Hi All,

I have made changes in syslog-ng.conf to redirect logs coming from another server to some specified log file and in some format:

source s_external {
    udp(port(514));
};
source s_stunnel {
    tcp(ip(127.0.0.1) port(514));
};

destination s_external { file("/mydir/syslogs/$HOST_syslog.log" \
    owner(user) group(group) perm(0600) dir_perm(0700) create_dirs(yes));
};

destination s_stunnel { file("/mydir/syslogs/$HOST/syslog.log" \
    owner(user) group(group) perm(0600) dir_perm(0700) create_dirs(yes));
};

log { source(s_external); destination(s_external); };
log { source(s_stunnel); destination(s_stunnel); };

But my log file is being created with the name "syslog.log" and not as "<hostname/ip>_syslog.log", and the $HOST directory is not made either. What may be the issue?

Global options are:

options {
    long_hostnames(off);
    sync(0);
};

--
Regards.. Abhay Singh.. 91-98804-55587 Sr. Software Engineer. Robust Designs India Pvt Ltd. Bangalore

On Tuesday 20 April 2010 08:38:51 abhay singh wrote:
> Hi All,
>
> I have made changes in syslog-ng.conf to redirect logs coming from another
> server to some specified log file and in some format:
>
> source s_external {
>     udp(port(514));
> };
> source s_stunnel {
>     tcp(ip(127.0.0.1) port(514));
> };
>
> destination s_external { file("/mydir/syslogs/$HOST_syslog.log" \
>     owner(user) group(group) perm(0600) dir_perm(0700) create_dirs(yes));
> };
>
> destination s_stunnel { file("/mydir/syslogs/$HOST/syslog.log" \
>     owner(user) group(group) perm(0600) dir_perm(0700) create_dirs(yes));
> };
>
> log { source(s_external); destination(s_external); };
> log { source(s_stunnel); destination(s_stunnel); };
>
> But my log file is being created with the name "syslog.log" and not as
> "<hostname/ip>_syslog.log", and the $HOST directory is not made either.
> What may be the issue?
>
> Global options are:
>
> options {
>     long_hostnames(off);
>     sync(0);
> };

Your sources and destinations have the same name. That is not allowed.

Rename the destinations to d_<something>

--
Alan McKinnon Systems Engineer^W Technician Infrastructure Services Internet Solutions
+27 11 575 7585

I have made those changes and restarted the syslog services, but it is still not working. Now it's like this:

options {
    long_hostnames(off);
    sync(0);
    perm(0640);
    stats(3600);
    keep_hostname(yes);
};

source s_external {
    udp(port(514));
    #udp(ip("192.168.114.129") port(514));
    #udp(ip("0.0.0.0") port(514));
};

# Specific
source s_stunnel {
    tcp(ip("127.0.0.1") port(514) max-connections(1));
};

destination d_external { file("/data/extract/syslogs/$HOST_syslog.log" \
    owner(cubot) group(users) perm(0600) dir_perm(0700) create_dirs(yes)
    template("$DATE $FULLHOST $PROGRAM $TAG [$FACILITY.$LEVEL] $MESSAGE \n") );
};

destination d_stunnel { file("/data/extract/syslogs/$HOST/$HOST_syslog.log" \
    owner(cubot) group(users) perm(0600) dir_perm(0700) create_dirs(yes)
    template("$DATE $FULLHOST $PROGRAM $TAG [$FACILITY.$LEVEL] $MESSAGE \n") );
};

log { source(s_external); destination(d_external); };
log { source(s_stunnel); destination(d_stunnel); };

On Tue, Apr 20, 2010 at 1:55 PM, Alan McKinnon <Alan.McKinnon@is.co.za> wrote:
> Your sources and destinations have the same name. That is not allowed.
>
> Rename the destinations to d_<something>

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html

-- Regards.. Abhay Singh.. 91-98804-55587 Sr. Software Engineer. Robust Designs India Pvt Ltd. Bangalore

Hi,

Replace $HOST_syslog.log with $HOST-syslog.log and it will work. Syslog-ng seems to handle it wrongly if an underscore character comes after the macro name. Report a bug about it, please (https://bugzilla.balabit.com/)

-- pzolee

On Tue, 2010-04-20 at 12:38 +0200, Zoltán Pallagi wrote:
> Hi,
>
> Replace $HOST_syslog.log with $HOST-syslog.log and it will work. Syslog-ng
> seems to handle it wrongly if an underscore character comes after the macro
> name. Report a bug about it, please (https://bugzilla.balabit.com/)

this is not a bug, '_' is permitted in the name of a macro, thus $HOST_ is an - undefined - macro that syslog-ng expands to its value: nothing.

you should use ${HOST} if you want to use the '_'

This is the same as the UNIX shell behaviour btw.

--
Bazsi
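
A small lint for the pitfall described in the reply above, as an added example that is not part of the original thread or of syslog-ng: it scans the quoted strings of a configuration for unbraced $NAME tokens that are not known macros and proposes the braced form. The macro list is limited to names that appear on this page, the name-matching rule (letters, digits, underscore) is an assumption, and the sample configuration is constructed from the one posted in the thread.

```python
import re

# Macro names used on this page; a real syslog-ng build defines many more.
KNOWN_MACROS = {"HOST", "FULLHOST", "DATE", "PROGRAM", "TAG",
                "FACILITY", "LEVEL", "MESSAGE"}

# Assumption: an unbraced name is the longest run of letters, digits and
# underscores after '$', the shell-like rule described in the thread.
UNBRACED = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample, modelled on the configuration posted in the thread.
SAMPLE = r'''
destination d_external {
    file("/data/extract/syslogs/$HOST_syslog.log"
         template("$DATE $FULLHOST $PROGRAM $TAG [$FACILITY.$LEVEL] $MESSAGE \n"));
};
destination d_stunnel { file("/data/extract/syslogs/$HOST/$HOST_syslog.log"); };
destination d_fixed { file("/data/extract/syslogs/${HOST}_syslog.log"); };
'''

def suggest(name):
    """Split `name` into (longest known macro prefix, literal tail), or None."""
    for cut in range(len(name) - 1, 0, -1):
        if name[:cut] in KNOWN_MACROS:
            return name[:cut], name[cut:]
    return None

def lint(config):
    """Return (line_no, token, braced_fix) for each unbraced unknown macro."""
    findings = []
    for line_no, line in enumerate(config.splitlines(), 1):
        if line.lstrip().startswith("#"):   # skip commented-out statements
            continue
        for text in QUOTED.findall(line):
            for match in UNBRACED.finditer(text):
                name = match.group(1)
                if name not in KNOWN_MACROS:
                    hit = suggest(name)
                    fix = "${%s}%s" % hit if hit else None
                    findings.append((line_no, "$" + name, fix))
    return findings

if __name__ == "__main__":
    for line_no, token, fix in lint(SAMPLE):
        print(f"line {line_no}: {token} is not a known macro; did you mean {fix}?")
```

Run against a collector's configuration before a reload, a finding means the file() path will not contain the host name the author intended, so per-host logs end up somewhere other than where they are expected.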

Hi,

On Tue, Apr 20, 2010 at 12:15 PM, abhay singh <abhay.asingh@gmail.com> wrote:
> I have made those changes and restarted the syslog services, but it is
> still not working. Now it's like this:
>
> options {
>     long_hostnames(off);
>     sync(0);
>     perm(0640);
>     stats(3600);
>     keep_hostname(yes);
> };
>
> source s_external {
>     udp(port(514));
>     #udp(ip("192.168.114.129") port(514));
>     #udp(ip("0.0.0.0") port(514));
> };
>
> # Specific
> source s_stunnel {
>     tcp(ip("127.0.0.1") port(514) max-connections(1));
> };
>
> destination d_external { file("/data/extract/syslogs/$HOST_syslog.log" \
>     owner(cubot) group(users) perm(0600) dir_perm(0700) create_dirs(yes)
>     template("$DATE $FULLHOST $PROGRAM $TAG [$FACILITY.$LEVEL] $MESSAGE \n") );
> };
>
> destination d_stunnel { file("/data/extract/syslogs/$HOST/$HOST_syslog.log" \
>     owner(cubot) group(users) perm(0600) dir_perm(0700) create_dirs(yes)
>     template("$DATE $FULLHOST $PROGRAM $TAG [$FACILITY.$LEVEL] $MESSAGE \n") );
> };
>
> log { source(s_external); destination(d_external); };
> log { source(s_stunnel); destination(d_stunnel); };

Could you show a few logged lines? Which version of syslog-ng are you using?

$HOST should remain blank only when syslog-ng failed to parse the hostname part of the log. BTW it's better to use ${HOST} instead of plain $HOST, especially when there are no delimiters around the macro.

Regards,
Sandor

Hi,

I am using syslog-ng 1.6.8 and syslogd 1.4.1. A few lines from the logs are:

Apr 21 08:54:59 xxx.xxx.xxx.xxx zzziper 86 [local0.info] zzziper: 2010-04-21 08:59:58 - zzziperSA-2 - [yyy.yyy.yyy.yyy] a.rico(RD Employee)[Outlook WEB Access Spain, Network Connect VPN Users] - Web SSO: Authentication successful. Credential Used: UserUID: xxx, Username: xxx, BasicHash: XXXXXX, Auth Type: (2) BasicAuth, Cred Type: (1) Variable Credential, Target: zzz.zzz.zzz.zzz, Password: XXXXXX, Policy Auth: (2) BasicAuth, Cred Label: BA_Upg_6,

Apr 21 08:54:59 xxx.xxx.xxx.xxx zzziper 86 [local0.info] zzziper: 2010-04-21 08:59:58 - JuniperSA-2 - [yyy.yyy.yyy.yyy] a.rico(RD Employee)[Outlook WEB Access Spain, Network Connect VPN Users] - WebRequest completed, POLL to http://yyy.yyy.yyy.yyy//exchange/a.rico/Inbox from yyy.yyy.yyy.yyy result=207 sent=36 received=292 in 1 seconds

On Tue, Apr 20, 2010 at 4:10 PM, Sandor Geller <Sandor.Geller@morganstanley.com> wrote:
> Could you show a few logged lines? Which version of syslog-ng are you using?
>
> $HOST should remain blank only when syslog-ng failed to parse the hostname
> part of the log. BTW it's better to use ${HOST} instead of plain $HOST,
> especially when there are no delimiters around the macro.
>
> Regards,
> Sandor

-- Regards.. Abhay Singh.. 91-98804-55587 Sr. Software Engineer. Robust Designs India Pvt Ltd. Bangalore

participants (5)
- abhay singh
- Alan McKinnon
- Balazs Scheidler
- Sandor Geller
- Zoltán Pallagi