[syslog-ng]logfile save problem (again ;)

Balazs Scheidler bazsi@balabit.hu
Thu, 18 Jul 2002 10:13:12 +0200


On Thu, Jul 18, 2002 at 10:08:47AM +0200, Buerger, Manfred wrote:
> Hello,
> 
> For test purposes I have changed my configuration, as you told me to do: now
> I try $HOST, $SOURCEIP and $SOURCE_IP for the destination folder, but
> nothing works!
> Take a look at my config, please:
> 
> # Syslog-ng configuration.
> #
> # what the default options are for files that it writes
> #
> 
> options { sync(0); time_reopen(10); log_fifo_size(100); };
> 
> source src {
>         unix-stream("/dev/log");
>         internal();
>         udp(ip("0.0.0.0") port(514));
> };
> 
> filter f_messages { facility(local7); };
> filter f_bootlog { facility(local7); };
> filter f_authlog { facility(local7); };
> # I know that this filter config doesn't make sense; it's only for testing purposes!
> 
> destination messages {
>    file("/var/log/syslog-ng/$SOURCE_IP/messages"
>          sync(0) log_fifo_size(10) create_dirs(yes)
>          owner(root) group(system) perm(0660) dir_perm(0770));
> };
> 
> destination bootlog {
>    file("/var/log/syslog-ng/$SOURCEIP/boot.log"
>          sync(0) log_fifo_size(10) create_dirs(yes)
>          owner(root) group(system) perm(0660) dir_perm(0770));
> };
> 
> destination authlog {
>    file("/var/log/syslog-ng/$HOST/secure.log"
>          sync(0) log_fifo_size(10) create_dirs(yes)
>          owner(root) group(system) perm(0660) dir_perm(0770));
> };
> log { source(src);
>       filter(f_messages);
>       destination(messages);
> };
> log { source(src);
>       filter(f_bootlog);
>       destination(bootlog);
> };
> log { source(src);
>       filter(f_authlog);
>       destination(authlog);
> };
> 
> 
> The results of this config:
> 
> destination messages (with $SOURCE_IP in the pathname) writes the file
> "messages" to  "/var/log/syslog-ng/messages"
> 
> destination bootlog (with $SOURCEIP in the pathname) writes the file
> "boot.log" to  "/var/log/syslog-ng/boot.log"
> 
> destination authlog (with $HOST in the pathname) works fine for Cisco
> network components! e.g. the logfile is stored in
> "/var/log/syslog-ng/10.146.18.3". Well!!! As I wrote in an earlier mail it
> doesn't work with Enterasys/Cabletron stuff. They build folders like this:
> /var/log/syslog-ng # ll
> total 79
> drwxr-x---    2 root     root           72 Jul  9 17:56 %CLI-E-FACUNKNWN,
> drwxr-x---    2 root     root           72 Jul 13 20:16 %CLI-E-INCMPCMD,
> drwxr-x---    2 root     root           72 Jul  9 19:05 %CLI-W-MODNOTFOUND,
> drwxr-x---    2 root     root           72 Jul 17 07:38 %CONFIG-E-SEARCH,
> drwxr-x---    2 root     root           72 Jul 14 00:23 %CONFIG-I-NOCHANGES,
> 
> At least please take a look at the syslog messages sent by different network
> components!
> The Enterasys/Cabletron components send messages like this: 
> 
> Jul 17 09:10:48 %STP-I-PORT_STATUS,/10.146.12.16 Port status change
> detected: et.1.7 - Port Down
> 
> The Ciscos use another formatting:
> 
> Jul 18 09:31:02 10.146.18.3/10.146.18.3 5392: 3w2d: %AMDP2_FE-5-EXCESSCOLL:
> Ethernet1/0 TDR=2, TRC=0
> 
> Could this cause the problem?? What can I do?? (perhaps some important
> information: I am using syslog-ng version 1.4.14)

This is the important bit. These macros are supported only by 1.5.x (18 at
the moment)

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
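
The Enterasys directory names in the listing above come from a path component that is filled from message content. The following is an added example, not part of the thread and not syslog-ng code: it splits the host field of the two stored lines quoted above and picks a directory name, falling back to the sender address when the claimed name is not a plausible host. It assumes the host field has the form claimed-name/sender-address, as both samples suggest; all function names are hypothetical.

```python
import ipaddress
import re

# Stored log lines quoted in the message above (wrapped lines rejoined).
SAMPLES = [
    "Jul 17 09:10:48 %STP-I-PORT_STATUS,/10.146.12.16 Port status change "
    "detected: et.1.7 - Port Down",
    "Jul 18 09:31:02 10.146.18.3/10.146.18.3 5392: 3w2d: "
    "%AMDP2_FE-5-EXCESSCOLL: Ethernet1/0 TDR=2, TRC=0",
]

# "Mmm dd hh:mm:ss" timestamp, then the host field up to the next space.
LINE_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")
# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_hostname(text):
    return 0 < len(text) <= 253 and all(LABEL_RE.match(p) for p in text.split("."))


def split_host_field(line):
    """Return (claimed_name, sender_address) from a stored log line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a timestamped syslog line")
    # Assumption: the text after the last '/' is the sender's address.
    claimed, _, sender = m.group(1).rpartition("/")
    return claimed, sender


def directory_for(line):
    """Pick a per-host directory name that message content cannot shape."""
    claimed, sender = split_host_field(line)
    if not is_ip(sender):
        raise ValueError("sender address missing or malformed")
    # The claimed name is data from the device; use it only if it looks like
    # a host, otherwise fall back to the address the packet came from.
    if is_ip(claimed) or is_hostname(claimed):
        return claimed
    return sender
```

A stricter policy always returns the sender address, since a well-formed claimed name is still supplied by the device that sent the message.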