On Mon, Jan 4, 2010 at 7:07 PM, Paul B. Henson <henson@acm.org> wrote:
I'm trying to upgrade from 2.1.3 to 3.0.4 under Linux, and am having trouble getting my kernel messages tagged appropriately.
My previous configuration had the following:
-----
source k_src { pipe("/proc/kmsg" log_prefix("kernel: ")); };

destination iptables { file("/var/log/iptables.log"); };
filter f_iptables { match("iptables:"); };
log { source(k_src); filter(f_iptables); destination(iptables); flags(final); };

destination messages { file("/var/log/messages"); };
log { source(src); source(k_src); destination(messages); };
-----
All of my kernel messages showed up with the "kernel:" prefix, and anything coming from iptables was dropped in a separate log.
Based on the documentation, I modified my configuration to the following for 3.0.4:
-----
source k_src { file("/proc/kmsg" program_override("kernel")); };

destination iptables { file("/var/log/iptables.log"); };
filter f_iptables { program("^kernel$") and message("^iptables:"); };
log { source(k_src); filter(f_iptables); destination(iptables); flags(final); };

destination messages { file("/var/log/messages"); };
log { source(src); source(k_src); destination(messages); };
-----
However, my kernel messages show up with no prefix. I tried starting up in debug mode:
-----
syslog-ng starting up; version='3.0.4'
Incoming log entry; line='<6>usb 2-7: USB disconnect, address 8'
Filter rule evaluation begins; filter_rule='f_iptables'
Filter node evaluation result; filter_result='not-match'
Filter node evaluation result; filter_result='not-match', filter_type='AND'
Filter rule evaluation result; filter_result='not-match', filter_rule='f_iptables'
Initializing destination file writer; template='/var/log/messages', filename='/var/log/messages'
Incoming log entry; line='<4>iptables: IN=eth0 OUT= MAC=0:05:00:10:97:43:00:0SC147.5.2 S=2... E=8TS00 RC0C T= D363POO2'
Filter rule evaluation begins; filter_rule='f_iptables'
Filter node evaluation result; filter_result='not-match'
Filter node evaluation result; filter_result='not-match', filter_type='AND'
Filter rule evaluation result; filter_result='not-match', filter_rule='f_iptables'
-----
This didn't help me. Am I doing something wrong? I didn't find any complaints of this nature on the mailing list, which leads me to suspect I'm somehow being stupid; any pointers much appreciated.
Thanks...
--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson@csupomona.edu
California State Polytechnic University | Pomona CA 91768
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
Hello!

Syslog-ng 3.0.5 has the following in its bugfixes update:

* Fixed host_override/program_override options that were broken in 3.0.4.

I'd grab version 3.0.5 regardless as it is a recommended upgrade with a number of bugfixes.

--
Lance Laursen
Demonware Systems Engineer
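To make the debug output above easier to read, here is an added model (not syslog-ng code, and not part of either message) of the two things the thread turns on: the kernel ring buffer hands syslog-ng lines of the form "<PRI>text" with no program name, so PROGRAM is whatever program_override() supplies (empty when that option is broken, as in 3.0.4), and the 3.0.4 filter program("^kernel$") and message("^iptables:") therefore fails its first AND term on every kernel line. The sample kmsg lines are constructed for the example (the iptables line is shortened and uses documentation addresses), the rendering as "PROGRAM: MSG" is a simplification of the default file template, and route() is a hypothetical helper that stands in for the two log statements with flags(final).

```python
import re

# Constructed sample of what /proc/kmsg delivers: "<PRI>" followed by the text.
# The iptables line is made up and shortened; a real one carries the full
# netfilter field set (MAC=, SRC=, DST=, PROTO=, ...).
SAMPLE_KMSG = [
    "<6>usb 2-7: USB disconnect, address 8",
    "<4>iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=192.0.2.10 DST=192.0.2.1",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_kmsg(line, program_override=None):
    """Split a kmsg line into the macros syslog-ng would expose.

    Models only the relevant behaviour: PRI is facility*8 + severity, and
    the kernel ring buffer carries no program name, so PROGRAM stays empty
    unless program_override() (here a plain argument) supplies one.
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix on kmsg line: %r" % line)
    pri = int(m.group(1))
    return {
        "FACILITY": pri // 8,            # 0 == kern for every /proc/kmsg line
        "LEVEL": pri % 8,                # 6 == info, 4 == warning
        "PROGRAM": program_override or "",
        "MSG": m.group(2),
    }


def f_iptables(msg):
    """The 3.0.4 filter: program("^kernel$") and message("^iptables:").

    syslog-ng's program() and message() are regex matches against PROGRAM
    and MSG; an AND rule is not-match as soon as one term is not-match,
    which is what the debug trace shows for both kernel lines.
    """
    return (re.search(r"^kernel$", msg["PROGRAM"]) is not None
            and re.search(r"^iptables:", msg["MSG"]) is not None)


def render(msg):
    """Simplified default template: 'PROGRAM: MSG' when PROGRAM is set, else MSG."""
    if msg["PROGRAM"]:
        return "%s: %s" % (msg["PROGRAM"], msg["MSG"])
    return msg["MSG"]


def route(lines, program_override):
    """Hypothetical stand-in for the two log{} statements.

    Returns (iptables_log, messages_log). A line matching f_iptables goes
    to iptables.log only, because flags(final) stops further processing;
    everything else falls through to /var/log/messages.
    """
    iptables_log, messages_log = [], []
    for line in lines:
        msg = parse_kmsg(line, program_override)
        if f_iptables(msg):
            iptables_log.append(render(msg))
            continue  # flags(final)
        messages_log.append(render(msg))
    return iptables_log, messages_log


if __name__ == "__main__":
    # program_override broken (PROGRAM empty): nothing is tagged, nothing
    # reaches iptables.log, exactly the 3.0.4 symptom from the first message.
    print("broken:", route(SAMPLE_KMSG, None))
    # program_override honoured: kernel lines are tagged and iptables lines split off.
    print("fixed: ", route(SAMPLE_KMSG, "kernel"))
```

Running the block prints the two outcomes side by side; the only difference between them is whether PROGRAM is populated, which is why the config in the first message is correct as written and the fix is the 3.0.5 upgrade rather than a configuration change.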