problem to filter remote-logs on syslog-server
I try to filter with syslog ng 3.2.4 log files from another server to local files.
The syslog-server receives all log entries from the remote-server.
If I let syslog-server write over "SOURCE network", the log is provided. But the integration in src local does not fold however.

I.e. on syslog-server this works:

log { source(network); destination(foo); };

but

log { source(src); filter (f_foo); destination (d_foo) };

doesn't contain any entries from the remote server.

remote-server-config:

options {
    chain_hostnames(no);
    create_dirs(yes);
    dns_cache(yes);
    flush_lines(1);
    keep_hostname(yes);
    log_fifo_size(16384);
    log_msg_size(8192);
    long_hostnames(off);
    perm(0640);
    stats_freq(43200);
    time_reopen(10);
    use_dns(yes);
    use_fqdn(yes);
};

destination remote { udp("syslog-server" port(514)); };
log { source(src); destination(remote); };

syslog-server-config:

options as on the remote-server

source src {internal(); udp(port(514)); unix-dgram("/dev/log"); unix-dgram("/var/lib/named/dev/log"); };
source network { udp(port(514)); };
"system@ra-schaal.de" <system@ra-schaal.de> writes:
I try to filter with syslog ng 3.2.4 log files from another server to local files.
The syslog-server receives all log entries from the remote-server.
If I let syslog-server write over "SOURCE network", the log is provided. But the integration in src local does not fold however.
I.e. on syslog-server this works: log { source(network); destination(foo); };
but log { source(src); filter (f_foo); destination (d_foo) };
doesn't contain any entries from the remote server.
That's because you have two sources that both try to listen on udp port 514, which will not work.
A better solution would be to remove it from the src source, and use two sources in the log path.

Something like this:

source src {internal(); unix-dgram("/dev/log"); unix-dgram("/var/lib/named/dev/log"); };
source network { udp(port(514)); };

log { source(src); source(network); filter(f_foo); destination(d_foo); };

-- |8]
On 08.06.2011 11:22, Gergely Nagy wrote:
That's because you have two sources that both try to listen on udp port 514, which will not work.
A better solution would be to remove it from the src source, and use two sources in the log path.
Something like this:
source src {internal(); unix-dgram("/dev/log"); unix-dgram("/var/lib/named/dev/log"); }; source network { udp(port(514)); };
log { source(src); source(network); filter(f_foo); destination(d_foo); };
Thanks. I removed source network. Everything is working as expected now.
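
A check for the condition diagnosed in this thread (two sources declaring a listener on the same UDP port), as an added example that is not part of the original thread or of syslog-ng: it scans `source` blocks for udp()/tcp() drivers and reports any protocol/address/port combination declared more than once. The function name, the regex-based parsing and the sample strings are assumptions made for illustration; only full-line comments and one level of nested options are handled.

```python
import re
from collections import defaultdict

# Constructed sample: the syslog-server source definitions quoted in the thread.
BROKEN_CONF = '''
source src { internal(); udp(port(514)); unix-dgram("/dev/log");
             unix-dgram("/var/lib/named/dev/log"); };
source network { udp(port(514)); };
'''

# Constructed sample: the layout suggested in the reply (one UDP listener only).
FIXED_CONF = '''
source src { internal(); unix-dgram("/dev/log");
             unix-dgram("/var/lib/named/dev/log"); };
source network { udp(port(514)); };
log { source(src); source(network); filter(f_foo); destination(d_foo); };
'''

# "source <name> { ... };" definitions; "source(name)" references do not match.
SOURCE_RE = re.compile(r'\bsource\s+(\w+)\s*\{(.*?)\}\s*;', re.S)
# A udp()/tcp() driver call and its option list (options nested one level deep).
DRIVER_RE = re.compile(r'\b(udp|tcp)\s*\(((?:[^()]|\([^()]*\))*)\)')
PORT_RE = re.compile(r'\bport\s*\(\s*(\d+)\s*\)')
IP_RE = re.compile(r'\bip\s*\(\s*"?([^")\s]+)"?\s*\)')


def find_duplicate_listeners(conf_text):
    """Return {(proto, ip, port): [source names]} for listeners declared twice or more.

    An omitted ip() is recorded as '*' and an omitted port() as 'default';
    only identical keys are reported as conflicts.
    """
    conf_text = re.sub(r'(?m)^\s*#.*$', '', conf_text)  # drop full-line comments
    seen = defaultdict(list)
    for name, body in SOURCE_RE.findall(conf_text):
        for proto, args in DRIVER_RE.findall(body):
            port = PORT_RE.search(args)
            ip = IP_RE.search(args)
            key = (proto,
                   ip.group(1) if ip else '*',
                   port.group(1) if port else 'default')
            seen[key].append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        dups = find_duplicate_listeners(conf)
        print(label, "->", dups if dups else "no duplicate listeners")
```
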