Hi everyone,
 
I have a problem with a “source-file”. Syslog-ng can’t read my “source-file”. I don’t know why, please help me.
 
 
This is my simple syslog-ng.conf file (Vers- 1.6.11) on my Solaris 8 (Sparc.117350-16);
 
options    { mark(600); sync(0); use_dns(yes); create_dirs(yes);
};
source src_tail {
        file("/var/log/syslog-ng/mar" );
        internal();
};
source s_local   {
        sun-streams("/dev/log" door("/etc/.syslog_door"));
};
destination d_loghost_localhost {
        udp("10.10.10.48" port(514)); file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/localhost.log");
};
log {
       source(src_tail); source(s_local); destination(d_loghost_localhost) ;
};
 
 
I can see on the remote central server log "10.10.10.48" that it is working with the internal messages;
 
15:11:50.193397 10.10.1.36.33055 > 10.10.10.48.syslog: udp 92 (DF)
0x0000   4500 0078 df47 4000 fd11 7ec5 0a0a 0124        E..x.G@...~....$
0x0010   0a0a 0a30 811f 0202 0064 9f5e 3c34 353e        ...0.....d.^<45>
0x0020   4f63 7420 2034 2031 353a 3131 3a35 3020        Oct..4.15:11:50.
0x0030   7372 635f 7461 696c 4061 7070 7331 6d6e        src_tail@testhos
0x0040   3120 7379 736c 6f67 2d6e 675b 3139 3933        t.syslog-ng[1993
0x0050   305d                                           0]
 
I made a test on the local server (#logger -p local3.info test1) and I can see the message in tcpdump on the remote server;
 
15:22:58.946246 10.10.1.36.33318 > 10.10.10.48.syslog: udp 78 (DF)
0x0000   4500 006a 014e 4000 fd11 5ccd 0a0a 0124        E..j.N@...\....$
0x0010   0a0a 0a30 8226 0202 0056 852d 3c31 3538        ...0.&...V.-<158
0x0020   3e4f 6374 2020 3420 3135 3a32 323a 3538        >Oct..4.15:22:58
0x0030   2073 5f6c 6f63 616c 4061 7070 7331 6d6e        .s_local@testhos
0x0040   3120 6d61 7266 6162 6961 3a20 5b49 4420        t.marcos:.[ID.
0x0050   3730                                           70
 
The local file destination is writing only the internal() messages but nothing from my file “/var/log/syslog-ng/mar”;
 
#tail  /var/log/syslog-ng/$YEAR.$MONTH.$DAY/localhost.log
Oct  4 15:22:54 src_tail@testhost syslog-ng[23738]: syslog-ng version 1.6.11 starting
Oct  4 15:32:54 src_tail@testhost syslog-ng[23738]: STATS: dropped 0
 
This test script is running: “while true; do date >>/var/log/syslog-ng/mar; sleep 5; done &”. It is writing every 5 seconds to my “source file”, but I can see nothing on the remote host and nothing on the local host (root@testhost# snoop -d hme0 10.10.10.48) or in the local file.
 
root@testhost # ps -ef|grep syslog
    root 28281     1  0   Sep 19 ?        0:00 /usr/sbin/syslogd
    root 28310     1  1 16:09:21 ?        0:00 /usr/local/sbin/syslog-ng -f /etc/syslog-ng.conf
root@testhost # ls -la /var/log/syslog-ng/mar
-rwxrwxrwx   1 root     other      64042 Oct  4 16:09 /var/log/syslog-ng/mar
 
 
 
Can you help me?
Thanks in advance,
 
Marcos Fabian.
 
 
PS- Also, when I include the option “follow_freq(1)” in the syslog-ng.conf;
source s_tail { file("/var/log/apache/access.log" follow_freq(1) flags(no-parse)); };
I get the following error;
# /usr/local/sbin/syslog-ng -d -v /etc/syslog-ng.conf
syntax error at 10
Parse error reading configuration file, exiting. (line 10)
 

