Hi,
I don't see anything in your config...
Are you sure your syslog messages are sent to the UDP port syslog-ng is listening at (normally: 514)?
Did you prove this with one of snoop, ethereal, wireshark and the like?
Just an idea... hth
Ulli
Hello again,
Things are evolving a little bit. Now the syslog-ng conf is configured like this:
source s_router_udp { udp(); };
destination d_mysql {
    pipe("/tmp/mysql.pipe"
        template("INSERT INTO syslog_incoming (facility, priority, date, time, host, message, seq) VALUES ( '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$HOST', '$MSG', '$SEQ' );\n")
        template-escape(yes));
};
log { source(s_router_udp); destination(d_mysql); };
log { source(s_sys); destination(d_mysql); };
The second log statement is working, because I can see entries in the syslog_incoming table, and I also see the log in Cacti:
mysql> select * from syslog_incoming;
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
| facility | priority | date       | time     | host          | message                                                          | seq | status |
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
| syslog   | info     | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: Termination requested via signal, terminating; | 22  | 0      |
| syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: syslog-ng shutting down; version='2.0.10'      | 23  | 0      |
| syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[21587]: syslog-ng starting up; version='2.0.10'        | 24  | 0      |
| authpriv | info     | 2009-07-01 | 11:56:06 | monitorizare1 | sshd[21567]: Connection closed by 127.0.0.1                      | 21  | 0      |
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
4 rows in set (0.00 sec)
But I don't know what the problem is and how to fix it for the first log statement. Can anyone help a little? Maybe with some documentation, or maybe someone encountered a similar problem?
PS: something else that I noticed and I don't know what it means. One of the syslog-ng messages is like this:
syslog-ng[20083]: Log statistics; dropped='pipe(/tmp/mysql.pipe)=0', processed='center(queued)=30', processed='center(received)=15', processed='destination(d_boot)=0', processed='destination(d_auth)=4', processed='destination(d_cron)=9', processed='destination(d_mysql)=15', processed='destination(d_mlal)=0', processed='destination(d_mesg)=2', processed='destination(d_cons)=0', processed='destination(d_spol)=0', processed='destination(d_mail)=0', processed='source(s_sys)=15', processed='source(s_router_udp)=0'
What could be the cause for that "dropped" there? Shouldn't it be processed?
Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
www.omnilogic.ro
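Not part of the thread: an added Python snippet that parses the "Log statistics;" lines quoted in this thread (the counter names and values below are copied from them as constructed test input) and flags the two things worth reading off such a line, a source that counted zero messages and any destination that dropped messages. For the line in the question it reports that s_router_udp never counted a message, so the packets tcpdump showed never reached that source (the bind address/port and a host firewall are the usual places to check), while dropped=0 on the pipe means the destination lost nothing.

```python
import re

# "Log statistics" lines copied from the thread (constructed test input for
# this example; the first is the one the question asks about).
STATS_LINES = [
    "syslog-ng[20083]: Log statistics; dropped='pipe(/tmp/mysql.pipe)=0', "
    "processed='center(queued)=30', processed='center(received)=15', "
    "processed='destination(d_mysql)=15', processed='source(s_sys)=15', "
    "processed='source(s_router_udp)=0'",
    "syslog-ng[17812]: Log statistics; processed='center(queued)=6', "
    "processed='center(received)=6', processed='destination(d_localfile)=1', "
    "processed='source(s_sys)=5', processed='source(s_router_udp)=1'",
]

# Each counter has the form  counter='kind(name)=value'
# e.g.  processed='source(s_router_udp)=0'  or  dropped='pipe(/tmp/mysql.pipe)=0'
COUNTER_RE = re.compile(r"(\w+)='(\w+)\(([^)]*)\)=(\d+)'")


def parse_stats(line):
    """Return {(counter, kind, name): value} for one Log statistics line."""
    if "Log statistics;" not in line:
        raise ValueError("not a syslog-ng Log statistics line")
    body = line.split("Log statistics;", 1)[1]
    return {(c, k, n): int(v) for c, k, n, v in COUNTER_RE.findall(body)}


def diagnose(stats):
    """Flag idle sources and lossy destinations in one parsed stats line."""
    findings = []
    for (counter, kind, name), value in stats.items():
        if counter == "processed" and kind == "source" and value == 0:
            # Nothing was ever counted on this source: the traffic is not
            # reaching syslog-ng, so look at the bind address/port and the
            # host firewall before looking at destinations or templates.
            findings.append(f"source {name}: 0 messages counted, nothing reached syslog-ng via this source")
        if counter == "dropped" and value > 0:
            findings.append(f"{kind} {name}: {value} messages dropped")
    return findings


if __name__ == "__main__":
    for line in STATS_LINES:
        print(diagnose(parse_stats(line)) or ["no findings"])
```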
Cosmin Neagu wrote:
Thanks a lot Ulrich, that site contains great documentation, I'm starting to understand how syslog-ng works.
But let me tell you the problem with which I'm stuck right now.
A router is sending syslog messages to a linux box (Fedora) from 10.0.0.1. I can see the messages arriving at the server.
[root@monitorizare1 ~]# tcpdump -v src 10.0.0.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:09:07.941254 IP (tos 0x0, ttl 255, id 80, offset 0, flags [none], proto UDP (17), length 115) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 87
    Facility local7 (23), Severity error (3)
    Msg: 81: *Jul 1 10:09:10.027: %LINK-3-UPDOWN: Interfa[|syslog]
10:09:08.760267 IP (tos 0x0, ttl 255, id 81, offset 0, flags [none], proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 110
    Facility local7 (23), Severity info (6)
    Msg: 82: *Jul 1 10:09:10.031: %ENTITY_ALARM-6-INFO: C[|syslog]
10:09:09.755868 IP (tos 0x0, ttl 255, id 82, offset 0, flags [none], proto UDP (17), length 137) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 109
    Facility local7 (23), Severity notice (5)
I have configured syslog-ng.conf like this:
source s_router_udp {
    internal();
    file("/proc/kmsg" log_prefix("kernel: "));
    udp(ip(0.0.0.0) port(514));
    #unix-stream("/dev/log");
};
destination d_localfile {
    file("/root/testlog");
};
log {
    source(s_router_udp);
    destination(d_localfile);
};
The problem is that in /root/testlog I can't see any log, except those generated internally by syslog-ng:
Jul 1 09:31:36 monitorizare1 syslog-ng[17787]: syslog-ng starting up; version='2.0.10'
Jul 1 09:32:49 monitorizare1 syslog-ng[17787]: Termination requested via signal, terminating;
Jul 1 09:32:50 monitorizare1 syslog-ng[17812]: syslog-ng starting up; version='2.0.10'
Jul 1 09:42:50 monitorizare1 syslog-ng[17812]: Log statistics; processed='center(queued)=6', processed='center(received)=6', processed='destination(d_boot)=0', processed='destination(d_auth)=2', processed='destination(d_cron)=2', processed='destination(d_mlal)=0', processed='destination(d_localfile)=1', processed='destination(d_mesg)=1', processed='destination(d_cons)=0', processed='destination(d_spol)=0', processed='destination(d_mail)=0', processed='source(s_sys)=5', processed='source(s_router_udp)=1'
Jul 1 09:45:11 monitorizare1 syslog-ng[17812]: Termination requested via signal, terminating;
Jul 1 09:45:11 monitorizare1 syslog-ng[18840]: syslog-ng starting up; version='2.0.10'
Jul 1 09:47:43 monitorizare1 syslog-ng[18840]: Termination requested via signal, terminating;
Jul 1 09:47:43 monitorizare1 syslog-ng[19009]: syslog-ng starting up; version='2.0.10'
I can't find anything in the syslog-ng admin guide about how messages received from remote hosts can be inserted into files.
Can anyone help me? I feel that I'm close to a solution.
Ulrich.Wiemers@t-systems.com wrote:
Hi,
I was in a similar situation some weeks ago.
Admin Guide found at http://www.balabit.com/support/documentation/?product=syslog-ng was of great help to me.
And, of course, Google ,-)
hth
Ulli
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On behalf of Cosmin Neagu
Sent: Tuesday, 30 June 2009 14:49
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Syslog-ng beginners guide
Hello everybody,
Sorry for bothering you with a beginner's question.
I have a cacti implementation in my network and I want to integrate it with syslog-ng. I have mostly cisco routers, all configured to send syslog messages to two linux boxes (Ubuntu 9.04 and FedoraCore 10) where I have installed syslog-ng.
I'm not able to find where the logs are kept, so this drives me crazy.
Do you know any site or resource where I can find some beginner's guide about using syslog-ng with cisco routers? I mean, a guide for someone who never used syslog-ng before.
Thanks.
--
Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
www.omnilogic.ro
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html