Re: [syslog-ng] syslog-ng Digest, Vol 39, Issue 20
Thanks Bazsi for reply. Relevant portion is below

**************************************************************
destination console { usertty("wimaxnoc"); };
filter ps_nt_re { match("PS NOT REACHABLE"); };
log { source(network); filter(ps_nt_re); destination(console); };
**************************************************************

Please help.

Anurag aggarwal

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of syslog-ng-request@lists.balabit.hu
Sent: Thursday, July 24, 2008 3:30 PM
To: syslog-ng@lists.balabit.hu
Subject: syslog-ng Digest, Vol 39, Issue 20

Send syslog-ng mailing list submissions to
	syslog-ng@lists.balabit.hu
To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.balabit.hu/mailman/listinfo/syslog-ng
or, via email, send a message with subject or body 'help' to
	syslog-ng-request@lists.balabit.hu
You can reach the person managing the list at
	syslog-ng-owner@lists.balabit.hu
When replying, please edit your Subject line so it is more specific than "Re: Contents of syslog-ng digest..."

Today's Topics:
   1. Re: Re : Re : Re : Syslogd + Syslog-ng (Christopher Cashell)
   2. Re: Re : Re : Re : Syslogd + Syslog-ng (Leandro Ferreira da Silva)
   3. Re: Using regexp in match() (Balazs Scheidler)
   4. Re: Usertty sending messages to all user and without login also (Balazs Scheidler)

----------------------------------------------------------------------

Message: 1
Date: Wed, 23 Jul 2008 10:04:34 -0500
From: Christopher Cashell <ChristopherCashell@solutionary.com>
Subject: Re: [syslog-ng] Re : Re : Re : Syslogd + Syslog-ng
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <48874882.8070904@solutionary.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Leandro Ferreira da Silva did thus speak on 7/23/2008 7:14 AM:
The configuration is the standard one, I only made the following changes.

# sources
source src {
    unix-dgram("/var/run/log");
    unix-dgram("/var/run/logpriv" perm(0600));
    udp();
    internal();
    file("/dev/klog");
};

I added this:

source r_src { udp(ip("*client.domain*") port(514)); };

Here's your problem. For src, you define 'udp()' as one of your log sources, without including any specific options for it. This will cause syslog-ng to go with its defaults for udp(), which is bind to *all* IP addresses assigned to the box, on port 514.

Then, for r_src, you are telling syslog-ng to bind to a specific IP address on the box and port 514. When syslog-ng attempts to start, it will fail with the error message you received because that ip/port is already in use (by the source src, which is bound to all IP's).

Unless you have a need to bind to a specific IP address on the box, I'd recommend removing 'udp();' from src, and replacing the current 'udp(ip("*client.domain*") port(514));' in r_src with 'udp();'.

-- 
Christopher Cashell

------------------------------

Message: 2
Date: Wed, 23 Jul 2008 14:39:03 -0300
From: Leandro Ferreira da Silva <ferreira@iqm.unicamp.br>
Subject: Re: [syslog-ng] Re : Re : Re : Syslogd + Syslog-ng
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <48876CB7.7080909@iqm.unicamp.br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Christopher Cashell wrote:
Leandro Ferreira da Silva did thus speak on 7/23/2008 7:14 AM:
The configuration is the standard one, I only made the following changes.

# sources
source src {
    unix-dgram("/var/run/log");
    unix-dgram("/var/run/logpriv" perm(0600));
    udp();
    internal();
    file("/dev/klog");
};

I added this:

source r_src { udp(ip("*client.domain*") port(514)); };
Here's your problem. For src, you define 'udp()' as one of your log sources, without including any specific options for it. This will cause syslog-ng to go with its defaults for udp(), which is bind to *all* IP addresses assigned to the box, on port 514.
Then, for r_src, you are telling syslog-ng to bind to a specific IP address on the box and port 514. When syslog-ng attempts to start, it
will fail with the error message you received because that ip/port is already in use (by the source src, which is bound to all IP's).
Unless you have a need to bind to a specific IP address on the box, I'd recommend removing 'udp();' from src, and replacing the current 'udp(ip("*client.domain*") port(514));' in r_src with 'udp();'.
It worked!! The real problem was udp () at src. Thank you very much for all the help... Now I'll go complete my rules.. See you!! =P

------------------------------

Message: 3
Date: Thu, 24 Jul 2008 10:16:27 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [syslog-ng] Using regexp in match()
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Cc: documentation@balabit.com
Message-ID: <1216887387.8130.5.camel@bzorp.balabit>
Content-Type: text/plain; charset=UTF-8

On Tue, 2008-07-22 at 09:45 +0200, Jan Kreps wrote:
------------ Original message ------------
From: Jan Kreps <krepsj@seznam.cz>
Subject: Re: [syslog-ng] Using regexp in match()
Date: 10.7.2008 10:29:35
----------------------------------------
I'm trying to set up a central syslog-ng server for my Exchange servers. On the Windows servers I use the Epilog agent (brother of Snare) to forward tracking logs to the central syslog.
Obviously I have used a bad regexp. The Exchange tracking log uses tabs as delimiters. But when I saved the $MSG string to a text log, the tabs were changed to '\011'.
So now I changed my regexp to use tabs as delimiters:
filter f_parsing { match("([^\t]*)\t([^\t]*)\t"); };
This works like charm and saves first two tab delimited fields (date and time in this case) to $1 and $2.
Some more remarks on the subject.
Syslog-ng Administrator guide 1.1.1 Edition from May 2008 says on page 111:
"The regular expressions can use up to 255 regexp matches ($1 ... $255)."
and on page 112:
"Regarding braces around macro names, the following two formats are equivalent "$MSG" and "${MSG}"."
Fact is that for regexp matches greater than 9 it MUST be in the ${} format. If you use for instance $12 it resolves as the content of $1 + the character '2'. I found that I have to use the ${} syntax in the ChangeLog remark for patch 137. I guess that should be stated in the Admin Guide more clearly. In this respect, the statement "The regular expressions can use up to 255 regexp matches ($1 ... $255)" is not true and should be corrected.
right, this should be fixed in the documentation.
And I have one question about file creation.
When something is logged a file is created according to destination(). But when I delete the file, it's not created anymore, until restart of syslog-ng. Is that correct/expected behaviour?
I run Debian Etch and syslog-ng 2.0.9-1 from the unstable branch (stable still has version 2.0.0).
Yes, you need to send the HUP signal to syslog-ng in order to reopen log files. This is the way UNIX works. (the application does not know about the deletion of a logfile)

-- 
Bazsi

------------------------------

Message: 4
Date: Thu, 24 Jul 2008 10:28:06 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [syslog-ng] Usertty sending messages to all user and without login also
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <1216888086.8130.10.camel@bzorp.balabit>
Content-Type: text/plain

On Wed, 2008-07-23 at 13:39 +0530, Anurag Agarwal wrote:
Hello everybody,
I am using syslog-ng and used usertty in destination. I am using a user 'test' as destination. But other users can also see the message on their console e.g root and other users. Please help as this is creating a problem and NG not working as desired. OS: Solaris 10
It does work for me. Can you show us the relevant portions of your configuration file?

I tried with this:

source local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); };
destination all { file("/var/log/messages"); };
log { source(local); destination(all); };

destination all_users { usertty("bazsi"); };
filter alert_emerg { level(err..emerg); };
log { source(local); filter(alert_emerg); destination(all_users); };

It correctly printed err..emerg messages on my tty, and not on others. The relevant portion of the code is here:

#if HAVE_MODERN_UTMP
  if (ut->ut_type == USER_PROCESS &&
      ((self->username->len == 1 && self->username->str[0] == '*') ||
       (self->username->len <= sizeof(ut->ut_user) &&
        memcmp(self->username->str, ut->ut_user, self->username->len) == 0)))
#else
  if ((self->username->len == 1 && self->username->str[0] == '*') ||
      (self->username->len <= sizeof(ut->ut_name) &&
       memcmp(self->username->str, ut->ut_name, self->username->len) == 0))
#endif

I don't see how this condition could match for everyone. Even if the wtmp format is different and ut->ut_name would contain a bogus value, the expected breakage would be to not display anywhere, not to display everywhere.

-- 
Bazsi

------------------------------

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng

End of syslog-ng Digest, Vol 39, Issue 20
*****************************************
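The usertty() selection condition quoted in Message 4, as an added example that is not syslog-ng's own code: the same test written as a C function and run over a constructed utmp-like table (struct utmp_entry, sample_utmp and the function names are assumptions made for this example).

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for the two utmp fields the quoted code reads;
 * the real record layout lives in <utmp.h>. */
#define USER_PROCESS 7
struct utmp_entry {
    int  ut_type;
    char ut_user[32];
};

/* The same condition as the usertty() code quoted above, as a function:
 * "*" matches every login session, otherwise the first strlen(username)
 * bytes of ut_user must equal the configured name. */
static bool usertty_matches(const char *username, const struct utmp_entry *ut)
{
    size_t len = strlen(username);

    if (ut->ut_type != USER_PROCESS)
        return false;                          /* not a login session */
    if (len == 1 && username[0] == '*')
        return true;                           /* wildcard: every user */
    return len <= sizeof(ut->ut_user) &&
           memcmp(username, ut->ut_user, len) == 0;
}

/* Constructed utmp table: three logins plus one stale (logged-out) slot. */
static const struct utmp_entry sample_utmp[] = {
    { USER_PROCESS, "bazsi" },
    { USER_PROCESS, "root" },
    { USER_PROCESS, "bazsi2" },
    { 0,            "bazsi" },
};

/* How many of the sample ttys would receive a message for `username`. */
static int recipients(const char *username)
{
    int n = 0;
    for (size_t i = 0; i < sizeof sample_utmp / sizeof sample_utmp[0]; i++)
        if (usertty_matches(username, &sample_utmp[i]))
            n++;
    return n;
}
```

With this table recipients("*") is 3 and recipients("bazsi") is 2: the memcmp over strlen(username) bytes is a prefix comparison, so bazsi2 is selected as well, but nothing in the condition selects every logged-in user.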
On Thu, 2008-07-24 at 16:54 +0530, Anurag Agarwal wrote:
Thanks Bazsi for reply.
Relevant portion is below

**************************************************************
destination console { usertty("wimaxnoc"); };
filter ps_nt_re { match("PS NOT REACHABLE"); };
log { source(network); filter(ps_nt_re); destination(console); };
**************************************************************
This seems to be fine. Can you post a truss output for the syslog-ng process, while this configuration is processed? Where did you get your binaries from? Did you compile them yourself?

-- 
Bazsi
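The macro-expansion quirk Jan Kreps reports in Message 3 ($12 resolving to $1 followed by a literal '2', while ${12} resolves to match 12), as an added example that is not syslog-ng's own template code: a small C expander that reproduces that behaviour over a constructed match table (the matches array, NMATCH and the function names are assumptions made for this example).

```c
#include <ctype.h>
#include <string.h>

#define NMATCH 16

/* Constructed stand-in for $1..$15 after match("([^\t]*)\t([^\t]*)\t...")
 * ran over an Exchange tracking-log line (date and time come first). */
static const char *matches[NMATCH] = {
    "", "2008-07-10", "10:29:35", "SMTP", "RECEIVE", "msg-0001", "f6",
    "f7", "f8", "f9", "f10", "f11", "f12", "f13", "f14", "f15" };

/* Expand $N / ${N} as the thread describes syslog-ng 2.0 doing it: without
 * braces only ONE digit is consumed, so "$12" is $1 followed by a literal
 * '2', while "${12}" reads every digit up to the closing brace. */
static void expand(const char *tmpl, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p = tmpl;
    while (*p && o + 1 < outlen) {
        int idx = -1;
        if (p[0] == '$' && p[1] == '{' && isdigit((unsigned char)p[2])) {
            const char *q = p + 2;
            int n = 0;                        /* clamped, cannot overflow */
            while (isdigit((unsigned char)*q)) { n = n * 10 + (*q++ - '0'); if (n > NMATCH) n = NMATCH; }
            if (*q == '}') { idx = n; p = q + 1; }
        } else if (p[0] == '$' && isdigit((unsigned char)p[1])) {
            idx = p[1] - '0';                 /* single digit only */
            p += 2;
        }
        if (idx < 0) {                        /* ordinary character */
            out[o++] = *p++;
        } else {                              /* copy the match, bounded */
            const char *val = idx < NMATCH ? matches[idx] : "";
            size_t n = strlen(val);
            if (n > outlen - 1 - o) n = outlen - 1 - o;
            memcpy(out + o, val, n);
            o += n;
        }
    }
    out[o] = '\0';
}

/* Wrapper returning a static buffer, convenient for quick checks. */
static const char *demo(const char *tmpl)
{
    static char buf[256];
    expand(tmpl, buf, sizeof buf);
    return buf;
}
```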