<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#0050d0">
<font size="-1"><font face="Helvetica, Arial, sans-serif">You are
rewriting the outgoing destination format from the 'central' server
"udp(... template(...))". The receiving end probably does not like
this. Take out the template and see if it works. Also might just be a
copy-paste error, but you have no closing bracket for the source in
your 'tcim server' config.<br>
The easiest way to figure whats going on would probably be to just
launch syslog-ng in debug mode and look at all the messages it spits
out to see where the lines are getting dropped.<br>
<br>
-Patrick<br>
</font></font><br>
Sent: Wed Sep 29 2010 21:43:37 GMT-0600 (Mountain Daylight Time)<br>
From: anushri kannu <a class="moz-txt-link-rfc2396E" href="mailto:svanushri0514@gmail.com"><svanushri0514@gmail.com></a><br>
To: <a class="moz-txt-link-abbreviated" href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a> <br>
Subject: [syslog-ng] syslog-ng issue
<blockquote
cite="mid:AANLkTimNh=LUqvGbe3t5uMipehH2F5P8NEzxTfDnUQiA@mail.gmail.com"
type="cite">Hi Every one,<br>
<br>
<br>
I am new to concept of syslog-ng configuration.<br>
<br>
Already syslog-ng configured in linux server<br>
<br>
<br>
We have 6 syslog-ng server <br>
<br>
4 location syslog-ng server receives logs from all the syslog client
.. working fine<br>
1 centralized syslog-ng (server receives log from 4 locations .......
working fine<br>
1 we have tcim syslog-ng server receives logs from centralized
syslog-ng server... it was working before for both solaris and linux .
Now suddenly not collecting logs only for linux. No changes were made.<br>
<br>
<br>
<br>
Centalized syslog-ng configuration file <br>
<br>
options {<br>
log_fifo_size(8192);<br>
create_dirs(yes);<br>
group(sysgrp);<br>
dir_group(sysgrp);<br>
dir_perm(0750);<br>
perm(0440);<br>
chain_hostnames(no);<br>
keep_hostname(yes);<br>
stats(3600);<br>
use_fqdn(yes);<br>
use_time_recvd(yes);<br>
};<br>
<br>
<br>
Standard filters <br>
# Level Filters<br>
filter f_emerg { level (emerg); };<br>
filter f_alert { level (alert .. emerg); };<br>
filter f_crit { level (crit .. emerg); };<br>
filter f_err { level (err .. emerg); };<br>
filter f_warning { level (warning .. emerg); };<br>
filter f_notice { level (notice .. emerg); };<br>
filter f_info { level (info .. emerg); };<br>
filter f_debug { level (debug .. emerg); };<br>
<br>
# Facility Filters<br>
filter f_kern { facility (kern); };<br>
filter f_user { facility (user); };<br>
filter f_mail { facility (mail); };<br>
filter f_daemon { facility (daemon); };<br>
filter f_auth { facility (auth); };<br>
filter f_authpriv { facility (authpriv); };<br>
filter f_syslog { facility (syslog); };<br>
filter f_lpr { facility (lpr); };<br>
filter f_news { facility (news); };<br>
filter f_uucp { facility (uucp); };<br>
<br>
<br>
filter f_os_unix {<br>
not program(EvntSLog)<br>
and not program(NetScreen)<br>
and not match ("NetScreen device_id")<br>
and not match ("%AAA-")<br>
and not match ("%AUTH-")<br>
and not match ("%AUTHPRIV-")<br>
and not match ("%CALLHOME-")<br>
and not match ("%CDP-")<br>
and not match ("%EARL-")<br>
and not match ("%FILESYS-")<br>
and not match ("%IMAGE_DNLD-SLOT")<br>
and not match ("%IP-")<br>
and not match ("%KERN-")<br>
and not match ("%LICMGR-")<br>
and not match ("%LINEPROTO-")<br>
and not match ("%LINK-")<br>
and not match ("%MCAST-")<br>
and not match ("%MODULE-")<br>
and not match ("%OSPF-")<br>
and not match ("%PLATFORM-")<br>
and not match ("%PRUNING-")<br>
and not match ("%PORT-")<br>
and not match ("%SPANTREE-")<br>
and not match ("%SYS-")<br>
and not match ("%UDLD-")<br>
and not match ("%VSHD-")<br>
source s_local {<br>
unix-stream("/dev/log");<br>
udp(ip(0.0.0.0) port(514));<br>
tcp(ip(0.0.0.0) port(5149) max-connections(333));<br>
internal();<br>
pipe("/proc/kmsg");<br>
};<br>
<br>
destination dl_hosts-unix {<br>
file("/var/log/syslog-ng/hosts-unix/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.$LEVEL");<br>
};<br>
<br>
log {<br>
source(s_local);<br>
filter(f_os_unix);<br>
###not filter(f_os_switch);<br>
destination(dl_hosts-unix);<br>
};<br>
<br>
destination dl_tcim {<br>
udp("10.230.148.18" port(514) template("<$PRI> $DATE $HOST
$MESSAGE\r\n"));<br>
};<br>
log {<br>
source(s_local);<br>
destination(dl_tcim);<br>
};<br>
<br>
<br>
<br>
<br>
tcim server configurarion file.<br>
<br>
options {<br>
sync (0);<br>
time_reopen (10);<br>
log_fifo_size (1000);<br>
long_hostnames (off);<br>
# use_dns (no);<br>
use_dns (yes);<br>
use_fqdn (no);<br>
create_dirs (no);<br>
keep_hostname (yes);<br>
};<br>
<br>
source src {<br>
udp();<br>
tcp(port(514) keep-alive(yes));<br>
<br>
<br>
filter f_lnx_hosts {<br>
host("amex") or<br>
host("green") or<br>
host("sa") or<br>
host("yellow") or<br>
host("urinf01") or<br>
etc..;<br>
..<br>
..<br>
.<br>
};<br>
destination d_lnx {<br>
file("/var/log/tcim/$HOST/syslog-$YEAR-$MONTH-$DAY.log"<br>
template("<$PRI>$DATE $HOST $MSG\n")<br>
create_dirs(yes)<br>
owner(svc-tcim)<br>
group(users)<br>
perm(0660)<br>
dir_owner(svc-tcim)<br>
dir_group(users)<br>
dir_perm(0770)<br>
);<br>
};<br>
<br>
log { source(src); filter(f_lnx_hosts); destination(d_lnx); };<br>
<br>
<br>
<br>
<br>
<br>
<br>
I did try below command in TCIM server to check the comunication
between centralized syslog-ng serer and tcim server<br>
<br>
tcpdump -nn -tp -port 514.. <br>
<br>
IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 375<br>
IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 193<br>
IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 638<br>
IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 638<br>
<br>
1740 packets captured<br>
1740 packets received by filter<br>
0 packets dropped by kernel<br>
<br>
Packets are getting from centralised log server. <br>
<br>
Do not know where the mistake is.<br>
<br>
Please help to resolve this issue.<br>
<br>
<br>
<br>
<pre wrap="">
<hr size="4" width="90%">
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
</body>
</html>