I am trying to setup a central log host and am having trouble getting events registered on the central server. It looks like the remote host does register with the central host but nothing shows in a log anywhere for it.

I really need another set of eyes on this as I cannot figure this out for the life of me and I need to get this going.

Here is the excerpt from /var/log/messages (cleaned on the ip numbers):

--------8<--------8<--------8<--------
Feb 18 14:19:45 sec5 syslog-ng[27866]: syslog-ng version 1.6.5 starting
Feb 18 14:19:45 sec5 syslog-ng[27866]: Changing permissions on special file /dev/tty12
Feb 18 14:24:00 sec5 syslog-ng[27866]: AF_INET client connected from 1.2.3.4, port 50378
--------8<--------8<--------8<--------

Here is the central loghost config file:

--------8<--------8<--------8<--------
options { long_hostnames(off); sync(0); stats(43200); dns_cache(yes); use_fqdn(no); keep_hostname(yes); use_dns(yes); };
source gateway { unix-stream("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); };
source tcpgateway { unix-stream("/dev/log"); internal(); tcp(ip(0.0.0.0) port(514) max_connections(1000)); };
destination hosts { file("/var/log/syslogs/$HOST/$FACILITY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
log { source(gateway); destination(hosts); };
log { source(tcpgateway); destination(hosts); };
--------8<--------8<--------8<--------

The remote host config file is:

--------8<--------8<--------8<--------
options { long_hostnames(off); sync(0); stats(43200); };
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
source gateway { unix-stream("/dev/log" max_connections(1000)); internal(); };
destination messages { file("/var/log/messages"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
destination shell { tcp("1.2.3.1" port(514)); };
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
log { source(gateway); destination(shell); };
--------8<--------8<--------8<--------

--
--------------------------
Ed Davison
Sr. Systems Analyst
McCombs School of Business
512-232-6620 voice
Any thoughts?

Ed

On Tue, 2005-02-22 at 16:10 -0600, Ed Davison wrote:
I am trying to setup a central log host and am having trouble getting events registered on the central server. It looks like the remote host does register with the central host but nothing shows in a log anywhere for it.
I really need another set of eyes on this as I cannot figure this out for the life of me and I need to get this going.
Here is the excerpt from /var/log/messages (cleaned on the ip numbers):
--------8<--------8<--------8<--------
Feb 18 14:19:45 sec5 syslog-ng[27866]: syslog-ng version 1.6.5 starting
Feb 18 14:19:45 sec5 syslog-ng[27866]: Changing permissions on special file /dev/tty12
Feb 18 14:24:00 sec5 syslog-ng[27866]: AF_INET client connected from 1.2.3.4, port 50378
--------8<--------8<--------8<--------
Here is the central loghost config file:
--------8<--------8<--------8<--------
options { long_hostnames(off); sync(0); stats(43200); dns_cache(yes); use_fqdn(no); keep_hostname(yes); use_dns(yes); };
source gateway { unix-stream("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); };
source tcpgateway { unix-stream("/dev/log"); internal(); tcp(ip(0.0.0.0) port(514) max_connections(1000)); };
destination hosts { file("/var/log/syslogs/$HOST/$FACILITY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
log { source(gateway); destination(hosts); };
log { source(tcpgateway); destination(hosts); };
--------8<--------8<--------8<--------
The remote host config file is:
--------8<--------8<--------8<--------
options { long_hostnames(off); sync(0); stats(43200); };
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
source gateway { unix-stream("/dev/log" max_connections(1000)); internal(); };
destination messages { file("/var/log/messages"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
destination shell { tcp("1.2.3.1" port(514)); };
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
log { source(gateway); destination(shell); };
--------8<--------8<--------8<--------

--
--------------------------
Ed Davison
Sr. Systems Analyst
McCombs School of Business
512-232-6620 voice
On Mon, Feb 28, 2005 at 12:15:54PM -0600, Ed Davison wrote:
Any thoughts?
Here's some thoughts, don't duplicate sources in your source{} (unix-stream("/dev/log"); and internal); directives, set up a source once and use it in multiple log{} statements.

Since you do that on your clients and server, it might be the cause of all your problems. I know that when I accidentally tried to use a TCP socket in multiple source{} statements it didn't work, so I assume it's the same with the unix-stream() and internal() sources.

Let the list know if this doesn't fix the problem.

--
Nate

"Fifty years of programming language research, and we end up with C++ ???" - Richard A. O'Keefe.
On Mon, 2005-02-28 at 21:53 -0800, Nate Campi wrote:
On Mon, Feb 28, 2005 at 12:15:54PM -0600, Ed Davison wrote:
Any thoughts?
Here's some thoughts, don't duplicate sources in your source{} (unix-stream("/dev/log"); and internal); directives, set up a source once and use it in multiple log{} statements.
Let the list know if this doesn't fix the problem.
Well, well, well ... I had no idea this would be a problem but when I dropped the extra source line all started logging on the remote host!

Seems like something that should be in the docs or in a faq somewhere.

Thanks!

--
--------------------------
Ed Davison
Sr. Systems Analyst
McCombs School of Business
512-232-6620 voice
On Wed, Mar 02, 2005 at 10:55:02AM -0600, Ed Davison wrote:
Well, well, well ... I had no idea this would be a problem but when I dropped the extra source line all started logging on the remote host!
Seems like something that should be in the docs or in a faq somewhere.
It doesn't seem to come up, but I'd bumped against it myself once so I was able to spot it. I think it belongs in the regular docs, Bazsi you agree?

--
Nate

"Morals are an acquirement - like music, like a foreign language, like piety, poker, paralysis - no man is born with them." - Samuel Clemens
On Wed, Mar 02, 2005 at 10:55:02AM -0600, Ed Davison wrote:
Seems like something that should be in the docs or in a faq somewhere.
Allrighty then...

http://www.campin.net/syslog-ng/faq.html#dupe_sources

--
Nate

"Few things are harder to put up with than the annoyance of a good example." - Pudd'nhead Wilson's Calendar(1894) - Samuel Clemens
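
Added example, not part of the thread and not syslog-ng code: a small Python check for the mistake diagnosed above, the same driver declared in more than one source{} block. The sample text is constructed from the remote-host config quoted in the thread; the function names and the FIXED_CONF layout (one source reused by every log{} statement) are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed input: source/log statements taken from the remote-host
# config quoted in the thread (destination definitions omitted).
REMOTE_CONF = '''
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
source gateway { unix-stream("/dev/log" max_connections(1000)); internal(); };
# By default messages are logged to tty12...
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
log { source(gateway); destination(shell); };
'''

# Assumed layout after the fix: one source, referenced by every log path.
FIXED_CONF = '''
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
log { source(src); destination(shell); };
'''

# Assumes source bodies hold no nested braces and no ';' or '#' inside strings.
SOURCE_BLOCK = re.compile(r'\bsource\s+([\w.-]+)\s*\{(.*?)\}\s*;', re.S)

def driver_key(stmt):
    """Identify a driver by its name plus the endpoint it opens (path or ip/port)."""
    name = re.match(r'[\w-]+', stmt).group(0)
    quoted = re.search(r'"([^"]*)"', stmt)
    if quoted:
        return f'{name}("{quoted.group(1)}")'
    opts = re.findall(r'\b(?:ip|port)\([^)]*\)', stmt)
    return f'{name}({" ".join(opts)})'

def duplicated_drivers(conf):
    """Return {driver: [source names]} for drivers declared in more than one source{}."""
    conf = re.sub(r'#.*', '', conf)  # drop comments before matching
    seen = defaultdict(list)
    for name, body in SOURCE_BLOCK.findall(conf):
        for stmt in filter(None, (s.strip() for s in body.split(';'))):
            key = driver_key(stmt)
            if name not in seen[key]:
                seen[key].append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == '__main__':
    for driver, sources in duplicated_drivers(REMOTE_CONF).items():
        print(f'{driver} is declared in sources: {", ".join(sources)}')
```

Run against the central loghost config from the thread, the same check reports unix-stream("/dev/log") and internal() under both gateway and tcpgateway, while the udp() and tcp() listeners are each declared once.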