[syslog-ng]Trying to send log over network
Hamilton, Andrew Mr RAYTHEON 5 SIG CMD
HamiltonA@hq.5sigcmd.army.mil
Thu, 22 Feb 2001 09:08:50 +0100
Sim,
I have just a couple of other questions.
What is the address of your loghost and the address of the clients? I'm
looking at your two configs and I want to make sure that the destination for
the problem machine is ok. Do you have a 192.168.1.19 host on your network
and is it listening for tcp connections on port 514? In the loghost config
you reference a source of 192.168.1.1 which tells me that your loghost is
192.168.1.1. If you are trying to establish a connection to a host using
tcp/ip you also need to make sure that the host is listening for tcp/ip
connections. The loghost config is listening for tcp/ip on 192.168.1.1 port
10001 and you are trying to make a tcp connection with 192.168.1.19 on port
514. Is this what you are intending? If so, this won't work. Change your
destination in your client to read

destination d_bg { tcp("192.168.1.1:10001"); };

That should at least let you log to that loghost.
Regards,
Drew
> -----Original Message-----
> From: Simeon Johnston [SMTP:simeonuj@eetc.com]
> Sent: Wednesday, February 21, 2001 5:39 PM
> To: syslog-ng@lists.balabit.hu
> Subject: Re: [syslog-ng]Trying to send log over network
>
> Here are the configs.
>
> I have added as an attachment the strace output files using
> "strace -f -ff -o localfile syslog-ng".
>
> This is the config for the problem computers.
>
> options { sync (0);
> time_reopen (10);
> log_fifo_size (1000);
> long_hostnames (on);
> use_dns (no);
> use_fqdn (no);
> create_dirs (yes);
> keep_hostname (yes);
> };
>
> source s_sys { unix-stream ("/dev/log"); internal(); };
>
> destination d_cons { file("/var/log/ng/kern.log"); };
> destination d_mesg { file("/var/log/ng/messages"); };
> destination d_auth { file("/var/log/ng/secure"); };
> destination d_mail { file("/var/log/ng/maillog"); };
> destination d_spol { file("/var/log/ng/spooler"); };
> destination d_boot { file("/var/log/ng/boot.log"); };
> destination d_mlal { file("/var/log/ng/emerg.log"); };
> destination d_bg { tcp("192.168.1.19:514"); };
> destination d_sshd { file("/var/log/ng/sshd.log"); };
>
> filter f_filter1 { facility(kern); };
> filter f_filter2 { level(info); };
> filter f_filter3 { facility(authpriv); };
> filter f_filter4 { facility(mail); };
> filter f_filter5 { level(emerg); };
> filter f_filter6 { facility(uucp) or
> (facility(news) and level(crit)); };
> filter f_tcplog { level(debug); };
> filter f_sshd { match("sshd"); };
>
> log { source(s_sys); filter(f_filter1); destination(d_cons); };
> log { source(s_sys); filter(f_filter2); destination(d_mesg); };
> log { source(s_sys); filter(f_filter3); destination(d_auth); };
> log { source(s_sys); filter(f_filter4); destination(d_mail); };
> log { source(s_sys); filter(f_filter5); destination(d_mlal); };
> log { source(s_sys); filter(f_filter6); destination(d_spol); };
> log { source(s_sys); filter(f_tcplog); destination(d_bg); };
> log { source(s_sys); filter(f_sshd); destination(d_sshd); };
>
>
> This is the logserver config
>
> options { sync (0);
> time_reopen (10);
> log_fifo_size (1000);
> long_hostnames (on);
> use_dns (no);
> use_fqdn (no);
> create_dirs (yes);
> keep_hostname (yes);
> };
>
> source s_sys { unix-stream ("/dev/log"); internal(); };
> source s_tcp { tcp (ip(192.168.1.1) port(10001)); };
>
> destination d_cons { file("/var/log/ng/kernel"); };
> destination d_mesg { file("/var/log/ng/messages"); };
> destination d_auth { file("/var/log/ng/secure"); };
> destination d_mail { file("/var/log/ng/maillog"); };
> destination d_spol { file("/var/log/ng/spooler"); };
> destination d_boot { file("/var/log/ng/boot.log"); };
> destination d_mlal { file("/var/log/ng/emerg.log"); };
> destination d_pptp { file("/var/log/ng/pptpd.log"); };
> destination d_daemon { file("/var/log/ng/daemon.log"); };
> destination d_firewall { file("/var/log/ng/firewall.log"); };
>
> filter f_filter1 { facility(kern); };
> filter f_filter2 { level(info) and not facility(mail,authpriv,kern); };
> filter f_filter3 { facility(authpriv); };
> filter f_filter4 { facility(mail); };
> filter f_filter5 { level(emerg); };
> filter f_filter6 { facility(uucp); };
> filter f_pptpd { match("pptpd"); };
> filter f_daemon { facility(daemon); };
> filter f_boot { facility(local7); };
> filter f_firewall { level(debug); };
>
> log { source(s_sys); filter(f_filter1); destination(d_cons); };
> log { source(s_sys); filter(f_filter2); destination(d_mesg); };
> log { source(s_sys); filter(f_filter3); destination(d_auth); };
> log { source(s_sys); filter(f_filter4); destination(d_mail); };
> log { source(s_sys); filter(f_filter5); destination(d_mlal); };
> log { source(s_sys); filter(f_filter6); destination(d_spol); };
> log { source(s_sys); filter(f_pptpd); destination(d_pptp); };
> log { source(s_sys); filter(f_daemon); destination(d_daemon); };
> log { source(s_sys); filter(f_boot); destination(d_boot); };
> log { source(s_tcp); filter(f_firewall); destination(d_firewall); };
>
> Thank you for your help.
>
> sim
>
> "Hamilton, Andrew Mr RAYTHEON 5 SIG CMD" wrote:
>
> > 1. No, syslog-ng runs as its own daemon. Works much better this way.
> > 2. If the answer to 1 was yes it would make a difference. But since it
> > isn't then no.
> > 3. Could you post a sample of your config file? That might be helpful.
> > Also could you post part of your strace results? That would at least give
> > us info on where to look for your problem.
> >
> > Random thoughts...do you have some sort of port monitor that could be
> > blocking your default ports? I have seen that before.
> >
> > Regards.
> > Drew
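
The mismatch described in the reply above (client sending to 192.168.1.19:514 while the loghost listens on 192.168.1.1:10001) can be caught by comparing the two configs before deployment. The script below is an added example, not part of the original thread or of syslog-ng. Its function names, the embedded config excerpts and the fallback port of 514 are assumptions, and it accepts both the "host:port" string used in the thread and a separate port() option.

```python
import re

# Constructed excerpts of the two configs quoted in the thread.
CLIENT_CONF = '''
destination d_mesg { file("/var/log/ng/messages"); };
destination d_bg { tcp("192.168.1.19:514"); };
'''
LOGHOST_CONF = '''
source s_sys { unix-stream ("/dev/log"); internal(); };
source s_tcp { tcp (ip(192.168.1.1) port(10001)); };
'''

DEFAULT_PORT = 514  # assumption: tcp() falls back to 514 when no port is given
OPTS = r'((?:[^()]|\([^()]*\))*)'  # driver options, one level of nested parens
DEST_RE = re.compile(r'destination\s+(\w+)\s*\{[^}]*?\btcp\s*\(\s*"([^"]+)"' + OPTS + r'\)')
SRC_RE = re.compile(r'source\s+(\w+)\s*\{[^}]*?\btcp\s*\(' + OPTS + r'\)')

def _opt(name, opts, default):
    """Extract a single option such as ip(...) or port(...) from a driver."""
    m = re.search(r'\b' + name + r'\s*\(\s*"?([^")\s]+)"?\s*\)', opts)
    return m.group(1) if m else default

def tcp_destinations(conf):
    """Return (name, host, port) for every tcp() destination."""
    out = []
    for name, target, opts in DEST_RE.findall(conf):
        host, _, port = target.partition(":")
        out.append((name, host, int(port or _opt("port", opts, DEFAULT_PORT))))
    return out

def tcp_listeners(conf):
    """Return (ip, port) for every tcp() source; 0.0.0.0 means all interfaces."""
    return [(_opt("ip", opts, "0.0.0.0"), int(_opt("port", opts, DEFAULT_PORT)))
            for _name, opts in SRC_RE.findall(conf)]

def check(client_conf, loghost_conf):
    """Flag each client tcp() destination that no loghost source listens on."""
    listeners = tcp_listeners(loghost_conf)
    return [(name, host, port,
             any(lp == port and lip in (host, "0.0.0.0") for lip, lp in listeners))
            for name, host, port in tcp_destinations(client_conf)]

if __name__ == "__main__":
    for name, host, port, ok in check(CLIENT_CONF, LOGHOST_CONF):
        print(f"{name}: {host}:{port} -> {'ok' if ok else 'NO LISTENER on loghost'}")
```

A destination flagged here means forwarded messages never reach the loghost, so the central copy of those logs is silently missing.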