What happens if you have the most basic syslog-ng.conf file with something like: source test { unix-stream("/dev/log"); }; destination debug { file("/usr/logs/syslog/messages.debug"); }; log { source(test); destination(debug); }; ----- Does it log through logger? What OS are you using? On Sun, 26 Sep 2004 14:20:28 -0700, Doug Hanks <dhanks@gmail.com> wrote:
Hello,
I have an interesting problem. I have a loghost with the servername of FFLOGSVR. Everything works wonderfully except that FFLOGSVR isn't logging its own logs. When I perform the command "logger FFLOGSVR" I do not see an entry in my syslog.
I have attached my syslog-ng.conf for review.
Thank you in advance,
-- - Doug Hanks = dhanks(at)gmail(dot)com
# Syslog-ng (new generation) configuration file # syslog.conf by Doug Hanks 9/25/04
# Global options
options {
    time_reopen(10);        # seconds to wait before retrying a dead connection
    log_fifo_size(1000);
    long_hostnames(on);
    use_dns(yes);
    use_fqdn(no);
    create_dirs(yes);
    dns_cache(yes);
    # NOTE(review): keep_hostname(yes) trusts the hostname field carried in
    # each received message rather than the sender's resolved address. With
    # the unauthenticated udp() source below, a remote sender chooses $HOST,
    # and $HOST is expanded into a file path by the loghost destination.
    # keep_hostname(no) would derive $HOST from the sending address instead;
    # confirm first that no relay in front of this loghost depends on it.
    keep_hostname(yes);
};
# Where the logs come from: the local /dev/log socket, syslog-ng's own
# internal messages, and syslog over UDP/514 from the network.
source gateway {
    # NOTE(review): unix-stream() is the Linux form of /dev/log. On Solaris
    # /dev/log is a STREAMS device read with sun-streams("/dev/log"); if this
    # host is Solaris, that alone would keep locally generated messages (e.g.
    # from logger) from ever entering this source — TODO confirm the OS.
    unix-stream("/dev/log");
    internal();
    # Accepts datagrams from any sender with no authentication; limit which
    # peers can reach port 514 at the host firewall.
    udp(port(514));
};
# Filters that break the stream down by facility and by level
filter f_auth      { facility(auth); };
filter f_syslog    { not facility(authpriv, mail); };   # not referenced by any log {} below
filter f_cron      { facility(cron); };
filter f_daemon    { facility(daemon); };
filter f_kern      { facility(kern); };
filter f_mail      { facility(mail); };
filter f_user      { facility(user); };
filter f_debug     { not facility(auth, authpriv, news, mail); };
filter f_messages  { level(info..warn) and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
# NOTE(review): nothing here selects facility(authpriv) on its own, and the
# f_syslog/f_debug/f_messages filters exclude it; on senders where su, sshd
# or sudo log to authpriv, those messages land only in the unfiltered
# catch-all destinations, not in messages.auth.

# Pure level filters; none of these is used by a log {} statement below.
filter f_info   { level(info); };
filter f_notice { level(notice); };
filter f_warn   { level(warn); };
filter f_crit   { level(crit); };
filter f_err    { level(err); };
# LogWatch feed: anything mentioning su, ssh or sudo.
# NOTE(review): match() is an unanchored regex, so "su" also selects any
# message containing that substring (e.g. "issue", "result") and already
# covers "sudo"; tighten the pattern if the LogWatch feed turns out noisy.
filter f_logwatch {
    match("su")
    or match("ssh")
    or match("sudo");
};
# SU: successful (f_su_0) and failed (f_su_1) switch-user attempts,
# recognised by message text, one pattern per platform.
# NOTE(review): these match on message text only, with no facility() or
# program() constraint, so any local user able to write to /dev/log (or any
# host that can reach the udp() source) can emit a line that is filed as a
# successful su. Adding facility(auth, authpriv) would narrow that; confirm
# which facility su logs to on each AIX/Solaris/HP-UX sender first.
filter f_su_0 {
    match("su: from [a-zA-Z0-9]+ to")                  # AIX
    or match("'su [a-zA-Z0-9]+' succeeded for")        # Solaris
    # NOTE(review): "\+" relies on the backslash surviving config-string
    # parsing; a bare "+" is a regex quantifier. "[+]" matches a literal
    # plus unambiguously — confirm on this syslog-ng version.
    or match(": su : \+");                             # HP-UX
};
filter f_su_1 {
    match("su: BAD SU from")                           # AIX
    or match("'su [a-zA-Z0-9]+' failed for")           # Solaris
    or match(": su : \-");                             # HP-UX
};
# SSH: accepted (f_ssh_0) and failed (f_ssh_1) logins, by message text.
# NOTE(review): text-only match with no facility()/program() constraint —
# a forged message with this wording from any sender is filed as a real
# login event; constrain by facility once the senders' sshd facility is known.
filter f_ssh_0 {
    match("Accepted [a-zA-Z0-9]+ for")                                       # AIX, Solaris, HP-UX
    or match("[a-zA-Z0-9]+ authentication for user [a-zA-Z0-9]+ accepted");  # SAP
};
filter f_ssh_1 {
    match("Failed [a-zA-Z0-9]+ for")                                         # AIX, Solaris, HP-UX
    or match("[a-zA-Z0-9]+ authentication for user [a-zA-Z0-9]+ failed");    # SAP
};
# SUDO: every sudo line (f_sudo_0) and the denied subset of it (f_sudo_1).
filter f_sudo_0 { match("sudo:"); };
filter f_sudo_1 {
    match("sudo:")
    and (
        match("command not allowed")
        or match("user NOT in sudoers")
    );
};
# Catch-all destinations: one flat file with everything, and one file per
# sending host.
destination localhost { file("/usr/logs/syslog/messages.all"); };
destination loghost {
    file("/usr/logs/HOSTS/$HOST/messages"
        owner(root) group(root)
        perm(0600) dir_perm(0700)
        create_dirs(yes)
    );
    # NOTE(review): with the global keep_hostname(yes), $HOST is the hostname
    # field of the received message, i.e. chosen by the sender. A hostname
    # containing "/" or ".." could be expanded into this path, and
    # create_dirs(yes) would create it. Confirm that this syslog-ng version
    # sanitises $HOST before expansion, or derive $HOST from the sender
    # address instead (keep_hostname(no)).
};
# Alert pipe: each matching message is written as one line to the stdin of
# the mail script. template-escape(yes) backslash-escapes quote and
# backslash characters in the expanded macros.
destination fifo_alert {
    program("/usr/local/sbin/email-syslog-alert"
        template("$HOST:$PROGRAM:$MSG\n")
        template-escape(yes)
    );
    # NOTE(review): $HOST, $PROGRAM and $MSG are sender-controlled text (see
    # the udp() source). The escaping here covers quotes only, not shell
    # metacharacters, so the script must treat every line as data and never
    # interpolate it into a shell command or a mail header unquoted.
};
# Per-event log files fed by the su/ssh/sudo filters
# (_0 = success / all lines, _1 = failure / denied) and the LogWatch feed.
destination su_0     { file("/usr/logs/syslog/messages.su0"); };
destination su_1     { file("/usr/logs/syslog/messages.su1"); };
destination ssh_0    { file("/usr/logs/syslog/messages.ssh0"); };
destination ssh_1    { file("/usr/logs/syslog/messages.ssh1"); };
destination sudo_0   { file("/usr/logs/syslog/messages.sudo0"); };
destination sudo_1   { file("/usr/logs/syslog/messages.sudo1"); };
destination logwatch { file("/usr/logs/syslog/logwatch.log"); };
# Per-facility log files
destination authlog  { file("/usr/logs/syslog/messages.auth"); };
destination cron     { file("/usr/logs/syslog/messages.cron"); };
destination daemon   { file("/usr/logs/syslog/messages.daemon"); };
destination kern     { file("/usr/logs/syslog/messages.kern"); };
destination lpr      { file("/usr/logs/syslog/messages.lpr"); };   # no log {} routes to this
destination user     { file("/usr/logs/syslog/messages.user"); };
destination mail     { file("/usr/logs/syslog/messages.mail"); };
destination debug    { file("/usr/logs/syslog/messages.debug"); };
destination messages { file("/usr/logs/syslog/messages"); };
destination console  { file("/dev/console"); };
# NOTE(review): none of these files sets perm(), so they get this build's
# default mode; if that default is wider than the 0600 used for the per-host
# files, add perm(0600) here as well.
# Unfiltered paths: every message from the gateway source goes to the flat
# catch-all file and to the per-host file.
log { source(gateway); destination(localhost); };
log { source(gateway); destination(loghost); };
# Alerts: failed su, failed ssh and denied sudo are piped to the mail script.
log { source(gateway); filter(f_su_1);   destination(fifo_alert); };
log { source(gateway); filter(f_ssh_1);  destination(fifo_alert); };
log { source(gateway); filter(f_sudo_1); destination(fifo_alert); };
# su: successes and failures to their own files
log { source(gateway); filter(f_su_0);   destination(su_0); };
log { source(gateway); filter(f_su_1);   destination(su_1); };

# ssh: accepted and failed logins
log { source(gateway); filter(f_ssh_0);  destination(ssh_0); };
log { source(gateway); filter(f_ssh_1);  destination(ssh_1); };

# sudo: all lines, and the denied subset
log { source(gateway); filter(f_sudo_0); destination(sudo_0); };
log { source(gateway); filter(f_sudo_1); destination(sudo_1); };

# Combined su/ssh/sudo feed for LogWatch
log { source(gateway); filter(f_logwatch); destination(logwatch); };
# Facility and level breakdown
log { source(gateway); filter(f_auth);      destination(authlog); };
log { source(gateway); filter(f_cron);      destination(cron); };
log { source(gateway); filter(f_daemon);    destination(daemon); };
log { source(gateway); filter(f_kern);      destination(kern); };
log { source(gateway); filter(f_mail);      destination(mail); };
log { source(gateway); filter(f_user);      destination(user); };
log { source(gateway); filter(f_debug);     destination(debug); };
log { source(gateway); filter(f_messages);  destination(messages); };
log { source(gateway); filter(f_emergency); destination(console); };
# NOTE(review): a local "logger FFLOGSVR" (by default facility user, level
# notice) is selected by f_user, f_debug and f_messages as well as by the
# two unfiltered log paths, so if it shows up in none of those files the
# message is not entering the gateway source at all — check the /dev/log
# driver for this OS before suspecting the filters.