<div dir="ltr"><div dir="ltr">Dear Rodney,<div> I kindly ask you to put more effort into summarising your problem. (Most of the time I figure something out by myself just by trying to put it into proper words.)</div><div> Sandor asked you at least 5 questions in his previous email. You sent two one-line answers in the last 10 minutes, only answering the version number.</div><div><br></div><div> As Sandor pointed out, syslog-ng actually writes the /var/log/messages file. If you want to forward its content towards your graylog server, then you have to actually "divert" it earlier.</div><div><br></div><div> In a different way: with a VERY big simplification, your log messages take the following route:</div><div> SOURCE -> FILTER -> DESTINATION</div><div><br></div><div> You have to investigate your "log" statements. Decide which of your logs you want to forward towards graylog, instead of the current destination (xxx), and modify it.</div><div> (Note: duplicating the logs and storing them in both locations is also possible, but you have to clearly express your use case.)</div><div><br></div><div>Best regards,</div><div>Laci</div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Nov 6, 2018 at 4:19 PM, Rodney Bizzell <span dir="ltr">&lt;<a href="mailto:hardworker30@gmail.com" target="_blank">hardworker30@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">I am using syslog-ng version 3.5</div><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 6, 2018, 10:09 AM Sandor Geller &lt;<a href="mailto:sandor.geller@ericsson.com" target="_blank">sandor.geller@ericsson.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_-2129505069397886728m_3983337667446425968moz-cite-prefix">Hello,<br>
<br>
syslog-ng is configured to write that file:<br>
<pre>source s_sys {
    system();
    internal();
    udp(ip(0.0.0.0) port(514));
};

destination d_mesg { file("/var/log/messages"); };

filter f_default { level(info..emerg) and
    not (facility(mail)
    or facility(authpriv)
    or facility(cron)); };

log { source(s_sys); filter(f_default); destination(d_mesg); };
</pre>
This should be read as:<br>
<br>
whatever is read from system(), internal() or udp port 514 AND
f_default matches on it will get written to /var/log/messages<br>
You're using the same source/filter pair in<br>
<br>
log { source(s_sys); filter(f_default); destination(d_graylog); };<br>
<br>
so d_graylog should get the same messages as d_mesg. From this
point the configuration and your observation don't match.<br>
<br>
Is there anything else on your machine writing to
/var/log/messages? Did you remove the duplicate udp() source to
make sure that the s_sys and s_net sources don't collide?<br>
<br>
What level of troubleshooting / testing was done? Packet capture,
syslog trace, ... ? Which syslog-ng version was used (there was no
@version in the config), what warnings/errors did it emit during
startup and later?<br>
<br>
Regards,<br>
Sandor<br>
<br>
On 11/06/2018 03:52 PM, Rodney Bizzell wrote:<br>
</div>
<blockquote type="cite">
<div dir="auto">/var/log/messages </div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, Nov 6, 2018, 9:50 AM Sandor Geller &lt;<a href="mailto:sandor.geller@ericsson.com" rel="noreferrer" target="_blank">sandor.geller@ericsson.com</a>&gt; wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_-2129505069397886728m_3983337667446425968m_-2743256449419163976moz-cite-prefix">Hello,<br>
<br>
On 11/06/2018 01:57 PM, Rodney Bizzell wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">If you look at the bottom of the config, I
have made changes to source(sys), pointing it to my
graylog server. Reading through the documentation, I
am thinking that should send the logs to the graylog server.
I am just asking; I apologize if I am making
assumptions. The documentation isn't always clear, so I
am just asking: if I want to send /var/logs to my graylog
server, do I need to add a new source for var log?</div>
</blockquote>
<br>
There is no such thing as /var/logs, please be much more
precise. It doesn't make any sense to read back the contents of
files written by syslog-ng itself; such potential logging
loops should be avoided anyway. If you've got additional
stuff under /var/log (some apps could log there directly),
then you can add these files as sources so that syslog-ng
processes them. Your current configuration doesn't contain such
source definitions.<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<pre>options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (250000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    system();
    internal();
    udp(ip(0.0.0.0) port(514));
};

source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max-connections(256));
};
</pre>
</div>
</blockquote>
Note: you're using the same udp() source twice (the first
occurrence is in the s_sys source), so one of them won't
receive messages.<br>
<blockquote type="cite">
<div dir="ltr">
<pre>destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

destination d_graylog {
    tcp("graylog.server"
    port (12201)
    );
};

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
    not (facility(mail)
    or facility(authpriv)
    or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
    (facility(news)
    and level(crit..emerg)); };
filter f_boot       { facility(local7); };
filter f_cron       { facility(cron); };

log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

log { source(s_net); destination(d_graylog); };
log { source(s_sys); filter(f_default); destination(d_graylog); };
log { source(s_sys); filter(f_kernel); destination(d_graylog); };
log { source(s_sys); filter(f_default); destination(d_graylog); };
</pre>
</div>
</blockquote>
Note: the last log statement is a duplicate of the entry two lines
earlier, so it will duplicate the data sent to d_graylog and should
be deleted. Also note that the intersection of the f_kernel and
f_default filters isn't empty, so some kernel messages would be sent
twice to d_graylog.<br>
<br>
Regards,<br>
Sandor<br>
<br>
</div>
______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
</blockquote>
</div>
</blockquote>
<p><br>
</p>
</div>
</blockquote></div>
</div></div>
<br></blockquote></div><br></div>
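<p>Editor's added example, not written by any participant in the thread: a syslog-ng 3.5 configuration that applies Sandor's and Laci's points to Rodney's posted config. It keeps one listener per port, adds the missing <code>@version</code> line, does not read <code>/var/log/messages</code> back as a source, and routes every message to Graylog through exactly one log path, so nothing is delivered twice. The host <code>graylog.server</code> and port 12201 are taken from the thread; the <code>network()</code> driver with <code>transport("tcp")</code> and <code>flags(syslog-protocol)</code> is the editor's choice (the legacy <code>tcp()</code> driver used in the thread also works in 3.5). Assumption: the Graylog side runs a Syslog TCP input on that port. 12201 is Graylog's default GELF port, and a GELF input does not accept plain syslog lines, so check which input type is actually listening there; the thread does not say.</p>

```conf
@version: 3.5

options {
    flush_lines(0);
    time_reopen(10);
    log_fifo_size(250000);
    chain_hostnames(off);
    use_dns(no);
    use_fqdn(no);
    create_dirs(no);
    keep_hostname(yes);
};

# Local sources only: /dev/log, kernel ring buffer, syslog-ng's own messages.
# Deliberately no file("/var/log/messages") source: syslog-ng writes that
# file itself, and reading it back would create a logging loop.
source s_sys {
    system();
    internal();
};

# Exactly one listener per port. The posted config bound udp/514 in both
# s_sys and s_net; only one of the two sockets receives messages.
source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max-connections(256));
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

# Host and port as posted in the thread. Assumed to be a Graylog "Syslog TCP"
# input: 12201 is Graylog's default GELF port, and a GELF input rejects plain
# syslog lines. syslog-protocol sends RFC 5424 framing, which Graylog parses.
destination d_graylog {
    network("graylog.server" port(12201) transport("tcp")
            flags(syslog-protocol));
};

filter f_kernel    { facility(kern); };
filter f_default   { level(info..emerg) and
                     not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth      { facility(authpriv); };
filter f_mail      { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news      { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_boot      { facility(local7); };
filter f_cron      { facility(cron); };

# Local file destinations, unchanged from the thread.
log { source(s_sys); filter(f_kernel);    destination(d_cons); };
log { source(s_sys); filter(f_kernel);    destination(d_kern); };
log { source(s_sys); filter(f_default);   destination(d_mesg); };
log { source(s_sys); filter(f_auth);      destination(d_auth); };
log { source(s_sys); filter(f_mail);      destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news);      destination(d_spol); };
log { source(s_sys); filter(f_boot);      destination(d_boot); };
log { source(s_sys); filter(f_cron);      destination(d_cron); };

# One path to Graylog. The posted config had four: s_net unfiltered,
# s_sys+f_default twice, and s_sys+f_kernel, whose match set overlaps
# f_default (a kern.info message passes both), so kernel messages were
# queued for d_graylog three times. Naming both sources in one statement
# with no filter forwards each message exactly once; add filter(f_default)
# here if mail/authpriv/cron must stay local.
log { source(s_sys); source(s_net); destination(d_graylog); };
```

Before restarting, run <code>syslog-ng --syntax-only</code> so that parse errors (for example a mismatched quote around the destination host) show up instead of being silently logged at startup. To test the path the way Sandor asked, send a local message with <code>logger -p user.info "graylog path test"</code> (util-linux <code>logger</code> remaps the <code>kern</code> facility to <code>user</code>, so do not use it to test f_kernel) and watch for the outbound connection with <code>tcpdump -nn -i any port 12201</code>; if nothing leaves the host, the problem is in the log statements, and if packets leave but Graylog shows nothing, the problem is the input type on the Graylog side.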