I'm running into all kinds of problems running syslog-ng. It won't create the files in subdirectories like I want, it won't feed the named pipes I want... The following is my configuration (and I'm running sec against the pipes - since I need a reader before I start the writer on AIX):

# cat /etc/syslog-ng/syslog-ng.conf
options { sync (0); chain_hostnames (no); use_dns (no); use_fqdn (no); create_dirs (yes); keep_hostname (yes); dir_owner(syslog); dir_group(syslog); dir_perm(0660); owner(syslog); group(syslog); perm(0660); };

source s_cron { unix-dgram("/dev/cron"); internal(); };
source s_snmp { unix-dgram("/dev/snmp"); internal(); };
source s_sys { unix-dgram("/dev/log"); internal(); };
source s_udp { udp(ip("0.0.0.0") port(514)); };
source s_udp_s { udp(ip("0.0.0.0") port(601)); };
source s_tcp { tcp(ip("0.0.0.0") port(601)); };
source s_tcp1 { tcp(ip("0.0.0.0") port(1026)); };
source s_tcp2 { tcp(ip("0.0.0.0") port(5140)); };

destination d_cons { file("/data/logs/console" perm(0660)); };
destination d_mesg { file("/data/logs/syslog.log" perm(0660)); };
destination d_mail { file("/data/logs/mail.log" perm(0660)); };
destination d_mlrt { usertty("root"); };
destination d_mlal { usertty("*"); };
destination allmessages { file("/data/logs/$YEAR$MONTH$DAY.allmessages.log" owner(syslog) group(syslog) perm(0660)); };
destination netmessages { file("/data/logs/$YEAR$MONTH$DAY.netmessages.log" owner(syslog) group(syslog) perm(0660)); };
destination d_vpn { file("/data/logs/vpn/$YEAR$MONTH$DAY.vpn.log" owner(syslog) group(syslog) perm(0660)); };
destination d_switch { file("/data/logs/switch/$YEAR$MONTH$DAY.switch.log" owner(syslog) group(syslog) perm(0660)); };
destination d_router { file("/data/logs/router/$YEAR$MONTH$DAY.router.log" owner(syslog) group(syslog) perm(0660)); };
destination d_pixen { file("/data/logs/pixen/$YEAR$MONTH$DAY.pixen.log" owner(syslog) group(syslog) perm(0660)); };
destination d_ids { file("/data/logs/ids/$YEAR$MONTH$DAY.ids.log" owner(syslog) group(syslog) perm(0660)); };
destination vpn_pipe { pipe("/data/pipes/vpn_pipe"); };
# destination net_pipe { pipe("/data/pipes/net_pipe"); };
destination fire_pipe { pipe("/data/pipes/fire_pipe"); };

filter f_filter1 { facility(mail) and level(debug); };
filter f_filter2 { (facility(mail) and level(debug)) or level(info); };
filter f_filter3 { level(alert); };
filter f_filter4 { level(emerg); };
filter f_fl2r16 { netmask(1.1.253.5/255.255.255.255); };
filter f_fl2r17 { netmask(1.1.253.6/255.255.255.255); };
filter f_fl2f12 { netmask(1.1.253.2/255.255.255.255); };
filter f_fl2f1 { netmask(1.1.253.2/255.255.255.255); };
filter f_fl2f2 { netmask(1.1.62.10/255.255.255.255); };
filter f_fl2f11 { netmask(1.1.193.10/255.255.255.255); };
filter f_fl1f1 { netmask(1.1.253.212/255.255.255.255); };

log { source(s_sys); filter(f_filter1); destination(d_mail); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_cons); destination(d_mlrt); };
log { source(s_sys); filter(f_filter4); destination(d_mlal); };
# log { source(s_sys); source(s_cron); source(s_snmp); destination (allmessages); };
log { source(s_sys); source(s_cron); destination (allmessages); };
log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); destination(netmessages); };
# log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); destination(net_pipe); };
log { source(s_udp); filter(f_fl2r16); filter(f_fl2r17); filter(f_fl2f12); destination(vpn_pipe); };
log { source(s_udp); filter(f_fl2r16); filter(f_fl2r17); filter(f_fl2f12); destination(d_vpn); };
log { source(s_udp); filter(f_fl2f1); filter(f_fl2f2); filter(f_fl2f11); filter(f_fl2f12); filter(f_fl1f1); destination(fire_pipe); };
log { source(s_udp); filter(f_fl2f1); filter(f_fl2f2); filter(f_fl2f11); filter(f_fl2f12); filter(f_fl1f1); destination(d_pixen); };

The command I'm running (and I'm TRYING to run it from inittab):
syslog-ng:23456789:respawn:/usr/local/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -u syslog -g <me> -p /etc/syslog-ng.pid
No one with an idea of what might be going on here? I've reread most of the documentation for syslog-ng and can't figure it out... perhaps it's an AIX/fs permissions issue?

On 9/25/06, Brian Loe <knobdy@gmail.com> wrote:
I'm running into all kinds of problems running syslog-ng. It won't create the files in subdirectories like I want, it won't feed the named pipes I want... The following is my configuration (and I'm running sec against the pipes - since I need a reader before I start the writer on AIX):
# cat /etc/syslog-ng/syslog-ng.conf options { sync (0); chain_hostnames (no); use_dns (no); use_fqdn (no); create_dirs (yes); keep_hostname (yes); dir_owner(syslog); dir_group(syslog); dir_perm(0660); owner(syslog); group(syslog); perm(0660); };
source s_cron { unix-dgram("/dev/cron"); internal(); };
source s_snmp { unix-dgram("/dev/snmp"); internal(); };
source s_sys { unix-dgram("/dev/log"); internal(); };
source s_udp { udp(ip("0.0.0.0") port(514)); };
source s_udp_s { udp(ip("0.0.0.0") port(601)); };
source s_tcp { tcp(ip("0.0.0.0") port(601)); };
source s_tcp1 { tcp(ip("0.0.0.0") port(1026)); };
source s_tcp2 { tcp(ip("0.0.0.0") port(5140)); };
destination d_cons { file("/data/logs/console" perm(0660)); };
destination d_mesg { file("/data/logs/syslog.log" perm(0660)); };
destination d_mail { file("/data/logs/mail.log" perm(0660)); };
destination d_mlrt { usertty("root"); };
destination d_mlal { usertty("*"); };
destination allmessages { file("/data/logs/$YEAR$MONTH$DAY.allmessages.log" owner(syslog) group(syslog) perm(0660)); };
destination netmessages { file("/data/logs/$YEAR$MONTH$DAY.netmessages.log" owner(syslog) group(syslog) perm(0660)); };
destination d_vpn { file("/data/logs/vpn/$YEAR$MONTH$DAY.vpn.log" owner(syslog) group(syslog) perm(0660)); };
destination d_switch { file("/data/logs/switch/$YEAR$MONTH$DAY.switch.log" owner(syslog) group(syslog) perm(0660)); };
destination d_router { file("/data/logs/router/$YEAR$MONTH$DAY.router.log" owner(syslog) group(syslog) perm(0660)); };
destination d_pixen { file("/data/logs/pixen/$YEAR$MONTH$DAY.pixen.log" owner(syslog) group(syslog) perm(0660)); };
destination d_ids { file("/data/logs/ids/$YEAR$MONTH$DAY.ids.log" owner(syslog) group(syslog) perm(0660)); };
destination vpn_pipe { pipe("/data/pipes/vpn_pipe"); };
# destination net_pipe { pipe("/data/pipes/net_pipe"); };
destination fire_pipe { pipe("/data/pipes/fire_pipe"); };
filter f_filter1 { facility(mail) and level(debug); };
filter f_filter2 { (facility(mail) and level(debug)) or level(info); };
filter f_filter3 { level(alert); };
filter f_filter4 { level(emerg); };
filter f_fl2r16 { netmask(1.1.253.5/255.255.255.255); };
filter f_fl2r17 { netmask(1.1.253.6/255.255.255.255); };
filter f_fl2f12 { netmask(1.1.253.2/255.255.255.255); };
filter f_fl2f1 { netmask(1.1.253.2/255.255.255.255); };
filter f_fl2f2 { netmask(1.1.62.10/255.255.255.255); };
filter f_fl2f11 { netmask(1.1.193.10/255.255.255.255); };
filter f_fl1f1 { netmask(1.1.253.212/255.255.255.255); };
log { source(s_sys); filter(f_filter1); destination(d_mail); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_cons); destination(d_mlrt); };
log { source(s_sys); filter(f_filter4); destination(d_mlal); };
# log { source(s_sys); source(s_cron); source(s_snmp); destination (allmessages); };
log { source(s_sys); source(s_cron); destination (allmessages); };
log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); destination(netmessages); };
# log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); destination(net_pipe); };
log { source(s_udp); filter(f_fl2r16); filter(f_fl2r17); filter(f_fl2f12); destination(vpn_pipe); };
log { source(s_udp); filter(f_fl2r16); filter(f_fl2r17); filter(f_fl2f12); destination(d_vpn); };
log { source(s_udp); filter(f_fl2f1); filter(f_fl2f2); filter(f_fl2f11); filter(f_fl2f12); filter(f_fl1f1); destination(fire_pipe); };
log { source(s_udp); filter(f_fl2f1); filter(f_fl2f2); filter(f_fl2f11); filter(f_fl2f12); filter(f_fl1f1); destination(d_pixen); };
The command I'm running (and I'm TRYING to run it from inittab):
syslog-ng:23456789:respawn:/usr/local/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -u syslog -g <me> -p /etc/syslog-ng.pid
Brian Loe wrote:
No one with an idea of what might be going on here? I've reread most of the documentation for syslog-ng and can't figure it out... perhaps it's an AIX/fs permissions issue?
Currently we are trying to track down a similar issue, but it might be unrelated. You aren't running syslog-ng as a superuser. Have you checked whether your syslog user has the needed permissions to create the files and open the pipes for writing? Some kind of trace output (like strace on linux) would be appreciated.

-- Sandor Geller wildy@balabit.hu
What permissions does the syslog user need to do so? It creates the files in the base log directory (/data/logs) - but it won't create the subfolders or the files that go there. I'm working now on re-ordering the log commands... strace <syslog-ng command line> right?

On 9/26/06, Sandor Geller <wildy@balabit.hu> wrote:
Brian Loe wrote:
No one with an idea of what might be going on here? I've reread most of the documentation for syslog-ng and can't figure it out... perhaps it's an AIX/fs permissions issue?
Currently we are trying to track down a similar issue, but it might be unrelated. You aren't running syslog-ng as a superuser. Have you checked whether your syslog user has the needed permissions to create the files and open the pipes for writing?
Some kind of trace output (like strace on linux) would be appreciated.
Okay, running it with debug and verbose (-d -v) this is all I get in the log (allmessages as defined by syslog-ng configuration):

Sep 26 12:57:08 machine syslog-ng[151718]: syslog-ng starting up; version='2.0rc1'
Sep 26 12:57:08 machine syslog-ng[151718]: Initializing destination file writer; template='/data/logs/$YEAR$MONTH$DAY.allmessages.log', filename='/data/logs/20060926.allmessages.log'
Sep 26 12:57:08 machine syslog-ng[151718]: Initializing destination file writer; template='/data/logs/$YEAR$MONTH$DAY.netmessages.log', filename='/data/logs/20060926.netmessages.log'
Sep 26 12:57:38 machine syslog-ng[151718]: Reaping unused destination files; template='/data/logs/router/$YEAR$MONTH$DAY.router.log'
Sep 26 12:57:38 machine syslog-ng[151718]: Reaping unused destination files; template='/data/logs/switch/$YEAR$MONTH$DAY.switch.log'
Sep 26 12:57:38 machine syslog-ng[151718]: Reaping unused destination files; template='/data/logs/pixen/$YEAR$MONTH$DAY.pixen.log'
Sep 26 12:57:38 machine syslog-ng[151718]: Reaping unused destination files; template='/data/logs/$YEAR$MONTH$DAY.netmessages.log'
Sep 26 12:57:38 machine syslog-ng[151718]: Reaping unused destination files; template='/data/logs/ids/$YEAR$MONTH$DAY.ids.log'
Sep 26 12:57:38 machine syslog-ng[151718]: Reaping unused destination files; template='/data/logs/$YEAR$MONTH$DAY.allmessages.log'
Sep 26 12:57:38 machine syslog-ng[151718]: Reaping unused destination files; template='/data/logs/vpn/$YEAR$MONTH$DAY.vpn.log'

Remember, I'm running this on AIX. I don't understand why it's calling those destinations "unused"; two of them are. Also, no mention of the pipes. Maybe it's feeding the pipes though - I simply have no real way of knowing...

On 9/26/06, Sandor Geller <wildy@balabit.hu> wrote:
Brian Loe wrote:
No one with an idea of what might be going on here? I've reread most of the documentation for syslog-ng and can't figure it out... perhaps it's an AIX/fs permissions issue?
Currently we are trying to track down a similar issue, but it might be unrelated. You aren't running syslog-ng as a superuser. Have you checked whether your syslog user has the needed permissions to create the files and open the pipes for writing?
Some kind of trace output (like strace on linux) would be appreciated.
-- Sandor Geller wildy@balabit.hu
Another update. I made the mistake of setting the -C option once and syslog-ng had no problem creating the folders based on that option's arguments. It would seem that it might be a filter issue - since those destinations never receive a message, they're never created (and I've increased the timeout it waits to open the file)? How can I verify this issue - and as you can see, about the only filter I use is netmask(), which I had working at one time. I've tried mkfifo and mknod to create the pipes - both create them but again, I still don't see any data going to them. Something is broken...

On 9/26/06, Brian Loe <knobdy@gmail.com> wrote:
Okay, running it with debug and verbose (-d -v) this is all I get in the log (allmessages as defined by syslog-ng configuration):

Sep 26 12:57:08 machine syslog-ng[151718]: syslog-ng starting up; version='2.0rc1'
Sep 26 12:57:08 machine syslog-ng[151718]: Initializing destination file writer; template='/data/logs/$YEAR$MONTH$DAY.allmessages.log', filename='/data/logs/20060926.allmessages.log'
Last time I'll respond to my own post - but I can't believe I didn't catch this. I hadn't listed every source for the proper destinations with the exception of the two files that were being opened. However, am I listing sources properly in the log statements?

log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); filter (f_fire); destination(d_pixen); };
Brian Loe wrote:
Last time I'll respond to my own post - but I can't believe I didn't catch this. I hadn't listed every source for the proper destinations with the exception of the two files that were being opened.
However, am I listing sources properly in the log statements?
It is syntactically correct. However, nobody can answer your question properly (you are using the filter named f_fire which wasn't in your previous posts, so I have to assume that you have modified your configuration). Without knowing your current configuration I can only answer like this: if a message comes from any of your sources and matches all of the filters then it will be logged through the destinations. When you don't see logs, check with tcpdump whether the log packets reach the syslog-ng server, whether they contain the needed texts which the filters match, and so on...

-- Sandor Geller wildy@balabit.hu
So they have to match all of the filters? I want all of the messages from 4 or 5 devices to go to one log file. I created a filter for each using the netmask filter. I then listed each of those filter commands in the log statement... It seems that if I add multiple netmask() statements to a single filter it doesn't work. If I add multiple filter() statements (with a single device each) to a log statement it doesn't work... The following is what my final config was before I decided to blow it away and attack the issue at a much smaller scale (two log files, one filter, etc. - which is why I now believe the above):

options { chain_hostnames (no); use_dns (no); use_fqdn (no); create_dirs (yes); keep_hostname (yes); owner(syslog); group(syslog); perm(0660); dir_owner(syslog); dir_group(syslog); dir_perm(0660); time_reap(300); };

source s_cron { unix-dgram("/dev/cron"); internal(); };
source s_snmp { unix-dgram("/dev/snmp"); internal(); };
source s_sys { unix-dgram("/dev/log"); internal(); };
source s_udp { udp(ip("0.0.0.0") port(514)); };
source s_udp_s { udp(ip("0.0.0.0") port(601)); };
source s_tcp { tcp(ip("0.0.0.0") port(601)); };
source s_tcp1 { tcp(ip("0.0.0.0") port(1026)); };
source s_tcp2 { tcp(ip("0.0.0.0") port(5140)); };

destination d_cons { file("/data/logs/console.log"); };
destination d_mesg { file("/data/logs/syslog.log"); };
destination d_mail { file("/data/logs/mail.log"); };
destination d_mlrt { usertty("root"); };
destination d_mlal { usertty("*"); };
destination allmessages { file("/data/logs/$YEAR$MONTH$DAY.allmessages.log"); };
destination netmessages { file("/data/logs/$YEAR$MONTH$DAY.netmessages.log"); };
destination d_vpn { file("/data/logs/vpn/$YEAR$MONTH$DAY.vpn.log"); };
destination d_switch { file("/data/logs/switch/$YEAR$MONTH$DAY.switch.log"); };
destination d_router { file("/data/logs/router/$YEAR$MONTH$DAY.router.log"); };
destination d_pixen { file("/data/logs/pixen/$YEAR$MONTH$DAY.pixen.log"); };
destination d_ids { file("/data/logs/ids/$YEAR$MONTH$DAY.ids.log"); };
destination vpn_pipe { pipe("/data/pipes/vpn_pipe"); };
# destination net_pipe { pipe("/data/pipes/net_pipe"); };
destination fire_pipe { pipe("/data/pipes/fire_pipe"); };

filter f_filter1 { facility(mail) and level(debug); };
filter f_filter2 { (facility(mail) and level(debug)) or level(info); };
filter f_filter3 { level(alert); };
filter f_filter4 { level(emerg); };
filter f_vpn { netmask(1.1.1.5/255.255.255.255) and netmask(1.1.1.6/255.255.255.255) and netmask(1.1.1.2/255.255.255.255); };
filter f_fire { netmask(1.1.1.2/255.255.255.255) and netmask(1.1.1.10/255.255.255.255) and netmask(1.1.1.10/255.255.255.255) and netmask(1.1.1.212/255.255.255.255); };

log { source(s_sys); filter(f_filter1); destination(d_mail); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_cons); destination(d_mlrt); };
log { source(s_sys); filter(f_filter4); destination(d_mlal); };
log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); filter(f_vpn); destination(vpn_pipe); };
log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); filter (f_fire); destination(fire_pipe); };
log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); filter(f_vpn); destination(d_vpn); };
log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); filter (f_fire); destination(d_pixen); };
log { source(s_sys); source(s_cron); source(s_snmp); destination (allmessages); };
log { source(s_udp); source (s_udp_s); source (s_tcp); source (s_tcp1); source (s_tcp2); destination(netmessages); };

On 9/27/06, Sandor Geller <wildy@balabit.hu> wrote:
It is syntactically correct. However, nobody can answer your question properly (you are using the filter named f_fire which wasn't in your previous posts, so I have to assume that you have modified your configuration).
Without knowing your current configuration I can only answer like this: if a message comes from any of your sources and matches all of the filters then it will be logged through the destinations.
Brian Loe wrote:
So they have to match all of the filters?
Yes.
I want all of the messages from 4 or 5 devices to go to one log file. I created a filter for each using the netmask filter. I then listed each of those filter commands in the log statement...
It seems that if I add multiple netmask() statements to a single filter it doesn't work. If I add multiple filter() statements (with a single device each) to a log statement it doesn't work...
It is certainly misconfigured:
filter f_vpn { netmask(1.1.1.5/255.255.255.255) and netmask(1.1.1.6/255.255.255.255) and netmask(1.1.1.2/255.255.255.255); };
filter f_fire { netmask(1.1.1.2/255.255.255.255) and netmask(1.1.1.10/255.255.255.255) and netmask(1.1.1.10/255.255.255.255) and netmask(1.1.1.212/255.255.255.255); };
These netmasks exclude each other. Use 'or', not 'and'.

-- Sandor Geller wildy@balabit.hu
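A small model of the two filter rules Sandor describes (every filter() listed in a log statement must match, and 'and' between distinct /32 netmask() terms can never match), added here as an example; it is not code from the thread or from syslog-ng. The addresses are the ones quoted above, the sample messages are constructed.

```python
"""Model of how syslog-ng combines filters, using the /32 netmask() terms
from the thread. Added example, not syslog-ng's own code. Two rules are
modelled: every filter() in a log statement must match (AND), and terms
joined with 'and' inside one filter must all match the same address."""
import ipaddress


def netmask(cidr):
    """netmask(addr/mask): true when the message's source address is in the range."""
    net = ipaddress.ip_network(cidr, strict=False)  # accepts 1.1.1.5/255.255.255.255
    return lambda msg: ipaddress.ip_address(msg["host"]) in net


def and_(*terms):
    return lambda msg: all(t(msg) for t in terms)


def or_(*terms):
    return lambda msg: any(t(msg) for t in terms)


def log_path(filters, destination):
    """A log {} statement: every listed filter() must match, else the message is dropped."""
    return lambda msg: destination if all(f(msg) for f in filters) else None


def route_all(messages, paths):
    """Return {destination: [source hosts]} for every message each path lets through."""
    delivered = {}
    for msg in messages:
        for path in paths:
            dest = path(msg)
            if dest:
                delivered.setdefault(dest, []).append(msg["host"])
    return delivered


VPN = ["1.1.1.5/255.255.255.255", "1.1.1.6/255.255.255.255", "1.1.1.2/255.255.255.255"]
FIRE = ["1.1.1.2/255.255.255.255", "1.1.1.10/255.255.255.255", "1.1.1.212/255.255.255.255"]

# Constructed sample messages: one per device address plus one unrelated host.
SAMPLE = [{"host": h} for h in ("1.1.1.5", "1.1.1.6", "1.1.1.2", "1.1.1.10", "1.1.1.212", "10.9.8.7")]


def broken_routing():
    """Both configurations as posted: 'and' between distinct /32 masks in one
    filter, and one filter() per device in the log statement. Neither can match."""
    f_vpn = and_(*map(netmask, VPN))
    per_device = [netmask(m) for m in VPN]
    return route_all(SAMPLE, [log_path([f_vpn], "d_vpn"),
                              log_path(per_device, "vpn_pipe")])


def fixed_routing():
    """Sandor's fix: 'or' inside one filter, a single filter() per log path."""
    f_vpn, f_fire = or_(*map(netmask, VPN)), or_(*map(netmask, FIRE))
    return route_all(SAMPLE, [log_path([f_vpn], "d_vpn"),
                              log_path([f_vpn], "vpn_pipe"),
                              log_path([f_fire], "d_pixen")])
```

With the posted filters `broken_routing()` returns an empty dict, which is why the per-device destinations were reported as unused and never created; with 'or', 1.1.1.2 (listed in both filters) reaches both d_vpn and d_pixen.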
Okay, I'm sorta responding to my own message but one of the problems I was having was that I was using "and" in my filters instead of "or". I've slammed my head against the wall and will get back to the list should another problem arise... I apologize for the wasted bandwidth.

On 9/27/06, Sandor Geller <wildy@balabit.hu> wrote:
Brian Loe wrote:
Last time I'll respond to my own post - but I can't believe I didn't catch this. I hadn't listed every source for the proper destinations with the exception of the two files that were being opened.
However, am I listing sources properly in the log statements?
It is syntactically correct. However, nobody can answer your question properly (you are using the filter named f_fire which wasn't in your previous posts, so I have to assume that you have modified your configuration).
participants (2)
- Brian Loe
- Sandor Geller