Send a specific log by email

From: syslog-ng-bounces@lists.balabit.hu on behalf of Reaky Rok Sent: Tue 30-6-2009 11:20 To: syslog-ng@lists.balabit.hu Subject: [syslog-ng] Send a specific log by email

Hi friends,

I have syslog-ng installed on a RHEL5 server. I made it the central log server for all servers in my network, filtered by IP. Now what I want to do is make it send me an email for a specific log from one of my servers. In other words, when any log is sent from this IP (192.168.1.1, for example), to send me an email with this new log value to myemail@mydomain.com.

The following is the part of the configuration in my syslog-ng.conf that relates to remote servers.

=============================================
source s_remote { tcp(ip(0.0.0.0) port(514)); udp(ip(0.0.0.0) port(514)); };
destination d_separatedbyhosts { file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
log { source(s_remote); destination(d_separatedbyhosts); };
===============================================

Thanks
Best Regards
Reaky

Date: Tue, 30 Jun 2009 19:04:55 +0200 From: Siem.Korteweg@qnh.nl To: syslog-ng@lists.balabit.hu Subject: RE: [syslog-ng] Send a specific log by email

Hi Reaky,

define a new source with your specific IP and define a destination using "program" instead of "file" (http://www.campin.net/newlogcheck.html "Email certain logs"). Finally you combine both in a new log-definition.

regards,
Siem Korteweg
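
From: syslog-ng-bounces@lists.balabit.hu on behalf of Reaky Rok Sent: Wed 1-7-2009 14:21 To: syslog-ng@lists.balabit.hu Subject: Re: [syslog-ng] Send a specific log by email

This is great, but what about the Perl script? Could you please provide an example for it, as I'm not good at programming.

Thanks for your help
Best Regards
Bassam Muhammad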

Date: Wed, 1 Jul 2009 14:26:18 +0200 From: Siem.Korteweg@qnh.nl To: syslog-ng@lists.balabit.hu Subject: RE: [syslog-ng] Send a specific log by email

Hi,

the example script is in the same section of the page. Store it in the path of your destination -> program. Edit it and change the contents of the variable $TO to indicate the destination and check whether your system knows /usr/sbin/sendmail.

regards,
Siem Korteweg
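
From: reakyrok@hotmail.com To: syslog-ng@lists.balabit.hu Date: Wed, 1 Jul 2009 15:49:42 +0300 Subject: Re: [syslog-ng] Send a specific log by email

Ohh, sorry, I didn't note it. Thanks so much, dear friend.

Best Regards
Bassam Muhammad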

From: syslog-ng-bounces@lists.balabit.hu on behalf of Reaky Rok Sent: Wed 1-7-2009 15:27 To: syslog-ng@lists.balabit.hu Subject: Re: [syslog-ng] Send a specific log by email

But I think, as per the example, syslog will only send the log if it matches a specific string like (attackalert) in the example. But I want it to send all new logs from this IP as they come in, without matching a specific string or word. Can you help with this?

Date: Wed, 1 Jul 2009 15:41:59 +0200 From: Siem.Korteweg@qnh.nl To: syslog-ng@lists.balabit.hu Subject: RE: [syslog-ng] Send a specific log by email

I guess that removing the filter statement (and restarting syslog-ng) is sufficient.

regards,
Siem Korteweg

From: syslog-ng-bounces@lists.balabit.hu on behalf of Reaky Rok Sent: Thu 2-7-2009 10:13 To: syslog-ng@lists.balabit.hu Subject: Re: [syslog-ng] Send a specific log by email

Dear,

I still have a problem. The following is the part of my configuration file that relates to remote IPs:

======================================================================================
======================================================================================
# Remote logging
source s_remote { tcp(ip(0.0.0.0) port(514)); udp(ip(0.0.0.0) port(514)); };
destination d_separatedbyhosts { file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
log { source(s_remote); destination(d_separatedbyhosts); };
#==============================================================
#Filtration for SME Alerts
source s_remote { tcp(ip(163.121.189.131) port(514)); udp(ip(163.121.189.131) port(514)); };
destination syslogmail { program("/usr/local/bin/syslog-mail-perl"); };
log { source(r_remote); destination(syslogmail); };
#======================================================================================
#======================================================================================

The first part is the original for all remote IPs and it's working well. The second is the part for the IP that I want to filter. When I restart, it gives me the following error:

WARNING: file source: default value of follow_freq in file sources is changing in 3.0 to '1' for all files except /proc/kmsg;
Error in configuration, unresolved source reference; source='r_remote'

Could you please help me with that?
Thanks

Date: Thu, 2 Jul 2009 10:19:40 +0200 From: Siem.Korteweg@qnh.nl To: syslog-ng@lists.balabit.hu Subject: RE: [syslog-ng] Send a specific log by email

Correct the name of the source in the log-statement. You defined source s_remote and used r_remote in the log definition.

regards,
Siem Korteweg

On Thu, 2009-07-02 at 11:34 +0300, Reaky Rok wrote:

I modified it and it gave me the following result after restarting:

Error binding socket; addr='AF_INET(163.121.189.131:514)', error='Cannot assign requested address (99)'
Error initializing source driver; source='s_remote', id='s_remote#0'
Error initializing message pipeline; [FAILED]

Is it possible that this is because I used the same source name in the first part of the configuration?
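
From: bazsi@balabit.hu To: syslog-ng@lists.balabit.hu Date: Fri, 3 Jul 2009 15:57:08 +0200 Subject: Re: [syslog-ng] Send a specific log by email

Is 163.121.189.131 a local IP address? The ip() option of source drivers specifies the bind address, not the address to accept messages from.

-- Bazsi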

2009/7/4 Reaky Rok <reakyrok@hotmail.com>:

Dear,

What do you mean by local IP? Do you mean it's in the same subnet? Anyway, it's a routed IP, not in the same subnet as the syslog server. But anyway, what is the right option to filter the requests from this IP only?

On Sat, Jul 4, 2009 at 12:48 PM, Sandor Geller <sandorg@morganstanley.com> wrote:

Hi,

Local means that the host syslog-ng is running on has the IP address configured on one of the network interfaces. Apps can bind only to 0.0.0.0 or to local IP addresses, not to remote addresses. I think you're after filtering based on the remote host's IP address, not binding to the IP address.

Regards,
Sandor

Date: Sat, 4 Jul 2009 13:02:37 +0200 From: Sandor.Geller@morganstanley.com To: syslog-ng@lists.balabit.hu Subject: Re: [syslog-ng] Send a specific log by email

...and to provide actual help: use filters based on hostname or the IP address

filter f_myhostname {
    host("^myhostname$"); # this is a regexp, not a simple string
};

filter f_myipaddress {
    netmask("127.0.0.1/32");
};

later in your log definitions just use the filters:

log {
    source(...);
    filter(...);
    destination(...);
    flags(final); # so the logs won't get processed by further log definitions
};

In the admin guide you can find more details about the configuration possibilities.

hth,
Sandor

Dear,

I don't know if the problem is with me or what :) As I understood, you sent me configuration related to which interface I'll use to receive logs, but this is not the problem. The problem is that when I receive logs from the remote server whose IP is 163.121.189.131, I want to send the logs of this server to my email. I'm sorry if I used a configuration in the wrong way that made you not understand me.

Anyway, I'm now trying some kind of solution; I don't know if it can be a way to do what I want or not. I did the following:

========================================================================================
source sme {file (/var/log/syslog-ng/servers/163.121.189.131/local7.log); };
destination maillog { program ("/usr/local/bin/syslog-mail-perl" ); };
log {source(sme); destination(maillog); };
========================================================================================

As you see, I try to make the source the file that contains the logs of the remote server 163.121.189.131, and try to send it to a script that mails it to me. But when I try, nothing happens.

I'll attach the full configuration file and the mail script for you; I made it send to root, for example. First, the configuration file:

=================================================================
# configuration file for syslog-ng, customized for remote logging
#
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };

# Remote logging
source s_remote { tcp(ip(0.0.0.0) port(514)); udp(ip(0.0.0.0) port(514)); };
destination d_separatedbyhosts { file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
log { source(s_remote); destination(d_separatedbyhosts); };

# This is the new part that I did
source sme {file (/var/log/syslog-ng/servers/172.31.250.68/local7.log); };
destination maillog { program ("/usr/local/bin/syslog-mail-perl" ); };
log {source(sme); destination(maillog); };

options {
    # Number of syslog lines stored in memory before being written to files
    flush_lines (0);
    # Syslog-ng uses queues
    log_fifo_size (1000);
    # Create log directories as needed
    create_dirs (yes);
    # Make the group "logs" own the log files and directories
    group (logs);
    dir_group (logs);
    # Set the file and directory permissions
    perm (0640);
    dir_perm (0750);
    # Check client hostnames for valid DNS characters
    check_hostname (yes);
    # Specify whether to trust hostname in the log message.
    # If "yes", then it is left unchanged, if "no" the server replaces
    # it with client's DNS lookup value.
    keep_hostname (yes);
    # Use DNS fully qualified domain names (FQDN)
    # for the names of log file folders
    use_fqdn (yes);
    use_dns (yes);
    # Cache DNS entries for up to 1000 hosts for 12 hours
    dns_cache (yes);
    dns_cache_size (1000);
    dns_cache_expire (43200);
};

# Define all the source
source s_localhost {
    pipe ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
};
# Define the destination "d_localhost" log directory
destination d_localhost { file ("/var/log/syslog-ng/localhost/$FACILITY.log"); };
#================================
#================================
# Define all the sources of network generated syslog
# messages and label it "d_network"
source s_network { tcp(max-connections(5000)); udp(); };
# Define the destination "d_network" log directory
destination d_network { file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log"); };
#=======================
#=======================
# Any logs that match the "s_localhost" source should be logged
# in the "d_localhost" directory
log { source(s_localhost); destination(d_localhost); };
#=======================
===========================================================================

and the following is the mail script

++++++++++++++++++++++++++++++++++++++++=====
#!/usr/bin/perl -n
# thanks to Brian Dowling for an example with security in mind.
# -n: the body runs once per input line, with the line in $_
$TO = 'root';
$FROM = $TO;
# strip a leading <N> or <NN> priority value
s/^<\d{1,2}>//;
open(MAIL, "|/usr/sbin/sendmail -t");
print MAIL <<"EOT";
To: $TO
From: $FROM
Subject: SME Log Alert: $_

$_
EOT
close(MAIL);
+++++++++++++++++++++++++++++++++++++++++++++++

Thanks for your patience and help
Reaky
Date: Sat, 4 Jul 2009 13:02:37 +0200 From: Sandor.Geller@morganstanley.com To: syslog-ng@lists.balabit.hu Subject: Re: [syslog-ng] Send a specific log by email
...and to provide actual help: use filters based on hostname or the IP address
filter f_myhostname {
    host("^myhostname$"); # this is a regexp, not a simple string
};

filter f_myipaddress {
    netmask("127.0.0.1/32");
};
later in your log definitions just use the filters:
log {
    source(...);
    filter(...);
    destination(...);
    flags(final); # so the logs won't get processed by further log definitions
};
In the admin guide you can find more details about the configuration possibilities.
hth,
Sandor
On Sat, Jul 4, 2009 at 12:48 PM, Sandor Geller<sandorg@morganstanley.com> wrote:
Hi,
Local means that the host syslog-ng is running on has the IP address configured on one of the network interfaces. Apps can bind only to 0.0.0.0 or to local IP addresses, not to remote addresses. I think you're after filtering based on the remote host's IP address, not binding to the IP address.
Regards,
Sandor
2009/7/4 Reaky Rok <reakyrok@hotmail.com>:
Dear, what do you mean by local IP? Do you mean it's in the same subnet? Anyway, it's a routed IP, not in the same subnet as the syslog server. But anyway, what is the right option to filter the requests from this IP only?
From: bazsi@balabit.hu To: syslog-ng@lists.balabit.hu Date: Fri, 3 Jul 2009 15:57:08 +0200 Subject: Re: [syslog-ng] Send a specific log by email
On Thu, 2009-07-02 at 11:34 +0300, Reaky Rok wrote:
I modified it and it gave me the following result after restarting:
Error binding socket; addr='AF_INET(163.121.189.131:514)', error='Cannot assign requested address (99)'
Error initializing source driver; source='s_remote', id='s_remote#0'
Error initializing message pipeline; [FAILED]
Is it possible that this is because I used the same source name in the first part of the configuration?
Is 163.121.189.131 a local IP address? The ip() option of source drivers specifies the bind address, not the address to accept messages from.
-- Bazsi
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
Ok, this worked successfully now. Thanks for help.
From: reakyrok@hotmail.com To: syslog-ng@lists.balabit.hu Date: Sun, 5 Jul 2009 23:38:04 +0300 Subject: Re: [syslog-ng] Send a specific log by email
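The approach the replies in this thread point to, put together as an added example (it is not taken from any message in the thread): the listener stays bound to 0.0.0.0, a netmask() filter selects the sender, and program() hands matching lines to the mail script. The names f_sme and d_maillog are hypothetical; the source, file destination, IP address and script path are the ones quoted in the thread.

```conf
# Listener: ip() is the local bind address, so it stays 0.0.0.0.
# Putting the remote address here is what produced
# "Cannot assign requested address (99)" earlier in the thread.
source s_remote {
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};

# Existing per-host file logging, unchanged.
destination d_separatedbyhosts {
    file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
log { source(s_remote); destination(d_separatedbyhosts); };

# Hypothetical filter name. netmask() matches the address the message
# arrived from, while host() matches the hostname field, which the
# sender controls when keep_hostname(yes) is set. Over UDP the source
# address itself can be forged, so treat the mail as a notification,
# not as proof of origin.
filter f_sme { netmask("163.121.189.131/32"); };

# Hypothetical destination name. syslog-ng starts the program once and
# writes each matching message to its standard input, one per line.
destination d_maillog { program("/usr/local/bin/syslog-mail-perl"); };

# Second log path on the same network source. flags(final) is left out
# here so the per-host file above is written whatever the order of the
# two log statements.
log { source(s_remote); filter(f_sme); destination(d_maillog); };
```

With this in place the file() source that re-read local7.log is no longer needed. The script sends one mail per message, so a noisy host produces a mail for every line it logs.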
participants (4)
- Balazs Scheidler
- Reaky Rok
- Sandor Geller
- Siem Korteweg