Remote SYSLOG-NG logging - can't log from remote
I am at my wits end with this. Some devices are logging remotely, but others are not. I can see the packets arrive on UDP port 514 using tcpdump, but the packets don't get recorded in the proper file. I have tried nearly everything, and I am certain I am doing something silly, but maybe you can help out.

Here is my syslog-ng.conf.file:

*************************************************************
source local { unix-dgram("/var/run/log"); udp(ip(0.0.0.0) port(514)); internal(); };

### SECURITY LOG - This logs
filter f_9 { facility(security) and level(debug..emerg); };
destination d_3 { file("/var/log/security" create_dirs(yes)); };
log { source(local); filter(f_9); destination(d_3); };

### MAIL LOG - This logs
filter f_12 { facility(mail) and level(info..emerg); };
destination d_5 { file("/var/log/maillog" create_dirs(yes)); };
log { source(local); filter(f_12); destination(d_5); };

### PHONE DACS LOGS - This also logs
filter f_40 { level(debug..emerg) and host("172.12.67.28"); };
destination d_60 { file("/var/log/dacs/ftldgaaw_dac_1.log" create_dirs(yes)); };
log{ source(local); filter(f_40); destination(d_60); };

### ROUTER LOG - This does NOT log
filter f_19 { host("192.168.1.128"); };
destination d_19 { file("/var/log/netrouter_pisst.log" create_dirs(yes)); };
log{ source(local); filter(f_19); destination(d_19); };
On Tue, May 02, 2006 at 10:24:27PM -0000, rlubbers@sysctl.net wrote:
I am at my wits end with this. Some devices are logging remotely, but others are not. I can see the packets arrive on UDP port 514 using tcpdump, but the packets don't get recorded in the proper file. I have tried nearly everything, and I am certain I am doing something silly, but maybe you can help out.
Here is my syslog-ng.conf.file:
*************************************************************
source local { unix-dgram("/var/run/log"); udp(ip(0.0.0.0) port(514)); internal(); };
### SECURITY LOG - This logs
filter f_9 { facility(security) and level(debug..emerg); };
destination d_3 { file("/var/log/security" create_dirs(yes)); };
log { source(local); filter(f_9); destination(d_3); };
Does your system define a "security" facility? Probably not. From /usr/include/sys/syslog.h on my Linux box:

/* facility codes */
#define LOG_KERN (0<<3) /* kernel messages */
#define LOG_USER (1<<3) /* random user-level messages */
#define LOG_MAIL (2<<3) /* mail system */
#define LOG_DAEMON (3<<3) /* system daemons */
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* network news subsystem */
#define LOG_UUCP (8<<3) /* UUCP subsystem */
#define LOG_CRON (9<<3) /* clock daemon */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
#define LOG_FTP (11<<3) /* ftp daemon */
/* other codes through 15 reserved for system use */
#define LOG_LOCAL0 (16<<3) /* reserved for local use */
#define LOG_LOCAL1 (17<<3) /* reserved for local use */
#define LOG_LOCAL2 (18<<3) /* reserved for local use */
#define LOG_LOCAL3 (19<<3) /* reserved for local use */
#define LOG_LOCAL4 (20<<3) /* reserved for local use */
#define LOG_LOCAL5 (21<<3) /* reserved for local use */
#define LOG_LOCAL6 (22<<3) /* reserved for local use */
#define LOG_LOCAL7 (23<<3) /* reserved for local use */

...and from a Solaris box:

/*
 * Facility codes
 */
#define LOG_KERN (0<<3) /* kernel messages */
#define LOG_USER (1<<3) /* random user-level messages */
#define LOG_MAIL (2<<3) /* mail system */
#define LOG_DAEMON (3<<3) /* system daemons */
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* netnews subsystem */
#define LOG_UUCP (8<<3) /* uucp subsystem */
#define LOG_CRON (15<<3) /* cron/at subsystem */
/* other codes through 15 reserved for system use */
#define LOG_LOCAL0 (16<<3) /* reserved for local use */
#define LOG_LOCAL1 (17<<3) /* reserved for local use */
#define LOG_LOCAL2 (18<<3) /* reserved for local use */
#define LOG_LOCAL3 (19<<3) /* reserved for local use */
#define LOG_LOCAL4 (20<<3) /* reserved for local use */
#define LOG_LOCAL5 (21<<3) /* reserved for local use */
#define LOG_LOCAL6 (22<<3) /* reserved for local use */
#define LOG_LOCAL7 (23<<3) /* reserved for local use */

You need to pick from the available facilities. You might mean authpriv, if you're on a Linux box and messages are coming from a Linux box.

If you're wondering what's coming in, define a catchall destination and see what's recorded:

http://www.campin.net/syslog-ng/faq.html#logall

You might define a template that includes the facility/severity in the logfile so you can set your filters accordingly:

http://www.campin.net/syslog-ng/faq.html#template

Something like this:

destination std {
    file("/var/log/catchall.log"
        owner(syslog-ng) group (syslog-ng) perm(0600) dir_perm(0700)
        create_dirs(yes)
        template("$DATE $FULLHOST $PROGRAM $TAG [$FACILITY.$LEVEL] $MESSAGE\n")
    );
};
log { source(src); destination(std); };

--
Nate

"I had to quit my job to have time to read my email." - Curry, Adam [MTV Host and net.legend] his occasional signature quote
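An added example, not part of the original thread: a small decoder for the `<PRI>` prefix of a raw syslog datagram (as seen in a tcpdump capture), using the facility tables from the two header excerpts quoted above, so you can see which facility and level a filter would have to match. The function name `decode_pri`, the table names and the sample payloads are constructed for illustration.

```python
import re

# Facility names by code, from the Linux <sys/syslog.h> excerpt quoted above
# (header value = code << 3). Codes 12-15 are not named in that excerpt.
LINUX_FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    **{16 + n: f"local{n}" for n in range(8)},
}
# The Solaris excerpt differs: cron is code 15, and 9-11 are not defined.
SOLARIS_FACILITIES = {k: v for k, v in LINUX_FACILITIES.items()
                      if k not in (9, 10, 11)}
SOLARIS_FACILITIES[15] = "cron"

# Severity names in the order of their numeric codes 0..7.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(payload, table=LINUX_FACILITIES):
    """Return (facility, level) for a raw syslog datagram, or None when the
    payload has no usable <PRI> prefix."""
    m = PRI_RE.match(payload)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 23 * 8 + 7:          # largest value the tables above can encode
        return None
    code, severity = pri >> 3, pri & 7   # PRI = facility code * 8 + severity
    return table.get(code, f"unknown({code})"), LEVELS[severity]

# Constructed sample payloads (not captured from the poster's network).
SAMPLES = [
    b"<38>sshd[123]: constructed auth message",
    b"<86>su: constructed authpriv message",
    b"<189>45: constructed router message",
    b"<78>cron[9]: constructed cron message",
    b"message with no PRI prefix",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw[:24], "linux:", decode_pri(raw),
              "solaris:", decode_pri(raw, SOLARIS_FACILITIES))
```

The same PRI value can name different facilities depending on which table the sender was built against, which is why the catchall log with `$FACILITY.$LEVEL` in the template is the quickest way to see what the collector actually assigns.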
Participants (2): Nate Campi, rlubbers@sysctl.net