Why do I have to restart syslog to get the new Apache log?
Hi, I am using syslog-ng 2.0.9.1 on openSUSE 11.0. I configured this little script in /etc/syslog-ng/syslog-ng.conf:

source my_src { file("/var/log/apache2/error_log"); };
# filter my_filter { };
destination my_dest {
    file("/var/log/Sami/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
log {
    source(my_src);
    # filter(my_filter);
    destination(my_dest);
};

The problem is that when I restart apache2 while running tail -f /var/log/Sami/$HOST/messages, nothing happens; I have to restart syslog-ng to see those errors. By the way, I stopped AppArmor to avoid a "permission denied" on the destination driver. I need help please, thanks.
On Mon, 2009-03-09 at 02:36 +0100, gatfi sami wrote:
Since you are using 2.0, you need to explicitly specify to syslog-ng that you want to poll the file for changes. You can do this via the follow-freq() option, e.g.

file("/var/log/apache2/error_log" follow_freq(1));

In 3.0, the default value of follow_freq() for regular files is 1 second, so you wouldn't have to specify it explicitly.
-- Bazsi
Thanks, but I want the change to be sent in (real time), if we can use this term, because follow_freq(1) means that syslog needs to check for changes in the file every 1 second. Is there any way to make it 0 seconds ====> detect changes in the apache error log as they happen? Thanks
2009/3/10 Balazs Scheidler <bazsi@balabit.hu>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
On Wed, 2009-03-11 at 00:26 +0100, gatfi sami wrote:
Following the file is implemented by polling it every once in a while. With syslog-ng 3.0 you can specify subsecond time resolution (e.g. 0.1 seconds). Also, when syslog-ng detects that there are unsent messages in a file, it sends several messages, not just one. And syslog-ng does the file check every time something wakes it up (e.g. udp/local process logging), so the 1 second is the worst case scenario. If you want even less latency, then configure apache to send its logs to syslog (google for apache & syslog, you'll find plenty of articles describing that).
-- Bazsi
On Wed, 2009-03-11 at 00:26 +0100, gatfi sami wrote:
Hi,
Real time is a tricky thing. There will always be some latency unless you configure your Apache to send logs to syslog-ng directly (over a pipe or fifo). Even pipes and fifos have a little latency, though we usually ignore that.
If you check from a file you can either lower the frequency of checking for changes, or the PE has inotify support under Linux to detect file changes. Lowering the frequency, though, results in higher CPU load as syslog-ng will be busy checking, stat()-ing the file. To lower the frequency in 3.0, just set a smaller floating-point number for follow_freq():

| KW_FOLLOW_FREQ '(' FLOAT ')' { last_reader_options->follow_freq = (long) ($3 * 1000); }
| KW_FOLLOW_FREQ '(' NUMBER ')' { last_reader_options->follow_freq = ($3 * 1000); }

To set it to 0.5 sec use follow_freq(0.5).
On the other hand I think 1 sec latency should not be a problem, but logging through a pipe is probably a better choice. Also, Apache can send the error log directly to syslog.
http://httpd.apache.org/docs/1.3/mod/core.html#errorlog
cheers,
Marton
-- Key fingerprint = F78C 25CA 5F88 6FAF EA21 779D 3279 9F9E 1155 670D
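As an added example (not syslog-ng code, and not written by anyone in this thread), the following Python script models what a follow_freq()-driven file source has to do on every poll: stat() the path, read whatever was appended since the last poll, and hold back an unterminated last line until its newline arrives. It goes one step beyond the replies above: it also notices when the path now refers to a different inode (the file was rotated or recreated under the same name) or when the file was truncated, and reopens or rewinds instead of sitting on a stale descriptor. The FileFollower class, the demo() driver, the temp-directory file name and the Apache-style log lines are all constructed for this example; follow_freq is the poll interval in seconds.

```python
import os
import shutil
import tempfile
import time


class FileFollower:
    """Poll a log file by name, the way a follow_freq() file source does.

    Each poll() stat()s the path, reads bytes appended since the last poll
    and returns the complete lines found. If the path now refers to a
    different inode (rotation, or delete-and-recreate), or the file shrank
    (truncated in place), the follower reopens/rewinds so it keeps following
    the name rather than an open descriptor nobody writes to any more.
    """

    def __init__(self, path, follow_freq=1.0):
        self.path = path
        self.follow_freq = follow_freq   # poll interval in seconds
        self.fh = None
        self.inode = None
        self.pos = 0
        self.partial = b""               # bytes after the last newline seen
        self.reopens = 0

    def _open(self):
        if self.fh is not None:
            self.fh.close()
        self.fh = open(self.path, "rb")
        self.inode = os.fstat(self.fh.fileno()).st_ino
        self.pos = 0
        self.partial = b""

    def poll(self):
        """One check of the file; returns the list of new complete lines."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return []                    # rotated away; retry on the next poll
        if self.fh is None or st.st_ino != self.inode:
            if self.fh is not None:
                self.reopens += 1        # same name, different file: reopen
            self._open()
        elif st.st_size < self.pos:      # truncated in place: start over
            self.pos = 0
            self.partial = b""
        self.fh.seek(self.pos)
        buf = self.partial + self.fh.read()
        self.pos = self.fh.tell()
        lines = []
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            lines.append(line.decode("utf-8", "replace"))
        self.partial = buf               # keep the unterminated tail for later
        return lines

    def follow(self, max_idle_polls):
        """Generator: poll every follow_freq seconds until max_idle_polls
        consecutive polls return nothing."""
        idle = 0
        while idle < max_idle_polls:
            lines = self.poll()
            idle = 0 if lines else idle + 1
            for line in lines:
                yield line
            time.sleep(self.follow_freq)

    def close(self):
        if self.fh is not None:
            self.fh.close()
            self.fh = None


def demo(follow_freq=0.05):
    """Drive the follower against a constructed error_log in a temp dir.

    Returns (lines seen, number of reopens). The log lines are made up for
    the example, not taken from a real Apache error_log.
    """
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "error_log")
    banner = "[notice] Apache/2.2 configured -- resuming normal operations"
    with open(path, "w") as f:
        f.write(banner + "\n")
    fol = FileFollower(path, follow_freq)
    seen = fol.poll()                                   # existing content

    with open(path, "a") as f:                          # append; last line unterminated
        f.write("[notice] caught SIGTERM, shutting down\n[error] incompl")
    time.sleep(follow_freq)
    seen += fol.poll()                                  # partial line is held back
    with open(path, "a") as f:
        f.write("ete line finished\n")
    seen += fol.poll()

    os.rename(path, path + ".1")                        # rotation: same name, new inode
    with open(path, "w") as f:
        f.write(banner + "\n")
    seen += fol.poll()                                  # reopened; reads the new file

    fol.close()
    shutil.rmtree(workdir)
    return seen, fol.reopens
```

The interval is the trade-off Marton describes: each poll costs one stat() plus a read, so follow_freq(0.1) spends ten times the stat() calls of follow_freq(1) for at most 900 ms less worst-case latency. The inode check is what distinguishes following a name from following a descriptor: a follower that skipped it would keep reading the renamed file for ever and miss everything written to the new one.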
Thank you. Another thing, please: I would like to ask you if it is possible to change the TAG of a sent message, for example give the messages sent to a syslog server a tag value (0x11) and then filter on this tag in the server. I am killing myself to tell my teacher that the tag and priority flag are assigned automatically by syslog and he insists on the fact that we can change their value. Thanks
2009/3/11 ILLES, Marton <illes.marton@balabit.hu>
On Thu, 2009-03-12 at 06:55 +0100, gatfi sami wrote:
It is not currently possible. You can rewrite all text-based fields (host, program, msg) but you can't do it with non-text fields like the tag.
There was a related mail the other day; read the mailing list archives.
-- Bazsi
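To make concrete which fields the question is about, here is an added example in Python (not syslog-ng code, and not from anyone in this thread) that encodes and decodes the BSD syslog header: the PRI number in angle brackets is facility * 8 + severity, so a value of 0x11 (17) is facility 2 (mail) with severity 1 (alert); the TAG is the text program name plus an optional [pid]. The sample line, host name and program names are constructed for the example, and the matches() function is only a stand-in for the kind of test a receiver-side filter would apply, not syslog-ng's filter syntax.

```python
import re

# Facility codes from RFC 3164; 12-15 are left as their raw numbers.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: "local%d" % i for i in range(8)})
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility, severity):
    """PRI is a single number: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility 0-23 and severity 0-7 required")
    return facility * 8 + severity


def decode_pri(pri):
    """Inverse of encode_pri(): returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0-191")
    return divmod(pri, 8)


_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_message(line):
    """Split a BSD syslog line into its header fields.

    The TAG (program name plus optional [pid]) is text in the header; the
    facility and severity are not text at all, they are the two halves of
    the PRI number, fixed by whoever formed the line.
    """
    m = _LINE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    facility, severity = decode_pri(int(m.group("pri")))
    return {
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, str(facility)),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "program": m.group("program"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def build_message(facility, severity, timestamp, host, program, pid, msg):
    """Assemble a BSD syslog line from its parts."""
    tag = program if pid is None else "%s[%d]" % (program, pid)
    return "<%d>%s %s %s: %s" % (encode_pri(facility, severity), timestamp, host, tag, msg)


def matches(parsed, facility_name=None, max_severity=7, program=None):
    """Stand-in for a receiver-side filter: facility, severity threshold, program."""
    if facility_name is not None and parsed["facility_name"] != facility_name:
        return False
    if parsed["severity"] > max_severity:       # lower number = more urgent
        return False
    if program is not None and parsed["program"] != program:
        return False
    return True


# Constructed sample (not from a real host): PRI 0x11 == 17 == mail(2) * 8 + alert(1).
SAMPLE = "<17>Mar 18 12:34:56 webhost apache2[1234]: [error] client denied by server configuration"
```

Nothing in the line carries a separate "tag" number: the only numeric field is PRI, and a receiver that wants to select these messages filters on the decoded facility/severity (or on the text program name), which is what matches() does with the sample.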
Now when I use the TCP connection I receive nothing.

****************** syslog server **************** syslog-ng 2.0.9

source my_tcp { tcp(ip(0.0.0.0) port(415)); };
# they said 0.0.0.0 means receive from any ip address; i also tried tcp(port(514)); same thing
destination my_dest {
    file("/var/log/Sami/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
log {
    source(my_tcp);
    # filter(my_filter);
    destination(my_dest);
};

************************************************************
****************** syslog client **************** syslog-ng 2.0.10

source my_src { file("/var/log/apache2/error_log" follow_freq(1)); };
# filter my_filter { };
destination my_dest { tcp("192.168.1.64" port(514)); };
log {
    source(my_src);
    # filter(my_filter);
    destination(my_dest);
};

**********************************************************************************

Where is the problem? Help me please. It was working on one machine, but when I send to the syslog server I get nothing.
2009/3/12 Balazs Scheidler <bazsi@balabit.hu>
Hi,
2009/3/18 gatfi sami <pfegatfi.sami@gmail.com>:
Now when I use the TCP connection I receive nothing.
****************** syslog server **************** syslog-ng 2.0.9
source my_tcp { tcp(ip(0.0.0.0) port(415)); };
# they said 0.0.0.0 means receive from any ip address; i also tried tcp(port(514)); same thing
To correct your comment: listening on 0.0.0.0 (INADDR_ANY) means that syslog-ng will listen on every IP address the host has. You have to ensure that the receiver and the sender are using the same port and protocol. You can verify with netstat or lsof which port(s) syslog-ng is listening on. Then the next debugging step would be capturing network traffic, to see whether the logs actually leave the sending side, and running another capture on the receiver side to see that the logs reach that host. When the network seems to be OK, then trace the receiver syslog-ng process to see what's going on.
destination my_dest {
    file("/var/log/Sami/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
log {
    source(my_tcp);
    # filter(my_filter);
    destination(my_dest);
};
************************************************************
****************** syslog client **************** syslog-ng 2.0.10
source my_src { file("/var/log/apache2/error_log" follow_freq(1)); };
# filter my_filter { };
destination my_dest { tcp("192.168.1.64" port(514)); };
log {
    source(my_src);
    # filter(my_filter);
    destination(my_dest);
};
**********************************************************************************
Are you sure Apache still writes to that file? Is the inode Apache uses to write logs the same inode syslog-ng is reading?
hth,
Sandor
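The first two checks Sandor lists, worked as an added Python example (not syslog-ng code, and not from anyone in this thread). listening_sockets() parses the kind of netstat listing you would take on the receiver and check_destination() asks whether the client's transport and port have a matching listener; the listing below is constructed for the example and is not output from the poster's host. demo_roundtrip() then runs a one-shot receiver and a sender on 127.0.0.1 to show both outcomes: with the port agreed the newline-terminated line arrives, and with a port nobody listens on the connect is refused and nothing is delivered, which the sending side only learns from its own errors or a packet capture. The host names, ports and the sample message are assumptions made for the example.

```python
import re
import socket
import threading

# Constructed sample of a `netstat -tulnp` listing on the receiver (not captured
# from the poster's host). tcp listens on 415, udp on 514, nothing on tcp/514.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:415             0.0.0.0:*               LISTEN      2210/syslog-ng
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1980/master
udp        0      0 0.0.0.0:514             0.0.0.0:*                           2210/syslog-ng
"""

_ROW = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(LISTEN\s+)?(\S+)$")


def listening_sockets(netstat_text):
    """Return {(proto, port): (bind_address, program)} for every listener in the table."""
    table = {}
    for line in netstat_text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        proto, addr, port, state, prog = m.groups()
        if proto.startswith("tcp") and not state:
            continue                               # a tcp row that is not LISTEN
        table[(proto.rstrip("6"), int(port))] = (addr, prog)
    return table


def check_destination(netstat_text, proto, port):
    """Does a client destination proto/port have a matching listener on the receiver?

    Returns (ok, protocols listening on that port) so a port that is open only
    for the other transport is visible in the answer.
    """
    table = listening_sockets(netstat_text)
    same_port = sorted(p for (p, prt) in table if prt == port)
    return ((proto, port) in table, same_port)


# Constructed sample message (not from a real host).
MSG = "<13>Mar 18 12:34:56 webhost apache2[1234]: [notice] caught SIGTERM, shutting down"


def _receive_one(srv, out):
    """Accept one connection and collect one newline-terminated message."""
    conn, _ = srv.accept()
    with conn:
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    out.append(buf.decode("utf-8", "replace").rstrip("\n"))


def send_tcp(host, port, line, timeout=2.0):
    """Send one message with the newline framing legacy syslog over TCP uses."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(line.encode("utf-8") + b"\n")


def demo_roundtrip():
    """Matching port: the line is delivered. Port with no listener: connect refused."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                      # OS picks a free port
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]
    got = []
    t = threading.Thread(target=_receive_one, args=(srv, got))
    t.start()
    send_tcp("127.0.0.1", port, MSG)
    t.join(5)
    srv.close()

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    wrong_port = probe.getsockname()[1]
    probe.close()                                   # nobody listens here now
    try:
        send_tcp("127.0.0.1", wrong_port, MSG)
        refused = False
    except OSError:
        refused = True
    return got, refused
```

Against the sample listing, a client destination of tcp port 514 fails the check while udp 514 and tcp 415 pass, which is exactly the port-and-protocol agreement the reply asks for; the live half shows why the receiver's log stays empty in the mismatch case rather than filling with errors.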
participants (4): Balazs Scheidler; gatfi sami; ILLES, Marton; Sandor Geller (IT)