<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Dukes,<br>
<br>
In fact, there are some files configured by syslog-ng itself.<br>
<br>
Below are the files that I myself had created. But only the uspcce.log
has been updated after the last change I've implemented.<br>
<br>
cefet.log<br>
cisco7206.log<br>
incor.log<br>
ufabc.log<br>
unesp.log<br>
unifesp.log<br>
uspcce.log<br>
<br>
Hugs,<br>
<pre class="moz-signature" cols="72">--
Wagner Pereira
PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
<a class="moz-txt-link-freetext" href="http://www.pop-sp.rnp.br">http://www.pop-sp.rnp.br</a>
Tel. (11) 3091-8901</pre>
<br>
On 10/5/2010 12:12, Clayton Dukes wrote:
<blockquote
cite="mid:AANLkTilA62o-bwhKCM5r_X6iXGoSxE04r8ikXYa_fdtq@mail.gmail.com"
type="cite">Hi Wagner,<br>
I see 21 log files configured in your syslog-ng.conf file, which ones
are missing?<br>
<br>
<div class="gmail_quote">On Mon, May 10, 2010 at 9:14 AM, Wagner
Pereira <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:wpereira@pop-sp.rnp.br">wpereira@pop-sp.rnp.br</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
Dukes,<br>
<br>
I implemented your changes and I can say that almost everything came
back to work correctly, but...<br>
<br>
At the beginning, I had seven .log files being incremented by the syslog
and now I have only one .log file being incremented.<br>
<br>
What can be still wrong?<br>
<br>
Hugs,
<div class="im"><br>
<pre cols="72">--
Wagner Pereira
PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
<a moz-do-not-send="true" href="http://www.pop-sp.rnp.br"
target="_blank">http://www.pop-sp.rnp.br</a>
Tel. (11) 3091-8901</pre>
<br>
</div>
On 7/5/2010 12:28, Clayton Dukes wrote:
<div>
<div class="h5">
<blockquote type="cite">Hi Wagner,<br>
A couple of problems with your config:<br>
1. I believe that prior to syslog-ng v3.x, you could only have one
source defined.<br>
try removing your source net definition, it's a duplicate of "s_all"
and there's no need for it.<br>
- be sure to update any reference to "net" and change them to "s_all"<br>
<br>
2. You have destinations and filters with the same name, I'm pretty
sure this is not allowed.<br>
<br>
Try something like this:<br>
<br>
source s_all {<br>
# message generated by Syslog-NG<br>
internal();<br>
# standard Linux log source (this is the default place for the
syslog()<br>
# function to send logs to)<br>
unix-stream("/dev/log");<br>
# messages from the kernel<br>
file("/proc/kmsg" log_prefix("kernel: "));<br>
# use the following line if you want to receive remote UDP
logging messages<br>
# (this is equivalent to the "-r" syslogd flag)<br>
udp();<br>
};<br>
<br>
destination d_Cisco7206 {<br>
file("/var/log/routers/cisco7206.log" <br>
create_dirs(yes) );<br>
<div bgcolor="#ffffff" text="#000000">};<br>
<br>
destination d_Metrosampa-USP_CCE {<br>
file("/var/log/routers/uspcce.log" <br>
create_dirs(yes) );<br>
};<br>
<br>
filter f_Cisco7206 {<br>
host("10.0.0.2");<br>
};<br>
<br>
filter f_Metrosampa-USP_CCE {<br>
host("10.0.0.3");<br>
};<br>
<br>
</div>
<br>
log {<br>
source(s_all);<br>
filter(f_Cisco7206);<br>
destination(d_Cisco7206);<br>
};<br>
<br>
log {<br>
source(s_all);<br>
filter(f_Metrosampa-USP_CCE);<br>
destination(d_Metrosampa-USP_CCE);<br>
<div bgcolor="#ffffff" text="#000000">};</div>
<br>
<br>
<br>
<br>
<div class="gmail_quote">On Fri, May 7, 2010 at 10:06 AM, Wagner
Pereira <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:wpereira@pop-sp.rnp.br" target="_blank">wpereira@pop-sp.rnp.br</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">Hi, Dukes. Thanks for
your
reply.<br>
<br>
At this moment, I must go back to logging into the .log files, the
same way as at the beginning. This is urgent for now. (Below is my
syslog-ng.conf file)<br>
<br>
Next, my boss is asking me to test the Syslog plugin for Cacti.<br>
<br>
Finally, if this solution doesn't meet our demand, I will consider
re-installing and testing Logzilla.<br>
<br>
---------------------<br>
#<br>
# Configuration file for syslog-ng under Debian<br>
#<br>
# attempts at reproducing default syslog behavior<br>
<br>
# the standard syslog levels are (in descending order of priority):<br>
# emerg alert crit err warning notice info debug<br>
# the aliases "error", "panic", and "warn" are deprecated<br>
# the "none" priority found in the original syslogd configuration is<br>
# only used in internal messages created by syslogd<br>
<br>
<br>
######<br>
# options<br>
<br>
options {<br>
# disable the chained hostname format in logs<br>
# (default is enabled)<br>
chain_hostnames(0);<br>
<br>
# the time to wait before a died connection is re-established<br>
# (default is 60)<br>
time_reopen(10);<br>
<br>
# the time to wait before an idle destination file is closed<br>
# (default is 60)<br>
time_reap(360);<br>
<br>
# the number of lines buffered before written to file<br>
# you might want to increase this if your disk isn't catching
with<br>
# all the log messages you get or if you want less disk activity<br>
# (say on a laptop)<br>
# (default is 0)<br>
#sync(0);<br>
<br>
# the number of lines fitting in the output queue<br>
log_fifo_size(2048);<br>
<br>
# enable or disable directory creation for destination files<br>
create_dirs(yes);<br>
<br>
# default owner, group, and permissions for log files<br>
# (defaults are 0, 0, 0600)<br>
#owner(root);<br>
group(adm);<br>
perm(0640);<br>
<br>
# default owner, group, and permissions for created directories<br>
# (defaults are 0, 0, 0700)<br>
#dir_owner(root);<br>
#dir_group(root);<br>
dir_perm(0755);<br>
<br>
# enable or disable DNS usage<br>
# syslog-ng blocks on DNS queries, so enabling DNS may lead to<br>
# a Denial of Service attack<br>
# (default is yes)<br>
use_dns(yes);<br>
<br>
# maximum length of message in bytes<br>
# this is only limited by the program listening on the /dev/log
Unix<br>
# socket, glibc can handle arbitrary length log messages, but
-- for<br>
# example -- syslogd accepts only 1024 bytes<br>
# (default is 2048)<br>
#log_msg_size(2048);<br>
<br>
#Disable statistic log messages.<br>
stats_freq(0);<br>
<br>
# Some programs send log messages through a private implementation,<br>
# and sometimes that implementation is bad. If this happens syslog-ng<br>
# may recognise the program name as hostname. With this option<br>
# we tell syslog-ng that if a hostname matches this regexp then
that<br>
# is not a real hostname.<br>
bad_hostname("^gconfd$");<br>
};<br>
<br>
<br>
######<br>
# sources<br>
<br>
# all known message sources<br>
source s_all {<br>
# message generated by Syslog-NG<br>
internal();<br>
# standard Linux log source (this is the default place for the
syslog()<br>
# function to send logs to)<br>
unix-stream("/dev/log");<br>
# messages from the kernel<br>
file("/proc/kmsg" log_prefix("kernel: "));<br>
# use the following line if you want to receive remote UDP
logging messages<br>
# (this is equivalent to the "-r" syslogd flag)<br>
udp();<br>
};<br>
<br>
source net {<br>
unix-stream("/dev/log");<br>
internal();<br>
udp(ip(0.0.0.0) port(514));<br>
};<br>
<br>
<br>
<br>
######<br>
# destinations<br>
<br>
# some standard log files<br>
destination df_auth { file("/var/log/auth.log"); };<br>
destination df_syslog { file("/var/log/syslog"); };<br>
destination df_cron { file("/var/log/cron.log"); };<br>
destination df_daemon { file("/var/log/daemon.log"); };<br>
destination df_kern { file("/var/log/kern.log"); };<br>
destination df_lpr { file("/var/log/lpr.log"); };<br>
destination df_mail { file("/var/log/mail.log"); };<br>
destination df_user { file("/var/log/user.log"); };<br>
destination df_uucp { file("/var/log/uucp.log"); };<br>
<br>
# these files are meant for the mail system log files<br>
# and provide re-usable destinations for {mail,cron,...}.info,<br>
# {mail,cron,...}.notice, etc.<br>
destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };<br>
destination df_facility_dot_notice { file("/var/log/$FACILITY.notice");
};<br>
destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };<br>
destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };<br>
destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };<br>
<br>
# these files are meant for the news system, and are kept separated<br>
# because they should be owned by "news" instead of "root"<br>
destination df_news_dot_notice { file("/var/log/news/news.notice"
owner("news")); };<br>
destination df_news_dot_err { file("/var/log/news/news.err"
owner("news")); };<br>
destination df_news_dot_crit { file("/var/log/news/news.crit"
owner("news")); };<br>
<br>
# some more classical and useful files found in standard syslog
configurations<br>
destination df_debug { file("/var/log/debug"); };<br>
destination df_messages { file("/var/log/messages"); };<br>
<br>
# pipes<br>
# a console to view log messages under X<br>
destination dp_xconsole { pipe("/dev/xconsole"); };<br>
<br>
# consoles<br>
# this will send messages to everyone logged in<br>
destination du_all { usertty("*"); };<br>
<br>
destination Cisco7206 {<br>
file("/var/log/routers/cisco7206.log" create_dirs(yes) );<br>
};<br>
<br>
destination Metrosampa-USP_CCE {<br>
file("/var/log/routers/uspcce.log" create_dirs(yes) );<br>
};<br>
<br>
<br>
######<br>
# filters<br>
<br>
# all messages from the auth and authpriv facilities<br>
filter f_auth { facility(auth, authpriv); };<br>
<br>
# all messages except from the auth and authpriv facilities<br>
filter f_syslog { not facility(auth, authpriv); };<br>
<br>
# respectively: messages from the cron, daemon, kern, lpr, mail, news,
user,<br>
# and uucp facilities<br>
filter f_cron { facility(cron); };<br>
filter f_daemon { facility(daemon); };<br>
filter f_kern { facility(kern); };<br>
filter f_lpr { facility(lpr); };<br>
filter f_mail { facility(mail); };<br>
filter f_news { facility(news); };<br>
filter f_user { facility(user); };<br>
filter f_uucp { facility(uucp); };<br>
<br>
# some filters to select messages of priority greater or equal to info,
warn,<br>
# and err<br>
# (equivalents of syslogd's *.info, *.warn, and *.err)<br>
filter f_at_least_info { level(info..emerg); };<br>
filter f_at_least_notice { level(notice..emerg); };<br>
filter f_at_least_warn { level(warn..emerg); };<br>
filter f_at_least_err { level(err..emerg); };<br>
filter f_at_least_crit { level(crit..emerg); };<br>
<br>
# all messages of priority debug not coming from the auth, authpriv,
news, and<br>
# mail facilities<br>
filter f_debug { level(debug) and not facility(auth, authpriv, news,
mail); };<br>
<br>
# all messages of info, notice, or warn priority not coming from the
auth,<br>
# authpriv, cron, daemon, mail, and news facilities<br>
filter f_messages {<br>
level(info,notice,warn)<br>
and not facility(auth,authpriv,cron,daemon,mail,news);<br>
};<br>
<br>
# messages with priority emerg<br>
filter f_emerg { level(emerg); };<br>
<br>
# complex filter for messages usually sent to the xconsole<br>
filter f_xconsole {<br>
facility(daemon,mail)<br>
or level(debug,info,notice,warn)<br>
or (facility(news)<br>
and level(crit,err,notice));<br>
};<br>
<br>
filter Cisco7206 {<br>
host("10.0.0.2");<br>
};<br>
<br>
filter Metrosampa-USP_CCE {<br>
host("10.0.0.3");<br>
};<br>
<br>
######<br>
# logs<br>
# order matters if you use "flags(final);" to mark the end of
processing in a<br>
# "log" statement<br>
<br>
# these rules provide the same behavior as the commented original
syslogd rules<br>
<br>
# auth,authpriv.* /var/log/auth.log<br>
log {<br>
source(s_all);<br>
filter(f_auth);<br>
destination(df_auth);<br>
};<br>
<br>
# *.*;auth,authpriv.none -/var/log/syslog<br>
log {<br>
source(s_all);<br>
filter(f_syslog);<br>
destination(df_syslog);<br>
};<br>
<br>
# this is commented out in the default syslog.conf<br>
# cron.* /var/log/cron.log<br>
#log {<br>
# source(s_all);<br>
# filter(f_cron);<br>
# destination(df_cron);<br>
#};<br>
<br>
# daemon.* -/var/log/daemon.log<br>
log {<br>
source(s_all);<br>
filter(f_daemon);<br>
destination(df_daemon);<br>
};<br>
<br>
# kern.* -/var/log/kern.log<br>
log {<br>
source(s_all);<br>
filter(f_kern);<br>
destination(df_kern);<br>
};<br>
<br>
# lpr.* -/var/log/lpr.log<br>
log {<br>
source(s_all);<br>
filter(f_lpr);<br>
destination(df_lpr);<br>
};<br>
<br>
# mail.* -/var/log/mail.log<br>
log {<br>
source(s_all);<br>
filter(f_mail);<br>
destination(df_mail);<br>
};<br>
<br>
# user.* -/var/log/user.log<br>
log {<br>
source(s_all);<br>
filter(f_user);<br>
destination(df_user);<br>
};<br>
<br>
# uucp.* /var/log/uucp.log<br>
log {<br>
source(s_all);<br>
filter(f_uucp);<br>
destination(df_uucp);<br>
};<br>
<br>
# mail.info -/var/log/mail.info<br>
log {<br>
source(s_all);<br>
filter(f_mail);<br>
filter(f_at_least_info);<br>
destination(df_facility_dot_info);<br>
};<br>
<br>
# mail.warn -/var/log/mail.warn<br>
log {<br>
source(s_all);<br>
filter(f_mail);<br>
filter(f_at_least_warn);<br>
destination(df_facility_dot_warn);<br>
};<br>
<br>
# mail.err /var/log/mail.err<br>
log {<br>
source(s_all);<br>
filter(f_mail);<br>
filter(f_at_least_err);<br>
destination(df_facility_dot_err);<br>
};<br>
<br>
# news.crit /var/log/news/news.crit<br>
log {<br>
source(s_all);<br>
filter(f_news);<br>
filter(f_at_least_crit);<br>
destination(df_news_dot_crit);<br>
};<br>
<br>
# news.err /var/log/news/news.err<br>
log {<br>
source(s_all);<br>
filter(f_news);<br>
filter(f_at_least_err);<br>
destination(df_news_dot_err);<br>
};<br>
<br>
# news.notice /var/log/news/news.notice<br>
log {<br>
source(s_all);<br>
filter(f_news);<br>
filter(f_at_least_notice);<br>
destination(df_news_dot_notice);<br>
};<br>
<br>
<br>
# *.=debug;\<br>
# auth,authpriv.none;\<br>
# news.none;mail.none -/var/log/debug<br>
log {<br>
source(s_all);<br>
filter(f_debug);<br>
destination(df_debug);<br>
};<br>
<br>
<br>
# *.=info;*.=notice;*.=warn;\<br>
# auth,authpriv.none;\<br>
# cron,daemon.none;\<br>
# mail,news.none -/var/log/messages<br>
log {<br>
source(s_all);<br>
filter(f_messages);<br>
destination(df_messages);<br>
};<br>
<br>
# *.emerg *<br>
log {<br>
source(s_all);<br>
filter(f_emerg);<br>
destination(du_all);<br>
};<br>
<br>
<br>
# daemon.*;mail.*;\<br>
# news.crit;news.err;news.notice;\<br>
# *.=debug;*.=info;\<br>
# *.=notice;*.=warn |/dev/xconsole<br>
log {<br>
source(s_all);<br>
filter(f_xconsole);<br>
destination(dp_xconsole);<br>
};<br>
<br>
log {<br>
source(net);<br>
filter(Cisco7206);<br>
destination(Cisco7206);<br>
};<br>
<br>
log {<br>
source(net);<br>
filter(Metrosampa-USP_CCE);<br>
destination(Metrosampa-USP_CCE);<br>
};<br>
---------------------------------<br>
<pre cols="72">--
Wagner Pereira
PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
<div><a moz-do-not-send="true" href="http://www.pop-sp.rnp.br"
target="_blank">http://www.pop-sp.rnp.br</a>
Tel. (11) 3091-8901</div></pre>
<br>
On 7/5/2010 10:19, Clayton Dukes wrote:
<div>
<div>
<blockquote type="cite">Hi Wagner,<br>
If you need help with LogZilla, please let me know.<br>
For syslog-ng, it would help if you posted your syslog-ng.conf file.<br>
<br>
<br>
<div class="gmail_quote">On Fri, May 7, 2010 at 9:08 AM,
Wagner
Pereira <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:wpereira@pop-sp.rnp.br" target="_blank">wpereira@pop-sp.rnp.br</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi,
all.<br>
<br>
When I installed Syslog-ng, I configured it to log all the device's<br>
activities into the .log files. It worked well for some weeks.<br>
<br>
In the last week, I tried to use Logzilla (formerly PhP-Syslog-ng) but I<br>
wasn't successful, so I removed Logzilla yesterday.<br>
<br>
After I removed Logzilla, I noticed that all the activities are being<br>
recorded into the /var/log/messages file and no longer into the .log<br>
files I originally created for this purpose.<br>
<br>
What should I configure to turn on logging in those .log files? I already<br>
have the syslog-ng.conf configured properly.<br>
<br>
Thanks in advance.<br>
<br>
--<br>
<br>
Wagner Pereira<br>
<br>
PoP-SP/RNP - Ponto de Presença da RNP em São Paulo<br>
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo<br>
<a moz-do-not-send="true" href="http://www.pop-sp.rnp.br"
target="_blank">http://www.pop-sp.rnp.br</a><br>
Tel. (11) 3091-8901<br>
<br>
______________________________________________________________________________<br>
Member info: <a moz-do-not-send="true"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a moz-do-not-send="true"
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a moz-do-not-send="true"
href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
______________________________________________________________ <br>
<br>
Clayton Dukes<br>
______________________________________________________________<br>
</blockquote>
</div>
</div>
</div>
<br>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
______________________________________________________________ <br>
<br>
Clayton Dukes<br>
______________________________________________________________<br>
</blockquote>
</div>
</div>
</div>
<br>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
______________________________________________________________ <br>
<br>
Clayton Dukes<br>
______________________________________________________________<br>
</blockquote>
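<br>
An added example (not part of the thread, and not syslog-ng's own tooling): a small Python check for the two problems raised in the 7/5/2010 reply, a name shared by a destination and a filter and the same listener declared in two sources, plus log paths that reference undefined objects and file destinations that no log path writes to. The sample configuration is constructed from the one quoted above; <code>d_unesp</code>, <code>f_incor</code> and <code>d_incor</code> are hypothetical names, and UDP port 514 is assumed when <code>port()</code> is absent.<br>

```python
import re
from collections import defaultdict

DEF_RE = re.compile(r'\b(source|destination|filter)\s+([\w.-]+)\s*\{(.*?)\}\s*;', re.S)
LOG_RE = re.compile(r'\blog\s*\{(.*?)\}\s*;', re.S)
REF_RE = re.compile(r'\b(source|destination|filter)\s*\(\s*([\w.-]+)\s*\)')
FILE_RE = re.compile(r'\bfile\s*\(\s*"([^"]+)"')

# Constructed sample, modelled on the configuration quoted in the thread.
# d_unesp, f_incor and d_incor are hypothetical names added for illustration.
SAMPLE_CONF = '''
source s_all { internal(); unix-stream("/dev/log"); udp(); };
source net { unix-stream("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); };
destination Cisco7206 { file("/var/log/routers/cisco7206.log" create_dirs(yes)); };
destination d_unesp { file("/var/log/routers/unesp.log"); };
filter Cisco7206 { host("10.0.0.2"); };
log { source(net); filter(Cisco7206); destination(Cisco7206); };
log { source(s_all); filter(f_incor); destination(d_incor); };
'''

def listener_key(stmt):
    """Reduce one source driver statement to 'driver:endpoint', or None."""
    m = re.match(r'\s*(udp|unix-stream|unix-dgram)\s*\((.*)\)\s*$', stmt, re.S)
    if not m:
        return None
    driver, args = m.groups()
    if driver.startswith('unix'):
        path = re.search(r'"([^"]+)"', args)
        return f'{driver}:{path.group(1)}' if path else None
    # Simplification: ip() is ignored; port 514 is assumed when port() is absent.
    port = re.search(r'port\s*\(\s*(\d+)\s*\)', args)
    return f'{driver}:{port.group(1) if port else "514"}'

def lint(conf):
    """Return a list of (finding, detail) tuples for a syslog-ng.conf text."""
    text = re.sub(r'(?m)^\s*#.*$', '', conf)   # strips whole-line comments only
    defs = defaultdict(dict)                    # kind -> name -> body
    for kind, name, body in DEF_RE.findall(text):
        defs[kind][name] = body
    findings = []
    # 1. the same name used for a destination and a filter
    for name in sorted(set(defs['destination']) & set(defs['filter'])):
        findings.append(('name-collision', name))
    # 2. the same listener declared in more than one source
    listeners = defaultdict(list)
    for name, body in defs['source'].items():
        for stmt in body.split(';'):
            key = listener_key(stmt)
            if key:
                listeners[key].append(name)
    for key, names in sorted(listeners.items()):
        if len(names) > 1:
            findings.append(('duplicate-listener', key + ' in ' + ','.join(sorted(names))))
    # 3. log paths that reference objects which are never defined
    used = set()
    for body in LOG_RE.findall(text):
        for kind, name in REF_RE.findall(body):
            if name not in defs[kind]:
                findings.append(('undefined-' + kind, name))
            elif kind == 'destination':
                used.add(name)
    # 4. file destinations that no log path writes to (the file stays stale)
    for name, body in sorted(defs['destination'].items()):
        m = FILE_RE.search(body)
        if m and name not in used:
            findings.append(('unused-file-destination', m.group(1)))
    return findings

if __name__ == '__main__':
    for finding, detail in lint(SAMPLE_CONF):
        print(f'{finding}: {detail}')
```

Running it against the real file (read with <code>open(...).read()</code>) lists which expected .log files have no destination wired into a log path, which is the question asked in the 10/5/2010 reply.<br>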
</body>
</html>