flags(final) means "if you follow this path don't follow any subsequent ones"

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Paras Fadte
Sent: 16 November 2009 12:44
To: Pallagi Zoltán
Cc: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Logging only certain logs to a remote syslog server

Hi,

Got around that problem of postgres messages getting logged to /var/log/messages. But I have encountered an issue while trying to dump logs to remote syslog server. Following explains the same:

Client running syslog-ng version 1.6.8 and OS suse 10.1
Syslog server running syslog version 1.6.12 and OS suse 10.3

The problem is postgres logs don't seem to get written to syslog server whereas mail logs are written to it. The "log" directives used in syslog-ng config use the same "destination" definition.

Client config:

    filter f_postgres { facility(local0) and match('postgres'); };
    destination postgres { file("/home/postgres/logs/postgres"); };  # postgres logs are written to local filesystem
    log { source(src); filter(f_postgres); destination(postgres); flags(final); };
    destination postgresloghost { udp("192.68.10.1" port(5140)); };
    log { source(src); filter(f_postgres); destination(postgresloghost); };  # this doesn't write postgres logs to remote syslog server
    log { source(src); filter(f_mail); destination(postgresloghost); };  # this writes the mail logs to remote syslog server

On syslog server I have defined following in syslog-ng config:
----------------------------------------------------------------------------------------

    filter f_postgres { facility(local0); };
    filter f_notpostgres { not filter(f_postgres); };
    destination std {
        file("/home/logs/HOSTS/$YEAR-$MONTH-$DAY/$HOST/$FACILITY-$YEAR-$MONTH-$DAY-$HOUR"
             owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
    };
    log { source(src); filter(f_notpostgres); destination(std); };
    destination postgres {
        file("/home/logs/HOSTS/$YEAR-$MONTH-$DAY/$HOST/Postgres-$HOUR"
             owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
    };
    log { source(src); filter(f_postgres); destination(postgres); };

What could be the issue? I stopped Apparmor on both the machines and checked but the postgres logs are not written to syslog server. The postgres version used is 8.4.1

Thank you.
-Paras

On Mon, Nov 9, 2009 at 3:50 PM, Pallagi Zoltán <pzolee@balabit.hu> wrote:
Hi,
Paras Fadte wrote:
Hi Bill,
Thanks for the response . When I tried the following it didn't seem to work. The remote host doesn't show any logs .
source postgreslog {file("/home/postgres/data_log-8_4_1"); }; destination postgresloghost { udp("192.168.1.8" port(5140)); }; log { source(postgreslog); destination(postgresloghost); };
Are you really sure that your psql logs come from "/home/postgres/data_log-8_4_1"? You can run syslog-ng with "-Fevd" options to watch what syslog-ng reads from this file (to check this just send a plain text line to this file and you should see it on the screen of syslog-ng)
But the following works :
filter f_postgres { facility(local0) and match('postgres'); }; destination postgresloghost { udp("192.168.1.8" port(5140)); }; log { source(src); filter(f_postgres); destination(postgresloghost); flags(final); };
Can you show me your full source src{...} line in config? Because your psql logs seem to be coming from /dev/log
What could be wrong ? I have also noticed that the remote syslog server logs these messages in its /var/log/messages file also . Can this be prevented ?
Yes, because your sources also should be split to different destinations. For example:

    source s_net { udp(port(5140)); };
    destination psql_file { file("/var/log/psql.log"); };
    log { source(s_net); destination(psql_file); };
Thank you
-Paras
On Thu, Nov 5, 2009 at 9:12 PM, Bill Nash <billn@billn.net> wrote:
Sure, it's very easy. Create a source stanza for the files you want to monitor. Create a destination stanza for the host you want to send to. Add another log stanza containing them both.
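    # Tail the MySQL error log; each line is prefixed with "mysql: "
    source mysqllog { file("/var/lib/mysql/mysql.err" log_prefix("mysql: ")); };
    # Remote syslog server, plain UDP
    destination mysqlloghost { udp("192.168.1.1" port(514)); };
    log { source(mysqllog); destination(mysqlloghost); };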
- billn
On Thu, Nov 5, 2009 at 2:00 AM, Paras Fadte <plfgoa@gmail.com> wrote:
Hi,
Is it possible to log only particular logs to a remote syslog server? For example logging only mysql/postgres logs to a remote host. syslog-ng version used is syslog-ng 1.6.8
Thank you.
-Paras
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
--
- billn
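Added example (not part of the original thread and not syslog-ng code): a small Python check for the situation the top reply describes, where a log statement with flags(final) keeps matching messages from reaching a later log statement. The names parse_log_paths, shadowed_paths and FIXED_CONF are assumptions made for this example; the check is a heuristic that compares source and filter names only, and FIXED_CONF is one possible correction constructed here.

```python
import re

# Log statements from the client config posted in the thread.
CLIENT_CONF = '''
log { source(src); filter(f_postgres); destination(postgres); flags(final); };
log { source(src); filter(f_postgres); destination(postgresloghost); };
log { source(src); filter(f_mail); destination(postgresloghost); };
'''

# Constructed correction: both destinations inside the one final log statement.
FIXED_CONF = '''
log { source(src); filter(f_postgres); destination(postgres);
      destination(postgresloghost); flags(final); };
log { source(src); filter(f_mail); destination(postgresloghost); };
'''

LOG_RE = re.compile(r'\blog\s*\{(.*?)\}\s*;', re.S)
ITEM_RE = re.compile(r'(source|filter|destination|flags)\s*\(\s*([^)]*?)\s*\)')

def parse_log_paths(conf):
    """Return the log statements in file order, with the names each references."""
    paths = []
    for body in LOG_RE.findall(conf):
        path = {"source": set(), "filter": set(), "destination": [], "flags": set()}
        for kind, arg in ITEM_RE.findall(body):
            if kind == "destination":
                path[kind].append(arg)
            elif kind == "flags":
                path[kind].update(f.strip() for f in arg.split(","))
            else:
                path[kind].add(arg)
        paths.append(path)
    return paths

def shadowed_paths(conf):
    """Report (final_stmt, shadowed_stmt, destinations) using 1-based positions.

    A later statement is shadowed when all its sources are covered by an
    earlier final statement and it applies at least the same filters, so
    every message it could match has already stopped at the final one.
    """
    paths = parse_log_paths(conf)
    findings = []
    for i, earlier in enumerate(paths):
        if "final" not in earlier["flags"]:
            continue
        for j in range(i + 1, len(paths)):
            later = paths[j]
            if (later["source"] and later["source"] <= earlier["source"]
                    and earlier["filter"] <= later["filter"]):
                findings.append((i + 1, j + 1, later["destination"]))
    return findings
```

Run over CLIENT_CONF it reports that statement 2 (the remote postgresloghost path) is shadowed by statement 1, while the f_mail path is not, which matches the behaviour described in the thread.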