Not able to receive all syslog messages
Hi,

I have installed syslog-ng on a RHEL server as log host server for 250 routers and switches, but sometimes I receive messages and sometimes I don't. When I check it on another syslog server on Windows I receive the syslog messages without any problem.

Request to please review the syslog-ng config file and give some suggestions.

config file
-------------------------------------------------------------------------------------------------------------------------
# configuration file for syslog-ng, customized for remote logging
#
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };

# Local sources, filters and destinations are commented out
# If you want to replace sysklogd simply uncomment the following
# parts and disable sysklogd
#
# Local sources
#
#source s_local {
#        unix-dgram("/dev/log");
#        file("/proc/kmsg" log_prefix("kernel:"));
#};
#
# Local filters
#
#filter f_messages { level(info..emerg); };
#filter f_secure { facility(authpriv); };
#filter f_mail { facility(mail); };
#filter f_cron { facility(cron); };
#filter f_emerg { level(emerg); };
#filter f_spooler { level(crit..emerg) and facility(uucp, news); };
#filter f_local7 { facility(local7); };
#
# Local destinations
#
#destination d_messages { file("/var/log/messages"); };
#destination d_secure { file("/var/log/secure"); };
#destination d_maillog { file("/var/log/maillog"); };
#destination d_cron { file("/var/log/cron"); };
#destination d_console { usertty("root"); };
#destination d_spooler { file("/var/log/spooler"); };
#destination d_bootlog { file("/var/log/boot.log"); };
#
# Local logs - order DOES matter !
#
#log { source(s_local); filter(f_emerg); destination(d_console); };
#log { source(s_local); filter(f_secure); destination(d_secure); flags(final); };
#log { source(s_local); filter(f_mail); destination(d_maillog); flags(final); };
#log { source(s_local); filter(f_cron); destination(d_cron); flags(final); };
#log { source(s_local); filter(f_spooler); destination(d_spooler); };
#log { source(s_local); filter(f_local7); destination(d_bootlog); };
#log { source(s_local); filter(f_messages); destination(d_messages); };

# Remote logging
source s_remote {
        tcp(ip(0.0.0.0) port(514));
        udp(ip(0.0.0.0) port(514));
};
destination d_separatedbyhosts {
        file("/var/log/syslog-ng/$HOST/messages"
             owner("root") group("root") perm(0655) dir_perm(0744) create_dirs(yes));
};
log { source(s_remote); destination(d_separatedbyhosts); };
------------------------------------------------------------------------------------------------------------------------
Regards,
Add
Hello,

On Wed, Nov 10, 2010 at 9:04 AM, add gy <addyg420@yahoo.com> wrote:
> Hi,
>
> I have installed syslog-ng on a RHEL server as log host server for 250 routers and switches, but sometimes I receive messages and sometimes I don't. When I check it on another syslog server on Windows I receive the syslog messages without any problem.
First you should check that the messages actually reach the host syslog-ng is running on. I guess your devices are using UDP, otherwise with your config syslog-ng would reject a lot of incoming TCP connections because you haven't raised the default value of max_connections() for your tcp() source. The default setting of max_connections for tcp sources is 10.

When the logs reach your server and you're using UDP for the log transport then it could happen that the kernel is dropping the packets when the receive buffer is full. If you see significant log loss and syslog-ng doesn't complain about dropped logs in its log statistics then you should raise the size of the receive buffer using the so_rcvbuf() option.

Regards,
Sandor
Hi,

you might have to increase your UDP receive buffer (so_rcvbuf() option in syslog-ng) and the net.core.rmem_max option on your host, see http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...

Others have reported similar problems recently with the default UDP settings of RHEL, you might have run into the same issue.

Regards,
Robert

add gy wrote:
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
Dear All,

I am still suffering from the issue in syslog-ng. Can anyone please review my config file and tell me where exactly I need to make changes.

Regards,
Add

--- On Wed, 10/11/10, Fekete Robert <frobert@balabit.hu> wrote:

From: Fekete Robert <frobert@balabit.hu>
Subject: Re: [syslog-ng] Not able to recive all syslog messages
To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Date: Wednesday, 10 November, 2010, 2:52 PM
Hi,

Thanks for the reply. After making the changes I am still not able to receive messages. Is my config file OK, do I have to make any changes to it? Waiting for your help.

Regards,
Add

--- On Wed, 10/11/10, add gy <addyg420@yahoo.com> wrote:

From: add gy <addyg420@yahoo.com>
Subject: [syslog-ng] Not able to recive all syslog messages
To: syslog-ng@lists.balabit.hu
Date: Wednesday, 10 November, 2010, 1:34 PM
Hi,

I have also noted that I am only able to receive Info and Warning messages; I want to receive all messages from the devices. Please can anyone help and review the syslog config file.

Regards,
Add

--- On Wed, 10/11/10, add gy <addyg420@yahoo.com> wrote:

From: add gy <addyg420@yahoo.com>
Subject: [syslog-ng] Not able to recive all syslog messages
To: syslog-ng@lists.balabit.hu
Date: Wednesday, 10 November, 2010, 1:34 PM
Hi,

Try:

source s_remote {
        tcp(ip(0.0.0.0) port(514));
        # so_rcvbuf() is an option of the udp() driver itself, so it goes
        # inside the udp() parentheses, not as a separate statement
        udp(ip(0.0.0.0) port(514) so_rcvbuf(2097152));
};

and see if it improves your situation. But you should also:

- use tcpdump to verify that the messages actually arrive at your logserver
- probably increase the net.core.rmem_max parameter of your logserver (for example, to 1024000). See the Red Hat manuals for details on how to do this on your platform.

Robert

add gy wrote:
Hi,

Thanks for the reply Fekete. I tried it but no use, I still only receive INFO and WARNING messages, not able to receive debug and others.

Regards,
Add

--- On Thu, 11/11/10, Fekete Robert <frobert@balabit.hu> wrote:

From: Fekete Robert <frobert@balabit.hu>
Subject: Re: [syslog-ng] Not able to recive all syslog messages
To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Date: Thursday, 11 November, 2010, 2:30 PM
You should really provide proof that the messages actually reach your server.

1. run tcpdump/wireshark/snoop/whatever_else_you_prefer and show a few packets in decoded form
2. show the output of 'lsof -n -P -p <syslogngpid>' or 'netstat -l -n -p' so we could see that syslog-ng is listening on the right ports
3. run strace / truss syslog-ng to see what logs are arriving

Without this information nobody can help you.

On Thu, Nov 11, 2010 at 11:09 AM, add gy <addyg420@yahoo.com> wrote:
Hi,

Thanks Sandor for your reply, please find the outputs below.
------------------------------------------------------------------------
netstat -l -n -p
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      21589/syslog-ng
tcp        0      0 0.0.0.0:904             0.0.0.0:*               LISTEN      2842/rpc.statd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      3137/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2822/portmap
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      3055/vsftpd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      20707/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3111/sendmail: acce
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      3137/smbd
tcp        0      0 :::80                   :::*                    LISTEN      3175/httpd
tcp        0      0 :::22                   :::*                    LISTEN      3004/sshd
tcp        0      0 :::443                  :::*                    LISTEN      3175/httpd
udp   110400      0 0.0.0.0:514             0.0.0.0:*                           21589/syslog-ng
udp        0      0 0.0.0.0:898             0.0.0.0:*                           2842/rpc.statd
udp        0      0 0.0.0.0:901             0.0.0.0:*                           2842/rpc.statd
udp        0      0 172.16.1.200:137        0.0.0.0:*                           3141/nmbd
udp        0      0 202.138.117.51:137      0.0.0.0:*                           3141/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           3141/nmbd
udp        0      0 172.16.1.200:138        0.0.0.0:*                           3141/nmbd
udp        0      0 202.138.117.51:138      0.0.0.0:*                           3141/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           3141/nmbd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2822/portmap
udp        0      0 0.0.0.0:631             0.0.0.0:*                           20707/cupsd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     2104   1058/minilogd       /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     7998   3164/gpm            /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     8119   3205/xfs            /tmp/.font-unix/fs7100
unix  2      [ ACC ]     STREAM     LISTENING     6391   2960/acpid          /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     8197   3235/dbus-daemon-1  /var/run/dbus/system_bus_socket
------------------------------------------------------------------------
lsof -n -P -p 21589
COMMAND     PID USER   FD   TYPE DEVICE      SIZE    NODE NAME
syslog-ng 21589 root  cwd    DIR  253,0      4096       2 /
syslog-ng 21589 root  rtd    DIR  253,0      4096       2 /
syslog-ng 21589 root  txt    REG  253,0    140428 1884183 /sbin/syslog-ng
syslog-ng 21589 root  mem    REG  253,0     22524 6963247 /lib/libnss_dns-2.3.4.so
syslog-ng 21589 root  mem    REG  253,0    112212 6964079 /lib/ld-2.3.4.so
syslog-ng 21589 root  mem    REG  253,0   1543220 6964080 /lib/tls/libc-2.3.4.so
syslog-ng 21589 root  mem    REG  253,0     16748 6964083 /lib/libdl-2.3.4.so
syslog-ng 21589 root  mem    REG  253,0    214060 6964084 /lib/tls/libm-2.3.4.so
syslog-ng 21589 root  mem    REG  253,0    107928 6964081 /lib/tls/libpthread-2.3.4.so
syslog-ng 21589 root  mem    REG  253,0    505200 7813187 /usr/lib/libglib-2.0.so.0.400.7
syslog-ng 21589 root  mem    REG  253,0     81140 6964095 /lib/libresolv-2.3.4.so
syslog-ng 21589 root  mem    REG  253,0    101748 6964087 /lib/libnsl-2.3.4.so
syslog-ng 21589 root  mem    REG  253,0     28504 7809227 /usr/lib/libwrap.so.0.7.6
syslog-ng 21589 root  mem    REG  253,0     41392 7807119 /usr/lib/libevtlog.so.0.0.0
syslog-ng 21589 root  mem    REG  253,0    136308 7807107 /usr/lib/libdbi8.so.0.0.5
syslog-ng 21589 root  mem    REG  253,0     47420 6963250 /lib/libnss_files-2.3.4.so
syslog-ng 21589 root  mem    REG  253,0     50716 6964088 /lib/tls/librt-2.3.4.so
syslog-ng 21589 root  mem    REG  253,0     15440 7813189 /usr/lib/libgthread-2.0.so.0.400.7
syslog-ng 21589 root    0r   CHR    1,3              2174 /dev/null
syslog-ng 21589 root    1w   CHR    1,3              2174 /dev/null
syslog-ng 21589 root    2w   CHR    1,3              2174 /dev/null
syslog-ng 21589 root    3r  FIFO    0,7            600630 pipe
syslog-ng 21589 root    4w  FIFO    0,7            600630 pipe
syslog-ng 21589 root    5u  IPv4                   600631 TCP *:514 (LISTEN)
syslog-ng 21589 root    6u  IPv4                   600632 UDP *:514
syslog-ng 21589 root    7w   REG  253,0    166729 3654854 /var/log/syslog-ng.log
syslog-ng 21589 root    8u  IPv4                   601698 TCP 172.16.1.200:514->172.16.1.48:4189 (CLOSE_WAIT)
syslog-ng 21589 root    9w   REG  253,0 208821114 3752054 /var/log/syslog-ng/172.16.16.13/messages
syslog-ng 21589 root   10u   REG  253,0  42205502 3833896 /var/log/syslog-ng/MUM4S01LBF5640ISA02/messages
syslog-ng 21589 root   11u   REG  253,0     46530 6964157 /var/log/syslog-ng/172.16.16.19/messages
syslog-ng 21589 root   12w   REG  253,0      2123 7389223 /var/log/syslog-ng/172.16.16.212/messages
syslog-ng 21589 root   13u   REG  253,0    103030 6438998 /var/log/syslog-ng/1/messages
syslog-ng 21589 root   14w  IPv4                   601704 UDP 202.138.117.51:51455->202.138.96.2:53
syslog-ng 21589 root   19u   REG  253,0    102774 5259345 /var/log/syslog-ng/220.226.204.56/messages
------------------------------------------------------------------------
Some sample proof that the messages actually reach the server:

Nov 11 00:34:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:49:40 WARNING Farm Super_Trade_1.111 Server 10.65.X.X Port 80 TCP Is Not Responding
Nov 11 00:39:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:51:56 WARNING Farm RTrade_New_Feed_Test_10.25 Server 10.65.10.27 Port 80 TCP Is Not Responding
Nov 11 00:40:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:52:36 WARNING Farm Farm_10.20 Server 10.65.10.9 Port 80 TCP Is Not Responding
Nov 11 00:42:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:55:16 WARNING Farm Farm_10.20 Server 10.65.X.X Port 80 TCP Is Not Responding
Nov 11 00:47:47 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:59:36 INFO Farm Farm_3 Server 10.65.X.X Up
Nov 11 00:48:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:59:56 WARNING Farm Farm_4 Server 10.65.X.X Port 80 TCP Is Not Responding
Nov 11 01:09:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 01:23:16 INFO Farm Super_Trade_1.111 Server 10.65.X.X Up
Nov 11 07:30:28 172.16.32.219/172.16.32.219 AppDi11-11-2010 07:49:36 INFO Farm Farm_10.20 Server 10.65.X.X Up
------------------------------------------------------------------------
Please also review the config file. Thanks.

Regards,
Add
Hello,
> netstat -l -n -p
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      21589/syslog-ng
> udp   110400      0 0.0.0.0:514             0.0.0.0:*                           21589/syslog-ng
Ok, syslog-ng is listening on both UDP and TCP.
> lsof -n -P -p 21589
> COMMAND     PID USER   FD   TYPE DEVICE      SIZE    NODE NAME
[ cut ]
> syslog-ng 21589 root    3r  FIFO    0,7            600630 pipe
> syslog-ng 21589 root    4w  FIFO    0,7            600630 pipe
Just out of curiosity: what are these pipes? IIRC your config doesn't contain pipes at all.
> syslog-ng 21589 root    5u  IPv4                   600631 TCP *:514 (LISTEN)
> syslog-ng 21589 root    6u  IPv4                   600632 UDP *:514
> syslog-ng 21589 root    7w   REG  253,0    166729 3654854 /var/log/syslog-ng.log
> syslog-ng 21589 root    8u  IPv4                   601698 TCP 172.16.1.200:514->172.16.1.48:4189 (CLOSE_WAIT)
> syslog-ng 21589 root    9w   REG  253,0 208821114 3752054 /var/log/syslog-ng/172.16.16.13/messages
> syslog-ng 21589 root   10u   REG  253,0  42205502 3833896 /var/log/syslog-ng/MUM4S01LBF5640ISA02/messages
> syslog-ng 21589 root   11u   REG  253,0     46530 6964157 /var/log/syslog-ng/172.16.16.19/messages
> syslog-ng 21589 root   12w   REG  253,0      2123 7389223 /var/log/syslog-ng/172.16.16.212/messages
> syslog-ng 21589 root   13u   REG  253,0    103030 6438998 /var/log/syslog-ng/1/messages
> syslog-ng 21589 root   14w  IPv4                   601704 UDP 202.138.117.51:51455->202.138.96.2:53
> syslog-ng 21589 root   19u   REG  253,0    102774 5259345 /var/log/syslog-ng/220.226.204.56/messages
Looks like your server is a multihomed host...
> Some sample proof that the messages actually reach server
>
> Nov 11 00:34:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:49:40 WARNING Farm Super_Trade_1.111 Server 10.65.X.X Port 80 TCP Is Not Responding
> Nov 11 00:39:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:51:56 WARNING Farm RTrade_New_Feed_Test_10.25 Server 10.65.10.27 Port 80 TCP Is Not Responding
> Nov 11 00:40:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:52:36 WARNING Farm Farm_10.20 Server 10.65.10.9 Port 80 TCP Is Not Responding
> Nov 11 00:42:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:55:16 WARNING Farm Farm_10.20 Server 10.65.X.X Port 80 TCP Is Not Responding
> Nov 11 00:47:47 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:59:36 INFO Farm Farm_3 Server 10.65.X.X Up
> Nov 11 00:48:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:59:56 WARNING Farm Farm_4 Server 10.65.X.X Port 80 TCP Is Not Responding
> Nov 11 01:09:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 01:23:16 INFO Farm Super_Trade_1.111 Server 10.65.X.X Up
> Nov 11 07:30:28 172.16.32.219/172.16.32.219 AppDi11-11-2010 07:49:36 INFO Farm Farm_10.20 Server 10.65.X.X Up
I don't know the format the above messages are using but it looks like these logs all have either INFO or WARNING severity. You should check and reconfigure your devices to send all logs to syslog-ng.

Regards,
Sandor
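Added example, not part of the thread: a small Python script that applies the two checks Sandor makes by eye to the pasted outputs, confirming the port 514 listeners and tallying the severities of the sample messages. It also reports the UDP Recv-Q, because a receive queue that stays non-zero on the UDP socket (110400 bytes in the netstat output above) is the usual sign that datagrams arrive faster than syslog-ng reads them and are dropped once the socket buffer is full. The inline netstat and log lines are constructed from the thread's output.

```python
"""Added example: mechanical checks over the netstat and log output pasted in the thread."""
import re
from collections import Counter

# Constructed sample: the two port-514 lines from the thread's netstat output plus one other listener.
NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 21589/syslog-ng
udp 110400 0 0.0.0.0:514 0.0.0.0:* 21589/syslog-ng
udp 0 0 0.0.0.0:111 0.0.0.0:* 2822/portmap
"""

# Constructed sample: three of the device messages quoted in the thread.
LOG_SAMPLE = """\
Nov 11 00:34:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:49:40 WARNING Farm Super_Trade_1.111 Server 10.65.X.X Port 80 TCP Is Not Responding
Nov 11 00:47:47 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:59:36 INFO Farm Farm_3 Server 10.65.X.X Up
Nov 11 01:09:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 01:23:16 INFO Farm Super_Trade_1.111 Server 10.65.X.X Up
"""

SEVERITY_RE = re.compile(r"\b(DEBUG|INFO|NOTICE|WARNING|ERROR|CRITICAL|ALERT|EMERGENCY)\b")


def syslog_listeners(netstat_text, port=514):
    """Map protocol -> Recv-Q bytes for every socket bound to `port` in `netstat -lnp` output."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        if fields[3].rsplit(":", 1)[-1] == str(port):  # handles 0.0.0.0:514 and :::514
            found[fields[0]] = int(fields[1])  # Recv-Q is the second column
    return found


def severity_counts(log_text):
    """Count the severity keyword each device message carries (UNKNOWN if none)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = SEVERITY_RE.search(line)
        counts[match.group(1) if match else "UNKNOWN"] += 1
    return dict(counts)


def assess(netstat_text, log_text):
    """Return the findings a reviewer would raise from the two outputs."""
    listeners = syslog_listeners(netstat_text)
    counts = severity_counts(log_text)
    findings = []
    if not {"tcp", "udp"} <= set(listeners):
        findings.append("syslog-ng is not listening on both TCP and UDP 514")
    if listeners.get("udp", 0) > 0:  # bytes waiting in the kernel that syslog-ng has not read yet
        findings.append("UDP 514 Recv-Q is %d bytes: datagrams are queued faster than syslog-ng "
                        "reads them, and a full socket buffer drops the rest" % listeners["udp"])
    if "DEBUG" not in counts:
        findings.append("no DEBUG severity among %s: the devices' logging level, not the server, "
                        "limits what arrives" % sorted(counts))
    return findings
```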
On Friday, November 12, 2010 06:21:17 Sandor Geller wrote:
> Just out of curiosity: what are these pipes? IIRC your config doesn't contain pipes at all.
My guess without having time to read the source: they are probably used for connecting the master and slave syslog-ng processes for checking the status to keep syslog-ng running even if there are any crashes or errors.
> Regards, Sandor
-- Matthew Hall
Hi,

So what changes should I make in the syslog config file ???

Regards,
Add

--- On Fri, 12/11/10, Matthew Hall <mhall@mhcomputing.net> wrote:

> From: Matthew Hall <mhall@mhcomputing.net>
> Subject: Re: [syslog-ng] Not able to receive all syslog messages
> To: syslog-ng@lists.balabit.hu
> Cc: "Sandor Geller" <Sandor.Geller@morganstanley.com>
> Date: Friday, 12 November, 2010, 11:08 PM
>
> On Friday, November 12, 2010 06:21:17 Sandor Geller wrote:
> > Just out of curiosity: what are these pipes? IIRC your config doesn't contain pipes at all.
>
> My guess without having time to read the source: they are probably used for connecting the master and slave syslog-ng processes for checking the status to keep syslog-ng running even if there are any crashes or errors.
>
> > Regards, Sandor
>
> -- Matthew Hall
Probably just add @version 3.0 to the top of the configfile if you're running syslog-ng 3.x; only that version communicates with the supervisor process using pipes. This is just a cosmetic change to silence syslog-ng 3.x, otherwise it will complain about the configfile.

As I mentioned, your host doesn't even seem to receive the logs. As long as you don't see logs with DEBUG severity arriving at your server there is nothing to do on the server side. Did you check the logging settings on your other devices?

On Sat, Nov 13, 2010 at 11:45 AM, add gy <addyg420@yahoo.com> wrote:
> Hi,
>
> So what changes should I make in the syslog config file ???
>
> Regards,
> Add
>
> --- On Fri, 12/11/10, Matthew Hall <mhall@mhcomputing.net> wrote:
>
> > From: Matthew Hall <mhall@mhcomputing.net>
> > Subject: Re: [syslog-ng] Not able to receive all syslog messages
> > To: syslog-ng@lists.balabit.hu
> > Cc: "Sandor Geller" <Sandor.Geller@morganstanley.com>
> > Date: Friday, 12 November, 2010, 11:08 PM
> >
> > On Friday, November 12, 2010 06:21:17 Sandor Geller wrote:
> > > Just out of curiosity: what are these pipes? IIRC your config doesn't contain pipes at all.
> >
> > My guess without having time to read the source: they are probably used for
> > connecting the master and slave syslog-ng processes for checking the status
> > to keep syslog-ng running even if there are any crashes or errors.
> >
> > > Regards, Sandor
> >
> > -- Matthew Hall
Hi,

So what syslog-ng config changes should I make ???

Regards,
Add

--- On Wed, 10/11/10, add gy <addyg420@yahoo.com> wrote:

> From: add gy <addyg420@yahoo.com>
> Subject: [syslog-ng] Not able to receive all syslog messages
> To: syslog-ng@lists.balabit.hu
> Date: Wednesday, 10 November, 2010, 1:34 PM
>
> Hi,
>
> I have installed syslog-ng on a RHEL server as log host server for 250 routers and switches, but sometimes I receive messages and sometimes I don't; when I check on the other syslog server on Windows I receive the syslog messages without any problem. Request to please review the syslog-ng config file and give some suggestion.
>
> config file
> [ cut ]
>
> Regards,
> Add
participants (4)
- add gy
- Fekete Robert
- Matthew Hall
- Sandor Geller