdump, but the the server returns an icmp error
Destination Unreachable, with a code "Host Administrately Prohibited"
2. The same thing in TCP case, only that the message is not send, only
the first syn pachet trying to establish the tcp connection and it
receives the same icmp error from the server.
On the server i have fedora core 10, with selinux disabled. No
firewall at all. Actually i don't know yet how to configure iptables.
I have noticed that on the server, if i try to define a source like
this:
source s_remote_tcp {tcp (ip (192.168.53.151) port(514)); };
it will give an error:
Starting syslog-ng: Error binding socket;
addr='AF_INET(192.168.53.151:514)', error='Cannot assign requested
address (99)'
Error initializing source driver; source='s_remote_tcp'
Pls, can someone help me with this problem? I dont know what could be
blocking the packets, if it is because of the OS or because of
syslog-ng configuration.
</PRE></BLOCKQUOTE><PRE wrap=""><!---->
ICMP admin prohibited is probably generated by the packet filter. It
cannot be generated by an application (unless it'd be injecting ICMP
packets of its own, which syslog-ng doesn't do).
Also, I wanted to point out that starting with 2.1, syslog-ng has its
own SQL destination, no need to mess with named pipes. But if you decide
to use a newer version, I would recommend 3.0.3, the current stable
version.
</PRE></BLOCKQUOTE></BODY></HTML>