Ok great

On Thu, Oct 11, 2018, 3:25 PM Szemere, László <laszlo.szemere@oneidentity.com> wrote:

Dear Rodney Bizzell,

I started a freshly built syslog-ng from the latest revision from the OSE master with your config (I used dbld for this), and it immediately pointed out one syntax error:

    Error parsing afsocket, inner-dest plugin spoof_sources not found in /source/syslog-ng.conf:

    45
    46
    47      destination d_graylog {
    48         tcp("0.0.0.0"
    49         port (12201)
    50----> spoof_sources(yes)
    50----> ^^^^^^^^^^^^^
    51      );
    52      };
    53
    54
    55      filter f_kernel { facility(kern); };

Since you did not provide any error message/output from your instance, I can not investigate it any further currently.

If you encounter any other issue, please try to provide as much information as you can, including at least the:
- platform
- syslog-ng version
- installation source (custom built, OBS repository, etc.)
- configuration
- output from syslog-ng
- network setup (if the problem can not be reproduced with the loopback interface only)

Br,
Laci

On Thu, Oct 11, 2018 at 6:01 PM, Rodney Bizzell <hardworker30@gmail.com> wrote:
Ok I have 3.5 syslog-ng

On Thu, Oct 11, 2018, 10:43 AM Szemere, László <laszlo.szemere@oneidentity.com> wrote:

Dear Rodney Bizzell,

if you start syslog-ng with the following options:
- -F (foreground)
- -d (debug)
- -e (stderr)
- -v (verbose)

it will provide verbose information during the startup. It will help a lot to figure out the root cause of the problem.

Note: If you have the option to update your syslog-ng version: Since 3.15.1 (PR: https://github.com/balabit/syslog-ng/pull/1932) syslog-ng will point out the exact location of syntax errors.
Br, Laci
On Thu, Oct 11, 2018 at 3:38 PM, Rodney Bizzell <hardworker30@gmail.com> wrote:
It isn't starting up at all. Once I add those changes to the config, it says invalid syntax.

On Thu, Oct 11, 2018 at 9:22 AM Szemere, László <laszlo.szemere@oneidentity.com> wrote:

Dear Rodney Bizzell,

sorry for the misunderstanding, now it is clear to us that you anonymised your config. Just a note: it is preferable to use different masking addresses for different original IPs, i.e. I can not check this source: "udp(ip(0.0.0.0) port(514));"

Back to your problem. It is not clear to me what you mean by "once changes are made syslog-ng is failing". Is it not starting up at all? Or just not forwarding logs to your Graylog server?
Br, Laci
On Thu, Oct 11, 2018 at 2:03 PM, Rodney Bizzell <hardworker30@gmail.com> wrote:

I just changed my information on my graylog box; 0.0.0.0 isn't what I had in there. The way the config is, did that look syntactically correct?

On Thu, Oct 11, 2018, 12:26 AM Péter, Kókai <peter.kokai@oneidentity.com> wrote:

> Hello,
>
> If you start syslog-ng with -Fe it might give you a clue.
> Also 0.0.0.0 is a non-routable address, so it is fine for source,
> not so much for destination, you should check out on which ip graylog
> is listening, if it is 0.0.0.0 you could use the loopback device 120.0.0.1 (or
> other valid ip, but lo would be preferable).
>
> --
> Kokan
>
> On Wed, 10 Oct 2018, 10:57 pm Rodney Bizzell, <hardworker30@gmail.com> wrote:
>
>> I have installed syslog-ng 3.5 and I am configuring it to send all
>> logs to Graylog but once changes are made syslog-ng is failing. I changed
>> the address of graylog server to 0.0.0.0
>>
>>
>> @version:3.5
>> @include "scl.conf"
>>
>> # syslog-ng configuration file.
>> #
>> # This should behave pretty much like the original syslog on RedHat. But
>> # it could be configured a lot smarter.
>> #
>> # See syslog-ng(8) and syslog-ng.conf(5) for more information.
>> #
>> # Note: it also sources additional configuration files (*.conf)
>> # located in /etc/syslog-ng/conf.d/
>>
>> options {
>>     flush_lines (0);
>>     time_reopen (10);
>>     log_fifo_size (1000);
>>     chain_hostnames (off);
>>     use_dns (no);
>>     use_fqdn (no);
>>     create_dirs (no);
>>     keep_hostname (yes);
>> };
>>
>> source s_sys {
>>     system();
>>     internal();
>>     udp(ip(0.0.0.0) port(514));
>> };
>>
>> source s_net {
>>     udp(ip(0.0.0.0) port(514));
>>     tcp(ip(0.0.0.0) port(514) max-connections(256));
>> };
>>
>> destination d_cons { file("/dev/console"); };
>> destination d_mesg { file("/var/log/messages"); };
>> destination d_auth { file("/var/log/secure"); };
>> destination d_mail { file("/var/log/maillog" flush_lines(10)); };
>> destination d_spol { file("/var/log/spooler"); };
>> destination d_boot { file("/var/log/boot.log"); };
>> destination d_cron { file("/var/log/cron"); };
>> destination d_kern { file("/var/log/kern"); };
>> destination d_mlal { usertty("*"); };
>>
>>
>> destination d_graylog {
>>     tcp("0.0.0.0"
>>     port (12201)
>>     spoof_sources(yes)
>>     );
>> };
>>
>>
>> filter f_kernel    { facility(kern); };
>> filter f_default   { level(info..emerg) and
>>                          not (facility(mail)
>>                          or facility(authpriv)
>>                          or facility(cron)); };
>> filter f_auth      { facility(authpriv); };
>> filter f_mail      { facility(mail); };
>> filter f_emergency { level(emerg); };
>> filter f_news      { facility(uucp) or
>>                          (facility(news)
>>                          and level(crit..emerg)); };
>> filter f_boot      { facility(local7); };
>> filter f_cron      { facility(cron); };
>>
>> #log { source(s_sys); filter(f_kernel); destination(d_cons); };
>> log { source(s_sys); filter(f_kernel); destination(d_kern); };
>> log { source(s_sys); filter(f_default); destination(d_mesg); };
>> log { source(s_sys); filter(f_auth); destination(d_auth); };
>> log { source(s_sys); filter(f_mail); destination(d_mail); };
>> log { source(s_sys); filter(f_emergency); destination(d_mlal); };
>> log { source(s_sys); filter(f_news); destination(d_spol); };
>> log { source(s_sys); filter(f_boot); destination(d_boot); };
>> log { source(s_sys); filter(f_cron); destination(d_cron); };
>>
>>
>>
>> log { source(s_net); destination(d_graylog); };
>> log { source(s_sys); filter(f_default); destination(d_graylog);};
>>
>> # Source additional configuration files (.conf extension only)
>> @include "/etc/syslog-ng/conf.d/*.conf"
>>
>>
>> # vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
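
The two problems raised in this thread (the option the parser rejects inside tcp(), and 0.0.0.0 used as a destination address), shown next to a corrected destination. This is an added example, not part of any poster's message. Assumptions: 192.0.2.10 is a placeholder for the real Graylog address, /etc/syslog-ng/syslog-ng.conf is the assumed main config path, and spoof-source() is the udp() option name from the syslog-ng documentation, not from this thread.

```conf
# Added example (not from the thread).
# 192.0.2.10 is a placeholder for the address the Graylog input listens on.

# As posted: the parser rejects spoof_sources inside tcp(), and 0.0.0.0
# is only meaningful as a listening address, not as a destination.
# destination d_graylog {
#     tcp("0.0.0.0"
#     port (12201)
#     spoof_sources(yes)
#     );
# };

# Corrected TCP destination: no spoofing option, routable address.
destination d_graylog {
    tcp("192.0.2.10" port(12201));
};

# Alternative, only if the receiver must see the original sender address:
# spoof-source() is an option of udp() destinations and needs a syslog-ng
# build with spoof-source support. Define d_graylog once, not both ways.
# destination d_graylog {
#     udp("192.0.2.10" port(12201) spoof-source(yes));
# };

# Validate before restarting the service (path is an assumption):
#   syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf
# Then run once in the foreground with the flags suggested in the thread:
#   syslog-ng -F -e -d -v
```

With spoof-source(), the receiver sees the sender address syslog-ng writes into each packet, so the source IP recorded in Graylog should be treated as a label rather than as verified origin.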