RE: [syslog-ng]Trying to send log over network
Sim,

I have just a couple of other questions.

What is the address of your loghost and the address of the clients? I'm looking at your two configs and I want to make sure that the destination for the problem machine is ok. Do you have a 192.168.1.19 host on your network and is it listening for tcp connections on port 514? In the loghost config you reference a source of 192.168.1.1 which tells me that your loghost is 192.168.1.1. If you are trying to establish a connection to a host using the tcp/ip you also need to make sure that the host is listening for tcp/ip connections. The loghost config is listening for tcp/ip on 192.168.1.1 port 10001 and you are trying to make a tcp connection with 192.168.1.19 on port 514. Is this what you are intending? If so, this won't work. Change your destination in your client to read

destination d_bg {tcp("192.168.1.1:10001") };

That should at least let you log to that loghost.

Regards,
Drew
-----Original Message-----
From: Simeon Johnston [SMTP:simeonuj@eetc.com]
Sent: Wednesday, February 21, 2001 5:39 PM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Trying to send log over network
Here are the configs.
I have added as an attachment the strace output files using "strace -f -ff -o localfile syslog-ng".
This is the config for the problem computers.
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (on);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (yes);
};

source s_sys { unix-stream ("/dev/log"); internal(); };

destination d_cons { file("/var/log/ng/kern.log"); };
destination d_mesg { file("/var/log/ng/messages"); };
destination d_auth { file("/var/log/ng/secure"); };
destination d_mail { file("/var/log/ng/maillog"); };
destination d_spol { file("/var/log/ng/spooler"); };
destination d_boot { file("/var/log/ng/boot.log"); };
destination d_mlal { file("/var/log/ng/emerg.log"); };
destination d_bg { tcp("192.168.1.19:514"); };
destination d_sshd { file("/var/log/ng/sshd.log"); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit)); };
filter f_tcplog { level(debug); };
filter f_sshd { match("sshd"); };

log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_tcplog); destination(d_bg); };
log { source(s_sys); filter(f_sshd); destination(d_sshd); };
This is the logserver config
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (on);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (yes);
};

source s_sys { unix-stream ("/dev/log"); internal(); };
source s_tcp { tcp (ip(192.168.1.1) port(10001)); };

destination d_cons { file("/var/log/ng/kernel"); };
destination d_mesg { file("/var/log/ng/messages"); };
destination d_auth { file("/var/log/ng/secure"); };
destination d_mail { file("/var/log/ng/maillog"); };
destination d_spol { file("/var/log/ng/spooler"); };
destination d_boot { file("/var/log/ng/boot.log"); };
destination d_mlal { file("/var/log/ng/emerg.log"); };
destination d_pptp { file("/var/log/ng/pptpd.log"); };
destination d_daemon { file("/var/log/ng/daemon.log"); };
destination d_firewall { file("/var/log/ng/firewall.log"); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and not facility(mail,authpriv,kern); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp); };
filter f_pptpd { match("pptpd"); };
filter f_daemon { facility(daemon); };
filter f_boot { facility(local7); };
filter f_firewall { level(debug); };

log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_pptpd); destination(d_pptp); };
log { source(s_sys); filter(f_daemon); destination(d_daemon); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_tcp); filter(f_firewall); destination(d_firewall); };
Thank you for your help.
sim
"Hamilton, Andrew Mr RAYTHEON 5 SIG CMD" wrote:
> 1. No, syslog-ng runs as its own daemon. Works much better this way.
> 2. If the answer to 1 was yes it would make a difference. But since it isn't then no.
> 3. Could you post a sample of your config file? That might be helpful. Also could you post part of your strace results? That would at least give us info on where to look for your problem.
>
> Random thoughts...do you have some sort of port monitor that could be blocking your default ports? I have seen that before.
>
> Regards.
> Drew

<< File: strace.syslog-ng >> << File: strace.syslog-ng.25136 >>
> destination d_bg { tcp("192.168.1.19:514"); };

destination tcp drivers should look like this:

destination d_bg { tcp("192.168.1.19" port(514)); };

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
Balazs Scheidler wrote:
> destination tcp drivers should look like this:
>
> destination d_bg { tcp("192.168.1.19" port(514)); };
>
> --
> Bazsi
Thanks, this seems to work. I still am not getting any logging over the network. This is the new complete logserver config and the syslog-ng config used for sending messages. No errors but still is not logging anything. Is there a problem with the options? I am not a network guru and don't know what most of these mean. Are there any other problems that could cause this problem? Anything at all would be of great help.

sim

This is the Logserver config

options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (on);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (yes);
};

source s_sys { unix-stream ("/dev/log"); internal(); };
source s_tcp { tcp (ip(192.168.1.1) port(514)); };

destination d_cons { file("/var/log/ng/kernel"); };
destination d_mesg { file("/var/log/ng/messages"); };
destination d_auth { file("/var/log/ng/secure"); };
destination d_mail { file("/var/log/ng/maillog"); };
destination d_spol { file("/var/log/ng/spooler"); };
destination d_boot { file("/var/log/ng/boot.log"); };
destination d_mlal { file("/var/log/emerg.log"); };
destination d_pptp { file("/var/log/pptpd.log"); };
destination d_daemon { file("/var/log/ng/daemon.log"); };
destination d_firewall { file("/var/log/ng/firewall.log"); };
destination d_sshd { file("/var/log/sshd.log"); };
destination d_cron { file("/var/log/cron.log"); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and not facility(mail,authpriv,kern); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp); };
filter f_pptpd { program(pptpd); };
filter f_daemon { facility(daemon); };
filter f_boot { facility(local7); };
filter f_firewall { host("SparcFirewall") or level(info) or host("192.168.1.1") or match("sshd"); };
filter f_sshd { program(sshd); };
filter f_cron { program(cron); };

log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_pptpd); destination(d_pptp); };
log { source(s_sys); filter(f_daemon); destination(d_daemon); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_tcp); filter(f_firewall); destination(d_firewall); };
log { source(s_sys); filter(f_sshd); destination(d_sshd); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

This is the other config.

options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (on);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (yes);
};

source s_sys { unix-stream ("/dev/log"); internal(); };

destination d_cons { file("/var/log/ng/kern.log"); };
destination d_mesg { file("/var/log/ng/messages"); };
destination d_auth { file("/var/log/ng/secure"); };
destination d_mail { file("/var/log/ng/maillog"); };
destination d_spol { file("/var/log/ng/spooler"); };
destination d_boot { file("/var/log/ng/boot.log"); };
destination d_mlal { file("/var/log/ng/emerg.log"); };
destination d_dhcp { file("/var/log/ng/dhcpd.log"); };
destination d_ipchains { file("/var/log/ng/ipchains.log"); };
destination d_bg { tcp("192.168.1.19" port(514)); };
destination d_sshd { file("/var/log/ng/sshd.log"); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit)); };
filter f_dhcp { match("dhcpd"); };
filter f_ipchains { match("ipchains"); };
filter f_sshd { match("sshd"); };

log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_dhcp); destination(d_dhcp); };
log { source(s_sys); filter(f_ipchains); destination(d_ipchains); };
log { source(s_sys); filter(f_filter2); destination(d_bg); };
log { source(s_sys); filter(f_sshd); destination(d_sshd); };
Sorry for the confusion. I was testing different ports and forgot to change it back. This is not the problem.

"Hamilton, Andrew Mr RAYTHEON 5 SIG CMD" wrote:
> Sim,
>
> I have just a couple of other questions.
>
> What is the address of your loghost and the address of the clients? I'm looking at your two configs and I want to make sure that the destination for the problem machine is ok. Do you have a 192.168.1.19 host on your network and is it listening for tcp connections on port 514? In the loghost config you reference a source of 192.168.1.1 which tells me that your loghost is 192.168.1.1. If you are trying to establish a connection to a host using the tcp/ip you also need to make sure that the host is listening for tcp/ip connections. The loghost config is listening for tcp/ip on 192.168.1.1 port 10001 and you are trying to make a tcp connection with 192.168.1.19 on port 514. Is this what you are intending? If so, this won't work. Change your destination in your client to read
>
> destination d_bg {tcp("192.168.1.1:10001") };
>
> That should at least let you log to that loghost.
>
> Regards,
> Drew
This rule seems to work but it still isn't logging anything over the network. Will syslog and syslog-ng conflict if they are both running? Does klogd need to be restarted if I want to use syslog-ng? I think that this rule will work. Didn't give any errors.

thanks,
sim

Balazs Scheidler wrote:
> > destination d_bg { tcp("192.168.1.19:514"); };
>
> destination tcp drivers should look like this:
>
> destination d_bg { tcp("192.168.1.19" port(514)); };
>
> --
> Bazsi
> PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng
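
Added example, not part of the original thread and not syslog-ng code: a small Python check that pulls the tcp() destination out of the client configs and the tcp() source out of the logserver configs posted above, and reports when the two do not meet, which is the mismatch Drew points out (192.168.1.19:514 versus 192.168.1.1:10001). The excerpts are constructed from the posted configs, the function names are hypothetical, and the check assumes the client has to target exactly the address given in ip().

```python
import re

# Constructed excerpts: the network-facing statements from the configs in the thread.
CLIENT_V1 = 'destination d_bg { tcp("192.168.1.19:514"); };'        # first client config
CLIENT_V2 = 'destination d_bg { tcp("192.168.1.19" port(514)); };'  # after Balazs's syntax fix
SERVER_V1 = 'source s_tcp { tcp (ip(192.168.1.1) port(10001)); };'  # first logserver config
SERVER_V2 = 'source s_tcp { tcp (ip(192.168.1.1) port(514)); };'    # second logserver config

DEST_RE = re.compile(r'destination\s+(\w+)\s*\{\s*tcp\s*\(\s*"([^"]+)"'
                     r'\s*(?:port\s*\(\s*(\d+)\s*\))?\s*\)')
SRC_RE = re.compile(r'source\s+(\w+)\s*\{[^}]*?tcp\s*\(\s*ip\s*\(\s*"?([\d.]+)"?\s*\)'
                    r'\s*port\s*\(\s*(\d+)\s*\)')


def tcp_destinations(conf):
    """Return (name, host, port, inline) per tcp() destination; inline marks "host:port"."""
    found = []
    for name, target, port in DEST_RE.findall(conf):
        host, sep, inline_port = target.partition(":")
        port = port or inline_port
        found.append((name, host, int(port) if port else None, bool(sep)))
    return found


def tcp_listeners(conf):
    """Return the set of (ip, port) pairs that tcp() sources bind to."""
    return {(ip, int(port)) for _, ip, port in SRC_RE.findall(conf)}


def check(client_conf, server_conf):
    """Report destinations that no tcp() source in server_conf would receive."""
    listeners = tcp_listeners(server_conf)
    heard = ", ".join(f"{h}:{p}" for h, p in sorted(listeners)) or "nothing"
    findings = []
    for name, host, port, inline in tcp_destinations(client_conf):
        if inline:
            findings.append(f'{name}: write tcp("{host}" port({port})) instead of "host:port"')
        if (host, port) not in listeners:
            findings.append(f"{name}: sends to {host}:{port}, logserver listens on {heard}")
    return findings


if __name__ == "__main__":
    for label, client, server in (("first configs", CLIENT_V1, SERVER_V1),
                                  ("second configs", CLIENT_V2, SERVER_V2)):
        print(label, check(client, server))
```

For the second pair of configs the report still shows the destination host 192.168.1.19 differing from the ip() address 192.168.1.1; whether that is intended depends on which address the logserver actually has, which the thread does not settle.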