I am having some difficulty understanding filters. (syslog-ng 1.3.17)

I am trying to replicate Solaris's syslog.conf entry:

    *.err;kern.debug;daemon.notice;auth.err;news.none;user.none

As far as I can tell this translates to:

    filter filname { priority(panic, alert, crit, error) and not facility(user, news); };

which is also the same as:

    filter filname { priority(panic, alert, crit, error) and not facility(user) and not facility(news); };

kern doesn't seem to be logging at all... if I drop facility checking then kern logs.... Any thoughts?

Also I noticed that there is a range operator (..) but the above priority(panic, alert, crit, error) does not seem to be the same as priority(panic..error). Am I right in thinking that (..) is broken, or am I misunderstanding what (..) does?

--
Bradley Arlt   Email: arlt@cpsc.ucalgary.ca
               WWW: www.acs.ucalgary.ca/~bdarlt
-Eat well, sleep peacefully, drink lots, and ride like hell.
Updated to 1.3.17 and create_dirs() works great. I have run into a problem with the $PROGRAM macro coming from remote hosts. Here is a snippet of my conf:

    destination d_facility { file("/var/log/syslog-ng/$HOST/$YEAR/$MONTH/$DAY/$FACILITY" perm(0600)); };
    destination d_program { file("/var/log/syslog-ng/$HOST/$YEAR/$MONTH/$DAY/$PROGRAM" perm(0600)); };
    options { sync(0); use_dns(yes); create_dirs(yes); };
    log { source("src"); destination("d_facility"); };
    log { source("src"); destination("d_program"); };

The $PROGRAM expands as I would expect when receiving messages from the localhost, but when syslog-ng receives remote messages, $PROGRAM gets expanded to a file name (NULL) under the appropriate directory. However, remote messages get expanded correctly with the $FACILITY macro. Did I miss something here?

Chris Scheller
System/Network Administration
Network One Internet, inc.
http://www.networkone.net/
1.888.GOT-NET1
> options { sync(0); use_dns(yes); create_dirs(yes); };
> log { source("src"); destination("d_facility"); };
> log { source("src"); destination("d_program"); };
>
> The $PROGRAM expands as I would expect when receiving messages from the localhost, but when syslog-ng receives remote messages, $PROGRAM gets expanded to a file name (NULL) under the appropriate directory. However, remote messages get expanded correctly with the $FACILITY macro. Did I miss something here?

Could you please provide some more context? What is the message which triggers the PROGRAM expansion bug?

--
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
There is no specific message which triggers it. I was just going through the last few days of logs and it appears that any syslog message coming remotely doesn't get processed via the $PROGRAM macro. Example: pppd, named, chat, ntpdate, sshd all get logged into the file (NULL). However, messages coming from remote hosts get the $FACILITY macro applied correctly. Do you want to see my logs? My conf? What else would you like to see so I can be more helpful?

Chris Scheller
System/Network Administration
Network One Internet, inc.
http://www.networkone.net/
1.888.GOT-NET1

On Mon, 21 Feb 2000, Balazs Scheidler wrote:
> > options { sync(0); use_dns(yes); create_dirs(yes); };
> > log { source("src"); destination("d_facility"); };
> > log { source("src"); destination("d_program"); };
> >
> > The $PROGRAM expands as I would expect when receiving messages from the localhost, but when syslog-ng receives remote messages, $PROGRAM gets expanded to a file name (NULL) under the appropriate directory. However, remote messages get expanded correctly with the $FACILITY macro. Did I miss something here?
>
> Could you please provide some more context? What is the message which triggers the PROGRAM expansion bug?
>
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> http://lists.balabit.hu/mailman/listinfo/syslog-ng
On Mon, Feb 21, 2000 at 11:34:25AM -0800, Chris Scheller wrote:
> There is no specific message which triggers it. I was just going through the last few days of logs and it appears that any syslog message coming remotely doesn't get processed via the $PROGRAM macro. Example: pppd, named, chat, ntpdate, sshd all get logged into the file (NULL). However, messages coming from remote hosts get the $FACILITY macro applied correctly. Do you want to see my logs? My conf? What else would you like to see so I can be more helpful?

A single message which was written to the file (NULL) would help. I tried the same locally, but $PROGRAM was expanded correctly.

--
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
Here are the last 3 lines of the (NULL) file...

    Feb 21 15:53:56 floyd/floyd sshd[12597]: Accepted password for red from 209.144.112.109 port 1050
    Feb 21 15:54:01 floyd/floyd su[12608]: + pts/2 red-root
    Feb 21 16:00:07 floyd/floyd ntpdate[12633]: adjust time server 209.144.112.3 offset 0.094803 sec

Chris Scheller
System/Network Administration
Network One Internet, inc.
http://www.networkone.net/
1.888.GOT-NET1

On Mon, 21 Feb 2000, Balazs Scheidler wrote:
> On Mon, Feb 21, 2000 at 11:34:25AM -0800, Chris Scheller wrote:
> > There is no specific message which triggers it. I was just going through the last few days of logs and it appears that any syslog message coming remotely doesn't get processed via the $PROGRAM macro. Example: pppd, named, chat, ntpdate, sshd all get logged into the file (NULL). However, messages coming from remote hosts get the $FACILITY macro applied correctly. Do you want to see my logs? My conf? What else would you like to see so I can be more helpful?
>
> A single message which was written to the file (NULL) would help. I tried the same locally, but $PROGRAM was expanded correctly.
> Feb 21 15:53:56 floyd/floyd sshd[12597]: Accepted password for red from 209.144.112.109 port 1050
> Feb 21 15:54:01 floyd/floyd su[12608]: + pts/2 red-root
> Feb 21 16:00:07 floyd/floyd ntpdate[12633]: adjust time server 209.144.112.3 offset 0.094803 sec

I couldn't reproduce the problem. It worked great here, and created the files as needed.

--
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
Hello!

I have the exact same problem. I hadn't even thought of using $PROGRAM until I read about it in this thread. So I whacked together a very short syslog-ng.conf for testing.

-------
    options { long_hostnames(off); sync(0); };
    source src { unix-stream("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); };
    destination d_program { file("/var/syslog/$HOST/$PROGRAM"); };
    destination d_facility { file("/var/syslog/$HOST/$FACILITY"); };
    log { source("src"); destination("d_facility"); };
    log { source("src"); destination("d_program"); };
-------

$HOST expands nicely but $PROGRAM and $FACILITY do not, unless the log message comes from the local machine. If the message is received via network everything ends up in "/var/syslog/$HOST/(NULL)".

Here is an extract from one of the (NULL) files.

    Feb 22 11:02:07 anarchy automount[13284]: running expiration on path /home
    Feb 22 11:02:07 anarchy automount[13284]: expired /home/fredrik
    Feb 22 11:02:07 anarchy automount[13284]: expired /home/fredrik
    Feb 22 11:02:07 anarchy automount[13284]: expired /home/www
    Feb 22 11:06:08 anarchy PAM_pwdb[13289]: (su) session opened for user news by (uid=9)
    Feb 22 11:06:08 anarchy PAM_pwdb[13289]: (su) session closed for user news
    Feb 22 11:07:07 anarchy automount[13334]: running expiration on path /home
    Feb 22 11:07:07 anarchy automount[13334]: expired /home/fredrik
    Feb 22 11:07:07 anarchy automount[13334]: expired /home/fredrik
    Feb 22 11:07:07 anarchy automount[13334]: expired /home/www
    Feb 22 11:08:32 anarchy logger: testing
    Feb 22 11:08:44 anarchy logger: testing again :-)
    Feb 22 11:10:03 anarchy sshd[13339]: log: Connection from 130.238.149.103 port 1021
    Feb 22 11:10:04 anarchy sshd[13339]: fatal: Connection closed by remote host.

/John

On Tue, 22 Feb 2000, Balazs Scheidler wrote:
> > Feb 21 15:53:56 floyd/floyd sshd[12597]: Accepted password for red from 209.144.112.109 port 1050
> > Feb 21 15:54:01 floyd/floyd su[12608]: + pts/2 red-root
> > Feb 21 16:00:07 floyd/floyd ntpdate[12633]: adjust time server 209.144.112.3 offset 0.094803 sec
>
> I couldn't reproduce the problem. It worked great here, and created the files as needed.
> I have the exact same problem. I hadn't even thought of using $PROGRAM until I read about it in this thread. So I whacked together a very short syslog-ng.conf for testing.

Thanks. I've found the problem; it's more a bug of the Linux syslogd than of syslog-ng, but I tried to hack a workaround. You'll have at least one problem with sendmail, which produces log lines like:

    IAA24582: from=<delphi@pc1.szechenyi-nkzsa.sulinet.hu>, size=2796, class=0, pri=32796, nrcpts=1, msgid=<BF40C17306@szechenyi-nkzsa.sulinet.hu>, proto=ESMTP, relay=elod.vein.hu [193.6.32.101]

when sent over the network. This means that each message has the mail ID as program name. You could work around this problem by trying to match a regexp to the above line and directing the sendmail log to a different destination.

--
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
So what you're saying is, if I were to run syslog-ng on all my hosts and have them log remotely, my problem would go away?

Chris Scheller
System/Network Administration
Network One Internet, inc.
http://www.networkone.net/
1.888.GOT-NET1

On Tue, 22 Feb 2000, Balazs Scheidler wrote:
> > I have the exact same problem. I hadn't even thought of using $PROGRAM until I read about it in this thread. So I whacked together a very short syslog-ng.conf for testing.
>
> Thanks. I've found the problem; it's more a bug of the Linux syslogd than of syslog-ng, but I tried to hack a workaround. You'll have at least one problem with sendmail, which produces log lines like:
>
>     IAA24582: from=<delphi@pc1.szechenyi-nkzsa.sulinet.hu>, size=2796, class=0, pri=32796, nrcpts=1, msgid=<BF40C17306@szechenyi-nkzsa.sulinet.hu>, proto=ESMTP, relay=elod.vein.hu [193.6.32.101]
>
> when sent over the network. This means that each message has the mail ID as program name. You could work around this problem by trying to match a regexp to the above line and directing the sendmail log to a different destination.
On Tue, Feb 22, 2000 at 09:30:15AM -0800, Chris Scheller wrote:
> So what you're saying is, if I were to run syslog-ng on all my hosts and have them log remotely, my problem would go away?

Yes. But newer sysklogds seem to fix the problem as well (that's why I couldn't reproduce it here); the one in Debian potato is OK, the slink one is buggy.

--
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
On Tue, 22 Feb 2000, Balazs Scheidler wrote:
> On Tue, Feb 22, 2000 at 09:30:15AM -0800, Chris Scheller wrote:
> > So what you're saying is, if I were to run syslog-ng on all my hosts and have them log remotely, my problem would go away?
>
> Yes. But newer sysklogds seem to fix the problem as well (that's why I couldn't reproduce it here); the one in Debian potato is OK, the slink one is buggy.

I use a recent potato and 1.3.17 still created the logfile as '(NULL)'... 1.4.0-rc2 seems OK.

endre
I just upgraded our logging host to 1.4.0rc2 and, out of about 50 or so hosts, none have created the (NULL) file. And being able to sort all these hosts with the macros is very cool.

Chris Scheller
System/Network Administration
Network One Internet, inc.
http://www.networkone.net/
1.888.GOT-NET1

On Tue, 22 Feb 2000, Hirling Endre wrote:
> On Tue, 22 Feb 2000, Balazs Scheidler wrote:
> > On Tue, Feb 22, 2000 at 09:30:15AM -0800, Chris Scheller wrote:
> > > So what you're saying is, if I were to run syslog-ng on all my hosts and have them log remotely, my problem would go away?
> >
> > Yes. But newer sysklogds seem to fix the problem as well (that's why I couldn't reproduce it here); the one in Debian potato is OK, the slink one is buggy.
>
> I use a recent potato and 1.3.17 still created the logfile as '(NULL)'... 1.4.0-rc2 seems OK.
>
> endre
Brad,

On Fri, 18 Feb 2000, Brad Arlt wrote:
[...]
> Also I noticed that there is a range operator (..) but the above priority(panic, alert, crit, error) does not seem to be the same as priority(panic..error). Am I right in thinking that (..) is broken, or am I misunderstanding what (..) does?

Try priority(panic .. error); I think that there MUST be spaces separating the ".." from the rest.

Markus

--
DPN Verbund-Zentrale        http://www.dpn.de/
Bismarckstr. 120            fon: +49 203 3093 101
D-47057 Duisburg            fax: +49 203 3093 112
Deutsches Provider Network  Markus.Warg@dpn.de
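Added example (not code from syslog-ng or from anyone in this thread): a Python model of the two questions the thread leaves open. For Brad's filter it parses the Solaris selector with the semantics syslog.conf actually has (facility.level means that level and everything more severe, so kern.debug passes every kern message and daemon.notice passes daemon at notice and above; .none drops a facility), compares the result with the priority(panic, alert, crit, error) and not facility(user, news) translation, and emits an equivalent syslog-ng filter using only the explicit list form of priority() that the thread confirms works, avoiding the (..) operator. For the $PROGRAM problem it extracts the program name from the TAG[pid]: part of a received line the way a BSD-syslog receiver does and handles the two failure modes discussed: a line with no parsable tag (the case that ends up as a (NULL) file name) and a sendmail line whose queue ID sits where the program name belongs, which is routed to a single name as Bazsi's regexp workaround suggests. Assumptions: the facility names for codes 12 to 15 follow syslog-ng's table, the sendmail queue-ID regexp is an approximation, and the sample lines are constructed, not taken from the logs quoted above.

```python
"""Added example: Solaris syslog.conf selectors vs. syslog-ng filters, and
$PROGRAM extraction from received BSD-syslog lines.  Not syslog-ng code."""
import re

# RFC 3164 codes: list index == numeric code.  Names for 12..15 follow
# syslog-ng's facility table (assumption; other syslogds name them differently).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEV_ALIAS = {"panic": "emerg", "error": "err", "warn": "warning"}  # syslog(3) spellings


def sev_code(name):
    return SEVERITIES.index(SEV_ALIAS.get(name, name))


def parse_solaris_selector(spec):
    """'*.err;kern.debug;news.none' -> {facility: least severe code still logged}.
    facility.level means that level AND everything more severe; a later entry
    overrides an earlier one for the same facility; '.none' drops the facility."""
    threshold = {}
    for sel in spec.split(";"):
        facs, level = sel.strip().rsplit(".", 1)
        for f in (FACILITIES if facs == "*" else facs.split(",")):
            if level == "none":
                threshold.pop(f, None)
            else:
                threshold[f] = sev_code(level)
    return threshold


def selector_matches(threshold, facility, severity):
    return facility in threshold and sev_code(severity) <= threshold[facility]


def brads_filter(facility, severity):
    """The translation proposed at the top of the thread, for comparison:
    priority(panic, alert, crit, error) and not facility(user, news)."""
    return sev_code(severity) <= sev_code("error") and facility not in ("user", "news")


def to_syslog_ng_filter(name, threshold):
    """Spell the selector as a syslog-ng filter using only the explicit
    priority(a, b, c) list form (no '..'), one term per threshold group."""
    by_level = {}
    for f, t in threshold.items():
        by_level.setdefault(t, []).append(f)
    terms = []
    for t in sorted(by_level, reverse=True):          # most permissive group first
        facs = "facility(%s)" % ", ".join(sorted(by_level[t], key=FACILITIES.index))
        if t == len(SEVERITIES) - 1:                  # '.debug': every priority passes
            terms.append(facs)
        else:
            terms.append("(%s and priority(%s))" % (facs, ", ".join(SEVERITIES[:t + 1])))
    return "filter %s { %s; };" % (name, " or ".join(terms))


# ---- $PROGRAM extraction: optional <PRI>, BSD timestamp, host, 'TAG[pid]: text'
LINE = re.compile(r"^(?:<(\d{1,3})>)?(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
TAG = re.compile(r"^([^\s:\[\]]+)(?:\[(\d+)\])?: ")
SENDMAIL_QID = re.compile(r"^[A-Z]{3}\d{5}$")   # assumption: sendmail 8 queue IDs like IAA24582


def parse_line(line):
    m = LINE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri = int(m.group(1)) if m.group(1) else 13       # no <PRI>: user.notice, as syslogd assumes
    rest = m.group(4)
    t = TAG.match(rest)
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "host": m.group(3),
            "program": t.group(1) if t else None,     # None is what turns into '(NULL)' in a path
            "pid": int(t.group(2)) if t and t.group(2) else None,
            "message": rest[t.end():] if t else rest}


def program_for_path(parsed):
    """Value to substitute for $PROGRAM in a file() path: no parsable tag
    gets a fixed name instead of '(NULL)', and a sendmail queue ID in the
    tag position is collapsed to 'sendmail' (the regexp-and-reroute workaround)."""
    p = parsed["program"]
    if p is None:
        return "unparsed"
    if parsed["facility"] == "mail" and SENDMAIL_QID.match(p):
        return "sendmail"
    return p


# Constructed sample lines (not taken from anyone's real logs).
SAMPLE = [
    "<38>Feb 21 15:53:56 floyd sshd[12597]: Accepted password for red from 203.0.113.9 port 1050",
    "<22>Feb 22 11:08:32 anarchy IAA24582: from=<user@mail.example>, size=2796, class=0, nrcpts=1",
    "<13>Feb 22 11:08:32 anarchy logger: testing",
    "<0>Feb 22 11:09:00 anarchy kernel panic - not syncing",
]

if __name__ == "__main__":
    thr = parse_solaris_selector("*.err;kern.debug;daemon.notice;auth.err;news.none;user.none")
    print(to_syslog_ng_filter("f_solaris", thr))
    for fac, sev in (("kern", "debug"), ("daemon", "notice"), ("mail", "warning")):
        print("%s.%s selector=%s brad=%s" % (fac, sev, selector_matches(thr, fac, sev), brads_filter(fac, sev)))
    for line in SAMPLE:
        p = parse_line(line)
        print("%s/%s -> %s" % (p["host"], p["facility"], program_for_path(p)))
```

Running it prints the generated filter (kern alone, daemon down to notice, everything else except news and user down to err) and shows that kern.debug and daemon.notice messages pass the Solaris selector but not the priority(panic, alert, crit, error) translation, which is consistent with kern "not logging at all" in the first message. The sendmail sample comes out with program IAA24582, exactly the mail-ID-as-program case Bazsi describes, and the tagless kernel line comes out with no program at all.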
participants (6)
- Balazs Scheidler
- Brad Arlt
- Chris Scheller
- Hirling Endre
- John Källström
- Markus Warg