weird problems logging kern.notice with syslog-ng
Hi. I am running the latest syslog-ng under Solaris 2.7 and I'm having problems getting it to do anything with messages of type "kern.notice".

Here are the relevant lines in my syslog-ng conf:

filter f_auth { facility(auth); };
filter f_kern { facility(kern); };
filter f_notice { level(notice); };

destination messages { file("/var/adm/messages"); };
destination syslog { file("/var/log/syslog"); };
destination authlog { file("/var/log/authlog"); };
destination remote { tcp("xxx.xxx.xxx.xxx" port(514) ); };

# kern.notice /dev/console
log { source("system"); filter("f_kern"); filter("f_notice");
      destination("console"); destination("messages"); destination("remote"); };

# auth.notice /dev/console
log { source("system"); filter("f_auth"); filter("f_notice");
      destination("console"); destination("authlog"); destination("messages");
      destination("remote"); };

---

Notice that the auth.notice and kern.notice areas are identical, except for the f_kern vs. f_auth filters.

--
[happy] /var/adm # logger -p auth.notice AUTH NOTICE TEST #5
[happy] /var/adm # logger -p kern.notice KERN NOTICE TEST #5
[happy] /var/adm # tail messages
Jun 8 11:19:32 system@w4 root: AUTH NOTICE TEST #5
--

Anyone have any idea why syslog-ng is picking up auth notice just fine and not picking up kern notice?

Thanks!

-RC

On Thu, Jun 08, 2000 at 11:20:15AM -0700, Robert Coli wrote:
> --
> [happy] /var/adm # logger -p auth.notice AUTH NOTICE TEST #5
> [happy] /var/adm # logger -p kern.notice KERN NOTICE TEST #5
> [happy] /var/adm # tail messages
> Jun 8 11:19:32 system@w4 root: AUTH NOTICE TEST #5
> --
>
> Anyone have any idea why syslog-ng is picking up auth notice just fine and not picking up kern notice?

I had problems with this earlier too.. if you read syslog(3), it says something to the effect that LOG_KERN messages can only come from the kernel. You are not the kernel (not even if you are root). The kern.notice is turned into user.notice. The same goes for the whole kern facility...

To confirm this isn't a syslog-ng quirk (it isn't), run syslogd at the same time (you can do this if you are using the syslog IPC door). Syslogd also will log your kernel syslog message using the user facility.

To convince yourself that kernel messages get logged at all you can reboot the machine (kern.info), or fill a drive up (kern.???).

----------------------------------------------------------------------------
   __o     Bradley Arlt            Email: arlt@cpsc.ucalgary.ca          o__
 _ \<_                             WWW: www.acs.ucalgary.ca/~bdarlt      _>/ _
(_)/(_)  -Eat well, sleep peacefully, drink lots, and ride like hell.  (_)\(_)

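Added example, not part of the original thread and not code from syslog-ng or any libc: a small C model of the facility rewrite described in the reply above, checked against the f_kern/f_auth plus f_notice log paths from the first message. It assumes the BSD-derived libc rule (facility bits of zero mean "no facility given") and the default facility LOG_USER; the function names are hypothetical.

```c
#include <stdio.h>
#include <syslog.h>

/* Assumption: BSD-derived syslog(3) behaviour. LOG_KERN is facility 0,
 * so a priority carrying it looks like "no facility specified" and libc
 * ORs in the default facility (LOG_USER unless openlog() changed it). */
int effective_pri(int pri, int default_facility)
{
    if ((pri & LOG_FACMASK) == 0)
        pri |= default_facility;
    return pri;
}

/* Mirrors a syslog-ng log path that chains facility(x) and level(y). */
int matches(int pri, int facility, int level)
{
    return (pri & LOG_FACMASK) == facility && (pri & LOG_PRIMASK) == level;
}

/* 1 if a message a user process submits with `requested` would pass a
 * log path filtering on `path_facility` and level(notice), else 0. */
int reaches_path(int requested, int path_facility)
{
    return matches(effective_pri(requested, LOG_USER), path_facility, LOG_NOTICE);
}

int main(void)
{
    int kern = LOG_KERN | LOG_NOTICE;   /* what "logger -p kern.notice" asks for */
    int auth = LOG_AUTH | LOG_NOTICE;   /* what "logger -p auth.notice" asks for */

    printf("kern.notice: requested <%d>, sent as <%d>\n",
           kern, effective_pri(kern, LOG_USER));
    printf("auth.notice: requested <%d>, sent as <%d>\n",
           auth, effective_pri(auth, LOG_USER));
    printf("kern test passes f_kern+f_notice: %d\n", reaches_path(kern, LOG_KERN));
    printf("kern test passes user+notice:     %d\n", reaches_path(kern, LOG_USER));
    printf("auth test passes f_auth+f_notice: %d\n", reaches_path(auth, LOG_AUTH));
    return 0;
}
```

A log path filtering on facility(user) and level(notice) is therefore where the logger test message should be looked for when checking collection coverage.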
Hello. I am attempting to have multiple hosts log to syslog-ng on a centralized host via tcp. This is the line from my config file on the logging host:

---
source remote { tcp(port(<port #>)); max-connections(50) };
---

This does not seem to be a valid syntax for a tcp remote source. In fact, syslog-ng will not start unless I remove the "max-connections(#)" part of that line.

The only note in the docs wrt this directive is here:

---
source s_tcp { tcp(ip(127.0.0.1) port(1999); max-connections(10)); };
---

This is a pretty serious issue, because I am getting tons and tons of these errors:

Jun 19 16:21:40 int@logger syslog-ng[138]: Error accepting AF_INET connection from: ip.ip.ip.ip:60194, opened connections: 10, max: 10

For which, I assume, I need to increase the number of maximum concurrent connections.

Please help.

-RC

> ---
> source remote { tcp(port(<port #>)); max-connections(50) };
> ---

source remote { tcp(port(<port #>) max-connections(100)); };

is the valid statement.

typos stink. it must be a monday.

-RC

Robert,

On Mon, 19 Jun 2000, Robert Coli wrote:
> Hello. I am attempting to have multiple hosts log to syslog-ng on a centralized host via tcp. This is the line from my config file on the logging host :
>
> ---
> source remote { tcp(port(<port #>)); max-connections(50) };
> ---
>
> This does not seem to be a valid syntax for a tcp remote source. In fact, syslog-ng will not start unless I remove the "max-connections(#)" part of that line.
>
> The only notes in the docs wrt this directive is here :
>
> ---
> source s_tcp { tcp(ip(127.0.0.1) port(1999); max-connections(10)); };
> ---

Well, seems that max-connections belongs to the tcp-statement, so you set a closing brace wrong, try:

source remote { tcp(port(<port #>); max-connections(50)); };
                                  ^                   ^^

I have not tried this out, but it should be easy to test.

Markus

--
VIA NET.WORKS Deutschland GmbH   m.warg@via-net-works.de
Bismarckstr. 120   www.via-net-works.de         fon: +49 203 3093-101
D-47057 Duisburg   Deutsches Provider Network   fax: +49 203 3093-112

participants (3): Brad Arlt, Markus Warg, Robert Coli