<div><div class="gmail_quote">On Mon, Jan 4, 2010 at 7:07 PM, Paul B. Henson <span dir="ltr"><<a href="mailto:henson@acm.org">henson@acm.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
I'm trying to upgrade from 2.1.3 to 3.0.4 under Linux, and am having<br>
trouble getting my kernel messages tagged appropriately.<br>
<br>
My previous configuration had the following:<br>
<br>
-----<br>
source k_src { pipe("/proc/kmsg" log_prefix("kernel: ")); };<br>
<br>
destination iptables { file("/var/log/iptables.log"); };<br>
filter f_iptables { match("iptables:"); };<br>
log { source(k_src); filter(f_iptables); destination(iptables); flags(final); };<br>
<br>
destination messages { file("/var/log/messages"); };<br>
log { source(src); source(k_src); destination(messages); };<br>
-----<br>
<br>
All of my kernel messages showed up with the "kernel:" prefix, and anything<br>
coming from iptables was dropped in a separate log.<br>
<br>
Based on the documentation, I modified my configuration to the following<br>
for 3.0.4:<br>
<br>
-----<br>
source k_src { file("/proc/kmsg" program_override("kernel")); };<br>
<br>
destination iptables { file("/var/log/iptables.log"); };<br>
filter f_iptables { program("^kernel$") and message("^iptables:"); };<br>
log { source(k_src); filter(f_iptables); destination(iptables);<br>
flags(final); };<br>
<br>
destination messages { file("/var/log/messages"); };<br>
log { source(src); source(k_src); destination(messages); };<br>
-----<br>
<br>
However, my kernel messages show up with no prefix. I tried starting up in<br>
debug mode:<br>
<br>
-----<br>
syslog-ng starting up; version='3.0.4'<br>
Incoming log entry; line='<6>usb 2-7: USB disconnect, address 8'<br>
Filter rule evaluation begins; filter_rule='f_iptables'<br>
Filter node evaluation result; filter_result='not-match'<br>
Filter node evaluation result; filter_result='not-match', filter_type='AND'<br>
Filter rule evaluation result; filter_result='not-match',<br>
filter_rule='f_iptables'<br>
Initializing destination file writer; template='/var/log/messages',<br>
filename='/var/log/messages'<br>
Incoming log entry; line='<4>iptables: IN=eth0 OUT=<br>
MAC=0:05:00:10:97:43:00:0SC147.5.2 S=2... E=8TS00 RC0C T= D363POO2'<br>
Filter rule evaluation begins; filter_rule='f_iptables'<br>
Filter node evaluation result; filter_result='not-match'<br>
Filter node evaluation result; filter_result='not-match', filter_type='AND'<br>
Filter rule evaluation result; filter_result='not-match',<br>
filter_rule='f_iptables'<br>
-----<br>
<br>
This didn't help me. Am I doing something wrong? I didn't find any<br>
complaints of this nature on the mailing list, which leads me to suspect<br>
I'm somehow being stupid, any pointers much appreciated.<br>
<br>
Thanks...<br>
<br>
<br>
--<br>
Paul B. Henson | (909) 979-6361 | <a href="http://www.csupomona.edu/~henson/" target="_blank">http://www.csupomona.edu/~henson/</a><br>
Operating Systems and Network Analyst | <a href="mailto:henson@csupomona.edu">henson@csupomona.edu</a><br>
California State Polytechnic University | Pomona CA 91768<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
</blockquote></div><div><br></div>Hello!<div><br></div><div>Syslog-ng 3.0.5 has the following in its bugfixes update:</div><div><br></div><div>* Fixed host_override/program_override options that were broken in 3.0.4.</div>
<div><br></div><div>I'd grab version 3.0.5 regardless as it is a recommended upgrade with a number of bugfixes.</div>
<br clear="all"><br>-- <br>Lance Laursen<br>Demonware Systems Engineer<br>
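<div><br></div><div>An added example, not part of either message and not syslog-ng code: a small parser for the debug-trace format quoted above that lists messages carrying a given prefix which a named filter rule still rejected, the symptom of the override not being applied. The sample trace is constructed in the thread's format; the function names are hypothetical.</div>

```python
import re

# Constructed sample in the debug format quoted in the thread (packet details
# shortened, one line left wrapped as a mail client would); not a real capture.
SAMPLE = """\
Incoming log entry; line='<6>usb 2-7: USB disconnect, address 8'
Filter rule evaluation begins; filter_rule='f_iptables'
Filter node evaluation result; filter_result='not-match', filter_type='AND'
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_iptables'
Incoming log entry; line='<4>iptables: IN=eth0 OUT= SRC=192.0.2.10'
Filter rule evaluation begins; filter_rule='f_iptables'
Filter node evaluation result; filter_result='not-match'
Filter node evaluation result; filter_result='not-match', filter_type='AND'
Filter rule evaluation result; filter_result='not-match', filter_rule='f_iptables'
"""

# key='value' pairs; a value ends at a quote followed by a comma or end of line,
# so commas inside the logged message itself do not split it.
KV = re.compile(r"(\w+)='(.*?)'(?=,|$)")

def parse_debug(text):
    """Return one record per incoming entry: its raw line and rule verdicts."""
    # Re-join wrapped lines: every real debug line contains "; ".
    joined = []
    for raw in text.splitlines():
        if "; " in raw or not joined:
            joined.append(raw.strip())
        else:
            joined[-1] += " " + raw.strip()
    entries = []
    for line in joined:
        event, _, rest = line.partition("; ")
        fields = dict(KV.findall(rest))
        if event == "Incoming log entry":
            entries.append({"line": fields.get("line", ""), "rules": {}})
        elif event == "Filter rule evaluation result" and entries:
            entries[-1]["rules"][fields["filter_rule"]] = fields["filter_result"]
    return entries

def unrouted(entries, prefix, rule):
    """Entries whose text starts with `prefix` but which `rule` rejected."""
    pat = re.compile(r"^<\d+>" + re.escape(prefix))
    return [e for e in entries
            if pat.match(e["line"]) and e["rules"].get(rule) == "not-match"]

if __name__ == "__main__":
    for e in unrouted(parse_debug(SAMPLE), "iptables:", "f_iptables"):
        print("rejected by f_iptables:", e["line"])
```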
</div>