configuring different sources on the syslog-ng server
Hello
I would like to get some clarification on the source tag in both syslog client and server.
I have different clients hosting apache / weblogic
My Syslog-ng Server has ip 192.x.x.x
Apache (client) has ip 192.x.x.1
Weblogic (client) has ip 192.x.x.2
In all the clients syslog configuration files, I have added
destination apacheaccesslog {
    tcp("192.x.x.x" port(3331));
};
destination weblogiclog {
    tcp("192.x.x.x" port(3332));
};
My issue is in the syslog-ng server configuration file, if I add
source apache_access {
    tcp(ip(192.x.x.x) port(3331));
};
Should the ip be the server ip or the client ip (in this example, I have put the syslog-ng server ip). Does the port number differentiate the different sources we are receiving the log files ???
Khaleelah Peerbocus - Systems Analyst
Mauritius Cargo Community Services
Business Registration No.: C08077158
VAT Registration No.: VAT20427044
1st Floor, Trade and Marketing Centre, Mer Rouge
Port-Louis, Mauritius
Tel: +230 206 2970 - Cell: +230 498 7897 Fax: +230 216 8858
Email: systems2@maccs.mu - Website: http://www.maccs.mu

Firstly the "ip()" option of "tcp()" in a "source()" is not required, it is optional. It specifies the IP address which syslog-ng will listen on. If not provided, syslog-ng will listen on all interfaces. Secondly, you do not need a separate source for every client. You can use filter rules to match on the client's hostname if you need to.
You might want to go through the administrator's guide, it is an extremely good documentation source with lots of examples. http://www.balabit.com/dl/guides/syslog-ng-ose-v3.1-guide-admin-en.pdf

Still if I wanted to configure a different source on the syslog-server as below (I will eventually use filtering if I do not succeed in creating another source)
source apache_access {
    tcp(ip("192.168.180.179") flags(no-parse));
};
destination d_apachemssql {
    pipe("/tmp/apachepipe.pipe"
        template("INSERT INTO logapache(datetime,host,program,pid,message)VALUES('$R_DATE','$HOST','$PROGRAM','$PID','$MSGONLY');\n")template-escape(yes) flags(no-multi-line));
};
log {
    source(apache_access);
    destination(d_apachemssql);
};
I get the following error when trying to start syslog-ng
Error binding socket; addr='AF_INET(192.168.180.179:3331)', error='Cannot assign requested address (99)'
Error initializing source driver; source='apache_access', id='apache_access#0'
Error initializing message pipeline;

Hi,
Yes, because 192.168.180.179 seems not to be a real address of your server so syslog-ng cannot assign the requested address. Let's see an example: addresses of your server are the following (in this example your server has two network cards):
192.168.20.1 (eth0)
10.30.20.1 (eth1)
127.0.0.1 (loopback)
source apache_access{tcp(ip("192.168.20.1") flags(no-parse)); };
syslog-ng will listen only on eth0:192.168.20.1
source apache_access{tcp(ip("10.30.20.1") flags(no-parse)); };
syslog-ng will listen only on eth1:10.30.20.1
source apache_access{tcp(flags(no-parse)); };
syslog-ng will listen on all addresses of your server (eth0:192.168.20.1, eth1:10.30.20.1, lo:127.0.0.1)
source apache_access{tcp(ip("10.10.0.1") flags(no-parse)); };
syslog-ng cannot listen on this address, because it's not an address of the server, you will receive "Cannot assign requested address" error message.
If you have no special reasons to limit it, just don't give "ip()" option because it is not required (as Patrick wrote)
-- pzolee

Hello
Yup, I realized that. I thought it was supposed to be the ip of the client. So I am using filters to cater for the different clients..only issue is I will end up with lots of filtering..
Do you have any example for logging firewall logs..
Regards

Hi,
Perhaps I am wrong (so please correct me), but I assume you want to do the following: all of your clients read logs from two sources (weblogic, apache) and send them to syslog-ng server via tcp. You would like to store these logs in different places on syslog-ng server, one for weblogic logs and the other one for apache logs. Is it true?
If it is, you have a lot of possibilities to do that, e.g.:
1, You can set different port numbers (but the same ip) for two destinations in client config, and set two sources on server side with these ports
example:
client side (as you wrote):
destination apacheaccesslog { tcp("192.x.x.x" port(3331)); };
destination weblogiclog { tcp("192.x.x.x" port(3332)); };
server side:
source apacheacceslog{tcp(port(3331));};
source weblogiclog{tcp(port(3332));};
After that you can use these sources in different log paths
2, You can use only one tcp destination in client configuration, in this case you need to split the logs with filters using program name or other entity (you can override value of $PROGRAM macro with program_override() option) on server side
Also you may not know but you can also use macros in file path.
-- pzolee
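
The two approaches from this reply as one server-side configuration, written as an added example (not from the thread or the syslog-ng project). The server address 192.168.20.1 is the illustrative one from the earlier reply; the client addresses, port 3333, file paths and the s_/d_/f_ names are assumptions. Because a listening port does not identify who is sending, each log path also checks the sender address with netmask().

```conf
@version: 3.1

# --- Approach 1: one listening port per log type ---------------------------
# ip() is a local address of the SERVER (the bind address), never a client's.
# Binding to one interface keeps the listeners off the server's other networks;
# omit ip() to listen on every interface.
source s_apache   { tcp(ip("192.168.20.1") port(3331)); };
source s_weblogic { tcp(ip("192.168.20.1") port(3332)); };

# The port only says which listener accepted the connection. Any host that can
# reach it can write into that log, so pin each log path to the expected sender.
filter f_from_apache_host   { netmask("192.168.20.11/32"); };  # assumed Apache client
filter f_from_weblogic_host { netmask("192.168.20.12/32"); };  # assumed WebLogic client

# Macros in the file name: one file per sending address. $SOURCEIP is taken
# from the connection, not from text inside the message.
destination d_apache   { file("/var/log/remote/apache/$SOURCEIP.log" create_dirs(yes)); };
destination d_weblogic { file("/var/log/remote/weblogic/$SOURCEIP.log" create_dirs(yes)); };

log { source(s_apache);   filter(f_from_apache_host);   destination(d_apache); };
log { source(s_weblogic); filter(f_from_weblogic_host); destination(d_weblogic); };

# --- Approach 2: one port, split by program name ---------------------------
# Client side (assumed file path), labelling what is read from the file:
#   source s_apache_file {
#       file("/var/log/apache2/access.log" program_override("apache"));
#   };
# The program name is chosen by the sender, so it is a label, not proof of
# origin; the netmask() filter is what limits who may use this listener.
source s_net { tcp(ip("192.168.20.1") port(3333)); };

filter f_known_clients { netmask("192.168.20.0/24"); };
filter f_apache        { program("apache"); };
filter f_weblogic      { program("weblogic"); };

log { source(s_net); filter(f_known_clients); filter(f_apache);   destination(d_apache); };
log { source(s_net); filter(f_known_clients); filter(f_weblogic); destination(d_weblogic); };
```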

Hi
You got it right.. the syslog-ng SERVER needs to handle log messages from different clients APACHE (one machine), WEBLOGIC (another machine)
Thanks for the explanation.. I will make use of different ports

participants (3)
- Khaleelah Peerbocus
- Patrick H.
- Zoltán Pallagi