Re: [syslog-ng] syslog-ng 3.0.8, 3.0.9 not sending logs to centralized log host
As I stated before, I ran tcpdump to monitor the network traffic leaving the client system and then attempted to generate some logs; there was no network traffic beyond SSH and some VMware stuff, so I know it wasn't networking, at least not yet, as the syslog-ng client daemon was not even generating network traffic. Anyway, I did figure out the issue. I was editing the wrong conf file, silly me! I was editing /etc/syslog-ng.conf when I should have been editing /opt/syslog-ng/etc/syslog-ng.conf. A coworker showed me this, proving that I had just been staring at the problem for too long to be able to see the answer ;) Thank you for your help, guys! It helped us get the gears in our heads moving again! On Dec 21, 2010, at 17:09, Alan McKinnon wrote:
Your config appears correct - I use a similar setup on a wide variety of logging clients using all sorts of versions of sysloggers.
So I imagine your problem is more network and less syslog. You don't mention basic networking tests you might have done, such as: can you ping the log host, and can you telnet to the port and get a sensible result? I'd like to establish that packets can at least go from client to server. And don't forget to check silly things like /etc/hosts - I once had a server listed there with address 127.0.0.1... that took an awfully long time to find. [I see your config implies you send to an IP, not a hostname. But still, basic checks are good.]
Apparently, though unproven, at 00:03 on Wednesday 22 December 2010, Jarrett Lee did opine thusly:
This is the client side that I'm having issues with, not the syslog server, or loghost, side. Does it really need network configuration information in the source statement? I thought that was on the server side to show it which interface/port to listen on for clients.
On Dec 21, 2010, at 16:59, Clayton Dukes wrote:
Looks like you need to define UDP or TCP (or both) in your src statement.
Here's a short (hopefully helpful) link to a video for syslog-ng configuration: http://www.logzilla.info/SearchResults.asp?Cat=49
Full disclosure, LogZilla is my log analysis software, but hopefully the video helps.
-- Clayton Dukes
On Tue, Dec 21, 2010 at 4:43 PM, Jarrett Lee <jarrett.lee@oversightsystems.com> wrote:
I have syslog-ng 3.0.9 (also tried 3.0.8) on a CentOS 5.5 system, firewall (iptables) turned off, and SELinux disabled. For some reason it refuses to send logs to my log host, though it will put them in my messages file. I've even broken out tcpdump to monitor the port while generating logs to see if I can see any network traffic generated, but it's crickets on the wire.
Anybody have this problem? Is there something I'm missing, perhaps I've been looking at it for too long and need fresh eyes? I've had this working before on other platforms, Solaris and other distros of Linux, but this time it's kicking my butt...
Here's my syslog-ng.conf (with IP and port redacted):

#### BEGIN syslog-ng.conf ####
@version: 3.0

options { };

source src {
    internal();
    unix-stream("/dev/log");
    file("/proc/kmsg" program_override("kernel: "));
};

destination local { file("/var/log/messages"); };
destination loghost { tcp("IPADDR" port(PORT)); };

log { source(src); destination(local); };
log { source(src); destination(loghost); };
#### END syslog-ng.conf ####
Thanks, Jarrett
Jarrett Lee, UNIX Administrator
OVERSIGHT SYSTEMS | http://www.oversightsystems.com/
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
-- alan dot mckinnon at gmail dot com
On Tue, Dec 21, 2010 at 05:33:03PM -0500, Jarrett Lee wrote:
Anyway, I did figure out the issue. I was editing the wrong conf file, silly me! I was editing /etc/syslog-ng.conf when I should have been editing /opt/syslog-ng/etc/syslog-ng.conf.
This confusion could be avoided in the longer term by creating a syslog-ng RPM using the spec file in the source code, and using this daemon in place of the system log daemon. Then you could install the RPM to all your new machines via kickstart, etc., and upgrade all your old machines with the same RPM. I've done something similar in my (admittedly non-RPM-based) environment. It really does make a big improvement when you package it. If you have a lot of different apps or logging scenarios that are in parallel to each other like we do here, you can write a "stub" syslog-ng configuration file, and use the include directive to include configurations from a directory such as /etc/syslog-ng.conf.d, or something such. Matthew.
If you have a lot of different apps or logging scenarios that are in parallel to each other like we do here, you can write a "stub" syslog-ng configuration file, and use the include directive to include configurations from a directory such as /etc/syslog-ng.conf.d, or something such.
I was unaware of an include directive. This is fantastic! Though I doubt I'll package it, I'll definitely use this to keep all my configs simple by having a default and then having a syslog-ng.conf.local or something.
From: syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Jarrett Lee [jarrett.lee@oversightsystems.com] Sent: Wednesday, December 22, 2010 7:35 AM To: Syslog-ng users' and developers' mailing list Subject: Re: [syslog-ng] syslog-ng 3.0.8, 3.0.9 not sending logs to centralized log host
If you have a lot of different apps or logging scenarios that are in parallel to each other like we do here, you can write a "stub" syslog-ng configuration file, and use the include directive to include configurations from a directory such as /etc/syslog-ng.conf.d, or something such.
I use this basic method for handling different host types in Puppet (a config mgmt tool). I combined it with the sites config directory Apache uses. So I have a configs-available directory where I have *_server, *_relay, *_client files for each of the different types of syslog nodes, and a configs-enabled directory with symlinks to the right files based on the node type. It is working reasonably well. I get a few hiccups from time to time, such as "syslog-ng -s" not catching referenced but undefined objects such as destinations to sources. But overall it works decently enough. Will probably wind up writing a little sanity checker so I know what files are required by which files.
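The two ideas above, Matthew's stub config that pulls fragments in with the include directive and Bill's configs-available/configs-enabled layout with a sanity checker for referenced-but-undefined objects, fit together in one small tool. The following is an added example, not code from the thread or from the syslog-ng project: it builds a constructed available/enabled tree (the file names, the 192.0.2.10 address and the deliberately broken 30-audit_client.conf fragment are all made up for the demo), expands every @include the way syslog-ng would (assumed here: @include accepts a glob pattern or a bare directory), and then reports any source, destination, filter, parser or rewrite name that a log path references but no enabled file defines.

```python
"""Resolve syslog-ng @include directives and flag referenced-but-undefined objects.

Added example; assumes @include takes a glob or a directory.  The file tree
below is constructed for the demo and is not anyone's real configuration.
"""
import glob
import os
import re
import tempfile

INCLUDE_RE = re.compile(r'^\s*@include\s+"([^"]+)"', re.M)
COMMENT_RE = re.compile(r'#.*$', re.M)   # naive: also strips a '#' inside a quoted string
# Object kinds a log{} path refers to by name.
KINDS = ("source", "destination", "filter", "parser", "rewrite")
DEF_RE = re.compile(r'\b(%s)\s+(\w+)\s*\{' % "|".join(KINDS))      # e.g. destination loghost {
REF_RE = re.compile(r'\b(%s)\s*\(\s*(\w+)\s*\)' % "|".join(KINDS))  # e.g. destination(loghost)


def expand_includes(path, seen=None):
    """Return the config text with every @include replaced by the file(s) it names."""
    if seen is None:
        seen = set()
    real = os.path.realpath(path)
    if real in seen:                       # refuse include loops and double-enabled symlinks
        return ""
    seen.add(real)
    with open(path) as fh:
        text = fh.read()
    base = os.path.dirname(real)

    def _sub(match):
        target = match.group(1)
        if not os.path.isabs(target):      # relative paths resolve against the including file
            target = os.path.join(base, target)
        if os.path.isdir(target):          # a bare directory means "every file in it"
            target = os.path.join(target, "*")
        files = sorted(glob.glob(target))
        return "\n".join(expand_includes(f, seen) for f in files if os.path.isfile(f))

    return INCLUDE_RE.sub(_sub, text)


def check_references(text):
    """Map each object kind to the names referenced in log paths but never defined."""
    text = COMMENT_RE.sub("", text)
    defined = {k: set() for k in KINDS}
    for kind, name in DEF_RE.findall(text):
        defined[kind].add(name)
    undefined = {k: set() for k in KINDS}
    for kind, name in REF_RE.findall(text):
        if name not in defined[kind]:
            undefined[kind].add(name)
    return {k: v for k, v in undefined.items() if v}


def lint(stub_path):
    """Expand includes from the stub and return the undefined-reference map (empty = clean)."""
    return check_references(expand_includes(stub_path))


# ---- constructed sample tree (demo data, not the poster's files) ----
STUB = '''@version: 3.0
options { };
source src { internal(); unix-stream("/dev/log"); file("/proc/kmsg" program_override("kernel: ")); };
# everything host-type specific lives in the enabled fragments
@include "configs-enabled/*.conf"
'''
AVAILABLE = {
    "10-local_client.conf": 'destination local { file("/var/log/messages"); };\n'
                            'log { source(src); destination(local); };\n',
    "20-loghost_client.conf": 'destination loghost { tcp("192.0.2.10" port(514)); };\n'
                              'log { source(src); destination(loghost); };\n',
    # Broken on purpose: references a filter and a destination nothing defines.
    "30-audit_client.conf": 'log { source(src); filter(f_auth); destination(audit_host); };\n',
    "90-relay_server.conf": 'source s_net { tcp(port(514)); };\n',   # available but not enabled
}
ENABLED = ("10-local_client.conf", "20-loghost_client.conf", "30-audit_client.conf")


def build_sample_tree(root):
    """Write the stub plus configs-available/configs-enabled under root; return the stub path."""
    avail = os.path.join(root, "configs-available")
    enabled = os.path.join(root, "configs-enabled")
    os.makedirs(avail)
    os.makedirs(enabled)
    for name, body in AVAILABLE.items():
        with open(os.path.join(avail, name), "w") as fh:
            fh.write(body)
    for name in ENABLED:                   # enabling = symlinking, as with Apache's sites-enabled
        os.symlink(os.path.join(avail, name), os.path.join(enabled, name))
    stub = os.path.join(root, "syslog-ng.conf")
    with open(stub, "w") as fh:
        fh.write(STUB)
    return stub


def demo():
    """Build the sample tree in a temp dir and lint it."""
    return lint(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for kind, names in sorted(demo().items()):
        print("undefined %s: %s" % (kind, ", ".join(sorted(names))))
```

Run it against a real stub with lint("/opt/syslog-ng/etc/syslog-ng.conf") (or wherever the daemon actually reads its config, which was the whole problem in this thread) before "syslog-ng -s"; the regexes are deliberately loose, so treat a clean result as a first pass and the syntax check as the authority.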
participants (3):
- Bill Anderson
- Jarrett Lee
- Matthew Hall