Hello,

I'm configuring a centralized loghost (SLES 10 SP3) based on syslog-ng, for collecting the mail logs of different clients. Several machines which are entitled to log their mail logs on the central loghost (Debian) still use the old syslogd as logger. I configured one of them to send its mail logs to the loghost by putting:

    mail.* @syslogmi01.local

in the /etc/syslog.conf file and restarting the service. Moreover, on the loghost I set:

    source mail_gateway_src { udp(ip("0.0.0.0") port(514)); };
    filter ernesto_mail_f { facility(mail); };
    destination d_ernesto_mail { file("/var/log/ernesto_mail"); };
    log { source(mail_gateway_src); filter(ernesto_mail_f); destination(d_ernesto_mail); };

and restarted it. But no file is created, and so no logs are saved on the loghost. With tcpdump I see that the logs arrive on the loghost, but syslog doesn't want to catch them.

    # tcpdump -vvv host 192.168.252.107 and port 514
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    18:04:57.046952 IP (tos 0x0, ttl 64, id 3157, offset 0, flags [DF], proto: UDP (17), length: 358) 192.168.252.107.syslog > syslogmi01.local.syslog: SYSLOG, length: 330
            Facility mail (2), Severity info (6)
            Msg: postfix/smtpd[30946]: NOQUEUE: reject: RCPT from u[|syslog]
    18:04:57.046962 IP (tos 0x0, ttl 64, id 3158, offset 0, flags [DF], proto: UDP (17), length: 360) 192.168.252.107.syslog > syslogmi01.local.syslog: SYSLOG, length: 332

I saw that the logs coming from the Debian machine (so using syslogd) lack the timestamp and the host name of the host that generates them. Could this be a source of incompatibility between syslogd and syslog-ng? Or is there something I'm doing wrong?

Thanks in advance,
rocsca
Hi,

Try it without using the filter on the logserver, and see if the mail logs are processed by syslog-ng, and what they look like. Maybe it is a parsing issue, or something related to the missing timestamp/host you mentioned.

Regards,
Robert

Rocco Scappatura wrote:
> Hello,
>
> I'm configuring a centralized loghost (SLES 10 SP3) based on syslog-ng, for collecting the mail logs of different clients.
> Several machines which are entitled to log their mail logs on the central loghost (Debian) still use the old syslogd as logger.
> I configured one of them to send its mail logs to the loghost by putting:
>
>     mail.* @syslogmi01.local
>
> in the /etc/syslog.conf file and restarting the service. Moreover, on the loghost I set:
>
>     source mail_gateway_src { udp(ip("0.0.0.0") port(514)); };
>     filter ernesto_mail_f { facility(mail); };
>     destination d_ernesto_mail { file("/var/log/ernesto_mail"); };
>     log { source(mail_gateway_src); filter(ernesto_mail_f); destination(d_ernesto_mail); };
>
> and restarted it.
> But no file is created, and so no logs are saved on the loghost.
> With tcpdump I see that the logs arrive on the loghost, but syslog doesn't want to catch them.
>
>     # tcpdump -vvv host 192.168.252.107 and port 514
>     tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>     18:04:57.046952 IP (tos 0x0, ttl 64, id 3157, offset 0, flags [DF], proto: UDP (17), length: 358) 192.168.252.107.syslog > syslogmi01.local.syslog: SYSLOG, length: 330
>             Facility mail (2), Severity info (6)
>             Msg: postfix/smtpd[30946]: NOQUEUE: reject: RCPT from u[|syslog]
>     18:04:57.046962 IP (tos 0x0, ttl 64, id 3158, offset 0, flags [DF], proto: UDP (17), length: 360) 192.168.252.107.syslog > syslogmi01.local.syslog: SYSLOG, length: 332
>
> I saw that the logs coming from the Debian machine (so using syslogd) lack the timestamp and the host name of the host that generates them. Could this be a source of incompatibility between syslogd and syslog-ng? Or is there something I'm doing wrong?
>
> Thanks in advance,
> rocsca
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
Hello,

> Try it without using the filter on the logserver, and see if the mail logs are processed by syslog-ng, and what they look like. Maybe it is a parsing issue, or something related to the missing timestamp/host you mentioned.

I have disabled the filter, but nothing interesting happens. I always see the UDP packets for port 514 arriving from the mail server, but it seems that they are not treated by the loghost.

I have already turned off the firewall..

OOPS.. I have found something in /var/log/messages...

    Dec 10 09:42:23 syslogmi01 syslog-ng[13788]: Changing permissions on special file /dev/xconsole
    Dec 10 09:42:23 syslogmi01 syslog-ng[13788]: Changing permissions on special file /dev/tty10
    Dec 10 09:42:23 syslogmi01 syslog-ng[13788]: Cannot open file /data/tmp-backup/ernesto_mail for writing (Permission denied)

but:

    syslogmi01:~ # ls -la /data/
    total 8
    drwxr-xr-x  3 root root 4096 Dec  2 17:05 .
    drwxr-xr-x 21 root root 4096 Dec  2 17:05 ..
    drwxr-xr-x  2 root root   80 Dec 10 09:46 tmp-backup

and

    syslogmi01:~ # mount
    ..
    192.168.252.180:/fs_repository_unico_logs_nfs/syslogmi01 on /data/tmp-backup type nfs (rw,addr=192.168.252.180)
    ..

Why can't it create the log file?

rocsca
I have changed the destination (it sits on a local file system) and syslog-ng is able to write logs into the destination file. But when the file is located on an NFS share, syslog is unable to write into the destination.

I have a similar platform using syslog-ng-1.6.8-20.4 and I have no such problem, while the syslog-ng version on which I'm encountering the problem is syslog-ng-1.6.8-20.18. Could it be due to the version?

I need a hint!

Thanks,
rocsca
Unix/Linux by default does not allow root write permissions to NFS mounted shares.
I suspect this may be the problem.
I would change the user:group that syslog-ng uses to write the data (if you *really* need to write to an NFS mount in the first place).

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Rocco Scappatura
Sent: Thursday, December 10, 2009 5:01 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslogd and syslog-ng

> Hello,
> > Try it without using the filter on the logserver, and see if the mail logs are processed by syslog-ng, and what they look like. Maybe it is a parsing issue, or something related to the missing timestamp/host you mentioned.
>
> I have disabled the filter, but nothing interesting happens. I always see the UDP packets for port 514 arriving from the mail server, but it seems that they are not treated by the loghost.
> I have already turned off the firewall..
> OOPS.. I have found something in /var/log/messages...
>
>     Dec 10 09:42:23 syslogmi01 syslog-ng[13788]: Changing permissions on special file /dev/xconsole
>     Dec 10 09:42:23 syslogmi01 syslog-ng[13788]: Changing permissions on special file /dev/tty10
>     Dec 10 09:42:23 syslogmi01 syslog-ng[13788]: Cannot open file /data/tmp-backup/ernesto_mail for writing (Permission denied)
>
> but:
>
>     syslogmi01:~ # ls -la /data/
>     total 8
>     drwxr-xr-x  3 root root 4096 Dec  2 17:05 .
>     drwxr-xr-x 21 root root 4096 Dec  2 17:05 ..
>     drwxr-xr-x  2 root root   80 Dec 10 09:46 tmp-backup
>
> and
>
>     syslogmi01:~ # mount
>     ..
>     192.168.252.180:/fs_repository_unico_logs_nfs/syslogmi01 on /data/tmp-backup type nfs (rw,addr=192.168.252.180)
>     ..
>
> Why can't it create the log file?
>
> I have changed the destination (it sits on a local file system) and syslog-ng is able to write logs into the destination file. But when the file is located on an NFS share, syslog is unable to write into the destination.
>
> I have a similar platform using syslog-ng-1.6.8-20.4 and I have no such problem, while the syslog-ng version on which I'm encountering the problem is syslog-ng-1.6.8-20.18. Could it be due to the version?
>
> I need a hint!
>
> Thanks,
> rocsca
Hello,

> Unix/Linux by default does not allow root write permissions to NFS mounted shares.
> I suspect this may be the problem.
> I would change the user:group that syslog-ng uses to write the data (if you *really* need to write to an NFS mount in the first place)

Thanks for your answer. I sincerely hope that it is just as you have stated.

How can I change user:group as you mentioned above? Why do you say '*really*'?

Thanks,
rocsca
The syslog-ng.conf specifies the user:group used for each destination (as well as permissions). Here is a quick example, but the manual is pretty comprehensive:

    #!# the main destination directory tree
    destination d_separatedbyhosts {
        file("/logs/syslog-ng/$HOST_FROM/$YEAR/$MONTH/$FACILITY.$PRIORITY.$YEAR.$MONTH.$DAY"
             owner("root") group("syslogng") perm(0640)
             dir_perm(0750) dir_group("syslogng") create_dirs(yes));
    };

The user and group used is entirely up to you based on how you want to grant access to these logs.

My NFS comment is simply that if this is a central log server, I question why you would be using NFS mounted storage as opposed to local (direct attach or SAN) storage - but that is entirely up to you.

Jim

---- Rocco Scappatura <Rocco.Scappatura@infracom.it> wrote:
> Hello,
>
> > Unix/Linux by default does not allow root write permissions to NFS mounted shares.
> > I suspect this may be the problem.
> > I would change the user:group that syslog-ng uses to write the data (if you *really* need to write to an NFS mount in the first place)
>
> Thanks for your answer. I sincerely hope that it is just as you have stated.
>
> How can I change user:group as you mentioned above? Why do you say '*really*'?
>
> Thanks,
> rocsca
Hello Jim,

> The syslog-ng.conf specifies the user:group used for each destination (as well as permissions). Here is a quick example, but the manual is pretty comprehensive:
>
>     #!# the main destination directory tree
>     destination d_separatedbyhosts {
>         file("/logs/syslog-ng/$HOST_FROM/$YEAR/$MONTH/$FACILITY.$PRIORITY.$YEAR.$MONTH.$DAY"
>              owner("root") group("syslogng") perm(0640)
>              dir_perm(0750) dir_group("syslogng") create_dirs(yes));
>     };
>
> The user and group used is entirely up to you based on how you want to grant access to these logs.

These settings don't work anyway. Indeed, I discovered that it is not a matter of local or non-local file system. In fact, unmounting the NFS file system from '/data/tmp-backup', I saw that the log isn't written anyway (even if the permissions are properly set on the /data dir).

I have solved it (but I can't really figure out the cause - maybe it is the case to ask Novell support) by mounting the NFS file system under '/var/log/tmp-backup'.

It is really strange for me, but I can only guess that some paths are 'protected' by the OS.

If someone knows something more about this strange behavior I will be happy to get this information.

> My NFS comment is simply that if this is a central log server, I question why you would be using NFS mounted storage as opposed to local (direct attach or SAN) storage - but that is entirely up to you.

You are right, but I need to take the file on a NAS server and I have no possibility to link it directly to the log host.

Thanks,
rocsca
OK - if you can - take a look at the NAS server's export settings - it may have the ability to export root=<your server> or possibly no_root_squash (the options depend on the NFS server).

Anyway - glad you have it working.

Jim

-----Original Message-----
From: Rocco Scappatura [mailto:Rocco.Scappatura@infracom.it]
Sent: Thursday, December 10, 2009 12:52 PM
To: jrhendri@maine.rr.com; Syslog-ng users' and developers' mailing list
Subject: RE: [syslog-ng] Syslogd and syslog-ng

> Hello Jim,
> > The syslog-ng.conf specifies the user:group used for each destination (as well as permissions). Here is a quick example, but the manual is pretty comprehensive:
> >
> >     #!# the main destination directory tree
> >     destination d_separatedbyhosts {
> >         file("/logs/syslog-ng/$HOST_FROM/$YEAR/$MONTH/$FACILITY.$PRIORITY.$YEAR.$MONTH.$DAY"
> >              owner("root") group("syslogng") perm(0640)
> >              dir_perm(0750) dir_group("syslogng") create_dirs(yes));
> >     };
> >
> > The user and group used is entirely up to you based on how you want to grant access to these logs.
>
> These settings don't work anyway. Indeed, I discovered that it is not a matter of local or non-local file system. In fact, unmounting the NFS file system from '/data/tmp-backup', I saw that the log isn't written anyway (even if the permissions are properly set on the /data dir).
>
> I have solved it (but I can't really figure out the cause - maybe it is the case to ask Novell support) by mounting the NFS file system under '/var/log/tmp-backup'.
>
> It is really strange for me, but I can only guess that some paths are 'protected' by the OS.
>
> If someone knows something more about this strange behavior I will be happy to get this information.
>
> > My NFS comment is simply that if this is a central log server, I question why you would be using NFS mounted storage as opposed to local (direct attach or SAN) storage - but that is entirely up to you.
>
> You are right, but I need to take the file on a NAS server and I have no possibility to link it directly to the log host.
>
> Thanks,
> rocsca
Hi,

> Indeed, I discovered that it is not a matter of local or non-local file system. In fact, unmounting the NFS file system from '/data/tmp-backup', I saw that the log isn't written anyway (even if the permissions are properly set on the /data dir).
>
> I have solved it (but I can't really figure out the cause - maybe it is the case to ask Novell support) by mounting the NFS file system under '/var/log/tmp-backup'.
>
> It is really strange for me, but I can only guess that some paths are 'protected' by the OS.
>
> If someone knows something more about this strange behavior I will be happy to get this information.

AppArmor being active causes such issues.

Regards,
Sandor
Hello Sandor!!

> > Indeed, I discovered that it is not a matter of local or non-local file system. In fact, unmounting the NFS file system from '/data/tmp-backup', I saw that the log isn't written anyway (even if the permissions are properly set on the /data dir).
> >
> > I have solved it (but I can't really figure out the cause - maybe it is the case to ask Novell support) by mounting the NFS file system under '/var/log/tmp-backup'.
> >
> > It is really strange for me, but I can only guess that some paths are 'protected' by the OS.
> >
> > If someone knows something more about this strange behavior I will be happy to get this information.
>
> AppArmor being active causes such issues.

Simply great! Now I have really solved the mistake!

Thanks again to all!

rocsca
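The two causes raised in this thread, root being squashed on an NFS export (Jim's point) and an AppArmor profile confining syslog-ng to a fixed set of paths (Sandor's point), leave different traces on the loghost, and telling them apart saves a round of guessing. The script below is an added example, not code from the thread or from the syslog-ng project. It reads syslog-ng's own "Cannot open file ... for writing" lines from /var/log/messages, kernel AppArmor messages from dmesg, and the `mount` table, and gives one verdict per failed destination. All sample lines are constructed here and modelled on the output quoted in the thread; the two AppArmor message formats (the older "REJECTING ... access to" wording of the SLES 10 era and the newer `apparmor="DENIED"` wording) are my assumptions about what the kernel prints, not something the thread shows.

```python
"""Classify syslog-ng 'Cannot open file ... for writing' failures.

For each destination path syslog-ng could not open, decide whether the write
was blocked by an AppArmor profile (definitive: the kernel logged a denial),
lives on an NFS mount (root_squash on the server is then the usual cause), or
is a plain local permission problem.
"""
import re
from typing import Dict, List, Optional, Tuple

# --- constructed sample input (not from the thread; modelled on its output) ---
SYSLOG_NG_MESSAGES = [
    "Dec 10 09:42:23 syslogmi01 syslog-ng[13788]: Changing permissions on special file /dev/xconsole",
    "Dec 10 09:42:23 syslogmi01 syslog-ng[13788]: Cannot open file /data/tmp-backup/ernesto_mail for writing (Permission denied)",
    "Dec 10 09:42:24 syslogmi01 syslog-ng[13788]: Cannot open file /srv/nfs-logs/mail.log for writing (Permission denied)",
    "Dec 10 09:42:24 syslogmi01 syslog-ng[13788]: Cannot open file /var/log/ernesto_mail for writing (Permission denied)",
    "Dec 10 09:42:25 syslogmi01 syslog-ng[13788]: Cannot open file /opt/logs/audit.log for writing (Permission denied)",
]
KERNEL_MESSAGES = [
    # older AppArmor wording (assumed format, constructed line)
    "audit(1260434543.123:45): REJECTING w access to /data/tmp-backup/ernesto_mail (syslog-ng(13788) profile /sbin/syslog-ng active /sbin/syslog-ng)",
    # newer AppArmor wording (assumed format, constructed line)
    'audit: type=1400 audit(1260434545.000:46): apparmor="DENIED" operation="open" profile="/sbin/syslog-ng" name="/opt/logs/audit.log" pid=13788 comm="syslog-ng" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0',
]
MOUNT_TABLE = [
    "/dev/sda2 on / type ext3 (rw,acl,user_xattr)",
    "192.168.252.180:/fs_repository_unico_logs_nfs/syslogmi01 on /data/tmp-backup type nfs (rw,addr=192.168.252.180)",
    "192.168.252.180:/fs_repository_unico_logs_nfs/mail on /srv/nfs-logs type nfs (rw,addr=192.168.252.180)",
    "/dev/sda3 on /opt type ext3 (rw)",
]

OPEN_FAIL_RE = re.compile(r"syslog-ng\[\d+\]: Cannot open file (\S+) for writing \(([^)]+)\)")
AA_OLD_RE = re.compile(r"REJECTING \S+ access to (\S+) \(\S+\(\d+\) profile (\S+) active")
AA_NEW_RE = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)"')
MOUNT_RE = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)$")


def failed_destinations(lines: List[str]) -> Dict[str, str]:
    """Map each destination path syslog-ng could not open to the errno text."""
    found = {}
    for line in lines:
        m = OPEN_FAIL_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def apparmor_denials(lines: List[str]) -> Dict[str, str]:
    """Map each path AppArmor refused to the confining profile name."""
    denied = {}
    for line in lines:
        m = AA_OLD_RE.search(line)
        if m:
            denied[m.group(1)] = m.group(2)
            continue
        m = AA_NEW_RE.search(line)
        if m:
            denied[m.group(2)] = m.group(1)
    return denied


def parse_mounts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (mountpoint, fstype, options) triples from `mount` output."""
    mounts = []
    for line in lines:
        m = MOUNT_RE.match(line.strip())
        if m:
            mounts.append((m.group(2), m.group(3), m.group(4)))
    return mounts


def mount_for(path: str, mounts: List[Tuple[str, str, str]]) -> Optional[Tuple[str, str, str]]:
    """Longest mountpoint that is a prefix of path, i.e. the filesystem it lives on."""
    best = None
    for mp, fstype, opts in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype, opts)
    return best


def diagnose(syslog_lines: List[str], kernel_lines: List[str], mount_lines: List[str]) -> Dict[str, str]:
    """One verdict per failed destination path; an AppArmor denial wins over the mount check."""
    denials = apparmor_denials(kernel_lines)
    mounts = parse_mounts(mount_lines)
    verdicts = {}
    for path, errno_text in failed_destinations(syslog_lines).items():
        if path in denials:
            verdicts[path] = "apparmor: denied by profile " + denials[path]
            continue
        mnt = mount_for(path, mounts)
        if mnt and mnt[1].startswith("nfs"):
            verdicts[path] = "nfs: mounted at %s, root is probably squashed on the server" % mnt[0]
        else:
            verdicts[path] = "local: %s, check directory owner and mode" % errno_text
    return verdicts


if __name__ == "__main__":
    for path, verdict in diagnose(SYSLOG_NG_MESSAGES, KERNEL_MESSAGES, MOUNT_TABLE).items():
        print(path, "->", verdict)
```

On a real loghost you would feed it `grep syslog-ng /var/log/messages`, `dmesg` and `mount`. The AppArmor verdict is the one to act on first, since no change of owner(), group() or export options helps while the profile forbids the path; the NFS verdict points at the server-side root squash Jim described, and the local verdict is an ordinary ownership or mode problem on the directory.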
participants (5)
- Jim Hendrick
- jrhendri@maine.rr.com
- Robert Fekete
- Rocco Scappatura
- Sandor Geller