Re: [syslog-ng] syslog-ng Digest, Vol 39, Issue 20
Hello Bazsi,

I did some more observation and I have the following more precise inputs:

1) The same config file is working correctly on my lab Solaris v240 machine. Filtered syslog is sent to the destined user only.
2) In production the destined user is receiving logs twice (2 copies). It means one copy for itself because it is the destination user, and a 2nd copy because all users are copied.
3) If you telnet to the server and don't even enter login/password, you still start receiving a copy of the message.

Please help !

Anurag aggarwal

-----Original Message-----
From: Anurag Agarwal
Sent: Thursday, July 24, 2008 4:54 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: RE: syslog-ng Digest, Vol 39, Issue 20

Thanks Bazsi for the reply. The relevant portion is below

**************************************************************
destination console { usertty("wimaxnoc"); };
filter ps_nt_re { match("PS NOT REACHABLE"); };
log { source(network); filter(ps_nt_re); destination(console); };
**************************************************************

Please help.

Anurag aggarwal

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of syslog-ng-request@lists.balabit.hu
Sent: Thursday, July 24, 2008 3:30 PM
To: syslog-ng@lists.balabit.hu
Subject: syslog-ng Digest, Vol 39, Issue 20

Send syslog-ng mailing list submissions to
	syslog-ng@lists.balabit.hu

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.balabit.hu/mailman/listinfo/syslog-ng
or, via email, send a message with subject or body 'help' to
	syslog-ng-request@lists.balabit.hu

You can reach the person managing the list at
	syslog-ng-owner@lists.balabit.hu

When replying, please edit your Subject line so it is more specific than "Re: Contents of syslog-ng digest..."

Today's Topics:

   1. Re: Re : Re : Re : Syslogd + Syslog-ng (Christopher Cashell)
   2. Re: Re : Re : Re : Syslogd + Syslog-ng (Leandro Ferreira da Silva)
   3. Re: Using regexp in match() (Balazs Scheidler)
   4. Re: Usertty sending messages to all user and without login also (Balazs Scheidler)

----------------------------------------------------------------------

Message: 1
Date: Wed, 23 Jul 2008 10:04:34 -0500
From: Christopher Cashell <ChristopherCashell@solutionary.com>
Subject: Re: [syslog-ng] Re : Re : Re : Syslogd + Syslog-ng
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <48874882.8070904@solutionary.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Leandro Ferreira da Silva did thus speak on 7/23/2008 7:14 AM:
The configuration is the standard one, I only made the following changes.
# sources
source src {
    unix-dgram("/var/run/log");
    unix-dgram("/var/run/logpriv" perm(0600));
    udp();
    internal();
    file("/dev/klog");
};

I added this:

source r_src { udp(ip("*client.domain*") port(514)); };
Here's your problem. For src, you define 'udp()' as one of your log sources, without including any specific options for it. This will cause syslog-ng to go with its defaults for udp(), which is to bind to *all* IP addresses assigned to the box, on port 514.

Then, for r_src, you are telling syslog-ng to bind to a specific IP address on the box and port 514. When syslog-ng attempts to start, it will fail with the error message you received because that ip/port is already in use (by the source src, which is bound to all IPs).

Unless you have a need to bind to a specific IP address on the box, I'd recommend removing 'udp();' from src, and replacing the current 'udp(ip("*client.domain*") port(514));' in r_src with 'udp();'.

-- 
Christopher Cashell

------------------------------

Message: 2
Date: Wed, 23 Jul 2008 14:39:03 -0300
From: Leandro Ferreira da Silva <ferreira@iqm.unicamp.br>
Subject: Re: [syslog-ng] Re : Re : Re : Syslogd + Syslog-ng
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <48876CB7.7080909@iqm.unicamp.br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Christopher Cashell wrote:
Leandro Ferreira da Silva did thus speak on 7/23/2008 7:14 AM:
The configuration is the standard one, I only made the following changes.
# sources
source src {
    unix-dgram("/var/run/log");
    unix-dgram("/var/run/logpriv" perm(0600));
    udp();
    internal();
    file("/dev/klog");
};

I added this:

source r_src { udp(ip("*client.domain*") port(514)); };
Here's your problem. For src, you define 'udp()' as one of your log sources, without including any specific options for it. This will cause syslog-ng to go with its defaults for udp(), which is to bind to *all* IP addresses assigned to the box, on port 514.

Then, for r_src, you are telling syslog-ng to bind to a specific IP address on the box and port 514. When syslog-ng attempts to start, it will fail with the error message you received because that ip/port is already in use (by the source src, which is bound to all IPs).
Unless you have a need to bind to a specific IP address on the box, I'd recommend removing 'udp();' from src, and replacing the current 'udp(ip("*client.domain*") port(514));' in r_src with 'udp();'.
It worked!! The real problem was udp() at src.

Thank you very much for all the help... Now I'll go complete my rules.. See you!! =P

------------------------------

Message: 3
Date: Thu, 24 Jul 2008 10:16:27 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [syslog-ng] Using regexp in match()
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Cc: documentation@balabit.com
Message-ID: <1216887387.8130.5.camel@bzorp.balabit>
Content-Type: text/plain; charset=UTF-8

On Tue, 2008-07-22 at 09:45 +0200, Jan Kreps wrote:
------------ Original message ------------
From: Jan Kreps <krepsj@seznam.cz>
Subject: Re: [syslog-ng] Using regexp in match()
Date: 10.7.2008 10:29:35
----------------------------------------
I'm trying to set up a central syslog-ng server for my Exchange servers. On the Windows servers I use the Epilog agent (brother of Snare) to forward tracking logs to the central syslog.

Obviously I had used a bad regexp. The Exchange tracking log uses tabs as delimiters. But when I saved the $MSG string to a text log, the tabs were changed to '\011'.
So now I changed my regexp to use tabs as delimiters:
filter f_parsing { match("([^\t]*)\t([^\t]*)\t"); };
This works like charm and saves first two tab delimited fields (date and time in this case) to $1 and $2.
Some more remarks to subject.
Syslog-ng Administrator guide 1.1.1 Edition from May 2008 says on page 111:
"The regular expressions can use up to 255 regexp matches ($1 ... $255)."
and on page 112:
"Regarding braces around macro names, the following two formats are equivalent "$MSG" and "${MSG}"."
The fact is that for regexp matches greater than 9 it MUST be in ${} format. If you use for instance $12 it resolves as the content of $1 plus the character '2'. I found out that I have to use the ${} syntax from a ChangeLog remark for patch 137. I guess that should be stated in the Admin Guide more clearly. In this respect, the statement "The regular expressions can use up to 255 regexp matches ($1 ... $255)" is not true and should be corrected.
right, this should be fixed in the documentation.
And I have one question about file creation.
When something is logged, a file is created according to destination(). But when I delete the file, it's not created anymore until syslog-ng is restarted. Is that correct/expected behaviour?
I run Debian Etch and syslog-ng 2.0.9-1 from unstable branch (in stable is still version 2.0.0)
Yes, you need to send the HUP signal to syslog-ng in order to reopen log files. This is the way UNIX works (the application does not know about the deletion of a logfile).

-- 
Bazsi

------------------------------

Message: 4
Date: Thu, 24 Jul 2008 10:28:06 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [syslog-ng] Usertty sending messages to all user and without login also
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <1216888086.8130.10.camel@bzorp.balabit>
Content-Type: text/plain

On Wed, 2008-07-23 at 13:39 +0530, Anurag Agarwal wrote:
Hello everybody,

I am using syslog-ng and used usertty in a destination. I am using a user 'test' as the destination. But other users can also see the message on their console, e.g. root and other users. Please help, as this is creating a problem and NG is not working as desired.

OS: Solaris 10
It does work for me. Can you show us the relevant portions of your configuration file?

I tried with this:

source local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); };
destination all { file("/var/log/messages"); };
log { source(local); destination(all); };

destination all_users { usertty("bazsi"); };
filter alert_emerg { level(err..emerg); };
log { source(local); filter(alert_emerg); destination(all_users); };

It correctly printed err..emerg messages on my tty, and not on others.

The relevant portion of the code is here:

#if HAVE_MODERN_UTMP
  if (ut->ut_type == USER_PROCESS &&
      ((self->username->len == 1 && self->username->str[0] == '*') ||
       (self->username->len <= sizeof(ut->ut_user) &&
        memcmp(self->username->str, ut->ut_user, self->username->len) == 0)))
#else
  if ((self->username->len == 1 && self->username->str[0] == '*') ||
      (self->username->len <= sizeof(ut->ut_name) &&
       memcmp(self->username->str, ut->ut_name, self->username->len) == 0))
#endif

I don't see how this condition could match for everyone. Even if the wtmp format is different and ut->ut_name would contain a bogus value, the expected breakage would be to not display anywhere, not to display everywhere.

-- 
Bazsi

------------------------------

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng

End of syslog-ng Digest, Vol 39, Issue 20
*****************************************
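Bazsi's answer in message 3 (a deleted log file is not recreated until syslog-ng gets SIGHUP, because the daemon keeps writing to the descriptor it already holds) is the kind of UNIX behaviour that is worth seeing rather than taking on faith: from the moment the file is unlinked, every line the daemon logs lands in an orphaned inode that nobody can read, and the path only reappears when the daemon closes and reopens it by name. The script below is an added example, not code from this thread or from syslog-ng; the file name, the three syslog-style lines and the temporary directory are constructed for the demonstration, and the close-and-reopen step stands in for what syslog-ng does when it receives HUP.

```python
import os
import tempfile

# How a log daemon opens a file() destination: append, create if missing.
LOG_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_APPEND

# Constructed sample lines (not real log data).
LINE1 = b"Jul 24 10:16:27 host app[1]: line 1, before rm\n"
LINE2 = b"Jul 24 10:16:28 host app[1]: line 2, after rm\n"
LINE3 = b"Jul 24 10:16:29 host app[1]: line 3, after HUP\n"


def write_delete_reopen(path: str) -> dict:
    """Append to a log file, delete it while it is still open, keep writing,
    then close and reopen it by name (what syslog-ng does on SIGHUP).

    Returns the observations a practitioner would check at each step.
    """
    fd = os.open(path, LOG_FLAGS, 0o640)
    os.write(fd, LINE1)

    # Someone removes the file while the daemon still holds it open.
    os.unlink(path)
    exists_after_unlink = os.path.exists(path)

    # The write still succeeds: the descriptor refers to an inode that no
    # longer has a directory entry, so the bytes go where nobody can read them.
    written = os.write(fd, LINE2)
    st = os.fstat(fd)
    ghost = {
        "write_succeeded": written == len(LINE2),
        "links": st.st_nlink,                    # 0: orphaned inode
        "bytes_in_orphan": st.st_size,           # both lines are in here
        "path_recreated": os.path.exists(path),  # still False
    }

    # HUP handling: close the stale descriptor and open the name again, which
    # creates a fresh file. Only lines logged from now on are visible on disk.
    os.close(fd)
    fd = os.open(path, LOG_FLAGS, 0o640)
    os.write(fd, LINE3)
    os.close(fd)
    with open(path, "rb") as f:
        visible = f.read()

    return {
        "exists_after_unlink": exists_after_unlink,
        "ghost": ghost,
        "visible": visible,
    }


def demo() -> dict:
    """Run the scenario in a throwaway directory (constructed input)."""
    with tempfile.TemporaryDirectory() as d:
        return write_delete_reopen(os.path.join(d, "messages"))


if __name__ == "__main__":
    r = demo()
    print("path exists after rm:", r["exists_after_unlink"])
    print("orphaned inode:", r["ghost"])
    print("visible after reopen:", r["visible"].decode().rstrip())
```

The operational lesson is the one Bazsi gives (rotate or remove log files, then HUP the daemon), plus the detection side: a log file that went missing and was never reopened is a silent blackhole, and on Linux the stale descriptor is visible as a `(deleted)` target among the symlinks in `/proc/<pid>/fd`, which is a cheap thing to check for on a central syslog host.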