Hallo, I'm trying to configure syslog-ng to log Windows clients. I downloaded and installed the Snare agent and added the following to the conf file:

filter windows { program(MSWinEventLog); };
destination windows { file("/var/log/archive/windows/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY" template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n") template_escape(no) ); };
log { source(local); filter(windows); destination(windows); flags(final); };

When I type syslog-ng -f /etc/syslog-ng.conf I get this error message:

# syslog-ng -f /etc/syslog-ng.conf
unresolved reference: local

Thanks in advance for your help.
bye
antonio
Hi,

> I'm trying to configure syslog-ng to log Windows clients. I downloaded and installed the Snare agent and added the following to the conf file:

You mentioned that you added the following below; what does the whole config file look like?

> filter windows { program(MSWinEventLog); };
> destination windows { file("/var/log/archive/windows/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY" template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n") template_escape(no) ); };
> log { source(local); filter(windows); destination(windows); flags(final); };

May I suggest that you think about your naming convention? It could prove helpful to prefix filters with "f_", destinations with "d_" and sources with "s_" to avoid naming confusion (there should not be a namespace collision, though).

> When I type syslog-ng -f /etc/syslog-ng.conf I get this error message:
>
> # syslog-ng -f /etc/syslog-ng.conf
> unresolved reference: local

Do you have a local source entry in your config file somewhere? For example something along the lines of:

source local { internal(); unix-stream("/dev/log"); file("/proc/kmsg"); };

HTH,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
Roberto Nibali wrote:

> May I suggest that you think about your naming convention? It could prove helpful to prefix filters with "f_", destinations with "d_" and sources with "s_" to avoid naming confusion (there should not be a namespace collision, though).
>
> > When I type syslog-ng -f /etc/syslog-ng.conf I get this error message:
> >
> > # syslog-ng -f /etc/syslog-ng.conf
> > unresolved reference: local
>
> Do you have a local source entry in your config file somewhere? For example something along the lines of:
>
> source local { internal(); unix-stream("/dev/log"); file("/proc/kmsg"); };
Yes I do... here is my conf file. As you can see this is the sample conf file; what I need in addition is to log the Windows PCs at the moment.

# Syslog-ng example configuration for Debian GNU/Linux
#
# Copyright (c) 1999 anonymous
# Copyright (c) 1999 Balazs Scheidler
# $Id: syslog-ng.conf.sample,v 1.3 2003/05/20 08:57:27 asd Exp $
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.
#

options { long_hostnames(off); sync(0); };

####windows logging####
filter windows { program(MSWinEventLog); };
destination windows { file("/var/log/archive/windows/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY" template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n") template_escape(no) ); };
log { source(local); filter(windows); destination(windows); flags(final); };
####windows logging####

source src { unix-stream("/dev/log"); internal(); };
source net { udp(); };

destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
#destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
#destination uucp { file("/var/log/uucp.log"); };
#destination ppp { file("/var/log/ppp.log"); };
destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
#destination loghost { udp("loghost" port(999)); };
destination xconsole { pipe("/dev/xconsole"); };

filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
#filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
#filter f_uucp { facility(cron); };
#filter f_ppp { facility(local2); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kern); destination(kern); };
#log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
#log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#log { source(src); filter(f_ppp); destination(ppp); };
log { source(src); destination(console_all); };
> here is my conf file. As you can see this is the sample conf file; what I need in addition is to log the Windows PCs at the moment.

Colour me blind, but I don't see the source local definition. I only see a source src definition.

> options { long_hostnames(off); sync(0); };
>
> ####windows logging####
> filter windows { program(MSWinEventLog); };
> destination windows { file("/var/log/archive/windows/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY" template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n") template_escape(no) ); };
> log { source(local); filter(windows); destination(windows);

s/local/src/ should do the trick.

> flags(final); };
> ####windows logging####
>
> source src { unix-stream("/dev/log"); internal(); };

Or you add the following line to your configuration file:

source local { unix-stream("/dev/log"); internal(); };

Either way, you need to have the source defined which you want to use in your log statement.

Cheers,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
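Added example, not code from the thread or from syslog-ng itself: a small Python checker that performs the same check syslog-ng's parser did when it printed "unresolved reference: local", collecting the source/filter/destination names defined at top level and flagging any log{} reference that has no definition. The input is a constructed fragment made of the thread's windows-logging statements plus the two sources antonio's full config defines; both fixes proposed above (renaming the reference, or defining source local) make the check pass.

```python
import re

# Constructed test input: the windows-logging fragment from the thread plus the
# two sources antonio's full config defines (src for /dev/log, net for udp()).
BROKEN_CONF = """
source src { unix-stream("/dev/log"); internal(); };
source net { udp(); };
filter windows { program(MSWinEventLog); };
destination windows { file("/var/log/archive/windows/$R_YEAR-$R_MONTH-$R_DAY"); };
log { source(local); filter(windows); destination(windows); flags(final); };
"""

# Top-level definitions such as "source src {" or "filter windows {".
DEF_RE = re.compile(r'\b(source|filter|destination)\s+(\w+)\s*\{')
# Each log statement body, up to its closing "};".
LOG_RE = re.compile(r'\blog\s*\{(.*?)\};', re.S)
# References inside a log body such as "source(local)" or "filter(windows)".
REF_RE = re.compile(r'\b(source|filter|destination)\((\w+)\)')


def strip_comments(conf):
    """Remove '#' comments so commented-out definitions do not count."""
    return re.sub(r'#[^\n]*', '', conf)


def unresolved_references(conf):
    """Return [(kind, name), ...] for every log{} reference with no definition.

    This is the check behind syslog-ng's "unresolved reference: <name>" error:
    a log statement may only name sources, filters and destinations that have
    a top-level definition somewhere in the file.
    """
    text = strip_comments(conf)
    defined = set(DEF_RE.findall(text))
    missing = []
    for body in LOG_RE.findall(text):
        for ref in REF_RE.findall(body):
            if ref not in defined and ref not in missing:
                missing.append(ref)
    return missing


def rename_source_ref(conf, old, new):
    """Apply Roberto's s/old/new/ to source(...) references only, leaving any
    "source old {" definition and unrelated text untouched."""
    return re.sub(r'\bsource\(%s\)' % re.escape(old), 'source(%s)' % new, conf)


if __name__ == '__main__':
    print(unresolved_references(BROKEN_CONF))  # [('source', 'local')]
    print(unresolved_references(rename_source_ref(BROKEN_CONF, 'local', 'net')))  # []
```

Resolving the reference only makes the file parse: Snare forwards the Windows event log over the network rather than into /dev/log, so the windows log path needs to read from the udp() source (source(net) in antonio's config) or the archive directory will stay empty.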
participants (2)
- antonio
- Roberto Nibali