Anyone Using Mailgraph (an RRD based Tool) for Postfix Mail Logs???
Hello; I am in search of a way to graph my logs for four separate mailservers. Since all four are logging onto the same syslog-ng host, I figured I'd use mailgraph, a tool which creates graphs using RRDtools. I got rrdtools installed and ran mailgraph, and after not receiving any graph data at all in my database (mailgraph.rrd file), I ran strace and saw:

    write(2, "WARNING: line not in syslog form"..., 209) = 209
    write(2, "WARNING: line not in syslog form"..., 167) = 167
    write(2, "WARNING: line not in syslog form"..., 172) = 172
    write(2, "WARNING: line not in syslog form"..., 173) = 173
    write(2, "WARNING: line not in syslog form"..., 194) = 194
    write(2, "WARNING: line not in syslog form"..., 172) = 172

My syslog-ng.conf has the following relevant data for this particular source:

    options {
        chain_hostnames(no);
        create_dirs (yes);
        dir_perm(0755);
        use_dns (yes);
        dns_cache(yes);
        dns_cache_size(1000);
        dns_cache_expire(604800);
        keep_hostname(yes);
        log_fifo_size(10000);
        log_msg_size(8192);
        long_hostnames(on);
        perm(0644);
        stats(3600);
        sync(0);
        time_reopen (10);
        use_dns(yes);
        use_fqdn(yes);
    };

    log {
        source(S_udp);
        filter(F_mailservers);
        destination(D_mailservers);
        flags(final);
    };

    destination D_mailservers {
        file("/var/log/Acme-Hosts/MailServers/$FULLHOST.log" perm(0644));
    };

My logs look like:

    Sep 5 16:31:45 mailserver.example.net/mailserver.example.net postfix/qmgr[27362]: [ID 197553 mail.info] 597816CB1E: from=<203176.549962556@abc.exampletest.com>, size=14602, nrcpt=1 (queue active)
    Sep 5 16:31:45 mailserver.mailserver.net/mailserver.example.net postfix/qmgr[27362]: [ID 197553 mail.info] 3081A6CB1C: removed
    Sep 5 16:31:45 mailserver.mailserver.net/mailserver.example.net postfix/qmgr[27362]: [ID 197553 mail.info] 1C0426CB1D: removed

Is there a way that I can tell syslog-ng to output to two locations, one in the format above, which I need, and another in the format that mailgraph expects to see?
I assume that mailgraph is not set up to see the HOSTNAME/HOSTNAME entries shown above. I am using syslog-ng, latest, and am purposely stuffing my data into files named after the host, into a directory named after the same. I am also using a FIFO to redirect all logged data into a mysql DB, but the script mailgraph is receiving its data from the flat files above.

Any help appreciated, especially in a way that would not require rewriting the way the data looks now.

Thanks all,
.vp
On Mon, Sep 8, 2008 at 5:51 AM, <wiskbroom@hotmail.com> wrote:
write(2, "WARNING: line not in syslog form"..., 172) = 172
My syslog-ng.conf has the following relevant data for this particular source:
options { ... long_hostnames(on); .. };
Set long_hostnames to off, and then when you no longer have hostnames like mailserver.mailserver.net/mailserver.example.net you'll probably be ok.
Date: Mon, 8 Sep 2008 07:09:37 -0700
From: infosec@gmail.com
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] Anyone Using Mailgraph (an RRD based Tool) for Postfix Mail Logs???
On Mon, Sep 8, 2008 at 5:51 AM, <wiskbroom@hotmail.com> wrote:
write(2, "WARNING: line not in syslog form"..., 172) = 172
My syslog-ng.conf has the following relevant data for this particular source:
options { ... long_hostnames(on); .. };
Set long_hostnames to off, and then when you no longer have hostnames like mailserver.mailserver.net/mailserver.example.net you'll probably be ok.
Cat; This worked indeed! Thank you. Is there any other way to achieve this? While this fixes this problem, it breaks other functionality I have in place, i.e. my logrotate scripts and some other SEC rules. Thanks! .vp
On Mon, Sep 8, 2008 at 8:40 AM, <wiskbroom@hotmail.com> wrote:
This worked indeed! Thank you. Is there any other way to achieve this? While this fixes this problem, it breaks other functionality I have in place, i.e. my logrotate scripts and some other SEC rules.
Thanks!
No problem. I'd see about turning long_hostnames back on - then overriding the setting with a macro in a template, using something like $HOST_FROM or one of those. I'm sure you can find one that doesn't have the chained names in it. At that point, you just have the graphing scripts look at the templatized graphs. Feed the long hostnames (non-templatized logs) to SEC, and it should be happy. The only thing I can't speak to is your logrotate settings, since I don't know what it needs.
I'd see about turning long_hostnames back on - then overriding the setting with a macro in a template, using something like $HOST_FROM or one of those. I'm sure you can find one that doesn't have the chained names in it. At that point, you just have the graphing scripts look at the templatized graphs.
Err, have the graphing scripts look at the templatized logs. I need coffee. You probably knew what I meant. :)
Many thanks again! The fact that I am getting graphs now is great. .vp
Date: Mon, 8 Sep 2008 09:29:28 -0700
From: infosec@gmail.com
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] Anyone Using Mailgraph (an RRD based Tool) for Postfix Mail Logs???
I'd see about turning long_hostnames back on - then overriding the setting with a macro in a template, using something like $HOST_FROM or one of those. I'm sure you can find one that doesn't have the chained names in it. At that point, you just have the graphing scripts look at the templatized graphs.
Err, have the graphing scripts look at the templatized logs. I need coffee. You probably knew what I meant. :)
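Added example, not part of the original thread and not mailgraph or syslog-ng code: a small Python filter that shows why the chained HOSTNAME/HOSTNAME field fails a strict syslog-line check and rewrites it to a single host, so a normalized copy can be graphed while the original files keep their format. The accepted host characters (HOST_OK) and the choice to keep the last component of the chain are assumptions.

```python
import re
import sys

# "Mon DD HH:MM:SS host rest" -- the classic syslog line prefix.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s+(?P<rest>.*)$"
)
# Assumption: a strict parser accepts only these characters in the host field,
# so a chained "a/b" host is rejected because of the slash.
HOST_OK = re.compile(r"^[-\w.@:]+$")

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE = (
    "Sep 5 16:31:45 mailserver.example.net/mailserver.example.net "
    "postfix/qmgr[27362]: [ID 197553 mail.info] 3081A6CB1C: removed"
)


def is_strict_syslog(line):
    """True if the line has a timestamp and a host field without a chain."""
    m = LINE_RE.match(line)
    return bool(m and HOST_OK.match(m.group("host")))


def unchain(line, keep=-1):
    """Reduce a chained host to one component (keep=-1 last, keep=0 first).

    Lines that do not look like syslog at all are returned unchanged, so
    nothing is silently dropped from the normalized copy.
    """
    m = LINE_RE.match(line)
    if not m:
        return line
    parts = [p for p in m.group("host").split("/") if p]
    if not parts or not HOST_OK.match(parts[keep]):
        return line
    return "{} {} {}".format(m.group("ts"), parts[keep], m.group("rest"))


if __name__ == "__main__":
    # Filter mode: chained-host lines on stdin, normalized lines on stdout.
    for raw in sys.stdin:
        sys.stdout.write(unchain(raw.rstrip("\n")) + "\n")
```
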
participants (2): concatenate, wiskbroom@hotmail.com