<div dir="ltr"><div dir="ltr">Here is my config<div><div>@version:3.18</div><div>@include "scl.conf"</div><div><br></div><div># syslog-ng configuration file.</div><div>#</div><div># This should behave pretty much like the original syslog on RedHat. But</div><div># it could be configured a lot smarter.</div><div>#</div><div># See syslog-ng(8) and syslog-ng.conf(5) for more information.</div><div>#</div><div># Note: it also sources additional configuration files (*.conf)</div><div># located in /etc/syslog-ng/conf.d/</div><div><br></div><div>options {</div><div> flush_lines (10);</div><div> time_reopen (10);</div><div># chain_hostnames (off);</div><div> use_dns (yes);</div><div> use_fqdn (no);</div><div> create_dirs (no);</div><div> keep_hostname (yes);</div><div>};</div><div><br></div><div>source s_sys {</div><div> system();</div><div> internal();</div><div># udp(ip(0.0.0.0) port(514));</div><div>};</div><div><br></div><div>source s_net {</div><div>udp(ip(0.0.0.0) port(514));</div><div>tcp(ip(0.0.0.0) port(514) max-connections(256));</div><div>#log_iw_size(25000) so_keepalive(yes) log_fetch_limit(100));</div><div>};</div><div><br></div><div>destination d_cons { file("/dev/console"); };</div><div>destination d_mesg { file("/var/log/messages"); };</div><div>destination d_auth { file("/var/log/secure"); };</div><div>destination d_mail { file("/var/log/maillog" flush_lines(10)); };</div><div>destination d_spol { file("/var/log/spooler"); };</div><div>destination d_boot { file("/var/log/boot.log"); };</div><div>destination d_cron { file("/var/log/cron"); };</div><div>destination d_kern { file("/var/log/kern"); };</div><div>destination d_mlal { usertty("*"); };</div><div><br></div><div><br></div><div>destination d_graylog {</div><div>tcp("hostname of Graylog server"</div><div>port (12201)</div><div>);</div><div>};</div><div><br></div><div><br></div><div>filter f_kernel { facility(kern); };</div><div>filter f_default { level(info..emerg) and</div><div> not (facility(mail)</div><div> or facility(authpriv) </div><div> or facility(cron)); };</div><div>filter f_auth { facility(authpriv); };</div><div>filter f_mail { facility(mail); };</div><div>filter f_emergency { level(emerg); };</div><div>filter f_news { facility(uucp) or</div><div> (facility(news) </div><div> and level(crit..emerg)); };</div><div>filter f_boot { facility(local7); };</div><div>filter f_cron { facility(cron); };</div><div><br></div><div>log { source(s_sys); filter(f_kernel); destination(d_cons); };</div><div>log { source(s_sys); filter(f_kernel); destination(d_kern); };</div><div>log { source(s_sys); filter(f_default); destination(d_mesg); };</div><div>log { source(s_sys); filter(f_auth); destination(d_auth); };</div><div>log { source(s_sys); filter(f_mail); destination(d_mail); };</div><div>log { source(s_sys); filter(f_emergency); destination(d_mlal); };</div><div>log { source(s_sys); filter(f_news); destination(d_spol); };</div><div>log { source(s_sys); filter(f_boot); destination(d_boot); };</div><div>log { source(s_sys); filter(f_cron); destination(d_cron); };</div><div><br></div><div><br></div><div><br></div><div>log { source(s_net); destination(d_graylog); };</div><div>log { source(s_sys); destination(d_graylog); };</div><div><br></div><div><br></div><div># Source additional configuration files (.conf extension only)</div><div>@include "/etc/syslog-ng/conf.d/*.conf"</div><div><br></div><div><br></div><div># vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:</div></div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Nov 12, 2018 at 2:02 PM PÁSZTOR György <<a href="mailto:pasztor@linux.gyakg.u-szeged.hu">pasztor@linux.gyakg.u-szeged.hu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Rodney,<br>
<br>
"Rodney Bizzell" <<a href="mailto:hardworker30@gmail.com" target="_blank">hardworker30@gmail.com</a>> írta 2018-11-12 13:28-kor:<br>
> So I upgraded to syslog-ng 3.18 and it has syslog-ng-debun options. I was<br>
<br>
Just to run syslog-ng-debun, you should not had to upgrade your syslog-ng.<br>
syslog-ng-debun is a simple all in one portable shell script which's<br>
purpose is to gather information about any kind of syslog-ng installation.<br>
Always safe to use the latest one of this from the master branch, as I<br>
suggested to download via wget.<br>
<br>
> reading through the documentation and when I issue syslog-ng-debun -d -P<br>
> 'port 12201' should I see anything on standard out because all that happen<br>
> was it displayed the options for the command. That is all that happened<br>
<br>
Yepp. In the meantime János Szigetrvári added an extra -r option to the<br>
script and that changed the default behaviour. Without the -r option it's<br>
just a "--dry-run"-ish parametering. It does nothing, except test the<br>
parameters.<br>
You can see that changeset following this link:<br>
<a href="https://github.com/balabit/syslog-ng/commit/f9312f87b758c450c6108abe8da9cf0b4d16ced4" rel="noreferrer" target="_blank">https://github.com/balabit/syslog-ng/commit/f9312f87b758c450c6108abe8da9cf0b4d16ced4</a><br>
<br>
So, from that point on, every syslog-ng-debun command should be replaced<br>
with the same, just adding an extra -r option.<br>
<br>
Which in your case, means: you should've run:<br>
syslog-ng-debun -r -d -P 'port 12201'<br>
<br>
> when I issued the command below in this email. I tried to run<br>
> syslog-ng-debun -r and that executed and created a tarball.<br>
<br>
Yep. This -r -d -P 'port 12201' will also create a tarball. Just a more<br>
useful one: It will run tcpdump in the bacground, to collect network<br>
traffic at the same time, matching the "port 12201" filtering expression.<br>
<br>
Btw.: Make sure, you have tcpdump installed on the system. Otherwise the<br>
script won't be able to run tcpdump.<br>
<br>
When you finished, we need that tarball what the script created.<br>
<br>
Regards,<br>
Gyu<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>