syslog-ng is skipping syslog events with no PRI
syslog-ng is *NOT* writing syslog like this to a file which has no <*PRI*>

23:49:48.306587 IP 192.168.1.100.39567 > 192.168.100.100.514: [|syslog] E.....@.>..U...g..........T.2018-03-19T23:49:48+0000 alarmLog, applianceName=Branch-UC1, tenantName=DEMO-CORP, alarmType=sla-not-met, alarmKey=INTERNET, generateTime=1521503387, applianceId=1, vsnId=0, tenantId=2, alarmCause=datapathState, alarmClearable=yes, alarmClass=cleared, alarmKind=symptom, alarmEventType=equipmentAlarm, alarmSeverity=cleared, alarmOwner=tenant, alarmSeqNo=1568, alarmText="delay:9 msec", siteName=Branch-UC1 ................

syslog-ng is writing syslog like this to a file *OK*

23:50:26.930023 IP 192.168.1.100.55078 > 192.168.100.100.514: SYSLOG mail.info, length: 76 E..h.B@.>......g.....&...Tt.<22>Mar 19 23:50:26 SVL-remotehost-02 root: this is third test alarmLog................

Here is my syslog-ng config

source s_udp { udp(ip(0.0.0.0) port(514)); };
destination d_alarm { file("/var/log/alarms.log"); };
filter f_alarm { match("alarmLog" value("MESSAGE")); };
log { source(s_udp); filter(f_alarm); destination(d_alarm); };

I am using syslog-ng version 3.5.6 on centos 7

Any idea why syslog-ng is writing the first log event into a file?

Appreciate any help!

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Hi Asif!

I think the problem with the first message comes from the message structure and the filter statement. Its structure does not conform to either syslog RFC standards (RFC3164 or RFC5424). Syslog-ng still tries to parse the log message by its internal heuristics and the "alarmLog" text is parsed as the 'program' field.

You can debug syslog-ng parsing with the format-json template in the destination: `template("$(format-json -s syslog-proto)\n")`

The output for this was:

{"PROGRAM":"alarmLog,","PRIORITY":"notice","MESSAGE":"applianceName=Branch-UC1, tenantName=DEMO-CORP, alarmType=sla-not-met, alarmKey=INTERNET, generateTime=1521503387, applianceId=1, vsnId=0, tenantId=2, alarmCause=datapathState, alarmClearable=yes, alarmClass=cleared, alarmKind=symptom, alarmEventType=equipmentAlarm, alarmSeverity=cleared, alarmOwner=tenant, alarmSeqNo=1568, alarmText=delay:9 msec, siteName=Branch-UC1","HOST":"+0000","FACILITY":"user","DATE":"Mar 13 23:49:48"}

The filter statement uses the `match()` filter which works on both the header and message part of the log message and thus would match for the first log message if the `value("MESSAGE")` part would not be there. With that you restricted the filter to match only on the message part. If you remove the `value("MESSAGE")` from the filter statement it will work.

Regards,
Gabor

On Tue, Mar 20, 2018 at 1:52 AM, Asif Iqbal <vadud3@gmail.com> wrote:
> syslog-ng is *NOT* writing syslog like this to a file which has no <*PRI*>
> 23:49:48.306587 IP 192.168.1.100.39567 > 192.168.100.100.514: [|syslog] E.....@.>..U...g..........T.2018-03-19T23:49:48+0000 alarmLog, applianceName=Branch-UC1, tenantName=DEMO-CORP, alarmType=sla-not-met, alarmKey=INTERNET, generateTime=1521503387, applianceId=1, vsnId=0, tenantId=2, alarmCause=datapathState, alarmClearable=yes, alarmClass=cleared, alarmKind=symptom, alarmEventType=equipmentAlarm, alarmSeverity=cleared, alarmOwner=tenant, alarmSeqNo=1568, alarmText="delay:9 msec", siteName=Branch-UC1 ................
> syslog-ng is writing syslog like this to a file *OK*
> 23:50:26.930023 IP 192.168.1.100.55078 > 192.168.100.100.514: SYSLOG mail.info, length: 76 E..h.B@.>......g.....&...Tt.<22>Mar 19 23:50:26 SVL-remotehost-02 root: this is third test alarmLog................
> Here is my syslog-ng config
> source s_udp { udp(ip(0.0.0.0) port(514)); };
> destination d_alarm { file("/var/log/alarms.log"); };
> filter f_alarm { match("alarmLog" value("MESSAGE")); };
> log { source(s_udp); filter(f_alarm); destination(d_alarm); };
> I am using syslog-ng version 3.5.6 on centos 7
> Any idea why syslog-ng is writing the first log event into a file?
> Appreciate any help!
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
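Added example (not part of the thread, and not syslog-ng's parser): a Python triage helper that checks whether a UDP syslog payload starts with a valid `<PRI>` header, decodes it to facility.severity, and splits the appliance's PRI-less `alarmLog` line into its key=value fields. The two sample payloads are re-typed from the tcpdump output quoted above (the first one shortened), and all function names are hypothetical.

```python
import json
import re

# Facility names by numeric code; codes 12-15 are left numeric on purpose.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"]
              + ["facility%d" % n for n in range(12, 16)]
              + ["local%d" % n for n in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
RFC5424_VERSION_RE = re.compile(r"^[1-9]\d{0,2} ")                     # "1 " after PRI
BSD_TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # "Mar 19 23:50:26 "
ALARM_RE = re.compile(r"^(\S+) (\w+), (.*)$", re.S)                    # "<ts> alarmLog, k=v, ..."
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')                     # value may be quoted


def classify(payload):
    """Report the framing of one datagram and decode PRI when it is valid."""
    text = payload.decode("utf-8", errors="replace").rstrip("\x00\r\n")
    m = PRI_RE.match(text)
    pri = int(m.group(1)) if m else None
    if pri is None or pri > 191:          # 23 facilities * 8 + 7 is the maximum
        return {"framing": "no-pri", "facility": None, "severity": None, "rest": text}
    rest = text[m.end():]
    if RFC5424_VERSION_RE.match(rest):
        framing = "rfc5424"
    elif BSD_TIMESTAMP_RE.match(rest):
        framing = "rfc3164"
    else:
        framing = "pri-only"
    return {"framing": framing, "facility": FACILITIES[pri >> 3],
            "severity": SEVERITIES[pri & 7], "rest": rest}


def parse_alarm(rest):
    """Split '<timestamp> <tag>, key=value, ...' into its parts, or return None."""
    m = ALARM_RE.match(rest)
    if not m:
        return None
    fields = {}
    for kv in KV_RE.finditer(m.group(3)):
        quoted, bare = kv.group(2), kv.group(3)
        fields[kv.group(1)] = quoted if quoted is not None else bare.strip()
    return {"timestamp": m.group(1), "tag": m.group(2), "fields": fields}


def triage(payloads, keyword="alarmLog"):
    """One summary row per datagram: framing, priority, keyword hit, parsed alarm."""
    report = []
    for raw in payloads:
        info = classify(raw)
        alarm = parse_alarm(info["rest"]) if info["framing"] == "no-pri" else None
        priority = None
        if info["facility"] is not None:
            priority = "%s.%s" % (info["facility"], info["severity"])
        report.append({"framing": info["framing"], "priority": priority,
                       "keyword_present": keyword in info["rest"], "alarm": alarm})
    return report


# Constructed sample input: payload text re-typed from the tcpdump lines in the thread.
SAMPLES = [
    b'2018-03-19T23:49:48+0000 alarmLog, applianceName=Branch-UC1, '
    b'tenantName=DEMO-CORP, alarmType=sla-not-met, alarmSeqNo=1568, '
    b'alarmText="delay:9 msec", siteName=Branch-UC1',
    b"<22>Mar 19 23:50:26 SVL-remotehost-02 root: this is third test alarmLog",
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(json.dumps(row, sort_keys=True))
```

Both payloads contain the keyword, but only the second has a PRI and a BSD-style header; a sender reported as `no-pri` is one whose field boundaries the collector has to guess, so filters scoped to a single field deserve a check against the collector's own parsed output.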
On Tue, Mar 20, 2018 at 7:21 AM, Nagy, Gábor <gabor.nagy@balabit.com> wrote:
> Hi Asif!
> I think the problem with the first message comes from the message structure and the filter statement. Its structure does not conform to either syslog RFC standards (RFC3164 or RFC5424). Syslog-ng still tries to parse the log message by its internal heuristics and the "alarmLog" text is parsed as the 'program' field. You can debug syslog-ng parsing with the format-json template in the destination: `template("$(format-json -s syslog-proto)\n")`
> The output for this was: {"PROGRAM":"alarmLog,","PRIORITY":"notice","MESSAGE":"applianceName=Branch-UC1, tenantName=DEMO-CORP, alarmType=sla-not-met, alarmKey=INTERNET, generateTime=1521503387, applianceId=1, vsnId=0, tenantId=2, alarmCause=datapathState, alarmClearable=yes, alarmClass=cleared, alarmKind=symptom, alarmEventType=equipmentAlarm, alarmSeverity=cleared, alarmOwner=tenant, alarmSeqNo=1568, alarmText=delay:9 msec, siteName=Branch-UC1","HOST":"+0000","FACILITY":"user","DATE":"Mar 13 23:49:48"}
> The filter statement uses the `match()` filter which works on both the header and message part of the log message and thus would match for the first log message if the `value("MESSAGE")` part would not be there. With that you restricted the filter to match only on the message part. If you remove the value("MESSAGE") from the filter statement it will work.

That was it. It is working now!!

BTW, is there a way to generate a feed a pcap to some program on the terminal to generate a json formatted output like this short of modifying the syslog-ng config for destination to a template like you are showing?

Thanks for your help and I see the logs being written to the file now!

> Regards, Gabor
-- Asif Iqbal
Hi!

You're welcome. Well, I don't know a command line tool to convert a pcap file to a json output by experience. From what I saw searching, tshark should be able to do it.

On Tue, Mar 20, 2018 at 3:23 PM, Asif Iqbal <vadud3@gmail.com> wrote:
> That was it. It is working now!!
> BTW, is there a way to generate a feed a pcap to some program on the terminal to generate a json formatted output like this short of modifying the syslog-ng config for destination to a template like you are showing?
> Thanks for your help and I see the logs being written to the file now!
On Tue, Mar 20, 2018 at 10:23 AM, Asif Iqbal <vadud3@gmail.com> wrote:
> That was it. It is working now!!

With global option keep_hostname(no) and use_dns(yes), I get the host A record gets prepended to the log.

But I like to have the hostname of the client prepended instead, which is not same as the dns A name of the client

I have about 40 clients in this group

If I use keep_hostname(yes), it provides no hostname at all, probably because of these syslogs do not conform with syslog RFC standard?

source s_alarm { udp( port(514) keep_hostname(yes) ); };
destination d_alarm { file("/var/log/alarms.log"); };
filter f_alarm { match("alarmLog" value("PROGRAM")); };
log { source(s_alarm); filter(f_alarm); destination(d_alarm); };

faxmodem (from #syslog-ng) gave me a few options like using local /etc/hosts for lookup or using a metadata[1] from external file. That feature, looks like, introduced on version 3.8. I am running latest centos 7 with syslog-ng version 3.5.6.

Is there an easy way to prepend the actual hostname of the client?

Thanks for your help

[1] https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-n...

> BTW, is there a way to generate a feed a pcap to some program on the terminal to generate a json formatted output like this short of modifying the syslog-ng config for destination to a template like you are showing?
> Thanks for your help and I see the logs being written to the file now!
-- Asif Iqbal
Hi Asif,

If you need add-contextual-data can you upgrade using one of our unofficial binaries maybe? https://syslog-ng.com/blog/installing-latest-syslog-ng-on-rhel-and-other-rpm-distributions/#_ga=2.60852911.24278624.1521459042-804758321.1501593964

Can you describe your use case with examples, please?

Even if you set keep-hostname to 'yes' and message doesn't contain a hostname, syslog-ng will add a hostname/IP to the message depending on use-dns() option. See `keep-hostname` option in doc: https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-n...

Regards,
Gabor

On Wed, Mar 21, 2018 at 12:48 AM, Asif Iqbal <vadud3@gmail.com> wrote:
> With global option keep_hostname(no) and use_dns(yes), I get the host A record gets prepended to the log.
> But I like to have the hostname of the client prepended instead, which is not same as the dns A name of the client
> I have about 40 clients in this group
> If I use keep_hostname(yes), it provides no hostname at all, probably because of these syslogs do not conform with syslog RFC standard?
> source s_alarm { udp( port(514) keep_hostname(yes) ); };
> destination d_alarm { file("/var/log/alarms.log"); };
> filter f_alarm { match("alarmLog" value("PROGRAM")); };
> log { source(s_alarm); filter(f_alarm); destination(d_alarm); };
> faxmodem (from #syslog-ng) gave me a few options like using local /etc/hosts for lookup or using a metadata[1] from external file. That feature, looks like, introduced on version 3.8. I am running latest centos 7 with syslog-ng version 3.5.6.
> Is there an easy way to prepend the actual hostname of the client?
> Thanks for your help
> [1] https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/data-enrichment-add-contextual-data.html
On Wed, Mar 21, 2018 at 8:26 AM, Nagy, Gábor <gabor.nagy@balabit.com> wrote:
> Hi Asif,
> If you need add-contextual-data can you upgrade using one of our unofficial binaries maybe? https://syslog-ng.com/blog/installing-latest-syslog-ng-on-rhel-and-other-rpm-distributions/#_ga=2.60852911.24278624.1521459042-804758321.1501593964
> Can you describe your use case with examples, please?

My client hostname is svl-search-01 and its IP resolves to svl-remote-01. Its syslogs do not have any PRI or hostname in HOST field.

I like to have svl-search-01 in the HOST field.

> Even if you set keep-hostname to 'yes' and message doesn't contain a hostname, syslog-ng will add a hostname/IP to the message depending on use-dns() option. See `keep-hostname` option in doc: https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-options.html
> Regards, Gabor
-- Asif Iqbal
On Wed, Mar 21, 2018 at 09:46:32AM -0400, Asif Iqbal wrote:
> My client hostname is svl-search-01 and its IP resolves to svl-remote-01. Its syslogs do not have any PRI or hostname in HOST field.
> I like to have svl-search-01 in the HOST field.

In that case the only sensible options are:
* upgrade & use add-contextual-data
or
* use /etc/hosts and keep-hostname(no)
On Wed, Mar 21, 2018 at 9:58 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
> In that case the only sensible options are:
> * upgrade & use add-contextual-data
> or
> * use /etc/hosts and keep-hostname(no)

I noticed if I have multiple source files I only get logs from the last source only. Does that make sense?

source s_sys { file ("/proc/kmsg" program_override("kernel: ")); system(); internal(); udp(ip(0.0.0.0) port(514)); };
source s_udp { udp(ip(0.0.0.0) port(514)); };
source s_alarm { udp( ip(0.0.0.0) port(514) use_dns(persist_only) ); };
log { source(s_sys); filter(f_ciena); destination(d_ciena); };
log { source(s_alarm); filter(f_alarm); destination(d_alarm); };

As soon as I commented all the other sources and only kept the s_sys, I started getting logs again from those routers.
OK I verified. I cannot have two sources like this. Logs with source s_udp stop receiving data.

source s_udp { udp(ip(0.0.0.0) port(514)); };
source s_alarm { udp( ip(0.0.0.0) port(514) use_dns(persist_only) ); };

I need most sources to use the default use_dns(yes) and only a handful of sources with use_dns(persist_only). How do I configure that?
On Wed, Mar 21, 2018 at 3:49 PM, Asif Iqbal <vadud3@gmail.com> wrote:
> OK I verified. I cannot have two sources like this. Logs with source s_udp stop receiving data.
> source s_udp { udp(ip(0.0.0.0) port(514)); };
> source s_alarm { udp( ip(0.0.0.0) port(514) use_dns(persist_only) ); };

syslog-ng should report this issue at startup and not start. Did it do that properly?

> I need most sources to use the default use_dns(yes) and only a handful of sources with use_dns(persist_only).

You'd have to use separate ports or IPs for this to work.

> How do I configure that?
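One way to lay out the "separate ports" suggestion above, combined with the /etc/hosts and keep-hostname(no) option from earlier in the thread. This is an added example, not configuration from any poster or from the syslog-ng project; port 5514, the 192.0.2.10 address and the d_rest destination are assumptions made for the illustration.

```conf
@version: 3.5

options {
    keep-hostname(no);              # replace HOST with the name resolved for the sender
    dns-cache-hosts("/etc/hosts");  # file consulted by use-dns(persist_only)
};

# /etc/hosts on the collector needs one line per persist_only sender, e.g.
#   192.0.2.10   svl-search-01
# (192.0.2.10 is a documentation placeholder, not an address from the thread)

# Most senders: unchanged, default DNS resolution on the standard port.
source s_udp {
    udp(ip(0.0.0.0) port(514) use-dns(yes));
};

# The handful of senders that need the /etc/hosts name get their own listener.
# Two udp() sources cannot both bind 0.0.0.0:514, so this one uses another
# port (5514 is an arbitrary free port assumed for this example); those
# devices must be repointed to it.
source s_alarm {
    udp(ip(0.0.0.0) port(5514) use-dns(persist_only));
};

# No value("MESSAGE") restriction, as advised earlier in the thread.
filter f_alarm { match("alarmLog"); };

destination d_alarm { file("/var/log/alarms.log"); };
destination d_rest  { file("/var/log/remote.log"); };   # placeholder destination

log { source(s_alarm); filter(f_alarm); destination(d_alarm); };
log { source(s_udp); destination(d_rest); };
```

Running `syslog-ng --syntax-only` against the file before restarting catches syntax errors; a bind conflict between listeners only shows up when the daemon actually starts.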
On Tue, Mar 20, 2018 at 7:21 AM, Nagy, Gábor <gabor.nagy@balabit.com> wrote:
> Hi Asif!
> I think the problem with the first message comes from the message structure and the filter statement. Its structure does not conform to either syslog RFC standards (RFC3164 or RFC5424). Syslog-ng still tries to parse the log message by its internal heuristics and the "alarmLog" text is parsed as the 'program' field. You can debug syslog-ng parsing with the format-json template in the destination: `template("$(format-json -s syslog-proto)\n")`
> The output for this was: {"PROGRAM":"alarmLog,","PRIORITY":"notice","MESSAGE":"applianceName=Branch-UC1, tenantName=DEMO-CORP, alarmType=sla-not-met, alarmKey=INTERNET, generateTime=1521503387, applianceId=1, vsnId=0, tenantId=2, alarmCause=datapathState, alarmClearable=yes, alarmClass=cleared, alarmKind=symptom, alarmEventType=equipmentAlarm, alarmSeverity=cleared, alarmOwner=tenant, alarmSeqNo=1568, alarmText=delay:9 msec, siteName=Branch-UC1","HOST":"+0000","FACILITY":"user","DATE":"Mar 13 23:49:48"}

The issue came back after the client OS upgrade. Logs are coming in like this and filter f_versa { match("alarmLog"); }; does not seem to be catching it.

12:53:46.579473 IP 192.168.1.100.58708 > 192.168.100.1.514: [|syslog] E.....@.>......u.....T......2018-03-23T12:53:46+0000 alarmLog, applianceName=MCCOLLISTER-NEWARK-7091, tenantName=MCCOLLISTER, alarmType=nexthop-down, alarmKey=209.36.106.241|10, generateTime=1521838473, applianceId=1, vsnId=0, tenantId=2, alarmCause=causeOther, alarmClearable=yes, alarmClass=cleared, alarmKind=symptom, alarmEventType=equipmentAlarm, alarmSeverity=cleared, alarmOwner=tenant, alarmSeqNo=41, alarmText="Nexthop 209.36.106.241/INTERNET-Transport-VR is up.", siteName= e= -VR) is up",

I could not turn on debug, since I am receiving logs from 1000s of routers as well and logs are coming too fast to catch this issue.

Appreciate your help!

> The filter statement uses the `match()` filter which works on both the header and message part of the log message and thus would match for the first log message if the `value("MESSAGE")` part would not be there. With that you restricted the filter to match only on the message part. If you remove the value("MESSAGE") from the filter statement it will work.
> Regards, Gabor
Hi Asif!

There seems to be no problem with the log structure from the filter point of view. I have checked it and the match() filter matched the log message. I would recommend to debug it, e.g. in a separate environment.

Regards, Gabor

On Fri, Mar 23, 2018 at 3:19 PM, Asif Iqbal <vadud3@gmail.com> wrote:
> The issue came back after the client OS upgrade. Logs are coming in like this and filter f_versa { match("alarmLog"); }; does not seem to be catching it.
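A way to run the format-json check from this thread on a busy collector without turning on global debug, added here as an illustration and not part of the original messages: a dedicated log path that records the parsed fields of a single sender only. The sender address is the one visible in the capture above; the filter name, destination name and output path are assumptions.

```conf
@version: 3.5

source s_udp {
    udp(ip(0.0.0.0) port(514));
};

# Select one device by source address so the thousands of other routers
# never reach the debug file. 192.168.1.100 is the sender in the capture.
filter f_one_sender {
    netmask("192.168.1.100/32");
};

# Write every parsed field as JSON, one message per line, using the
# template quoted earlier in the thread. The output shows which macro
# (PROGRAM, HOST, MESSAGE, ...) ended up holding the "alarmLog" token.
destination d_parse_debug {
    file("/var/log/alarm-parse-debug.json"
         template("$(format-json -s syslog-proto)\n"));
};

# Separate log path: it runs alongside the production paths and does not
# change what they receive.
log {
    source(s_udp);
    filter(f_one_sender);
    destination(d_parse_debug);
};
```

Comparing the JSON written for a message that reaches alarms.log with one that does not shows whether the difference is in parsing or in the filter; remove the path afterwards so the debug file does not grow unbounded.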
participants (4)
- Asif Iqbal
- Fabien Wernli
- Nagy, Gábor
- Scheidler, Balázs