Hi there, Damn. Too much of a hurry, missed the subject line the first time. On Wed, 1 Nov 2006 Nick Baronian wrote:
2. logs written twice (Nick Baronian)
I setup a syslog-ng server to get logs from various boxes and devices. I think I am a little confused about the correct way to set this up. I am seeing a lot of logs getting written twice.
Is there a way I can duplicate the name schema the remote box is using
I don't know exactly what you mean by that, and I don't think I'd know the answer if I did. :)
[snip]
filter pump_renewal { not program("pumpd") or not level(info,debug); };
filter imap_debug { not program("imapd") or not level(info,debug); };
filter ipop3_debug { not program("ipop3d") or not level(info,debug); };
filter sshd_debug { not program("sshd") or not level(debug); };
filter f_attack_alert { match("attackalert"); };
filter f_ssh_login_attempt { program("sshd.*") and match("(Failed|Accepted)") and not match("Accepted (hostbased|publickey) for (root|zoneaxfr) from (10.4.3.1)"); };
[snip]
If I understand what you're trying to do, I don't think you're approaching this the right way at all. Think of a filter as being like a sieve. You keep what's filtered because you want it, you don't throw it away by 'filter'ing it out. Your filter 'sshd_debug' isn't being referenced at all, so it won't give you any output. If I wanted to see ssh debug messages (assuming that the ssh daemon was logging anything at the DEBUG level) then the filter I would use would be something like

filter f_sshd_debug { program("sshd") and level(debug); };
log { source(src); filter(f_sshd_debug); destination(whatever); };

The problem with using 'or' is that

not program("sshd") or not level(debug)

will give you stuff that ISN'T sshd if it also ISN'T debug. Check out De Morgan's theorem on the Web. If I've got the wrong end of the stick here, a flame to my personal email address is in order but one to the list isn't. :) -- 73, Ged.
Thanks Ged, I didn't see that and I am not sure how those lines slipped in there. I piece-mealed this conf from an old logging server I was asked to replace. I didn't notice them before. I will re-do the conf using the example conf and see what happens then.
Is there a way I can duplicate the name schema the remote box is using
I don't know exactly what you mean by that, and I don't think I'd know the answer if I did. :)
What I mean is if I have two boxes I want to log to this syslog-ng server, one is an old Unix box that is logging *.info;mail.none locally to /var/adm/syslog/syslog.log and the other is a RH Linux box that logs *.info;mail.none locally to /var/log/messages, is there a way the remote syslog-ng server can be configured to write the *.info;mail.none for the Linux box to a messages file and for logs it receives from the Unix box to a syslog.log file? My guess is that I could but not without a bunch of whacky rules that are dependent on each host. Nick
Okay I think I see my problem. Currently, I am getting the same messages logged to a couple of files. For instance, the localhost's log directory has the following in it:

-rw-r----- 1 root root 107 Nov 1 14:39 messages
-rw-r----- 1 root root 107 Nov 1 14:39 syslog

Both files contain the same messages in the log. I guess because of my filter lines the syslog file and the messages file are going to log a lot of the same stuff. Is this correct?

filter f_syslog { not facility(authpriv, mail) and not match(ppp.*LCP); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };
destination syslog { file("/u01/logs/$HOST/syslog"); };
destination messages { file("/u01/logs/$HOST/messages"); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_messages); destination(messages); };

Is this what most people do? Why not just remove the filter for the messages since the syslog kind of catches it all and the messages drops so little? If I don't want the same messages logged to both files I would need to remove one of the two filters, right? Thanks, Nick
On Wed, 01 Nov 2006 15:07:01 EST, Nick Baronian said:
filter f_syslog { not facility(authpriv, mail) and not match(ppp.*LCP); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };
Is this what most people do? Why not just remove the filter for the messages since the syslog kind of catches it all and the messages drops so little?
This would probably make more sense if you had more than 2 filter statements, and had ones for facility 'mail' and 'auth*'... Here's what you probably wanted (or something similar):

filter f_mail { facility(mail); };
filter f_auth { facility(auth) or facility(authpriv); };
filter f_syslog { not facility(authpriv, mail) and not match(ppp.*LCP); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };

The reasoning is that maillog and newslog can each be hundreds of meg or even gigabytes per day on a busy system, so you want those split out so if you're looking for a mail-related syslog msg, you can grep that one gigabyte file, but if you wanted anything else, you can save a lot of resources. seclog is separate because it probably wants mode 0600, while most logfiles can be 0644. I admit not understanding why you had a syslog and messages that were almost identical, unless the plan was to have them with different permissions, so different people could read them (in production, the biggest likely difference is that f_messages will catch all your LCP messages and f_syslog won't.)
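The two points the thread makes (the inverted 'or' filter Ged describes, and the overlap between f_syslog and f_messages that Nick and Valdis discuss) can be checked by modelling the filters over a handful of messages. This is an added example, not anything posted to the list or part of syslog-ng itself; the message records and their values are constructed, and the level ordering follows the standard syslog priorities.

```python
import re

# Standard syslog priority numbers; syslog-ng's level(info..warn) means every level between them.
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed sample messages, modelling what a syslog-ng source hands to the filters.
SAMPLE = [
    {"id": 1, "program": "sshd", "facility": "auth", "level": "info", "msg": "Accepted publickey for alice from 192.0.2.10"},
    {"id": 2, "program": "sshd", "facility": "auth", "level": "debug", "msg": "debug1: Forked child 4242"},
    {"id": 3, "program": "kernel", "facility": "kern", "level": "warning", "msg": "eth0: link is down"},
    {"id": 4, "program": "pppd", "facility": "daemon", "level": "info", "msg": "ppp0 LCP terminated by peer"},
    {"id": 5, "program": "sendmail", "facility": "mail", "level": "info", "msg": "stat=Sent"},
    {"id": 6, "program": "crond", "facility": "cron", "level": "debug", "msg": "running job"},
]

def sshd_debug_as_posted(m):
    """filter sshd_debug { not program("sshd") or not level(debug); } -- the original 'or' form."""
    return not m["program"] == "sshd" or not m["level"] == "debug"

def f_sshd_debug(m):
    """filter f_sshd_debug { program("sshd") and level(debug); } -- the corrected 'and' form."""
    return m["program"] == "sshd" and m["level"] == "debug"

def f_syslog(m):
    """filter f_syslog { not facility(authpriv, mail) and not match(ppp.*LCP); }"""
    return m["facility"] not in ("authpriv", "mail") and not re.search(r"ppp.*LCP", m["msg"])

def f_messages(m):
    """filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); }"""
    in_range = LEVELS["warning"] <= LEVELS[m["level"]] <= LEVELS["info"]
    return in_range and m["facility"] not in ("auth", "authpriv", "mail", "news")

def matching_ids(flt, msgs=SAMPLE):
    """Ids of the messages a filter lets through to its destination."""
    return {m["id"] for m in msgs if flt(m)}

def duplicated_ids(msgs=SAMPLE):
    """Messages both log statements write, i.e. what ends up in syslog AND messages."""
    return matching_ids(f_syslog, msgs) & matching_ids(f_messages, msgs)

if __name__ == "__main__":
    # The 'or' form keeps everything EXCEPT the one sshd debug line; the 'and' form keeps only it.
    print("posted sshd_debug keeps:", sorted(matching_ids(sshd_debug_as_posted)))
    print("fixed f_sshd_debug keeps:", sorted(matching_ids(f_sshd_debug)))
    print("written to both syslog and messages:", sorted(duplicated_ids()))
```

Run against the sample, the posted 'or' filter passes every message except the sshd debug line it was meant to select, and the kernel warning is the one record that lands in both syslog and messages while the LCP line reaches only messages, as Valdis notes.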
participants (3)
- G.W. Haywood
- Nick Baronian
- Valdis.Kletnieks@vt.edu