<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#0050d0">
(Resending, msg was too big for mailing list)<br>
<br>
No, you don't have to have a similar filter in each. Just saying the
message would have gotten to the server, then been filtered. But with
that new setting, it should be working. The line should end up in
/usr/local/icinga/var/rw/syslog-ng.pipe. With all the changes, maybe
you could repost the configs again, but as it is, I'm out of ideas
(as far as it being syslog-ng, could still be firewall, network, or
whatever it is that reads that pipe).<br>
<br>
-Patrick<br>
<br>
<br>
Sent: Mon Sep 19 2011 16:03:31 GMT-0600 (MST)<br>
From: rek2 <a class="moz-txt-link-rfc2396E"
href="mailto:rek2gnulinux@gmail.com">&lt;rek2gnulinux@gmail.com&gt;</a><br>
To: Patrick H. <a class="moz-txt-link-rfc2396E"
href="mailto:syslogng@feystorm.net">&lt;syslogng@feystorm.net&gt;</a>
<a class="moz-txt-link-abbreviated"
href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a><br>
Subject: Re: [syslog-ng] Problem sending logs to central log
server..
<blockquote
cite="mid:CAL+4sRLqOyZsVN4fN66i539gUG5B7QUQa8SXLxAAFG=u+SCKEw@mail.gmail.com"
type="cite">
<div>I have this on my server that included "notice"</div>
<div><br>
</div>
<div><br>
</div>
<div>filter f_at_least_warn {</div>
<div># level(warn..emerg);</div>
<div># level(notice..emerg);</div>
<div> level(info, notice, warn, crit, err, debug);</div>
<div>};</div>
<div><br>
</div>
<div><br>
</div>
<div>and this on my client:</div>
<div><br>
</div>
<div>
<div>#sent to our central log server running eventdb #cfernandez</div>
<div>destination loghost { udp("192.168.xxx.xxx" port(514)); };</div>
<div>log { source(src); filter(f_info); destination(loghost); };</div>
<div>log { source(src); filter(f_emergency);
destination(loghost); };</div>
<div>log { source(src); filter(f_notice); destination(loghost);
};</div>
<div> log { source(src); filter(f_warn); destination(loghost);
};</div>
<div>log { source(src); filter(f_crit); destination(loghost); };</div>
<div>log { source(src); filter(f_err); destination(loghost); };</div>
</div>
<div><br>
</div>
<div>that also includes notice..</div>
<div><br>
</div>
<br>
<div class="gmail_quote">2011/9/19 rek2 <span dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:rek2gnulinux@gmail.com">rek2gnulinux@gmail.com</a>&gt;</span><br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;"> Oh sorry, I'm used to lists that will reply
by default to the list. Sorry about that..
<div>I think I get what you mean..</div>
<div>so in the clients and in the server log I have to have
similar filters ?</div>
<div><br>
</div>
<div> Thanks
<div>
<div class="h5"><br>
<br>
<div class="gmail_quote">2011/9/19 Patrick H. <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:syslogng@feystorm.net"
target="_blank">syslogng@feystorm.net</a>&gt;</span><br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt
0pt 0.8ex; border-left: 1px solid rgb(204, 204,
204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#0050d0"> Seriously,
don't remove the mailing list from the recipients.
Others may catch things I miss, or I might be gone
for a while, but someone else is around.<br>
<br>
That filter you have only logs warning through
emerg, while by default logger uses notice, which
is below warning.<br>
<br>
<br>
-Patrick<br>
<br>
<br>
<br>
Sent: Mon Sep 19 2011 15:26:05 GMT-0600 (MST)
<div>
<div><br>
From: rek2 <a moz-do-not-send="true"
href="mailto:rek2gnulinux@gmail.com"
target="_blank">&lt;rek2gnulinux@gmail.com&gt;</a><br>
To: Patrick H. <a moz-do-not-send="true"
href="mailto:syslogng@feystorm.net"
target="_blank">&lt;syslogng@feystorm.net&gt;</a>
<br>
Subject: Re: [syslog-ng] Problem sending logs
to central log server..
<blockquote type="cite">Oops! I forgot to
uncomment that as well, sorry.. so basically
do I have everything else ok?
<div>the thing is also that after I migrated
to syslog-ng in the BSD things are not
logging to their place</div>
<div>in /var/log either, I'm getting most of
the stuff on the /var/log/syslog even though
as you can see in my other emails the
default config already defines the
destinations for auth etc...<br>
<br>
<div class="gmail_quote">2011/9/19 Patrick
H. <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:syslogng@feystorm.net"
target="_blank">syslogng@feystorm.net</a>&gt;</span><br>
<blockquote class="gmail_quote"
style="margin: 0pt 0pt 0pt 0.8ex;
border-left: 1px solid rgb(204, 204,
204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#0050d0">
Don't forget to leave the mailing
list on the list of recips :-)<br>
<br>
Anyway, it's still commented out in
your log {} block. If the log block
has no source, it won't log anything.
<div><br>
<div>log {</div>
<div># source(src_eventdb);</div>
<div> filter(f_at_least_warn);</div>
<div># filter(f_syslog);</div>
<div> destination(d_eventdb);</div>
<div>};<br>
<br>
</div>
<br>
</div>
-Patrick<br>
<br>
<br>
<br>
Sent: Mon Sep 19 2011 14:43:08
GMT-0600 (MST)
<div><br>
From: rek2 <a
moz-do-not-send="true"
href="mailto:rek2gnulinux@gmail.com"
target="_blank">&lt;rek2gnulinux@gmail.com&gt;</a><br>
</div>
To: Patrick H. <a
moz-do-not-send="true"
href="mailto:syslogng@feystorm.net"
target="_blank">&lt;syslogng@feystorm.net&gt;</a>
<br>
Subject: Re: [syslog-ng] Problem
sending logs to central log server..
<div>
<div>
<blockquote type="cite">Hi
Patrick, thanks for your
reply, yes, you're right, sorry, I
did the copy and paste before
I uncommented some lines since
I'm testing here and there..
<div><br>
</div>
<div>this is how I have it
now.. the last part:</div>
<div><br>
</div>
<div> #syslog-ng2mysql
destinations
<div><br>
</div>
<div>source src_eventdb {</div>
<div>
unix-stream("/dev/log");</div>
<div> udp(ip(0.0.0.0)
port(514));</div>
<div>};</div>
<div><br>
</div>
<div>destination d_eventdb {</div>
<div> pipe(</div>
<div>
"/usr/local/icinga/var/rw/syslog-ng.pipe",</div>
<div>
template("$HOST\t$SOURCEIP\t$PRI\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n")</div>
<div>
template_escape(no)</div>
<div> );</div>
<div>};</div>
<div><br>
</div>
<div>filter f_at_least_warn
{</div>
<div>#
level(warn..emerg);</div>
<div>#
level(notice..emerg);</div>
<div> level(info,
notice, warn, crit, err,
debug);</div>
<div>};</div>
<div><br>
</div>
<div>log {</div>
<div>#
source(src_eventdb);</div>
<div>
filter(f_at_least_warn);</div>
<div># filter(f_syslog);</div>
<div>
destination(d_eventdb);</div>
<div>};</div>
<div><br>
</div>
<div>#log {</div>
<div>#
source(src_eventdb);</div>
<div>#
filter(f_auth);</div>
<div>#
destination(d_eventdb);</div>
<div>#};</div>
<div><br>
</div>
<br>
<div class="gmail_quote">2011/9/19
Patrick H. <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:syslogng@feystorm.net" target="_blank">syslogng@feystorm.net</a>&gt;</span><br>
<blockquote
class="gmail_quote"
style="margin: 0pt 0pt
0pt 0.8ex; border-left:
1px solid rgb(204, 204,
204); padding-left:
1ex;">
<div bgcolor="#ffffff"
text="#0050d0"> In
your server config,
the only listener you
have on udp port 514
is defined in
src_eventdb, and all
src_eventdb entries
are commented out.<br>
<br>
-Patrick<br>
<br>
<br>
Sent: Mon Sep 19 2011
11:40:15 GMT-0600
(MST)<br>
From: rek2 <a
moz-do-not-send="true"
href="mailto:rek2gnulinux@gmail.com" target="_blank">&lt;rek2gnulinux@gmail.com&gt;</a><br>
To: <a
moz-do-not-send="true"
href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a>
<br>
Subject: [syslog-ng]
Problem sending logs
to central log
server..
<blockquote
type="cite">
<div>
<div>Hello, I'm
trying to send
all my logs from
one OpenBSD
server with
syslog-ng to a
Linux Ubuntu
central log
server also with
syslog-ng of
course but only
the syslog-ng
logs are being
logged..
<div>also when I
do a "logger
test" for
example it
gets logged
locally but
not remotely
to the log
server...</div>
<div>here are my
configs:</div>
<div><br>
</div>
<div>for the log
server is
basically the
default of
Ubuntu with my
additions at
the end.. you
will see</div>
<div>some
commented is
me trying to
fix this
issue.</div>
&lt;SNIP&gt;<br>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
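<br>
Added example, not part of the original thread or of the syslog-ng project: a small Python check for the two faults diagnosed above, a log path with no active source() and a level() filter that excludes the notice severity logger uses by default. The function names are hypothetical, the config is an excerpt of the server config quoted in the thread, and the parser assumes flat log { } blocks with no nested braces and no '#' inside quoted strings.<br>
<pre>
```python
import re

# syslog-ng severities, least to most severe.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning"}  # short form used in the thread's filters

# Excerpt of the server config quoted in the thread (source still commented out).
SERVER_CONF = """
source src_eventdb {
    unix-stream("/dev/log");
    udp(ip(0.0.0.0) port(514));
};
log {
#    source(src_eventdb);
    filter(f_at_least_warn);
    destination(d_eventdb);
};
"""

def strip_comments(conf):
    """Drop '#' comments. Assumption: no '#' appears inside quoted strings."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def rank(name):
    """Position of a severity name in LEVELS (higher is more severe)."""
    name = name.strip().lower()
    return LEVELS.index(ALIASES.get(name, name))

def level_passes(expr, severity):
    """True if severity matches a level() argument: 'a..b' ranges and/or a comma list."""
    sev = rank(severity)
    for part in expr.split(","):
        lo, _, hi = part.partition("..")
        a, b = rank(lo), rank(hi or lo)
        if min(a, b) <= sev <= max(a, b):
            return True
    return False

def log_paths_without_source(conf):
    """Bodies of active log { } paths that reference no source() at all."""
    bodies = re.findall(r"\blog\s*\{(.*?)\}\s*;", strip_comments(conf), re.S)
    return [" ".join(b.split()) for b in bodies
            if not re.search(r"\bsource\s*\(", b)]

if __name__ == "__main__":
    for body in log_paths_without_source(SERVER_CONF):
        print("log path with no source():", body)
    for expr in ("warn..emerg", "notice..emerg"):
        print("level(%s) passes notice: %s" % (expr, level_passes(expr, "notice")))
```
</pre>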
</body>
</html>