Hi,
Try it without using the filter on the logserver, and see if the mail logs are processed by syslog-ng, and what they look like. Maybe it is a parsing issue, or something related to the missing timestamp/host you mentioned.
Regards,
Robert

Rocco Scappatura wrote:
Hello,
I'm configuring a centralized loghost (SLES 10 SP3) based on syslog-ng, for collecting mail logs of different clients.
Several machines which are entitled to log their mail logs on the central loghost (Debian) still use the old syslogd as logger system.
I configured one of these to send its mail logs to the loghost putting:
mail.* @syslogmi01.local
in /etc/syslog.conf file and restarted the service. Moreover on the loghost I set:
source mail_gateway_src { udp(ip("0.0.0.0") port(514)); };
filter ernesto_mail_f { facility(mail); };
destination d_ernesto_mail { file("/var/log/ernesto_mail"); };
log { source(mail_gateway_src); filter(ernesto_mail_f); destination(d_ernesto_mail); };
And restarted it.
But no file is created and so no logs are saved on the loghost.
With tcpdump I see that the logs come to the loghost, but syslog doesn't want to catch them.
# tcpdump -vvv host 192.168.252.107 and port 514
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:04:57.046952 IP (tos 0x0, ttl 64, id 3157, offset 0, flags [DF], proto: UDP (17), length: 358) 192.168.252.107.syslog > syslogmi01.local.syslog: SYSLOG, length: 330
        Facility mail (2), Severity info (6)
        Msg: postfix/smtpd[30946]: NOQUEUE: reject: RCPT from u[|syslog]
18:04:57.046962 IP (tos 0x0, ttl 64, id 3158, offset 0, flags [DF], proto: UDP (17), length: 360) 192.168.252.107.syslog > syslogmi01.local.syslog: SYSLOG, length: 332
I saw that the logs coming from the Debian machine (so using syslogd) lack the timestamp and the name of the host that generates them. Could this be a source of incompatibility between syslogd and syslog-ng? Or is there something that I'm doing wrong?
Thanks in advance,
rocsca
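Added example, not part of the original thread: a small Python parser for raw UDP syslog payloads that reports the facility and severity encoded in <PRI> and whether an RFC 3164 timestamp and host header is present, the two points the thread raises. The sample payloads, the host name mailgw and the short facility names are constructed assumptions; the message text is the truncated one shown in the tcpdump capture.

```python
import re

# Facility and severity names indexed by numeric code (RFC 3164, section 4.1.1).
# The short names for codes 12-15 are this example's own labels.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")
# RFC 3164 header: "Mmm dd hh:mm:ss" followed by a hostname token.
HEADER_RE = re.compile(
    rb"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")


def parse_datagram(payload: bytes) -> dict:
    """Split one UDP syslog payload into PRI fields, optional header and message."""
    m = PRI_RE.match(payload)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid <PRI> prefix")
    pri = int(m.group(1))
    rest = payload[m.end():].rstrip(b"\n")
    hdr = HEADER_RE.match(rest)  # None when the sender omitted timestamp/host
    return {
        "facility": FACILITIES[pri >> 3],   # facility = PRI div 8
        "severity": SEVERITIES[pri & 7],    # severity = PRI mod 8
        "timestamp": hdr.group("ts").decode() if hdr else None,
        "host": hdr.group("host").decode() if hdr else None,
        "msg": (rest[hdr.end():] if hdr else rest).decode(errors="replace"),
    }


# Constructed payloads: mail.info is PRI 2*8+6 = 22.
# BARE has no timestamp/host, as described for the Debian syslogd client.
BARE = b"<22>postfix/smtpd[30946]: NOQUEUE: reject: RCPT from u\n"
# FULL carries a constructed RFC 3164 header for comparison.
FULL = b"<22>Oct 11 18:04:57 mailgw postfix/smtpd[30946]: NOQUEUE: reject: RCPT from u\n"

if __name__ == "__main__":
    for sample in (BARE, FULL):
        print(parse_datagram(sample))
```

The capture in the thread is cut at 96 bytes, so payloads fed to the parser need to be captured in full.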