Problem sending logs to central log server..
Hello, I'm trying to sent all my logs from one openbsd server with syslog-ng to a linux ubuntu central log server also with syslog-ng of course but only the syslog-ng logs are been logged.. also when I do a "logger test" for example it gets log locally but not remotely to the log server... here are my configs: for the log server is basically the defaul of ubuntu with my addtions at the end.. you will see some commented is me trying to fix this issue. cat syslog-ng/syslog-ng.conf # # Configuration file for syslog-ng under Debian # # attempts at reproducing default syslog behavior # the standard syslog levels are (in descending order of priority): # emerg alert crit err warning notice info debug # the aliases "error", "panic", and "warn" are deprecated # the "none" priority found in the original syslogd configuration is # only used in internal messages created by syslogd ###### # options options { # disable the chained hostname format in logs # (default is enabled) chain_hostnames(0); # the time to wait before a died connection is re-established # (default is 60) time_reopen(10); # the time to wait before an idle destination file is closed # (default is 60) time_reap(360); # the number of lines buffered before written to file # you might want to increase this if your disk isn't catching with # all the log messages you get or if you want less disk activity # (say on a laptop) # (default is 0) #sync(0); # the number of lines fitting in the output queue log_fifo_size(2048); # enable or disable directory creation for destination files create_dirs(yes); # default owner, group, and permissions for log files # (defaults are 0, 0, 0600) #owner(root); group(adm); perm(0640); # default owner, group, and permissions for created directories # (defaults are 0, 0, 0700) #dir_owner(root); #dir_group(root); dir_perm(0755); # enable or disable DNS usage # syslog-ng blocks on DNS queries, so enabling DNS may lead to # a Denial of Service attack # (default is yes) use_dns(yes); # maximum length of message in bytes # this is only limited by the program listening on the /dev/log Unix # socket, glibc can handle arbitrary length log messages, but -- for # example -- syslogd accepts only 1024 bytes # (default is 2048) #log_msg_size(2048); #Disable statistic log messages. stats_freq(0); # Some program send log messages through a private implementation. # and sometimes that implementation is bad. If this happen syslog-ng # may recognise the program name as hostname. Whit this option # we tell the syslog-ng that if a hostname match this regexp than that # is not a real hostname. bad_hostname("^gconfd$"); keep_hostname (yes); }; ###### # sources # all known message sources source s_all { # message generated by Syslog-NG internal(); # standard Linux log source (this is the default place for the syslog() # function to send logs to) unix-stream("/dev/log"); # messages from the kernel file("/proc/kmsg" log_prefix("kernel: ")); # use the following line if you want to receive remote UDP logging messages # (this is equivalent to the "-r" syslogd flag) # udp(); }; ###### # destinations # some standard log files destination df_auth { file("/var/log/auth.log"); }; destination df_syslog { file("/var/log/syslog"); }; destination df_cron { file("/var/log/cron.log"); }; destination df_daemon { file("/var/log/daemon.log"); }; destination df_kern { file("/var/log/kern.log"); }; destination df_lpr { file("/var/log/lpr.log"); }; destination df_mail { file("/var/log/mail.log"); }; destination df_user { file("/var/log/user.log"); }; destination df_uucp { file("/var/log/uucp.log"); }; # these files are meant for the mail system log files # and provide re-usable destinations for {mail,cron,...}.info, # {mail,cron,...}.notice, etc. destination df_facility_dot_info { file("/var/log/$FACILITY.info"); }; destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); }; destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); }; destination df_facility_dot_err { file("/var/log/$FACILITY.err"); }; destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); }; # these files are meant for the news system, and are kept separated # because they should be owned by "news" instead of "root" destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); }; destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); }; destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); }; # some more classical and useful files found in standard syslog configurations destination df_debug { file("/var/log/debug"); }; destination df_messages { file("/var/log/messages"); }; # pipes # a console to view log messages under X destination dp_xconsole { pipe("/dev/xconsole"); }; # consoles # this will send messages to everyone logged in destination du_all { usertty("*"); }; ###### # filters # all messages from the auth and authpriv facilities filter f_auth { facility(auth, authpriv); }; # all messages except from the auth and authpriv facilities filter f_syslog { not facility(auth, authpriv); }; # respectively: messages from the cron, daemon, kern, lpr, mail, news, user, # and uucp facilities filter f_cron { facility(cron); }; filter f_daemon { facility(daemon); }; filter f_kern { facility(kern); }; filter f_lpr { facility(lpr); }; filter f_mail { facility(mail); }; filter f_news { facility(news); }; filter f_user { facility(user); }; filter f_uucp { facility(uucp); }; # some filters to select messages of priority greater or equal to info, warn, # and err # (equivalents of syslogd's *.info, *.warn, and *.err) filter f_at_least_info { level(info..emerg); }; filter f_at_least_notice { level(notice..emerg); }; filter f_at_least_warn { level(warn..emerg); }; filter f_at_least_err { level(err..emerg); }; filter f_at_least_crit { level(crit..emerg); }; # all messages of priority debug not coming from the auth, authpriv, news, and # mail facilities filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); }; # all messages of info, notice, or warn priority not coming form the auth, # authpriv, cron, daemon, mail, and news facilities filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news); }; # messages with priority emerg filter f_emerg { level(emerg); }; # complex filter for messages usually sent to the xconsole filter f_xconsole { facility(daemon,mail) or level(debug,info,notice,warn) or (facility(news) and level(crit,err,notice)); }; ###### # logs # order matters if you use "flags(final);" to mark the end of processing in a # "log" statement # these rules provide the same behavior as the commented original syslogd rules # auth,authpriv.* /var/log/auth.log log { source(s_all); filter(f_auth); destination(df_auth); }; # *.*;auth,authpriv.none -/var/log/syslog log { source(s_all); filter(f_syslog); destination(df_syslog); }; # this is commented out in the default syslog.conf # cron.* /var/log/cron.log #log { # source(s_all); # filter(f_cron); # destination(df_cron); #}; # daemon.* -/var/log/daemon.log log { source(s_all); filter(f_daemon); destination(df_daemon); }; # kern.* -/var/log/kern.log log { source(s_all); filter(f_kern); destination(df_kern); }; # lpr.* -/var/log/lpr.log log { source(s_all); filter(f_lpr); destination(df_lpr); }; # mail.* -/var/log/mail.log log { source(s_all); filter(f_mail); destination(df_mail); }; # user.* -/var/log/user.log log { source(s_all); filter(f_user); destination(df_user); }; # uucp.* /var/log/uucp.log log { source(s_all); filter(f_uucp); destination(df_uucp); }; # mail.info -/var/log/mail.info log { source(s_all); filter(f_mail); filter(f_at_least_info); destination(df_facility_dot_info); }; # mail.warn -/var/log/mail.warn log { source(s_all); filter(f_mail); filter(f_at_least_warn); destination(df_facility_dot_warn); }; # mail.err /var/log/mail.err log { source(s_all); filter(f_mail); filter(f_at_least_err); destination(df_facility_dot_err); }; # news.crit /var/log/news/news.crit log { source(s_all); filter(f_news); filter(f_at_least_crit); destination(df_news_dot_crit); }; # news.err /var/log/news/news.err log { source(s_all); filter(f_news); filter(f_at_least_err); destination(df_news_dot_err); }; # news.notice /var/log/news/news.notice log { source(s_all); filter(f_news); filter(f_at_least_notice); destination(df_news_dot_notice); }; # *.=debug;\ # auth,authpriv.none;\ # news.none;mail.none -/var/log/debug log { source(s_all); filter(f_debug); destination(df_debug); }; # *.=info;*.=notice;*.=warn;\ # auth,authpriv.none;\ # cron,daemon.none;\ # mail,news.none -/var/log/messages log { source(s_all); filter(f_messages); destination(d_eventdb); }; # *.emerg * log { source(s_all); filter(f_emerg); destination(du_all); }; # daemon.*;mail.*;\ # news.crit;news.err;news.notice;\ # *.=debug;*.=info;\ # *.=notice;*.=warn |/dev/xconsole log { source(s_all); filter(f_xconsole); destination(dp_xconsole); }; #syslog-ng2mysql destinations source src_eventdb { unix-stream("/dev/log"); udp(ip(0.0.0.0) port(514)); }; destination d_eventdb { pipe( "/usr/local/icinga/var/rw/syslog-ng.pipe", template("$HOST\t$SOURCEIP\t$PRI\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n") template_escape(no) ); }; filter f_at_least_warn { # level(warn..emerg); level(notice..emerg); }; log { # source(src_eventdb); filter(f_at_least_warn); # filter(f_syslog); destination(d_eventdb); }; #log { # source(src_eventdb); # filter(f_auth); # destination(d_eventdb); #}; HERE FOR THE BSD/CLIENT SIDE: same here is the default with openbsd syslog-ng install with my additions at the end. cat /etc/syslog-ng.conf # # Syslog-ng example configuration for for Debian GNU/Linux # # Copyright (c) 1999 anonymous # Copyright (c) 1999 Balazs Scheidler # $Id: syslog-ng.conf.sample,v 1.3 2003/05/20 08:57:27 asd Exp $ # # Syslog-ng configuration file, compatible with default Debian syslogd # installation. # options { long_hostnames(off); sync(0); keep_hostname(yes); use_dns(yes); stats (3600); }; #source src { unix-stream("/dev/log"); internal(); }; source src { unix-dgram("/dev/log"); internal(); }; source net { udp(); }; destination authlog { file("/var/log/auth.log"); }; destination syslog { file("/var/log/syslog"); }; destination cron { file("/var/log/cron.log"); }; destination daemon { file("/var/log/daemon.log"); }; destination kern { file("/var/log/kern.log"); }; destination lpr { file("/var/log/lpr.log"); }; destination user { file("/var/log/user.log"); }; destination uucp { file("/var/log/uucp.log"); }; destination ppp { file("/var/log/ppp.log"); }; destination mail { file("/var/log/mail.log"); }; destination mailinfo { file("/var/log/mail.info"); }; destination mailwarn { file("/var/log/mail.warn"); }; destination mailerr { file("/var/log/mail.err"); }; destination newscrit { file("/var/log/news/news.crit"); }; destination newserr { file("/var/log/news/news.err"); }; destination newsnotice { file("/var/log/news/news.notice"); }; destination debug { file("/var/log/debug"); }; destination messages { file("/var/log/messages"); }; destination console { usertty("root"); }; destination console_all { file("/dev/tty12"); }; #destination loghost { udp("loghost" port(999)); }; destination xconsole { pipe("/dev/xconsole"); }; #ssh filter filter f_sshderr { match('^sshd\[[0-9]+\]: error:'); }; filter f_sshd { match('^sshd\[[0-9]+\]:'); }; # filter f_auth { facility(auth); }; filter f_authpriv { facility(auth, authpriv); }; filter f_syslog { not facility(authpriv, mail); }; filter f_cron { facility(cron); }; filter f_daemon { facility(daemon); }; filter f_kern { facility(kern); }; filter f_lpr { facility(lpr); }; filter f_mail { facility(mail); }; filter f_user { facility(user); }; filter f_uucp { facility(cron); }; filter f_ppp { facility(local2); }; filter f_news { facility(news); }; filter f_debug { not facility(auth, authpriv, news, mail); }; filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); }; filter f_emergency { level(emerg); }; filter f_info { level(info); }; filter f_notice { level(notice); }; filter f_warn { level(warn); }; filter f_crit { level(crit); }; filter f_err { level(err); }; log { source(src); filter(f_authpriv); destination(authlog); }; log { source(src); filter(f_syslog); destination(syslog); }; log { source(src); filter(f_cron); destination(cron); }; log { source(src); filter(f_daemon); destination(daemon); }; log { source(src); filter(f_kern); destination(kern); }; log { source(src); filter(f_lpr); destination(lpr); }; log { source(src); filter(f_mail); destination(mail); }; log { source(src); filter(f_user); destination(user); }; log { source(src); filter(f_uucp); destination(uucp); }; log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); }; log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); }; log { source(src); filter(f_mail); filter(f_err); destination(mailerr); }; log { source(src); filter(f_news); filter(f_crit); destination(newscrit); }; log { source(src); filter(f_news); filter(f_err); destination(newserr); }; log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); }; log { source(src); filter(f_debug); destination(debug); }; log { source(src); filter(f_messages); destination(messages); }; log { source(src); filter(f_emergency); destination(console); }; log { source(src); filter(f_ppp); destination(ppp); }; log { source(src); destination(console_all); }; #sent to our central log server running eventdb destination loghost { udp("192.168.xxx.xxx" port(514)); }; log { source(src); filter(f_info); destination(loghost); }; log { source(src); filter(f_syslog); destination(loghost); }; log { source(src); filter(f_authpriv); destination(loghost); }; log { source(src); filter(f_user); destination(loghost); }; log { source(src); filter(f_emergency); destination(loghost); }; log { source(src); filter(f_sshd); destination(loghost); }; log { source(src); filter(f_sshderr); destination(loghost); }; log { source(src); filter(f_kern); destination(loghost); };
In your server config, the only listener you have on udp port 514 is defined in src_eventdb, and all src_eventdb entries are commented out. -Patrick Sent: Mon Sep 19 2011 11:40:15 GMT-0600 (MST) From: rek2 <rek2gnulinux@gmail.com> To: syslog-ng@lists.balabit.hu Subject: [syslog-ng] Problem sending logs to central log server..
Hello, I'm trying to sent all my logs from one openbsd server with syslog-ng to a linux ubuntu central log server also with syslog-ng of course but only the syslog-ng logs are been logged.. also when I do a "logger test" for example it gets log locally but not remotely to the log server... here are my configs:
for the log server is basically the defaul of ubuntu with my addtions at the end.. you will see some commented is me trying to fix this issue.
cat syslog-ng/syslog-ng.conf # # Configuration file for syslog-ng under Debian # # attempts at reproducing default syslog behavior
# the standard syslog levels are (in descending order of priority): # emerg alert crit err warning notice info debug # the aliases "error", "panic", and "warn" are deprecated # the "none" priority found in the original syslogd configuration is # only used in internal messages created by syslogd
###### # options
options { # disable the chained hostname format in logs # (default is enabled) chain_hostnames(0);
# the time to wait before a died connection is re-established # (default is 60) time_reopen(10);
# the time to wait before an idle destination file is closed # (default is 60) time_reap(360);
# the number of lines buffered before written to file # you might want to increase this if your disk isn't catching with # all the log messages you get or if you want less disk activity # (say on a laptop) # (default is 0) #sync(0);
# the number of lines fitting in the output queue log_fifo_size(2048);
# enable or disable directory creation for destination files create_dirs(yes);
# default owner, group, and permissions for log files # (defaults are 0, 0, 0600) #owner(root); group(adm); perm(0640);
# default owner, group, and permissions for created directories # (defaults are 0, 0, 0700) #dir_owner(root); #dir_group(root); dir_perm(0755);
# enable or disable DNS usage # syslog-ng blocks on DNS queries, so enabling DNS may lead to # a Denial of Service attack # (default is yes) use_dns(yes);
# maximum length of message in bytes # this is only limited by the program listening on the /dev/log Unix # socket, glibc can handle arbitrary length log messages, but -- for # example -- syslogd accepts only 1024 bytes # (default is 2048) #log_msg_size(2048);
#Disable statistic log messages. stats_freq(0);
# Some program send log messages through a private implementation. # and sometimes that implementation is bad. If this happen syslog-ng # may recognise the program name as hostname. Whit this option # we tell the syslog-ng that if a hostname match this regexp than that # is not a real hostname. bad_hostname("^gconfd$"); keep_hostname (yes);
};
###### # sources
# all known message sources source s_all { # message generated by Syslog-NG internal(); # standard Linux log source (this is the default place for the syslog() # function to send logs to) unix-stream("/dev/log"); # messages from the kernel file("/proc/kmsg" log_prefix("kernel: ")); # use the following line if you want to receive remote UDP logging messages # (this is equivalent to the "-r" syslogd flag) # udp(); };
###### # destinations
# some standard log files destination df_auth { file("/var/log/auth.log"); }; destination df_syslog { file("/var/log/syslog"); }; destination df_cron { file("/var/log/cron.log"); }; destination df_daemon { file("/var/log/daemon.log"); }; destination df_kern { file("/var/log/kern.log"); }; destination df_lpr { file("/var/log/lpr.log"); }; destination df_mail { file("/var/log/mail.log"); }; destination df_user { file("/var/log/user.log"); }; destination df_uucp { file("/var/log/uucp.log"); };
# these files are meant for the mail system log files # and provide re-usable destinations for {mail,cron,...}.info, # {mail,cron,...}.notice, etc. destination df_facility_dot_info { file("/var/log/$FACILITY.info"); }; destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); }; destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); }; destination df_facility_dot_err { file("/var/log/$FACILITY.err"); }; destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };
# these files are meant for the news system, and are kept separated # because they should be owned by "news" instead of "root" destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); }; destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); }; destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };
# some more classical and useful files found in standard syslog configurations destination df_debug { file("/var/log/debug"); }; destination df_messages { file("/var/log/messages"); };
# pipes # a console to view log messages under X destination dp_xconsole { pipe("/dev/xconsole"); };
# consoles # this will send messages to everyone logged in destination du_all { usertty("*"); };
###### # filters
# all messages from the auth and authpriv facilities filter f_auth { facility(auth, authpriv); };
# all messages except from the auth and authpriv facilities filter f_syslog { not facility(auth, authpriv); };
# respectively: messages from the cron, daemon, kern, lpr, mail, news, user, # and uucp facilities filter f_cron { facility(cron); }; filter f_daemon { facility(daemon); }; filter f_kern { facility(kern); }; filter f_lpr { facility(lpr); }; filter f_mail { facility(mail); }; filter f_news { facility(news); }; filter f_user { facility(user); }; filter f_uucp { facility(uucp); };
# some filters to select messages of priority greater or equal to info, warn, # and err # (equivalents of syslogd's *.info, *.warn, and *.err) filter f_at_least_info { level(info..emerg); }; filter f_at_least_notice { level(notice..emerg); }; filter f_at_least_warn { level(warn..emerg); }; filter f_at_least_err { level(err..emerg); }; filter f_at_least_crit { level(crit..emerg); };
# all messages of priority debug not coming from the auth, authpriv, news, and # mail facilities filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
# all messages of info, notice, or warn priority not coming form the auth, # authpriv, cron, daemon, mail, and news facilities filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news); };
# messages with priority emerg filter f_emerg { level(emerg); };
# complex filter for messages usually sent to the xconsole filter f_xconsole { facility(daemon,mail) or level(debug,info,notice,warn) or (facility(news) and level(crit,err,notice)); };
###### # logs # order matters if you use "flags(final);" to mark the end of processing in a # "log" statement
# these rules provide the same behavior as the commented original syslogd rules
# auth,authpriv.* /var/log/auth.log log { source(s_all); filter(f_auth); destination(df_auth); };
# *.*;auth,authpriv.none -/var/log/syslog log { source(s_all); filter(f_syslog); destination(df_syslog); };
# this is commented out in the default syslog.conf # cron.* /var/log/cron.log #log { # source(s_all); # filter(f_cron); # destination(df_cron); #};
# daemon.* -/var/log/daemon.log log { source(s_all); filter(f_daemon); destination(df_daemon); };
# kern.* -/var/log/kern.log log { source(s_all); filter(f_kern); destination(df_kern); };
# lpr.* -/var/log/lpr.log log { source(s_all); filter(f_lpr); destination(df_lpr); };
# mail.* -/var/log/mail.log log { source(s_all); filter(f_mail); destination(df_mail); };
# user.* -/var/log/user.log log { source(s_all); filter(f_user); destination(df_user); };
# uucp.* /var/log/uucp.log log { source(s_all); filter(f_uucp); destination(df_uucp); };
# mail.info <http://mail.info> -/var/log/mail.info <http://mail.info> log { source(s_all); filter(f_mail); filter(f_at_least_info); destination(df_facility_dot_info); };
# mail.warn -/var/log/mail.warn log { source(s_all); filter(f_mail); filter(f_at_least_warn); destination(df_facility_dot_warn); };
# mail.err /var/log/mail.err log { source(s_all); filter(f_mail); filter(f_at_least_err); destination(df_facility_dot_err); };
# news.crit /var/log/news/news.crit log { source(s_all); filter(f_news); filter(f_at_least_crit); destination(df_news_dot_crit); };
# news.err /var/log/news/news.err log { source(s_all); filter(f_news); filter(f_at_least_err); destination(df_news_dot_err); };
# news.notice /var/log/news/news.notice log { source(s_all); filter(f_news); filter(f_at_least_notice); destination(df_news_dot_notice); };
# *.=debug;\ # auth,authpriv.none;\ # news.none;mail.none -/var/log/debug log { source(s_all); filter(f_debug); destination(df_debug); };
# *.=info;*.=notice;*.=warn;\ # auth,authpriv.none;\ # cron,daemon.none;\ # mail,news.none -/var/log/messages log { source(s_all); filter(f_messages); destination(d_eventdb); };
# *.emerg * log { source(s_all); filter(f_emerg); destination(du_all); };
# daemon.*;mail.*;\ # news.crit;news.err;news.notice;\ # *.=debug;*.=info;\ # *.=notice;*.=warn |/dev/xconsole log { source(s_all); filter(f_xconsole); destination(dp_xconsole); }; #syslog-ng2mysql destinations
source src_eventdb { unix-stream("/dev/log"); udp(ip(0.0.0.0) port(514)); };
destination d_eventdb { pipe( "/usr/local/icinga/var/rw/syslog-ng.pipe",
template("$HOST\t$SOURCEIP\t$PRI\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n") template_escape(no) ); };
filter f_at_least_warn { # level(warn..emerg); level(notice..emerg); };
log { # source(src_eventdb); filter(f_at_least_warn); # filter(f_syslog); destination(d_eventdb); };
#log { # source(src_eventdb); # filter(f_auth); # destination(d_eventdb); #};
HERE FOR THE BSD/CLIENT SIDE: same here is the default with openbsd syslog-ng install with my additions at the end.
cat /etc/syslog-ng.conf # # Syslog-ng example configuration for for Debian GNU/Linux # # Copyright (c) 1999 anonymous # Copyright (c) 1999 Balazs Scheidler # $Id: syslog-ng.conf.sample,v 1.3 2003/05/20 08:57:27 asd Exp $ # # Syslog-ng configuration file, compatible with default Debian syslogd # installation. #
options { long_hostnames(off); sync(0); keep_hostname(yes); use_dns(yes); stats (3600); };
#source src { unix-stream("/dev/log"); internal(); }; source src { unix-dgram("/dev/log"); internal(); }; source net { udp(); };
destination authlog { file("/var/log/auth.log"); }; destination syslog { file("/var/log/syslog"); }; destination cron { file("/var/log/cron.log"); }; destination daemon { file("/var/log/daemon.log"); }; destination kern { file("/var/log/kern.log"); }; destination lpr { file("/var/log/lpr.log"); }; destination user { file("/var/log/user.log"); }; destination uucp { file("/var/log/uucp.log"); }; destination ppp { file("/var/log/ppp.log"); }; destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info <http://mail.info>"); }; destination mailwarn { file("/var/log/mail.warn"); }; destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); }; destination newserr { file("/var/log/news/news.err"); }; destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); }; destination messages { file("/var/log/messages"); }; destination console { usertty("root"); }; destination console_all { file("/dev/tty12"); }; #destination loghost { udp("loghost" port(999)); };
destination xconsole { pipe("/dev/xconsole"); };
#ssh filter filter f_sshderr { match('^sshd\[[0-9]+\]: error:'); }; filter f_sshd { match('^sshd\[[0-9]+\]:'); }; # filter f_auth { facility(auth); }; filter f_authpriv { facility(auth, authpriv); }; filter f_syslog { not facility(authpriv, mail); }; filter f_cron { facility(cron); }; filter f_daemon { facility(daemon); }; filter f_kern { facility(kern); }; filter f_lpr { facility(lpr); }; filter f_mail { facility(mail); }; filter f_user { facility(user); }; filter f_uucp { facility(cron); }; filter f_ppp { facility(local2); }; filter f_news { facility(news); }; filter f_debug { not facility(auth, authpriv, news, mail); }; filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); }; filter f_emergency { level(emerg); };
filter f_info { level(info); }; filter f_notice { level(notice); }; filter f_warn { level(warn); }; filter f_crit { level(crit); }; filter f_err { level(err); };
log { source(src); filter(f_authpriv); destination(authlog); }; log { source(src); filter(f_syslog); destination(syslog); }; log { source(src); filter(f_cron); destination(cron); }; log { source(src); filter(f_daemon); destination(daemon); }; log { source(src); filter(f_kern); destination(kern); }; log { source(src); filter(f_lpr); destination(lpr); }; log { source(src); filter(f_mail); destination(mail); }; log { source(src); filter(f_user); destination(user); }; log { source(src); filter(f_uucp); destination(uucp); }; log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); }; log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); }; log { source(src); filter(f_mail); filter(f_err); destination(mailerr); }; log { source(src); filter(f_news); filter(f_crit); destination(newscrit); }; log { source(src); filter(f_news); filter(f_err); destination(newserr); }; log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); }; log { source(src); filter(f_debug); destination(debug); }; log { source(src); filter(f_messages); destination(messages); }; log { source(src); filter(f_emergency); destination(console); }; log { source(src); filter(f_ppp); destination(ppp); }; log { source(src); destination(console_all); };
#sent to our central log server running eventdb destination loghost { udp("192.168.xxx.xxx" port(514)); }; log { source(src); filter(f_info); destination(loghost); }; log { source(src); filter(f_syslog); destination(loghost); }; log { source(src); filter(f_authpriv); destination(loghost); }; log { source(src); filter(f_user); destination(loghost); }; log { source(src); filter(f_emergency); destination(loghost); }; log { source(src); filter(f_sshd); destination(loghost); }; log { source(src); filter(f_sshderr); destination(loghost); }; log { source(src); filter(f_kern); destination(loghost); };
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
participants (2)
-
Patrick H.
-
rek2