Dear, I don't know if the problem is me or what :) As I understood, you sent me a configuration related to which interface I'll use to receive logs, but this is not the problem. The problem is that when I receive logs from the remote server whose IP is 163.121.189.131, I want the logs of this server sent to my email. I'm sorry if I used the configuration in a wrong way that made you not understand me. Anyway, I'm trying now some kind of solution; I don't know if it can be a way to do what I want or not. I did the following:
========================================================================================
# file paths must be quoted in syslog-ng.conf
source sme { file("/var/log/syslog-ng/servers/163.121.189.131/local7.log"); };
destination maillog { program("/usr/local/bin/syslog-mail-perl"); };
log { source(sme); destination(maillog); };
========================================================================================
As you see, I try to make the source the file that contains the logs of the remote server 163.121.189.131 and try to send it to a script that mails it to me, but when I try, nothing happens.
I'll attach the full configuration file and the mail script; I make it send to root, for example, in the first configuration file:
=================================================================
# configuration file for syslog-ng, customized for remote logging
#
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };

# Remote logging
source s_remote {
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};
destination d_separatedbyhosts {
    file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log"
        owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
log { source(s_remote); destination(d_separatedbyhosts); };

# This is the new part that I did
# (file paths must be quoted in syslog-ng.conf)
source sme { file("/var/log/syslog-ng/servers/172.31.250.68/local7.log"); };
destination maillog { program("/usr/local/bin/syslog-mail-perl"); };
log { source(sme); destination(maillog); };

options {
    # Number of syslog lines stored in memory before being written to files
    flush_lines (0);
    # Syslog-ng uses queues
    log_fifo_size (1000);
    # Create log directories as needed
    create_dirs (yes);
    # Make the group "logs" own the log files and directories
    group (logs);
    dir_group (logs);
    # Set the file and directory permissions
    perm (0640);
    dir_perm (0750);
    # Check client hostnames for valid DNS characters
    check_hostname (yes);
    # Specify whether to trust hostname in the log message.
    # If "yes", then it is left unchanged, if "no" the server replaces
    # it with client's DNS lookup value.
    keep_hostname (yes);
    # Use DNS fully qualified domain names (FQDN)
    # for the names of log file folders
    use_fqdn (yes);
    use_dns (yes);
    # Cache DNS entries for up to 1000 hosts for 12 hours
    dns_cache (yes);
    dns_cache_size (1000);
    dns_cache_expire (43200);
};

# Define all the source
source s_localhost {
    pipe ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
};
# Define the destination "d_localhost" log directory
destination d_localhost { file ("/var/log/syslog-ng/localhost/$FACILITY.log"); };
#================================
#================================
# Define all the sources of network generated syslog
# messages and label it "d_network"
# (note: tcp() and udp() default to 0.0.0.0 port 514, which s_remote above already binds)
source s_network { tcp(max-connections(5000)); udp(); };
# Define the destination "d_network" log directory
destination d_network { file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log"); };
#=======================
#=======================
# Any logs that match the "s_localhost" source should be logged
# in the "d_localhost" directory
log { source(s_localhost); destination(d_localhost); };
#=======================
===========================================================================
and the following is the mail script
+++++++++++++++++++++++++++++++++++++++++++++++
#!/usr/bin/perl -n
# thanks to Brian Dowling for an example with security in mind.
# Started by syslog-ng's program() destination; -n runs this body once per line on stdin.
$TO = 'root';
$FROM = $TO;
chomp;              # drop the trailing newline so it cannot end up inside the Subject header
s/^<\d{1,2}>//;     # strip a leading syslog priority such as <15>, if present
open(MAIL, "|/usr/sbin/sendmail -t") or die "cannot run sendmail: $!";
print MAIL <<"EOT";
To: $TO
From: $FROM
Subject: SME Log Alert: $_

$_
EOT
close(MAIL);
+++++++++++++++++++++++++++++++++++++++++++++++
Thanks for your patience and help,
Reaky
Date: Sat, 4 Jul 2009 13:02:37 +0200
From: Sandor.Geller@morganstanley.com
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] Send a specific log by email
...and to provide actual help: use filters based on hostname or the IP address
filter f_myhostname {
    host("^myhostname$"); # this is a regexp, not a simple string
};
filter f_myipaddress {
    netmask("127.0.0.1/32");
};
later in your log definitions just use the filters:
log {
    source(...);
    filter(...);
    destination(...);
    flags(final); # so the logs won't get processed by further log definitions
};
In the admin guide you can find more details about the configuration possibilities.
hth,
Sandor
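The filter approach applied to the setup posted earlier in this thread, as an added example that is not part of Sandor's reply or of the syslog-ng project (the IP address, file paths and destination names come from the thread; everything else is assumed):

```conf
# Receive from remote hosts. ip() is the local bind address, not a sender filter.
source s_remote {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

# netmask() matches the address the message was received from (the packet's
# source IP), so it does not depend on the hostname the client writes into the
# message, which keep_hostname(yes) would otherwise trust as-is.
filter f_sme { netmask("163.121.189.131/32"); };

# program() starts the script once and writes one message per line to its
# stdin, which is what a "perl -n" mail script expects.
destination d_mail { program("/usr/local/bin/syslog-mail-perl"); };

destination d_separatedbyhosts {
    file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log"
        owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};

# Messages from 163.121.189.131 are both mailed and filed; flags(final) stops
# them from being handled again by the catch-all path below.
log {
    source(s_remote);
    filter(f_sme);
    destination(d_mail);
    destination(d_separatedbyhosts);
    flags(final);
};

# Everything else is only filed per host.
log { source(s_remote); destination(d_separatedbyhosts); };
```

Over UDP the source address the netmask() filter checks is whatever the sender put in the packet, so a TCP source gives the filter a more trustworthy address; adding a level() filter (for example level(warning..emerg)) to the mail path keeps the mailbox from receiving every line the host emits.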
On Sat, Jul 4, 2009 at 12:48 PM, Sandor Geller<sandorg@morganstanley.com> wrote:
Hi,
Local means that the host syslog-ng is running on has the IP address configured on one of the network interfaces. Apps can bind only to 0.0.0.0 or to local IP addresses, not to remote addresses. I think you're after filtering based on the remote host's IP address, not binding to the IP address.
Regards,
Sandor
2009/7/4 Reaky Rok <reakyrok@hotmail.com>:
Dear, what do you mean by local IP? Do you mean it's in the same subnet? Anyway, it's a routed IP, not in the same subnet as the syslog server. But anyway, what is the right option to filter the requests from this IP only???
From: bazsi@balabit.hu
To: syslog-ng@lists.balabit.hu
Date: Fri, 3 Jul 2009 15:57:08 +0200
Subject: Re: [syslog-ng] Send a specific log by email
On Thu, 2009-07-02 at 11:34 +0300, Reaky Rok wrote:
I modified it and it gave me the following result after restarting:
Error binding socket; addr='AF_INET(163.121.189.131:514)', error='Cannot assign requested address (99)'
Error initializing source driver; source='s_remote', id='s_remote#0'
Error initializing message pipeline;
[FAILED]
Is it possible that this is because I used the same source name in the first part of the configuration?
Is 163.121.189.131 a local IP address? The ip() option of source drivers specifies the bind address, not the address to accept messages from.
-- Bazsi
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html