I have installed syslog-ng 3.5 and I am configuring it to send all logs to Graylog but once changes are made syslog-ng is failing. I changed the address of graylog server to 0.0.0.0

@version:3.5
@include "scl.conf"

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    system();
    internal();
    udp(ip(0.0.0.0) port(514));
};

source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max-connections(256));
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

destination d_graylog {
    tcp("0.0.0.0"
        port (12201)
        spoof_sources(yes)
    );
};

filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
                   not (facility(mail)
                   or facility(authpriv)
                   or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
                (facility(news)
                and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

log { source(s_net); destination(d_graylog); };
log { source(s_sys); filter(f_default); destination(d_graylog); };

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
Hello,

If you start syslog-ng with -Fe it might give you a clue. Also 0.0.0.0 is a non-routable address, so it is fine for a source, not so much for a destination; you should check out on which IP graylog is listening. If it is 0.0.0.0 you could use the loopback device 120.0.0.1 (or another valid IP, but lo would be preferable).

-- Kokan

On Wed, 10 Oct 2018, 10:57 pm Rodney Bizzell, <hardworker30@gmail.com> wrote:
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
I just changed my information on my graylog box; 0.0.0.0 isn't what I had in there. The way the config is, did that look syntactically correct?

On Thu, Oct 11, 2018, 12:26 AM Péter, Kókai <peter.kokai@oneidentity.com> wrote:
Dear Rodney Bizzell,

sorry for the misunderstanding; now it is clear to us that you anonymised your config. Just a note: it is preferable to use different masking addresses for different original IPs, i.e. I cannot check this source: "udp(ip(0.0.0.0) port(514));"

Back to your problem. It is not clear to me what you mean by "once changes are made syslog-ng is failing". Is it not starting up at all? Or just not forwarding logs to your Graylog server?

Br,
Laci

On Thu, Oct 11, 2018 at 2:03 PM, Rodney Bizzell <hardworker30@gmail.com> wrote:
It isn't starting up at all. Once I add those changes to the config it says invalid syntax.

On Thu, Oct 11, 2018 at 9:22 AM Szemere, László <laszlo.szemere@oneidentity.com> wrote:
Dear Rodney Bizzell,

if you start syslog-ng with the following options:
-F (foreground)
-d (debug)
-e (stderr)
-v (verbose)
it will provide verbose information during startup. It will help a lot to figure out the root cause of the problem.

Note: if you have the option to update your syslog-ng version: since 3.15.1 (PR: https://github.com/balabit/syslog-ng/pull/1932) syslog-ng will point out the exact location of syntax errors.

Br,
Laci

On Thu, Oct 11, 2018 at 3:38 PM, Rodney Bizzell <hardworker30@gmail.com> wrote:
Ok, I have syslog-ng 3.5.

On Thu, Oct 11, 2018, 10:43 AM Szemere, László <laszlo.szemere@oneidentity.com> wrote:
Dear Rodney Bizzell,

I started a freshly built syslog-ng from the latest revision of the OSE master with your config (I used dbld for this), and it immediately pointed out one syntax error:

Error parsing afsocket, inner-dest plugin spoof_sources not found in /source/syslog-ng.conf:
45
46
47      destination d_graylog {
48          tcp("0.0.0.0"
49              port (12201)
50---->         spoof_sources(yes)
50---->         ^^^^^^^^^^^^^
51          );
52      };
53
54
55      filter f_kernel { facility(kern); };

Since you did not provide any error message/output from your instance, I cannot investigate it any further currently. If you encounter any other issue, please try to provide as much information as you can, including at least the:
- platform
- syslog-ng version
- installation source (custom built, OBS repository, etc...)
- configuration
- output from syslog-ng
- network setup (if the problem cannot be reproduced with the loopback interface only)

Br,
Laci

On Thu, Oct 11, 2018 at 6:01 PM, Rodney Bizzell <hardworker30@gmail.com> wrote:
Ok I have 3.5 syslog-ng
On Thu, Oct 11, 2018, 10:43 AM Szemere, László < laszlo.szemere@oneidentity.com> wrote:
Dear Rodney Bizzel,
if you start syslog-ng with the following options: -F (foreground) -d (debug) -e (stderr) -v (verbose), it will provide verbose information during the startup. It will help a lot to figure out the root cause of the problem.
Note: If you have the option to update your syslog-ng version: Since 3.15.1 (PR: https://github.com/balabit/syslog-ng/pull/1932) syslog-ng will point out the exact location of syntax errors.
Br, Laci
On Thu, Oct 11, 2018 at 3:38 PM, Rodney Bizzell <hardworker30@gmail.com> wrote:
It isn't starting up at all once I add those changes to the config it says invalid syntax
On Thu, Oct 11, 2018 at 9:22 AM Szemere, László < laszlo.szemere@oneidentity.com> wrote:
Dear Rodney Bizzell, sorry for the misunderstanding, now it is clear for us, that you anonymised your config. just a note: it is preferable to use different masking addresses for different original IP's. i.e.: I can not check this source: "udp(ip(0.0.0.0) port(514));"
Back to your problem. It is not clear for me what do you mean by "once changes are made syslog-ng is failing" It is not starting up at all? Or just not forwarding logs to your Graylog server?
Br, Laci
On Thu, Oct 11, 2018 at 2:03 PM, Rodney Bizzell <hardworker30@gmail.com> wrote:
I just changed my information on my graylog box 0.0.0.0 isn't what I had in there. The way the config is did that look syntax correctly
On Thu, Oct 11, 2018, 12:26 AM Péter, Kókai < peter.kokai@oneidentity.com> wrote:
Hello,
If you start syslog-ng with -Fe it might give you a clue. Also 0.0.0.0 is a non-routable address, so it is fine for a source, not so much for a destination. You should check out on which IP Graylog is listening; if it is 0.0.0.0 you could use the loopback device 120.0.0.1 (or other valid IP, but lo would be preferable).
-- Kokan
On Wed, 10 Oct 2018, 10:57 pm Rodney Bizzell, <hardworker30@gmail.com> wrote:
> I have installed syslog-ng 3.5 and I am configuring it to send all logs to Graylog, but once changes are made syslog-ng is failing. I changed the address of the graylog server to 0.0.0.0
>
> @version:3.5
> @include "scl.conf"
>
> # syslog-ng configuration file.
> #
> # This should behave pretty much like the original syslog on RedHat. But
> # it could be configured a lot smarter.
> #
> # See syslog-ng(8) and syslog-ng.conf(5) for more information.
> #
> # Note: it also sources additional configuration files (*.conf)
> # located in /etc/syslog-ng/conf.d/
>
> options {
> flush_lines (0);
> time_reopen (10);
> log_fifo_size (1000);
> chain_hostnames (off);
> use_dns (no);
> use_fqdn (no);
> create_dirs (no);
> keep_hostname (yes);
> };
>
> source s_sys {
> system();
> internal();
> udp(ip(0.0.0.0) port(514));
> };
>
> source s_net {
> udp(ip(0.0.0.0) port(514));
> tcp(ip(0.0.0.0) port(514) max-connections(256));
> };
>
> destination d_cons { file("/dev/console"); };
> destination d_mesg { file("/var/log/messages"); };
> destination d_auth { file("/var/log/secure"); };
> destination d_mail { file("/var/log/maillog" flush_lines(10)); };
> destination d_spol { file("/var/log/spooler"); };
> destination d_boot { file("/var/log/boot.log"); };
> destination d_cron { file("/var/log/cron"); };
> destination d_kern { file("/var/log/kern"); };
> destination d_mlal { usertty("*"); };
>
> destination d_graylog {
> tcp("0.0.0.0"
> port (12201)
> spoof_sources(yes)
> );
> };
>
> filter f_kernel { facility(kern); };
> filter f_default { level(info..emerg) and
> not (facility(mail)
> or facility(authpriv)
> or facility(cron)); };
> filter f_auth { facility(authpriv); };
> filter f_mail { facility(mail); };
> filter f_emergency { level(emerg); };
> filter f_news { facility(uucp) or
> (facility(news)
> and level(crit..emerg)); };
> filter f_boot { facility(local7); };
> filter f_cron { facility(cron); };
>
> #log { source(s_sys); filter(f_kernel); destination(d_cons); };
> log { source(s_sys); filter(f_kernel); destination(d_kern); };
> log { source(s_sys); filter(f_default); destination(d_mesg); };
> log { source(s_sys); filter(f_auth); destination(d_auth); };
> log { source(s_sys); filter(f_mail); destination(d_mail); };
> log { source(s_sys); filter(f_emergency); destination(d_mlal); };
> log { source(s_sys); filter(f_news); destination(d_spol); };
> log { source(s_sys); filter(f_boot); destination(d_boot); };
> log { source(s_sys); filter(f_cron); destination(d_cron); };
>
> log { source(s_net); destination(d_graylog); };
> log { source(s_sys); filter(f_default); destination(d_graylog);};
>
> # Source additional configuration files (.conf extension only)
> @include "/etc/syslog-ng/conf.d/*.conf"
>
> # vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
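As an added example (not code from the thread, nor from the syslog-ng project), the following POSIX shell script is a pre-flight check for the two points raised in Laci's and Kokan's replies: 0.0.0.0 used as the peer address of a destination, and a spoof-source option placed inside a tcp() destination (the option is spelled spoof-source(), it belongs to udp() destinations, and it needs a libnet-enabled build). After the lint it hands the file to syslog-ng's own parser with --syntax-only when the binary is present. The two destination blocks are constructed from the config posted above; GRAYLOG_IP is a placeholder for the address Graylog actually listens on.

```shell
#!/bin/sh
# Added example: pre-flight check for a syslog-ng destination block, then the
# real parser. Not part of the thread or of syslog-ng itself.

# Constructed sample: the d_graylog destination exactly as posted.
BROKEN_CONF='destination d_graylog {
    tcp("0.0.0.0"
        port (12201)
        spoof_sources(yes)
    );
};'

# Constructed sample: the same destination with both problems removed.
# GRAYLOG_IP is a placeholder for the real server address.
FIXED_CONF='destination d_graylog {
    tcp("GRAYLOG_IP" port(12201));
};'

# lint_destinations FILE
# Prints one finding per line; returns 1 when anything was found, 0 otherwise.
# Only destination blocks are inspected: 0.0.0.0 is a fine bind address for a
# source, it just cannot be connected to as a peer.
lint_destinations() {
    _out=$(awk '
        /^[ \t]*destination[ \t]/ { in_dest = 1; name = $2 }
        in_dest && /0\.0\.0\.0/ {
            print "destination " name ": 0.0.0.0 is not a routable peer address"
        }
        in_dest && /spoof[_-]sources?[ \t]*\(/ {
            print "destination " name ": spoof-source() is a udp() option, tcp() does not accept it"
        }
        /};[ \t]*$/ { in_dest = 0 }
    ' "$1")
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# syntax_check FILE
# Returns syslog-ng's own verdict (0 = parses cleanly), or 2 when the binary
# is not installed, so a caller can tell "not checked" from "failed".
syntax_check() {
    command -v syslog-ng >/dev/null 2>&1 || return 2
    syslog-ng --syntax-only -f "$1"
}

# Stand-alone demo: write both constructed samples to a temp dir and check them.
demo() {
    _dir=$(mktemp -d)
    printf '%s\n' "$BROKEN_CONF" > "$_dir/broken.conf"
    printf '%s\n' "$FIXED_CONF" > "$_dir/fixed.conf"
    for _f in broken fixed; do
        echo "== $_f.conf"
        if lint_destinations "$_dir/$_f.conf"; then
            echo "lint: ok"
        fi
        _rc=0
        syntax_check "$_dir/$_f.conf" >/dev/null 2>&1 || _rc=$?
        case $_rc in
            0) echo "syslog-ng --syntax-only: ok" ;;
            2) echo "syslog-ng not installed; skipping --syntax-only" ;;
            *) echo "syslog-ng --syntax-only: failed (exit $_rc)" ;;
        esac
    done
    rm -rf "$_dir"
}

demo
```

The lint only catches the two mistakes this thread is about; --syntax-only is the authoritative parse check, and once the file parses, `syslog-ng -Fdev -f /etc/syslog-ng/syslog-ng.conf` (as Laci suggested) is what shows runtime problems such as a refused connection to the Graylog port, which a parse-only check never reports.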
Ok great

On Thu, Oct 11, 2018, 3:25 PM Szemere, László <laszlo.szemere@oneidentity.com> wrote:
I appreciate all your help. I will reconfigure and try again. I appreciate all your help and your responses when I email.

On Thu, Oct 11, 2018, 3:25 PM Szemere, László <laszlo.szemere@oneidentity.com> wrote:
Should I make a change to the config?

On Thu, Oct 11, 2018, 3:25 PM Szemere, László <laszlo.szemere@oneidentity.com> wrote:
Really?

On Thu, 11 Oct 2018, 22:38 Rodney Bizzell, <hardworker30@gmail.com> wrote:
Should I make a change to the config
On Thu, Oct 11, 2018, 3:25 PM Szemere, László < laszlo.szemere@oneidentity.com> wrote:
Dear Rodney Bizzell, I started a freshly built syslog-ng from the latest revision from the OSE master with your config (I used dbld for this.), and it immediatelly pointed out one syntax error:
Error parsing afsocket, inner-dest plugin spoof_sources not found in /source/syslog-ng.conf: 45 46 47 destination d_graylog { 48 tcp("0.0.0.0" 49 port (12201) 50----> spoof_sources(yes) 50----> ^^^^^^^^^^^^^ 51 ); 52 }; 53 54 55 filter f_kernel { facility(kern); };
Since you did not provide any error message/output from your instance, I cannot investigate it any further currently.
If you encounter any other issue, please try to provide as much information as you can, including at least the:
- platform
- syslog-ng version
- installation source (custom built, OBS repository, etc.)
- configuration
- output from syslog-ng
- network setup (if the problem cannot be reproduced with the loopback interface only)
Br, Laci
On Thu, Oct 11, 2018 at 6:01 PM, Rodney Bizzell <hardworker30@gmail.com> wrote:
Ok I have 3.5 syslog-ng
On Thu, Oct 11, 2018, 10:43 AM Szemere, László <laszlo.szemere@oneidentity.com> wrote:
Dear Rodney Bizzell,
If you start syslog-ng with the following options:
-F (foreground)
-d (debug)
-e (stderr)
-v (verbose)
it will provide verbose information during the startup. It will help a lot to figure out the root cause of the problem.
Note: If you have the option to update your syslog-ng version: Since 3.15.1 (PR: https://github.com/balabit/syslog-ng/pull/1932) syslog-ng will point out the exact location of syntax errors.
Br, Laci
On Thu, Oct 11, 2018 at 3:38 PM, Rodney Bizzell <hardworker30@gmail.com> wrote:
It isn't starting up at all. Once I add those changes to the config it says invalid syntax.
On Thu, Oct 11, 2018 at 9:22 AM Szemere, László <laszlo.szemere@oneidentity.com> wrote:
Dear Rodney Bizzell, sorry for the misunderstanding; now it is clear to us that you anonymised your config. Just a note: it is preferable to use different masking addresses for different original IPs, i.e. I cannot check this source: "udp(ip(0.0.0.0) port(514));"
Back to your problem. It is not clear to me what you mean by "once changes are made syslog-ng is failing". Is it not starting up at all? Or is it just not forwarding logs to your Graylog server?
Br, Laci
I will retest my config.
On Thu, Oct 11, 2018, 3:41 PM Salih Haji <salihhaji631@gmail.com> wrote:
Really?
Ultimately I want to have syslog-ng running with ipvsadm so I can send logs from the legacy system to my new k8s Graylog that is running in production. So I need to set up syslog-ng to talk to Graylog.
On Thu, Oct 11, 2018 at 9:22 AM Szemere, László <laszlo.szemere@oneidentity.com> wrote:
Dear Rodney Bizzell, sorry for the misunderstanding; now it is clear to us that you anonymised your config. Just a note: it is preferable to use different masking addresses for different original IPs, i.e. I cannot check this source: "udp(ip(0.0.0.0) port(514));"
Back to your problem. It is not clear to me what you mean by "once changes are made syslog-ng is failing". Is it not starting up at all? Or is it just not forwarding logs to your Graylog server?
Br, Laci
On Thu, Oct 11, 2018 at 2:03 PM, Rodney Bizzell <hardworker30@gmail.com> wrote:
I just changed my information on my graylog box; 0.0.0.0 isn't what I had in there. The way the config is, does that look syntactically correct?
On Thu, Oct 11, 2018, 12:26 AM Péter, Kókai <peter.kokai@oneidentity.com> wrote:
Hello,
If you start syslog-ng with -Fe it might give you a clue. Also 0.0.0.0 is a non-routable address, so it is fine for a source, not so much for a destination. You should check out on which IP Graylog is listening; if it is 0.0.0.0 you could use the loopback device 120.0.0.1 (or another valid IP, but lo would be preferable).
-- Kokan
On Wed, 10 Oct 2018, 10:57 pm Rodney Bizzell, <hardworker30@gmail.com> wrote:
I have installed syslog-ng 3.5 and I am configuring it to send all logs to Graylog, but once changes are made syslog-ng is failing. I changed the address of the graylog server to 0.0.0.0.
@version:3.5
@include "scl.conf"

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
# located in /etc/syslog-ng/conf.d/

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    system();
    internal();
    udp(ip(0.0.0.0) port(514));
};

source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max-connections(256));
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

destination d_graylog {
    tcp("0.0.0.0"
        port (12201)
        spoof_sources(yes)
    );
};

filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
    not (facility(mail)
    or facility(authpriv)
    or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
    (facility(news)
    and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

log { source(s_net); destination(d_graylog); };
log { source(s_sys); filter(f_default); destination(d_graylog);};

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
I have syslog-ng running now. How can I test to see if logs will be sent to my graylog server? Also, can someone take a peek at my config to make sure it is production ready? I will be changing some things such as the IP address to use a DNS name instead.

@version:3.5
@include "scl.conf"

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
# located in /etc/syslog-ng/conf.d/

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (250000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    system();
    internal();
    # udp(ip(0.0.0.0) port(514));
};

source s_net {
    udp(ip(0.0.0.0) port(514));
    #tcp(ip(0.0.0.0) port(514) max-connections(256));
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

destination d_graylog {
    tcp("10.240.1.35"
        port (12201)
    );
};

filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
    not (facility(mail)
    or facility(authpriv)
    or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
    (facility(news)
    and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };

log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

log { source(s_net); destination(d_graylog); };
log { source(s_sys); filter(f_default); destination(d_graylog);};

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:

On Thu, Oct 11, 2018 at 12:26 AM Péter, Kókai <peter.kokai@oneidentity.com> wrote:
Hello,
If you start syslog-ng with -Fe it might give you a clue. Also 0.0.0.0 is a non-routable address, so it is fine for a source, not so much for a destination. You should check out on which IP Graylog is listening; if it is 0.0.0.0 you could use the loopback device 120.0.0.1 (or another valid IP, but lo would be preferable).
-- Kokan
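As an added example (not part of the thread or of syslog-ng itself), here is a small lint script that checks a config for the three things this thread turned up before you hand it to syslog-ng: the spoof_sources option that the parser rejected inside a tcp() destination, a destination pointing at 0.0.0.0, and the same udp 0.0.0.0:514 bound by two sources (the first config binds it in both s_sys and s_net; the second config comments one out). It is regex based and assumes hand-written configs like the ones posted; the two embedded sample configs are constructed from the network-related pieces of the two postings.

```python
"""Lint a syslog-ng config for the three problems that surface in this thread.

Added example, not part of the thread or of syslog-ng; regex based and aimed
at hand-written configs like the ones posted. Checks:
  1. a tcp()/tcp6() destination carrying spoof_source(s): the option the
     parser rejected ("inner-dest plugin spoof_sources not found"); syslog-ng
     accepts spoof-source() only on udp()/udp6() destinations;
  2. a destination pointing at 0.0.0.0 (or ::), fine as a bind address for a
     source but never routable as a destination;
  3. two sources binding the same driver, ip and port: the first config binds
     udp 0.0.0.0:514 in both s_sys and s_net, the second comments one out.
"""
import re

NET_DRIVERS = re.compile(r'\b(udp6?|tcp6?|network|syslog)\s*\(')
BLOCK = re.compile(r'\b(source|destination)\s+([\w-]+)\s*\{(.*?)\};', re.S)


def driver_calls(body):
    """Yield (driver, args) for each network driver call in a block body,
    matching parentheses so nested ip()/port() options stay intact."""
    for m in NET_DRIVERS.finditer(body):
        depth, i = 1, m.end()
        while i < len(body) and depth:
            depth += {'(': 1, ')': -1}.get(body[i], 0)
            i += 1
        yield m.group(1), body[m.end():i - 1]


def address_of(args):
    """Destinations name the host as a quoted first argument, sources give the
    bind address in ip(); both use port(). Returns (host, port)."""
    quoted = re.match(r'\s*"([^"]*)"', args)
    ip = re.search(r'\bip\s*\(\s*"?([^")\s]+)"?\s*\)', args)
    port = re.search(r'\bport\s*\(\s*(\d+)\s*\)', args)
    host = quoted.group(1) if quoted else (ip.group(1) if ip else None)
    return host, (int(port.group(1)) if port else None)


def lint(config):
    """Return a list of human-readable findings; an empty list means clean."""
    text = re.sub(r'#[^\n]*', '', config)  # drop comments before parsing
    findings, bound = [], {}
    for kind, name, body in BLOCK.findall(text):
        for drv, args in driver_calls(body):
            host, port = address_of(args)
            where = f'{kind} {name}: {drv}()'
            if kind == 'destination':
                if drv.startswith('tcp') and re.search(r'\bspoof[-_]sources?\s*\(', args):
                    findings.append(f'{where} uses spoof-source(), which only '
                                    'udp()/udp6() accept; the config will not parse')
                if host in ('0.0.0.0', '::'):
                    findings.append(f'{where} points at {host}, which is not a '
                                    'routable destination address')
            else:
                key = (drv, host, port)
                if key in bound:
                    findings.append(f'{where} binds {host}:{port}, already bound by '
                                    f'{bound[key]}; the second bind will fail')
                else:
                    bound[key] = where
    return findings


# Constructed sample: the network-related pieces of the first config posted.
SAMPLE_BROKEN = '''
source s_sys { system(); internal(); udp(ip(0.0.0.0) port(514)); };
source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max-connections(256));
};
destination d_graylog { tcp("0.0.0.0" port (12201) spoof_sources(yes) ); };
'''

# Constructed sample: the same pieces after the changes in the second config
# posted (10.240.1.35 is the Graylog address given there).
SAMPLE_FIXED = '''
source s_sys { system(); internal();
    # udp(ip(0.0.0.0) port(514));
};
source s_net {
    udp(ip(0.0.0.0) port(514));
    #tcp(ip(0.0.0.0) port(514) max-connections(256));
};
destination d_graylog { tcp("10.240.1.35" port (12201) ); };
'''

if __name__ == '__main__':
    for label, sample in (('broken', SAMPLE_BROKEN), ('fixed', SAMPLE_FIXED)):
        found = lint(sample)
        print(f'{label}: {len(found)} finding(s)')
        for item in found:
            print('  -', item)
```

For a live check of delivery, start syslog-ng with -Fdev as Laci suggests and watch the startup output for connection errors on the d_graylog destination.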
participants (4)
- Péter, Kókai
- Rodney Bizzell
- Salih Haji
- Szemere, László