Can I prevent syslog-ng from prepending logs from other servers?
I am receiving web and ftp logs from another machine on my central logging machine. Syslog-ng prepends the logs with a bunch of information that I don't need and it prevents Analog and Webalizer from parsing the logs correctly. Is there a way to tell syslog-ng not to prepend this information to certain logs? Thanks. Matt mmatt@freew3.com
On Mon, Dec 18, 2000 at 05:09:20PM -0600, Matt Mencel wrote:
I am receiving web and ftp logs from another machine on my central logging machine. Syslog-ng prepends the logs with a bunch of information that I don't need and it prevents Analog and Webalizer from parsing the logs correctly. Is there a way to tell syslog-ng not to prepend this information to certain logs? Thanks.
Can you not prepend our mailboxes with 4 copies of the same message? Thanks. BTW telling us minor details like what information you don't want logged might be helpful since our mindreading capabilities aren't that developed yet.
William Yodlowsky on Mon, Dec 18, 2000 at 11:34:34PM -0500:
On Mon, Dec 18, 2000 at 05:09:20PM -0600, Matt Mencel wrote:
Hi,
I am receiving web and ftp logs from another machine on my central logging machine. Syslog-ng prepends the logs with a bunch of information that I don't need and it prevents Analog and Webalizer from parsing the logs correctly. Is there a way to tell syslog-ng not to prepend this information to certain logs? Thanks.
The main reason why you have replaced your original syslog is its advanced filtering capabilities .. use them :) Look at the example configuration files that came with your source tarball, RTFM (one of the not so advanced features of syslog-ng ;)), or try something like:

source s_ftplog { udp(ip(a.b.c.d) port(514)); };
destination d_ftplog { file("/log/$HOST/the_log_you_are_checking"); };
filter f_ftplog { program("ftpd") and not match("bunch of information"); };
log { source(s_ftplog); filter(f_ftplog); destination(d_ftplog); };
Can you not prepend our mailboxes with 4 copies of the same message? Thanks.
BTW, I seem to get almost every message twice, and since I got this one 4 times as well, I guess other people have the same problem? I did not subscribe multiple times, in case anybody wonders :) Greetings, Gregor. -- Gregor Binder <gbinder@sysfive.com> http://www.sysfive.com/~gbinder/ sysfive.com GmbH UNIX. Networking. Security. Applications. Gaertnerstrasse 125b, 20253 Hamburg, Germany TEL +49-40-63647482
Can you not prepend our mailboxes with 4 copies of the same message? Thanks.
BTW, I seem to get almost every message twice, and since I got this one 4 times as well, I guess other people have the same problem?
I did not subscribe multiple times, in case anybody wonders :)
This seems to be a mailman bug. I might upgrade as soon as I have some spare time. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 url: http://www.balabit.hu/pgpkey.txt
On Tue, Dec 19, 2000 at 02:19:34PM +0100, Balazs Scheidler wrote:
Can you not prepend our mailboxes with 4 copies of the same message? Thanks.
BTW, I seem to get almost every message twice, and since I got this one 4 times as well, I guess other people have the same problem?
I did not subscribe multiple times, in case anybody wonders :)
This seems to be a mailman bug. I might upgrade as soon as I have some spare time.
Apologies to Matt then... his was the first message I saw duplicated.
On Tuesday 19 December 2000 13:25, you wrote:
William Yodlowsky on Mon, Dec 18, 2000 at 11:34:34PM -0500:
On Mon, Dec 18, 2000 at 05:09:20PM -0600, Matt Mencel wrote:
Hi,
I am receiving web and ftp logs from another machine on my central logging machine. Syslog-ng prepends the logs with a bunch of information that I don't need and it prevents Analog and Webalizer from parsing the logs correctly. Is there a way to tell syslog-ng not to prepend this information to certain logs? Thanks.
the main reason why you have replaced your original syslog are advanced filtering capabilities .. use them :)
William, I think you misunderstand the question from Matt. The problem is that this is a normal (local) syslog message:

Tue Dec 19 16:18:14 2000 17 saraksh.alkar.net 65536 /ftp/data/fgf092.zip b _ o a Squid@ ftp 0 * i

This is the same in the log server from syslog-ng:

Dec 19 16:18:20 local@limonero/limonero ftpd[3065]: [ID 735137 daemon.info] xferlog (send): 25 saraksh.alkar.net 65536 /ftp/data/fgf092.zip b _ o a Squid@ ftp 0 * i

When a program that parses those logs for statistical purposes (such as webalizer) runs, it fails because the logs are not in the format webalizer expects.

I solved the problem by pre-processing the logs with a script that writes them in the right format to another file, and then passing that file to webalizer.

What is the reason syslog-ng uses a different format in its logs?

Sorry for my English.

Victor.

--
"Alone? you are not alone, Bigbrother is watching you"
Soporte Seguridad en red........................http://www.utc.uam.es/ss
Unidad Tecnica de Comunicaciones...................http://www.utc.uam.es
Universidad Autonoma de Madrid.........................http://www.uam.es
Tlf.- 91 397 5525 PGP ID-0x8750AB79
What is the reason syslog-ng uses a different format in its logs?
syslog-ng uses the (ad hoc) standard syslog format. If you feed it e.g. squid logs it'll prepend the fields needed by standard syslog. For now you can't change this format. A solution is to use sed to rewrite lines, or wait until I have some time to implement it. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 url: http://www.balabit.hu/pgpkey.txt
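The rewrite step Bazsi describes, as an added example that is not part of this thread and not syslog-ng's own code: a small Python filter that strips the syslog header from relayed ftpd xferlog records so that webalizer or analog can read them again. It assumes every relayed record has the shape of Victor's line above (a syslog timestamp and host, `ftpd[pid]:`, an optional `[ID ... facility.level]` tag of the kind Solaris 8 syslogd adds, then `xferlog (send|recv):` followed by the 13 wu-ftpd xferlog fields) and that the year, which the syslog timestamp lacks, is supplied by the caller. The sample lines, the host and file names in them, and the script name are constructed.

```python
"""Strip the syslog header that syslog-ng prepends to relayed ftpd xferlog
records, so that webalizer/analog can parse them again.

Added example, not code from the thread or from syslog-ng.  Assumptions
(the thread only shows one Solaris line):
  * every relayed record looks like
      Dec 19 16:18:20 <host> ftpd[<pid>]: [ID <n> <fac>.<lvl>] xferlog (send): <13 xferlog fields>
    where the "[ID ...]" tag is optional (Linux senders omit it);
  * the syslog timestamp carries no year, so the caller supplies it.
"""
import re
import sys
from datetime import datetime
from typing import List, Optional, Tuple

RELAYED_XFERLOG = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "                          # e.g. local@limonero/limonero
    r"(?:in\.)?ftpd\[\d+\]: "                  # program[pid]:
    r"(?:\[ID \d+ [a-z0-9]+\.[a-z]+\] )?"      # optional Solaris message-id tag
    r"xferlog \((?:send|recv)\): "
    r"(?P<rest>.+)$"
)

# wu-ftpd xferlog: transfer-time remote-host bytes file type special-action
# direction access-mode user service auth-method auth-user completion-status
XFERLOG_FIELDS = 13


def to_xferlog(line: str, year: int) -> Optional[str]:
    """Return the line in native xferlog form, or None if it is not a relayed
    xferlog record.  Anything else in the file is dropped rather than passed
    through, so the statistics tool never sees a half-parsed line."""
    m = RELAYED_XFERLOG.match(line.rstrip("\r\n"))
    if not m:
        return None
    if len(m["rest"].split()) < XFERLOG_FIELDS:   # wu-ftpd turns spaces in names into '_'
        return None
    try:
        stamp = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}",
                                  "%b %d %Y %H:%M:%S")
    except ValueError:                            # e.g. "Feb 30": corrupt header
        return None
    # xferlog uses a ctime(3)-style stamp, "Tue Dec 19 16:18:20 2000", day space-padded.
    return f"{stamp:%a %b} {stamp.day:2d} {stamp:%H:%M:%S %Y} {m['rest']}"


def convert(lines, year: int) -> Tuple[List[str], int]:
    """Convert a whole file; returns (xferlog lines, number of lines dropped)."""
    out, dropped = [], 0
    for line in lines:
        x = to_xferlog(line, year)
        if x is None:
            dropped += 1
        else:
            out.append(x)
    return out, dropped


# Constructed sample: Victor's Solaris line from the thread, a Linux-style line
# without the "[ID ...]" tag, and an unrelated ftpd message that must be dropped.
SAMPLE_LINES = [
    "Dec 19 16:18:20 local@limonero/limonero ftpd[3065]: [ID 735137 daemon.info] "
    "xferlog (send): 25 saraksh.alkar.net 65536 /ftp/data/fgf092.zip b _ o a Squid@ ftp 0 * i",
    "Dec  9 03:04:05 web1 in.ftpd[77]: xferlog (recv): 3 10.0.0.5 12 /incoming/a.txt a _ i r bob ftp 0 * c",
    "Dec 19 16:18:21 local@limonero/limonero ftpd[3065]: [ID 735137 daemon.info] FTP session closed",
]

if __name__ == "__main__":
    # usage: python3 unsyslog_xferlog.py 2000 < /log/limonero/ftpd > xferlog.webalizer
    year = int(sys.argv[1]) if len(sys.argv) > 1 else datetime.now().year
    records, dropped = convert(sys.stdin, year)
    sys.stdout.write("".join(r + "\n" for r in records))
    sys.stderr.write(f"{dropped} non-xferlog line(s) skipped\n")
```

Write the output to a separate file and leave the file syslog-ng wrote untouched: the prefix being stripped is the only record of which host sent each line and when the central server received it, which matters more for reconstructing an incident than for traffic statistics. Note also that the date now comes from the syslog timestamp (the receiving server's clock), not from the time the sending ftpd would have written into its own xferlog.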
On Tue, Dec 19, 2000 at 05:20:41PM +0100, Victor Barahona wrote:
On Tuesday 19 December 2000 13:25, you wrote:
William Yodlowsky on Mon, Dec 18, 2000 at 11:34:34PM -0500:
On Mon, Dec 18, 2000 at 05:09:20PM -0600, Matt Mencel wrote:
the main reason why you have replaced your original syslog are advanced filtering capabilities .. use them :)
William, I think you misunderstand the question from Matt.
I have been misquoted :) Those words are not mine, but rather they belong to Gregor Binder <gbinder@sysfive.com>
The problem is that this is a normal (local) syslog message:
Tue Dec 19 16:18:14 2000 17 saraksh.alkar.net 65536 /ftp/data/fgf092.zip b _ o a Squid@ ftp 0 * i
This is the same in the log-server from syslog-ng:
Dec 19 16:18:20 local@limonero/limonero ftpd[3065]: [ID 735137 daemon.info] xferlog (send): 25 saraksh.alkar.net 65536 /ftp/data/fgf092.zip b _ o a Squid@ ftp 0 * i
When a program that parses those logs for statistical purposes (such as webalizer) runs, it fails because the logs are not in the format webalizer expects.
I solved the problem by pre-processing the logs with a script that writes them in the right format to another file, and then passing that file to webalizer.
What is the reason syslog-ng uses a different format in its logs?
Sorry for my English.
William Yodlowsky on Tue, Dec 19, 2000 at 12:32:58PM -0500: Hi,
William, I think you misunderstand the question from Matt.
I have been misquoted :) Those words are not mine, but rather they belong to Gregor Binder <gbinder@sysfive.com>
Absolutely. I was the ignorant one trying to give answers before I knew the actual question ... please don't tell my boss ;) Maybe it would be a good idea not to assume that people on this list know anything but syslog-ng when posting a problem to this list. :) To me, it actually looked like Matt was trying to get rid of extra lines in his logfiles, and not extra information in the log messages. Regards, Gregor. P.S: Damn, and I thought my mind-reading capabilities were better than William's .. ;) -- Gregor Binder <gbinder@sysfive.com> http://www.sysfive.com/~gbinder/ sysfive.com GmbH UNIX. Networking. Security. Applications. Gaertnerstrasse 125b, 20253 Hamburg, Germany TEL +49-40-63647482
A couple of questions. I seem to remember there being two sync options, one based upon time and one based upon number of lines. Which one was time? Second, is there any way to do a sync for a destination rather than for the whole system? Matthew
I seem to remember there being two sync options, one based upon time and one based upon number of lines. Which one was time?
Second, is there any way to do a sync for a destination rather than for the whole system?
IIRC you can set sync on a per-destination basis. Try:

destination d_messages { file("/var/log/messages" sync(0)); };

There's no sync option based on time. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 url: http://www.balabit.hu/pgpkey.txt
participants (6)
- Balazs Scheidler
- Gregor Binder
- Matt Mencel
- matthew.copeland@honeywell.com
- Victor Barahona
- William Yodlowsky