[syslog-ng]new member

2 Aug 2003

      Hi 

My name is Shetkar Ravi and AS i am new to syslog-ng I am interested  to become a new syslog-ng member to learn more about syslog-ng.
I am currently working on logging server project. I searched the web and found lot of good things and recommendations about the syslog-ng and decided install and test in my solaris/HP/Aix environment.

I down loaded libol-0.3.9  and syslog-ng-1.6.0rc3 and installed and compiled on solaris 8 server. 

I added /etc/syslog-ng/syslog-ng.conf  file and modified the /etc/init.d/syslog file, but when try to start the syslog-ng (/etc/init.d/syslog start) it giving me following error on the console..

io.c: bind_inet_socket() bind failed 0.0.0.0:514 Address already in use

Need your help and suggestion for syslog-ng configuration...to make it work on my syslog -ng centralize logging server. 

Do i need to install syslog-ng on all the clients also or the default syslog will work.?
and then what will be the syslog.conf file on clients.

Follwing are my configuration files..

/etc/syslog-ng/syslog-ng.conf    file..
# more syslog-ng.conf
#
# Syslog-ng example configuration file for Solaris
#
#use_fqdn()             add FQDN instead of short hostname
#use_dns()              use DNS (may cause DOS)
#sync()                 number of lines buffered before written to file
#log_fifo_size()        number of lines fitting to the output queue
#
#options { use_fqdn(no);                
#          keep_hostname(yes);          
#          use_dns(no);         
#          long_hostnames(off);                 
#          sync(0);             
#          log_fifo_size(1000); };
options { sync(0); keep_hostname(yes); chain_hostnames(no);
log_fifo_size(30000); };
source s_local { sun-streams("/dev/log" door("/etc/.syslog_door"));
internal(); };
source s_net_udp { udp(); };
destination d_local { file("/logs/messages"); };
log { source(s_local); source(s_net_udp); destination(d_local); };
#
# local and network sources 
#
# + will accept udp/tcp connections on port 514 from any host
# + keepalive option is for tcp only and will keep connection open
#     when the SIGHUP signal is seen
# 
#source s_stream { sun-streams("/dev/log" door("/etc/.syslog_door"); };
#source local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal();}; 
#source network { udp(); tcp(); };
#source s_tcp { tcp(ip(127.0.0.1) port(19990) max-connections(10)); };
#Source s_udp { udp(); };
#
# standard destinations for local standard system messages 
#
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination kern { file("/var/log/kern.log"); };
destination maillog { file("/var/log/maillog"); };
#
# special log destinations for our remote hosts
# (pixlog, switchlog) and for our IP Filter firewall (ipflog) 
#
#destination ipflog { file("/var/log/ipf.log"); };
#destination pixlog { file("/var/log/pix.log"); };
#destination switchlog { file("/var/log/switch.log"); };
#
# Some log files used to catch remaining messages
#
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
#
# console destination
#
destination console { file("/dev/sysmsg"); };
#
# filters for standard local system messages which come
# in on non-local facilities
#
filter f_authpriv { facility(auth) ; };
filter f_syslog { not facility(auth) and not facility(mail); };
filter f_kern { facility(kern); };
filter f_mail { facility(mail); };
#
# filters for IPFilter and the Cisco equipment
#
#filter f_ipf { facility(local0); };
#filter f_pix { facility(local4); };
#filter f_switch { facility(local6, local7); };
#
# catch the rest
#
filter f_debug { not facility(kern, auth, mail, local6, local7, local4, local0); };
filter f_messages { level(info .. warn) and not facility(auth, mail, local0, local4
, local6, local7); };
#
# filters for various emergency level messages
#
filter f_emergency { level(emerg); };
#
# log emergency level messages out to console
#
log { source(local); filter(f_emergency); destination(console); };
#
# log messages from local machine
#
log { source(local); filter(f_authpriv); destination(authlog); };
log { source(local); filter(f_syslog); destination(syslog); };
log { source(local); filter(f_kern); destination(kern); };
log { source(local); filter(f_mail); destination(maillog); };
#
# log IP Filter messages to the ipf.log
#
#log { source(local); filter(f_ipf); destination(ipflog); };
#
# log switch and pix messages
#
#log { source(network); filter(f_pix); destination(pixlog); };
#log { source(network); filter(f_switch); destination(switchlog); };
#
# catch the rest of the messages
#
log { source(local); source(network); filter(f_debug); destination(debug); };
log { source(local); source(network); filter(f_messages); destination(messages); };
#
# Automatic sorting of host messages by $HOST and $YEAR$MONTH$DAY
# 
# + will automatically create a directory structure for all messages
#   sorted first by host, then by date, then by facility.
# + with use_dns(no) we will have files based on ip address not hostname
#
destination hosts { file("/var/log/HOSTS/$HOST/$YEAR$MONTH$DAY/$FACILITY" owner(roo
t) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
#
# logs all incoming messages from network source to the sorted 
# destination
# 
log { source(network); destination(hosts); };

My /etc/init.d/syslog  file is

# more syslog
#!/sbin/sh
#
# script to start syslog-ng on boot up for a Solaris machine.  
# This script replaces /etc/init.d/syslog on a Solaris machine.
#
case "$1" in
'start')
        if [ -f /etc/syslog-ng.conf -a -f /usr/local/sbin/syslog-ng ];
then
                echo 'syslog-ng service starting.'
                #
                # Before syslogd starts, save any messages from previous
                # crash dumps so that messages appear in chronological order.
                #
                /usr/bin/savecore -m
                if [ -r /etc/dumpadm.conf ]; then
                        . /etc/dumpadm.conf
                        [ "x$DUMPADM_DEVICE" != xswap ] && \
                            /usr/bin/savecore -m -f $DUMPADM_DEVICE
                fi
                if [ ! -f /var/adm/messages ]; then
                        /usr/bin/cp /dev/null /var/adm/messages
                        /usr/bin/chmod 0644 /var/adm/messages
                fi
                /usr/local/sbin/syslog-ng >/dev/msglog 2>&1 &
        fi
        ;;
'stop')
        echo 'syslog-ng service stopping.'
        if [ -f /var/run/syslog-ng.pid ]; then
                syspid=`/usr/bin/cat /var/run/syslog-ng.pid`
                [ "$syspid" -gt 0 ] && kill -15 $syspid
        fi
        ;;
*)
        echo "Usage: $0 { start | stop }"
        exit 1
        ;;
esac 

my daemon is in /usr/loca/sbin/syslog-ng

thanks for your help.

Shetkar Ravi
Unix systel Administrator.
WebMD
rshetkar@webmd.net
rshetkar88@yahoo.com

---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software

[syslog-ng]new member

Ravi shetkar