I will retest my config

On Thu, Oct 11, 2018, 3:41 PM Salih Haji <salihhaji631@gmail.com> wrote:
Really?
On Thu, 11 Oct 2018, 22:38 Rodney Bizzell, <hardworker30@gmail.com> wrote:
Should I make a change to the config
On Thu, Oct 11, 2018, 3:25 PM Szemere, László <laszlo.szemere@oneidentity.com> wrote:
Dear Rodney Bizzell,
I started a freshly built syslog-ng from the latest revision from the OSE master with your config (I used dbld for this.), and it immediately pointed out one syntax error:

Error parsing afsocket, inner-dest plugin spoof_sources not found in /source/syslog-ng.conf:
45
46
47      destination d_graylog {
48        tcp("0.0.0.0"
49        port (12201)
50---->   spoof_sources(yes)
50---->   ^^^^^^^^^^^^^
51        );
52      };
53
54
55      filter f_kernel { facility(kern); };

Since you did not provide any error message/output from your instance, I can not investigate it any further currently.
If you encounter any other issue, please try to provide as much information as you can, including at least the:
- platform
- syslog-ng version
- installation source (custom built, OBS repository, etc...)
- configuration
- output from syslog-ng
- network setup (if the problem can not be reproduced with the loopback interface only)
Br, Laci
On Thu, Oct 11, 2018 at 6:01 PM, Rodney Bizzell <hardworker30@gmail.com> wrote:
Ok I have 3.5 syslog-ng
On Thu, Oct 11, 2018, 10:43 AM Szemere, László <laszlo.szemere@oneidentity.com> wrote:
Dear Rodney Bizzell,
if you start syslog-ng with the following options:
-F (foreground)
-d (debug)
-e (stderr)
-v (verbose)
it will provide verbose information during the startup. It will help a lot to figure out the root cause of the problem.
Note: If you have the option to update your syslog-ng version: Since 3.15.1 (PR: https://github.com/balabit/syslog-ng/pull/1932) syslog-ng will point out the exact location of syntax errors.
Br, Laci
On Thu, Oct 11, 2018 at 3:38 PM, Rodney Bizzell <hardworker30@gmail.com> wrote:
It isn't starting up at all once I add those changes to the config it says invalid syntax
On Thu, Oct 11, 2018 at 9:22 AM Szemere, László <laszlo.szemere@oneidentity.com> wrote:
> Dear Rodney Bizzell,
> sorry for the misunderstanding, now it is clear for us, that you
> anonymised your config. Just a note: it is preferable to use different
> masking addresses for different original IPs. i.e.: I can not check this
> source: "udp(ip(0.0.0.0) port(514));"
>
> Back to your problem. It is not clear for me what do you mean by
> "once changes are made syslog-ng is failing"
> It is not starting up at all? Or just not forwarding logs to your
> Graylog server?
>
> Br,
> Laci
>
> On Thu, Oct 11, 2018 at 2:03 PM, Rodney Bizzell <hardworker30@gmail.com> wrote:
>
>> I just changed my information on my graylog box 0.0.0.0 isn't what
>> I had in there. The way the config is did that look syntax correctly
>>
>> On Thu, Oct 11, 2018, 12:26 AM Péter, Kókai <peter.kokai@oneidentity.com> wrote:
>>
>>> Hello,
>>>
>>> If you start syslog-ng with -Fe it might give you a clue.
>>> Also 0.0.0.0 is a non-routable address, so it is fine for source,
>>> not so much for destination, you should check out on which ip graylog
>>> listening, if it is 0.0.0.0 you could use the loopback device 120.0.0.1 (or
>>> other valid ip, but lo would be preferable).
>>>
>>> --
>>> Kokan
>>>
>>> On Wed, 10 Oct 2018, 10:57 pm Rodney Bizzell, <hardworker30@gmail.com> wrote:
>>>
>>>> I have installed syslog-ng 3.5 and I am configuring it to send all
>>>> logs to Graylog but once changes are made syslog-ng is failing. I change
>>>> the address of graylog server to 0.0.0.0
>>>>
>>>>
>>>> @version:3.5
>>>> @include "scl.conf"
>>>>
>>>> # syslog-ng configuration file.
>>>> #
>>>> # This should behave pretty much like the original syslog on RedHat. But
>>>> # it could be configured a lot smarter.
>>>> #
>>>> # See syslog-ng(8) and syslog-ng.conf(5) for more information.
>>>> #
>>>> # Note: it also sources additional configuration files (*.conf)
>>>> # located in /etc/syslog-ng/conf.d/
>>>>
>>>> options {
>>>>     flush_lines (0);
>>>>     time_reopen (10);
>>>>     log_fifo_size (1000);
>>>>     chain_hostnames (off);
>>>>     use_dns (no);
>>>>     use_fqdn (no);
>>>>     create_dirs (no);
>>>>     keep_hostname (yes);
>>>> };
>>>>
>>>> source s_sys {
>>>>     system();
>>>>     internal();
>>>>     udp(ip(0.0.0.0) port(514));
>>>> };
>>>>
>>>> source s_net {
>>>>     udp(ip(0.0.0.0) port(514));
>>>>     tcp(ip(0.0.0.0) port(514) max-connections(256));
>>>> };
>>>>
>>>> destination d_cons { file("/dev/console"); };
>>>> destination d_mesg { file("/var/log/messages"); };
>>>> destination d_auth { file("/var/log/secure"); };
>>>> destination d_mail { file("/var/log/maillog" flush_lines(10)); };
>>>> destination d_spol { file("/var/log/spooler"); };
>>>> destination d_boot { file("/var/log/boot.log"); };
>>>> destination d_cron { file("/var/log/cron"); };
>>>> destination d_kern { file("/var/log/kern"); };
>>>> destination d_mlal { usertty("*"); };
>>>>
>>>>
>>>> destination d_graylog {
>>>>     tcp("0.0.0.0"
>>>>     port (12201)
>>>>     spoof_sources(yes)
>>>>     );
>>>> };
>>>>
>>>>
>>>> filter f_kernel { facility(kern); };
>>>> filter f_default { level(info..emerg) and
>>>>                    not (facility(mail)
>>>>                    or facility(authpriv)
>>>>                    or facility(cron)); };
>>>> filter f_auth { facility(authpriv); };
>>>> filter f_mail { facility(mail); };
>>>> filter f_emergency { level(emerg); };
>>>> filter f_news { facility(uucp) or
>>>>                 (facility(news)
>>>>                 and level(crit..emerg)); };
>>>> filter f_boot { facility(local7); };
>>>> filter f_cron { facility(cron); };
>>>>
>>>> #log { source(s_sys); filter(f_kernel); destination(d_cons); };
>>>> log { source(s_sys); filter(f_kernel); destination(d_kern); };
>>>> log { source(s_sys); filter(f_default); destination(d_mesg); };
>>>> log { source(s_sys); filter(f_auth); destination(d_auth); };
>>>> log { source(s_sys); filter(f_mail); destination(d_mail); };
>>>> log { source(s_sys); filter(f_emergency); destination(d_mlal); };
>>>> log { source(s_sys); filter(f_news); destination(d_spol); };
>>>> log { source(s_sys); filter(f_boot); destination(d_boot); };
>>>> log { source(s_sys); filter(f_cron); destination(d_cron); };
>>>>
>>>>
>>>>
>>>> log { source(s_net); destination(d_graylog); };
>>>> log { source(s_sys); filter(f_default); destination(d_graylog);};
>>>>
>>>> # Source additional configuration files (.conf extension only)
>>>> @include "/etc/syslog-ng/conf.d/*.conf"
>>>>
>>>>
>>>> # vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
>>>>
>>>>
>>>> ______________________________________________________________________________
>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
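Added example, not part of the original thread and not syslog-ng project code: a small pre-flight check that flags the two problems raised above in a tcp()/udp() destination, an unspecified address such as 0.0.0.0 used as the target and a spoof option the driver cannot accept. The function name lint_destinations and the sample addresses are hypothetical; that spoof_source is a udp()-only destination option comes from the syslog-ng documentation, not from the thread.

```python
import ipaddress
import re

# Constructed sample: the d_graylog destination from the thread plus a corrected form.
# 192.0.2.10 is a documentation address (RFC 5737) standing in for the real Graylog IP.
SAMPLE_CONF = '''
destination d_mesg { file("/var/log/messages"); };
destination d_graylog {
    tcp("0.0.0.0"
        port (12201)
        spoof_sources(yes)
    );
};
destination d_graylog_fixed { tcp("192.0.2.10" port(12201)); };
'''

# Assumption: destination bodies contain no nested braces (true for the thread's config).
DEST_RE = re.compile(r'destination\s+(\w+)\s*\{([^{}]*)\}\s*;')
DRIVER_RE = re.compile(r'\b(tcp|udp)\s*\(\s*"([^"]+)"(.*)', re.S)
SPOOF_RE = re.compile(r'\b(spoof[-_]sources?)\s*\(')


def lint_destinations(conf_text):
    """Return (destination_name, problem) pairs for tcp()/udp() destinations."""
    findings = []
    for name, body in DEST_RE.findall(conf_text):
        m = DRIVER_RE.search(body)
        if not m:
            continue  # file(), usertty() and similar drivers are out of scope
        driver, target, options = m.groups()
        try:
            if ipaddress.ip_address(target).is_unspecified:
                findings.append((name, "unspecified address %s used as destination" % target))
        except ValueError:
            pass  # target is a hostname, nothing to check here
        for opt in SPOOF_RE.findall(options):
            if opt.replace("-", "_") != "spoof_source":
                findings.append((name, "unknown option %s (udp() accepts spoof_source)" % opt))
            elif driver != "udp":
                findings.append((name, "spoof_source is only valid on udp() destinations"))
    return findings


if __name__ == "__main__":
    for name, problem in lint_destinations(SAMPLE_CONF):
        print(name + ": " + problem)
```

This only screens for these two mistakes; running syslog-ng itself in the foreground with -F -e, as suggested in the thread, remains the authoritative syntax check.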