<div dir="ltr">Hi ,<div>I have used same configuration as you have sent ,</div><div>client IP:- 192.168.122.61</div><div>central server IP:- 192.168.122.184</div><div>my Client configuration file:-</div><div><br></div><div><div>@version:3.13</div><div>@include "scl.conf"</div><div><br></div><div># syslog-ng configuration file.</div><div>#</div><div># This should behave pretty much like the original syslog on RedHat. But</div><div># it could be configured a lot smarter.</div><div>#</div><div># See syslog-ng(8) and syslog-ng.conf(5) for more information.</div><div>#</div><div># Note: it also sources additional configuration files (*.conf)</div><div># located in /etc/syslog-ng/conf.d/</div><div><br></div><div>options {</div><div> flush_lines (0);</div><div> time_reopen (10);</div><div> log_fifo_size (1000);</div><div> chain_hostnames (off);</div><div> use_dns (no);</div><div> use_fqdn (no);</div><div> create_dirs (no);</div><div> keep_hostname (yes);</div><div>};</div><div><br></div><div>source s_sys {</div><div> system();</div><div> internal();</div><div> # udp(ip(0.0.0.0) port(514));</div><div>};</div><div><br></div><div>destination d_cons { file("/dev/console"); };</div><div>destination d_mesg { file("/var/log/messages"); };</div><div>destination d_auth { file("/var/log/secure"); };</div><div>destination d_mail { file("/var/log/maillog" flush_lines(10)); };</div><div>destination d_spol { file("/var/log/spooler"); };</div><div>destination d_boot { file("/var/log/boot.log"); };</div><div>destination d_cron { file("/var/log/cron"); };</div><div>destination d_kern { file("/var/log/kern"); };</div><div>destination d_mlal { usertty("*"); };</div><div><br></div><div>filter f_kernel { facility(kern); };</div><div>filter f_default { level(info..emerg) and</div><div> not (facility(mail)</div><div> or facility(authpriv) </div><div> or facility(cron)); };</div><div>filter f_auth { facility(authpriv); };</div><div>filter f_mail { facility(mail); };</div><div>filter f_emergency 
{ level(emerg); };</div><div>filter f_news { facility(uucp) or</div><div> (facility(news) </div><div> and level(crit..emerg)); };</div><div>filter f_boot { facility(local7); };</div><div>filter f_cron { facility(cron); };</div><div><br></div><div>#log { source(s_sys); filter(f_kernel); destination(d_cons); };</div><div>log { source(s_sys); filter(f_kernel); destination(d_kern); };</div><div>log { source(s_sys); filter(f_default); destination(d_mesg); };</div><div>log { source(s_sys); filter(f_auth); destination(d_auth); };</div><div>log { source(s_sys); filter(f_mail); destination(d_mail); };</div><div>log { source(s_sys); filter(f_emergency); destination(d_mlal); };</div><div>log { source(s_sys); filter(f_news); destination(d_spol); };</div><div>log { source(s_sys); filter(f_boot); destination(d_boot); };</div><div>log { source(s_sys); filter(f_cron); destination(d_cron); };</div><div><br></div><div><br></div><div># Source additional configuration files (.conf extension only)</div><div>@include "/etc/syslog-ng/conf.d/*.conf"</div><div><br></div><div><br></div><div># vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:</div><div>#</div><div><br></div><div><br></div><div><br></div><div>source s_apache {</div><div> wildcard-file(</div><div> base-dir("/var/log/httpd/")</div><div> filename-pattern("*access_*")</div><div> flags(no-parse)</div><div> )</div><div><br></div><div><br></div><div>destination d_central {</div><div> network("192.168.122.184" port(udp))</div><div>}</div><div><br></div><div><br></div><div>log {</div><div> source(s_apache)</div><div> destination(d_central)</div><div>}</div></div><div><br></div><div>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>ERROR<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<</div><div>If I am starting syslog-ng then ,its showing below error</div><div><br></div><div><br></div><div><div>[root@master syslog-ng]# service syslog-ng start</div><div>Error parsing source, syntax error, unexpected KW_DESTINATION, expecting ';' in 
/etc/syslog-ng/syslog-ng.conf at line 83, column 1:</div><div><br></div><div>destination d_central {</div><div>^^^^^^^^^^^</div><div><br></div><div>syslog-ng documentation: <a href="https://www.balabit.com/support/documentation?product=syslog-ng-ose">https://www.balabit.com/support/documentation?product=syslog-ng-ose</a></div><div>contact: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a></div><div>[root@master syslog-ng]# </div><div><br></div></div><div><br></div><div>So,Please help to configure client and central server.</div><div><br></div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div><b><font color="#0000ff"><i>Thanks & Regards </i></font>:-<br></b></div><b>VINOD SINGH SAUD<br></b></div><div><b>(M):- 09718663552<br></b></div><div><b><font color="#00ff00">(W):-09997645597</font><br></b></div><div><b>(E) :- <a href="mailto:vinod.samant.123@gmail.com" target="_blank">vinod.samant.123@gmail.com</a><br></b></div></div></div></div></div></div>
<br><div class="gmail_quote">On Mon, May 7, 2018 at 7:30 PM, Gergely Nagy <span dir="ltr"><<a href="mailto:algernon@balabit.com" target="_blank">algernon@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Hi!<br>
<br>
>>>>> "vinod" == vinod samant <<a href="mailto:vinod.samant.123@gmail.com">vinod.samant.123@gmail.com</a>> writes:<br>
<br>
</span> vinod> 1.first one is using command yum install syslog-ng , and it has been<br>
vinod> installed ,if this way is right then what will be the client and server<br>
vinod> side configuration,Suppose<br>
<br>
The client should be configured to read the logs, the server to accept<br>
them and put them where you want 'em. See below for two simple examples.<br>
<br>
vinod> apache writing custom log on<br>
vinod> /usr/local/apache/logs/xyz_<wbr>access_2018-05-07.log ,Client IP:- 10.10.64.1<br>
vinod> ,server IP:- 10.10.64.100.<br>
<br>
It looks like you're using files with dates in them, so you'll need a<br>
wildcard source. Something along these lines may serve as a starting<br>
point:<br>
<br>
------------------------- * -------------------------<br>
<br>
# client config<br>
<br>
@version: 3.15<br>
<br>
source s_apache {<br>
wildcard-file(<br>
base-dir("/usr/local/apache/<wbr>logs");<br>
filename-pattern("*_access_*.<wbr>log");<br>
flags(no-parse);<br>
);<br>
};<br>
<br>
destination d_central {<br>
network("10.0.0.1" port(1234));<br>
};<br>
<br>
log {<br>
source(s_apache);<br>
destination(d_central);<br>
};<br>
<br>
------------------------- * -------------------------<br>
<br>
# server config<br>
<br>
@version: 3.15<br>
<br>
source s_network {<br>
network(port(1234));<br>
};<br>
<br>
destination d_all {<br>
file("/var/log/all.log" template("${MSG}\n"));<br>
};<br>
<br>
log {<br>
source(s_network);<br>
destination(d_all);<br>
};<br>
<br>
------------------------- * -------------------------<br>
<br>
If you want to have the same filename on the server side, that becomes a<br>
bit less trivial, but still doable. You'll have to transfer the filename<br>
too, and extract it on the server side.<br>
<br>
This should be doable, because the ${FILE_NAME} macro on the client<br>
contains the file a log line was read from, you can put this into the<br>
message sent to the server, where it can be extracted and used to<br>
construct the file the message gets saved to.<br>
<br>
The following thread might be of use if you want to go down this path:<br>
<a href="https://lists.balabit.hu/pipermail/syslog-ng/2015-March/021906.html" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>pipermail/syslog-ng/2015-<wbr>March/021906.html</a><br>
<br>
I also recommend reading - or at least browsing the relevant parts of -<br>
the syslog-ng administrator's guide. It has a lot of helpful information<br>
about the configuration file syntax, options, and whatnot:<br>
<a href="https://syslog-ng.com/documents/html/syslog-ng-ose-3.14-guides/en/syslog-ng-ose-guide-admin/html/index.html" rel="noreferrer" target="_blank">https://syslog-ng.com/<wbr>documents/html/syslog-ng-ose-<wbr>3.14-guides/en/syslog-ng-ose-<wbr>guide-admin/html/index.html</a><br>
<br>
vinod> 2. Second i have downloaded tar.gz file from github and trying to install<br>
vinod> ,But i am facing lots of dependency problem.<br>
<br>
vinod> Can you explain difference between both way installation which i am trying<br>
vinod> ?<br>
<br>
If you install from a binary package, you won't have to compile<br>
anything. But you are limited to the version of syslog-ng your<br>
distribution ships with (unless you use a third-party repository, which<br>
you don't appear to be using). When compiling from source, you'll need<br>
plenty of development tools - I'd recommend checking out the<br>
docker-based building solution Laszlo Budai mentioned in his reply:<br>
<a href="https://github.com/balabit/syslog-ng/blob/master/dbld/images/centos6.dockerfile" rel="noreferrer" target="_blank">https://github.com/balabit/<wbr>syslog-ng/blob/master/dbld/<wbr>images/centos6.dockerfile</a><br>
<br>
This should make it a *lot* easier to compile from source, as it has all<br>
the dependencies already installed. There are some notes on how to use<br>
the Dockerfile here:<br>
<a href="https://github.com/balabit/syslog-ng/tree/master/dbld" rel="noreferrer" target="_blank">https://github.com/balabit/<wbr>syslog-ng/tree/master/dbld</a><br>
<br>
The main difference between source and binary package is like the<br>
difference between a recipe and a finished dish: if you have the recipe<br>
(source), the ingredients and tools (dependencies, compiler, etc), then<br>
you can cook the dish (binary package). Or you can order (download) the<br>
finished food (binary package), where someone else did the cooking for<br>
you. :)<br>
<span class="HOEnZb"><font color="#888888"><br>
-- <br>
|8]<br>
</font></span></blockquote></div><br></div>
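An added example, not part of the original message or the quoted reply: the client section appended at the end of the configuration above, with every statement terminated so the parser no longer reaches `destination` while still inside `source s_apache`. The `transport("tcp")` setting and port 1234 are assumptions taken from the server example in the quoted reply, where `network(port(1234))` listens with the default TCP transport.

```conf
# Added example: corrected form of the section appended to the client's
# /etc/syslog-ng/syslog-ng.conf (client 192.168.122.61, server 192.168.122.184).

source s_apache {
    wildcard-file(
        base-dir("/var/log/httpd/")
        filename-pattern("*access_*")
        flags(no-parse)
    );      # the driver statement ends with ';'
};          # the source block is closed before the next statement starts

destination d_central {
    # Assumption: the server listens as in the quoted server example,
    # network(port(1234)), which is TCP on port 1234. The protocol is set
    # with transport(); port() only accepts a port number.
    network("192.168.122.184" transport("tcp") port(1234));
};

log {
    source(s_apache);
    destination(d_central);
};
```

Running `syslog-ng --syntax-only` checks the file for parse errors without starting the daemon.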