[syslog-ng]Difficulty with source(net) on Solaris 8 [syslog-ng-1.4.9a]

Shawn Davenport shawn.davenport@currenex.com
Tue, 11 Sep 2001 01:54:34 -0700


Hey Ken,

Give this a try as your syslog-ng.conf file,

options { sync(0); keep_hostname(yes); chain_hostnames(no);
log_fifo_size(30000); };
source s_local { sun-streams("/dev/log" door("/etc/.syslog_door"));
internal(); };
source s_net_udp { udp(); };
destination d_local { file("/logs/messages"); };
log { source(s_local); source(s_net_udp); destination(d_local); };


Note: the source s_net_udp will set syslog-ng to accept ALL incoming
UDP(514) messages from ANY host.
The cisco conf looks ok, and yes both syslogd and -ng can be running at the
same time, at least I've had no problems doing that on Solaris.

If the above does work for you, and gets the cisco messages into
/var/adm/messages let me know and I can toss a few more examples your way...
such as other destinations and filters, and sources.

Best of luck.
Shawn




-----Original Message-----
From: Ken Paris [mailto:kparis@netstars.org]
Sent: Tuesday, September 11, 2001 12:28 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Difficulty with source(net) on Solaris 8 [syslog-ng-1.4.9a]

Greetings.

I must request your assistance.

First I wish to say that I greatly appreciate the professional level of this
list. I am looking forward to getting syslog-ng functioning properly, as it
will greatly reduce my workload.

It compiled .... I thought the rest would be easy ;-)

I have read through most of the archived list, and thought I had this baby
down, but I cannot get syslogs coming from sources other than the local
system to appear.

I have tested with the following script and log everything except
level(emerg), which is correct, and oddly I do not get any facility(kern),
which I thought I would, but which is also not quite so important at the
moment.

... but still none from external sources.

#!/bin/bash
# Brace expansion needs bash or ksh93; Solaris /bin/sh will not expand {a,b}.
for f in {kern,user,daemon,auth,syslog,local0,local1,local2,local3,local4,local5,local6,local7}
do
  for i in {debug,info,notice,warning,err,crit,alert,emerg}
  do
    # send one test message per facility/level pair and echo it to the terminal
    logger -p $f.$i "Facility $f Level $i"
    echo "Facility $f Level $i"
  done
done

Works great!

My main goal is to receive and filter syslogs from Cisco routers, switches,
and firewalls.

If the standard syslogd is running I can see those external log entries 
in /var/adm/messages. They look like this:

Sep 10 16:41:34 [112.139.47.241.225.185] 645: Sep 10 16:36:52: %SYS-5-CONFIG_I: Configured from console by kparis on vty0 (112.139.47.250)
Sep 10 17:03:43 [112.139.47.241.225.185] 646: Sep 10 16:59:00: %SYS-5-CONFIG_I: Configured from console by kparis on vty1 (112.139.47.250)
Sep 10 20:30:42 [112.139.47.244.196.210] 2036: Sep 10 20:25:25.921: %SYS-5-CONFIG_I: Configured from console by kparis on vty0 (112.139.47.250)
Sep 10 20:30:57 [112.139.47.244.196.210] 2037: Sep 10 20:25:40.997: %SYS-5-CONFIG_I: Configured from console by kparis on vty0 (112.139.47.250)

( I still don't get the format of the host stamp [112.139.47.244.196.210]
.... but I believe this is a syslogd thing, and don't think it's the culprit
here. )

( Clarification: Can the standard syslogd be running at the same time as
syslog-ng? I have tried it both ways )

If I snoop the interface, I can see the syslog packets arrive. 

I fear I am missing something fairly basic. I believe I am having difficulty
with the "source net", but I can't seem to find what is wrong when compared
to the many examples I have seen on this list. None of the "source net"
entries shown, nor any variation I can think of, seems to work.

I have also tried changing "/etc/.syslog_door" to "/var/run/syslog_door",
but this makes no difference either.

If I can provide any more clues, I certainly will if I know how.

Any help would be appreciated.

********************* Begin Config Stuff ***************

Cisco Logging Config:
logging buffered 9000 debugging
logging rate-limit console 10 except errors
logging source-interface FastEthernet1/0
logging 172.16.7.250
( The default here is logging facility local7. I have also tried logging
facility local6, which should work too ... I am avoiding kern like the
plague )

Platform:  SunOS 172.16.7.250 5.8 Generic_108528-09 sun4u sparc
SUNW,Ultra-5_10
Version:   syslog-ng-1.4.9a

syslog-ng config: 
( with which I expect to see any message that arrives except level(emerg) )

# /usr/local/etc/syslog-ng.conf
# Start command: /usr/local/sbin/syslog-ng -f /usr/local/etc/syslog-ng.conf -p /var/run/syslog-ng.pid
# Re-start command: kill -HUP `cat /var/run/syslog-ng.pid`
# Begin
# -------- OPTIONS ---------------
options { sync (0);
          time_reopen (10);
          log_fifo_size (1000);
          long_hostnames (off);
          use_dns (no);
          use_fqdn (no);
          create_dirs (yes);
          keep_hostname (yes);
        };
# -------- SOURCES ---------------
#source src { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); udp(ip(0.0.0.0) port(514)); };
# Didn't work ... separated out for clarity
source src { sun-streams("/dev/log" door("/etc/.syslog_door")); };
source int { internal(); };
source net { udp(ip(172.16.7.250) port(514)); };
#source net { udp(); };
#source net { sun-streams("/dev/log" door("/etc/.syslog_door")); udp(ip(0.0.0.0) port(514)); };
# Something is not right in the source department !
#
# -------- DESTINATIONS ----------
destination d_default { file("/var/adm/log/$MONTH/default"); };
# Many more places in mind
#
# -------- FILTERS ---------------
filter f_debug { level(debug .. alert) and facility(kern, daemon, user, auth,
                 syslog, local0, local1, local2, local3, local4, local5, local6, local7); };
# Catch all for now... I got a book of "matches" in my pocket
#
# -------- ACTIONS ---------------
log { source(src); filter(f_debug); destination(d_default); };
# Add loggers to match added sources
log { source(net); filter(f_debug); destination(d_default); };
log { source(int); filter(f_debug); destination(d_default); };
#log { source(src); filter(DEFAULT); destination(d_default); };
# Blast ... All that reading, and I think I still need some help
# End

Megs of thanks,
Ken Paris
Sr. Network Systems Engineer,
Bluestar Solutions, Inc.
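The router lines quoted in the post, as an added example that is not part of the original thread or of syslog-ng: a small Python parser for the Solaris-syslogd-wrapped Cisco IOS messages that pulls out the %FACILITY-SEVERITY-MNEMONIC triple and lists the configuration changes, which is what a defender would want to alert on once the udp() source is receiving. The sample lines are constructed from the post's excerpt; treating the first four octets of the bracketed host stamp as the sender address is an assumption.

```python
import re

# Constructed sample input, modelled on the /var/adm/messages excerpt in the post
SAMPLE_LINES = [
    "Sep 10 16:41:34 [112.139.47.241.225.185] 645: Sep 10 16:36:52: %SYS-5-CONFIG_I: Configured from console by kparis on vty0 (112.139.47.250)",
    "Sep 10 20:30:42 [112.139.47.244.196.210] 2036: Sep 10 20:25:25.921: %SYS-5-CONFIG_I: Configured from console by kparis on vty0 (112.139.47.250)",
    "Sep 10 20:31:10 [112.139.47.244.196.210] 2038: Sep 10 20:25:53.100: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to down",
    "Sep 10 20:31:11 loghost sshd[123]: Accepted publickey for ops from 10.0.0.5",
]

# syslogd prefix, bracketed stamp, IOS sequence number, device time (optional ms),
# then %FACILITY-SEVERITY-MNEMONIC and the free-text message.
LINE_RE = re.compile(
    r"^(?P<recv>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \[(?P<stamp>[0-9.]+)\] (?P<seq>\d+): "
    r"(?P<devtime>\w{3} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
CONFIG_RE = re.compile(r"by (?P<user>\S+) on (?P<line>\S+) \((?P<from>[0-9.]+)\)")


def parse_cisco_line(line):
    """Parse one syslogd line carrying a Cisco IOS message; None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])  # IOS: 0=emergencies .. 7=debugging
    # Assumption: the first four dotted octets of the bracketed stamp are the
    # sender's IPv4 address; any trailing octets are ignored here.
    rec["sender_ip"] = ".".join(rec["stamp"].split(".")[:4])
    return rec


def config_change_events(lines):
    """(sender_ip, user, source_ip) for every %SYS-5-CONFIG_I line."""
    events = []
    for line in lines:
        rec = parse_cisco_line(line)
        if rec is None or rec["mnemonic"] != "CONFIG_I":
            continue
        c = CONFIG_RE.search(rec["text"])
        if c is not None:
            events.append((rec["sender_ip"], c.group("user"), c.group("from")))
    return events


def severe_events(lines, max_severity=3):
    """Parsed IOS records at severity max_severity or worse (lower number = worse)."""
    recs = (parse_cisco_line(l) for l in lines)
    return [r for r in recs if r is not None and r["severity"] <= max_severity]
```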

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng