My syslog-ng is now running. However, I cannot get the client to forward its messages to the server. To be certain, I have disabled my firewall, on both the client and server side, but still get the below errors in /var/adm/messages. The client is logging normally in /var/adm/messages.

Aug 29 14:54:33 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
Aug 29 14:54:43 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
Aug 29 14:54:53 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
Aug 29 14:54:59 client1 syslog-ng[18639]: Log statistics; dropped='tcp(AF_INET(w.x.y.z:5140))=0', processed='center(queued)=8844', processed='center(received)=4424', processed='destination(messages)=4420', processed='destination(loghost)=4420', processed='destination(syslog)=4', processed='source(src)=4424'
Aug 29 14:55:03 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'

I have "destination loghost { tcp("w.x.y.z" port(5140)); };" in my syslog-ng.conf on the client1. Here's my complete syslog-ng.conf file on the client1 side.

options { long_hostnames(off); log_msg_size(8192); sync(1); log_fifo_size(2048); bad_hostname("^(ctld.|cmd|tmd|last)$"); time_reopen(10); };
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
destination syslog { file("/var/log/syslog"); };
destination messages { file("/var/adm/messages"); };
destination loghost { tcp("w.x.y.z" port(5140)); };
filter f_mail { facility(mail); };
filter f_not_mail { not facility(mail); };
log { source(src); filter(f_mail); destination(syslog); };
log { source(src); filter(f_not_mail); destination(messages); };

Any help/pointer is greatly appreciated. Thank you.
On 8/29/07, mailing list <sunlist@yahoo.com> wrote:
My syslog-ng is now running. However, I cannot get the client to forward its messages to the server. To be certain, I have disabled my firewall, on both the client and server side, but still get the below errors in /var/adm/messages. The client is logging normally in /var/adm/messages.
Aug 29 14:54:33 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
Aug 29 14:54:43 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
Aug 29 14:54:53 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
Aug 29 14:54:59 client1 syslog-ng[18639]: Log statistics; dropped='tcp(AF_INET(w.x.y.z:5140))=0', processed='center(queued)=8844', processed='center(received)=4424', processed='destination(messages)=4420', processed='destination(loghost)=4420', processed='destination(syslog)=4', processed='source(src)=4424'
Aug 29 14:55:03 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
I have "destination loghost { tcp("w.x.y.z" port(5140)); };" in my syslog-ng.conf on the client1. Here's my complete syslog-ng.conf file on the client1 side.
options { long_hostnames(off); log_msg_size(8192); sync(1); log_fifo_size(2048); bad_hostname("^(ctld.|cmd|tmd|last)$"); time_reopen(10); };
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
destination syslog { file("/var/log/syslog"); }; destination messages { file("/var/adm/messages"); }; destination loghost { tcp("w.x.y.z" port(5140)); };
filter f_mail { facility(mail); }; filter f_not_mail { not facility(mail); };
log { source(src); filter(f_mail); destination(syslog); }; log { source(src); filter(f_not_mail); destination(messages); };
Any help/pointer is greatly appreciated. Thank you.
looks like you have not configured a source listening on the ip w.x.y.z and port 5140 on the server which should receive the syslog messages .... and of course you are only using w.x.y.z and not a valid ip address do not reveal the ip to us ;-)
in the server's syslog-ng config you have to configure:
source loghost { tcp( ip(w.x.y.z) port(5140)); };
... don't hesitate to read the manual ... it's good ;-)
But I do have the "source loghost..." on the server side, not on the client side. Here's my syslog-ng.conf on the server side (server1). I read the manual but I'm not comprehending some of the explanations :-) I read the "Configuring syslog-ng client" but it gives a list of "to do" rather than "how to."

syslog-ng 2.0.4, Solaris 10, client side is running MP (multi-path, and I'm not sure if MP causes any problem?)

SERVER SIDE
#####################################################################
options { long_hostnames(off); log_msg_size(8192); sync(1); log_fifo_size(2048); bad_hostname("^(ctld.|cmd|tmd|last)$"); time_reopen(10); };
#####################################################################
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
source loghost { tcp(ip(192.168.1.11) port(5140)); };
source s_tcp { tcp(port(5140) keep-alive(yes) max_connections(100)); };
destination syslog { file("/var/log/syslog"); };
destination mail { file("/var/log/syslog"); };
destination messages { file("/var/adm/messages"); };
filter f_mail { facility(mail); };
filter f_not_mail { not facility(mail); };
# log { source(loghost); };
log { source(src); filter(f_mail); destination(syslog); };
log { source(src); filter(f_not_mail); destination(messages); };

CLIENT SIDE
#####################################################################
options { long_hostnames(off); log_msg_size(8192); sync(1); log_fifo_size(2048); bad_hostname("^(ctld.|cmd|tmd|last)$"); time_reopen(10); };
#####################################################################
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
destination syslog { file("/var/log/syslog"); };
# destination mail { file("/var/log/syslog"); };
destination messages { file("/var/adm/messages"); };
destination loghost { tcp("192.168.1.11" port(5140)); };
filter f_mail { facility(mail); };
filter f_not_mail { not facility(mail); };
# log { source(loghost); };
log { source(src); filter(f_mail); destination(syslog); };
log { source(src); filter(f_not_mail); destination(messages); };
source s_localhost { tcp(ip(127.0.0.1) port(5140) ); };
log { source(s_localhost); destination(loghost); };
Hello,
But I do have the "source loghost..." on the server side, not on the client side. Here's my syslog-ng.conf on the server side (server1). I read the manual but I'm not comprehending some of the explanations :-) I read the "Configuring syslog-ng client" but it gives a list of "to do" rather than "how to."
syslog-ng 2.0.4, Solaris 10, client side is running MP (multi-path, and I'm not sure if MP causes any problem?)
SERVER SIDE #####################################################################
options { long_hostnames(off); log_msg_size(8192); sync(1); log_fifo_size(2048); bad_hostname("^(ctld.|cmd|tmd|last)$"); time_reopen(10); };
#####################################################################
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); }; source loghost { tcp(ip(192.168.1.11) port(5140)); }; source s_tcp { tcp(port(5140) keep-alive(yes) max_connections(100)); };
destination syslog { file("/var/log/syslog"); }; destination mail { file("/var/log/syslog"); }; destination messages { file("/var/adm/messages"); };
filter f_mail { facility(mail); }; filter f_not_mail { not facility(mail); };
# log { source(loghost); }; log { source(src); filter(f_mail); destination(syslog); }; log { source(src); filter(f_not_mail); destination(messages); };
Please note that defining a source isn't enough. You have to use it in your log statements too. In your config you defined 3 sources, while in the log{} sections you're using only a single one. Either modify your sources definition to something like:

source src {
    sun-stream("/dev/log" door("/etc/.syslog_door"));
    internal();
    tcp(port(5140) keep-alive(yes) max_connections(100));
};

and then use your existing log{} sections, or add other log{} sections which use the loghost and the s_tcp sources explicitly.
CLIENT SIDE #####################################################################
options { long_hostnames(off); log_msg_size(8192); sync(1); log_fifo_size(2048); bad_hostname("^(ctld.|cmd|tmd|last)$"); time_reopen(10); };
#####################################################################
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
destination syslog { file("/var/log/syslog"); }; # destination mail { file("/var/log/syslog"); }; destination messages { file("/var/adm/messages"); }; destination loghost { tcp("192.168.1.11" port(5140)); };
filter f_mail { facility(mail); }; filter f_not_mail { not facility(mail); };
# log { source(loghost); }; log { source(src); filter(f_mail); destination(syslog); }; log { source(src); filter(f_not_mail); destination(messages); };
source s_localhost { tcp(ip(127.0.0.1) port(5140) ); }; log { source(s_localhost); destination(loghost); };
What I wrote above applies to this configuration too. You're defining s_localhost to be a tcp source (which shouldn't be used on clients, only on servers and syslog relays). The logs generated on the client will come through the 'src' source, which won't get logged to the loghost. I recommend starting with a quite simple configuration like:

source src { sun-stream("/dev/log" door ("/etc/.syslog_door")); internal(); };
destination syslog { file("/var/log/syslog"); };
destination messages { file("/var/adm/messages"); };
destination loghost { tcp("192.168.1.11" port(5140)); };
filter f_mail { facility(mail); };
filter f_not_mail { not facility(mail); };
log { source(src); filter(f_mail); destination(syslog); destination(loghost); };
log { source(src); filter(f_not_mail); destination(messages); destination(loghost); };

Regards,
Sandor
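The point made in the reply above, that an object is inert until a log{} path references it, can be checked mechanically. The following is an added example, not part of the thread and not syslog-ng's own tooling: a small audit that lists sources, destinations and filters no log path uses. The function names are hypothetical, and it assumes the name-reference style of the 2.0.4 configs posted here.

```python
import re
# Constructed sample: server-side statements quoted in this thread (options{} omitted).
SERVER_CONF = r'''
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
source loghost { tcp(ip(192.168.1.11) port(5140)); };
source s_tcp { tcp(port(5140) keep-alive(yes) max_connections(100)); };
destination syslog { file("/var/log/syslog"); };
destination mail { file("/var/log/syslog"); };
destination messages { file("/var/adm/messages"); };
filter f_mail { facility(mail); };
filter f_not_mail { not facility(mail); };
# log { source(loghost); };
log { source(src); filter(f_mail); destination(syslog); };
log { source(src); filter(f_not_mail); destination(messages); };
'''

KINDS = ("source", "destination", "filter")
HEADER = re.compile(r'\b(source|destination|filter|log)\b\s*([\w.-]*)\s*\{')
REF = re.compile(r'\b(source|destination|filter)\s*\(\s*([\w.-]+)\s*\)')

def strip_comments(text):
    """Drop '#' comments; a '#' inside a double-quoted string is kept."""
    return re.sub(r'("[^"\n]*")|#[^\n]*', lambda m: m.group(1) or "", text)

def blocks(text):
    """Yield (keyword, name, body) for each top-level 'keyword name { ... }'."""
    pos = 0
    while (m := HEADER.search(text, pos)):
        depth, i, quoted = 1, m.end(), False
        while i < len(text) and depth:      # walk to the matching closing brace
            ch = text[i]
            if ch == '"':
                quoted = not quoted
            elif not quoted:
                depth += (ch == '{') - (ch == '}')
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1]
        pos = i

def audit(conf):
    """Return (unused, undefined) name lists per kind, judged by the log paths."""
    defined, used = ({k: set() for k in KINDS} for _ in range(2))
    for keyword, name, body in blocks(strip_comments(conf)):
        if keyword == "log":
            for kind, ref in REF.findall(body):
                used[kind].add(ref)
        else:
            defined[keyword].add(name)
    unused = {k: sorted(defined[k] - used[k]) for k in KINDS}
    undefined = {k: sorted(used[k] - defined[k]) for k in KINDS}
    return unused, undefined

if __name__ == "__main__":
    unused, undefined = audit(SERVER_CONF)
    for kind in KINDS:
        for name in unused[kind]:
            print(f"{kind} '{name}' is defined but no log path uses it")
        for name in undefined[kind]:
            print(f"log path references undefined {kind} '{name}'")
```

Run against the client configuration from the first post, the same audit reports destination loghost as unused, which is why nothing in that file would forward messages to the server.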
--- "Geller, Sandor (IT)" <Sandor.Geller@morganstanley.com> wrote:
SERVER SIDE #####################################################################
options { long_hostnames(off); log_msg_size(8192); sync(1); log_fifo_size(2048); bad_hostname("^(ctld.|cmd|tmd|last)$"); time_reopen(10); };
#####################################################################
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); }; source loghost { tcp(ip(192.168.1.11) port(5140)); }; source s_tcp { tcp(port(5140) keep-alive(yes) max_connections(100)); };
destination syslog { file("/var/log/syslog"); }; destination mail { file("/var/log/syslog"); }; destination messages { file("/var/adm/messages"); };
filter f_mail { facility(mail); }; filter f_not_mail { not facility(mail); };
# log { source(loghost); }; log { source(src); filter(f_mail); destination(syslog); }; log { source(src); filter(f_not_mail); destination(messages); };
Please note that defining a source isn't enough. You have to use it in your log statements too. In your config you defined 3 sources, while in the log{} sections you're using only a single one. Either modify your sources definition to something like:
Thank you for pointing out this relationship. I read section 3.3 (sources) and 3.5 (log path) but it did not point this out (or maybe it did and I missed it).
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); tcp(port(5140) keep-alive(yes) max_connections(100)); };
and then use your existing log{} sections, or add other log{} sections which use the loghost and the s_tcp sources explicitly.
CLIENT SIDE #####################################################################
options { long_hostnames(off); log_msg_size(8192); sync(1); log_fifo_size(2048); bad_hostname("^(ctld.|cmd|tmd|last)$"); time_reopen(10); };
#####################################################################
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
destination syslog { file("/var/log/syslog"); }; # destination mail { file("/var/log/syslog"); }; destination messages { file("/var/adm/messages"); }; destination loghost { tcp("192.168.1.11" port(5140)); };
filter f_mail { facility(mail); }; filter f_not_mail { not facility(mail); };
# log { source(loghost); }; log { source(src); filter(f_mail); destination(syslog); }; log { source(src); filter(f_not_mail); destination(messages); };
source s_localhost { tcp(ip(127.0.0.1) port(5140) ); }; log { source(s_localhost); destination(loghost); };
What I wrote above applies to this configuration too. You're defining s_localhost to be a tcp source (which shouldn't be used on clients, only on servers and syslog relays).
The logs generated on the client will come through the 'src' source, which won't get logged to the loghost. I recommend starting with a quite simple configuration like:
source src { sun-stream("/dev/log" door ("/etc/.syslog_door")); internal(); };
destination syslog { file("/var/log/syslog"); }; destination messages { file("/var/adm/messages"); }; destination loghost { tcp("192.168.1.11" port(5140)); };
filter f_mail { facility(mail); }; filter f_not_mail { not facility(mail); };
log { source(src); filter(f_mail); destination(syslog); destination(loghost); };
log { source(src); filter(f_not_mail); destination(messages); destination(loghost); };
Thank you all for your help. I was able to capture the log on the server from the client. A simple "logger -p daemon.crit syslog-ng test" from the client is now seen in /var/adm/messages on the server.
Could also be tcp wrappers if the destination host is a syslog-ng server. I got "hit" by this as the build changed somewhere around 2.0.3 to default to using tcpwrappers, or perhaps that is when that feature was added. I upgraded my central server, and lost all logging :-(

Anyhow, it was easy to configure the /etc/hosts.allow file.

Evan.

mailing list wrote:
My syslog-ng is now running. However, I cannot get the client to forward its messages to the server. To be certain, I have disabled my firewall, on both the client and server side, but still get the below errors in /var/adm/messages. The client is logging normally in /var/adm/messages.
Aug 29 14:54:33 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
Aug 29 14:54:43 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
Aug 29 14:54:53 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
Aug 29 14:54:59 client1 syslog-ng[18639]: Log statistics; dropped='tcp(AF_INET(w.x.y.z:5140))=0', processed='center(queued)=8844', processed='center(received)=4424', processed='destination(messages)=4420', processed='destination(loghost)=4420', processed='destination(syslog)=4', processed='source(src)=4424'
Aug 29 14:55:03 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
I have "destination loghost { tcp("w.x.y.z" port(5140)); };" in my syslog-ng.conf on the client1. Here's my complete syslog-ng.conf file on the client1 side.
options { long_hostnames(off); log_msg_size(8192); sync(1); log_fifo_size(2048); bad_hostname("^(ctld.|cmd|tmd|last)$"); time_reopen(10); };
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
destination syslog { file("/var/log/syslog"); }; destination messages { file("/var/adm/messages"); }; destination loghost { tcp("w.x.y.z" port(5140)); };
filter f_mail { facility(mail); }; filter f_not_mail { not facility(mail); };
log { source(src); filter(f_mail); destination(syslog); }; log { source(src); filter(f_not_mail); destination(messages); };
Any help/pointer is greatly appreciated. Thank you.
Hello,
My syslog-ng is now running. However, I cannot get the client to forward its messages to the server. To be certain, I have disabled my firewall, on both the client and server side, but still get the below errors in /var/adm/messages. The client is logging normally in /var/adm/messages.
Aug 29 14:54:33 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
Aug 29 14:54:43 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
Aug 29 14:54:53 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
Aug 29 14:54:59 client1 syslog-ng[18639]: Log statistics; dropped='tcp(AF_INET(w.x.y.z:5140))=0', processed='center(queued)=8844', processed='center(received)=4424', processed='destination(messages)=4420', processed='destination(loghost)=4420', processed='destination(syslog)=4', processed='source(src)=4424'
This message shows your syslog-ng received 4424 messages, 4 out of 4424 were logged to /var/log/syslog, 4420 were sent to /var/adm/messages and (I think the same) 4420 were sent to the loghost destination.
Aug 29 14:55:03 client1 syslog-ng[18639]: Connection failed; error='Connection refused (146)', time_reopen='10'
You should look into why the peer is refusing the connections. You've got a few hints already from other list members.
I have "destination loghost { tcp("w.x.y.z" port(5140)); };" in my syslog-ng.conf on the client1. Here's my complete syslog-ng.conf file on the client1 side.
options { long_hostnames(off); log_msg_size(8192); sync(1); log_fifo_size(2048); bad_hostname("^(ctld.|cmd|tmd|last)$"); time_reopen(10); };
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
destination syslog { file("/var/log/syslog"); }; destination messages { file("/var/adm/messages"); }; destination loghost { tcp("w.x.y.z" port(5140)); };
filter f_mail { facility(mail); }; filter f_not_mail { not facility(mail); };
log { source(src); filter(f_mail); destination(syslog); }; log { source(src); filter(f_not_mail); destination(messages); };
Any help/pointer is greatly appreciated. Thank you.
There is no indication here why syslog-ng should send messages to the loghost destination. Something tells me this is NOT the actual syslog-ng.conf that your syslog-ng is using.

Regards,
Sandor
participants (4)
- Andreas Kurz
- Evan Rempel
- Geller, Sandor (IT)
- mailing list