Question about Syslog
Hi all,

I configure a central syslogger. In my syslog-ng.conf:

destination servername { file("/var/log/servername/$YEAR/$MONTH/$DAY/$HOST.log" owner(root) group(wheel) perm(0600) dir_perm(0700) create_dirs(yes)); };

But the syslog calls/errors from "servername" are written to /var/log/messages ... What am I doing wrong?

Thanks for your help

Francis Provencher
Ministère de la Sécurité publique du Québec
Direction des technologies de l'information
Division de la sécurité informatique
Tel: 1 418 646-3258
Email: Francis.provencher@Msp.gouv.qc.ca
CEH - Certified Ethical Hacker
SSCP - Systems Security Certified Practitioner
Sec+ - Security+
FRANCIS PROVENCHER wrote:

Can you post your entire syslog-ng.conf file? With the information you have provided, the best I can do is refer you to the documentation.

--
Evan Rempel
Thanks, here is my syslog-ng.conf:

Server# cat /usr/local/etc/syslog-ng.conf
#
# This sample configuration file is essentially equivalent to the stock
# FreeBSD /etc/syslog.conf file.
#
#
# options
#
options { long_hostnames(off); sync(0); };
#
# sources
#
source src { unix-dgram("/var/run/log"); unix-dgram("/var/run/logpriv" perm(0600)); udp(); internal(); file("/dev/klog"); };
source net { udp(ip(127.0.0.1) port(514)); };
#
# destinations
#
destination messages { file("/var/log/messages"); };
destination security { file("/var/log/security"); };
destination authlog { file("/var/log/auth.log"); };
destination maillog { file("/var/log/maillog"); };
destination lpd-errs { file("/var/log/lpd-errs"); };
destination xferlog { file("/var/log/xferlog"); };
destination cron { file("/var/log/cron"); };
destination debuglog { file("/var/log/debug.log"); };
destination consolelog { file("/var/log/console.log"); };
destination all { file("/var/log/all.log"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination slip { file("/var/log/slip.log"); };
destination ppp { file("/var/log/ppp.log"); };
destination console { file("/dev/console"); };
destination allusers { usertty("*"); };
#destination loghost { udp("loghost" port(514)); };
# destination name must match the destination(SERVEURNAME) references below (names are case-sensitive)
destination SERVEURNAME { file("/var/log/SERVEURNAME/$YEAR/$MONTH/$DAY/$HOST.log" owner(root) group(wheel) perm(0600) dir_perm(0700) create_dirs(yes)); };
#
# log facility filters
#
filter f_auth { facility(auth); };
filter f_authpriv { facility(authpriv); };
filter f_not_authpriv { not facility(authpriv); };
filter f_console { facility(console); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_ftp { facility(ftp); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_security { facility(security); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_local0 { facility(local0); };
filter f_local1 { facility(local1); };
filter f_local2 { facility(local2); };
filter f_local3 { facility(local3); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };
#
# log level filters
#
filter f_emerg { level(emerg); };
filter f_alert { level(alert..emerg); };
filter f_crit { level(crit..emerg); };
filter f_err { level(err..emerg); };
filter f_warning { level(warning..emerg); };
filter f_notice { level(notice..emerg); };
filter f_info { level(info..emerg); };
filter f_debug { level(debug..emerg); };
filter f_is_debug { level(debug); };
#
# program filters
#
filter f_ppp { program("ppp"); };
filter f_slip { program("startslip"); };
#
# *.err;kern.warning;auth.notice;mail.crit /dev/console
#
log { source(src); filter(f_err); destination(console); };
log { source(src); filter(f_kern); filter(f_warning); destination(console); };
log { source(src); filter(f_auth); filter(f_notice); destination(console); };
log { source(src); filter(f_mail); filter(f_crit); destination(console); };
#
# *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
#
log { source(src); filter(f_notice); filter(f_not_authpriv); destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
log { source(src); filter(f_news); filter(f_err); destination(messages); };
#
# security.* /var/log/security
#
log { source(src); filter(f_security); destination(security); };
#
# auth.info;authpriv.info /var/log/auth.log
#
log { source(src); filter(f_auth); filter(f_info); destination(authlog); };
log { source(src); filter(f_authpriv); filter(f_info); destination(authlog); };
#
# mail.info /var/log/maillog
#
log { source(src); filter(f_mail); filter(f_info); destination(maillog); };
#
# lpr.info /var/log/lpd-errs
#
log { source(src); filter(f_lpr); filter(f_info); destination(lpd-errs); };
#
# ftp.info /var/log/xferlog
#
log { source(src); filter(f_ftp); filter(f_info); destination(xferlog); };
#
# cron.* /var/log/cron
#
log { source(src); filter(f_cron); destination(cron); };
#
# *.=debug /var/log/debug.log
#
log { source(src); filter(f_is_debug); destination(debuglog); };
#
# *.emerg *
#
log { source(src); filter(f_emerg); destination(allusers); };
#
# uncomment this to log all writes to /dev/console to /var/log/console.log
# console.info /var/log/console.log
#
#log { source(src); filter(f_console); filter(f_info); destination(consolelog); };
#
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
# *.* /var/log/all.log
#
#log { source(src); destination(all); };
#
# uncomment this to enable logging to a remote loghost named loghost
# *.* @loghost
#
#log { source(src); destination(loghost); };
#
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
#
#log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
#log { source(src); filter(f_news); filter(f_err); destination(newserr); };
#log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
#
# !startslip
# *.* /var/log/slip.log
#
log { source(src); filter(f_slip); destination(slip); };
#
# !ppp
# *.* /var/log/ppp.log
#
log { source(src); filter(f_ppp); destination(ppp); };
#######################
### Remote Hosts ######
#######################
# *.err;kern.warning;auth.notice;mail.crit
log { source(net); filter(f_err); destination(SERVEURNAME); };
log { source(net); filter(f_kern); filter(f_warning); destination(SERVEURNAME); };
log { source(net); filter(f_auth); filter(f_notice); destination(SERVEURNAME); };
log { source(net); filter(f_mail); filter(f_crit); destination(SERVEURNAME); };
# *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err
log { source(net); filter(f_notice); filter(f_not_authpriv); destination(SERVEURNAME); };
log { source(net); filter(f_kern); filter(f_debug); destination(SERVEURNAME); };
log { source(net); filter(f_lpr); filter(f_info); destination(SERVEURNAME); };
log { source(net); filter(f_mail); filter(f_crit); destination(SERVEURNAME); };
log { source(net); filter(f_news); filter(f_err); destination(SERVEURNAME); };
# security.*
log { source(net); filter(f_security); destination(SERVEURNAME); };
# auth.info;authpriv.info
log { source(net); filter(f_auth); filter(f_info); destination(SERVEURNAME); };
log { source(net); filter(f_authpriv); filter(f_info); destination(SERVEURNAME); };
# mail.info
log { source(net); filter(f_mail); filter(f_info); destination(SERVEURNAME); };
# cron.*
log { source(net); filter(f_cron); destination(SERVEURNAME); };
# *.=debug
log { source(net); filter(f_is_debug); destination(SERVEURNAME); };
# *.emerg
log { source(net); filter(f_emerg); destination(SERVEURNAME); };
# local.*
log { source(net); filter(f_local0); destination(SERVEURNAME); };
log { source(net); filter(f_local1); destination(SERVEURNAME); };
log { source(net); filter(f_local2); destination(SERVEURNAME); };
log { source(net); filter(f_local3); destination(SERVEURNAME); };
log { source(net); filter(f_local4); destination(SERVEURNAME); };
log { source(net); filter(f_local5); destination(SERVEURNAME); };
log { source(net); filter(f_local6); destination(SERVEURNAME); };
log { source(net); filter(f_local7); destination(SERVEURNAME); };

Francis Provencher
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
It is a little difficult to determine what you are trying to do, but I think I understand it.

Your "net" source is listening on the loopback address. I think your intention is "messages from myself", but messages that are generated on the local host do NOT go through the network, not even on the loopback address. For local messages you need to use /dev/log and /proc/kmsg. Then your "log" statements need to reference the "src" source rather than the "net" source.

--
Evan Rempel erempel@uvic.ca
Senior Programmer Analyst 250.721.7691
Computing Services University of Victoria
Hi,

I've put localhost on the source, but it's an error; I changed it to the IP address of the NIC that I connect to the tap.

But syslog calls from the remote server continue to go to /var/log/messages instead of /var/log/SPSSOWL1/$YEAR/$MONTH/$DAY/$HOST.log, like it's configured in syslog-ng.conf.

Do you want me to paste my syslog-ng.conf here? (I only changed source net { udp(ip(127.0.0.1) port(514)); }; to source net { udp(ip(192.168.33.8) port(514)); };)

Francis Provencher
Without looking up the source, my first guess would be that the problem is caused by having udp() in your configuration twice. The 'src' and the 'net' sources both have udp(). It is possible that the second bind was unsuccessful, as syslog-ng has already bound to the 0.0.0.0:514 UDP port. Check your logs whether this is the case; it should be logged. Optionally, remove udp() from the 'src' source if you're not logging from jails running on the local machine.

Regards,

Sandor
--------------------------------------------------------
NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
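The diagnosis above explains the symptom in the posted configuration: the bare udp() inside 'src' binds 0.0.0.0:514 first, the later udp(ip(192.168.33.8) port(514)) in 'net' cannot bind the same port, so every remote message actually enters through 'src' and is routed by the src log statements to /var/log/messages. The following trimmed syslog-ng.conf is an added example written for this thread (not the poster's file and not from the syslog-ng project); it keeps the poster's destination, address 192.168.33.8 and the directory name SERVEURNAME as placeholders, and defines udp() exactly once so that remote traffic can only match the per-host log statement:

```conf
# Added example: central syslog-ng collector with a single UDP listener.
# Placeholders taken from the thread: 192.168.33.8 (collector NIC),
# SERVEURNAME (per-host directory). Substitute your own values.

options { long_hostnames(off); sync(0); };

# Local messages only: UNIX sockets, kernel ring buffer and syslog-ng itself.
# No udp() here, so 'net' below is the only listener on 514/udp and the
# second-bind failure described in the thread cannot occur.
source src {
    unix-dgram("/var/run/log");
    unix-dgram("/var/run/logpriv" perm(0600));
    internal();
    file("/dev/klog");
};

# Remote messages: bind only on the collector's own interface address,
# never on 127.0.0.1 (local processes do not reach syslog-ng via loopback).
source net { udp(ip(192.168.33.8) port(514)); };

destination messages { file("/var/log/messages"); };

# One file per sending host and per day. create_dirs(yes) lets syslog-ng
# create the $YEAR/$MONTH/$DAY directories itself with dir_perm(0700);
# the files are root-owned and mode 0600, so only root can read the
# collected logs.
destination per_host {
    file("/var/log/SERVEURNAME/$YEAR/$MONTH/$DAY/$HOST.log"
         owner(root) group(wheel) perm(0600) dir_perm(0700) create_dirs(yes));
};

filter f_notice       { level(notice..emerg); };
filter f_not_authpriv { not facility(authpriv); };

# Local traffic keeps going to /var/log/messages as in the stock FreeBSD file.
log { source(src); filter(f_notice); filter(f_not_authpriv); destination(messages); };

# Everything received over the network goes to the per-host tree and nowhere
# else, because no log statement pairs source(net) with destination(messages).
log { source(net); destination(per_host); };
```

Two checks are worth running after the change: `syslog-ng -s` parses the file without starting the daemon, which also catches a destination referenced under a name that differs in case from its definition (syslog-ng object names are case-sensitive), and on FreeBSD `sockstat -4l` shows which process, if any, actually holds 514/udp. Because $HOST becomes part of a file path here, leave syslog-ng's keep_hostname() option at its default of no, so the hostname in the path is derived from the sender's address rather than copied from whatever the remote message header claims.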
Thanks for your help, but I'm not sure I understand. For the moment I receive syslog alerts from other hosts in the network, but syslog puts the alert messages in /var/log/messages instead of /var/log/nameofserver. I don't understand what I'm doing wrong.

Francis Provencher
I've started the syslog-ng service manually and I received this error:

Nov 5 16:55:03 ServerNAae syslog-ng[4948]: Reaping unused destination files; template='/var/log/ServerName/$YEAR/$MONTH/$DAY/$HOST.log'

Does someone know what is going wrong? This message is repeating numerous times.

I looked at the permissions of the user that runs the syslog-ng service; it has the right to write on the partition.

Thanks for your support

Francis Provencher
On Mon, 2007-11-05 at 16:34 -0500, FRANCIS PROVENCHER wrote:
This is not an error message; in fact, if I remember correctly, it is a debug message emitted only if the -d parameter is used. It means that the idle destination files are being closed.

--
Bazsi
participants (4)
- Balazs Scheidler
- Evan Rempel
- FRANCIS PROVENCHER
- Geller, Sandor (IT)