July 2004 - syslog-ng - lists.balabit.hu

Cisco Syslog with Syslog-ng
by Davis, Jay 01 Jul '04

01 Jul '04

From: amy wong amywsp(a)gmail.com Date: Tue, 29 Jun 2004 17:03:14 +0800 Subject: Cisco Log To: bazsi(a)balabit.hu Hi, I'm new in syslog-ng. Currently install syslog-ng-1.4.7. I have got the cisco router monitor, and log can be seen on /var/log/messages but not /var/log/cisco.log. My questions are do the cisco.log file will be created automatically? and would you show me the right way in setting up? source remote {tcp(); udp();}; destination d_cisco { file("/var/log/cisco.log); }; filter f_cisco_info { level(info); }; filter f_cisco_notice { level(notice); }; filter f_cisco_warn { level(warn); }; filter f_cisco_crit { level(crit); }; filter f_cisco_err { level(err); }; log { source(remote); filter(f_cisco_info); destination(d_cisco); }; log { source(remote); filter(f_cisco_notice); destination(d_cisco); }; log { source(remote); filter(f_cisco_warn); destination(d_cisco); }; log { source(remote); filter(f_cisco_crit); destination(d_cisco); }; log { source(remote); filter(f_cisco_err); destination(d_cisco); }; destination hosts { file("/var/log/HOSTS/$HOSTS/$YEAR/$MONTH/$DAY/$FACILITY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); }; log { source(remote); destination(hosts); }; +++++++++++++++++++++++++++++++ Had to cut and paste First the setup on the Cisco devices. Cisco uses facility 7 for syslog. You need to set the proper severity levels for what you plan on sending to your syslog host. Do not use debug, you will kill the router or switch possibly. YMMV. I took some snippets of our config file here. The filter just puts all levels of syslog into one file which is parsed by netcool. You will have to play around with the severities. Cisco is kind of confused (being nice) on some severities. I think you will end up adjusting and using what you think is critical than using what they think is critical. Remember that you can filter specific messages using syslog-ng i.e. LINK-5-UPDOWN. The 5 is severity. I hope this helps. # The udp and port 514 are defaults but sometimes we change them here for diagnostics. # It is easier to leave in so you don't have to dig through docs to find out how to set the port source s_udpmessages {udp(ip(<IPADDRESSOFLOCALINTERFACETOLISTENON>) port(514));}; #This is a log file for Netcool destination d_mesg { file("/var/log/ncolog"); }; filter f_filter7 { facility(local7) and level(emerg,alert,crit,err,warning,notice,info); }; log { source(s_udpmessages); filter(f_filter7); destination(d_mesg); };

2 1

Re: [syslog-ng]problem on HPUX with s_tcp snd d_tcp
by Stephan Hendl 01 Jul '04

01 Jul '04

maybe the problem is that the server side (central syslog) is hpux. Unfortunately I do not have a linux box for this purpose... With a tcpdump on the server-side you can see that even the syslog-ng daemon is down there are many tcp pakets going from the clients to the server. The clients do not recognise that the server process has died. On client side I have syslog-ng 1.6.0-rc4 where I have on the hpux server side 1.6.4. What can I do with the socket(7) option? I am not familiar with tcp/ip internals ;-((( Stephan >>> lool+syslog(a)via.ecp.fr 01.07.2004 14:52:21 >>> Stephan Hendl <Stephan.Hendl(a)lds.brandenburg.de> - Thu, Jul 01, 2004: > It seems to me that the state 'FIN_WAIT_2' doesn't allow the hpux > syslog-ng to accept data from the linux clients and this state is quite > very long. I could not reproduce this on my Linux 2.6 system: - I killed syslog-ng with SIGTERM, SIGINT, SIGKILL, and SIGHUP while a telnet connection was open to the TCP port; - I restarted syslog-ng as soon as it was dead, and telneted successfully to the same port again, and syslog-ng saw my connection. Could it be a problem on the client side? My TCP connection gets closed when I kill -HUP syslog-ng. Or could it be a socket(7) option missing on the listening TCP socket? I do a setsockopt with SO_REUSEADDR on my sockets prior to binding them, which does not seem to be in syslog-ng. -- Loïc Minier <lool(a)dooz.org> _______________________________________________ syslog-ng maillist - syslog-ng(a)lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

1 0

RE: [syslog-ng]use_time_recvd() not working?
by Hall J D (ISeLS) 01 Jul '04

01 Jul '04

Thanks to Michael pointing me at the mail archive I now understand that use_time_recvd() only applies to macros used in filename expansion and logformat templates. So to get the behaviour I was expecting, that use_time_recvd(yes) would effect the "default" template, I need to define a template for my destination. Would template("$DATE $HOST $MSG\n") cover it? While looking through the mail archives I saw mention of many other macros, R_DATE, S_DATE etc., which don't appear in the documentation. Do these still exist and if so what do they do? Are they left out of the documentation for a reason? Thanks again, Jonathan -----Original Message----- From: Trapp, Michael [mailto:michael.trapp@sap.com] Sent: 30 June 2004 16:04 To: Hall J D (ISeLS) Cc: 'syslog-ng(a)lists.balabit.hu' Subject: RE: [syslog-ng]use_time_recvd() not working? hi jonathan, have a look at https://lists.balabit.hu/pipermail/syslog-ng/2002-September/003874.html regards michael -----Original Message----- From: syslog-ng-admin(a)lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Hall J D (ISeLS) Sent: Mittwoch, 30. Juni 2004 16:53 To: syslog-ng(a)lists.balabit.hu Subject: [syslog-ng]use_time_recvd() not working? Hello all, I've recently installed Syslog-ng 1.6.2 on a FreeBSD 4.9 to act as my new collector and I can't get the use_time_recvd() option to work properly. No matter if I specify use_time_recvd(yes) or use_time_recvd(no) the messages, from a Cisco PIX firewall, are still getting recorded with the time from the message and not the local time. Is this a know issue, or am I doing something really silly? Below are the relevant bits from my config Thanks, Jonathan options { long_hostnames(off); sync(0); use_time_recvd(yes); create_dirs(yes); dir_perm(0750); }; source net { udp(ip(193.63.147.98) port(514)); tcp(ip(193.63.147.98) port(1740) keep-alive(yes)); }; destination fwall { file("/var/log/firewalls/$HOST.$YEAR.$MONTH.$DAY.log" perm(0640)); }; filter f_pixmsg { match("%PIX"); }; filter f_local0 { facility(local0); }; log { source(net); filter(f_local0); filter(f_pixmsg); destination(fwall); };

1 0

problem on HPUX with s_tcp snd d_tcp
by Stephan Hendl 01 Jul '04

01 Jul '04

Hi all, I have an central syslog host on hpux 11.0 running syslog-ng-1.6.2 for five linux systems (pns[3-7]). The linux systems send syslog data via tcp to port 10514 on the hpux system (pns1). The hpux system listen on that port, gets the data and put them into a file called 'cic.log' as well as to localhost Port 10514, where a ssh-tunnel is listening. The normal behaviour is like root@pns1:/> netstat -a | grep 10514 tcp 0 0 localhost.49297 localhost.10514 TIME_WAIT tcp 0 0 pns1.10514 *.* LISTEN tcp 0 0 localhost.10514 *.* LISTEN tcp 98 0 localhost.10514 localhost.49153 ESTABLISHED tcp 0 0 pns1.10514 pns3.55228 ESTABLISHED tcp 98 0 pns1.10514 pns4.16048 ESTABLISHED tcp 0 0 pns1.10514 pns5.55717 ESTABLISHED tcp 0 0 pns1.10514 pns6.32356 ESTABLISHED tcp 0 0 pns1.10514 pns7.49633 ESTABLISHED tcp 0 98 localhost.49153 localhost.10514 ESTABLISHED root@pns1:/> After a 'kill -HUP $PID' due to confoguration changes of the syslog-ng process on the hpux box the syslog-ng doesn't get anymore data via tcp (the file cic.log as well as the stream to the tunnel are empty). The netstat output is like root@pns1:/var/adm/syslog> netstat -a | grep 514 tcp 0 0 localhost.49618 localhost.10514 TIME_WAIT tcp 0 0 localhost.49587 localhost.10514 TIME_WAIT tcp 0 0 localhost.49619 localhost.10514 ESTABLISHED tcp 0 0 pns1.10514 pns3.55228 FIN_WAIT_2 tcp 0 0 pns1.10514 pns4.16048 FIN_WAIT_2 tcp 0 0 pns1.10514 pns5.55717 FIN_WAIT_2 tcp 0 0 pns1.10514 pns6.32356 FIN_WAIT_2 tcp 0 0 pns1.10514 pns7.49633 FIN_WAIT_2 tcp 0 0 localhost.10514 *.* LISTEN tcp 0 0 pns1.10514 *.* LISTEN tcp 0 0 localhost.10514 localhost.49619 ESTABLISHED root@pns1:/var/adm/syslog> It seems to me that the state 'FIN_WAIT_2' doesn't allow the hpux syslog-ng to accept data from the linux clients and this state is quite very long. Then I inserted the prameter 'keep-alive(no)' into the configuration file of the hpux box but it doesn't help. The only thing that helps is a 'service syslog-ng restart' on every linux client. But that cannot be done autimatically ;-(( and is not the preferred way. Maybe there are some problems in the tcp/ip code of syslog-ng running on hpux? Thanks for helping me! regards Stephan

2 1