I have tried like this: on a remote Linux host (Ubuntu 9.04) I have configured syslog-ng like this:

    source s_internal { internal(); };
    source s_local { file("/proc/kmsg" log_prefix("kernel: ")); unix-stream("/dev/log"); };
    destination d_localfile { file("/home/cosmin/syslog.log"); };
    destination d_remote { tcp("192.168.53.248" port(514)); };   # I have tried with udp also
    log { source(s_local); destination(d_localfile); };
    log { source(s_internal); destination(d_localfile); };
    log { source(s_local); destination(d_remote); };

On the syslog server (Fedora Core 10), the configuration is:

    source s_remote_tcp { tcp(ip(0.0.0.0) port(514)); };   # I have tried with udp also
    destination d_localfile { file("/root/syslog.log"); };
    log { source(s_remote_tcp); destination(d_localfile); };

After a few tests, I have noticed (with the help of Wireshark) the following:

1. In the UDP case, it sends the logs; I can see the packets arriving on the server with tcpdump, but the server returns an ICMP error Destination Unreachable, with code "Host Administratively Prohibited".
2. The same thing in the TCP case, only that the message is not sent; only the first SYN packet trying to establish the TCP connection, and it receives the same ICMP error from the server.

On the server I have Fedora Core 10, with SELinux disabled. No firewall at all. Actually I don't know yet how to configure iptables.

I have noticed that on the server, if I try to define a source like this:

    source s_remote_tcp { tcp(ip(192.168.53.151) port(514)); };

it will give an error:

    Starting syslog-ng: Error binding socket; addr='AF_INET(192.168.53.151:514)', error='Cannot assign requested address (99)'
    Error initializing source driver; source='s_remote_tcp'

Please, can someone help me with this problem? I don't know what could be blocking the packets, whether it is because of the OS or because of the syslog-ng configuration.

Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36 Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
www.omnilogic.ro

Siem Korteweg wrote:
Hi,
try to split the sources. The following works for me (tcp instead of udp) for OSE 3.0.2. All syslog-ng clients (and the server) have the following sources and destinations:
source s_internal { internal(); };
destination d_syslogng_log { file("/var/log/syslog-ng.log"); };
source s_local { unix-dgram("/dev/log"); file("/proc/kmsg" program_override("kernel:")); };
destination d_remote { tcp("logserver.f.q.d.n" port(514) ) ; };
destination d_local { file("/var/log/messages"); };
log { source( s_internal ); destination( d_remote ); };
log { source( s_internal ); destination( d_syslogng_log ); };
log { source( s_local ); destination( d_remote ); };
log { source( s_local ); destination( d_local ); };
All messages are logged in the local file /var/log/messages or in /var/log/syslog-ng.log and forwarded to the logserver. The syslog-ng server has the following additional sources and destinations:
source s_network { tcp (ip("logserver.f.q.d.n") port(514)); };
destination d_network { file("/var/log/syslog-ng/hosts/$HOST_FROM/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY" create_dirs(yes)); };
log { source( s_network ); destination( d_network ); };
Change tcp to udp and change the fqdn to 0.0.0.0. Check /var/log/syslog-ng.log for errors during the processing of messages.
regards,
Siem Korteweg
-----Original message-----
From: syslog-ng-bounces@lists.balabit.hu on behalf of Cosmin Neagu
Sent: Wed 1-7-2009 14:25
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng beginners guide
Yes, that was the first thing I checked; even now I have checked it again, and the logs are still coming to the Linux box where syslog is installed.

    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    15:23:16.916213 IP (tos 0x0, ttl 255, id 125, offset 0, flags [none], proto UDP (17), length 173) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 145
            Facility local7 (23), Severity notice (5)
            Msg: 126: *Jul 1 15:23:18.030: %OSPF-5-ADJCHG: Proces[|syslog]
    15:23:16.918286 IP (tos 0x0, ttl 255, id 126, offset 0, flags [none], proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 110
            Facility local7 (23), Severity notice (5)
            Msg: 127: *Jul 1 15:23:18.110: %LDP-5-NBRCHG: LDP Nei[|syslog]
    15:23:17.876055 IP (tos 0x0, ttl 255, id 127, offset 0, flags [none], proto UDP (17), length 136) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 108
            Facility local7 (23), Severity notice (5)
            Msg: 128: *Jul 1 15:23:19.954: %LINK-5-CHANGED: Inter[|syslog]
    15:23:18.979640 IP (tos 0x0, ttl 255, id 128, offset 0, flags [none], proto UDP (17), length 140) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 112
            Facility local7 (23), Severity info (6)
            Msg: 129: *Jul 1 15:23:19.958: %ENTITY_ALARM-6-INFO: [|syslog]
    15:23:19.859450 IP (tos 0x0, ttl 255, id 129, offset 0, flags [none], proto UDP (17), length 140) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 112
            Facility local7 (23), Severity notice (5)
            Msg: 130: *Jul 1 15:23:20.954: %LINEPROTO-5-UPDOWN: L[|syslog]

And unfortunately, I'm the only person in the company who knows a little bit of Linux, so I don't have anybody to ask...
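Editor's added example, not from the thread and not syslog-ng's own tooling: tcpdump captures a datagram before netfilter's INPUT chain decides on it, so a sender that shows up in tcpdump while syslog-ng counts nothing from its udp() source, together with the ICMP "Host Administratively Prohibited" replies reported in the message at the top of the thread, is what an iptables REJECT rule looks like from outside (Fedora's stock ruleset ends INPUT with `-j REJECT --reject-with icmp-host-prohibited`). The script parses iptables-save text, walks the INPUT chain for a fresh UDP datagram or TCP SYN to port 514 from the router, and reports the verdict before and after a narrow ACCEPT rule is inserted. The ruleset is a constructed sample; 10.0.0.1 is the router address from the thread.

```python
"""Editor's added example: walk the host's iptables INPUT chain the way
netfilter does for a fresh UDP datagram or TCP SYN to port 514 and report
whether syslog traffic from the router is accepted or answered with ICMP."""
import ipaddress
import shlex

SYSLOG_PORT = 514

# Constructed sample mimicking a stock Fedora ruleset (ssh admitted, everything
# else answered with ICMP host-prohibited); not captured from the thread's hosts.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_ruleset(text):
    """(policies, chains) from iptables-save text. Models -p -s -i --dport
    --state -j --reject-with; every option is assumed to take one argument."""
    policies, chains = {}, {}
    simple = {"-p": "proto", "-i": "iface", "-j": "target", "--reject-with": "reject_with"}
    for line in text.splitlines():
        if line.startswith(":"):                     # ':INPUT ACCEPT [0:0]'
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
            continue
        toks = shlex.split(line)
        if toks[:1] != ["-A"]:                       # '*filter', 'COMMIT', '# ...'
            continue
        rule = dict(proto=None, src=None, iface=None, dport=None,
                    states=None, target=None, reject_with=None)
        for opt, arg in zip(toks[2::2], toks[3::2]):
            if opt in simple:
                rule[simple[opt]] = arg
            elif opt == "-s":
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--state":
                rule["states"] = set(arg.split(","))
        chains.setdefault(toks[1], []).append(rule)
    return policies, chains


def verdict(policies, chains, proto, src, chain="INPUT"):
    """(target, reject_with) for a state-NEW packet from src to SYSLOG_PORT;
    None when a user-defined chain falls through (RETURN to the caller)."""
    pkt_src = ipaddress.ip_address(src)
    for r in chains.get(chain, []):
        if r["proto"] and r["proto"] != proto:
            continue
        if r["src"] is not None and pkt_src not in r["src"]:
            continue
        if r["iface"] == "lo" or (r["dport"] and r["dport"] != SYSLOG_PORT):
            continue                                 # remote traffic never enters on lo
        if r["states"] and "NEW" not in r["states"]:
            continue
        if r["target"] == "RETURN":
            break
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"], r["reject_with"]
        if r["target"] in chains:                    # user-defined chain: descend
            sub = verdict(policies, chains, proto, src, r["target"])
            if sub is not None:
                return sub
    policy = policies.get(chain, "-")
    return (policy, None) if policy in ("ACCEPT", "DROP") else None


def check_syslog_path(save_text, router_ip):
    """{proto: (target, reject_with)} for UDP and TCP 514 from router_ip."""
    policies, chains = parse_ruleset(save_text)
    return {p: verdict(policies, chains, p, router_ip) or ("ACCEPT", None)
            for p in ("udp", "tcp")}


def with_router_rule(save_text, router_ip):
    """Same ruleset plus ACCEPT for 514/udp and 514/tcp from router_ip only,
    inserted ahead of the first INPUT REJECT (or before COMMIT): order decides."""
    out, done = [], False
    for line in save_text.splitlines():
        if not done and (line == "COMMIT" or
                         (line.startswith("-A INPUT") and " -j REJECT" in line)):
            out += ["-A INPUT -s %s/32 -p %s -m %s --dport %d -j ACCEPT"
                    % (router_ip, p, p, SYSLOG_PORT) for p in ("udp", "tcp")]
            done = True
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("stock:           ", check_syslog_path(SAMPLE_RULESET, "10.0.0.1"))
    print("with router rule:", check_syslog_path(with_router_rule(SAMPLE_RULESET, "10.0.0.1"), "10.0.0.1"))
```

On the Fedora box, `iptables-save` run as root prints the live ruleset; passing that text to check_syslog_path() in place of SAMPLE_RULESET gives the same verdict the kernel applies. The rule with_router_rule() adds admits port 514 from the one router address only, and it has to sit above the REJECT line because the first matching rule wins; on Fedora `service iptables save` keeps the change across a reboot. The "Cannot assign requested address" bind error in the message at the top of the thread is a separate matter: a server-side source can only bind an ip() that is configured on the server's own interfaces, or 0.0.0.0 for all of them.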
Ulrich.Wiemers@t-systems.com wrote:
Hi, I don't see anything in your config... Are you sure your syslog messages are sent to the UDP port syslog-ng is listening on (normally 514)? Did you verify that with one of snoop, ethereal, wireshark and the like? Just an idea... hth Ulli
------------------------------------------------------------------------
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On behalf of Cosmin Neagu
Sent: Wednesday, 1 July 2009 14:15
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng beginners guide
Hello again, things are evolving a little bit.

Now the syslog-ng conf is configured like this:

    source s_router_udp { udp(); };
    destination d_mysql {
        pipe("/tmp/mysql.pipe"
             template("INSERT INTO syslog_incoming (facility, priority, date, time, host, message, seq) VALUES ( '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$HOST', '$MSG', '$SEQ' );\n")
             template-escape(yes));
    };
    log { source(s_router_udp); destination(d_mysql); };
    log { source(s_sys); destination(d_mysql); };
The second log statement is working, because I can see entries in the syslog_incoming table, and I also see the log in Cacti:

    mysql> select * from syslog_incoming;
    +----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
    | facility | priority | date       | time     | host          | message                                                          | seq | status |
    +----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
    | syslog   | info     | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: Termination requested via signal, terminating; |  22 |      0 |
    | syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: syslog-ng shutting down; version='2.0.10'      |  23 |      0 |
    | syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[21587]: syslog-ng starting up; version='2.0.10'        |  24 |      0 |
    | authpriv | info     | 2009-07-01 | 11:56:06 | monitorizare1 | sshd[21567]: Connection closed by 127.0.0.1                      |  21 |      0 |
    +----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
    4 rows in set (0.00 sec)
But I don't know what the problem is with the first log statement, or how to fix it. Can anyone help a little? Maybe with some documentation, or maybe someone has encountered a similar problem?
PS: Something else that I noticed, and I don't know what it means. One of the syslog-ng messages is like this:

    syslog-ng[20083]: Log statistics; dropped='pipe(/tmp/mysql.pipe)=0', processed='center(queued)=30', processed='center(received)=15', processed='destination(d_boot)=0', processed='destination(d_auth)=4', processed='destination(d_cron)=9', processed='destination(d_mysql)=15', processed='destination(d_mlal)=0', processed='destination(d_mesg)=2', processed='destination(d_cons)=0', processed='destination(d_spol)=0', processed='destination(d_mail)=0', processed='source(s_sys)=15', processed='source(s_router_udp)=0'

What could be the cause for that "dropped" there? Shouldn't it be "processed"?

Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36 Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
www.omnilogic.ro
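Editor's added example, not from the thread and not syslog-ng code: the d_mysql template above splices $MSG straight into an INSERT, so the text of every router message becomes part of a SQL statement, and template-escape(yes) is what keeps a quote inside a message from ending the string literal. (The dropped='pipe(/tmp/mysql.pipe)=0' counter in the statistics is the number of messages the pipe destination had to discard; zero means nothing was lost.) The script decodes a Cisco IOS datagram the way tcpdump did in the messages above (PRI 189 = local7*8 + notice), renders the thread's INSERT with and without escaping, and stores the fields through a parameterised statement. The datagrams, the host 10.0.0.1 and the date and time are constructed; sqlite3 stands in for MySQL so the block runs offline, and because sqlite does not read MySQL's backslash escapes the escaped render is checked structurally rather than executed.

```python
"""Editor's added example: decode a Cisco IOS syslog datagram into the fields
the thread's d_mysql template uses, render that INSERT with and without
template-escape(yes), and store the fields with a parameterised statement.
sqlite3 stands in for MySQL so the block runs offline."""
import re
import sqlite3

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Cisco IOS wire format: <PRI>SEQ: *Mon DD HH:MM:SS.mmm: %FAC-SEV-MNEMONIC: text
CISCO_RE = re.compile(r"^<(\d{1,3})>(\d+): \*?([A-Z][a-z]{2} +\d+ [\d:.]+): (%.*)$")

# Constructed datagrams modelled on the tcpdump lines in the thread
# (facility local7 = 23, severity notice = 5, so PRI = 23*8 + 5 = 189).
SAMPLE_PLAIN = ("<189>126: *Jul 1 15:23:18.030: %OSPF-5-ADJCHG: Process 1, "
                "Nbr 10.0.0.2 on Serial0/0 from LOADING to FULL, Loading Done")
SAMPLE_QUOTED = ("<189>131: *Jul 1 15:23:21.001: %SYS-5-CONFIG_I: Configured "
                 "from console by o'neil on vty0")


def parse_cisco_syslog(datagram):
    """Facility/severity names, sequence number, router timestamp and text."""
    m = CISCO_RE.match(datagram)
    if not m:
        raise ValueError("not a Cisco-style syslog datagram")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    return {"facility": FACILITIES[pri >> 3],      # PRI = facility*8 + severity
            "priority": SEVERITIES[pri & 7],
            "seq": int(m.group(2)),
            "router_time": m.group(3),
            "message": m.group(4)}


def fields_for(datagram, host="10.0.0.1", date="2009-07-01", time="15:23:18"):
    """Parsed datagram plus the receiver-side macros ($HOST and the $DATE parts)."""
    return dict(parse_cisco_syslog(datagram), host=host, date=date, time=time)


def template_escape(value):
    """What syslog-ng's template-escape(yes) does: backslash-prefix ', " and \\."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


# The thread's template, with $YEAR-$MONTH-$DAY and $HOUR:$MIN:$SEC pre-joined.
INSERT_TEMPLATE = ("INSERT INTO syslog_incoming (facility, priority, date, time, host, "
                   "message, seq) VALUES ( '%(facility)s', '%(priority)s', '%(date)s', "
                   "'%(time)s', '%(host)s', '%(message)s', '%(seq)s' );")


def render_insert(fields, escape):
    """Render the INSERT as syslog-ng would, with or without template-escape."""
    f = {k: template_escape(str(v)) if escape else str(v) for k, v in fields.items()}
    return INSERT_TEMPLATE % f


def unescaped_quotes(sql):
    """Quotes not preceded by a backslash, i.e. the ones MySQL reads as string
    delimiters. A well-formed statement for this template has exactly 14."""
    return sum(1 for i, c in enumerate(sql) if c == "'" and sql[i - 1:i] != "\\")


SCHEMA = ("CREATE TABLE syslog_incoming (facility TEXT, priority TEXT, date TEXT, "
          "time TEXT, host TEXT, message TEXT, seq INTEGER, status INTEGER DEFAULT 0)")
COLUMNS = ("facility", "priority", "date", "time", "host", "message", "seq")


def store(fields, mode):
    """Insert into a fresh in-memory table: mode 'raw' executes the unescaped
    template text, 'param' binds the values. Returns the stored message, or
    None if the statement failed (a quote in the message breaks the raw form)."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    try:
        if mode == "raw":
            db.execute(render_insert(fields, escape=False))
        else:
            db.execute("INSERT INTO syslog_incoming (%s) VALUES (%s)"
                       % (", ".join(COLUMNS), ", ".join("?" * len(COLUMNS))),
                       tuple(fields[c] for c in COLUMNS))
    except sqlite3.Error:
        return None
    row = db.execute("SELECT message FROM syslog_incoming").fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for d in (SAMPLE_PLAIN, SAMPLE_QUOTED):
        f = fields_for(d)
        print(f["facility"], f["priority"], f["seq"],
              "| raw insert ok:", store(f, "raw") is not None,
              "| param insert ok:", store(f, "param") is not None,
              "| delimiters with template-escape:", unescaped_quotes(render_insert(f, True)))
```

The raw render of the second datagram fails because the apostrophe in the message ends the string literal early; with template-escape(yes) the same message renders as o\'neil and the statement keeps its fourteen delimiters, which is what MySQL needs. A pipe() destination only moves data while something reads the FIFO at the other end (typically a loop feeding the mysql client from /tmp/mysql.pipe), so that reader is the first thing to check when rows from a source stop appearing.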
Cosmin Neagu wrote:
Thanks a lot Ulrich, that site contains great documentation; I'm starting to understand how syslog-ng works. But let me tell you the problem with which I'm stuck right now.

A router (10.0.0.1) is sending syslog messages to a Linux box (Fedora). I can see the messages arriving at the server:

    [root@monitorizare1 ~]# tcpdump -v src 10.0.0.1
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    10:09:07.941254 IP (tos 0x0, ttl 255, id 80, offset 0, flags [none], proto UDP (17), length 115) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 87
            Facility local7 (23), Severity error (3)
            Msg: 81: *Jul 1 10:09:10.027: %LINK-3-UPDOWN: Interfa[|syslog]
    10:09:08.760267 IP (tos 0x0, ttl 255, id 81, offset 0, flags [none], proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 110
            Facility local7 (23), Severity info (6)
            Msg: 82: *Jul 1 10:09:10.031: %ENTITY_ALARM-6-INFO: C[|syslog]
    10:09:09.755868 IP (tos 0x0, ttl 255, id 82, offset 0, flags [none], proto UDP (17), length 137) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 109
            Facility local7 (23), Severity notice (5)

I have configured syslog-ng.conf like this:

    source s_router_udp {
        internal();
        file("/proc/kmsg" log_prefix("kernel: "));
        udp(ip(0.0.0.0) port(514));
        #unix-stream("/dev/log");
    };
    destination d_localfile { file("/root/testlog"); };
    log { source(s_router_udp); destination(d_localfile); };

The problem is that in /root/testlog I can't see any log, except those generated internally by syslog-ng:

    Jul 1 09:31:36 monitorizare1 syslog-ng[17787]: syslog-ng starting up; version='2.0.10'
    Jul 1 09:32:49 monitorizare1 syslog-ng[17787]: Termination requested via signal, terminating;
    Jul 1 09:32:50 monitorizare1 syslog-ng[17812]: syslog-ng starting up; version='2.0.10'
    Jul 1 09:42:50 monitorizare1 syslog-ng[17812]: Log statistics; processed='center(queued)=6', processed='center(received)=6', processed='destination(d_boot)=0', processed='destination(d_auth)=2', processed='destination(d_cron)=2', processed='destination(d_mlal)=0', processed='destination(d_localfile)=1', processed='destination(d_mesg)=1', processed='destination(d_cons)=0', processed='destination(d_spol)=0', processed='destination(d_mail)=0', processed='source(s_sys)=5', processed='source(s_router_udp)=1'
    Jul 1 09:45:11 monitorizare1 syslog-ng[17812]: Termination requested via signal, terminating;
    Jul 1 09:45:11 monitorizare1 syslog-ng[18840]: syslog-ng starting up; version='2.0.10'
    Jul 1 09:47:43 monitorizare1 syslog-ng[18840]: Termination requested via signal, terminating;
    Jul 1 09:47:43 monitorizare1 syslog-ng[19009]: syslog-ng starting up; version='2.0.10'

I can't find anything in the syslog-ng Admin Guide about how messages received from remote hosts can be inserted into files.

Can anyone help me? I feel that I'm close to a solution.
Ulrich.Wiemers@t-systems.com wrote:
Hi, I was in a similar situation some weeks ago. The Admin Guide found at
http://www.balabit.com/support/documentation/?product=syslog-ng was of great help to me.
And, of course, Google ;-)
hth
Ulli
-----Original message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On behalf of Cosmin Neagu
Sent: Tuesday, 30 June 2009 14:49
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Syslog-ng beginners guide
Hello everybody,

Sorry for bothering you with a beginner's question. I have a Cacti implementation in my network and I want to integrate it with syslog-ng. I have mostly Cisco routers, all configured to send syslog messages to two Linux boxes (Ubuntu 9.04 and Fedora Core 10) where I have installed syslog-ng.

I'm not able to find where the logs are kept, and this drives me crazy. Do you know any site or resource where I can find a beginner's guide about using syslog-ng with Cisco routers? I mean, a guide for someone who has never used syslog-ng before.

Thanks.

--
Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36 Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
www.omnilogic.ro
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html