Problem of recording
I am Stefano Tanfoglio, I work for a bank in Italy. I use syslog-ng to archive the logs of 176 computers (2 routers, 125 Windows servers, 51 Linux servers).

On the Windows servers I use the ntsyslog service:
protocol = udp
destination server = ip syslog-ng server
destination port = 514
Ntsyslog sends all logs.

On the Linux servers I use syslog:
auth.* @syslog01.xxxx.it
authpriv.* @syslog01.xxxx.it
kernel.=err;kernel.=warn @syslog01.xxxx.it
mail.=err;mail.=warn @syslog01.xxxx.it
daemon.=err;daemon.=warn @syslog01.xxxx.it
local7.=err;local7.=warn @syslog01.xxxx.it
...
...

Configuration of syslog-ng.conf (version: syslog-ng-1.4.14-2mdk):
options { sync (0); time_reopen (10); log_fifo_size (3000); long_hostnames (on); use_dns (yes); use_fqdn (yes); create_dirs (yes); keep_hostname (yes); };
source remote { udp(); };
destination linux { file("/var/log/HOSTS/LINUX/$HOST/$FACILITY" dir_perm(0755) perm(0655)); };
destination windows { file("/var/log/HOSTS/WINDOWS/$HOST/$FACILITY" dir_perm(0755) perm(0655)); };
destination router { file("/var/log/HOSTS/ROUTER/$HOST/$FACILITY" dir_perm(0755) perm(0655)); };
filter f_linux { host("name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|51"); };
filter f_windows { host("name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|125"); };
filter f_router { host("name1.domain.tld|name2.domain.tld"); };
log { source(remote); filter(f_linux); destination(linux); };
log { source(remote); filter(f_windows); destination(windows); };
log { source(remote); filter(f_router); destination(router); };

Problem:
1) In the Windows section I have 125 machines and only 80 recording. I tried moving the last hostname to the first position:
filter f_windows { host("125|name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|124 "); };
The test is OK, that hostname is logged and recorded.
2) Every 10-15 minutes the syslog-ng system goes down.
3) I tried the new version but I have not obtained a positive result.
4) I have modified syslog-ng.conf:
....
....
destination tem { file("/var/log/HOSTS/ALL/$HOST" dir_perm(0755) perm(0655)); };
...
...
...
log { source(remote); destination(tem); };
..
..
With this solution all machines are recorded and the server doesn't crash. I have not tried DB recording.

Thanks for the collaboration.

Stefano Tanfoglio
Assyrus Srl
www.assyrus.it
ICQ: 146827274
On Wed, 2002-11-06 at 11:53, Stefano Tanfoglio wrote: ....
filter f_windows { host("name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|125"); };
....
1) In the Windows section I have 125 machines and only 80 recording. I tried moving the last hostname to the first position:
filter f_windows { host("125|name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|124 "); };
The test is OK, that hostname is logged and recorded.
Stefano,

Try this: on the Linux server running syslog-ng, create virtual network interfaces so that the box has more than one IP address, for example 10.10.10.1, 10.10.10.2 and 10.10.10.3.

In your syslog-ng configuration file you can add the sources:
source s_win { udp(ip("10.10.10.1") port(514)); };
source s_lin { udp(ip("10.10.10.2") port(514)); };
source s_rtr { udp(ip("10.10.10.3") port(514)); };
(EXAMPLE ONLY, read the syslog-ng.conf man page for proper syntax.)

Then configure all your Windows boxes to point at the IP address 10.10.10.1, all your Linux boxes to point at the IP address 10.10.10.2, and all your routers to point at the IP address 10.10.10.3. Just set up one filter. Then in your log statements you can configure the sources for each destination.

As far as your other problems, don't worry about them yet. Try to fix one thing at a time.

-Ben.
On Wed, Nov 06, 2002 at 05:53:32PM +0100, Stefano Tanfoglio wrote:
I am Stefano Tanfoglio, I work for a bank in Italy. I use syslog-ng to archive the logs of 176 computers (2 routers, 125 Windows servers, 51 Linux servers).
On the Windows servers I use the ntsyslog service:
protocol = udp
destination server = ip syslog-ng server
destination port = 514
Ntsyslog sends all logs.
On the Linux servers I use syslog:
auth.* @syslog01.xxxx.it
authpriv.* @syslog01.xxxx.it
kernel.=err;kernel.=warn @syslog01.xxxx.it
mail.=err;mail.=warn @syslog01.xxxx.it
daemon.=err;daemon.=warn @syslog01.xxxx.it
local7.=err;local7.=warn @syslog01.xxxx.it
...
...
Configuration of syslog-ng.conf (version: syslog-ng-1.4.14-2mdk):
options { sync (0); time_reopen (10); log_fifo_size (3000); long_hostnames (on); use_dns (yes); use_fqdn (yes); create_dirs (yes); keep_hostname (yes); };
source remote { udp(); };
destination linux { file("/var/log/HOSTS/LINUX/$HOST/$FACILITY" dir_perm(0755) perm(0655)); };
destination windows { file("/var/log/HOSTS/WINDOWS/$HOST/$FACILITY" dir_perm(0755) perm(0655)); };
destination router { file("/var/log/HOSTS/ROUTER/$HOST/$FACILITY" dir_perm(0755) perm(0655)); };
filter f_linux { host("name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|51"); };
filter f_windows { host("name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|125"); };
filter f_router { host("name1.domain.tld|name2.domain.tld"); };
log { source(remote); filter(f_linux); destination(linux); };
log { source(remote); filter(f_windows); destination(windows); };
log { source(remote); filter(f_router); destination(router); };
Problem:
1) In the Windows section I have 125 machines and only 80 recording. I tried moving the last hostname to the first position:
filter f_windows { host("125|name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|124 "); };
The test is OK, that hostname is logged and recorded.

The maximum length of the regular expressions is 1023 characters.

2) Every 10-15 minutes the syslog-ng system goes down.

You might try 1.4.17 (stable) or 1.5.23 (soon to be stable).

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
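As an added example that is not part of this thread (it is neither Stefano's configuration nor Bazsi's or Ben's code), the following Python script generates the Windows host filter in a form that stays within the 1023-character limit per host() regular expression mentioned above: it splits the host list into several host() alternations combined with syslog-ng's filter `or` operator, and anchors each name and writes its dots as `[.]`, because a bare `.` in host("name1.domain.tld") is a regex wildcard that also matches names such as "name1xdomain.tld". The host names are constructed placeholders; the 1023-character limit is taken from the thread.

```python
import re

# Constructed placeholder host list standing in for the 125 Windows servers.
WINDOWS_HOSTS = [f"winsrv{i:03d}.bank.example" for i in range(1, 126)]

# Limit stated in the thread: one host() regular expression is at most 1023 chars.
MAX_REGEX_LEN = 1023

_VALID_FQDN = re.compile(r"^[A-Za-z0-9.-]+$")


def host_pattern(fqdn):
    """Return an anchored regex that matches exactly this host name.

    A bare dot in host("name1.domain.tld") matches any character, so the
    thread's filters also accept e.g. 'name1xdomain.tld'. '[.]' is a literal
    dot in POSIX regexes and needs no backslash inside the config string.
    """
    if not _VALID_FQDN.match(fqdn):
        raise ValueError(f"unexpected characters in host name: {fqdn!r}")
    return "^" + fqdn.replace(".", "[.]") + "$"


def host_matches(regex, host):
    """Check a host() regex against a HOST value (unanchored search, as a regex match would do)."""
    return re.search(regex, host) is not None


def chunk_alternations(fqdns, max_len=MAX_REGEX_LEN):
    """Split the hosts into '|'-joined regexes, each no longer than max_len characters."""
    chunks, current = [], []
    for pattern in map(host_pattern, fqdns):
        if len(pattern) > max_len:
            raise ValueError(f"single host pattern exceeds {max_len} chars")
        if current and len("|".join(current + [pattern])) > max_len:
            chunks.append("|".join(current))
            current = []
        current.append(pattern)
    if current:
        chunks.append("|".join(current))
    return chunks


def render_filter(name, fqdns):
    """Emit one syslog-ng filter whose host() terms are combined with 'or'."""
    terms = ['host("%s")' % chunk for chunk in chunk_alternations(fqdns)]
    return "filter %s { %s };" % (name, " or ".join(terms))


if __name__ == "__main__":
    # Paste the printed line into syslog-ng.conf in place of filter f_windows.
    print(render_filter("f_windows", WINDOWS_HOSTS))
```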
participants (3): Balazs Scheidler, Ben Russo, Stefano Tanfoglio