Server conf for syslog-ng.conf
Hi,
Can somebody show me a sample set-up for a server syslog-ng.conf? I'm trying to use this config but it's complaining on s_network:
@version:3.0
options {
time_reap(30);
mark_freq(10);
keep_hostname(yes);
};
source s_local { unix-stream("/dev/log"); internal();};
source s_network { syslog(transport(tcp))};
destination d_logs {
file(
"/var/log/syslog-ng/logs.txt"
owner("root")
group("root")
perm(0777)
); };
log { source(s_local); source(s_network); destination(d_logs); };
What am I missing here?
Thanks and regards,
Agustin Lozada
UNIX System Admin
713-207-2474
On Thu, Mar 18, 2010 at 11:29 AM, Lozada, Agustin T < Agustin.Lozada@centerpointenergy.com> wrote:
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
Hi,
Where'd you get that example?? Check out the admin guide here: http://www.balabit.com/dl/guides/syslog-ng-v3.0-guide-admin-en.pdf
Page 34 has a simple example of a network source listening on port 1999:
source s_demo_tcp { tcp(ip(10.1.2.3) port(1999)); };
--
Lance Laursen
Demonware Systems Engineer
Hi,
replace this line:
source s_network { syslog(transport(tcp))};
with this one (missing semicolon at the end of the last bracket):
source s_network { syslog(transport(tcp));};
On 2010.03.18. 19:29, Lozada, Agustin T wrote:
-- pzolee
I got that part fixed, thanks Zoltan. My next question is: I set up this box (AIX 5.3) to be the central server and configured a client to forward syslog, and it looks like the client is doing it:
# /usr/sbin/syslogd -d
0821-600 /usr/sbin/syslogd: continuing without SRC support
syslogd: bind: errno = 67
logmsg: pri 53, flags 8, from t01labax08, msg syslogd: bind: errno = 67
off & running....
init
cfline(*.debug @10.13.6.83)
cfline(*.debug;mail.none @10.13.6.83)
cfline(*.crit @10.13.6.83)
cfline(mail.debug @10.13.6.83 )
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FORW: 10.13.6.83
7 7 X 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FORW: 10.13.6.83
2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 X FORW: 10.13.6.83
X X 7 X X X X X X X X X X X X X X X X X X X X X X FORW: 10.13.6.83
logmsg: pri 56, flags 8, from t01labax08, msg syslogd: restart
Logging to FORW 10.13.6.83
Logging to FORW 10.13.6.83
syslogd: restarted
readfds = 0x10
got a message (-1, 0x10)
readfds = 0x10
got a message (-1, 0x10)
10.13.6.83 is my designated server and it seems it is not getting the forwarded log messages; here is my syslog.conf for remote logging:
source s_tcp {
# syslog(transport(tcp));
udp(ip(10.13.6.83) port(514));
tcp(ip(10.13.6.83) port(5149) max-connections(333));
};
destination d_tcp {
file("/var/log/messages_tcp" owner("root") group("adm") perm(0640));
};
I do not see any traffic from my client t01labax08 going to my syslog server, and /var/log/messages_tcp has not even been created. Again, what am I missing here? Sorry, I'm a syslog-ng newbie here....
Thanks and regards,
Agustin Lozada
UNIX System Admin
713-207-2474
From: Zoltán Pallagi [mailto:pzolee@balabit.hu]
Sent: Thursday, March 18, 2010 1:42 PM
To: Syslog-ng users' and developers' mailing list; Lozada, Agustin T
Subject: Re: [syslog-ng] Server conf for syslog-ng.conf
I hope, in fact, your full config looks like this one, doesn't it?
source s_tcp {
# syslog(transport(tcp));
udp(ip(10.13.6.83) port(514));
tcp(ip(10.13.6.83) port(5149) max-connections(333));
};
destination d_tcp {
file("/var/log/messages_tcp" owner("root") group("adm") perm(0640));
};
*log { source(s_tcp); destination(d_tcp); };*
If it is true, you can try the following things:
- listen on all addresses of this host: udp(port(514));
- start syslog-ng in debug mode (syslog-ng -Fevd) and you should see the incoming syslogd logs. For example:
root@thor:/opt/syslog-ng# sbin/syslog-ng -Fevd
Server license found, starting in server mode; customer='BalaBit IT Kft.', serial='708005-000000-2c8926', limit='-1'
Running application hooks; hook='1'
Running application hooks; hook='3'
syslog-ng starting up; version='3.1.0', cfg-fingerprint='5b1cb89509fcbe41d22634f2bce20323d2c87a55', cfg-nonce-ndx='0', cfg-signature='866ce1c9eac64d70356b90b0b4da411ae323c73b'
Incoming log entry; line='<46>syslogd 1.5.0#5ubuntu4: restart.'
Initializing destination file writer; template='/var/log/messages', filename='/var/log/messages'
If no "Incoming log entry..." line is there, then syslogd doesn't send logs to syslog-ng, and probably the reason for this behaviour is on the client side, or at least (I hope) you will see what the problem is.
If these solutions don't help you, please send me the version of your syslog-ng (syslog-ng -V) and the above debug output of syslog-ng.
Lozada, Agustin T wrote:
-- pzolee
participants (3)
- Lance Laursen
- Lozada, Agustin T
- Zoltán Pallagi