Here is my config:

@version:3.18
@include "scl.conf"

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/

options {
    flush_lines (10);
    time_reopen (10);
    # chain_hostnames (off);
    use_dns (yes);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    system();
    internal();
    # udp(ip(0.0.0.0) port(514));
};

source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max-connections(256));
    #log_iw_size(25000) so_keepalive(yes) log_fetch_limit(100));
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };
destination d_graylog { tcp("hostname of Graylog server" port (12201) ); };

filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };

log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
log { source(s_net); destination(d_graylog); };
log { source(s_sys); destination(d_graylog); };

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:

On Mon, Nov 12, 2018 at 2:02 PM PÁSZTOR György <pasztor@linux.gyakg.u-szeged.hu> wrote:
Hi Rodney,
"Rodney Bizzell" <hardworker30@gmail.com> wrote on 2018-11-12 at 13:28:
So I upgraded to syslog-ng 3.18 and it has syslog-ng-debun options. I was
Just to run syslog-ng-debun, you should not have had to upgrade your syslog-ng. syslog-ng-debun is a simple all-in-one portable shell script whose purpose is to gather information about any kind of syslog-ng installation. It is always safe to use the latest one of this from the master branch, as I suggested to download via wget.
reading through the documentation and when I issue syslog-ng-debun -d -P 'port 12201' should I see anything on standard out, because all that happened was it displayed the options for the command. That is all that happened
Yep. In the meantime János Szigetrvári added an extra -r option to the script and that changed the default behaviour. Without the -r option it's just a "--dry-run"-ish parameterisation. It does nothing, except test the parameters. You can see that changeset following this link:
https://github.com/balabit/syslog-ng/commit/f9312f87b758c450c6108abe8da9cf0b...
So, from that point on, every syslog-ng-debun command should be replaced with the same, just adding an extra -r option.
Which in your case, means: you should've run: syslog-ng-debun -r -d -P 'port 12201'
when I issued the command below in this email. I tried to run syslog-ng-debun -r and that executed and created a tarball.
Yep. This -r -d -P 'port 12201' will also create a tarball. Just a more useful one: it will run tcpdump in the background, to collect network traffic at the same time, matching the "port 12201" filtering expression.
Btw.: Make sure you have tcpdump installed on the system. Otherwise the script won't be able to run tcpdump.
When you have finished, we need the tarball that the script created.
Regards, Gyu
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
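As an added example (not part of the original thread and not syslog-ng's own tooling, which has `syslog-ng -s` for syntax checks), the script below cross-references the `log { ... }` paths in a config excerpt like the one posted above against the declared sources, filters and destinations, and flags a network destination whose host is still a placeholder such as `"hostname of Graylog server"`, since a path that points at an undefined object or an unresolvable host is a common reason nothing ever arrives at port 12201. SAMPLE_CONF is a constructed, shortened excerpt; the undefined `f_missing` filter is deliberately planted.

```python
import re

# Constructed excerpt modelled on the posted config; f_missing is planted on purpose.
SAMPLE_CONF = """
source s_sys { system(); internal(); };
source s_net { udp(ip(0.0.0.0) port(514)); tcp(ip(0.0.0.0) port(514) max-connections(256)); };
destination d_mesg { file("/var/log/messages"); };
destination d_graylog { tcp("hostname of Graylog server" port (12201) ); };
filter f_default { level(info..emerg) and not (facility(mail)); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_net); destination(d_graylog); };
log { source(s_sys); filter(f_missing); destination(d_graylog); };
"""

# Top-level object declarations: `source NAME { ... };` and friends.
BLOCK_RE = re.compile(r'\b(source|destination|filter)\s+(\w+)\s*\{(.*?)\};', re.S)
# Log paths and the object references inside them.
LOG_RE = re.compile(r'\blog\s*\{(.*?)\};', re.S)
REF_RE = re.compile(r'\b(source|filter|destination)\((\w+)\)')
# Quoted host argument of a network driver inside a destination body.
NET_DEST_RE = re.compile(r'\b(tcp|udp|network)\(\s*"([^"]*)"')


def lint_conf(text):
    """Return human-readable findings for a syslog-ng config string (order is deterministic)."""
    defined = {"source": {}, "destination": {}, "filter": {}}
    for kind, name, body in BLOCK_RE.findall(text):
        defined[kind][name] = body
    findings = []
    # A host containing whitespace (or empty) is a placeholder, not a resolvable name.
    for name, body in defined["destination"].items():
        for driver, host in NET_DEST_RE.findall(body):
            if not host or " " in host:
                findings.append(f"destination {name}: {driver}() host {host!r} is not a valid hostname")
    # Every object a log path references must actually be declared.
    for index, path in enumerate(LOG_RE.findall(text), 1):
        for kind, name in REF_RE.findall(path):
            if name not in defined[kind]:
                findings.append(f"log path {index}: {kind} {name} is referenced but never defined")
    return findings


if __name__ == "__main__":
    for line in lint_conf(SAMPLE_CONF):
        print(line)
```

The check is intentionally limited to cross-references and placeholder hosts; it does not validate syslog-ng syntax, so run it alongside the built-in syntax check rather than instead of it.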