Hi Every one,
I am new to concept of syslog-ng configuration.
Already syslog-ng configured in linux server
We have 6 syslog-ng server
4 location syslog-ng server receives logs from all the syslog client
.. working fine
1 centralized syslog-ng (server receives log from 4 locations .......
working fine
1 we have tcim syslog-ng server receives logs from centralized
syslog-ng server... it was working before for both solaris and linux .
Now suddenly not collecting logs only for linux. No changes were made.
Centalized syslog-ng configuration file
options {
log_fifo_size(8192);
create_dirs(yes);
group(sysgrp);
dir_group(sysgrp);
dir_perm(0750);
perm(0440);
chain_hostnames(no);
keep_hostname(yes);
stats(3600);
use_fqdn(yes);
use_time_recvd(yes);
};
Standard filters
# Level Filters
filter f_emerg { level (emerg); };
filter f_alert { level (alert .. emerg); };
filter f_crit { level (crit .. emerg); };
filter f_err { level (err .. emerg); };
filter f_warning { level (warning .. emerg); };
filter f_notice { level (notice .. emerg); };
filter f_info { level (info .. emerg); };
filter f_debug { level (debug .. emerg); };
# Facility Filters
filter f_kern { facility (kern); };
filter f_user { facility (user); };
filter f_mail { facility (mail); };
filter f_daemon { facility (daemon); };
filter f_auth { facility (auth); };
filter f_authpriv { facility (authpriv); };
filter f_syslog { facility (syslog); };
filter f_lpr { facility (lpr); };
filter f_news { facility (news); };
filter f_uucp { facility (uucp); };
filter f_os_unix {
not program(EvntSLog)
and not program(NetScreen)
and not match ("NetScreen device_id")
and not match ("%AAA-")
and not match ("%AUTH-")
and not match ("%AUTHPRIV-")
and not match ("%CALLHOME-")
and not match ("%CDP-")
and not match ("%EARL-")
and not match ("%FILESYS-")
and not match ("%IMAGE_DNLD-SLOT")
and not match ("%IP-")
and not match ("%KERN-")
and not match ("%LICMGR-")
and not match ("%LINEPROTO-")
and not match ("%LINK-")
and not match ("%MCAST-")
and not match ("%MODULE-")
and not match ("%OSPF-")
and not match ("%PLATFORM-")
and not match ("%PRUNING-")
and not match ("%PORT-")
and not match ("%SPANTREE-")
and not match ("%SYS-")
and not match ("%UDLD-")
and not match ("%VSHD-")
source s_local {
unix-stream("/dev/log");
udp(ip(0.0.0.0) port(514));
tcp(ip(0.0.0.0) port(5149) max-connections(333));
internal();
pipe("/proc/kmsg");
};
destination dl_hosts-unix {
file("/var/log/syslog-ng/hosts-unix/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.$LEVEL");
};
log {
source(s_local);
filter(f_os_unix);
###not filter(f_os_switch);
destination(dl_hosts-unix);
};
destination dl_tcim {
udp("10.230.148.18" port(514) template("<$PRI> $DATE $HOST
$MESSAGE\r\n"));
};
log {
source(s_local);
destination(dl_tcim);
};
tcim server configurarion file.
options {
sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
# use_dns (no);
use_dns (yes);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};
source src {
udp();
tcp(port(514) keep-alive(yes));
filter f_lnx_hosts {
host("amex") or
host("green") or
host("sa") or
host("yellow") or
host("urinf01") or
etc..;
..
..
.
};
destination d_lnx {
file("/var/log/tcim/$HOST/syslog-$YEAR-$MONTH-$DAY.log"
template("<$PRI>$DATE $HOST $MSG\n")
create_dirs(yes)
owner(svc-tcim)
group(users)
perm(0660)
dir_owner(svc-tcim)
dir_group(users)
dir_perm(0770)
);
};
log { source(src); filter(f_lnx_hosts); destination(d_lnx); };
I did try below command in TCIM server to check the comunication
between centralized syslog-ng serer and tcim server
tcpdump -nn -tp -port 514..
IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 375
IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 193
IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 638
IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 638
1740 packets captured
1740 packets received by filter
0 packets dropped by kernel
Packets are getting from centralised log server.
Do not know where the mistake is.
Please help to resolve this issue.