Hello, I'm trying to sent all my logs
from one openbsd server with syslog-ng to a linux
ubuntu central log server also with syslog-ng of
course but only the syslog-ng logs are been logged..
also when I do a "logger test" for example it
gets log locally but not remotely to the log
server...
for the log server is basically the defaul of
ubuntu with my addtions at the end.. you will see
some commented is me trying to fix this issue.
cat syslog-ng/syslog-ng.conf
#
# Configuration file for syslog-ng under
Debian
#
# attempts at reproducing default syslog
behavior
# the standard syslog levels are (in
descending order of priority):
# emerg alert crit err warning notice info
debug
# the aliases "error", "panic", and "warn"
are deprecated
# the "none" priority found in the original
syslogd configuration is
# only used in internal messages created by
syslogd
######
# options
options {
# disable the chained hostname format
in logs
# (default is enabled)
chain_hostnames(0);
# the time to wait before a died
connection is re-established
# (default is 60)
time_reopen(10);
# the time to wait before an idle
destination file is closed
# (default is 60)
time_reap(360);
# the number of lines buffered before
written to file
# you might want to increase this if
your disk isn't catching with
# all the log messages you get or if
you want less disk activity
# (say on a laptop)
# (default is 0)
#sync(0);
# the number of lines fitting in the
output queue
log_fifo_size(2048);
# enable or disable directory
creation for destination files
create_dirs(yes);
# default owner, group, and
permissions for log files
# (defaults are 0, 0, 0600)
#owner(root);
group(adm);
perm(0640);
# default owner, group, and
permissions for created directories
# (defaults are 0, 0, 0700)
#dir_owner(root);
#dir_group(root);
dir_perm(0755);
# enable or disable DNS usage
# syslog-ng blocks on DNS queries, so
enabling DNS may lead to
# a Denial of Service attack
# (default is yes)
use_dns(yes);
# maximum length of message in bytes
# this is only limited by the program
listening on the /dev/log Unix
# socket, glibc can handle arbitrary
length log messages, but -- for
# example -- syslogd accepts only
1024 bytes
# (default is 2048)
#log_msg_size(2048);
#Disable statistic log messages.
stats_freq(0);
# Some program send log messages
through a private implementation.
# and sometimes that implementation
is bad. If this happen syslog-ng
# may recognise the program name as
hostname. Whit this option
# we tell the syslog-ng that if a
hostname match this regexp than that
# is not a real hostname.
bad_hostname("^gconfd$");
keep_hostname (yes);
};
######
# sources
# all known message sources
source s_all {
# message generated by Syslog-NG
internal();
# standard Linux log source (this is
the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" log_prefix("kernel:
"));
# use the following line if you want
to receive remote UDP logging messages
# (this is equivalent to the "-r"
syslogd flag)
# udp();
};
######
# destinations
# some standard log files
destination df_auth {
file("/var/log/auth.log"); };
destination df_syslog {
file("/var/log/syslog"); };
destination df_cron {
file("/var/log/cron.log"); };
destination df_daemon {
file("/var/log/daemon.log"); };
destination df_kern {
file("/var/log/kern.log"); };
destination df_lpr {
file("/var/log/lpr.log"); };
destination df_mail {
file("/var/log/mail.log"); };
destination df_user {
file("/var/log/user.log"); };
destination df_uucp {
file("/var/log/uucp.log"); };
# these files are meant for the mail system
log files
# and provide re-usable destinations for
{mail,cron,...}.info,
# {mail,cron,...}.notice, etc.
destination df_facility_dot_info {
file("/var/log/$FACILITY.info"); };
destination df_facility_dot_notice {
file("/var/log/$FACILITY.notice"); };
destination df_facility_dot_warn {
file("/var/log/$FACILITY.warn"); };
destination df_facility_dot_err {
file("/var/log/$FACILITY.err"); };
destination df_facility_dot_crit {
file("/var/log/$FACILITY.crit"); };
# these files are meant for the news system,
and are kept separated
# because they should be owned by "news"
instead of "root"
destination df_news_dot_notice {
file("/var/log/news/news.notice" owner("news"));
};
destination df_news_dot_err {
file("/var/log/news/news.err" owner("news")); };
destination df_news_dot_crit {
file("/var/log/news/news.crit" owner("news"));
};
# some more classical and useful files found
in standard syslog configurations
destination df_debug {
file("/var/log/debug"); };
destination df_messages {
file("/var/log/messages"); };
# pipes
# a console to view log messages under X
destination dp_xconsole {
pipe("/dev/xconsole"); };
# consoles
# this will send messages to everyone logged
in
destination du_all { usertty("*"); };
######
# filters
# all messages from the auth and authpriv
facilities
filter f_auth { facility(auth, authpriv); };
# all messages except from the auth and
authpriv facilities
filter f_syslog { not facility(auth,
authpriv); };
# respectively: messages from the cron,
daemon, kern, lpr, mail, news, user,
# and uucp facilities
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
# some filters to select messages of priority
greater or equal to info, warn,
# and err
# (equivalents of syslogd's *.info, *.warn,
and *.err)
filter f_at_least_info { level(info..emerg);
};
filter f_at_least_notice {
level(notice..emerg); };
filter f_at_least_warn { level(warn..emerg);
};
filter f_at_least_err { level(err..emerg); };
filter f_at_least_crit { level(crit..emerg);
};
# all messages of priority debug not coming
from the auth, authpriv, news, and
# mail facilities
filter f_debug { level(debug) and not
facility(auth, authpriv, news, mail); };
# all messages of info, notice, or warn
priority not coming form the auth,
# authpriv, cron, daemon, mail, and news
facilities
filter f_messages {
level(info,notice,warn)
and not
facility(auth,authpriv,cron,daemon,mail,news);
};
# messages with priority emerg
filter f_emerg { level(emerg); };
# complex filter for messages usually sent to
the xconsole
filter f_xconsole {
facility(daemon,mail)
or level(debug,info,notice,warn)
or (facility(news)
and level(crit,err,notice));
};
######
# logs
# order matters if you use "flags(final);" to
mark the end of processing in a
# "log" statement
# these rules provide the same behavior as
the commented original syslogd rules
# auth,authpriv.*
/var/log/auth.log
log {
source(s_all);
filter(f_auth);
destination(df_auth);
};
# *.*;auth,authpriv.none
-/var/log/syslog
log {
source(s_all);
filter(f_syslog);
destination(df_syslog);
};
# this is commented out in the default
syslog.conf
# cron.*
/var/log/cron.log
#log {
# source(s_all);
# filter(f_cron);
# destination(df_cron);
#};
# daemon.*
-/var/log/daemon.log
log {
source(s_all);
filter(f_daemon);
destination(df_daemon);
};
# kern.*
-/var/log/kern.log
log {
source(s_all);
filter(f_kern);
destination(df_kern);
};
# lpr.*
-/var/log/lpr.log
log {
source(s_all);
filter(f_lpr);
destination(df_lpr);
};
# mail.*
-/var/log/mail.log
log {
source(s_all);
filter(f_mail);
destination(df_mail);
};
# user.*
-/var/log/user.log
log {
source(s_all);
filter(f_user);
destination(df_user);
};
# uucp.*
/var/log/uucp.log
log {
source(s_all);
filter(f_uucp);
destination(df_uucp);
};
log {
source(s_all);
filter(f_mail);
filter(f_at_least_info);
destination(df_facility_dot_info);
};
# mail.warn
-/var/log/mail.warn
log {
source(s_all);
filter(f_mail);
filter(f_at_least_warn);
destination(df_facility_dot_warn);
};
# mail.err
/var/log/mail.err
log {
source(s_all);
filter(f_mail);
filter(f_at_least_err);
destination(df_facility_dot_err);
};
# news.crit
/var/log/news/news.crit
log {
source(s_all);
filter(f_news);
filter(f_at_least_crit);
destination(df_news_dot_crit);
};
# news.err
/var/log/news/news.err
log {
source(s_all);
filter(f_news);
filter(f_at_least_err);
destination(df_news_dot_err);
};
# news.notice
/var/log/news/news.notice
log {
source(s_all);
filter(f_news);
filter(f_at_least_notice);
destination(df_news_dot_notice);
};
# *.=debug;\
# auth,authpriv.none;\
# news.none;mail.none
-/var/log/debug
log {
source(s_all);
filter(f_debug);
destination(df_debug);
};
# *.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none
-/var/log/messages
log {
source(s_all);
filter(f_messages);
destination(d_eventdb);
};
# *.emerg *
log {
source(s_all);
filter(f_emerg);
destination(du_all);
};
# daemon.*;mail.*;\
# news.crit;news.err;news.notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn
|/dev/xconsole
log {
source(s_all);
filter(f_xconsole);
destination(dp_xconsole);
};
#syslog-ng2mysql destinations
source src_eventdb {
unix-stream("/dev/log");
udp(ip(0.0.0.0) port(514));
};
destination d_eventdb {
pipe(
"/usr/local/icinga/var/rw/syslog-ng.pipe",
template("$HOST\t$SOURCEIP\t$PRI\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n")
template_escape(no)
);
};
filter f_at_least_warn {
# level(warn..emerg);
level(notice..emerg);
};
log {
# source(src_eventdb);
filter(f_at_least_warn);
# filter(f_syslog);
destination(d_eventdb);
};
#log {
# source(src_eventdb);
# filter(f_auth);
# destination(d_eventdb);
#};
HERE FOR THE BSD/CLIENT SIDE: same here is the
default with openbsd syslog-ng install
with my additions at the end.
cat /etc/syslog-ng.conf
#
# Syslog-ng example configuration for for
Debian GNU/Linux
#
# Copyright (c) 1999 anonymous
# Copyright (c) 1999 Balazs Scheidler
# $Id: syslog-ng.conf.sample,v 1.3 2003/05/20
08:57:27 asd Exp $
#
# Syslog-ng configuration file, compatible
with default Debian syslogd
# installation.
#
options { long_hostnames(off); sync(0);
keep_hostname(yes); use_dns(yes); stats (3600);
};
#source src { unix-stream("/dev/log");
internal(); };
source src { unix-dgram("/dev/log");
internal(); };
source net { udp(); };
destination authlog {
file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog");
};
destination cron { file("/var/log/cron.log");
};
destination daemon {
file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log");
};
destination lpr { file("/var/log/lpr.log");
};
destination user { file("/var/log/user.log");
};
destination uucp { file("/var/log/uucp.log");
};
destination ppp { file("/var/log/ppp.log");
};
destination mail { file("/var/log/mail.log");
};
destination mailinfo { file("/var/log/
mail.info"); };
destination mailwarn {
file("/var/log/mail.warn"); };
destination mailerr {
file("/var/log/mail.err"); };
destination newscrit {
file("/var/log/news/news.crit"); };
destination newserr {
file("/var/log/news/news.err"); };
destination newsnotice {
file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug");
};
destination messages {
file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12");
};
#destination loghost { udp("loghost"
port(999)); };
destination xconsole { pipe("/dev/xconsole");
};
#ssh filter
filter f_sshderr { match('^sshd\[[0-9]+\]:
error:'); };
filter f_sshd {
match('^sshd\[[0-9]+\]:'); };
#
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv);
};
filter f_syslog { not facility(authpriv,
mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(cron); };
filter f_ppp { facility(local2); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv,
news, mail); };
filter f_messages { level(info..warn)
and not facility(auth, authpriv,
mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
log { source(src); filter(f_authpriv);
destination(authlog); };
log { source(src); filter(f_syslog);
destination(syslog); };
log { source(src); filter(f_cron);
destination(cron); };
log { source(src); filter(f_daemon);
destination(daemon); };
log { source(src); filter(f_kern);
destination(kern); };
log { source(src); filter(f_lpr);
destination(lpr); };
log { source(src); filter(f_mail);
destination(mail); };
log { source(src); filter(f_user);
destination(user); };
log { source(src); filter(f_uucp);
destination(uucp); };
log { source(src); filter(f_mail);
filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail);
filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail);
filter(f_err); destination(mailerr); };
log { source(src); filter(f_news);
filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news);
filter(f_err); destination(newserr); };
log { source(src); filter(f_news);
filter(f_notice); destination(newsnotice); };
log { source(src); filter(f_debug);
destination(debug); };
log { source(src); filter(f_messages);
destination(messages); };
log { source(src); filter(f_emergency);
destination(console); };
log { source(src); filter(f_ppp);
destination(ppp); };
log { source(src); destination(console_all);
};
#sent to our central log server running
eventdb
destination loghost { udp("192.168.xxx.xxx"
port(514)); };
log { source(src); filter(f_info);
destination(loghost); };
log { source(src); filter(f_syslog);
destination(loghost); };
log { source(src); filter(f_authpriv);
destination(loghost); };
log { source(src); filter(f_user);
destination(loghost); };
log { source(src); filter(f_emergency);
destination(loghost); };
log { source(src); filter(f_sshd);
destination(loghost); };
log { source(src); filter(f_sshderr);
destination(loghost); };
log { source(src); filter(f_kern);
destination(loghost); };