Syslog-ng beginners guide
Hello everybody,

Sorry for bothering you with a beginner's question. I have a Cacti implementation in my network and I want to integrate it with syslog-ng. I have mostly Cisco routers, all configured to send syslog messages to two Linux boxes (Ubuntu 9.04 and Fedora Core 10) where I have installed syslog-ng. I'm not able to find where the logs are kept, and this drives me crazy. Do you know any site or resource where I can find a beginner's guide about using syslog-ng with Cisco routers? I mean, a guide for someone who has never used syslog-ng before.

Thanks.

--
Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36, Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
www.omnilogic.ro
Hi,

I was in a similar situation some weeks ago. The Admin Guide found at http://www.balabit.com/support/documentation/?product=syslog-ng was of great help to me. And, of course, Google ;-)

hth
Ulli

-----Original message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On behalf of Cosmin Neagu
Sent: Tuesday, 30 June 2009 14:49
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Syslog-ng beginners guide

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
Thanks a lot Ulrich, that site contains great documentation; I'm starting to understand how syslog-ng works. But let me tell you the problem with which I'm stuck right now.

A router is sending syslog messages to a Linux box (Fedora) from 10.0.0.1. I can see the messages arriving at the server:

    [root@monitorizare1 ~]# tcpdump -v src 10.0.0.1
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    10:09:07.941254 IP (tos 0x0, ttl 255, id 80, offset 0, flags [none], proto UDP (17), length 115) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 87
            Facility local7 (23), Severity error (3)
            Msg: 81: *Jul 1 10:09:10.027: %LINK-3-UPDOWN: Interfa[|syslog]
    10:09:08.760267 IP (tos 0x0, ttl 255, id 81, offset 0, flags [none], proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 110
            Facility local7 (23), Severity info (6)
            Msg: 82: *Jul 1 10:09:10.031: %ENTITY_ALARM-6-INFO: C[|syslog]
    10:09:09.755868 IP (tos 0x0, ttl 255, id 82, offset 0, flags [none], proto UDP (17), length 137) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 109
            Facility local7 (23), Severity notice (5)

I have configured syslog-ng.conf like this:

    source s_router_udp {
        internal();
        file("/proc/kmsg" log_prefix("kernel: "));
        udp(ip(0.0.0.0) port(514));
        #unix-stream("/dev/log");
    };
    destination d_localfile { file("/root/testlog"); };
    log { source(s_router_udp); destination(d_localfile); };

The problem is that in /root/testlog I can't see any log, except those generated internally by syslog-ng:

    Jul 1 09:31:36 monitorizare1 syslog-ng[17787]: syslog-ng starting up; version='2.0.10'
    Jul 1 09:32:49 monitorizare1 syslog-ng[17787]: Termination requested via signal, terminating;
    Jul 1 09:32:50 monitorizare1 syslog-ng[17812]: syslog-ng starting up; version='2.0.10'
    Jul 1 09:42:50 monitorizare1 syslog-ng[17812]: Log statistics; processed='center(queued)=6', processed='center(received)=6', processed='destination(d_boot)=0', processed='destination(d_auth)=2', processed='destination(d_cron)=2', processed='destination(d_mlal)=0', processed='destination(d_localfile)=1', processed='destination(d_mesg)=1', processed='destination(d_cons)=0', processed='destination(d_spol)=0', processed='destination(d_mail)=0', processed='source(s_sys)=5', processed='source(s_router_udp)=1'
    Jul 1 09:45:11 monitorizare1 syslog-ng[17812]: Termination requested via signal, terminating;
    Jul 1 09:45:11 monitorizare1 syslog-ng[18840]: syslog-ng starting up; version='2.0.10'
    Jul 1 09:47:43 monitorizare1 syslog-ng[18840]: Termination requested via signal, terminating;
    Jul 1 09:47:43 monitorizare1 syslog-ng[19009]: syslog-ng starting up; version='2.0.10'

I can't find anything in the syslog-ng admin guide about how messages received from remote hosts can be inserted into files.

Can anyone help me? I feel that I'm close to a solution.
Hello again,

Things are evolving a little bit. Now the syslog-ng conf is configured like this:

    source s_router_udp { udp(); };
    destination d_mysql {
        pipe("/tmp/mysql.pipe"
             template("INSERT INTO syslog_incoming (facility, priority, date, time, host, message, seq) VALUES ( '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$HOST', '$MSG', '$SEQ' );\n")
             template-escape(yes));
    };
    log { source(s_router_udp); destination(d_mysql); };
    log { source(s_sys); destination(d_mysql); };

The second log statement is working, because I can see entries in the syslog_incoming table, and I also see the log in Cacti:

    mysql> select * from syslog_incoming;
    +----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
    | facility | priority | date       | time     | host          | message                                                          | seq | status |
    +----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
    | syslog   | info     | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: Termination requested via signal, terminating; |  22 |      0 |
    | syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: syslog-ng shutting down; version='2.0.10'      |  23 |      0 |
    | syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[21587]: syslog-ng starting up; version='2.0.10'        |  24 |      0 |
    | authpriv | info     | 2009-07-01 | 11:56:06 | monitorizare1 | sshd[21567]: Connection closed by 127.0.0.1                      |  21 |      0 |
    +----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
    4 rows in set (0.00 sec)

But I don't know what the problem is with the first log statement and how to fix it. Can anyone help a little? Maybe with some documentation, maybe someone encountered a similar problem?

PS: something else that I noticed and I don't know what it means. One of the syslog-ng messages is like this:

    syslog-ng[20083]: Log statistics; dropped='pipe(/tmp/mysql.pipe)=0', processed='center(queued)=30', processed='center(received)=15', processed='destination(d_boot)=0', processed='destination(d_auth)=4', processed='destination(d_cron)=9', processed='destination(d_mysql)=15', processed='destination(d_mlal)=0', processed='destination(d_mesg)=2', processed='destination(d_cons)=0', processed='destination(d_spol)=0', processed='destination(d_mail)=0', processed='source(s_sys)=15', processed='source(s_router_udp)=0'

What could be the cause for that "dropped" there? Shouldn't it be processed?

Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36, Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
www.omnilogic.ro
Hi,

I don't see anything in your config... Are you sure your syslog messages are sent to the UDP port syslog-ng is listening at (normally: 514)? Did you verify this with one of snoop, ethereal, wireshark and the like? Just an idea...

hth
Ulli

________________________________
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On behalf of Cosmin Neagu
Sent: Wednesday, 1 July 2009 14:15
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng beginners guide
Yes, that was the first thing I checked. Even now I have checked it again, and the logs are still coming to the Linux box where syslog-ng is installed.

    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    15:23:16.916213 IP (tos 0x0, ttl 255, id 125, offset 0, flags [none], proto UDP (17), length 173) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 145
            Facility local7 (23), Severity notice (5)
            Msg: 126: *Jul 1 15:23:18.030: %OSPF-5-ADJCHG: Proces[|syslog]
    15:23:16.918286 IP (tos 0x0, ttl 255, id 126, offset 0, flags [none], proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 110
            Facility local7 (23), Severity notice (5)
            Msg: 127: *Jul 1 15:23:18.110: %LDP-5-NBRCHG: LDP Nei[|syslog]
    15:23:17.876055 IP (tos 0x0, ttl 255, id 127, offset 0, flags [none], proto UDP (17), length 136) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 108
            Facility local7 (23), Severity notice (5)
            Msg: 128: *Jul 1 15:23:19.954: %LINK-5-CHANGED: Inter[|syslog]
    15:23:18.979640 IP (tos 0x0, ttl 255, id 128, offset 0, flags [none], proto UDP (17), length 140) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 112
            Facility local7 (23), Severity info (6)
            Msg: 129: *Jul 1 15:23:19.958: %ENTITY_ALARM-6-INFO: [|syslog]
    15:23:19.859450 IP (tos 0x0, ttl 255, id 129, offset 0, flags [none], proto UDP (17), length 140) 10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 112
            Facility local7 (23), Severity notice (5)
            Msg: 130: *Jul 1 15:23:20.954: %LINEPROTO-5-UPDOWN: L[|syslog]

And unfortunately, I'm the only person in the company who knows a little bit of Linux, so I don't have anybody to ask...
Hi,
try to split the sources. The following works for me (tcp instead of udp) for OSE 3.0.2. All syslog-ng clients (and server) have the following sources and destinations:
source s_internal { internal(); };
destination d_syslogng_log { file("/var/log/syslog-ng.log"); };
source s_local { unix-dgram("/dev/log"); file("/proc/kmsg" program_override("kernel:")); };
destination d_remote { tcp("logserver.f.q.d.n" port(514) ); };
destination d_local { file("/var/log/messages"); };
log { source( s_internal ); destination( d_remote ); };
log { source( s_internal ); destination( d_syslogng_log ); };
log { source( s_local ); destination( d_remote ); };
log { source( s_local ); destination( d_local ); };
All messages are logged in the local file /var/log/messages or in /var/log/syslog-ng.log and forwarded to the logserver. The syslog-ng server has the following additional sources and destinations:
source s_network { tcp (ip("logserver.f.q.d.n") port(514)); };
destination d_network { file("/var/log/syslog-ng/hosts/$HOST_FROM/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY" create_dirs(yes) ); };
log { source( s_network ); destination( d_network ); };
Change tcp to udp and change the fqdn to 0.0.0.0. Check /var/log/syslog-ng.log for errors during the processing of messages.
regards,
Siem Korteweg
-----Original Message----- From: syslog-ng-bounces@lists.balabit.hu on behalf of Cosmin Neagu Sent: Wed 1-7-2009 14:25 To: Syslog-ng users' and developers' mailing list Subject: Re: [syslog-ng] Syslog-ng beginners guide
Yes, that was the first thing I have checked; even now I have checked it again, and the logs are still coming to the linux box where syslog is installed.
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:23:16.916213 IP (tos 0x0, ttl 255, id 125, offset 0, flags [none], proto UDP (17), length 173)
    10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 145
    Facility local7 (23), Severity notice (5)
    Msg: 126: *Jul 1 15:23:18.030: %OSPF-5-ADJCHG: Proces[|syslog]
15:23:16.918286 IP (tos 0x0, ttl 255, id 126, offset 0, flags [none], proto UDP (17), length 138)
    10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 110
    Facility local7 (23), Severity notice (5)
    Msg: 127: *Jul 1 15:23:18.110: %LDP-5-NBRCHG: LDP Nei[|syslog]
15:23:17.876055 IP (tos 0x0, ttl 255, id 127, offset 0, flags [none], proto UDP (17), length 136)
    10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 108
    Facility local7 (23), Severity notice (5)
    Msg: 128: *Jul 1 15:23:19.954: %LINK-5-CHANGED: Inter[|syslog]
15:23:18.979640 IP (tos 0x0, ttl 255, id 128, offset 0, flags [none], proto UDP (17), length 140)
    10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 112
    Facility local7 (23), Severity info (6)
    Msg: 129: *Jul 1 15:23:19.958: %ENTITY_ALARM-6-INFO: [|syslog]
15:23:19.859450 IP (tos 0x0, ttl 255, id 129, offset 0, flags [none], proto UDP (17), length 140)
    10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 112
    Facility local7 (23), Severity notice (5)
    Msg: 130: *Jul 1 15:23:20.954: %LINEPROTO-5-UPDOWN: L[|syslog]
And unfortunately, I'm the only person in the company that knows a little bit of linux, so I don't have anybody to ask...
Ulrich.Wiemers@t-systems.com wrote:
Hi, I don't see anything in your config... Are you sure your syslog messages are sent to the UDP port syslog-ng is listening at (normally: 514)? Did you prove this with one of snoop, ethereal, wireshark and the like? Just an idea... hth Ulli
-----Original Message----- From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Cosmin Neagu Sent: Wednesday, 1 July 2009 14:15 To: Syslog-ng users' and developers' mailing list Subject: Re: [syslog-ng] Syslog-ng beginners guide
Hello again, Things are evolving a little bit.
Now the syslog-ng conf is configured like this:
source s_router_udp { udp (); };
destination d_mysql {
    pipe("/tmp/mysql.pipe"
         template("INSERT INTO syslog_incoming (facility, priority, date, time, host, message, seq) VALUES ( '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$HOST', '$MSG', '$SEQ' );\n")
         template-escape(yes));
};
log { source (s_router_udp); destination (d_mysql); };
log { source (s_sys); destination(d_mysql); };
The second log statement is working, because I can see entries in the syslog_incoming table, and I also see the log in Cacti:
mysql> select * from syslog_incoming;
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
| facility | priority | date       | time     | host          | message                                                          | seq | status |
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
| syslog   | info     | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: Termination requested via signal, terminating; |  22 |      0 |
| syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: syslog-ng shutting down; version='2.0.10'      |  23 |      0 |
| syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[21587]: syslog-ng starting up; version='2.0.10'        |  24 |      0 |
| authpriv | info     | 2009-07-01 | 11:56:06 | monitorizare1 | sshd[21567]: Connection closed by 127.0.0.1                      |  21 |      0 |
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
4 rows in set (0.00 sec)
But I don't know what the problem is with the first log statement, or how to fix it. Can anyone help a little? Maybe with some documentation, or maybe someone encountered a similar problem?
PS: something else that I noticed and I don't know what it means. One of the syslog-ng messages is like this:
syslog-ng[20083]: Log statistics; dropped='pipe(/tmp/mysql.pipe)=0', processed='center(queued)=30', processed='center(received)=15', processed='destination(d_boot)=0', processed='destination(d_auth)=4', processed='destination(d_cron)=9', processed='destination(d_mysql)=15', processed='destination(d_mlal)=0', processed='destination(d_mesg)=2', processed='destination(d_cons)=0', processed='destination(d_spol)=0', processed='destination(d_mail)=0', processed='source(s_sys)=15', processed='source(s_router_udp)=0'
What could be the cause of that "dropped" there? Shouldn't it be processed?
Cosmin Neagu NOC Team Leader Str. I. G. Duca nr 36 Otopeni, Judetul Ilfov, 075100 Romania Tel: 021 303 3159 / 0732 669 193 www.omnilogic.ro
Cosmin Neagu wrote:
Thanks a lot Ulrich, that site contains great documentation, I'm starting to understand how syslog-ng works. But let me tell you the problem with which I'm stuck right now.
A router is sending syslog messages to a linux box (Fedora) from 10.0.0.1. I can see the messages arriving at the server.
[root@monitorizare1 ~]# tcpdump -v src 10.0.0.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:09:07.941254 IP (tos 0x0, ttl 255, id 80, offset 0, flags [none], proto UDP (17), length 115)
    10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 87
    Facility local7 (23), Severity error (3)
    Msg: 81: *Jul 1 10:09:10.027: %LINK-3-UPDOWN: Interfa[|syslog]
10:09:08.760267 IP (tos 0x0, ttl 255, id 81, offset 0, flags [none], proto UDP (17), length 138)
    10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 110
    Facility local7 (23), Severity info (6)
    Msg: 82: *Jul 1 10:09:10.031: %ENTITY_ALARM-6-INFO: C[|syslog]
10:09:09.755868 IP (tos 0x0, ttl 255, id 82, offset 0, flags [none], proto UDP (17), length 137)
    10.0.0.1.65150 > 192.168.53.248.syslog: SYSLOG, length: 109
    Facility local7 (23), Severity notice (5)
I have configured syslog-ng.conf like this:
source s_router_udp {
    internal();
    file ("/proc/kmsg" log_prefix("kernel: "));
    udp (ip(0.0.0.0) port ( 514 ) );
    #unix-stream ("/dev/log");
};
destination d_localfile { file ("/root/testlog"); };
log { source (s_router_udp); destination (d_localfile); };
I have tried like this:
On a remote linux host (Ubuntu 9.04) I have configured syslog-ng like this:
source s_internal { internal(); };
source s_local { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); };
destination d_localfile { file ("/home/cosmin/syslog.log"); };
destination d_remote { tcp ("192.168.53.248" port(514)); };   # I have tried with udp also
log { source(s_local); destination(d_localfile); };
log { source(s_internal); destination(d_localfile); };
log { source(s_local); destination(d_remote); };
On the syslog server (Fedora C10), the configuration is:
source s_remote_tcp { tcp (ip (0.0.0.0) port(514)); };   # I have tried with udp also
destination d_localfile { file ("/root/syslog.log"); };
log { source (s_remote_tcp); destination (d_localfile); };
After a few tests, I have noticed (with the help of wireshark) the following:
1. In the UDP case, it sends the logs, I can see the packets arriving on the server with tcpdump, but the server returns an ICMP error Destination Unreachable, with the code "Host Administratively Prohibited".
2. The same thing in the TCP case, only that the message is not sent, only the first SYN packet trying to establish the TCP connection, and it receives the same ICMP error from the server.
On the server I have Fedora Core 10, with SELinux disabled. No firewall at all. Actually I don't know yet how to configure iptables.
I have noticed that on the server, if I try to define a source like this:
source s_remote_tcp { tcp (ip (192.168.53.151) port(514)); };
it will give an error:
Starting syslog-ng: Error binding socket; addr='AF_INET(192.168.53.151:514)', error='Cannot assign requested address (99)'
Error initializing source driver; source='s_remote_tcp'
Please, can someone help me with this problem? I don't know what could be blocking the packets, if it is because of the OS or because of the syslog-ng configuration.
Cosmin Neagu NOC Team Leader Str. I. G. Duca nr 36 Otopeni, Judetul Ilfov, 075100 Romania Tel: 021 303 3159 / 0732 669 193 www.omnilogic.ro
Siem Korteweg wrote:
On Thu, 2009-07-02 at 17:50 +0300, Cosmin Neagu wrote:
ICMP admin prohibited is probably generated by the packet filter. It cannot be generated by an application (unless it'd be injecting ICMP packets of its own, which syslog-ng doesn't do).
Also, I wanted to point out that starting with 2.1, syslog-ng has its own SQL destination, no need to mess with named pipes. But if you decide to use a newer version, I would recommend 3.0.3, the current stable version.
-- Bazsi
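The pieces this thread turns on, as an added Python example that is not code from syslog-ng or from any poster: a small UDP receiver bound the way the s_router_udp source is (0.0.0.0, port 514), decoding the PRI header into the facility/severity pair tcpdump prints, writing each message to Siem's per-host $HOST_FROM/$R_YEAR/$R_MONTH/... layout, and mapping the bind() errno 99 from the ip(192.168.53.151) attempt to its cause. The facility name list, the /tmp base directory and the 5514 test port are my own choices.

```python
"""Minimal UDP syslog receiver modelled on the configuration discussed in
this thread: a source like udp(ip(0.0.0.0) port(514)) feeding a per-host
file destination laid out like Siem's d_network. Added example, not code
from syslog-ng or from any poster."""
import errno
import os
import re
import socket
import time

# syslog facility/severity names, index = numeric code (RFC 3164 / syslog-ng names)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
DEFAULT_PRI = 13  # user.notice: what a syslog daemon assumes when <PRI> is missing

_PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(datagram: bytes):
    """Return (facility, severity, text) for one BSD syslog datagram.

    PRI = facility * 8 + severity, so the router messages that tcpdump shows as
    'Facility local7 (23), Severity notice (5)' carry the header <189>.
    """
    m = _PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:          # 23 * 8 + 7 is the largest legal PRI
        pri, body = int(m.group(1)), datagram[m.end():]
    else:
        pri, body = DEFAULT_PRI, datagram      # malformed or absent header
    text = body.decode("utf-8", "replace").rstrip("\r\n")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], text


def destination_path(host_from, year, month, day, base="/var/log/syslog-ng/hosts"):
    """File name in Siem's layout:
    <base>/$HOST_FROM/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY
    $HOST_FROM is the peer address the datagram came from, which is the right
    key for routers whose messages start with a sequence number, not a hostname."""
    y, mo, d = f"{year:04d}", f"{month:02d}", f"{day:02d}"
    return os.path.join(base, host_from, y, mo, f"{y}-{mo}-{d}")


def explain_bind_error(err):
    """Translate the bind() errno values seen in the thread into their cause."""
    if err == errno.EADDRNOTAVAIL:   # 'Cannot assign requested address (99)' on Linux
        return ("ip() must be an address configured on this host's interfaces, "
                "or 0.0.0.0 to listen on all of them; a client's address cannot be bound")
    if err == errno.EACCES:
        return "ports below 1024 require root (or CAP_NET_BIND_SERVICE)"
    if err == errno.EADDRINUSE:
        return "another syslog daemon is already listening on this address and port"
    return os.strerror(err)


def bind_udp(ip, port):
    """Open the listening socket, reporting bind() failures the way syslog-ng does."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((ip, port))
    except OSError as e:
        sock.close()
        raise OSError(e.errno, "Error binding socket; addr='AF_INET(%s:%d)': %s"
                      % (ip, port, explain_bind_error(e.errno))) from e
    return sock


def serve(ip="0.0.0.0", port=514, base="/var/log/syslog-ng/hosts"):
    """Receive datagrams forever and append each to its per-host daily file."""
    sock = bind_udp(ip, port)
    while True:
        data, (peer, _) = sock.recvfrom(65535)
        facility, severity, text = parse_pri(data)
        t = time.localtime()
        path = destination_path(peer, t.tm_year, t.tm_mon, t.tm_mday, base)
        os.makedirs(os.path.dirname(path), exist_ok=True)   # create_dirs(yes)
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(f"{facility}.{severity} {peer} {text}\n")


if __name__ == "__main__":
    serve(port=5514, base="/tmp/syslog-hosts")   # unprivileged port for a test run
```

A packet filter rejecting the port shows up here exactly as in the thread: the receiver binds fine, tcpdump sees the datagrams, and nothing is ever written, while the sender gets the ICMP admin-prohibited reply.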
ok, thanks, I will eventually try the newer version, but will still need to use my own SQL tables, because they are part of a bigger implementation. I never thought that syslog would be such a pain in the ...
Cosmin Neagu NOC Team Leader Str. I. G. Duca nr 36 Otopeni, Judetul Ilfov, 075100 Romania Tel: 021 303 3159 / 0732 669 193 www.omnilogic.ro
Balazs Scheidler wrote:
The problem might be in this line: "Actually I don't know yet how to configure iptables"
They might be enabled by default so you might want to try this:
# iptables -L
If it shows anything but a bunch of lines saying policy accept and some header lines, then you (at your own risk) need to tell it to stop by issuing the magical incantation
# iptables -F
To keep the pesky safe guards off on a full time basis, you might want to do something like:
# chkconfig iptables off
# service iptables stop
You need to do this with root access so sudo is your friend unless you are really brave and are logging on as root directly :)
--Dave
"I insist that my car has good brakes, they allow me to go faster"
-----Original Message----- From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler Sent: Friday, July 03, 2009 10:03 AM To: Syslog-ng users' and developers' mailing list Subject: Re: [syslog-ng] Syslog-ng beginners guide
On Thu, 2009-07-02 at 17:50 +0300, Cosmin Neagu wrote:
I have tryed like this:
On a remote linux host (Ubuntu 9.04) i have configured syslog-ng like this:
source s_internal {internal();}; source s_local { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); };
destination d_localfile { file ("/home/cosmin/syslog.log"); }; destination d_remote {tcp ("192.168.53.248" port(514)); }; //i have tried with udp also
log { source(s_local); destination(d_localfile); }; log { source(s_internal); destination(d_localfile); }; log { source(s_local); destination(d_remote); };
On the syslog server (Fedora c10), the configuration is:
source s_remote_tcp {tcp (ip (0.0.0.0) port(514)); }; //i have tried with udp also. destination d_localfile {file ("/root/syslog.log"); }; log { source (s_remote_tcp); destination (d_localfile); };
After a few tests, i have noticed (with the help of wireshark) the folowing: 1. In UDP case, it sends the logs, i can see the packets arriving on the server with tcpdump, but the the server returns an icmp error Destination Unreachable, with a code "Host Administrately Prohibited" 2. The same thing in TCP case, only that the message is not send, only the first syn pachet trying to establish the tcp connection and it receives the same icmp error from the server.
On the server i have fedora core 10, with selinux disabled. No firewall at all. Actually i don't know yet how to configure iptables.
I have noticed that on the server, if i try to define a source like this: source s_remote_tcp {tcp (ip (192.168.53.151) port(514)); }; it will give an error: Starting syslog-ng: Error binding socket; addr='AF_INET(192.168.53.151:514)', error='Cannot assign requested address (99)' Error initializing source driver; source='s_remote_tcp'
Pls, can someone help me with this problem? I dont know what could be blocking the packets, if it is because of the OS or because of syslog-ng configuration.
ICMP admin prohibited is probably generated by the packet filter. It cannot be generated by an application (unless it'd be injecting ICMP packets of its own, which syslog-ng doesn't do). Also, I wanted to point out that starting with 2.1, syslog-ng has its own SQL destination, no need to mess with named pipes. But if you decide to use a newer version, I would recommend 3.0.3, the current stable version. -- Bazsi ____________________________________________________________________________ __ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
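On the "Cannot assign requested address (99)" error in the quoted message: errno 99 on Linux is EADDRNOTAVAIL, which bind(2) returns when the requested address is not assigned to any local interface, so the ip() of a tcp() or udp() source must be one of the server's own addresses (or 0.0.0.0 for all of them). The script below is an added example, not syslog-ng code: it parses the error line exactly as quoted above, maps the errno to its meaning, and tries the same bind on a throwaway socket so the three usual causes (address not local, privileged port without root, port already taken) can be told apart. Port 0 is used in the probe so that only the address part is tested.

```python
"""Decode syslog-ng's "Error binding socket" line and reproduce the bind.

Added example for this thread, not syslog-ng code. The errno meanings are
those documented in bind(2) on Linux; the error line is the one quoted in
the thread (192.168.53.151 is whatever the poster put into ip()).
"""
import errno
import re
import socket

SYSLOG_NG_LINE = ("Error binding socket; addr='AF_INET(192.168.53.151:514)', "
                  "error='Cannot assign requested address (99)'")

# Meaning of the bind(2) errors a syslog listener usually runs into.
MEANING = {
    errno.EADDRNOTAVAIL: "ip() is not an address of this host; use one that "
                         "`ip addr` shows, or 0.0.0.0 to listen on all",
    errno.EACCES: "a port below 1024 needs root (or CAP_NET_BIND_SERVICE)",
    errno.EADDRINUSE: "another process already listens on that ip:port "
                      "(another syslogd still running?)",
}


def parse_bind_error(line: str):
    """Pull (ip, port, errno) out of the 'Error binding socket' message."""
    m = re.search(r"addr='AF_INET\(([\d.]+):(\d+)\)'.*\((\d+)\)'", line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def explain(code: int) -> str:
    """Symbolic errno name plus the practical fix, e.g. 'EADDRNOTAVAIL: ...'."""
    name = errno.errorcode.get(code, f"errno {code}")
    return f"{name}: {MEANING.get(code, 'see bind(2)')}"


def check_bind(ip: str, port: int, proto: str = "udp") -> str:
    """Try the bind syslog-ng would do; return 'bound' or the errno name."""
    stype = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, stype) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((ip, port))
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))
    return "bound"


if __name__ == "__main__":
    ip, port, code = parse_bind_error(SYSLOG_NG_LINE)
    print(f"syslog-ng could not bind {ip}:{port}: {explain(code)}")
    # port 0 lets the kernel pick a port, so only the address is being tested
    for candidate in ("0.0.0.0", "127.0.0.1", ip):
        print(f"bind {candidate}: {check_bind(candidate, 0)}")
```

Run as root on the collector itself, `check_bind(ip, 514)` distinguishes the EADDRNOTAVAIL case from an EADDRINUSE left by a still-running stock syslogd.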
Sorry for answering so late. You were right, guys, about the firewall: on the Fedora server iptables was on, and as soon as I turned it off, everything worked great. Now I have to learn how to configure iptables, because I don't want to leave it off. Anyone knows a good starting point for iptables?

And another thing that bothers me... why the hell does the CPU stay most of the time at 100% because of the syslog-ng process?

    top - 09:42:37 up 55 min,  2 users,  load average: 1.10, 1.07, 0.98
    Tasks: 134 total,   3 running, 131 sleeping,   0 stopped,   0 zombie
    Cpu(s): 12.3%us, 39.0%sy,  0.0%ni, 48.6%id,  0.0%wa,  0.0%hi,  0.2%si,  0.0%st
    Mem:   2060488k total,   850036k used,  1210452k free,    77172k buffers
    Swap:  2931820k total,        0k used,  2931820k free,   460408k cached

      PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
     2527 root      20   0  3344 1268  848 R  100  0.1  32:13.86 syslog-ng
     3028 root      20   0  305m  34m  11m S    2  1.7   1:04.90 Xorg
       22 root      15  -5     0    0    0 S    0  0.0   0:00.12 ata/1
     3788 cosmin    20   0  221m 102m  26m S    0  5.1   1:12.27 firefox

I have a dual core processor, and either CPU1 or CPU2 stays at 100% utilization...

Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
www.omnilogic.ro
I use vuurmuur as an iptables front-end - IMHO - greatest thing since sliced bread for iptables.

_____
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Cosmin Neagu
Sent: Tuesday, July 07, 2009 1:50 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng beginners guide
On Tue, 2009-07-07 at 09:49 +0300, Cosmin Neagu wrote:

And another thing that bothers me... why the hell does the CPU stay most of the time at 100% because of the syslog-ng process?

This seems to be a bug, however I don't know anything similar in 2.0.

Can you please post your configuration file which shows this symptom? Do you get this right after you start syslog-ng? Is it always reproducible? Can you list the exact version you are using and the way you got it compiled? Is it a distribution package?

So as you may see, we're happy to help you, but we need more information.

-- Bazsi
The config is like this (I will only show what I have added, the rest is the default config):

    source s_internal { internal(); };
    source s_local { file("/proc/kmsg" log_prefix("kernel: ")); unix-stream("/dev/log"); };
    destination d_remote { udp("192.168.53.248" port(514)); };
    log { source(s_internal); destination(d_remote); };

The thing is that I have noticed this only twice, and the last time was when I had used the PC for a day without network connectivity. I think that the next day, when I started the PC with network connectivity, syslog was taking its time sending all the logs from the previous day. I will watch to see if that happens again and under what conditions; until then, it is working OK now, no high CPU anymore.

PS: I never doubted that I could get help here; without your replies, syslog-ng would not have been running right now :)

Cosmin Neagu
Nope, I was hoping that everything would work fine with syslog-ng, but now it keeps the CPU at 100 percent again.

    top - 15:40:20 up  6:53,  2 users,  load average: 1.59, 3.35, 3.86
    Tasks: 141 total,   2 running, 139 sleeping,   0 stopped,   0 zombie
    Cpu(s): 12.5%us, 38.4%sy,  0.0%ni, 48.9%id,  0.0%wa,  0.0%hi,  0.2%si,  0.0%st
    Mem:   2060488k total,  1506968k used,   553520k free,   104856k buffers
    Swap:  2931820k total,        0k used,  2931820k free,   975856k cached

      PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
     2528 root      20   0  3464 1416  832 R  100  0.1 259:49.18 syslog-ng

I have attached the config file; installation has been done with: sudo apt-get install syslog-ng. Version:

    cosmin@CosminDell:~$ syslog-ng -V
    syslog-ng 2.0.9

I was doing some learning with GNS3, with only 3 Cisco IOS loaded. My machine has this hardware/software:

    Linux CosminDell 2.6.28-13-generic #45-Ubuntu SMP Tue Jun 30 19:49:51 UTC 2009 i686 GNU/Linux

    cosmin@CosminDell:~$ cat /proc/cpuinfo
    processor   : 0
    vendor_id   : GenuineIntel
    cpu family  : 6
    model       : 15
    model name  : Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz
    stepping    : 13
    cpu MHz     : 2001.000
    cache size  : 2048 KB

    cosmin@CosminDell:~$ cat /proc/meminfo
    MemTotal:   2060488 kB
    MemFree:     553376 kB
    Buffers:     104980 kB

Still the CPU stays at 100%.

When I installed syslog-ng, the following repos were configured:

    cosmin@CosminDell:~$ less /etc/apt/sources.list | grep deb
    deb http://ro.archive.ubuntu.com/ubuntu/ jaunty main restricted
    deb-src http://ro.archive.ubuntu.com/ubuntu/ jaunty main restricted
    deb http://ro.archive.ubuntu.com/ubuntu/ jaunty-updates main restricted
    deb-src http://ro.archive.ubuntu.com/ubuntu/ jaunty-updates main restricted
    deb http://ro.archive.ubuntu.com/ubuntu/ jaunty universe
    deb-src http://ro.archive.ubuntu.com/ubuntu/ jaunty universe
    deb http://ro.archive.ubuntu.com/ubuntu/ jaunty-updates universe
    deb-src http://ro.archive.ubuntu.com/ubuntu/ jaunty-updates universe
    deb http://ro.archive.ubuntu.com/ubuntu/ jaunty multiverse
    deb-src http://ro.archive.ubuntu.com/ubuntu/ jaunty multiverse
    deb http://ro.archive.ubuntu.com/ubuntu/ jaunty-updates multiverse
    deb-src http://ro.archive.ubuntu.com/ubuntu/ jaunty-updates multiverse
    deb http://security.ubuntu.com/ubuntu jaunty-security main restricted
    deb-src http://security.ubuntu.com/ubuntu jaunty-security main restricted
    deb http://security.ubuntu.com/ubuntu jaunty-security universe
    deb-src http://security.ubuntu.com/ubuntu jaunty-security universe
    deb http://security.ubuntu.com/ubuntu jaunty-security multiverse
    deb-src http://security.ubuntu.com/ubuntu jaunty-security multiverse
    deb http://archive.ubuntu.com/ubuntu jaunty universe multiverse
    deb-src http://archive.ubuntu.com/ubuntu jaunty universe multiverse

I have even restarted syslog-ng, and it still stays at 100%.

Cosmin Neagu

Attached syslog-ng.conf:
    #
    # Configuration file for syslog-ng under Debian
    #
    # attempts at reproducing default syslog behavior

    # the standard syslog levels are (in descending order of priority):
    # emerg alert crit err warning notice info debug
    # the aliases "error", "panic", and "warn" are deprecated
    # the "none" priority found in the original syslogd configuration is
    # only used in internal messages created by syslogd

    ######
    # options

    options {
        # disable the chained hostname format in logs
        # (default is enabled)
        chain_hostnames(0);

        # the time to wait before a died connection is re-established
        # (default is 60)
        time_reopen(10);

        # the time to wait before an idle destination file is closed
        # (default is 60)
        time_reap(360);

        # the number of lines buffered before written to file
        # you might want to increase this if your disk isn't catching with
        # all the log messages you get or if you want less disk activity
        # (say on a laptop)
        # (default is 0)
        #sync(0);

        # the number of lines fitting in the output queue
        log_fifo_size(2048);

        # enable or disable directory creation for destination files
        create_dirs(yes);

        # default owner, group, and permissions for log files
        # (defaults are 0, 0, 0600)
        #owner(root);
        group(adm);
        perm(0640);

        # default owner, group, and permissions for created directories
        # (defaults are 0, 0, 0700)
        #dir_owner(root);
        #dir_group(root);
        dir_perm(0755);

        # enable or disable DNS usage
        # syslog-ng blocks on DNS queries, so enabling DNS may lead to
        # a Denial of Service attack
        # (default is yes)
        use_dns(no);

        # maximum length of message in bytes
        # this is only limited by the program listening on the /dev/log Unix
        # socket, glibc can handle arbitrary length log messages, but -- for
        # example -- syslogd accepts only 1024 bytes
        # (default is 2048)
        #log_msg_size(2048);

        # Disable statistic log messages.
        stats_freq(0);

        # Some programs send log messages through a private implementation,
        # and sometimes that implementation is bad. If this happens syslog-ng
        # may recognise the program name as hostname. With this option
        # we tell syslog-ng that if a hostname matches this regexp then that
        # is not a real hostname.
        bad_hostname("^gconfd$");
    };

    ######
    # sources

    # all known message sources
    source s_all {
        # message generated by Syslog-NG
        internal();
        # standard Linux log source (this is the default place for the syslog()
        # function to send logs to)
        unix-stream("/dev/log");
        # messages from the kernel
        file("/proc/kmsg" log_prefix("kernel: "));
        # use the following line if you want to receive remote UDP logging messages
        # (this is equivalent to the "-r" syslogd flag)
        # udp();
    };

    ######
    # destinations

    # some standard log files
    destination df_auth { file("/var/log/auth.log"); };
    destination df_syslog { file("/var/log/syslog"); };
    destination df_cron { file("/var/log/cron.log"); };
    destination df_daemon { file("/var/log/daemon.log"); };
    destination df_kern { file("/var/log/kern.log"); };
    destination df_lpr { file("/var/log/lpr.log"); };
    destination df_mail { file("/var/log/mail.log"); };
    destination df_user { file("/var/log/user.log"); };
    destination df_uucp { file("/var/log/uucp.log"); };

    # these files are meant for the mail system log files
    # and provide re-usable destinations for {mail,cron,...}.info,
    # {mail,cron,...}.notice, etc.
    destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
    destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
    destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
    destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
    destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };

    # these files are meant for the news system, and are kept separated
    # because they should be owned by "news" instead of "root"
    destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
    destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
    destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };

    # some more classical and useful files found in standard syslog configurations
    destination df_debug { file("/var/log/debug"); };
    destination df_messages { file("/var/log/messages"); };

    # pipes
    # a console to view log messages under X
    destination dp_xconsole { pipe("/dev/xconsole"); };

    # consoles
    # this will send messages to everyone logged in
    destination du_all { usertty("*"); };

    ######
    # filters

    # all messages from the auth and authpriv facilities
    filter f_auth { facility(auth, authpriv); };

    # all messages except from the auth and authpriv facilities
    filter f_syslog { not facility(auth, authpriv); };

    # respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
    # and uucp facilities
    filter f_cron { facility(cron); };
    filter f_daemon { facility(daemon); };
    filter f_kern { facility(kern); };
    filter f_lpr { facility(lpr); };
    filter f_mail { facility(mail); };
    filter f_news { facility(news); };
    filter f_user { facility(user); };
    filter f_uucp { facility(uucp); };

    # some filters to select messages of priority greater or equal to info, warn,
    # and err
    # (equivalents of syslogd's *.info, *.warn, and *.err)
    filter f_at_least_info { level(info..emerg); };
    filter f_at_least_notice { level(notice..emerg); };
    filter f_at_least_warn { level(warn..emerg); };
    filter f_at_least_err { level(err..emerg); };
    filter f_at_least_crit { level(crit..emerg); };

    # all messages of priority debug not coming from the auth, authpriv, news, and
    # mail facilities
    filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };

    # all messages of info, notice, or warn priority not coming from the auth,
    # authpriv, cron, daemon, mail, and news facilities
    filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news); };

    # messages with priority emerg
    filter f_emerg { level(emerg); };

    # complex filter for messages usually sent to the xconsole
    filter f_xconsole { facility(daemon,mail) or level(debug,info,notice,warn) or (facility(news) and level(crit,err,notice)); };

    ######
    # logs
    # order matters if you use "flags(final);" to mark the end of processing in a
    # "log" statement

    # these rules provide the same behavior as the commented original syslogd rules

    # auth,authpriv.*                 /var/log/auth.log
    log { source(s_all); filter(f_auth); destination(df_auth); };

    # *.*;auth,authpriv.none          -/var/log/syslog
    log { source(s_all); filter(f_syslog); destination(df_syslog); };

    # this is commented out in the default syslog.conf
    # cron.*                          /var/log/cron.log
    #log { source(s_all); filter(f_cron); destination(df_cron); };

    # daemon.*                        -/var/log/daemon.log
    log { source(s_all); filter(f_daemon); destination(df_daemon); };

    # kern.*                          -/var/log/kern.log
    log { source(s_all); filter(f_kern); destination(df_kern); };

    # lpr.*                           -/var/log/lpr.log
    log { source(s_all); filter(f_lpr); destination(df_lpr); };

    # mail.*                          -/var/log/mail.log
    log { source(s_all); filter(f_mail); destination(df_mail); };

    # user.*                          -/var/log/user.log
    log { source(s_all); filter(f_user); destination(df_user); };

    # uucp.*                          /var/log/uucp.log
    log { source(s_all); filter(f_uucp); destination(df_uucp); };

    # mail.info                       -/var/log/mail.info
    log { source(s_all); filter(f_mail); filter(f_at_least_info); destination(df_facility_dot_info); };

    # mail.warn                       -/var/log/mail.warn
    log { source(s_all); filter(f_mail); filter(f_at_least_warn); destination(df_facility_dot_warn); };

    # mail.err                        /var/log/mail.err
    log { source(s_all); filter(f_mail); filter(f_at_least_err); destination(df_facility_dot_err); };

    # news.crit                       /var/log/news/news.crit
    log { source(s_all); filter(f_news); filter(f_at_least_crit); destination(df_news_dot_crit); };

    # news.err                        /var/log/news/news.err
    log { source(s_all); filter(f_news); filter(f_at_least_err); destination(df_news_dot_err); };

    # news.notice                     /var/log/news/news.notice
    log { source(s_all); filter(f_news); filter(f_at_least_notice); destination(df_news_dot_notice); };

    # *.=debug;\
    #       auth,authpriv.none;\
    #       news.none;mail.none     -/var/log/debug
    log { source(s_all); filter(f_debug); destination(df_debug); };

    # *.=info;*.=notice;*.=warn;\
    #       auth,authpriv.none;\
    #       cron,daemon.none;\
    #       mail,news.none          -/var/log/messages
    log { source(s_all); filter(f_messages); destination(df_messages); };

    # *.emerg                         *
    log { source(s_all); filter(f_emerg); destination(du_all); };

    # daemon.*;mail.*;\
    #       news.crit;news.err;news.notice;\
    #       *.=debug;*.=info;\
    #       *.=notice;*.=warn       |/dev/xconsole
    log { source(s_all); filter(f_xconsole); destination(dp_xconsole); };

    source s_internal { internal(); };
    source s_local { file("/proc/kmsg" log_prefix("kernel: ")); unix-stream("/dev/log"); };
    destination d_localfile { file("/home/cosmin/syslog.log"); };
    destination d_remote { udp("192.168.53.248" port(514)); };
    #log { source(s_local); destination(d_localfile); };
    #log { source(s_internal); destination(d_localfile); };
    #log { source(s_local); destination(d_remote); };
    log { source(s_internal); destination(d_remote); };
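Two checks worth running on a config like the one attached, as an added example (not syslog-ng's own tooling, and not from anyone on the list; the sample config inside the script is a constructed excerpt modelled on the attachment): the same device node opened by more than one source block, and sources that no uncommented log statement references. In the attached file, /dev/log and /proc/kmsg are declared in both s_all and s_local, and every log statement that used s_local is commented out, which is exactly what the lint reports on the excerpt.

```python
"""Lint a syslog-ng 2.x configuration for two things that are easy to miss
once site-specific sources are appended to a distribution default:
  * the same device path opened by more than one source block
  * source blocks that no active log statement uses

Added example for this thread; not part of syslog-ng. SAMPLE_CONF is a
constructed excerpt modelled on the attached syslog-ng.conf.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

SAMPLE_CONF = """\
options { use_dns(no); stats_freq(0); };

source s_all {
    internal();
    unix-stream("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
    # udp();
};
destination df_syslog { file("/var/log/syslog"); };
log { source(s_all); destination(df_syslog); };

# appended for the remote collector
source s_internal { internal(); };
source s_local { file("/proc/kmsg" log_prefix("kernel: ")); unix-stream("/dev/log"); };
destination d_remote { udp("192.168.53.248" port(514)); };
#log { source(s_local); destination(d_remote); };
log { source(s_internal); destination(d_remote); };
"""

SOURCE_BLOCK = re.compile(r"\bsource\s+(\w+)\s*\{(.*?)\};", re.S)
LOG_BLOCK = re.compile(r"\blog\s*\{(.*?)\};", re.S)
# source drivers that take a path; opening one path twice is what we look for
PATH_DRIVER = re.compile(r"\b(unix-stream|unix-dgram|file|pipe)\s*\(\s*\"([^\"]+)\"")
SOURCE_REF = re.compile(r"\bsource\((\w+)\)")


def strip_comments(conf: str) -> str:
    """Drop '#' comments so commented-out drivers and log statements don't count."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def source_paths(conf: str) -> Dict[str, List[str]]:
    """Map each source name to the device paths its drivers open (in order)."""
    paths = {}
    for name, body in SOURCE_BLOCK.findall(strip_comments(conf)):
        paths[name] = [path for _driver, path in PATH_DRIVER.findall(body)]
    return paths


def duplicate_paths(conf: str) -> Dict[str, List[str]]:
    """Paths declared in more than one source, with the sources declaring them."""
    owners = defaultdict(list)
    for name, paths in source_paths(conf).items():
        for path in paths:
            owners[path].append(name)
    return {path: names for path, names in owners.items() if len(names) > 1}


def unused_sources(conf: str) -> Set[str]:
    """Source blocks that no uncommented log statement references."""
    clean = strip_comments(conf)
    used = {ref for body in LOG_BLOCK.findall(clean) for ref in SOURCE_REF.findall(body)}
    return set(source_paths(conf)) - used


if __name__ == "__main__":
    for path, names in duplicate_paths(SAMPLE_CONF).items():
        print(f"{path} is opened by {len(names)} sources: {', '.join(names)}")
    print("sources no log statement uses:", sorted(unused_sources(SAMPLE_CONF)))
```

Point it at the real file with `duplicate_paths(open("/etc/syslog-ng/syslog-ng.conf").read())`; the usual fix is to reference the distribution's s_all from the new log statement instead of declaring a second source over the same sockets.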
On Tue, 2009-07-07 at 09:49 +0300, Cosmin Neagu wrote:
Sorry for answering so late. You were right guys about the firewall, on the Fedora server iptables was on, and as soon as I turned it off, everything worked great. Know i have to learn how to configure iptables, cause i don't want to leave it off. Anyone knows a good starting point for iptables?
And another thing that bothers me...why the hell does the cpu stays most of the time at 100% because of the syslog-ng process?
top - 09:42:37 up 55 min, 2 users, load average: 1.10, 1.07, 0.98 Tasks: 134 total, 3 running, 131 sleeping, 0 stopped, 0 zombie Cpu(s): 12.3%us, 39.0%sy, 0.0%ni, 48.6%id, 0.0%wa, 0.0%hi, 0.2%si, 0.0%st Mem: 2060488k total, 850036k used, 1210452k free, 77172k buffers Swap: 2931820k total, 0k used, 2931820k free, 460408k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 2527 root 20 0 3344 1268 848 R 100 0.1 32:13.86 syslog-ng 3028 root 20 0 305m 34m 11m S 2 1.7 1:04.90 Xorg 22 root 15 -5 0 0 0 S 0 0.0 0:00.12 ata/1 3788 cosmin 20 0 221m 102m 26m S 0 5.1 1:12.27 firefox
I have a dual core processor, and either CPU1 or CPU2 stays at 100% utilization...
This seems to be a bug; however, I don't know of anything similar in 2.0.
Can you please post your configuration file which shows this symptom? Do you get this right after you start syslog-ng? Is it always reproducible? Can you list the exact version you are using and the way you got it compiled? Is it a distribution package?
So as you may see, we're happy to help you, but we need more information.
-- Bazsi
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
I use shorewall to manage iptables on each and every server I have; I used the example config for a single interface and modified it to my preferences.
I use vuurmuur - great iptables front-end.

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of john.li@fifasci.com.ph
Sent: Friday, July 10, 2009 6:11 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng beginners guide
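Whichever front-end is used, the rule set the thread is circling around is small: rather than leaving iptables off on the collector, admit UDP 514 only from the routers that are supposed to send syslog and drop the rest. The script below is an added example, not something posted in this thread and not part of shorewall, vuurmuur or syslog-ng. It assumes the collector listens on UDP 514 (the port the posted d_remote destination uses), that the router addresses or subnets are known (192.168.53.0/24 and 10.0.0.7 in the usage line are made up), that the rules go into the collector's own INPUT chain, and that iptables is 1.4.11 or newer for the "iptables -C" existence check (on older versions drop that line and insert the jump by hand). It prints the iptables commands instead of running them, so the result can be reviewed and then piped to sh as root. One caveat a reader should keep in mind: syslog over UDP carries no authentication, so a source-address filter only keeps out hosts that do not bother to spoof their address; it is a coarse control, not a substitute for a trusted transport.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables rules that admit syslog
# (UDP/514 by default) only from the listed router addresses and drop the rest.
# Assumptions: host firewall on the collector itself (INPUT chain); router
# addresses passed on the command line (the ones in the usage line below are
# made up); iptables >= 1.4.11 for "iptables -C".

# valid_cidr A.B.C.D[/N]: return 0 if the argument is a well-formed IPv4 address
# or network, 1 otherwise. Validating here stops a typo from becoming an "-s"
# argument that iptables interprets differently than intended.
valid_cidr() {
    case "$1" in
        */*) addr=${1%%/*}; prefix=${1#*/} ;;
        *)   addr=$1;       prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*) return 1 ;; esac   # digits and dots only (no globs)
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# syslog_fw_rules PORT SRC... : print the rules. Output is a script; review it,
# then run it as root with:  syslog_fw_rules 514 192.168.53.0/24 10.0.0.7 | sh
syslog_fw_rules() {
    port=$1; shift
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ $# -gt 0 ] || { echo "no source addresses given" >&2; return 1; }
    for src in "$@"; do
        valid_cidr "$src" || { echo "bad source address: $src" >&2; return 1; }
    done
    # Own chain: keeps this policy apart from whatever shorewall, vuurmuur or
    # the distribution already put in INPUT, and makes re-running idempotent.
    echo "iptables -N SYSLOG_IN 2>/dev/null || iptables -F SYSLOG_IN"
    for src in "$@"; do
        echo "iptables -A SYSLOG_IN -s $src -p udp --dport $port -j ACCEPT"
    done
    # Anything else aimed at the syslog port: log at a bounded rate, then drop.
    echo "iptables -A SYSLOG_IN -p udp --dport $port -m limit --limit 5/min -j LOG --log-prefix 'syslog-denied: '"
    echo "iptables -A SYSLOG_IN -p udp --dport $port -j DROP"
    # Hook the chain into INPUT unless it is already there.
    echo "iptables -C INPUT -p udp --dport $port -j SYSLOG_IN 2>/dev/null || iptables -I INPUT -p udp --dport $port -j SYSLOG_IN"
}

# When executed directly with arguments, print the rule set for them.
if [ $# -gt 0 ]; then
    syslog_fw_rules "$@"
fi
```

The rejected-packet LOG line is what tells you a router was left off the list: its entries show up in the kernel log under the "syslog-denied:" prefix, rate-limited so a misconfigured or hostile sender cannot flood the collector's own logs.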
Hello,

Does anyone have a clue why the processor is at 100 percent because of syslog-ng?

Tasks: 131 total, 3 running, 128 sleeping, 0 stopped, 0 zombie
Cpu(s): 14.0%us, 39.6%sy, 0.0%ni, 46.4%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2060488k total, 385816k used, 1674672k free, 16132k buffers
Swap: 2931820k total, 0k used, 2931820k free, 205248k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2522 root 20 0 3340 1032 616 R 100 0.1 6:43.19 syslog-ng
3622 cosmin 20 0 44928 19m 13m S 6 1.0 0:02.06 gnome-panel
3017 root 20 0 303m 33m 10m S 1 1.7 0:04.83 Xorg
1 root 20 0 1904 780 564 S 0 0.0 0:01.37 init

I have added the following to syslog-ng.conf:

source s_internal { internal(); };
source s_local { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); };
destination d_localfile { file ("/home/cosmin/syslog.log"); };
destination d_remote { udp ("192.168.53.248" port(514)); };
log { source(s_local); destination(d_localfile); };
log { source(s_internal); destination(d_localfile); };
log { source(s_local); destination(d_remote); };
On Wed, 2009-07-01 at 15:15 +0300, Cosmin Neagu wrote:
Hello again. Things are evolving a little bit.
PS: something else that I noticed and don't know what it means. One of the syslog-ng messages is like this:

syslog-ng[20083]: Log statistics; dropped='pipe(/tmp/mysql.pipe)=0', processed='center(queued)=30', processed='center(received)=15', processed='destination(d_boot)=0', processed='destination(d_auth)=4', processed='destination(d_cron)=9', processed='destination(d_mysql)=15', processed='destination(d_mlal)=0', processed='destination(d_mesg)=2', processed='destination(d_cons)=0', processed='destination(d_spol)=0', processed='destination(d_mail)=0', processed='source(s_sys)=15', processed='source(s_router_udp)=0'

What could be the cause for that "dropped" there? Shouldn't it be processed?
Sometimes, syslog-ng can drop messages. That counter is the number of drops syslog-ng performed itself. The best value of that counter is zero. :) -- Bazsi
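Since the only good value of a dropped counter is zero, it is worth checking those statistics lines automatically rather than reading them by eye; a collector that silently loses router messages is a gap in the audit trail, not just a performance problem. The filter below is an added example, not from the thread and not part of syslog-ng: a small sh/awk function that reads syslog-ng "Log statistics" lines on stdin, prints every dropped counter whose value is above zero, and exits non-zero when it found any, so it can run from cron or a monitoring check. The sample input is constructed: the first line repeats the counters from the message above behind a made-up timestamp and hostname, the second carries an invented non-zero counter (the counter name is illustrative, not a real syslog-ng counter name), and the third is an unrelated message that must be ignored.

```shell
#!/bin/sh
# Added example, not from the thread or from syslog-ng. Reads syslog-ng
# "Log statistics" lines on stdin and reports every dropped counter above zero.
# Exit status: 1 if anything was dropped, 0 otherwise, so it can be used as a
# cron job or monitoring check, e.g.
#   grep 'Log statistics' /var/log/messages | syslog_dropped
syslog_dropped() {
    # q holds a single quote; passing it via -v keeps the awk program free of
    # quotes that would have to be escaped inside the shell string.
    awk -v q="'" '
    /Log statistics;/ {
        line = $0
        sub(/.*Log statistics; */, "", line)      # keep only the counter list
        n = split(line, part, ",")
        for (i = 1; i <= n; i++) {
            p = part[i]
            sub(/^[ \t]+/, "", p)                 # trim leading blanks
            if (index(p, "dropped=" q) != 1) continue
            sub("^dropped=" q, "", p)             # strip key and opening quote
            sub(q ".*$", "", p)                   # strip closing quote and tail
            if (match(p, /=[0-9]+$/) == 0) continue
            name  = substr(p, 1, RSTART - 1)
            value = substr(p, RSTART + 1) + 0
            if (value > 0) { hits++; print name, value }
        }
    }
    END { exit (hits > 0) }'
}

# Constructed sample input (timestamp and hostname made up). Line 1 carries the
# counters from the message in the thread, line 2 an invented non-zero counter
# with an illustrative name, line 3 an unrelated message that must be ignored.
sample_stats() {
cat <<'EOF'
Jul  1 15:10:01 fedora syslog-ng[20083]: Log statistics; dropped='pipe(/tmp/mysql.pipe)=0', processed='center(queued)=30', processed='center(received)=15', processed='destination(d_mysql)=15', processed='source(s_sys)=15', processed='source(s_router_udp)=0'
Jul  1 15:20:01 fedora syslog-ng[20083]: Log statistics; dropped='pipe(/tmp/mysql.pipe)=0', dropped='udp(AF_INET(192.168.53.248:514))=12', processed='center(queued)=310', processed='center(received)=155'
Jul  1 15:20:02 fedora sshd[2211]: Accepted publickey for cosmin from 192.168.53.10 port 51234 ssh2
EOF
}

# Run on the sample when executed as "sh thisfile.sh --demo": prints the
# offending counter and exits 1.
if [ "${1-}" = "--demo" ]; then
    sample_stats | syslog_dropped
fi
```

The counter name is kept whole (everything before the final "=N") so the output says which destination or pipe lost messages, which is the part you need when deciding whether the problem is a full pipe, a slow file system, or the network path to the remote collector.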
participants (8)
- Balazs Scheidler
- Charles Jennings
- Cosmin Neagu
- Dave Edelman
- john.li@fifasci.com.ph
- Siem Korteweg
- srainville@videotron.ca
- Ulrich.Wiemers@t-systems.com