Re: [syslog-ng] E-mail alert from Syslog-NG! (Valdis.Kletnieks@vt.edu)
Dear Valdis,

Could OSSEC do the same thing as I want?

Thanks.

Regards,
Wilson Lai
System Engineer
IT Dept., SJM Office
Phone: (853)2978585
Mobile: (853)66506709
Email: wilsonlai@macausjm.com

-----Original Message-----
From: syslog-ng-request@lists.balabit.hu [mailto:syslog-ng-request@lists.balabit.hu]
Sent: Tuesday, October 09, 2007 6:00 PM
To: syslog-ng@lists.balabit.hu
Subject: syslog-ng Digest, Vol 30, Issue 6

Send syslog-ng mailing list submissions to
    syslog-ng@lists.balabit.hu

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.balabit.hu/mailman/listinfo/syslog-ng
or, via email, send a message with subject or body 'help' to
    syslog-ng-request@lists.balabit.hu

You can reach the person managing the list at
    syslog-ng-owner@lists.balabit.hu

When replying, please edit your Subject line so it is more specific than "Re: Contents of syslog-ng digest..."

Today's Topics:

   1. Source-file not working (fabian marcos)
   2. Re: E-mail alert from Syslog-NG! (Valdis.Kletnieks@vt.edu)
   3. Re: Trying to build RPM (Balazs Scheidler)
   4. Re: Source-file not working (Balazs Scheidler)

----------------------------------------------------------------------

Message: 1
Date: Mon, 8 Oct 2007 03:09:50 -0700 (PDT)
From: fabian marcos <ositoll@yahoo.com>
Subject: [syslog-ng] Source-file not working
To: syslog-ng@lists.balabit.hu
Message-ID: <255430.34734.qm@web50902.mail.re2.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi everyone,

I have a problem with a "source-file". Syslog-ng can't read my "source-file". I don't know why, please help me.
This is my simple syslog-ng.conf file (Vers- 1.6.11) on my Solaris 8 (Sparc.117350-16):

options { mark(600); sync(0); use_dns(yes); create_dirs(yes); };

source src_tail { file("/var/log/syslog-ng/mar"); internal(); };
source s_local { sun-streams("/dev/log" door("/etc/.syslog_door")); };

destination d_loghost_localhost {
    udp("10.10.10.48" port(514));
    file("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/localhost.log");
};

log { source(src_tail); source(s_local); destination(d_loghost_localhost); };

I can see on the remote central server log "10.10.10.48" that it is working with the internal messages:

15:11:50.193397 10.10.1.36.33055 > 10.10.10.48.syslog: udp 92 (DF)
0x0000 4500 0078 df47 4000 fd11 7ec5 0a0a 0124  E..x.G@...~....$
0x0010 0a0a 0a30 811f 0202 0064 9f5e 3c34 353e  ...0.....d.^<45>
0x0020 4f63 7420 2034 2031 353a 3131 3a35 3020  Oct..4.15:11:50.
0x0030 7372 635f 7461 696c 4061 7070 7331 6d6e  src_tail@testhos
0x0040 3120 7379 736c 6f67 2d6e 675b 3139 3933  t.syslog-ng[1993
0x0050 305d 0]

I made a test on the local server:

#logger -p local3.info test1

and I can see the message on tcpdump in the remote server:

15:22:58.946246 10.10.1.36.33318 > 10.10.10.48.syslog: udp 78 (DF)
0x0000 4500 006a 014e 4000 fd11 5ccd 0a0a 0124  E..j.N@...\....$
0x0010 0a0a 0a30 8226 0202 0056 852d 3c31 3538  ...0.&...V.-<158
0x0020 3e4f 6374 2020 3420 3135 3a32 323a 3538  >Oct..4.15:22:58
0x0030 2073 5f6c 6f63 616c 4061 7070 7331 6d6e  .s_local@testhos
0x0040 3120 6d61 7266 6162 6961 3a20 5b49 4420  t.marcos:.[ID.
0x0050 3730 70

The local file destination is writing only the internal() messages, but nothing about my file "/var/log/syslog-ng/mar":

#tail /var/log/syslog-ng/$YEAR.$MONTH.$DAY/localhost.log
Oct 4 15:22:54 src_tail@testhost syslog-ng[23738]: syslog-ng version 1.6.11 starting
Oct 4 15:32:54 src_tail@testhost syslog-ng[23738]: STATS: dropped 0

This test script is running:

while true; do date >> /var/log/syslog-ng/mar; sleep 5; done &

and it is writing every 5 seconds to my "source file", but I can see nothing on the remote host and nothing on the local host (root@testhost# snoop -d hme0 10.10.10.48) or in the local file.

root@testhost # ps -ef|grep syslog
root 28281     1  0   Sep 19 ?        0:00 /usr/sbin/syslogd
root 28310     1  1 16:09:21 ?        0:00 /usr/local/sbin/syslog-ng -f /etc/syslog-ng.conf
root@testhost # ls -la /var/log/syslog-ng/mar
-rwxrwxrwx   1 root     other      64042 Oct  4 16:09 /var/log/syslog-ng/mar

Can you help me?

Thanks in advance,
Marcos Fabian.

PS- Also, when I include the option "follow_freq(1)" in the syslog-ng.conf:

source s_tail { file("/var/log/apache/access.log" follow_freq(1) flags(no-parse)); };

I get the following error:

# /usr/local/sbin/syslog-ng -d -v /etc/syslog-ng.conf
syntax error at 10
Parse error reading configuration file, exiting. (line 10)
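The two captures in Marcos's message can be checked mechanically instead of by eye. The Python below is an added example for this thread, not code from the syslog-ng project or from anyone on the list: it rebuilds the packet bytes from the hex columns of an old-style `tcpdump -x` dump (the ASCII column is ignored, so the inconsistently anonymised host names in the posted dumps do not matter), strips the IPv4 and UDP headers, and decodes the leading syslog <PRI> into facility and severity. The two dump constants are the captures posted above, truncated where the post is; the function names and the dictionary layout are this example's own. Run against them it shows that the internal() message left the box as syslog.notice (PRI 45) and the `logger -p local3.info test1` message as local3.info (PRI 158), both to 10.10.10.48:514 with the UDP length tcpdump printed, so the forwarding path is carrying exactly what syslog-ng emitted and the silence is confined to the file() source.

```python
"""Decode syslog-over-UDP datagrams from `tcpdump -x` hex dumps and check their PRI.

Added example for this thread (not syslog-ng code). The dumps are the
captures posted above, re-typed as constants, truncated as posted.
"""
import re

# RFC 3164 facility and severity names; list index is the numeric code.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Posted capture of a syslog-ng internal() message.
INTERNAL_DUMP = r"""
0x0000 4500 0078 df47 4000 fd11 7ec5 0a0a 0124  E..x.G@...~....$
0x0010 0a0a 0a30 811f 0202 0064 9f5e 3c34 353e  ...0.....d.^<45>
0x0020 4f63 7420 2034 2031 353a 3131 3a35 3020  Oct..4.15:11:50.
0x0030 7372 635f 7461 696c 4061 7070 7331 6d6e  src_tail@testhos
0x0040 3120 7379 736c 6f67 2d6e 675b 3139 3933  t.syslog-ng[1993
0x0050 305d 0]
"""

# Posted capture of the `logger -p local3.info test1` message.
LOGGER_DUMP = r"""
0x0000 4500 006a 014e 4000 fd11 5ccd 0a0a 0124  E..j.N@...\....$
0x0010 0a0a 0a30 8226 0202 0056 852d 3c31 3538  ...0.&...V.-<158
0x0020 3e4f 6374 2020 3420 3135 3a32 323a 3538  >Oct..4.15:22:58
0x0030 2073 5f6c 6f63 616c 4061 7070 7331 6d6e  .s_local@testhos
0x0040 3120 6d61 7266 6162 6961 3a20 5b49 4420  t.marcos:.[ID.
0x0050 3730 70
"""

_HEX_WORD = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")
_PRI = re.compile(rb"^<(\d{1,3})>")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn old-style `tcpdump -x` lines (offset, up to eight 16-bit words,
    optional ASCII column) into raw packet bytes.

    Only the hex words are used. A full line is sliced to eight words, and a
    short (truncated) line stops at the first token that is not 2 or 4 hex
    digits, which is where the ASCII column begins.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].lower().startswith("0x"):
            continue
        for tok in tokens[1:9]:
            if not _HEX_WORD.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def udp_syslog_payload(packet: bytes) -> dict:
    """Parse the IPv4 and UDP headers and return the payload plus addressing."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # IP header length; 20 without options
    if packet[9] != 17:
        raise ValueError("IP protocol %d is not UDP" % packet[9])
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    udp = packet[ihl:ihl + 8]
    sport, dport, ulen = (int.from_bytes(udp[i:i + 2], "big") for i in (0, 2, 4))
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "udp_payload_len": ulen - 8,        # what tcpdump prints as "udp N"
        "payload": packet[ihl + 8:],        # shorter than ulen - 8 if the dump is cut
    }


def parse_pri(payload: bytes) -> dict:
    """Split the leading <PRI> of a BSD-syslog message into facility and severity."""
    m = _PRI.match(payload)
    if not m:
        raise ValueError("payload does not start with <PRI>")
    pri = int(m.group(1))
    if pri > 191:                           # 23 facilities * 8 + 7 is the maximum
        raise ValueError("PRI %d out of range" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "rest": payload[m.end():].decode("ascii", "replace"),
    }


def pri_of(facility: str, severity: str) -> int:
    """PRI that a `logger -p facility.severity` message should carry."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_capture(dump: str) -> dict:
    """Hex dump -> addressing fields plus decoded PRI, for checking a forwarding path."""
    info = udp_syslog_payload(hexdump_to_bytes(dump))
    info.update(parse_pri(info.pop("payload")))
    return info


if __name__ == "__main__":
    for name, dump in (("internal()", INTERNAL_DUMP), ("logger local3.info", LOGGER_DUMP)):
        r = decode_capture(dump)
        print("%-20s %s:%d -> %s:%d udp %d  <%d> = %s.%s  %r" % (
            name, r["src"], r["sport"], r["dst"], r["dport"], r["udp_payload_len"],
            r["pri"], r["facility"], r["severity"], r["rest"]))
```

The decoded PRI is the thing worth comparing against the sender's configuration: `pri_of("local3", "info")` is 158, which is what the second capture carries, so the `logger` test and the wire agree. Feeding `decode_capture()` a dump of a datagram from the file() source, once one appears, would show whether syslog-ng is parsing those `date` lines as syslog messages or re-framing them with a default priority.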