<br>Yea I created a catch all log statement and it turns out even though Im specifying kern.crit to logger is coming accross as user.crit.. Looking into this now.<br><br>Thx,<br>CC<br><br><div class="gmail_quote">On Wed, Jul 21, 2010 at 10:42 AM, Patrick H. <span dir="ltr"><<a href="mailto:syslogng@feystorm.net">syslogng@feystorm.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#0050d0">
<font size="-1"><font face="Helvetica, Arial, sans-serif">Are you sure
there's not something else going on? Try removing the filter just to
test and make sure its getting anything<br>
</font></font><div class="im"><font color="#990000"><span style="font-family: courier new,monospace;">processed='source(s_streams)=<b>26</b>'</span></font><br>
<br></div>
Sent: Wednesday, July 21, 2010 11:35:13 AM<br>
From: Me <a href="mailto:infosec@gmail.com" target="_blank"><infosec@gmail.com></a><br>
To: <a href="mailto:chuck.carson@gmail.com" target="_blank">chuck.carson@gmail.com</a>, Syslog-ng users' and developers' mailing
list <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank"><syslog-ng@lists.balabit.hu></a> <br>
Subject: Re: [syslog-ng] Messages Not Getting Logged
<div><div></div><div class="h5"><blockquote type="cite">
<pre>I use a local source like this:
source local {
sun-streams("/dev/log");
udp(ip(0.0.0.0) port(514));
internal();
};
Seems that at some point I started leaving off the "door" part. My
version control logs don't specify why, bummer. Give it a shot like
that.
I don't know if I ever got my solaris boxes onto syslog-ng version 3.x
though. Give this a quick shot and see if it makes things any better
with your version.
On Wed, Jul 21, 2010 at 10:28 AM, Chuck <a href="mailto:chuck.carson@gmail.com" target="_blank"><chuck.carson@gmail.com></a> wrote:
</pre>
<blockquote type="cite">
<pre>Thanks for pointing that out.. I did find the correct door file:
Drw-r--r-- 1 root root 0 Jul 21 09:36 /var/run/syslog_door
I fixed the config and bounced syslog-ng but still not getting any log
messages.. Looking at the stats I do see where there are logs coming from
the internal() source:
'source(s_internal)=6', processed='center(queued)=0',
processed='destination(l_internal)=6'
Jul 21 09:34:56 asglogpup01 syslog-ng[8865]: Log statistics;
processed='center(received)=0', processed='destination(l_messages)=0',
processed='source(s_streams)=26', processed='src.internal(s_internal#0)=8',
stamp='src.internal(s_internal#0)=1279729796',
processed='source(s_internal)=8', processed='center(queued)=0',
processed='destination(l_internal)=8'
Anyone have any ideas?
Thx,
CC
On Wed, Jul 21, 2010 at 9:29 AM, Patrick H. <a href="mailto:syslogng@feystorm.net" target="_blank"><syslogng@feystorm.net></a> wrote:
</pre>
<blockquote type="cite">
<pre>I had to set up some solaris boxes several months ago with syslog and had
trouble getting the exact config as well. Unfortunately those boxes are now
gone so I cant pull the configuration off them, but I do know that
/etc/.syslog_door was not the door file. I believe it was
/var/run/syslog_door
Sent: Wednesday, July 21, 2010 10:11:41 AM
From: Chuck <a href="mailto:chuck.carson@gmail.com" target="_blank"><chuck.carson@gmail.com></a>
To: Syslog-ng users' and developers' mailing list
<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank"><syslog-ng@lists.balabit.hu></a>
Subject: [syslog-ng] Messages Not Getting Logged
Hello,
I am using the sunfreeware build of syslog-ng 3.04 on a Solaris 10 Update
8 system:
syslog-ng 3.0.4
Revision:
<a href="mailto:ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master%231b5d618e301ad94aa20e692ffba16469dece8d10" target="_blank">ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master#1b5d618e301ad94aa20e692ffba16469dece8d10</a>
Compile-Date: Sep 2 2009 05:14:23
Enable-Threads: off
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: on
Enable-Sun-Door: on
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: off
Enable-Linux-Caps: off
Enable-Pcre: on
My internal() source is working but the sun-streams source is not.
Here are my options:
options {
use_fqdn(no);
flush_lines(0);
dir_perm(0755);
dir_group(sysadmin);
dir_owner(root);
perm(0644);
stats_freq(300);
use_dns(no);
create_dirs(yes);
time_reopen(10);
};
Here are my sources:
source s_internal { internal(); };
source s_udp { udp(); };
source s_tcp { tcp(); };
source s_streams { sun-streams ("/dev/log"
door("/etc/.syslog_door")); };
Here are my filters so far:
# Level Filters
filter f_emerg { level (emerg); };
filter f_alert { level (alert .. emerg); };
filter f_crit { level (crit .. emerg); };
filter f_err { level (err .. emerg); };
filter f_warning { level (warning .. emerg); };
filter f_notice { level (notice .. emerg); };
filter f_info { level (info .. emerg); };
filter f_debug { level (debug .. emerg); };
# Facility Filters
filter f_kern { facility (kern); };
filter f_user { facility (user); };
filter f_mail { facility (mail); };
filter f_daemon { facility (daemon); };
filter f_auth { facility (auth); };
filter f_syslog { facility (syslog); };
filter f_lpr { facility (lpr); };
filter f_news { facility (news); };
filter f_uucp { facility (uucp); };
filter f_cron { facility (cron); };
filter f_local0 { facility (local0); };
filter f_local1 { facility (local1); };
filter f_local2 { facility (local2); };
filter f_local3 { facility (local3); };
filter f_local4 { facility (local4); };
filter f_local5 { facility (local5); };
filter f_local6 { facility (local6); };
filter f_local7 { facility (local7); };
Here are my destinations so far:
# Destinations: local files, the console, and the client files
destination l_internal { file ("/var/adm/syslog-ng"); };
destination l_authlog { file ("/var/log/authlog"); };
destination l_messages { file ("/var/log/messages"); };
destination l_maillog { file ("/var/log/maillog"); };
destination l_ipflog { file ("/var/log/ipflog"); };
destination l_imaplog { file ("/var/log/imaplog"); };
destination l_syslog { file ("/var/log/syslog"); };
destination l_console { file ("/dev/console"); };
Here are my log statements:
log { source (s_internal); destination (l_internal); }; # <==== this
one is working
log { source (s_streams); filter (f_kern); filter (f_debug);
destination (l_messages); }; #<====== this on is not working
I have tried the following logger tests and am not getting anything
logged:
logger -p kern.debug "some message"
logger -p kern.crit "some message"
logger -p <a href="http://kern.info" target="_blank">kern.info</a> "some message"
I have restarted syslog-ng and ensured that it is using my most recent
syslog-ng.conf file.
Thanks for any help,
CC
________________________________
______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation:
<a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a>
______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation:
<a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
<pre>______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation:
<a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
<pre>______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
</div></div></div>
</blockquote></div><br>