Hi,

We run a rather large network, and are looking at running a secured machine for syslog, running syslog-ng hopefully.

Obviously, we want to separate out the log files for each host. Due to the number of hosts, this looks most easily done with the latest beta having the $HOST variable. So it's syslog-ng 1.3.6 on debian running 2.2.12.

I made a rough fast configuration (see below). The idea is that the files end up in /syslog/hostname/file. Now, I've turned long_hostnames(on) which I guessed (docs are rather vague on most things) would make it use long host names for comparisons.

To test, I didn't create the /syslog/name directories, and ran syslog-ng -d -v and it came up with "unable to open /syslog/max1/debug". Obviously this is incorrect as I wanted it to have a long host name.

I thought the obvious method here is to just remove hostnames altogether, and use IP addresses (we use IPs for all radius related stuff, to stop DNS dependency). So I remove resolv.conf and restart it with syslog-ng -d -v, this time it comes up with "unable to open /syslog/1.1.1.1/debug" which is fine.

So I create the directory 1.1.1.1 and restart the daemon, now it comes up with "unable to write to /syslog/1.1.1.1/debug, its a directory". I switch the names back on and try, and it writes the file fine under /syslog/max1/debug. Turn names off again, and once again it will not write the file.

Any ideas? Or is this a bug that may be fixed soon =) The program looks great from where I am standing, if I could sort out this problem.

My other annoyance is that it does partial name matches, unless there is some way to turn this off that I haven't come across. Even with IP addresses, using host(1.1.1.1) matches 1.1.1.1 and 1.1.1.10, 100, 101 etc etc.

Any help greatly appreciated.
--- Nigel Bovey IHUG Network Operations Team
--------------------------------------------------------------------------
options { long_hostnames(on); sync(0); };

source src { unix-stream("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); };

# filters
filter f_auth { facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };   # the posted config had facility(cron) here, a copy-paste slip
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn); };
filter f_emergency { level(emerg); };

# destinations
destination auth { file("/syslog/$HOST/auth"); };
destination cron { file("/syslog/$HOST/cron"); };
destination daemon { file("/syslog/$HOST/daemon"); };
destination kern { file("/syslog/$HOST/kern"); };
destination lpr { file("/syslog/$HOST/lpr"); };
destination mail { file("/syslog/$HOST/mail"); };
destination user { file("/syslog/$HOST/user"); };
destination uucp { file("/syslog/$HOST/uucp"); };
destination news { file("/syslog/$HOST/news"); };
destination debug { file("/syslog/$HOST/debug"); };
destination emergency { file("/syslog/$HOST/emergency"); };
destination messages { file("/syslog/$HOST/messages"); };

# log statements
log { source(src); filter(f_auth); destination(auth); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_news); destination(news); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(emergency); };
last i heard the macro expansion is not able to create directories, just files. Which is why you are seeing the errors you are.

Chris Scheller
Network One Internet, inc. http://www.networkone.net/
System/Network Administration 1.888.GOT-NET1

On Thu, 9 Dec 1999, Nigel Bovey wrote:
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu http://lists.balabit.hu/mailman/listinfo/syslog-ng
On Wed, 8 Dec 1999, Chris Scheller wrote:
last i heard the macro expansion is not able to create directories, just files. Which is why you are seeing the errors you are.
Which would make sense, if I hadn't created the directories. But seeing as I had, it doesn't make sense =)

--- Nigel Bovey IHUG Network Operations Team
are you still using destination auth { file("/syslog/$HOST/auth"); }; as your entries? i would imagine that the $HOST entry needs to be replaced with the actual hostname, such as destination auth { file("/syslog/1.1.1.1/auth"); }; where you have created the dir 1.1.1.1

Chris Scheller
Network One Internet, inc. http://www.networkone.net/
System/Network Administration 1.888.GOT-NET1

On Thu, 9 Dec 1999, Nigel Bovey wrote:
On Wed, 8 Dec 1999, Chris Scheller wrote:
are you still using destination auth { file("/syslog/$HOST/auth"); };
Yes I am.
as your entries? i would imagine that the $HOST entry needs to be replaced with the actual hostname. such as
No, in the latest beta it automatically replaces $HOST with the host name or in this case, ip. Saves writing individual lines for all 500 odd hosts I need to log to this machine =)

--- Nigel Bovey IHUG Network Operations Team
We run a rather large network, and are looking at running a secured machine for syslog, running syslog-ng hopefully.
Obviously, we want to separate out the log files for each host. Due to the number of hosts, this looks most easily done with the latest beta having the $HOST variable. So it's syslog-ng 1.3.6 on debian running 2.2.12.
I made a rough fast configuration (see below). The idea is that the files end up in /syslog/hostname/file. Now, I've turned long_hostnames(on) which I guessed (docs are rather vague on most things) would make it use long host names for comparisons.
long_hostnames() means that each hop on which the message traverses gets added to the host field:

Message on host1, from source src: src@host1

As this message is forwarded to host2, the _source_ hostname is appended: src@host1/host1, then if it is again forwarded to host3: src@host1/host1/host2 and so on. This is needed if the message passes several firewalls. The $HOST macro always uses the first hostname.
To test, I didn't create the /syslog/name directories, and ran syslog-ng -d -v and it came up with "unable to open /syslog/max1/debug". Obviously this is incorrect as I wanted it to have a long host name.
I thought the obvious method here is to just remove hostnames altogether, and use IP addresses (we use IPs for all radius related stuff, to stop DNS dependency). So I remove resolv.conf and restart it with syslog-ng -d -v, this time it comes up with "unable to open /syslog/1.1.1.1/debug" which is fine.
So I create the directory 1.1.1.1 and restart the daemon, now it comes up with "unable to write to /syslog/1.1.1.1/debug, its a directory". I switch the names back on and try, and it writes the file fine under /syslog/max1/debug. Turn names off again, and once again it will not write the file.
Any ideas? Or is this a bug that may be fixed soon =) The program looks great from where I am standing, if I could sort out this problem.
If I understand correctly the above, if names can be resolved, everything works well. If they cannot, syslog-ng gives you "unable to write to file, because it's a directory"
My other annoyance is that it does partial name matches, unless there is some way to turn this off that I haven't come across. Even with IP addresses, using host(1.1.1.1) matches 1.1.1.1 and 1.1.1.10, 100, 101 etc etc.
You should use regular expressions here, host("^1\.1\.1\.1$") should match only 1.1.1.1.

I would disable DNS, and add all logging hosts to the /etc/hosts file, because otherwise syslog-ng may block on DNS lookups. Maybe I'll have to add an option to disable DNS lookups completely, because it may easily lead to DoS attacks.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
On Thu, 9 Dec 1999, Balazs Scheidler wrote:
long_hostnames() means that each hop on which the message traverses gets added to the host field:
Ahh ok, this makes complete sense now.
If I understand correctly the above, if names can be resolved, everything works well. If they cannot, syslog-ng gives you "unable to write to file, because it's a directory"
Yes, that is correct.
You should use regular expressions here, host("^1\.1\.1\.1$") should match only 1.1.1.1.
Noted. Didn't think to try regexp here.
I would disable DNS, and add all logging hosts to the /etc/hosts file, because otherwise syslog-ng may block on DNS lookups. Maybe I'll have to add an option to disable DNS lookups completely, because it may easily lead to DoS attacks.
I'll stick with IP based myself, as this makes it easier when using the $HOST variable for splitting. With domain names we could end up with a lot of dupes (eg max1.akl.ihug.co.nz, max1.chc.ihug.co.nz). The no DNS option would be appreciated as well when you have time.

--- Nigel Bovey IHUG Network Operations Team
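An added illustration, not code from the thread or from syslog-ng itself, of the two points settled above: host() takes a regular expression, so an unanchored host("1.1.1.1") also routes 1.1.1.10 and 1.1.1.100 into the wrong tree, and a $HOST split only works if the per-host directory exists before the file is opened. The sample messages and the route() function are constructed for this example; DNS is left off, so $HOST is the source address, as Nigel chose.

```python
import os
import re
import tempfile
# Constructed sample (addresses from the thread, text made up): (source address, facility, text).
SAMPLE = [
    ("1.1.1.1", "auth", "login: ROOT LOGIN on tty1"),
    ("1.1.1.10", "auth", "login: nigel on ttyS0"),
    ("1.1.1.100", "daemon", "radiusd: started"),
    ("1.1.1.101", "kern", "eth0: link up"),
]

def host_matches(pattern, host):
    """Mimic syslog-ng's host() filter: the argument is a regular expression
    searched anywhere in the host field. Unanchored '1.1.1.1' therefore also
    hits 1.1.1.10, 1.1.1.100 and 1.1.1.101 (and, since '.' is a wildcard,
    anything like 1x1y1z1); '^1\\.1\\.1\\.1$' hits exactly 1.1.1.1."""
    return re.search(pattern, host) is not None

def matched_hosts(messages, pattern):
    """Hosts the filter would route, without touching the filesystem."""
    return sorted({addr for addr, _, _ in messages if host_matches(pattern, addr)})

def route(messages, root, pattern):
    """Deliver each matching message to root/$HOST/<facility>, creating the
    per-host directory first; syslog-ng 1.3.6's macro expansion only created
    the file, which is why a missing directory failed. Returns the hosts written."""
    hosts = set()
    for addr, facility, text in messages:
        host = addr  # DNS disabled, as in the thread, so $HOST is the address
        if not host_matches(pattern, host):
            continue
        hostdir = os.path.join(root, host)
        os.makedirs(hostdir, mode=0o750, exist_ok=True)
        with open(os.path.join(hostdir, facility), "a") as f:
            f.write(text + "\n")
        hosts.add(host)
    return hosts

def route_to_tempdir(pattern):
    """Run route() in a throwaway tree; returns (hosts written, files created)."""
    with tempfile.TemporaryDirectory() as root:
        hosts = route(SAMPLE, root, pattern)
        files = sorted(os.path.relpath(os.path.join(d, f), root)
                       for d, _, fs in os.walk(root) for f in fs)
    return hosts, files

if __name__ == "__main__":
    print("unanchored:", route_to_tempdir("1.1.1.1")[1])
    print("anchored:  ", route_to_tempdir(r"^1\.1\.1\.1$")[1])
```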