Hi,

Sorry for answering so slowly...

On Fri, 2009-05-08 at 10:23 -0400, Nate Hausrath wrote:
Thanks for the response.
It looks like there may be a problem with my install or a bug somewhere. With the config file below, I'm still not getting messages in my /var/log/remote/parsed.log file. However, when I comment out "parser(p_db);" in the log section of the config, messages begin showing up.
After a bit more investigation, when I receive the first remote log message over UDP, the following appears in my /var/log/messages:
kernel: : [89941.138626] syslog-ng[16473]: segfault at 00000010 eip 08063e49 esp bfa1a490 error 4
Even after this, the process is still running and the ports are still open. At this point, I'm not really sure how to diagnose the problem.
Basically you have two problems, let's see one after the other.

1. You are using syslog-ng OSE which has support for db-parser pattern version 1 only, while you have a version 2 pattern xml (version 2 is only included in the PE, and the xmls provided on the website are also version 2). This way you end up without any actual rule and therefore no matching or parsing would occur. You can find an XML schema in the distribution which specifies the xml format to be used. I am currently working on porting the version 2 format to OSE and sorry for any inconvenience I might have caused with the different versions. Meanwhile you can use the version 1 style xml:

    <?xml version='1.0' encoding='UTF-8'?>
    <patterndb version='1' pub_date='2009-05-07'>
      <program name='windows'>
        <pattern>MSWinEventLog</pattern>
        <rules>
          <rule provider='nate' id='1' class='system'>
            <pattern>540</pattern>
            <description>This is a terrible terrible message to receive. Game over man! Game over!</description>
          </rule>
        </rules>
      </program>
    </patterndb>

2. You have a segfault. I would need a backtrace or a core file to track down the problem. To get a core file you can use the --enable-core option to syslog-ng and gdb after that to get a backtrace.

Sorry again for the version problem, I will push an update to my git tree with the new version 2 xml handling.

best,
Marton
-Nate
Other than that, here is my syslog-ng.conf file:
    @version: 3.0
    #Default configuration file for syslog-ng.
    #
    # For a description of syslog-ng configuration file directives, please read
    # the syslog-ng Administrator's guide at:
    #
    # http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
    #

    options { };

    ######
    # sources
    source s_local {
        # message generated by Syslog-NG
        internal();
        # standard Linux log source (this is the default place for the syslog()
        # function to send logs to)
        unix-stream("/dev/log");
        # messages from the kernel
        file("/proc/kmsg" program_override("kernel: "));
    };

    source s_net { udp(); tcp(); };

    parser p_db { db-parser(); };

    ######
    # destinations
    destination d_messages { file("/var/log/messages"); };
    destination d_parsed { file("/var/log/remote/parsed.log"); };

    log { source(s_local); destination(d_messages); };

    log { source(s_net); destination(d_parsed); parser(p_db); };
The log statements define a 'pipeline', thus your messages will reach the db-parser() only after having been written to the d_parsed destination.
And here is my windows.xml file:
    <?xml version='1.0' encoding='UTF-8'?>
    <patterndb version='2' pub_date='2009-05-07'>
      <ruleset name='windows'>
        <pattern>MSWinEventLog</pattern>
        <rules>
          <rule provider='nate' id='1' class='system'>
            <patterns>
              <pattern>540</pattern>
            </patterns>
            <description>This is a terrible terrible message to receive. Game over man! Game over!</description>
          </rule>
        </rules>
      </ruleset>
    </patterndb>
As you see, to test I just want to match on the number '540' and put that log message in /var/log/remote/parsed.log. I have verified that messages that should match this are arriving at the machine when I send them. If I turn off the db-parser, the messages appear in the parsed.log file.
All messages should end up in your parsed.log file anyway. In order to only match those which matched any of the patterns, you need to put filters into your log statement.
-- Bazsi
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
-- Key fingerprint = F78C 25CA 5F88 6FAF EA21 779D 3279 9F9E 1155 670D
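The two points Bazsi raises about the posted config (the parser has to come before the destination in the log pipeline, and a filter is needed if parsed.log should contain only matched messages) combined into one corrected remote-log configuration. This is an added example written for this page, not config from the thread or from the syslog-ng project. It assumes syslog-ng OSE 3.0 (the @version the original config declares), a version-1 patterndb file stored at /etc/syslog-ng/patterndb.d/windows.xml (the path is an assumption), and that db-parser() exposes the class of the matching rule as the .classifier.class macro; everything else is carried over from the posted config.

```conf
# Added example for this page (not from the thread or the syslog-ng project).
# Assumes syslog-ng OSE 3.0, a version-1 patterndb XML at the path below
# (assumed path), and that db-parser() sets the .classifier.class macro.
@version: 3.0

source s_net { udp(); tcp(); };

# Point db-parser() at the version-1 XML explicitly, so a wrong or missing
# file shows up in syslog-ng's startup output instead of as an empty rule set.
parser p_db { db-parser(file("/etc/syslog-ng/patterndb.d/windows.xml")); };

# Only messages that matched a rule with class='system' carry that value,
# so this filter drops everything the pattern database did not classify.
filter f_classified { match("^system$" value(".classifier.class")); };

destination d_parsed     { file("/var/log/remote/parsed.log"); };
destination d_remote_all { file("/var/log/remote/all.log"); };

# Order matters: the pipeline is processed left to right, so the parser must
# run before the filter that inspects its result and before the destination.
log {
    source(s_net);
    parser(p_db);
    filter(f_classified);
    destination(d_parsed);
};

# Everything received from the network, matched or not, for comparison while
# debugging; without flags(final) a message is handed to both log statements.
log {
    source(s_net);
    destination(d_remote_all);
};
```

To check the result, send a test message that contains both the program pattern (MSWinEventLog) and the rule pattern (540) to the UDP port, then compare all.log against parsed.log: the message should appear in both, while a message without 540 should appear only in all.log. If parsed.log stays empty for matching messages, the first thing to verify is that the XML file really declares version='1', since under OSE a version-2 file yields no rules at all.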