[syslog-ng]Problem of recording

Balazs Scheidler bazsi@balabit.hu
Wed, 6 Nov 2002 20:02:27 +0100


On Wed, Nov 06, 2002 at 05:53:32PM +0100, Stefano Tanfoglio wrote:
> I am Stefano Tanfoglio, I work for a bank in Italy.
> I use syslog-ng to archive the logs of 176 computers ( 2 routers - 125
> Windows servers - 51 Linux servers ).
> 
> On the Windows servers I use the ntsyslog service.
> 
> protocol =  udp
> destination server = ip syslog-ng server
> destination port = 514
> 
> Ntsyslog sends all logs
> 
> On the Linux servers I use syslog
> 
> auth.*                                                @syslog01.xxxx.it
> authpriv.*                                            @syslog01.xxxx.it
> kernel.=err;kernel.=warn                               @syslog01.xxxx.it
> mail.=err;mail.=warn                                      @syslog01.xxxx.it
> daemon.=err;daemon.=warn                          @syslog01.xxxx.it
> local7.=err;local7.=warn                                 @syslog01.xxxx.it
> ...
> ...
> 
> Configuration syslog-ng.conf:
> Version: syslog-ng-1.4.14-2mdk
> 
> options { sync (0);
>           time_reopen (10);
>           log_fifo_size (3000);
>           long_hostnames (on);
>           use_dns (yes);
>           use_fqdn (yes);
>           create_dirs (yes);
>           keep_hostname (yes);
>         };
> 
> source remote   { udp(); };
> 
> destination linux { file("/var/log/HOSTS/LINUX/$HOST/$FACILITY"
> dir_perm(0755) perm(0655)); };
> destination windows { file("/var/log/HOSTS/WINDOWS/$HOST/$FACILITY"
> dir_perm(0755) perm(0655)); };
> destination router { file("/var/log/HOSTS/ROUTER/$HOST/$FACILITY"
> dir_perm(0755) perm(0655)); };
> 
> filter f_linux {
> host("name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|51"); }
> ;
> 
> filter f_windows {
> host("name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|125"); 
> };
> 
> filter f_router { host("name1.domain.tld|name2.domain.tld"); };
> 
> log { source(remote); filter(f_linux); destination(linux); };
> log { source(remote); filter(f_windows); destination(windows); };
> log { source(remote); filter(f_router); destination(router); };
> 
> Problem:
> 
> 1) In the Windows section I have 125 machines and only 80 are recording.
>     I tried moving the last hostname to the first position:
>     filter f_windows {
> host("125|name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|124"); };
>     the test is OK, the hostname is logging and recording.

the maximum length of the regular expressions is 1023 characters

> 
> 2) Every 10-15 minutes the syslog-ng system goes down.

you might try 1.4.17 (stable) or 1.5.23 (soon to be stable)

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
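
An added example, not part of the original message or of syslog-ng: a Python helper that finds host() patterns longer than the 1023-character limit stated in the reply and splits a host list into several patterns joined with `or`, so no source silently falls out of the archive. The hostnames are constructed placeholders, and it assumes the installed syslog-ng version accepts `or` between host() expressions in a filter.

```python
import re

MAX_REGEX_LEN = 1023  # limit stated in the reply above

def chunk_hosts(hosts, limit=MAX_REGEX_LEN):
    """Pack hostnames into '|'-joined patterns, each at most `limit` characters."""
    patterns, current = [], ""
    for host in hosts:
        if len(host) > limit:
            raise ValueError(f"hostname longer than {limit} characters: {host[:40]}...")
        candidate = host if not current else current + "|" + host
        if len(candidate) > limit:
            patterns.append(current)   # close the full pattern, start a new one
            current = host
        else:
            current = candidate
    if current:
        patterns.append(current)
    return patterns

def render_filter(name, hosts, limit=MAX_REGEX_LEN):
    """Render one filter statement whose host() patterns are OR-ed together.
    Assumption: the syslog-ng version in use supports 'or' in filter expressions."""
    parts = [f'host("{p}")' for p in chunk_hosts(hosts, limit)]
    return f"filter {name} {{\n    " + "\n    or ".join(parts) + ";\n};"

HOST_CALL = re.compile(r'host\(\s*"([^"]*)"\s*\)')

def oversized_patterns(config_text, limit=MAX_REGEX_LEN):
    """Return (length, first 40 characters) for every host() pattern above the limit."""
    return [(len(p), p[:40]) for p in HOST_CALL.findall(config_text) if len(p) > limit]

if __name__ == "__main__":
    # Constructed sample: 125 placeholder hostnames, as in the Windows filter above.
    hosts = [f"win{i:03d}.domain.tld" for i in range(1, 126)]
    single = 'filter f_windows { host("' + "|".join(hosts) + '"); };'
    print("oversized:", oversized_patterns(single))
    print(render_filter("f_windows", hosts))
```

Running `oversized_patterns` over the live configuration before each reload catches a filter that has grown past the limit as hosts were added.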