<div dir="auto">/var/log/messages </div><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 6, 2018, 9:50 AM Sandor Geller <<a href="mailto:sandor.geller@ericsson.com">sandor.geller@ericsson.com</a> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_-2743256449419163976moz-cite-prefix">Hello,<br>
<br>
On 11/06/2018 01:57 PM, Rodney Bizzell wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">If you look to the bottom of the config, I have made
changes to source(sys), pointing it to my graylog server. I am
reading through the documentation, and I am thinking that should send
the logs to the graylog server. I am just asking; I apologize if I
am making assumptions. The documentation isn't always clear, so
I am just asking: if I want to send /var/logs to my graylog
server, do I need to add a new source for var log?</div>
</blockquote>
<br>
There is no such thing as /var/logs; please be much more precise. It
doesn't make any sense to read back the contents of files written by
syslog-ng itself; such potential logging loops should get avoided
anyway. If you've got additional stuff under /var/log (some apps
could log there directly), then you can add these files as sources to
be processed by syslog-ng. Your current configuration doesn't
contain such source definitions.<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div> <span>options {</span></div>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>flush_lines
(0);</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>time_reopen
(10);</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>log_fifo_size
(250000);</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>chain_hostnames
(off);</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>use_dns
(no);</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>use_fqdn
(no);</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>create_dirs
(no);</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>keep_hostname
(yes);</p>
<p class="m_-2743256449419163976gmail-p1">};</p>
<p class="m_-2743256449419163976gmail-p2"><br>
</p>
<p class="m_-2743256449419163976gmail-p1">source s_sys {</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>system();</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>internal();</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>udp(ip(0.0.0.0)
port(514));</p>
<p class="m_-2743256449419163976gmail-p1">};</p>
<p class="m_-2743256449419163976gmail-p2"><br>
</p>
<p class="m_-2743256449419163976gmail-p1">source s_net {</p>
<p class="m_-2743256449419163976gmail-p1">udp(ip(0.0.0.0) port(514));</p>
<p class="m_-2743256449419163976gmail-p1">tcp(ip(0.0.0.0) port(514) max-connections(256));</p>
<p class="m_-2743256449419163976gmail-p1">};</p>
</div>
</blockquote>
Note: you're using the same udp() source twice (the first occurrence
is in the s_sys source), so one of them won't receive messages.
<blockquote type="cite">
<div dir="ltr">
<p class="m_-2743256449419163976gmail-p1">destination d_cons { file("/dev/console"); };</p>
<p class="m_-2743256449419163976gmail-p1">destination d_mesg { file("/var/log/messages"); };</p>
<p class="m_-2743256449419163976gmail-p1">destination d_auth { file("/var/log/secure"); };</p>
<p class="m_-2743256449419163976gmail-p1">destination d_mail { file("/var/log/maillog"
flush_lines(10)); };</p>
<p class="m_-2743256449419163976gmail-p1">destination d_spol { file("/var/log/spooler"); };</p>
<p class="m_-2743256449419163976gmail-p1">destination d_boot { file("/var/log/boot.log"); };</p>
<p class="m_-2743256449419163976gmail-p1">destination d_cron { file("/var/log/cron"); };</p>
<p class="m_-2743256449419163976gmail-p1">destination d_kern { file("/var/log/kern"); };</p>
<p class="m_-2743256449419163976gmail-p1">destination d_mlal { usertty("*"); };</p>
<p class="m_-2743256449419163976gmail-p2"><br>
</p>
<p class="m_-2743256449419163976gmail-p2"><br>
</p>
<p class="m_-2743256449419163976gmail-p1">destination d_graylog {</p>
<p class="m_-2743256449419163976gmail-p1">tcp("graylog.server"</p>
<p class="m_-2743256449419163976gmail-p1">port (12201)</p>
<p class="m_-2743256449419163976gmail-p1">);</p>
<p class="m_-2743256449419163976gmail-p1">};</p>
<p class="m_-2743256449419163976gmail-p2"><br>
</p>
<p class="m_-2743256449419163976gmail-p2"><br>
</p>
<p class="m_-2743256449419163976gmail-p1">filter f_kernel <span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>{
facility(kern); };</p>
<p class="m_-2743256449419163976gmail-p1">filter f_default<span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>{
level(info..emerg) and</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space">
</span>not (facility(mail)</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space">
</span>or facility(authpriv)</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space">
</span>or facility(cron)); };</p>
<p class="m_-2743256449419163976gmail-p1">filter f_auth <span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>{
facility(authpriv); };</p>
<p class="m_-2743256449419163976gmail-p1">filter f_mail <span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>{
facility(mail); };</p>
<p class="m_-2743256449419163976gmail-p1">filter f_emergency<span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>{
level(emerg); };</p>
<p class="m_-2743256449419163976gmail-p1">filter f_news <span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>{
facility(uucp) or</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space">
</span>(facility(news)</p>
<p class="m_-2743256449419163976gmail-p1"><span class="m_-2743256449419163976gmail-Apple-converted-space">
</span>and level(crit..emerg)); };</p>
<p class="m_-2743256449419163976gmail-p1">filter f_boot <span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>{
facility(local7); };</p>
<p class="m_-2743256449419163976gmail-p1">filter f_cron <span class="m_-2743256449419163976gmail-Apple-converted-space"> </span>{
facility(cron); };</p>
<p class="m_-2743256449419163976gmail-p2"><br>
</p>
<p class="m_-2743256449419163976gmail-p1">log { source(s_sys); filter(f_kernel);
destination(d_cons); };</p>
<p class="m_-2743256449419163976gmail-p1">log { source(s_sys); filter(f_kernel);
destination(d_kern); };</p>
<p class="m_-2743256449419163976gmail-p1">log { source(s_sys); filter(f_default);
destination(d_mesg); };</p>
<p class="m_-2743256449419163976gmail-p1">log { source(s_sys); filter(f_auth);
destination(d_auth); };</p>
<p class="m_-2743256449419163976gmail-p1">log { source(s_sys); filter(f_mail);
destination(d_mail); };</p>
<p class="m_-2743256449419163976gmail-p1">log { source(s_sys); filter(f_emergency);
destination(d_mlal); };</p>
<p class="m_-2743256449419163976gmail-p1">log { source(s_sys); filter(f_news);
destination(d_spol); };</p>
<p class="m_-2743256449419163976gmail-p1">log { source(s_sys); filter(f_boot);
destination(d_boot); };</p>
<p class="m_-2743256449419163976gmail-p1">log { source(s_sys); filter(f_cron);
destination(d_cron); };</p>
<p class="m_-2743256449419163976gmail-p2"><br>
</p>
<p class="m_-2743256449419163976gmail-p2"><br>
</p>
<p class="m_-2743256449419163976gmail-p2"><br>
</p>
<p class="m_-2743256449419163976gmail-p1">log { source(s_net); destination(d_graylog); };</p>
<p class="m_-2743256449419163976gmail-p1">log { source(s_sys); filter(f_default);
destination(d_graylog);};</p>
<p class="m_-2743256449419163976gmail-p1">log { source(s_sys); filter(f_kernel);
destination(d_graylog); };</p>
<p class="m_-2743256449419163976gmail-p1">log { source(s_sys); filter(f_default);
destination(d_graylog); };</p>
</div>
</blockquote>
Note: the last line is a duplicate of the entry two lines earlier, so
it will duplicate the data sent to d_graylog and should get deleted.
Also note that the intersection of the f_kernel and f_default
filters isn't empty, so some kernel messages would be sent twice to
d_graylog.<br>
<br>
Regards,<br>
Sandor<br>
<br>
</div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
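The configuration below is an added example, not part of the thread: it rewrites the relevant parts of the posted config with the three problems Sandor points out fixed (the udp() listener defined once, the duplicate d_graylog log statement removed, and the f_kernel/f_default overlap collapsed into one filter for the Graylog path). It assumes the options block and the other destinations, filters and local log statements stay as posted; the f_graylog filter name is an assumption of this example.

```conf
# Local messages only. The udp() listener that was also declared here now
# lives solely in s_net, so two sources no longer compete for port 514.
# Deliberately no file("/var/log/messages") source: d_mesg writes that
# file, and reading it back would feed syslog-ng its own output in a loop.
source s_sys {
  system();
  internal();
};

# Remote syslog clients.
source s_net {
  udp(ip(0.0.0.0) port(514));
  tcp(ip(0.0.0.0) port(514) max-connections(256));
};

destination d_mesg { file("/var/log/messages"); };
destination d_kern { file("/var/log/kern"); };

# Straight double quotes: the posted config had a curly closing quote
# after graylog.server, which the config parser rejects.
destination d_graylog {
  tcp("graylog.server" port(12201));
};

filter f_kernel  { facility(kern); };
filter f_default { level(info..emerg) and
                   not (facility(mail) or facility(authpriv) or facility(cron)); };

# Single filter for the Graylog path: the union of f_kernel and f_default,
# evaluated once per message, so a kernel message at level info..emerg
# (which matches both) is forwarded exactly one time.
filter f_graylog { filter(f_kernel) or filter(f_default); };

# Local files, unchanged from the posted config.
log { source(s_sys); filter(f_kernel);  destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };

# Forwarding: remote messages straight through, local ones via f_graylog.
# The repeated "source(s_sys); filter(f_default); destination(d_graylog)"
# statement and the separate f_kernel statement are replaced by one path.
log { source(s_net); destination(d_graylog); };
log { source(s_sys); filter(f_graylog); destination(d_graylog); };
```

Run `syslog-ng --syntax-only` after editing to confirm the file parses before reloading the service.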