Thanks for the response. It looks like there may be a problem with my install or a bug somewhere. With the config file below, I'm still not getting messages in my /var/log/remote/parsed.log file. However, when I comment out "parser(p_db);" in the log section of the config, messages begin showing up.

After a bit more investigation, when I receive the first remote log message over UDP, the following appears in my /var/log/messages:

kernel: : [89941.138626] syslog-ng[16473]: segfault at 00000010 eip 08063e49 esp bfa1a490 error 4

Even after this, the process is still running and the ports are still open. At this point, I'm not really sure how to diagnose the problem.

-Nate
Other than that, here is my syslog-ng.conf file:
@version: 3.0
#Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
#
options { };
######
# sources
source s_local {
    # message generated by Syslog-NG
    internal();
    # standard Linux log source (this is the default place for the syslog()
    # function to send logs to)
    unix-stream("/dev/log");
    # messages from the kernel
    file("/proc/kmsg" program_override("kernel: "));
};
source s_net { udp(); tcp(); };
parser p_db { db-parser(); };
######
# destinations
destination d_messages { file("/var/log/messages"); };
destination d_parsed { file("/var/log/remote/parsed.log"); };
log { source(s_local); destination(d_messages); };
log { source(s_net); destination(d_parsed); parser(p_db); };
The log statements define a 'pipeline'; thus your messages will reach the db-parser() only after having been written to the d_parsed destination.
And here is my windows.xml file:
<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='2' pub_date='2009-05-07'>
  <ruleset name='windows'>
    <pattern>MSWinEventLog</pattern>
    <rules>
      <rule provider='nate' id='1' class='system'>
        <patterns>
          <pattern>540</pattern>
        </patterns>
        <description>This is a terrible terrible message to receive. Game over man! Game over!</description>
      </rule>
    </rules>
  </ruleset>
</patterndb>
As you see, to test I just want to match on the number '540' and put that log message in /var/log/remote/parsed.log. I have verified that messages that should match this are arriving at the machine when I send them. If I turn off the db-parser, the messages appear in the parsed.log file.
All messages should end up in your parsed.log file anyway. In order to only match those which matched any of the patterns, you need to put filters into your log statement.
-- Bazsi
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
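The two points raised in the reply, written out as a corrected log path. This is an added example, not configuration from the thread or from the syslog-ng project's own examples: the parser is placed before the destination so classification happens before the write, and a filter on the .classifier.class name that db-parser() sets keeps only messages that matched a rule in windows.xml. The patterndb path /etc/syslog-ng/patterndb.d/windows.xml, the filter names f_windows and f_unknown, and the unparsed.log destination are assumptions; the class name "system" is the one the posted rule declares.

```conf
@version: 3.0

source s_net { udp(); tcp(); };

# Assumed location of the posted windows.xml; the file is named explicitly
# rather than relying on the built-in default path.
parser p_db { db-parser(file("/etc/syslog-ng/patterndb.d/windows.xml")); };

# db-parser() sets ${.classifier.class} to the class attribute of the matching
# rule ("system" in the posted windows.xml) and to "unknown" when nothing
# matched. This filter keeps only the classified messages.
filter f_windows { match("^system$" value(".classifier.class")); };
destination d_parsed { file("/var/log/remote/parsed.log"); };

# Assumed extra path: keep the unmatched messages somewhere visible while the
# pattern database is being developed, so a silent non-match is noticed.
filter f_unknown { match("^unknown$" value(".classifier.class")); };
destination d_unparsed { file("/var/log/remote/unparsed.log"); };

# Order matters: source -> parser -> filter -> destination. With the parser
# listed after the destination, as in the posted config, every message is
# written first and classified afterwards, so no filter can act on the class.
log { source(s_net); parser(p_db); filter(f_windows); destination(d_parsed); };
log { source(s_net); parser(p_db); filter(f_unknown); destination(d_unparsed); };
```

Two checks worth making before blaming the parser for an empty parsed.log: the ruleset-level `<pattern>MSWinEventLog</pattern>` is matched against the ${PROGRAM} field, so a message whose program name differs never reaches the rules at all; and a rule pattern is anchored at the first character of ${MESSAGE} and must cover the whole message, so the bare pattern `540` only matches a message that consists of exactly "540". To pick an event ID out of the middle of a Snare-style line, the pattern needs parsers such as @ESTRING@ for the preceding fields and @ANYSTRING@ to absorb the remainder. The `match(... value(...))` form used above requires syslog-ng 3.0 or later, which the posted @version line satisfies.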