I have just installed syslog-ng and am logging to a mysql database. I am trying to implement a centralized syslog system. Everything is working well except for the auth-priv facility. I cannot seem to get them sent to the centralized database.

When I run a test with logger on the remote computer I get the following error:

    logger: unknown facility name: auth-priv.

However, syslog on the remote computer has the entry

    # The authpriv file has restricted access.
    authpriv.*    /var/log/secure

and is logging to the secure file with no problems. When I add an entry for the remote computer to send the info

    authpriv.*    @host.me.com

the logs do not show up. Can someone advise me on what I can do?

Peter Koinange
This is kind of a silly question, but did you bounce the syslogd after you made that config change? Assuming you're sending this to a syslog-ng daemon as a central collection source, where is the syslog-ng daemon configured to place logs for that facility/severity combination?

- billn

On Thu, 12 Jan 2006, Peter Koinange wrote:
I have just installed syslog-ng and am logging to a mysql database. I am trying to implement a centralized syslog system. Everything is working well except for the auth-priv facility. I cannot seem to get them sent to the centralized database.

When I run a test with logger on the remote computer I get the following error:

    logger: unknown facility name: auth-priv.

However, syslog on the remote computer has the entry

    # The authpriv file has restricted access.
    authpriv.*    /var/log/secure

and is logging to the secure file with no problems. When I add an entry for the remote computer to send the info

    authpriv.*    @host.me.com

the logs do not show up. Can someone advise me on what I can do?

Peter Koinange
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
I have a very basic setup at the moment for the syslog-ng server; I am just writing everything I get to the database regardless of the facility/severity combination, since the database can be checked for specific details.

k

On Thursday 12 January 2006 20:00, Bill Nash wrote:
This is kind of a silly question, but did you bounce the syslogd after you made that config change? Assuming you're sending this to a syslog-ng daemon as a central collection source, where is the syslog-ng daemon configured to place logs for that facility/severity combination?
- billn
On Thu, 12 Jan 2006, Peter Koinange wrote:
I have just installed syslog-ng and am logging to a mysql database. I am trying to implement a centralized syslog system. Everything is working well except for the auth-priv facility. I cannot seem to get them sent to the centralized database.

When I run a test with logger on the remote computer I get the following error:

    logger: unknown facility name: auth-priv.

However, syslog on the remote computer has the entry

    # The authpriv file has restricted access.
    authpriv.*    /var/log/secure

and is logging to the secure file with no problems. When I add an entry for the remote computer to send the info

    authpriv.*    @host.me.com

the logs do not show up. Can someone advise me on what I can do?

Peter Koinange
I have included my config.

On Thursday 12 January 2006 20:11, Peter Koinange wrote:
I have a very basic setup at the moment for the syslog-ng server; I am just writing everything I get to the database regardless of the facility/severity combination, since the database can be checked for specific details.
k

    source src { unix-stream("/dev/log"); pipe("/proc/kmsg"); internal(); };
    source s_udpmessages { udp(); };

    destination d_mysql {
        pipe("/var/log/mysql.pipe"
             template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n")
             template-escape(yes));
    };

    log { source(src); destination(d_mysql); };
    log { source(s_udpmessages); destination(d_mysql); };
On Thursday 12 January 2006 20:00, Bill Nash wrote:
This is kind of a silly question, but did you bounce the syslogd after you made that config change? Assuming you're sending this to a syslog-ng daemon as a central collection source, where is the syslog-ng daemon configured to place logs for that facility/severity combination?
- billn
As a test case, I'd recommend adding a file destination so you can interactively tail the file to test your delivery. Once you have that in place, force authpriv traffic generation on your source hosts and verify that it's arriving at your collector. A la:

    destination test { file("/tmp/foo"); };
    log { source(s_udpmessages); destination(test); };

If you don't see it arrive using a simple configuration like this, supplement your diagnosis with `tcpdump udp port 514` and repeat traffic generation. If you still don't see the packet arrive, repeat the tcpdump step on the device sending the log entry, and verify that the syslogd is sending it out. If your collector has multiple network addresses/interfaces, verify that syslog-ng is listening on the address you're expecting to see it on (`netstat -plan | grep 514`).

Other things that could prevent delivery include network ACLs, iptables firewall rules, and sunspots.

- billn

On Thu, 12 Jan 2006, Peter Koinange wrote:
I have included my config
On Thursday 12 January 2006 20:11, Peter Koinange wrote:
I have a very basic setup at the moment for the syslog-ng server; I am just writing everything I get to the database regardless of the facility/severity combination, since the database can be checked for specific details.
k

    source src { unix-stream("/dev/log"); pipe("/proc/kmsg"); internal(); };
    source s_udpmessages { udp(); };

    destination d_mysql {
        pipe("/var/log/mysql.pipe"
             template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n")
             template-escape(yes));
    };

    log { source(src); destination(d_mysql); };
    log { source(s_udpmessages); destination(d_mysql); };
On Thursday 12 January 2006 20:00, Bill Nash wrote:
This is kind of a silly question, but did you bounce the syslogd after you made that config change? Assuming you're sending this to a syslog-ng daemon as a central collection source, where is the syslog-ng daemon configured to place logs for that facility/severity combination?
- billn
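Building on Bill's file-destination test, here is an added example (not from the thread or the syslog-ng project) of a syslog-ng configuration that routes only authpriv messages arriving over UDP to their own file, so the file stays empty unless the remote host really delivers that facility. The filter and destination names and the file path are my own choices.

```conf
# Added example: isolate remote authpriv traffic while troubleshooting.
# Names (f_authpriv, d_authpriv_test) and the path are assumptions.
source s_udpmessages { udp(); };            # UDP/514, as in the thread's config

# Facility code 10. The name must be "authpriv"; "auth-priv" is not a facility.
filter f_authpriv { facility(authpriv); };

destination d_authpriv_test { file("/tmp/remote-authpriv.log"); };

log { source(s_udpmessages); filter(f_authpriv); destination(d_authpriv_test); };

# On the remote host, generate one message with the real facility name and
# watch the file on the collector:
#   remote$    logger -p authpriv.notice "authpriv delivery test"
#   collector$ tail -f /tmp/remote-authpriv.log
```

If the file stays empty while `tcpdump udp port 514` on the collector shows the datagram arriving, the problem is in the syslog-ng configuration rather than on the network.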
Peter Koinange wrote:
I have just installed syslog-ng and am logging to a mysql database. I am trying to implement a centralized syslog system. Everything is working well except for the auth-priv facility. I cannot seem to get them sent to the centralized database.

When I run a test with logger on the remote computer I get the following error:

    logger: unknown facility name: auth-priv.
The name of the facility is authpriv, not auth-priv. Maybe you mistyped the facility.
However, syslog on the remote computer has the entry

    # The authpriv file has restricted access.
    authpriv.*    /var/log/secure

and is logging to the secure file with no problems. When I add an entry for the remote computer to send the info

    authpriv.*    @host.me.com

the logs do not show up. Can someone advise me on what I can do?
Strange, this shouldn't happen. I suppose you reloaded/restarted syslogd on the remote machine. Can you show the captured network traffic between the remote host and the host syslog-ng is running on?

--
Sandor Geller
wildy@balabit.hu
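Sandor's two points, that the facility is spelled "authpriv" and that the network capture decides the question, can be checked together with this added Python decoder (my own code, not from the thread). It resolves facility names the way logger(1) does and decodes the `<PRI>` header of raw BSD syslog datagrams, so you can see whether what reaches the collector on UDP/514 is really facility authpriv; the port and the sample messages in the tests are assumptions.

```python
import re
import socket

# RFC 3164 facility codes. The real name is "authpriv" (code 10); "auth-priv" is not one.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A BSD syslog datagram starts with "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def facility_code(name):
    """Resolve a facility name the way logger(1) does: exact names only."""
    if name not in FACILITIES:
        raise ValueError(f"unknown facility name: {name}")
    return FACILITIES[name]


def parse_datagram(data):
    """Return (facility, severity, rest) for one raw syslog datagram."""
    m = PRI_RE.match(data)
    if m is None:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return (FACILITY_NAMES.get(facility, str(facility)), SEVERITIES[severity],
            m.group(2).decode("utf-8", "replace"))


def listen(port=514, want="authpriv"):
    """Run on the collector: print only datagrams of the wanted facility.
    Binding port 514 needs root and syslog-ng must not hold it; assumption."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (addr, _) = sock.recvfrom(65535)
        facility, severity, rest = parse_datagram(data)
        if facility == want:
            print(f"{addr} {facility}.{severity} {rest}")


if __name__ == "__main__":
    listen()
```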
participants (3)
- Bill Nash
- Peter Koinange
- Sandor Geller