2011/9/19 rek2 <rek2gnulinux@gmail.com>

oh sorry Im used to list that will reply by defaul to the list. sorry about that..
I think I get what you mean..
so in the clients and in the server log I have to have similar filters ?
Thanks
2011/9/19 Patrick H. <syslogng@feystorm.net>
Seriously, dont remove the mailing list from the recipients. Others may catch things I miss, or I might be gone for a while, but someone else is around.

That filter you have only logs warning through emerg, while by default logger uses notice, which is below warning.

-Patrick

Sent: Mon Sep 19 2011 15:26:05 GMT-0600 (MST)
From: rek2 <rek2gnulinux@gmail.com>
To: Patrick H. <syslogng@feystorm.net>
Subject: Re: [syslog-ng] Problem sending logs to central log server..
ops! I forgot to uncoment that as well sorry.. so basically do I have everything else ok?
the thing is also that after I migrated to syslog-ng in the BSD things are not logging to their place
in /var/log either Im getting most of the stuff on the /var/log/syslog even tho as you can see in my other emails the default config already define the destinations for auth etc...
2011/9/19 Patrick H. <syslogng@feystorm.net>
Dont forget to leave the mailing list on the list of recips :-)

Anyway, its still commented out in your log {} block. If the log block has no source, it wont log anything.

log {

# source(src_eventdb);

filter(f_at_least_warn);

# filter(f_syslog);

destination(d_eventdb);

};

-Patrick

Sent: Mon Sep 19 2011 14:43:08 GMT-0600 (MST)

From: rek2 <rek2gnulinux@gmail.com>

To: Patrick H. <syslogng@feystorm.net>
Subject: Re: [syslog-ng] Problem sending logs to central log server..
Hi Patrick, thanks for your reply, yes you right sorry I did the copy and paste before I uncomented some lines since Im testing here and there..

this is how I have it now.. the last part:
#syslog-ng2mysql destinations

source src_eventdb {

unix-stream("/dev/log");

udp(ip(0.0.0.0) port(514));

};

destination d_eventdb {

pipe(

"/usr/local/icinga/var/rw/syslog-ng.pipe",

template("$HOST\t$SOURCEIP\t$PRI\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n")

template_escape(no)

);

};

filter f_at_least_warn {

# level(warn..emerg);

# level(notice..emerg);

level(info, notice, warn, crit, err, debug);

};

log {

# source(src_eventdb);

filter(f_at_least_warn);

# filter(f_syslog);

destination(d_eventdb);

};

#log {

# source(src_eventdb);

# filter(f_auth);

# destination(d_eventdb);

#};
2011/9/19 Patrick H. <syslogng@feystorm.net>
In your server config, the only listener you have on udp port 514 is defined in src_eventdb, and all src_eventdb entries are commented out.

-Patrick

Sent: Mon Sep 19 2011 11:40:15 GMT-0600 (MST)
From: rek2 <rek2gnulinux@gmail.com>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Problem sending logs to central log server..
Hello, I'm trying to sent all my logs from one openbsd server with syslog-ng to a linux ubuntu central log server also with syslog-ng of course but only the syslog-ng logs are been logged..
also when I do a "logger test" for example it gets log locally but not remotely to the log server...

here are my configs:

for the log server is basically the defaul of ubuntu with my addtions at the end.. you will see

some commented is me trying to fix this issue.

cat syslog-ng/syslog-ng.conf

#

# Configuration file for syslog-ng under Debian

#

# attempts at reproducing default syslog behavior

# the standard syslog levels are (in descending order of priority):

# emerg alert crit err warning notice info debug

# the aliases "error", "panic", and "warn" are deprecated

# the "none" priority found in the original syslogd configuration is

# only used in internal messages created by syslogd

######

# options

options {

# disable the chained hostname format in logs

# (default is enabled)

chain_hostnames(0);

# the time to wait before a died connection is re-established

# (default is 60)

time_reopen(10);

# the time to wait before an idle destination file is closed

# (default is 60)

time_reap(360);

# the number of lines buffered before written to file

# you might want to increase this if your disk isn't catching with

# all the log messages you get or if you want less disk activity

# (say on a laptop)

# (default is 0)

#sync(0);

# the number of lines fitting in the output queue

log_fifo_size(2048);

# enable or disable directory creation for destination files

create_dirs(yes);

# default owner, group, and permissions for log files

# (defaults are 0, 0, 0600)

#owner(root);

group(adm);

perm(0640);

# default owner, group, and permissions for created directories

# (defaults are 0, 0, 0700)

#dir_owner(root);

#dir_group(root);

dir_perm(0755);

# enable or disable DNS usage

# syslog-ng blocks on DNS queries, so enabling DNS may lead to

# a Denial of Service attack

# (default is yes)

use_dns(yes);

# maximum length of message in bytes

# this is only limited by the program listening on the /dev/log Unix

# socket, glibc can handle arbitrary length log messages, but -- for

# example -- syslogd accepts only 1024 bytes

# (default is 2048)

#log_msg_size(2048);

#Disable statistic log messages.

stats_freq(0);

# Some program send log messages through a private implementation.

# and sometimes that implementation is bad. If this happen syslog-ng

# may recognise the program name as hostname. Whit this option

# we tell the syslog-ng that if a hostname match this regexp than that

# is not a real hostname.

bad_hostname("^gconfd$");

keep_hostname (yes);

};

######

# sources

# all known message sources

source s_all {

# message generated by Syslog-NG

internal();

# standard Linux log source (this is the default place for the syslog()

# function to send logs to)

unix-stream("/dev/log");

# messages from the kernel

file("/proc/kmsg" log_prefix("kernel: "));

# use the following line if you want to receive remote UDP logging messages

# (this is equivalent to the "-r" syslogd flag)

# udp();

};

######

# destinations

# some standard log files

destination df_auth { file("/var/log/auth.log"); };

destination df_syslog { file("/var/log/syslog"); };

destination df_cron { file("/var/log/cron.log"); };

destination df_daemon { file("/var/log/daemon.log"); };

destination df_kern { file("/var/log/kern.log"); };

destination df_lpr { file("/var/log/lpr.log"); };

destination df_mail { file("/var/log/mail.log"); };

destination df_user { file("/var/log/user.log"); };

destination df_uucp { file("/var/log/uucp.log"); };

# these files are meant for the mail system log files

# and provide re-usable destinations for {mail,cron,...}.info,

# {mail,cron,...}.notice, etc.

destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };

destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };

destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };

destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };

destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };

# these files are meant for the news system, and are kept separated

# because they should be owned by "news" instead of "root"

destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };

destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };

destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };

# some more classical and useful files found in standard syslog configurations

destination df_debug { file("/var/log/debug"); };

destination df_messages { file("/var/log/messages"); };

# pipes

# a console to view log messages under X

destination dp_xconsole { pipe("/dev/xconsole"); };

# consoles

# this will send messages to everyone logged in

destination du_all { usertty("*"); };

######

# filters

# all messages from the auth and authpriv facilities

filter f_auth { facility(auth, authpriv); };

# all messages except from the auth and authpriv facilities

filter f_syslog { not facility(auth, authpriv); };

# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,

# and uucp facilities

filter f_cron { facility(cron); };

filter f_daemon { facility(daemon); };

filter f_kern { facility(kern); };

filter f_lpr { facility(lpr); };

filter f_mail { facility(mail); };

filter f_news { facility(news); };

filter f_user { facility(user); };

filter f_uucp { facility(uucp); };

# some filters to select messages of priority greater or equal to info, warn,

# and err

# (equivalents of syslogd's *.info, *.warn, and *.err)

filter f_at_least_info { level(info..emerg); };

filter f_at_least_notice { level(notice..emerg); };

filter f_at_least_warn { level(warn..emerg); };

filter f_at_least_err { level(err..emerg); };

filter f_at_least_crit { level(crit..emerg); };

# all messages of priority debug not coming from the auth, authpriv, news, and

# mail facilities

filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };

# all messages of info, notice, or warn priority not coming form the auth,

# authpriv, cron, daemon, mail, and news facilities

filter f_messages {

level(info,notice,warn)

and not facility(auth,authpriv,cron,daemon,mail,news);

};

# messages with priority emerg

filter f_emerg { level(emerg); };

# complex filter for messages usually sent to the xconsole

filter f_xconsole {

facility(daemon,mail)

or level(debug,info,notice,warn)

or (facility(news)

and level(crit,err,notice));

};

######

# logs

# order matters if you use "flags(final);" to mark the end of processing in a

# "log" statement

# these rules provide the same behavior as the commented original syslogd rules

# auth,authpriv.* /var/log/auth.log

log {

source(s_all);

filter(f_auth);

destination(df_auth);

};

# *.*;auth,authpriv.none -/var/log/syslog

log {

source(s_all);

filter(f_syslog);

destination(df_syslog);

};

# this is commented out in the default syslog.conf

# cron.* /var/log/cron.log

#log {

# source(s_all);

# filter(f_cron);

# destination(df_cron);

#};

# daemon.* -/var/log/daemon.log

log {

source(s_all);

filter(f_daemon);

destination(df_daemon);

};

# kern.* -/var/log/kern.log

log {

source(s_all);

filter(f_kern);

destination(df_kern);

};

# lpr.* -/var/log/lpr.log

log {

source(s_all);

filter(f_lpr);

destination(df_lpr);

};

# mail.* -/var/log/mail.log

log {

source(s_all);

filter(f_mail);

destination(df_mail);

};

# user.* -/var/log/user.log

log {

source(s_all);

filter(f_user);

destination(df_user);

};

# uucp.* /var/log/uucp.log

log {

source(s_all);

filter(f_uucp);

destination(df_uucp);

};

# mail.info -/var/log/mail.info

log {

source(s_all);

filter(f_mail);

filter(f_at_least_info);

destination(df_facility_dot_info);

};

# mail.warn -/var/log/mail.warn

log {

source(s_all);

filter(f_mail);

filter(f_at_least_warn);

destination(df_facility_dot_warn);

};

# mail.err /var/log/mail.err

log {

source(s_all);

filter(f_mail);

filter(f_at_least_err);

destination(df_facility_dot_err);

};

# news.crit /var/log/news/news.crit

log {

source(s_all);

filter(f_news);

filter(f_at_least_crit);

destination(df_news_dot_crit);

};

# news.err /var/log/news/news.err

log {

source(s_all);

filter(f_news);

filter(f_at_least_err);

destination(df_news_dot_err);

};

# news.notice /var/log/news/news.notice

log {

source(s_all);

filter(f_news);

filter(f_at_least_notice);

destination(df_news_dot_notice);

};

# *.=debug;\

# auth,authpriv.none;\

# news.none;mail.none -/var/log/debug

log {

source(s_all);

filter(f_debug);

destination(df_debug);

};

# *.=info;*.=notice;*.=warn;\

# auth,authpriv.none;\

# cron,daemon.none;\

# mail,news.none -/var/log/messages

log {

source(s_all);

filter(f_messages);

destination(d_eventdb);

};

# *.emerg *

log {

source(s_all);

filter(f_emerg);

destination(du_all);

};

# daemon.*;mail.*;\

# news.crit;news.err;news.notice;\

# *.=debug;*.=info;\

# *.=notice;*.=warn |/dev/xconsole

log {

source(s_all);

filter(f_xconsole);

destination(dp_xconsole);

};

#syslog-ng2mysql destinations

source src_eventdb {

unix-stream("/dev/log");

udp(ip(0.0.0.0) port(514));

};

destination d_eventdb {

pipe(

"/usr/local/icinga/var/rw/syslog-ng.pipe",

template("$HOST\t$SOURCEIP\t$PRI\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n")

template_escape(no)

);

};

filter f_at_least_warn {

# level(warn..emerg);

level(notice..emerg);

};

log {

# source(src_eventdb);

filter(f_at_least_warn);

# filter(f_syslog);

destination(d_eventdb);

};

#log {

# source(src_eventdb);

# filter(f_auth);

# destination(d_eventdb);

#};

HERE FOR THE BSD/CLIENT SIDE: same here is the default with openbsd syslog-ng install

with my additions at the end.

cat /etc/syslog-ng.conf

#

# Syslog-ng example configuration for for Debian GNU/Linux

#

# Copyright (c) 1999 anonymous

# Copyright (c) 1999 Balazs Scheidler

# $Id: syslog-ng.conf.sample,v 1.3 2003/05/20 08:57:27 asd Exp $

#

# Syslog-ng configuration file, compatible with default Debian syslogd

# installation.

#

options { long_hostnames(off); sync(0); keep_hostname(yes); use_dns(yes); stats (3600); };

#source src { unix-stream("/dev/log"); internal(); };

source src { unix-dgram("/dev/log"); internal(); };

source net { udp(); };

destination authlog { file("/var/log/auth.log"); };

destination syslog { file("/var/log/syslog"); };

destination cron { file("/var/log/cron.log"); };

destination daemon { file("/var/log/daemon.log"); };

destination kern { file("/var/log/kern.log"); };

destination lpr { file("/var/log/lpr.log"); };

destination user { file("/var/log/user.log"); };

destination uucp { file("/var/log/uucp.log"); };

destination ppp { file("/var/log/ppp.log"); };

destination mail { file("/var/log/mail.log"); };

destination mailinfo { file("/var/log/mail.info"); };

destination mailwarn { file("/var/log/mail.warn"); };

destination mailerr { file("/var/log/mail.err"); };

destination newscrit { file("/var/log/news/news.crit"); };

destination newserr { file("/var/log/news/news.err"); };

destination newsnotice { file("/var/log/news/news.notice"); };

destination debug { file("/var/log/debug"); };

destination messages { file("/var/log/messages"); };

destination console { usertty("root"); };

destination console_all { file("/dev/tty12"); };

#destination loghost { udp("loghost" port(999)); };

destination xconsole { pipe("/dev/xconsole"); };

#ssh filter

filter f_sshderr { match('^sshd\[[0-9]+\]: error:'); };

filter f_sshd { match('^sshd\[[0-9]+\]:'); };

#

filter f_auth { facility(auth); };

filter f_authpriv { facility(auth, authpriv); };

filter f_syslog { not facility(authpriv, mail); };

filter f_cron { facility(cron); };

filter f_daemon { facility(daemon); };

filter f_kern { facility(kern); };

filter f_lpr { facility(lpr); };

filter f_mail { facility(mail); };

filter f_user { facility(user); };

filter f_uucp { facility(cron); };

filter f_ppp { facility(local2); };

filter f_news { facility(news); };

filter f_debug { not facility(auth, authpriv, news, mail); };

filter f_messages { level(info..warn)

and not facility(auth, authpriv, mail, news); };

filter f_emergency { level(emerg); };

filter f_info { level(info); };

filter f_notice { level(notice); };

filter f_warn { level(warn); };

filter f_crit { level(crit); };

filter f_err { level(err); };

log { source(src); filter(f_authpriv); destination(authlog); };

log { source(src); filter(f_syslog); destination(syslog); };

log { source(src); filter(f_cron); destination(cron); };

log { source(src); filter(f_daemon); destination(daemon); };

log { source(src); filter(f_kern); destination(kern); };

log { source(src); filter(f_lpr); destination(lpr); };

log { source(src); filter(f_mail); destination(mail); };

log { source(src); filter(f_user); destination(user); };

log { source(src); filter(f_uucp); destination(uucp); };

log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };

log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };

log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };

log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };

log { source(src); filter(f_news); filter(f_err); destination(newserr); };

log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };

log { source(src); filter(f_debug); destination(debug); };

log { source(src); filter(f_messages); destination(messages); };

log { source(src); filter(f_emergency); destination(console); };

log { source(src); filter(f_ppp); destination(ppp); };

log { source(src); destination(console_all); };

#sent to our central log server running eventdb

destination loghost { udp("192.168.xxx.xxx" port(514)); };

log { source(src); filter(f_info); destination(loghost); };

log { source(src); filter(f_syslog); destination(loghost); };

log { source(src); filter(f_authpriv); destination(loghost); };

log { source(src); filter(f_user); destination(loghost); };

log { source(src); filter(f_emergency); destination(loghost); };

log { source(src); filter(f_sshd); destination(loghost); };

log { source(src); filter(f_sshderr); destination(loghost); };

log { source(src); filter(f_kern); destination(loghost); };
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq