[syslog-ng]logfile save problem (again ;)
Balazs Scheidler
bazsi@balabit.hu
Thu, 18 Jul 2002 10:13:12 +0200
On Thu, Jul 18, 2002 at 10:08:47AM +0200, Buerger, Manfred wrote:
> Hello,
>
> For test purposes i have changed my configuration, as you told me to do: now
> i try $HOST, $SOURCEIP and $SOURCE_IP for the destination folder, but
> nothing works!
> Take a look at my config, please:
>
> # Syslog-ng configuration.
> #
> # what the default options are for files that it writes
> #
>
> options { sync(0); time_reopen(10); log_fifo_size(100); };
>
> source src {
> unix-stream("/dev/log");
> internal();
> udp(ip("0.0.0.0") port(514));
> };
>
> filter f_messages { facility(local7); };
> filter f_bootlog { facility(local7); };
> filter f_authlog { facility(local7); };
> #i know that this filter config doesnīt make sense; its only for testing
> purposes!
>
> destination messages {
> file("/var/log/syslog-ng/$SOURCE_IP/messages"
> sync(0) log_fifo_size(10) create_dirs(yes)
> owner(root) group(system) perm(0660) dir_perm(0770));
> };
>
> destination bootlog {
> file("/var/log/syslog-ng/$SOURCEIP/boot.log"
> sync(0) log_fifo_size(10) create_dirs(yes)
> owner(root) group(system) perm(0660) dir_perm(0770));
> };
>
> destination authlog {
> file("/var/log/syslog-ng/$HOST/secure.log"
> sync(0) log_fifo_size(10) create_dirs(yes)
> owner(root) group(system) perm(0660) dir_perm(0770));
> };
> log { source(src);
> filter(f_messages);
> destination(messages);
> };
> log { source(src);
> filter(f_bootlog);
> destination(bootlog);
> };
> log { source(src);
> filter(f_authlog);
> destination(authlog);
> };
>
>
> The results of this config:
>
> destination messages (with $SOURCE_IP in the pathname) writes the file
> "messages" to "/var/log/syslog-ng/messages"
>
> destination bootlog (with $SOURCEIP in the pathname) writes the file
> "boot.log" to "/var/log/syslog-ng/boot.log"
>
> destination authlog (with $HOST in the pathname) works fine for Cisco
> network components! e.g. the logfile is stored in
> "/var/log/syslog-ng/10.146.18.3".Well!!! As i wrote in an earlier mail it
> donīt work with enterasys/cabletron stuff. They build folders like this:
> /var/log/syslog-ng # ll
> total 79
> drwxr-x--- 2 root root 72 Jul 9 17:56 %CLI-E-FACUNKNWN,
> drwxr-x--- 2 root root 72 Jul 13 20:16 %CLI-E-INCMPCMD,
> drwxr-x--- 2 root root 72 Jul 9 19:05 %CLI-W-MODNOTFOUND,
> drwxr-x--- 2 root root 72 Jul 17 07:38 %CONFIG-E-SEARCH,
> drwxr-x--- 2 root root 72 Jul 14 00:23 %CONFIG-I-NOCHANGES,
>
> At least please take a look at the Syslogmessages sent by different network
> components!
> The Enterasys/Cabletron components send messages like this:
>
> Jul 17 09:10:48 %STP-I-PORT_STATUS,/10.146.12.16 Port status change
> detected: et.1.7 - Port Down
>
> The Ciscoīs use another formatting:
>
> Jul 18 09:31:02 10.146.18.3/10.146.18.3 5392: 3w2d: %AMDP2_FE-5-EXCESSCOLL:
> Ethernet1/0 TDR=2, TRC=0
>
> Could this cause the problem?? What can I do?? (perhaps some important
> information: i am using syslog-ng version 1.4.14)
This is the important bit. These macros are supported only by 1.5.x (18 at
the moment)
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1