Yea, I created a catch-all log statement and it turns out even though I'm specifying kern.crit to logger, it is coming across as user.crit.. Looking into this now.

Thx, CC

On Wed, Jul 21, 2010 at 10:42 AM, Patrick H. <syslogng@feystorm.net> wrote:

Are you sure there's not something else going on? Try removing the filter just to test and make sure it's getting anything.

processed='source(s_streams)=*26*'

Sent: Wednesday, July 21, 2010 11:35:13 AM
From: Me <infosec@gmail.com>
To: chuck.carson@gmail.com, Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Messages Not Getting Logged

I use a local source like this:

source local {
    sun-streams("/dev/log");
    udp(ip(0.0.0.0) port(514));
    internal();
};

Seems that at some point I started leaving off the "door" part. My version control logs don't specify why, bummer. Give it a shot like that.
I don't know if I ever got my Solaris boxes onto syslog-ng version 3.x though. Give this a quick shot and see if it makes things any better with your version.

On Wed, Jul 21, 2010 at 10:28 AM, Chuck <chuck.carson@gmail.com> wrote:

Thanks for pointing that out.. I did find the correct door file:

Drw-r--r-- 1 root root 0 Jul 21 09:36 /var/run/syslog_door

I fixed the config and bounced syslog-ng but still not getting any log messages.. Looking at the stats I do see where there are logs coming from the internal() source:

'source(s_internal)=6', processed='center(queued)=0', processed='destination(l_internal)=6'
Jul 21 09:34:56 asglogpup01 syslog-ng[8865]: Log statistics; processed='center(received)=0', processed='destination(l_messages)=0', processed='source(s_streams)=26', processed='src.internal(s_internal#0)=8', stamp='src.internal(s_internal#0)=1279729796', processed='source(s_internal)=8', processed='center(queued)=0', processed='destination(l_internal)=8'

Anyone have any ideas?
Thx, CC

On Wed, Jul 21, 2010 at 9:29 AM, Patrick H. <syslogng@feystorm.net> wrote:

I had to set up some Solaris boxes several months ago with syslog and had trouble getting the exact config as well. Unfortunately those boxes are now gone so I can't pull the configuration off them, but I do know that /etc/.syslog_door was not the door file. I believe it was /var/run/syslog_door

Sent: Wednesday, July 21, 2010 10:11:41 AM
From: Chuck <chuck.carson@gmail.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] Messages Not Getting Logged

Hello,
I am using the sunfreeware build of syslog-ng 3.04 on a Solaris 10 Update 8 system:

syslog-ng 3.0.4
Revision:ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master#1b5d618e301ad94aa20e692ffba16469dece8d10
Compile-Date: Sep 2 2009 05:14:23
Enable-Threads: off
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: on
Enable-Sun-Door: on
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: off
Enable-Linux-Caps: off
Enable-Pcre: on

My internal() source is working but the sun-streams source is not.
Here are my options:

options {
    use_fqdn(no);
    flush_lines(0);
    dir_perm(0755);
    dir_group(sysadmin);
    dir_owner(root);
    perm(0644);
    stats_freq(300);
    use_dns(no);
    create_dirs(yes);
    time_reopen(10);
};

Here are my sources:

source s_internal { internal(); };
source s_udp { udp(); };
source s_tcp { tcp(); };
source s_streams { sun-streams ("/dev/log" door("/etc/.syslog_door")); };

Here are my filters so far:

# Level Filters
filter f_emerg { level (emerg); };
filter f_alert { level (alert .. emerg); };
filter f_crit { level (crit .. emerg); };
filter f_err { level (err .. emerg); };
filter f_warning { level (warning .. emerg); };
filter f_notice { level (notice .. emerg); };
filter f_info { level (info .. emerg); };
filter f_debug { level (debug .. emerg); };

# Facility Filters
filter f_kern { facility (kern); };
filter f_user { facility (user); };
filter f_mail { facility (mail); };
filter f_daemon { facility (daemon); };
filter f_auth { facility (auth); };
filter f_syslog { facility (syslog); };
filter f_lpr { facility (lpr); };
filter f_news { facility (news); };
filter f_uucp { facility (uucp); };
filter f_cron { facility (cron); };
filter f_local0 { facility (local0); };
filter f_local1 { facility (local1); };
filter f_local2 { facility (local2); };
filter f_local3 { facility (local3); };
filter f_local4 { facility (local4); };
filter f_local5 { facility (local5); };
filter f_local6 { facility (local6); };
filter f_local7 { facility (local7); };

Here are my destinations so far:

# Destinations: local files, the console, and the client files
destination l_internal { file ("/var/adm/syslog-ng"); };
destination l_authlog { file ("/var/log/authlog"); };
destination l_messages { file ("/var/log/messages"); };
destination l_maillog { file ("/var/log/maillog"); };
destination l_ipflog { file ("/var/log/ipflog"); };
destination l_imaplog { file ("/var/log/imaplog"); };
destination l_syslog { file ("/var/log/syslog"); };
destination l_console { file ("/dev/console"); };

Here are my log statements:

log { source (s_internal); destination (l_internal); }; # <==== this one is working
log { source (s_streams); filter (f_kern); filter (f_debug); destination (l_messages); }; # <====== this one is not working

I have tried the following logger tests and am not getting anything logged:

logger -p kern.debug "some message"
logger -p kern.crit "some message"
logger -p kern.info "some message"

I have restarted syslog-ng and ensured that it is using my most recent syslog-ng.conf file.
Thanks for any help, CC
________________________________
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation:http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
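
The statistics check suggested in the thread (a non-zero source counter next to a zero destination counter), automated as an added example that is not part of the original messages. The sample line is the one quoted above; `LOG_PATHS` is typed in from the posted log statements, and `parse_stats` and `diagnose` are hypothetical helper names.

```python
import re

# Statistics line quoted in the thread (syslog-ng 3.0 "Log statistics" format).
STATS_LINE = (
    "Jul 21 09:34:56 asglogpup01 syslog-ng[8865]: Log statistics; "
    "processed='center(received)=0', processed='destination(l_messages)=0', "
    "processed='source(s_streams)=26', processed='src.internal(s_internal#0)=8', "
    "stamp='src.internal(s_internal#0)=1279729796', "
    "processed='source(s_internal)=8', processed='center(queued)=0', "
    "processed='destination(l_internal)=8'"
)

# Log paths from the posted configuration: (source, destination, filtered?).
LOG_PATHS = [
    ("s_internal", "l_internal", False),
    ("s_streams", "l_messages", True),
]

# Matches type='kind(name)=value', e.g. processed='source(s_streams)=26'.
COUNTER_RE = re.compile(r"(\w+)='([\w.]+)\(([^)]*)\)=(\d+)'")

def parse_stats(line):
    """Return {(kind, name): count} for each processed= counter on the line."""
    return {
        (kind, name): int(value)
        for stat, kind, name, value in COUNTER_RE.findall(line)
        if stat == "processed"  # skip stamp= entries, which are timestamps
    }

def diagnose(line, log_paths):
    """Compare what each source received with what its destination wrote."""
    counters = parse_stats(line)
    findings = []
    for source, dest, filtered in log_paths:
        received = counters.get(("source", source), 0)
        written = counters.get(("destination", dest), 0)
        if received == 0:
            verdict = "source not receiving"
        elif written == 0:
            verdict = "received but filtered out" if filtered else "received but not written"
        else:
            verdict = "ok"
        findings.append((source, dest, received, written, verdict))
    return findings

if __name__ == "__main__":
    for finding in diagnose(STATS_LINE, LOG_PATHS):
        print(finding)
```

A "received but filtered out" verdict for s_streams points at the filters rather than the door file, which is what the catch-all log statement in the latest reply then confirmed.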