Howdy -- I am a syslog-ng newbie, and am setting it up for the first time. I would like to have logs for all my machines end up in the same files they have always ended up in (messages, cron, maillog, etc), so I have set up rules that so far seem to be handling this quite well :)

However, I want to make sure that there aren't any unlogged requests coming through, so I tried setting up a catchall statement. However, when I log something to local5.debug using logger (which there is no filter for), it doesn't end up in my "other" logfile. It just disappears as far as I can tell.

I tried pasting the whole config file inline, however Yahoo's editor screws up the formatting. So, I've posted the config file at http://www.muck.net/syslog-ng/syslog-ng-conf.txt and I will paste the relevant lines below (note I do not have a filter statement for catchall, should I? I wouldn't know how to do that).

    destination other { file("/var/log/other" owner(root) group(root) perm(0600) ); };
    log { source(src_local); source(src_network); destination(other); flags(fallback); };

Any help is greatly appreciated. :)
Doug Peterson said:
Any help is greatly appreciated. :)
I do this for one of my syslog-ng clients which forwards to the syslog-ng server through a firewall:

    options { long_hostnames(off); sync(0); };
    source src { unix-dgram("/dev/log"); unix-dgram("/etc/bind/dev/log"); internal(); };
    destination d_tcp { tcp("216.39.174.24" port(24350)); };
    filter all { level (debug..emerg); };
    log { source(src); filter(all); destination(d_tcp); };

it seems to catch everything ??

nate
Thanks Nate -- I'm not sure this applies to me though. While yes that catches all specified levels, I was hoping to utilize the fallback flag. My understanding is that the fallback flag takes anything that hasn't been logged up until the log statement in which the fallback flag is in, gets logged to whatever destination you specify.

Does the fallback flag do what I want? Also, I've read the descriptions of the "catchall" flag, but I don't fully understand it.. should I be using that instead?

Thanks!

BTW -- I'm using syslog-ng version 1.6.0rc1

--- nate <syslog-ng@aphroland.org> wrote:
Doug Peterson said:
Any help is greatly appreciated. :)
I do this for one of my syslog-ng clients which forwards to the syslog-ng server through a firewall:
    options { long_hostnames(off); sync(0); };
    source src { unix-dgram("/dev/log"); unix-dgram("/etc/bind/dev/log"); internal(); };
    destination d_tcp { tcp("216.39.174.24" port(24350)); };
    filter all { level (debug..emerg); };
    log { source(src); filter(all); destination(d_tcp); };
it seems to catch everything ??
On Thu, Apr 10, 2003 at 02:26:51PM -0700, Doug Peterson wrote:
Thanks Nate -- I'm not sure this applies to me though. While yes that catches all specified levels, I was hoping to utilize the fallback flag. My understanding is that the fallback flag takes anything that hasn't been logged up until the log statement in which the fallback flag is in, gets logged to whatever destination you specify.
Does the fallback flag do what I want? Also, I've read the descriptions of the "catchall" flag, but I don't fully understand it.. should I be using that instead?
Q: How can I filter messages so that only not-already-routed lines will be routed/filtered again?

A: This is a catchall statement, and should catch all messages which were not accepted any of the previous statements.

    log { source(src); filter(DEFAULT); destination(dst); };

<URL:http://www.campin.net/syslog-ng/faq.html#catchall>

Look at the "final" log flag to stop at that point/line and not log the message again.

<URL:http://www.balabit.com/products/syslog_ng/reference/logpath.html#AEN155>

--
Nate Campi http://www.campin.net
Q: How can I filter messages so that only not-already-routed lines will be routed/filtered again?
A: This is a catchall statement, and should catch all messages which were not accepted any of the previous statements.
log { source(src); filter(DEFAULT); destination(dst); };
Tried that already. It complained it couldn't parse it. I did not have a DEFAULT filter setup. Should I have? If so, what should it look like?
<URL:http://www.campin.net/syslog-ng/faq.html#catchall>

Read that. In fact, I think I've read everything on your site :)
Look at the "final" log flag to stop at that point/line and not log the message again.
<URL:http://www.balabit.com/products/syslog_ng/reference/logpath.html#AEN155>

I've read just about that entire DOC. However, I would really rather use flags(fallback) if possible. It sounds like that's perfect for what I'm trying to do. Am I way off base?

I apologize if I'm missing anything, but I've read just about anything I can get my hands on :)
On Thu, Apr 10, 2003 at 03:36:39PM -0700, Doug Peterson wrote:
Tried that already. It complained it couldn't parse it. I did not have a DEFAULT filter setup. Should I have? If so, what should it look like?
It's supposed to be magic from the looks of it, you don't need to define it. I have to admit I've never used it and relied on Bazsi's post about it for the entry in the FAQ.
<URL:http://www.campin.net/syslog-ng/faq.html#catchall>
Read that. In fact, I think I've read everything on your site :)
<bow>
I've read just about that entire DOC. However, I would really rather use flags(fallback) if possible. It sounds like that's perfect for what I'm trying to do. Am I way off base?
Fallback looks perfect, it would be the same as a catchall at the end, with no final flags in all the logs statements before it.

I don't see where you specified your syslog-ng version. If you run a version I have in production somewhere I'll test out your config file.

--
Nate Campi http://www.campin.net
<bow>
<applause> ;) Your site really is a wealth of information, I appreciate it quite a bit! (as I'm sure just about anyone else who is looking for a new logging solution does..)
Fallback looks perfect, it would be the same as a catchall at the end, with no final flags in all the logs statements before it.
Right -- flags(fallback) just seems cleaner to me.
I don't see where you specified your syslog-ng version. If you run a version I have in production somewhere I'll test out your config file.
syslog-ng 1.6.0rc1

Config: http://www.muck.net/syslog-ng/syslog-ng-conf.txt

(It didn't paste very well into Yahoo's text box, so I figured the web was a better solution).

Thanks Much! :)
A simple answer is to not have any filters and write a file until you are sure that nothing is missing, or better yet, create an inverse filter of all the other things you are filtering such that only what you may have missed would be written to the file.

Richard
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Nate Campi
Sent: Thursday, April 10, 2003 3:17 PM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Catch All Statement
On Thu, Apr 10, 2003 at 02:26:51PM -0700, Doug Peterson wrote:
Thanks Nate -- I'm not sure this applies to me though. While yes that catches all specified levels, I was hoping to utilize the fallback flag. My understanding is that the fallback flag takes anything that hasn't been logged up until the log statement in which the fallback flag is in, gets logged to whatever destination you specify.
Does the fallback flag do what I want? Also, I've read the descriptions of the "catchall" flag, but I don't fully understand it.. should I be using that instead?
Q: How can I filter messages so that only not-already-routed lines will be routed/filtered again?
A: This is a catchall statement, and should catch all messages which were not accepted any of the previous statements.
log { source(src); filter(DEFAULT); destination(dst); };
<URL:http://www.campin.net/syslog-ng/faq.html#catchall>
Look at the "final" log flag to stop at that point/line and not log the message again.
<URL:http://www.balabit.com/products/syslog_ng/reference/logpath.html#AEN155>

--
Nate Campi http://www.campin.net

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
On Thu, Apr 10, 2003 at 03:17:03PM -0700, Nate Campi wrote:
On Thu, Apr 10, 2003 at 02:26:51PM -0700, Doug Peterson wrote:
Thanks Nate -- I'm not sure this applies to me though. While yes that catches all specified levels, I was hoping to utilize the fallback flag. My understanding is that the fallback flag takes anything that hasn't been logged up until the log statement in which the fallback flag is in, gets logged to whatever destination you specify.
Does the fallback flag do what I want? Also, I've read the descriptions of the "catchall" flag, but I don't fully understand it.. should I be using that instead?
Q: How can I filter messages so that only not-already-routed lines will be routed/filtered again?
A: This is a catchall statement, and should catch all messages which were not accepted any of the previous statements.
log { source(src); filter(DEFAULT); destination(dst); };
this DEFAULT filter hack was present in 1.4.x and before, it was removed in the 1.5.x cycle. (and was replaced by the 'flags' feature)

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
this DEFAULT filter hack was present in 1.4.x and before, it was removed in the 1.5.x cycle. (and was replaced by the 'flags' feature)
That would explain why it didn't work ;) I can't get the flags(fallback) feature to work either. Nate said he would take a look at it if had it in production, but I haven't heard back from him.

Nate, did you get a chance to test my config?

Thanks Folks! :)
On Fri, Apr 11, 2003 at 12:22:12PM -0700, Doug Peterson wrote:
this DEFAULT filter hack was present in 1.4.x and before, it was removed in the 1.5.x cycle. (and was replaced by the 'flags' feature)
That would explain why it didn't work ;) I can't get the flags(fallback) feature to work either. Nate said he would take a look at it if had it in production, but I haven't heard back from him.
Nate, did you get a chance to test my config?
AFAICT, in 1.6.0rc2 the only flags that work are final and catchall. For the life of me I can't get fallback to work.

--
Nate Campi http://www.campin.net
--- Nate Campi <nate@campin.net> wrote:
Nate, did you get a chance to test my config?
AFAICT, in 1.6.0rc2 the only flags that work are final and catchall. For the life of me I can't get fallback to work.
OK -- so is that on purpose? Any plans on fixing that? For now I'm just going to implement a series of final flags, but the fallback flag would sure be useful at some point :)

Thanks for trying that out for me. Now I know I'm not crazy and/or stupid ;)

TTYL!
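The workaround the thread settles on (a series of final flags, then an unfiltered statement last), with Richard's inverse-filter alternative shown in comments. This is an added example, not a config from the thread: only src_local, src_network and the "other" destination come from Doug's message; the source definitions, filter names and remaining destinations are assumed for illustration.

```conf
# Added example. Hypothetical names: f_cron, f_mail, f_messages, f_unrouted,
# d_cron, d_mail, d_messages. Source definitions are assumed, not Doug's.
source src_local   { unix-stream("/dev/log"); internal(); };
source src_network { udp(ip(0.0.0.0) port(514)); };

filter f_cron     { facility(cron); };
filter f_mail     { facility(mail); };
filter f_messages { level(info..emerg) and not facility(mail, authpriv, cron); };

destination d_cron     { file("/var/log/cron"); };
destination d_mail     { file("/var/log/maillog"); };
destination d_messages { file("/var/log/messages"); };
destination other      { file("/var/log/other" owner(root) group(root) perm(0600)); };

# Every routed class stops processing with flags(final). A message that must
# reach two files needs both destinations in the same statement, because
# nothing after a matching final statement sees it.
log { source(src_local); source(src_network);
      filter(f_cron); destination(d_cron); flags(final); };
log { source(src_local); source(src_network);
      filter(f_mail); destination(d_mail); flags(final); };
log { source(src_local); source(src_network);
      filter(f_messages); destination(d_messages); flags(final); };

# Must remain the last log statement. It has no filter, so it receives only
# what fell through above: here authpriv.* and anything at debug level.
log { source(src_local); source(src_network); destination(other); };

# Inverse-filter alternative: order-independent and needs no final flags,
# but the filter has to be updated whenever a new route is added. Use it
# INSTEAD of the unfiltered statement above, not together with it.
#
# filter f_unrouted { not filter(f_cron) and not filter(f_mail)
#                     and not filter(f_messages); };
# log { source(src_local); source(src_network);
#       filter(f_unrouted); destination(other); };

# Check after reload: `logger -p local5.debug test` should appear in
# /var/log/other and in none of the other files.
```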
participants (5): Balazs Scheidler, Doug Peterson, nate, Nate Campi, Richard E. Perlotto II