Yes, that was the first thing I checked; even now I have checked it again, and the logs are still coming to the Linux box where syslog is installed.

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:23:16.916213 IP (tos 0x0, ttl 255, id 125, offset 0, flags [none], proto UDP (17), length 173) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 145
        Facility local7 (23), Severity notice (5)
        Msg: 126: *Jul 1 15:23:18.030: %OSPF-5-ADJCHG: Proces[|syslog]
15:23:16.918286 IP (tos 0x0, ttl 255, id 126, offset 0, flags [none], proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 110
        Facility local7 (23), Severity notice (5)
        Msg: 127: *Jul 1 15:23:18.110: %LDP-5-NBRCHG: LDP Nei[|syslog]
15:23:17.876055 IP (tos 0x0, ttl 255, id 127, offset 0, flags [none], proto UDP (17), length 136) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 108
        Facility local7 (23), Severity notice (5)
        Msg: 128: *Jul 1 15:23:19.954: %LINK-5-CHANGED: Inter[|syslog]
15:23:18.979640 IP (tos 0x0, ttl 255, id 128, offset 0, flags [none], proto UDP (17), length 140) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 112
        Facility local7 (23), Severity info (6)
        Msg: 129: *Jul 1 15:23:19.958: %ENTITY_ALARM-6-INFO: [|syslog]
15:23:19.859450 IP (tos 0x0, ttl 255, id 129, offset 0, flags [none], proto UDP (17), length 140) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 112
        Facility local7 (23), Severity notice (5)
        Msg: 130: *Jul 1 15:23:20.954: %LINEPROTO-5-UPDOWN: L[|syslog]

And unfortunately, I'm the only person in the company who knows a little bit of Linux, so I don't have anybody to ask...

Ulrich.Wiemers@t-systems.com wrote:
Hi, I don't see anything in your config... Are you sure your syslog messages are sent to the UDP port syslog-ng is listening on (normally: 514)? Did you check that with one of snoop, ethereal, wireshark and the like? Just an idea... hth Ulli
------------------------------------------------------------------------
*From:* syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] *On Behalf Of *Cosmin Neagu
*Sent:* Wednesday, 1 July 2009 14:15
*To:* Syslog-ng users' and developers' mailing list
*Subject:* Re: [syslog-ng] Syslog-ng beginners guide
Hello again,

Things are evolving a little bit.
Now the syslog-ng conf is configured like this:
source s_router_udp { udp (); };
destination d_mysql {
    pipe("/tmp/mysql.pipe"
        template("INSERT INTO syslog_incoming (facility, priority, date, time, host, message, seq) VALUES ( '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$HOST', '$MSG', '$SEQ' );\n")
        template-escape(yes));
};
log { source (s_router_udp); destination (d_mysql); };
log { source (s_sys); destination(d_mysql); };
The second log statement is working, because I can see entries in the syslog_incoming table, and I also see the log in Cacti:

mysql> select * from syslog_incoming;
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
| facility | priority | date       | time     | host          | message                                                          | seq | status |
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
| syslog   | info     | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: Termination requested via signal, terminating; |  22 |      0 |
| syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: syslog-ng shutting down; version='2.0.10'      |  23 |      0 |
| syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[21587]: syslog-ng starting up; version='2.0.10'        |  24 |      0 |
| authpriv | info     | 2009-07-01 | 11:56:06 | monitorizare1 | sshd[21567]: Connection closed by 127.0.0.1                      |  21 |      0 |
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
4 rows in set (0.00 sec)
But I don't know what the problem is with the first log statement, or how to fix it. Can anyone help a little? Maybe with some documentation, or maybe someone has encountered a similar problem?
PS: Something else that I noticed and don't know what it means. One of the syslog-ng messages is like this:

syslog-ng[20083]: Log statistics; *dropped='pipe(/tmp/mysql.pipe)=0*', processed='center(queued)=30', processed='center(received)=15', processed='destination(d_boot)=0', processed='destination(d_auth)=4', processed='destination(d_cron)=9', processed='destination(d_mysql)=15', processed='destination(d_mlal)=0', processed='destination(d_mesg)=2', processed='destination(d_cons)=0', processed='destination(d_spol)=0', processed='destination(d_mail)=0', processed='source(s_sys)=15', processed='source(s_router_udp)=0'

What could be the cause for that "dropped" there? Shouldn't it be processed?
-- 
Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
www.omnilogic.ro
Cosmin Neagu wrote:
Thanks a lot Ulrich, that site contains great documentation; I'm starting to understand how syslog-ng works. But let me tell you the problem with which I'm stuck right now.
A router at 10.0.0.1 is sending syslog messages to a Linux box (Fedora). I can see the messages arriving at the server:

[root@monitorizare1 ~]# tcpdump -v src 10.0.0.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:09:07.941254 IP (tos 0x0, ttl 255, id 80, offset 0, flags [none], proto UDP (17), length 115) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 87
        Facility local7 (23), Severity error (3)
        Msg: 81: *Jul 1 10:09:10.027: %LINK-3-UPDOWN: Interfa[|syslog]
10:09:08.760267 IP (tos 0x0, ttl 255, id 81, offset 0, flags [none], proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 110
        Facility local7 (23), Severity info (6)
        Msg: 82: *Jul 1 10:09:10.031: %ENTITY_ALARM-6-INFO: C[|syslog]
10:09:09.755868 IP (tos 0x0, ttl 255, id 82, offset 0, flags [none], proto UDP (17), length 137) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 109
        Facility local7 (23), Severity notice (5)
I have configured syslog-ng.conf like this:

source s_router_udp {
    internal();
    file ("/proc/kmsg" log_prefix("kernel: "));
    udp (ip(0.0.0.0) port ( 514 ) );
    #unix-stream ("/dev/log");
};
destination d_localfile { file ("/root/testlog"); };
log { source (s_router_udp); destination (d_localfile); };
The problem is that in /root/testlog I can't see any log, except those generated internally by syslog-ng:

Jul 1 09:31:36 monitorizare1 syslog-ng[17787]: syslog-ng starting up; version='2.0.10'
Jul 1 09:32:49 monitorizare1 syslog-ng[17787]: Termination requested via signal, terminating;
Jul 1 09:32:50 monitorizare1 syslog-ng[17812]: syslog-ng starting up; version='2.0.10'
Jul 1 09:42:50 monitorizare1 syslog-ng[17812]: Log statistics; processed='center(queued)=6', processed='center(received)=6', processed='destination(d_boot)=0', processed='destination(d_auth)=2', processed='destination(d_cron)=2', processed='destination(d_mlal)=0', processed='destination(d_localfile)=1', processed='destination(d_mesg)=1', processed='destination(d_cons)=0', processed='destination(d_spol)=0', processed='destination(d_mail)=0', processed='source(s_sys)=5', processed='source(s_router_udp)=1'
Jul 1 09:45:11 monitorizare1 syslog-ng[17812]: Termination requested via signal, terminating;
Jul 1 09:45:11 monitorizare1 syslog-ng[18840]: syslog-ng starting up; version='2.0.10'
Jul 1 09:47:43 monitorizare1 syslog-ng[18840]: Termination requested via signal, terminating;
Jul 1 09:47:43 monitorizare1 syslog-ng[19009]: syslog-ng starting up; version='2.0.10'
I can't find anything in the syslog-ng admin guide about how messages received from remote hosts can be written to files.

Can anyone help me? I feel that I'm close to a solution.
Ulrich.Wiemers@t-systems.com wrote:
Hi, I was in a similar situation some weeks ago. The Admin Guide found at http://www.balabit.com/support/documentation/?product=syslog-ng was of great help to me. And, of course, Google ,-)
hth
Ulli
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Cosmin Neagu
Sent: Tuesday, 30 June 2009 14:49
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Syslog-ng beginners guide
Hello everybody,

Sorry for bothering you with a beginner's question. I have a Cacti implementation in my network and I want to integrate it with syslog-ng. I have mostly Cisco routers, all configured to send syslog messages to two Linux boxes (Ubuntu 9.04 and Fedora Core 10) where I have installed syslog-ng.

I'm not able to find where the logs are kept, and this is driving me crazy. Do you know any site or resource where I can find a beginner's guide about using syslog-ng with Cisco routers? I mean, a guide for someone who has never used syslog-ng before. Thanks.
-- 
Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
www.omnilogic.ro
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
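The d_mysql destination in Cosmin's config above writes a literal INSERT statement to the pipe for every message, so the template-escape(yes) option is doing real work. The following is an added example (mine, not code from the thread or from syslog-ng): it decodes the <PRI> header that tcpdump showed as local7 (23) / notice (5), renders the same INSERT with and without the escaping step, and tokenises the result the way MySQL would to show how an unescaped quote in a router message leaves the statement broken. The datagrams, host and timestamps are constructed, since the page's captures are truncated.

```python
import re

# Names syslog-ng's $FACILITY / $PRIORITY macros produce (facility = PRI // 8, severity = PRI % 8).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 6: "lpr",
              7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp", 16: "local0",
              17: "local1", 18: "local2", 19: "local3", 20: "local4", 21: "local5",
              22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def parse_pri(datagram):
    """Split a raw UDP datagram into (facility, severity, body); <189> is local7/notice."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI> header")
    pri = int(m.group(1))
    return FACILITIES.get(pri // 8, str(pri // 8)), SEVERITIES[pri % 8], m.group(2)

def template_escape(value):
    """What template-escape(yes) does to each macro value: backslash-escape ' " and \\."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

TEMPLATE = ("INSERT INTO syslog_incoming (facility, priority, date, time, host, message, seq) "
            "VALUES ( '%s', '%s', '%s', '%s', '%s', '%s', '%s' );")

def render_insert(facility, priority, date, time, host, msg, seq, escape=True):
    """Render the statement the d_mysql pipe destination writes, with or without escaping."""
    fields = [facility, priority, date, time, host, msg, str(seq)]
    return TEMPLATE % tuple(template_escape(f) if escape else f for f in fields)

def sql_literals(sql):
    """Tokenise single-quoted literals the way MySQL does (backslash escapes honoured)."""
    out, i = [], 0
    while (i := sql.find("'", i)) >= 0:
        buf, i = [], i + 1
        while i < len(sql) and sql[i] != "'":
            if sql[i] == "\\" and i + 1 < len(sql):
                i += 1  # escaped character: take the next one literally
            buf.append(sql[i])
            i += 1
        if i >= len(sql):
            raise ValueError("unterminated string literal: message text broke the INSERT")
        out.append("".join(buf))
        i += 1
    return out

# Constructed datagrams (the page's tcpdump captures are cut off at 96 bytes).
OSPF = "<189>126: *Jul 1 15:23:18.030: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Serial0/0 from LOADING to FULL"
QUOTED = "<189>131: *Jul 1 15:30:00.000: %SYS-5-CONFIG_I: Configured from console by user o'brien on vty0"
```

With escape=False the message's apostrophe closes the sixth literal early and the trailing `' );` is left unterminated, which is exactly the statement the MySQL side would reject (or, with crafted text, misinterpret); with escaping on, all seven literals come back intact.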