[syslog-ng]networking problems

Hamilton, Andrew Mr RAYTHEON 5 SIG CMD HamiltonA@hq.5sigcmd.army.mil
Tue, 15 May 2001 08:13:39 +0200


Justin,

It's hard to really tell what's going on without the entire config file, but
it looks like your remote machine isn't logging to the log host machine.
There is no log statement with the remote machine as the destination.  Also
in your loghost machine there is no log statement with the remote source as
the source.  Understand that the source, destination and filter statements
only define your log environment.  The log statement does the work.  You
need a log statement like:

log { source(external_source); filter(f_whatever); destination(d_remote); };

or something similar on the loghost.  On the client you need:

log { source(local_source); filter(f_remote_whatever);
destination(remote_john); };

That should work for you.

Regards,
Drew

-----Original Message-----
From: Justin Scheiber (98030) [mailto:jscheibe@css.tayloru.edu]
Sent: Monday, May 14, 2001 11:09 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]networking problems


I checked the archives, but no entries exactly described my problem.  It
seems as though syslog-ng does not log properly over the network (at least
with my configuration).  The configuration is supposed to send the data
across the network to a centralized logging machine.  However, it seems as
though the data gets logged only out of random chance.

version:
syslog-ng-1.4.10

Here is a listing of the logs off the centralized logging machine:
SIZE    DATE            LOG FILES
0       Apr 12 16:02    machine1.automation.log
1760    Apr 18 19:21    machine1.security.log
0       Apr 17 00:01    machine2.automation.log
899     Apr 18 19:13    machine2.security.log
0       Apr 10 17:01    machine3.automation.log
3608    Apr 19 15:20    machine3.security.log
0       Apr 12 15:01    machine4.automation.log
903     Apr 23 04:59    machine4.error.log
14073   Apr 23 10:54    machine4.security.log
4618    Apr 18 19:48    machine5.security.log
0       Apr 10 17:01    machine5.automation.log
0       Apr 12 16:01    machine6.automation.log
1804    Apr 18 19:09    machine6.security.log

Here is the configuration file for the log host:

options { long_hostnames(off); sync(10); };

## sources ##
source local_src { unix-stream("/dev/log"); internal(); };

## external source (log messages from other machines) ##
#source external_src { tcp(); };
source external_src { udp(ip(10.0.1.4) port(1800)); };

## destinations ##
destination kernel_dest        { file("/var/log/kernel.log"); };
destination automation_dest    { file("/var/log/automation.log"); };
destination security_dest      { file("/var/log/security.log"); };
destination error_dest         { file("/var/log/error.log"); };
destination eternal_peril_dest { file("/dev/null"); };

## destination for external logs ##
destination external_security_dest { 
	file("/export/hda3/log/$HOST.security.log"); };
destination external_automation_dest { 
	file("/export/hda3/log/$HOST.automation.log"); };
destination external_error_dest { 
	file("/export/hda3/log/$HOST.error.log"); };

## filters ##
filter kernel_filter            { facility(kern); };

filter security_filter     { match("connect")
                              or program("PAM_pwdb")
                              or match("pam")
                              or program("sshd")
                              or program("login")
                              or facility(security)
                              and not program("sendmail"); };

filter error_filter        { level(crit..panic); };

filter automation_filter   { program("runfixes"); };

filter eternal_peril_filter  { program("gpm")
                                    or program("talkd")
                                    or program("gnome-name-server")
                                        or program("automount")
                                        or program("sendmail")
                                        or program("CMD")
                                        and level(debug..error); };

## log the messages ##
log { source(local_src); filter(kernel_filter);
	destination(kernel_dest); };
log { source(local_src); filter(security_filter);
	destination(security_dest); };
log { source(local_src); filter(automation_filter);
	destination(automation_dest); };
log { source(local_src); filter(error_filter); filter(DEFAULT); 
	destination(error_dest); };
log { source(local_src); filter(eternal_peril_filter);
	destination(eternal_peril_dest); };

The log-client configuration is almost identical, except for a destination
line and the log lines:

destination remote_john { udp("10.0.1.4" port(1800)); };

log { source(local_src); filter(kernel_filter);
destination(kernel_dest); };

Any help would be appreciated.

-justin
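The problem Drew points out (a destination such as remote_john that is declared but never named in any log statement) is easy to miss by eye in a longer config. The following added example, not part of either message in this thread, is a small checker that parses a syslog-ng 1.x style config and reports every source, destination and filter that no log statement references; the embedded client config is constructed to mirror Justin's, and the parser assumes no '#' characters inside quoted strings.

```python
import re
from typing import Dict, Set

# Constructed client config modelled on the one in the thread: the remote
# destination is declared, but no log statement ever sends anything to it.
CLIENT_CONF = """
options { long_hostnames(off); sync(10); };
source local_src { unix-stream("/dev/log"); internal(); };
destination kernel_dest { file("/var/log/kernel.log"); };
destination remote_john { udp("10.0.1.4" port(1800)); };
filter kernel_filter { facility(kern); };
log { source(local_src); filter(kernel_filter); destination(kernel_dest); };
"""

# "source NAME {", "destination NAME {", "filter NAME {" declarations
DEF_RE = re.compile(r'\b(source|destination|filter)\s+(\w+)\s*\{')
# each "log { ... };" statement; log bodies contain no nested braces
LOG_RE = re.compile(r'\blog\s*\{(.*?)\}\s*;', re.DOTALL)
# "source(NAME)", "destination(NAME)", "filter(NAME)" inside a log body
REF_RE = re.compile(r'\b(source|destination|filter)\s*\(\s*(\w+)\s*\)')


def strip_comments(conf: str) -> str:
    # '#' to end of line is a comment (assumes no '#' inside quoted strings)
    return re.sub(r'#[^\n]*', '', conf)


def unused_objects(conf: str) -> Dict[str, Set[str]]:
    """Return declared objects that no log statement wires into a path."""
    text = strip_comments(conf)
    declared = {"source": set(), "destination": set(), "filter": set()}
    for kind, name in DEF_RE.findall(text):
        declared[kind].add(name)
    referenced = {"source": set(), "destination": set(), "filter": set()}
    for body in LOG_RE.findall(text):
        for kind, name in REF_RE.findall(body):
            referenced[kind].add(name)
    return {kind: declared[kind] - referenced[kind] for kind in declared}


if __name__ == "__main__":
    for kind, names in unused_objects(CLIENT_CONF).items():
        for name in sorted(names):
            print(f"{kind} '{name}' is declared but no log statement uses it")
```

Run against the constructed client config it reports remote_john as unused; adding the log statement Drew suggests makes the report empty.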



_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng