hi there syslog gurus..
Is the configuration below enough for me to log some of my routers? 157.0.1.1 is my syslog server and I'm supposed to get logs from a few routers. I have added appropriate logging commands on the routers to log to the syslog server but I don't see anything. syslog-ng is started and listening on both udp/tcp. I'm running on FreeBSD.

--start--
## syslog-ng
source remote {
    unix-stream("/var/run/log");
    internal();
    pipe("/dev/klog");
    udp(ip(157.0.1.1) port(514));
    tcp(ip(157.0.1.1) port(514) keep-alive(yes));
};

destination std {
    file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY"
         owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes));
};

log { source(remote); destination(std); };

destination authlog { file("/var/log/auth.log"); };
destination cron { file("/var/log/cron.log"); };
destination debug { file("/var/log/debug.log"); };
destination kern { file("/var/log/kern.log"); };
destination user { file("/var/log/userlog"); };
destination maillog { file("/var/log/maillog"); };
destination security { file("/var/log/security"); };
destination messages { file("/var/log/messages"); };
--end--

any hints or help is much appreciated.
thanks
fico
On 9/26/05, fico gid <ficohertz@gmail.com> wrote:
> hi there syslog gurus..
> Is the configuration below enough for me to log some of my routers? 157.0.1.1 is my syslog server and I'm supposed to get logs from a few routers. I have added appropriate logging commands on the routers to log to the syslog server but I don't see anything. syslog-ng is started and listening on both udp/tcp. I'm running on FreeBSD.
Ok so you verified that syslog-ng is still running? Good. At a glance your configs look good, I'd want to check that the packets are really making it to the log server. Use tcpdump or something similar to check the network, and during troubleshooting I'd clear any packet filters on the FreeBSD host ("ipf -F a" or whatever you have to do on FreeBSD these days).
Hi Catenate,
From the tcpdump I can see the packets coming into the syslog server but apparently it is not sorting out properly. It goes to the default directory, differentiated only by date and not hostname.
What could be the problem?
thanks
fico

On 9/26/05, catenate <infosec@gmail.com> wrote:
> On 9/26/05, fico gid <ficohertz@gmail.com> wrote:
>> hi there syslog gurus..
>> Is the configuration below enough for me to log some of my routers? 157.0.1.1 is my syslog server and I'm supposed to get logs from a few routers. I have added appropriate logging commands on the routers to log to the syslog server but I don't see anything. syslog-ng is started and listening on both udp/tcp. I'm running on FreeBSD.
>
> Ok so you verified that syslog-ng is still running? Good.
> At a glance your configs look good, I'd want to check that the packets are really making it to the log server. Use tcpdump or something similar to check the network, and during troubleshooting I'd clear any packet filters on the FreeBSD host ("ipf -F a" or whatever you have to do on FreeBSD these days).
On 9/26/05, fico gid <ficohertz@gmail.com> wrote:
> Hi Catenate,
> From the tcpdump I can see the packets coming into the syslog server but apparently it is not sorting out properly. It goes to the default directory, differentiated only by date and not hostname.
> What could be the problem?
What exactly is happening - you mean it logs to your destinations like /var/log/kern.log or that it logs to files below /var/log/hosts but not separated by hostname? Initially you said nothing was being logged at all. Please be specific. Also, is that really your whole syslog-ng config file? Go ahead and send the whole thing, assuming it's not more than a few hundred lines.
Hi Again,
Below is the whole syslog-ng.conf file. Yes, it is not separating as in /host/somehost/year/month/day ..

--
## syslog-ng
source remote {
    unix-stream("/var/run/log");
    internal();
    pipe("/dev/klog");
    udp(ip(157.1.1.13) port(514));
    tcp(ip(157.1.1.13) port(514) keep-alive(yes));
};

destination std {
    file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY"
         owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes));
};

log { source(remote); destination(std); };

destination authlog { file("/var/log/auth.log"); };
destination cron { file("/var/log/cron.log"); };
destination debug { file("/var/log/debug.log"); };
destination kern { file("/var/log/kern.log"); };
destination user { file("/var/log/userlog"); };
# These files are the logs that come from the mail subsystem.
#
destination maillog { file("/var/log/maillog"); };
destination security { file("/var/log/security"); };
destination messages { file("/var/log/messages"); };
--

Let me know if you need more info,
fico

On 9/27/05, catenate <infosec@gmail.com> wrote:
> On 9/26/05, fico gid <ficohertz@gmail.com> wrote:
>> Hi Catenate,
>> From the tcpdump I can see the packets coming into the syslog server but apparently it is not sorting out properly. It goes to the default directory, differentiated only by date and not hostname.
>> What could be the problem?
>
> What exactly is happening - you mean it logs to your destinations like /var/log/kern.log or that it logs to files below /var/log/hosts but not separated by hostname? Initially you said nothing was being logged at all. Please be specific.
> Also, is that really your whole syslog-ng config file? Go ahead and send the whole thing, assuming it's not more than a few hundred lines.
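Whether the destination std above ever sees distinct $HOST values depends on what each router actually puts in the datagram, so here is an added example (not from any of the posts in this thread) that parses BSD syslog lines the way a receiver does and shows what $HOST and $FACILITY would expand to for the thread's file() template; the sample datagrams and sender addresses are constructed.

```python
import re
from dataclasses import dataclass
# RFC 3164 facility names indexed by PRI // 8; syslog-ng's $FACILITY
# uses the same numbering (e.g. PRI 189 -> facility 23 -> local7).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
    "clock", "local0", "local1", "local2", "local3", "local4", "local5",
    "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")
# "Mmm dd hh:mm:ss HOSTNAME " header as defined in RFC 3164 section 4.1.2
HEADER_RE = re.compile(r"^[A-Z][a-z]{2} [ 0-3]\d \d\d:\d\d:\d\d (\S+) ")

@dataclass
class Parsed:
    host: str         # what a collector would expand $HOST to
    host_source: str  # "message" (HOSTNAME field) or "sender" (source IP)
    facility: str
    severity: str
    msg: str

def parse_bsd_syslog(raw: str, sender_ip: str) -> Parsed:
    """Parse one datagram the way a BSD syslog receiver does."""
    pri, body = 13, raw  # RFC 3164: missing/invalid PRI means user.notice
    m = PRI_RE.match(raw)
    if m and int(m.group(1)) <= 191:
        pri, body = int(m.group(1)), raw[m.end():]
    facility, severity = FACILITIES[pri // 8], SEVERITIES[pri % 8]
    h = HEADER_RE.match(body)
    if h:
        return Parsed(h.group(1), "message", facility, severity, body[h.end():])
    # No TIMESTAMP+HOSTNAME header: the only host identity left is the source address
    return Parsed(sender_ip, "sender", facility, severity, body)

def log_path(p: Parsed, year: int, month: int, day: int) -> str:
    """Path the thread's destination std would expand to for this message."""
    return f"/var/log/hosts/{p.host}/{year}/{month:02d}/{day:02d}/{p.facility}"

# Constructed samples: a message with a HOSTNAME field, a router-style line
# with a sequence number but no hostname, and a line with no PRI at all.
SAMPLES = [
    ("<34>Sep 26 14:03:11 rtr-core1 login: root login refused", "10.0.0.1"),
    ("<189>37: *Sep 26 14:03:12.101: %SYS-5-CONFIG_I: Configured from console", "10.0.0.2"),
    ("no pri at all", "10.0.0.3"),
]
if __name__ == "__main__":
    for raw, ip in SAMPLES:
        p = parse_bsd_syslog(raw, ip)
        print(f"{p.host} via {p.host_source}: {log_path(p, 2005, 9, 26)}")
```

Whether syslog-ng keeps the in-message hostname or substitutes the sender's address (resolved or not) is governed by its keep_hostname() and use_dns() options, so those are worth checking alongside the router output when files do not separate per host.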