<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#0050D0;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:#0050D0;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:#0050D0;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1027" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=WordSection1>
<p class=MsoNormal><span style='color:#1F497D'>Hello<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Yup, I realized that. I thought
it was supposed to be the ip of the client. So I am using filters to cater for
the different clients..only issue is I will end up with lots of filtering..<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Do you have any example for
logging firewall logs..<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Regards<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> Zoltán Pallagi
[mailto:pzolee@balabit.hu] <br>
<b>Sent:</b> Monday, July 19, 2010 9:39 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing le ist<br>
<b>Cc:</b> Khaleelah Peerbocus<br>
<b>Subject:</b> Re: [syslog-ng] configuring different sources on the syslog-ng
server<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Hi,<br>
<br>
Yes, because 192.168.180.179 seems not to be a real address of your server so
syslog-ng cannot assign the requested address.<br>
Let's see an example:<br>
addresses of your server are the following (in this example your server has two
network cards):<br>
192.168.20.1 (eth0)<br>
10.30.20.1 (eth1)<br>
127.0.0.1 (loopback)<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>source apache_access{tcp(ip("192.168.20.1")
flags(no-parse));</span><o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:#1F497D'>};<br>
<br>
syslog-ng will listen only on eth0:192.168.20.1</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>source apache_access{tcp(ip("10.30.20.1")
flags(no-parse));</span><o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:#1F497D'>};<br>
</span><br>
syslog-ng will listen only on eth1:10.30.20.1<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>source apache_access{tcp(flags(no-parse));</span><o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:#1F497D'>};<br>
</span><br>
syslog-ng will listen on all addresses of your server (eth0:192.168.20.1,
eth1:10.30.20.1, lo:127.0.0.1)<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>source apache_access{tcp(ip("10.10.0.1")
flags(no-parse));</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>};<br>
</span><br>
syslog-ng cannot listen on this address, because it's not an address of the
server, you will receive <span style='color:#1F497D'>"Cannot assign
requested address"</span> error message.<br>
<br>
If you have no specieal reasons to limit it, just don't give "ip()"
option because it is not required (as Patrick wrote)<br>
<br>
2010.07.19. 8:14 keltezéssel, Khaleelah Peerbocus írta: <o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>Still if I wanted to configure a
different source on the syslog-server as below (I will
eventually use filtering if I do not succeed in creating another source)</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>source apache_access{tcp(ip("192.168.180.179")
flags(no-parse));</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>};</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>destination d_apachemssql {</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>pipe("/tmp/apachepipe.pipe"</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>template("INSERT INTO
logapache(datetime,host,program,pid,message)VALUES('$R_DATE','$HOST','$PROGRAM','$PID','$MSGONLY');\n")template-escape(yes)
flags(no-multi-line));</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>};</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>log {</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>
source(apache_access);</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>
destination(d_apachemssql);</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>};</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>I get the following error when
trying to start syslog-ng</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>Error binding socket;
addr='AF_INET(192.168.180.179:3331)', error='Cannot assign requested address
(99)'</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>Error initializing source
driver; source='apache_access', id='apache_access#0'</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>Error initializing message
pipeline;</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<div>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color -moz-use-text-color'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> <a
href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>
[<a href="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</a>]
<b>On Behalf Of </b>Patrick H.<br>
<b>Sent:</b> Monday, July 19, 2010 9:48 AM<br>
<b>To:</b> Syslog-ng users' and develops' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] configuring different sources on the syslog-ng
server</span><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Helvetica","sans-serif"'>Firstly
the "ip()" option of "tcp()" in a "source()" is
not required, it is optional. It specifies the IP address which syslog-ng will
listen on. If not provided, syslog-ng will listen on all interfaces.<br>
Seconly, you do not need a separate source for every client. You can use filter
rules to match on the client's hostname if you need to.<br>
<br>
You might want to go through the administrator's guide, it is an extremely good
documentation source with lots of examples. <a
href="http://www.balabit.com/dl/guides/syslog-ng-ose-v3.1-guide-admin-en.pdf">http://www.balabit.com/dl/guides/syslog-ng-ose-v3.1-guide-admin-en.pdf</a><br>
</span><br>
Sent: Sunday, July 18, 2010 11:28:25 PM<br>
From: Khaleelah Peerbocus <a href="mailto:systems2@maccs.mu"><systems2@maccs.mu></a><br>
To: 'Syslog-ng users' and developers' mailing list' <a
href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a>
<br>
Subject: [syslog-ng] configuring different sources on the syslog-ng server <o:p></o:p></p>
<p class=MsoNormal><span lang=FR>Hello</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>I would like to get some clarification on the
source tag in both syslog client and server.</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>I have different clients hosting apache /
weblogic</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>My Syslog-ng Server has ip 192.x.x.x</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>Apache (client) has ip 192.x.x.1</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>Weblogic (client) has ip 192.x.x.2</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>In all the clients syslog configuration files,
i have added </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>destination apacheaccesslog {</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>tcp("192.x.x.x " port(3331));</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>};</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>destination weblogiclog {</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>tcp("192.x.x.x " port(3332));</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>};</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>My issue is in the syslog-ng server
configuration file, if i add </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>source apache_access {tcp(ip(192.x.x.x)
port(3331));</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>};</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR>Should the ip be the server ip or the client
ip (in this example, i have put the syslog-ng server ip). Does the port number
differentiate the different sources we are receiving the log files ???</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600"
o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f"
stroked="f">
<v:stroke joinstyle="miter" />
<v:formulas>
<v:f eqn="if lineDrawn pixelLineWidth 0" />
<v:f eqn="sum @0 1 0" />
<v:f eqn="sum 0 0 @1" />
<v:f eqn="prod @2 1 2" />
<v:f eqn="prod @3 21600 pixelWidth" />
<v:f eqn="prod @3 21600 pixelHeight" />
<v:f eqn="sum @0 0 1" />
<v:f eqn="prod @6 1 2" />
<v:f eqn="prod @7 21600 pixelWidth" />
<v:f eqn="sum @8 21600 0" />
<v:f eqn="prod @7 21600 pixelHeight" />
<v:f eqn="sum @10 21600 0" />
</v:formulas>
<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect" />
<o:lock v:ext="edit" aspectratio="t" />
</v:shapetype><v:shape id="_x0000_s1026" type="#_x0000_t75" alt="logo-emailsignature.jpg"
style='position:absolute;margin-left:0;margin-top:0;width:60pt;height:75.75pt;
z-index:251658240;mso-wrap-distance-left:9pt;mso-wrap-distance-top:0;
mso-wrap-distance-right:9pt;mso-wrap-distance-bottom:0;
mso-position-horizontal:left;mso-position-horizontal-relative:text;
mso-position-vertical-relative:line' o:allowoverlap="f">
<v:imagedata src="cid:image001.jpg@01CB27E2.A3C8D050" o:title="part1.06090203.07000109@balabit" />
<w:wrap type="square"/>
</v:shape><![endif]--><![if !vml]><img width=80 height=101
src="cid:image001.jpg@01CB27E2.A3C8D050" align=left hspace=12
alt=logo-emailsignature.jpg v:shapes="_x0000_s1026"><![endif]><span
style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>Khaleelah
Peerbocus – Systems Analyst</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>Mauritius Cargo Community Services</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:7.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>Business Registration No.: C08077158</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:7.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>VAT Registration No.: VAT20427044</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:7.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>1<sup>st</sup> Floor, Trade and Marketing Centre, Mer Rouge</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR style='font-size:7.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>Port-Louis, Mauritius</span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR style='font-size:7.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>Tel: +230 206 2970 - Cell: +230 498 7897 Fax: +230 216 8858</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:7.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>Email: </span><span style='color:#1F497D'><a
href="mailto:HDagent6@maccs.mu"><span style='font-size:7.0pt;font-family:"Verdana","sans-serif"'>systems2@maccs.mu</span></a></span><span
style='font-size:7.0pt;font-family:"Verdana","sans-serif";color:#1F497D'> -
Website: </span><span style='color:#1F497D'><a href="http://www.maccs.mu/"><span
style='font-size:7.0pt;font-family:"Verdana","sans-serif"'>http://www.maccs.mu</span></a></span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:7.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span lang=FR> </span><o:p></o:p></p>
<pre> <o:p></o:p></pre><pre style='text-align:center'><o:p> </o:p></pre><pre
style='text-align:center'>
<hr size=4 width="90%" align=center>
</pre><pre style='text-align:center'><o:p> </o:p></pre><pre
style='text-align:center'><o:p> </o:p></pre><pre style='text-align:center'> <o:p></o:p></pre><pre> <o:p></o:p></pre><pre>______________________________________________________________________________<o:p></o:p></pre><pre>Member info: <a
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><o:p></o:p></pre><pre>Documentation: <a
href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a><o:p></o:p></pre><pre>FAQ: <a
href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a><o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>______________________________________________________________________________<o:p></o:p></pre><pre>Member info: <a
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><o:p></o:p></pre><pre>Documentation: <a
href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a><o:p></o:p></pre><pre>FAQ: <a
href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:12.0pt;
font-family:"Times New Roman","serif";color:black'><o:p> </o:p></span></p>
<div>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif";
color:black'>-- <br>
pzolee<o:p></o:p></span></p>
</div>
</div>
</body>
</html>