From syslog-ng@lists.balabit.hu Thu May 1 00:47:12 2003
From: syslog-ng@lists.balabit.hu (Glasser, Rob)
Date: Wed, 30 Apr 2003 16:47:12 -0700
Subject: [syslog-ng]FQDN in the destination - FIXED
Message-ID: <452461EB40EACE48911A89E99EF82F6D3BD1EB@WA-MSG12-BTH.wireless.attws.com>

Figured it out. The problem was twofold. First problem: the host I was testing with was in my /etc/hosts file with a shortname first, and my nsswitch.conf file was looking there first. Second problem: I had chrooted the environment. When I chrooted the environment all name resolution failed; all I got was IP addresses. After I removed that option I got the short name again, and as soon as I commented out the shortname entry in /etc/hosts I got the FQDN.

Thanks everyone for their help.

From syslog-ng@lists.balabit.hu Thu May 1 07:17:38 2003
From: syslog-ng@lists.balabit.hu (nate)
Date: Wed, 30 Apr 2003 23:17:38 -0700 (PDT)
Subject: [syslog-ng]using flags in log statements
Message-ID: <49319.10.10.10.7.1051769858.squirrel@webmail.linuxpowered.net>

How would I set a flag, such as "final", in a log statement? I read on this sample config that it can be done, but I don't see any examples:
http://www.campin.net/syslog-ng/expanded-syslog-ng.conf

I tried just putting final; and that didn't work, and tried flag(final); that didn't work either.

For some reason the MIME setup seems to be broken on www.balabit.com: when I try to access the documentation it sends me the file with type application/octet-stream, which Phoenix then prompts to download. I can save it to disk and view it, but it's only the table of contents..
Not sure if the online docs talk about it or not; the manpage for syslog-ng.conf does not mention flags (FreeBSD 4.8).

thanks
nate

From syslog-ng@lists.balabit.hu Thu May 1 22:42:33 2003
From: syslog-ng@lists.balabit.hu (Bas Koot)
Date: Thu, 1 May 2003 23:42:33 +0200
Subject: [syslog-ng]Simple question, MySQL & Log file
Message-ID: <002201c3102a$9301deb0$6400a8c0@KOOTPCBAS>

Hi everybody!

First of all, I like Syslog-NG! But I have 1 (simple, I think) question about it. For my Postfix I need to use the /var/log/maillog file (for the pop-before-smtp feature), but at this moment everything is put into the MySQL database.

Does somebody know how to get the mail data in the database AND into the log file?

My current config:

# sources
source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };

# destinations
destination dmysql {
        pipe("/tmp/mysql.pipe"
        template("INSERT INTO logs (host,facility,priority,level,tag,
                  timestamp,program,msg) VALUES ('$HOST','$FACILITY',
                  '$PRIORITY','$LEVEL','$TAG','$UNIXTIME','$PROGRAM',
                  '$MSG');\n")
        template-escape(yes));
};

destination maillog { file("/var/log/maillog"); };

# logs
log { source(src); destination(dmysql); };
log { source(kernsrc); destination(dmysql); };

Thanks!

Greetings,
Bas Koot.
From syslog-ng@lists.balabit.hu Thu May 1 22:51:48 2003
From: syslog-ng@lists.balabit.hu (Jason Haar)
Date: Fri, 2 May 2003 09:51:48 +1200
Subject: [syslog-ng]Can some servers only be allowed to chained?
Message-ID: <20030501215148.GB23480@trimble.co.nz>

I have a central syslog server.

destination d_messages { template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n") ...

I also have some DMZes and complex firewall configs that make it not practical (or secure) to open up incoming connections from all the syslog clients back to the server. So instead, each of these "complex" areas has a syslog server in it that all the others in that subnet talk to via UDP. That one syslog server then talks to the central server via TCP, leading to one server with all syslog records.

This all works fine, but I have to "chain_hostnames(yes)" for that to work. What I want is for the UDP source on the central server to do the PTR thing to figure out what $HOST is, i.e. "chain_hostnames(no)". For TCP only, "chain_hostnames(yes)". Then I can use netfilter to limit who can TCP to the server, etc.

Can that be done?

Thanks

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377  Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

From syslog-ng@lists.balabit.hu Fri May 2 12:59:53 2003
From: syslog-ng@lists.balabit.hu (Hamilton, Andrew)
Date: Fri, 2 May 2003 07:59:53 -0400
Subject: [syslog-ng]Simple question, MySQL & Log file
Message-ID:

Just add an additional log line or additional destination.
log { source(src); destination(dmysql); destination(maillog); };

or

log { source(src); destination(dmysql); };
log { source(src); destination(maillog); };

Regards,

Drew

-----Original Message-----
From: Bas Koot [mailto:bask@tiscali.nl]
Sent: Thursday, May 01, 2003 5:43 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Simple question, MySQL & Log file
From syslog-ng@lists.balabit.hu Sun May 4 03:41:34 2003
From: syslog-ng@lists.balabit.hu (Michael Boman)
Date: 04 May 2003 10:41:34 +0800
Subject: [syslog-ng]How to _not_ resolve hostnames?
Message-ID: <1052016094.20462.6.camel@r2d2.dmz1.securecirt.com>

I'd like syslog-ng NOT to resolve hostnames; I want $HOST to be the IP address and nothing else. How would I go about configuring it like that?

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com

From syslog-ng@lists.balabit.hu Sun May 4 04:23:50 2003
From: syslog-ng@lists.balabit.hu (Brian C. Hill)
Date: Sat, 3 May 2003 20:23:50 -0700
Subject: [syslog-ng]How to _not_ resolve hostnames?
In-Reply-To: <1052016094.20462.6.camel@r2d2.dmz1.securecirt.com>
References: <1052016094.20462.6.camel@r2d2.dmz1.securecirt.com>
Message-ID: <20030504032350.GA5239@mark.bch.net>

use_dns(no);

Brian

======================================================================
On Sun, May 04, 2003 at 10:41:34AM +0800, Michael Boman wrote:
> I'd like syslog-ng NOT resolve hostnames, i want $HOST to be the ip
> address and nothing else.
>
> How would I go about configure it like that?
>
> Best regards
> Michael Boman
>
> --
> Michael Boman
> Security Architect, SecureCiRT Pte Ltd
> http://www.securecirt.com

--
Brian C. Hill    bchill@bch.net    http://brian.bch.net
Unix Specialist  BCH Technical Services  http://www.bch.net

From syslog-ng@lists.balabit.hu Sun May 4 04:30:44 2003
From: syslog-ng@lists.balabit.hu (Michael Boman)
Date: 04 May 2003 11:30:44 +0800
Subject: [syslog-ng]How to _not_ resolve hostnames?
In-Reply-To: <20030504032350.GA5239@mark.bch.net>
References: <1052016094.20462.6.camel@r2d2.dmz1.securecirt.com> <20030504032350.GA5239@mark.bch.net>
Message-ID: <1052019044.23846.0.camel@r2d2.dmz1.securecirt.com>

On Sun, 2003-05-04 at 11:23, Brian C. Hill wrote:
> use_dns(no);
>
> Brian

Thanks Brian.

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com

From syslog-ng@lists.balabit.hu Mon May 5 09:55:07 2003
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Mon, 5 May 2003 10:55:07 +0200
Subject: [syslog-ng]Sorting data from msg field into correct columns?
Message-ID: <595362761E89B640A907F5112F8B89B801A2217D@sxmbx03.corproot.net>

Hi all!

I have now added hardware to report into a central syslog, but I have to use a relay
(another syslog-ng). Now I get messages containing:

Host: IP/Name of the relay
Facility, Priority, Level, tag, date, time and program is just all info from the relay.

In the msg I have all the data, such as the original host, time, msg, etc.

Is there any way to "grep/sed/awk" the data out of the msg field and sort it into the right columns?

Is there an example for such a filter?

Any help is appreciated.

Regards,

Michael

-----Original Message-----
From: Hamilton, Andrew [mailto:Andrew.Hamilton@afccc.af.mil]
Sent: Friday, 2 May 2003 14:00
To: syslog-ng@lists.balabit.hu
Subject: RE: [syslog-ng]Simple question, MySQL & Log file

From syslog-ng@lists.balabit.hu Mon May 5 13:39:26 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Mon, 5 May 2003 14:39:26 +0200
Subject: [syslog-ng]Sorting data from msg field into correct columns?
In-Reply-To: <595362761E89B640A907F5112F8B89B801A2217D@sxmbx03.corproot.net>
References: <595362761E89B640A907F5112F8B89B801A2217D@sxmbx03.corproot.net>
Message-ID: <20030505123926.GC17088@balabit.hu>

On Mon, May 05, 2003 at 10:55:07AM +0200, Michael.Semling@swisscom.com wrote:
> Hi all!
>
> As I have now added hardware to report into a central syslog but I have
> to uses a relay. (Another SYSLOG-NG)
> Now I get messages containing
>
> Host: IP/Name of the relay
> Facility, Priority, Level, tag, date, time and program is just all info
> from the relay.
>
> In the msg I have all the data as the original host, time, msg. etc.
>
> Is there any way to "grep/sed/awk" the data out of the msg field and
> sort them into the right columns?
>
> Is there an example for such a filter?

Can you be more specific? Can you perhaps provide examples (what you would expect and what happens in reality)?

--
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Tue May 6 07:53:18 2003
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Tue, 6 May 2003 08:53:18 +0200
Subject: [syslog-ng]Sorting data from msg field into correct columns?
Message-ID: <595362761E89B640A907F5112F8B89B801A22183@sxmbx03.corproot.net>

Hi list,

I can be more specific.

I have proxies, routers and firewalls in a DMZ.
These report into a syslog server in the DMZ.

I want to have the messages in one central place, so I send them to my central syslog server with a MySQL DB.

There they arrive, but they look like the following example.
a.a.a.a = where it comes from originally (at least what I think ;-))
b.b.b.b = NAME of the syslog server

A router message
| a.a.a.a | syslog5 | info | info | ae | 2003-05-06 | 04:21:38 | b.b.b.b | b.b.b.b : [ID 72119 syslog5.info] 04:21:36 drop rgw2 >eth0 reason: ACL: Ingress filter dropped packet ; src: a.b.c.d; s_port: 933; dst: f.g.h.i; d_port: 514; | 1015510 |

A firewall message
| c.c.c.c | syslog5 | info | info | ae | 2003-05-06 | 04:21:38 | b.b.b.b | b.b.b.b: [ID 72119 syslog5.info] 04:21:37 drop fwgw >eth1 product: SmartDefense; TCP sequence validator: dropped packet with invalid ACK number; attack: Bad TCP sequence; src: i.j.k.l; s_port: 80; dst: m.n.o.p; service: shell; proto: tcp; | 1015511 |

So I would like to have the machine name, rgw2 or fwgw, in the host's or facility's place. Maybe the word 'drop' as level, so I can create an index for fast search.
Ideal would be if I could do a search in the $MSG and then filter the entry and put parts of the $MSG into different variables, e.g. $HOST etc.

I guess this could already be done with a regexp search in the $MSG field, then assigning the different variables. But I guess I would have to hardcode all cases, and I'd just like to take something like $MSG.$1, $MSG.$2 etc.

This would allow me to do some kind of "message normalisation". Maybe that's impossible for some reasons (speed).

Regards,

Michael

-----Original Message-----
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
Sent: Monday, 5 May 2003 14:39
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Sorting data from msg field into correct columns?

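Michael's two rows above carry the originating device (rgw2, fwgw), its action and a run of "key: value;" pairs inside $MSG, while $HOST and $PROGRAM on the central server belong to the relay. The following is an added Python example, not code from the thread or from syslog-ng, showing the regexp-then-assign normalisation he describes applied to those two sample messages in the program that consumes the rows (for instance whatever reads /tmp/mysql.pipe). The header layout it assumes (relay, "[ID n facility.level]", time, action, host, ">interface", then the pairs) is inferred from those two lines only, and the column names host and level are the ones from Bas's INSERT template; a line that does not fit the layout is returned unchanged rather than half-parsed.

```python
import re
from typing import Dict, Optional

# Two $MSG values as they arrived at the central server, copied from the
# post above (the a.b.c.d-style addresses are the poster's placeholders).
SAMPLE_MSGS = [
    "b.b.b.b : [ID 72119 syslog5.info] 04:21:36 drop   rgw2 >eth0 reason: "
    "ACL: Ingress filter dropped packet ;  src: a.b.c.d; s_port: 933; "
    "dst: f.g.h.i; d_port: 514;",
    "b.b.b.b: [ID 72119 syslog5.info] 04:21:37 drop   fwgw >eth1 product: "
    "SmartDefense; TCP sequence validator: dropped packet with invalid ACK "
    "number; attack: Bad TCP sequence; src:  i.j.k.l; s_port: 80; "
    "dst: m.n.o.p; service: shell; proto: tcp;",
]

# Layout inferred from those two lines (an assumption about this relay,
# not a documented format):
#   <relay>: [ID <num> <facility>.<level>] <time> <action> <host> ><iface> <k: v; k: v; ...>
HEADER_RE = re.compile(
    r"^(?P<relay>\S+?)\s*:\s*"
    r"\[ID\s+(?P<msgid>\d+)\s+(?P<relay_facility>[^.\s]+)\.(?P<relay_level>[^\]\s]+)\]\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<action>\S+)\s+"
    r"(?P<host>\S+)\s+"
    r">(?P<iface>\S+)\s*"
    r"(?P<rest>.*)$"
)


def parse_kv(rest: str) -> Dict[str, str]:
    """Split 'key: value; key: value;' into a dict. Keys are lower-cased and
    spaces become underscores so they can double as column names; only the
    first ':' separates key from value, so 'reason: ACL: ...' keeps its colon."""
    fields: Dict[str, str] = {}
    for part in rest.split(";"):
        if ":" not in part:
            continue
        key, value = part.split(":", 1)
        key = key.strip().lower().replace(" ", "_")
        if key:
            fields[key] = value.strip()
    return fields


def normalise(msg: str) -> Optional[Dict[str, str]]:
    """Return the fields hidden in a relayed $MSG, or None when the line does
    not follow the expected layout (so the caller can keep the relay's values)."""
    m = HEADER_RE.match(msg)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k != "rest"}
    fields.update(parse_kv(m.group("rest")))
    return fields


def rewrite_row(row: Dict[str, str]) -> Dict[str, str]:
    """Apply the normalisation to one DB row: put the originating device in
    'host' and its action in 'level', as the post asks. An unparseable
    message leaves the row untouched, relay values and full $MSG included."""
    parsed = normalise(row["msg"])
    if parsed is None:
        return dict(row)
    new = dict(row)
    new["host"] = parsed["host"]
    new["level"] = parsed["action"]
    return new


if __name__ == "__main__":
    for msg in SAMPLE_MSGS:
        print(normalise(msg))
```

Because the relay's $HOST is what the central server records, the parse is the only place the real origin can be recovered; that is why rewrite_row refuses to rewrite a row whose message it could not parse instead of guessing. Per-key indexes (Michael's 'drop' as level) then work on the parsed columns without touching the raw $MSG.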

From syslog-ng@lists.balabit.hu Tue May 6 14:43:41 2003
From: syslog-ng@lists.balabit.hu (Dawid Szymański)
Date: 06 May 2003 15:43:41 +0200
Subject: [syslog-ng]Few general questions.
Message-ID: <1052228621.1396.12.camel@dawids.axit.pl>

Hello,

I'd like to get answers to a few questions..

1. Which version of syslog-ng should I call stable? It's really complicated when I can read in the docs that 1.4 is stable, and on the web page that 1.6 is, etc. etc..
2. Do any of the syslog-ng versions support encrypted connections over udp/tcp?
3. When/Are you going to support encrypted connections? Impatient ;)

--
Kind regards,
Dawid Szymanski

From syslog-ng@lists.balabit.hu Tue May 6 14:51:26 2003
From: syslog-ng@lists.balabit.hu (Jacob Steinberger)
Date: Tue, 6 May 2003 09:51:26 -0400 (EDT)
Subject: [syslog-ng]Few general questions.
In-Reply-To: <1052228621.1396.12.camel@dawids.axit.pl>
References: <1052228621.1396.12.camel@dawids.axit.pl>
Message-ID: <50722.209.83.112.202.1052229086.squirrel@QuestMail.FutureQuest.net>

> 2. Does any of syslogd-ng versions support encrypted connections over
> udp/tcp?

You could always tunnel. http://www.openssl.org

Jacob

From syslog-ng@lists.balabit.hu Tue May 6 14:54:09 2003
From: syslog-ng@lists.balabit.hu (Hamilton, Andrew)
Date: Tue, 6 May 2003 09:54:09 -0400
Subject: [syslog-ng]Few general questions.
Message-ID:

1. Well, I use 1.6 and it is very stable; just get the latest snapshot. There was a release that had a macro bug, but it has since been remedied. I have been using 1.6 for the last several months without issue.

2. Currently syslog-ng doesn't support native encrypted sessions. You would have to use an add-on to get that functionality.

3. The encryption support is planned in v2.0. That is still in alpha and may not even be implemented in the series yet. Bazsi would have more details on whether that is available in that line or not. You can tap your foot and sigh with impatience all you want, but Bazsi has lots on his plate and the improvements come as he has time. You'll just have to learn a little patience. Syslog-ng still beats the heck out of old syslogd.

Regards,

Drew

-----Original Message-----
From: Dawid Szymanski [mailto:dawszy@axit.pl]
Sent: Tuesday, May 06, 2003 9:44 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Few general questions.

From syslog-ng@lists.balabit.hu Tue May 6 14:55:40 2003
From: syslog-ng@lists.balabit.hu (Dawid Szymański)
Date: 06 May 2003 15:55:40 +0200
Subject: [syslog-ng]Few general questions.
In-Reply-To: <50722.209.83.112.202.1052229086.squirrel@QuestMail.FutureQuest.net>
References: <1052228621.1396.12.camel@dawids.axit.pl> <50722.209.83.112.202.1052229086.squirrel@QuestMail.FutureQuest.net>
Message-ID: <1052229340.2007.16.camel@dawids.axit.pl>

In the mail of Tue, 06-05-2003, 15:51, Jacob Steinberger writes:
> > 2. Does any of syslogd-ng versions support encrypted connections over
> > udp/tcp?
>
> You could always tunnel. http://www.openssl.org

I don't want to play with stunnel on ~10 machines. I am looking for a solution that would have encryption included.

--
Kind regards,
Dawid Szymanski

From syslog-ng@lists.balabit.hu Tue May 6 16:48:15 2003
From: syslog-ng@lists.balabit.hu (Brad Stockdale)
Date: Tue, 06 May 2003 11:48:15 -0400
Subject: [syslog-ng]Re: Log analysis
In-Reply-To: <20030505085602.7509.87801.Mailman@www.balabit.hu>
Message-ID: <5.2.1.1.2.20030506114441.03309018@pop.greenepa.net>

Hello all,

I've been using syslog-ng for about a year now on a centralized logging server. It works great! But now I have 9 gigabytes of past logs... haha...

In any case, I am trying to find a good way to analyze the daily logs... Sort of condense them like LogSentry/LogWatch does, but via a web interface... Can anyone out there recommend a good log analysis package?

I started to try out lire, but part way through the setup I figured out that it might be a pain to try to get lire to understand the log rotations, etc... I rotate logs daily with the following directory structure:

/var/log/$IPADDRESS/$4DIGITYEAR/$2DIGITMONTH/$2DIGITDAY/facilitypriority.log

lire expects the logs to be in /var/log/ and to use the normal rotation of putting a number at the end of the filename...

Any thoughts?

Thanks,
Brad

From syslog-ng@lists.balabit.hu Tue May 6 17:26:17 2003
From: syslog-ng@lists.balabit.hu (Brad Stockdale)
Date: Tue, 06 May 2003 12:26:17 -0400
Subject: [syslog-ng]Re: Oops. I broke it. :(
In-Reply-To: <20030506154902.25100.40616.Mailman@www.balabit.hu>
Message-ID: <5.2.1.1.2.20030506122252.033451d8@pop.greenepa.net>

Oops... I upgraded my syslog-ng from the 1.4 train to the 1.6 train, and it doesn't like my old configuration file... It seems to be choking on the following line:

[root@internal syslog-ng-1.6.0rc3]# /usr/local/sbin/syslog-ng -f /etc/syslog-ng.conf
unresolved reference: DEFAULT
Error initializing configuration, exiting.

Here's my config:

options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); };

source s_sys { pipe("/proc/kmsg"); unix-stream("/dev/log"); internal(); };
source s_net { udp(); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };
destination d_udph { file("/var/log/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.log" create_dirs(yes)); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };

log { source(s_net); filter(DEFAULT); destination(d_udph); };
#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
log { source(s_sys); filter(DEFAULT); destination(d_mesg); };

It seems to dislike this line (I guess):

log { source(s_net); filter(DEFAULT); destination(d_udph); };

Is there no longer a default filter? Or am I just being stupid and cannot see a simple error?

Thanks,
Brad

From syslog-ng@lists.balabit.hu Tue May 6 17:35:13 2003
From: syslog-ng@lists.balabit.hu (Brad Stockdale)
Date: Tue, 06 May 2003 12:35:13 -0400
Subject: [syslog-ng]Re: Ooo! I fixed it!
In-Reply-To: <20030506154902.25100.40616.Mailman@www.balabit.hu>
Message-ID: <5.2.1.1.2.20030506123426.03289ea0@pop.greenepa.net>

I guess RTFM is the quote of the day. I found a reference to the DEFAULT idea being removed in preference to flags(catchall)... It seems to be working fine.

Thanks,
Brad

From syslog-ng@lists.balabit.hu Tue May 6 17:38:38 2003
From: syslog-ng@lists.balabit.hu (Dan Edwards)
Date: Tue, 6 May 2003 12:38:38 -0400
Subject: [syslog-ng]Re: Oops. I broke it. :(
In-Reply-To: <5.2.1.1.2.20030506122252.033451d8@pop.greenepa.net>
Message-ID: <001001c313ed$f1f359a0$ef01010a@duda.com>

You do not have a filter named DEFAULT.

Dan Edwards
Network Specialist
A. Duda & Sons, Inc.

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Brad Stockdale
Sent: Tuesday, May 06, 2003 12:26 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Re: Oops. I broke it. :(

Oops... I upgraded my syslog-ng from the 1.4 train to the 1.6 train, and it doesn't like my old configuration file... It seems to be choking on the following line:

[root@internal syslog-ng-1.6.0rc3]# /usr/local/sbin/syslog-ng -f /etc/syslog-ng.conf
unresolved reference: DEFAULT
Error initializing configuration, exiting.

Here's my config:

options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); };

source s_sys { pipe("/proc/kmsg"); unix-stream("/dev/log"); internal(); };
source s_net { udp(); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };
destination d_udph { file("/var/log/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.log" create_dirs(yes)); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };

log { source(s_net); filter(DEFAULT); destination(d_udph); };
#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
log { source(s_sys); filter(DEFAULT); destination(d_mesg); };

It seems to dislike this line (I guess):

log { source(s_net); filter(DEFAULT); destination(d_udph); };

Is there no longer a default filter? Or am I just being stupid and cannot see a simple error?

Thanks,
Brad

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

From syslog-ng@lists.balabit.hu Tue May 6 17:54:57 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Tue, 6 May 2003 18:54:57 +0200
Subject: [syslog-ng]syslog-ng blanks in Servicename
Message-ID: <20030506165457.GC31493@balabit.hu>

On Wed, Apr 30, 2003 at 12:22:34PM +0200, Unger, Christian wrote:
> Hi,
>
> I log a lot of information via NT-Syslog to syslog-ng. Windows 2000 has some services with a blank in the service name, e.g. NTDS ISAM.
>
> The log entry from syslog-ng seems as follows:
> Apr 15 15:42:33 ntds isam[info] 700 NTDS (268) Online defragmentation is beginning a full pass on database 'C:\WINNT\NTDS\ntds.dit'.
>
> NTDS is NOT my hostname, that's the problem!
>
> I think the problem is in the RFC. But I haven't read it. (no time :[ )
>
> Is there an easy escape? Or will the next version of syslog-ng have an escape?

try check_hostname(yes)

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Wed May 7 11:25:28 2003
From: syslog-ng@lists.balabit.hu (Unger, Christian)
Date: Wed, 7 May 2003 12:25:28 +0200
Subject: AW: [syslog-ng]syslog-ng blanks in Servicename

>On Wed, Apr 30, 2003 at 12:22:34PM +0200, Unger, Christian wrote:
>> Hi,
>>
>> I log a lot of information via NT-Syslog to syslog-ng. Windows 2000 has some services with a blank in the service name, e.g. NTDS ISAM.
>>
>> The log entry from syslog-ng seems as follows:
>> Apr 15 15:42:33 ntds isam[info] 700 NTDS (268) Online defragmentation is beginning a full pass on database 'C:\WINNT\NTDS\ntds.dit'.
>>
>> NTDS is NOT my hostname, that's the problem!
>>
>> I think the problem is in the RFC. But I haven't read it. (no time :[ )
>>
>> Is there an easy escape? Or will the next version of syslog-ng have an escape?
>
>try check_hostname(yes)
>
----

check_hostnames(yes) doesn't help.

I checked some information with tcpdump, and I found some very interesting handling. Syslog-ng is able to handle hostnames in the syslog datagram; the delimiter between hostname and service name seems to be a space. So if I have spaces in the service name, syslog-ng thinks that the first word must be the hostname, but that's wrong. What can I do now?

From syslog-ng@lists.balabit.hu Wed May 7 12:53:45 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Wed, 7 May 2003 13:53:45 +0200
Subject: [syslog-ng]syslog-ng blanks in Servicename
Message-ID: <20030507115345.GF1557@balabit.hu>

On Wed, May 07, 2003 at 12:25:28PM +0200, Unger, Christian wrote:
> >On Wed, Apr 30, 2003 at 12:22:34PM +0200, Unger, Christian wrote:
> >> I log a lot of information via NT-Syslog to syslog-ng. Windows 2000 has some services with a blank in the service name, e.g. NTDS ISAM.
> >>
> >> The log entry from syslog-ng seems as follows:
> >> Apr 15 15:42:33 ntds isam[info] 700 NTDS (268) Online defragmentation is beginning a full pass on database 'C:\WINNT\NTDS\ntds.dit'.
> >>
> >> NTDS is NOT my hostname, that's the problem!
> >>
> >> I think the problem is in the RFC. But I haven't read it. (no time :[ )
> >>
> >> Is there an easy escape? Or will the next version of syslog-ng have an escape?
> >
> >try check_hostname(yes)
> >
> ----
>
> check_hostnames(yes) doesn't help.
>
> I checked some information with tcpdump, and I found some very interesting
> handling. Syslog-ng is able to handle hostnames in the syslog datagram; the
> delimiter between hostname and service name seems to be a space. So if I
> have spaces in the service name, syslog-ng thinks that the first word must be
> the hostname, but that's wrong. What can I do now?

sorry, check_hostname() is meant for cases when the word seeming to be a hostname contains invalid characters (like '%'). The problem is that there is no way to distinguish between a hostname and a program name containing a space. The workaround I implemented was the bad_hostname() option, which contains a regular expression which covers bad hostnames.

E.g. if you have a program that sends messages like:

Apr 28 15:13:54 snmp ctld[12345]: message

And "snmp ctld" is the program name, then you can use bad_hostname() to make syslog-ng think that "snmp" itself is a bad hostname. (of course this will not work if you really have a host named snmp)

options { bad_hostname("snmp"); };

bad_hostname() accepts an extended regular expression so you can list several bad hostnames like this:

options { bad_hostname("snmp|iis|foo|bar"); };

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Wed May 7 13:31:21 2003
From: syslog-ng@lists.balabit.hu (Christian Osbahr)
Date: Wed, 7 May 2003 14:31:21 +0200
Subject: [syslog-ng]syslog-ng blanks in Servicename

Hi,

I just installed syslog-ng, and had a similar experience with a certain type of switch (Alteon's). Only in this case the syslog messages were formatted so that syslog-ng saw the level as the hostname (i.e. my syslog files would be named e.g. NOTICE.log when using $HOST.log for the filename). Using the bad_hostname() option, as described below, solved the problem. However, the question this is all leading to is this: when a hostname is matched by the bad_hostname option, what mechanism does syslog-ng use to establish a new name?

Best regards,
Christian

-----Original Message-----
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
Sent: 7. maj 2003 13:54
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]syslog-ng blanks in Servicename

On Wed, May 07, 2003 at 12:25:28PM +0200, Unger, Christian wrote:
> >On Wed, Apr 30, 2003 at 12:22:34PM +0200, Unger, Christian wrote:
> >> I log a lot of information via NT-Syslog to syslog-ng. Windows 2000
> >> has some services with a blank in the service name, e.g. NTDS ISAM.
> >>
> >> The log entry from syslog-ng seems as follows:
> >> Apr 15 15:42:33 ntds isam[info] 700 NTDS (268) Online
> >> defragmentation is beginning a full pass on database
> >> 'C:\WINNT\NTDS\ntds.dit'.
> >>
> >> NTDS is NOT my hostname, that's the problem!
> >>
> >> I think the problem is in the RFC. But I haven't read it. (no time
> >> :[ )
> >>
> >> Is there an easy escape? Or will the next version of syslog-ng have
> >> an escape?
> >
> >try check_hostname(yes)
> >
> ----
>
> check_hostnames(yes) doesn't help.
>
> I checked some information with tcpdump, and I found some very interesting
> handling. Syslog-ng is able to handle hostnames in the syslog datagram;
> the delimiter between hostname and service name seems to be a space.
> So if I have spaces in the service name, syslog-ng thinks that the first
> word must be the hostname, but that's wrong. What can I do now?

sorry, check_hostname() is meant for cases when the word seeming to be a hostname contains invalid characters (like '%'). The problem is that there is no way to distinguish between a hostname and a program name containing a space. The workaround I implemented was the bad_hostname() option, which contains a regular expression which covers bad hostnames.

E.g. if you have a program that sends messages like:

Apr 28 15:13:54 snmp ctld[12345]: message

And "snmp ctld" is the program name, then you can use bad_hostname() to make syslog-ng think that "snmp" itself is a bad hostname. (of course this will not work if you really have a host named snmp)

options { bad_hostname("snmp"); };

bad_hostname() accepts an extended regular expression so you can list several bad hostnames like this:

options { bad_hostname("snmp|iis|foo|bar"); };

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Wed May 7 13:49:52 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Wed, 7 May 2003 14:49:52 +0200
Subject: [syslog-ng]syslog-ng blanks in Servicename
Message-ID: <20030507124952.GC2066@balabit.hu>

On Wed, May 07, 2003 at 02:31:21PM +0200, Christian Osbahr wrote:
> Hi,
> I just installed syslog-ng, and had a similar experience with a certain
> type of switch (Alteon's). Only in this case the syslog messages were
> formatted so that syslog-ng saw the level as the hostname (i.e. my
> syslog files would be named e.g. NOTICE.log when using $HOST.log for the
> filename). Using the bad_hostname() option, as described below, solved
> the problem. However, the question this is all leading to is this: when
> a hostname is matched by the bad_hostname option, what mechanism does
> syslog-ng use to establish a new name?

reverse DNS, or failing that, IP address.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Wed May 7 23:09:22 2003
From: syslog-ng@lists.balabit.hu (arthur.chereau)
Date: Thu, 8 May 2003 00:09:22 +0200
Subject: [syslog-ng]Problem getting init logs

Hi,

I've installed syslog-ng and it is working fine. There's just one remaining problem I can't solve:

I use monit, which is started from inittab. Logs go to the file I defined. But they also go to the console (tty1). I tried to remove all syslog-ng entries sending logs to usertty (alert and emerg) and restart, but it didn't change anything. So the problem must be that init logs are different from other logs.

Is it possible for syslog-ng to intercept logs sent by init to the console ?

From syslog-ng@lists.balabit.hu Thu May 8 08:48:18 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Thu, 8 May 2003 09:48:18 +0200
Subject: [syslog-ng]Problem getting init logs
Message-ID: <20030508074817.GB2732@balabit.hu>

On Thu, May 08, 2003 at 12:09:22AM +0200, arthur.chereau wrote:
> Hi,
>
> I've installed syslog-ng and it is working fine. There's just one remaining problem I
> can't solve:
>
> I use monit, which is started from inittab. Logs go to the file I defined. But they
> also go to the console (tty1). I tried to remove all syslog-ng entries sending logs to
> usertty (alert and emerg) and restart, but it didn't change anything. So the problem
> must be that init logs are different from other logs.
>
> Is it possible for syslog-ng to intercept logs sent by init to the console ?

if they are kernel logs, then you need dmesg -n1 to stop the kernel from writing logs to the console. If they are init logs, and init definitely writes those to the console, then you have no way to intercept those logs.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Thu May 8 07:00:07 2003
From: syslog-ng@lists.balabit.hu (SZALAY Attila)
Date: Thu, 8 May 2003 08:00:07 +0200
Subject: [syslog-ng]Problem getting init logs
Message-ID: <20030508060007.GK8052@sasa.home>

Hi All!

On 2003 May 08, arthur.chereau wrote:
> usertty (alert and emerg) and restart, but it didn't change anything. So the problem
> must be that init logs are different from other logs.

No, there are no differences. But if a program tries to send a log message and /dev/log is not opened by the syslog daemon, the program sends it to the console. You can try it, if you stop syslog-ng and wait for log messages.

> Is it possible for syslog-ng to intercept logs sent by init to the console ?

Yes, if you start syslog-ng earlier than the program. In RedHat there is a tiny syslog daemon that doesn't do anything except collect log messages until the real syslog daemon starts.

--
PGP ID 0x8D143771, /C5 95 43 F8 6F 19 E8 29 53 5E 96 61 05 63 42 D0
GPG ID ABA0E8B2, 45CF B559 8281 8091 8469 CACD DB71 AEFC ABA0 E8B2
I love Zsani - SaSa

From syslog-ng@lists.balabit.hu Thu May 8 19:54:21 2003
From: syslog-ng@lists.balabit.hu (Marco P. Rodrigues)
Date: Thu, 8 May 2003 14:54:21 -0400 (EDT)
Subject: [syslog-ng]Match host with IP address when using use_dns?

Couldn't seem to find an answer to this in the documentation.

Is it possible to have the use_dns(yes) option enabled but match hosts based on their IP address? I want to be able to write files as their FQDN but do the REGEX matching based on the IP address. I can get this to work when I disable the use_dns(yes) option, but then the files are the IP. I don't want to match based on hostnames.

example:

destination net_host_all { file("/tmp/$HOST"); };
filter f_hosts_all {
    host("^10\.201\.140\.*") or
    host("^10\.201\.150\.*") or
    host("^192\.168\.0\.[0-3][0-9]");
};
log { source(net); filter(f_hosts_all); destination(net_host_all); flags(final); };

While I'm here I might as well kill two birds with one stone. Can someone give me a real-life example of the practical use of the fallback option? I must be inept because I can't see a valid reason to have it that the final/catchall statement couldn't do (with proper logical placement of the log statements in the configuration).

MPR.

--
"I am kind of a paranoiac in reverse. I suspect people of plotting to make me happy." - J.D. Salinger

From syslog-ng@lists.balabit.hu Fri May 9 10:56:02 2003
From: syslog-ng@lists.balabit.hu (Michael Boman)
Date: 09 May 2003 17:56:02 +0800
Subject: [syslog-ng]Problem with chained hostnames..
Message-ID: <1052474162.24482.30.camel@r2d2.dmz1.securecirt.com>

I have tried a series of keep_hostname() and chain_hostnames() settings, but I still can't get it as logrelay/server.

Either I get it as "logrelay" or as "server". I want this as I want a dir structure like:

/var/log/HOSTS/$relay/$server/.......

What combination should I have on the:

Relay?
Final destination (ie: the log server)?

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com

From syslog-ng@lists.balabit.hu Fri May 9 11:04:28 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Fri, 9 May 2003 12:04:28 +0200
Subject: [syslog-ng]Match host with IP address when using use_dns?
Message-ID: <20030509100428.GC28662@balabit.hu>

On Thu, May 08, 2003 at 02:54:21PM -0400, Marco P. Rodrigues wrote:
> Couldn't seem to find an answer to this in the documentation.
>
> Is it possible to have the use_dns(yes) option enabled but match
> hosts based on their IP address? I want to be able to write files as
> their FQDN but do the REGEX matching based on the IP address. I can
> get this to work when I disable the use_dns(yes) option, but then the
> files are the IP. I don't want to match based on hostnames.
>
> example:
>
> destination net_host_all { file("/tmp/$HOST"); };
> filter f_hosts_all {
>     host("^10\.201\.140\.*") or
>     host("^10\.201\.150\.*") or
>     host("^192\.168\.0\.[0-3][0-9]");
> };

use netmask("ip/mask");

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Fri May 9 17:24:22 2003
From: syslog-ng@lists.balabit.hu (markallen)
Date: Fri, 9 May 2003 10:24:22 -0600
Subject: [syslog-ng]syslog-ng blanks in Servicename

I recently read a thread that described an option you can set so you're not logging blanks in server names. I saw where I can set the option to ignore bogus hostnames, but how do you ignore bogus hostnames that start with a tab?

This is what I'm currently using:

options { bad_hostname("snmp|AFSR|AFSR.PSYND|Delete|In|UDBH|Use|ready32"); };

I would like to exclude everything that starts with a tab as well. Does anyone have any suggestions?

Mark Allen

From syslog-ng@lists.balabit.hu Fri May 9 17:42:18 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Fri, 9 May 2003 18:42:18 +0200
Subject: [syslog-ng]syslog-ng blanks in Servicename
Message-ID: <20030509164218.GC2009@balabit.hu>

On Fri, May 09, 2003 at 10:24:22AM -0600, markallen wrote:
> I recently read a thread that described an option you can set so you're not logging blanks in server names. I saw where I can set the option to ignore bogus hostnames, but how do you ignore bogus hostnames that start with a tab?
>
> This is what I'm currently using:
>
> options { bad_hostname("snmp|AFSR|AFSR.PSYND|Delete|In|UDBH|Use|ready32"); };
>
> I would like to exclude everything that starts with a tab as well. Does anyone have any suggestions?

options { bad_hostname("\t"); };

here's the set of special characters you can use (quoting cfg-lex.l):

\\a { append_char(7); }
\\n { append_char(10); }
\\r { append_char(13); }
\\t { append_char(9); }
\\v { append_char(11); }

e.g. \a, \n, \r, \t and \v are all supported special characters (similarly to C)

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Fri May 9 19:36:00 2003
From: syslog-ng@lists.balabit.hu (Lixin Liu)
Date: Fri, 9 May 2003 11:36:00 -0700
Subject: [syslog-ng]syslog-ng blanks in Servicename
Message-ID: <200305091836.h49Ia0Fw000956@rm-rstar.sfu.ca>

Is it possible to use DNS to verify the valid hostnames? Our syslog produces many bogus hostnames and it is almost impossible to list all of them in bad_hostname().

Thanks,
Lixin.

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Friday, May 09, 2003 9:42 AM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]syslog-ng blanks in Servicename

On Fri, May 09, 2003 at 10:24:22AM -0600, markallen wrote:
> I recently read a thread that described an option you can set so you're
> not logging blanks in server names. I saw where I can set the option
> to ignore bogus hostnames, but how do you ignore bogus hostnames that
> start with a tab?
>
> This is what I'm currently using:
>
> options {
> bad_hostname("snmp|AFSR|AFSR.PSYND|Delete|In|UDBH|Use|ready32"); };
>
> I would like to exclude everything that starts with a tab as well.
> Does anyone have any suggestions?

options { bad_hostname("\t"); };

here's the set of special characters you can use (quoting cfg-lex.l):

\\a { append_char(7); }
\\n { append_char(10); }
\\r { append_char(13); }
\\t { append_char(9); }
\\v { append_char(11); }

e.g. \a, \n, \r, \t and \v are all supported special characters (similarly to C)

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Sun May 11 09:05:41 2003
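The thread above (NTDS ISAM, "snmp ctld", Alteon levels, tab-prefixed words, netmask() instead of host()) is all about one heuristic: the first space-delimited word after the timestamp is taken as the host unless it looks bad, in which case the host comes from reverse DNS or, failing that, the peer address. The following is an added example written for this page, not syslog-ng source code and not posted by any participant; it imitates that heuristic so the effect of check_hostname(), bad_hostname() (including the "\t" pattern) and netmask() can be tried on sample lines. Assumptions, marked in the code as well: the character set check_hostname(yes) enforces, that bad_hostname() is applied as an unanchored search, the REVERSE_DNS table standing in for a real lookup, and the sample lines themselves (constructed from the messages quoted in the thread).

```python
"""Hostname heuristic of a BSD-syslog receiver, modelled on the
check_hostname()/bad_hostname()/netmask() discussion above.

Added example for this page; not syslog-ng code.  It imitates the rule Bazsi
describes: the first word after the timestamp is the host unless it looks
bad; then reverse DNS, or failing that, the peer IP.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-in for reverse DNS so the example runs offline (assumption).
REVERSE_DNS = {"10.201.140.7": "dc1.example.internal"}

# "<PRI>" is optional on the wire; then "Mmm dd HH:MM:SS", a space, and the rest.
_HEADER = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<rest>.*)$"
)
# Assumed character set for check_hostname(yes): letters, digits, '.' and '-'.
_VALID_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")


@dataclass
class Parsed:
    host: str
    program: str
    msg: str
    host_from_message: bool   # False when the host had to be taken from the peer


def parse(line, peer_ip, bad_hostname=None, check_hostname=False, use_dns=False):
    """Return the host, program and message a receiver would derive from one line.

    bad_hostname is an extended regex, as in the config option.  It is applied
    here with an unanchored search (assumption about the exact matching rule),
    so "snmp|iis" matches either word and a pattern consisting of a single tab
    character matches a word that starts with a tab.
    """
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    rest = m.group("rest")
    candidate, _, after_host = rest.partition(" ")
    looks_bad = (
        (check_hostname and not _VALID_HOST.match(candidate))
        or (bad_hostname is not None and re.search(bad_hostname, candidate) is not None)
    )
    if looks_bad:
        # The word was really the start of the program name: keep it in the
        # message and name the host from the connection instead.
        host = (REVERSE_DNS.get(peer_ip) if use_dns else None) or peer_ip
        msg, from_msg = rest, False
    else:
        host, msg, from_msg = candidate, after_host, True
    # PROGRAM is the text before "[pid]" or ":", so "snmp ctld" survives as a unit.
    program = re.split(r"[\[:]", msg, maxsplit=1)[0].rstrip()
    return Parsed(host, program, msg, from_msg)


def netmask(peer_ip, cidr):
    """netmask("ip/mask") filter: decide on the sender's address, not on $HOST,
    so it keeps working when use_dns(yes) turns $HOST into an FQDN."""
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr, strict=False)


def safe_path_component(host):
    """$HOST goes straight into file("/var/log/$HOST/...") in the configs above.
    The sender chooses that word, so refuse anything that is not a plain
    hostname before it becomes a directory name."""
    if not _VALID_HOST.match(host) or ".." in host:
        raise ValueError("refusing to build a path from host %r" % host)
    return host


if __name__ == "__main__":
    # Constructed sample line, taken from Bazsi's message above.
    sample = "Apr 28 15:13:54 snmp ctld[12345]: message"
    print(parse(sample, "10.201.140.7"))                                   # host snmp, program ctld
    print(parse(sample, "10.201.140.7", bad_hostname="snmp|iis|foo|bar"))  # host 10.201.140.7, program "snmp ctld"
    print(parse(sample, "10.201.140.7", bad_hostname="snmp", use_dns=True))  # host dc1.example.internal
```

The two ways of getting the host wrong pull in opposite directions: bad_hostname() is a denylist that can never be complete (as Lixin notes), whereas deciding on the peer address needs no list at all but loses the hostname a relay put in front of the message. Whatever the decision, the word that ends up in $HOST is sender-controlled, which is why safe_path_component() rejects it before it is used as a directory name.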
From: syslog-ng@lists.balabit.hu (email lists)
Date: Sun, 11 May 2003 18:05:41 +1000
Subject: [syslog-ng]syslog-ng-1.6.0rc3 - problem with incorrect separation of syslog messages from Cisco PIX
Message-ID: <035C9F7CE28601428BBB5B051C9F77F20177E6@orion.mackay.local>

Hi,

We have upgraded to 1.6.0 RC3 for program() template support (ie - pipe directly to stdin of psql). Since the upgrade, we have also had a requirement to enable PIX URL logging and IPSec ISAKMP SA logging. As a consequence, we have found numerous syslog entries where the record following the PIX URL log entry is merged with the URL log entry.

Target system - redhat 8.0 / kernel-2.4.18-26.8.0 / glibc-2.2.93-5 / gcc-3.2-7 with libol 0.3.9.

Standard syslog to file:

May 10 11:51:02 192.168.100.252 May 10 2003 01:51:02: %PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1, (identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1

The same syslog message SQL formatted to file - same template as program():

BEGIN; INSERT INTO rawlogs (host, datetime, facility, priority, level, tag, program, msg) VALUES ('192.168.100.252', '2003-05-10 11:51:02', 'local4', 'debug', 'debug', 'a7', 'May', 'May 10 2003 01:51:02: %PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1, (identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1'); COMMIT;

TCP logging is used (too many messages lost when using UDP).

There are also other instances where syslog messages have been merged together.

More samples of the above can be supplied if necessary if a direct e-mail address of a developer is provided - I am reluctant to send such data to the list. IP addresses contained in the log entries have also been changed.

TIA,
Darren

syslog-ng.conf that generated the above data:

options { sync (0); time_reopen (10); log_fifo_size (8192); long_hostnames (off); use_dns (no); use_fqdn (no); use_time_recvd (yes); create_dirs (yes); keep_hostname (yes); perm (0644); owner (root); group (root); dir_perm (0644); dir_owner (root); dir_group (root); };

source s_tcp { tcp(port(10514) max-connections(64)); };
source s_udp { udp(port(514)); };

destination rawsyslog { file("/monitor/syslog-ng/data/rawsyslog-$YEAR-$MONTH-$DAY"); };
destination syslog2pgsql { file("/monitor/syslog-ng/data/syslog2pgsql-$YEAR-$MONTH-$DAY" template("BEGIN; INSERT INTO rawlogs (host, datetime, facility, priority, level, tag, program, msg) VALUES ('$HOST', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$PROGRAM', '$MSG'); COMMIT;\n") template-escape(yes)); };

log { source(s_udp); destination(syslog2pgsql); };
log { source(s_tcp); destination(syslog2pgsql); };
log { source(s_udp); destination(rawsyslog); };
log { source(s_tcp); destination(rawsyslog); };

From syslog-ng@lists.balabit.hu Sun May 11 09:24:17 2003
From: syslog-ng@lists.balabit.hu (email lists)
Date: Sun, 11 May 2003 18:24:17 +1000
Subject: [syslog-ng]FW: syslog-ng-1.6.0rc3 - problem with incorrect separation of syslog messages from Cisco PIX
Message-ID: <035C9F7CE28601428BBB5B051C9F77F20132E4@orion.mackay.local>

Just realised the examples that were provided only contain IPSec SA data - apologies, but I think you get the idea.

Darren

-----Original Message-----
From: email lists
Sent: Sunday, 11 May 2003 6:06 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: syslog-ng-1.6.0rc3 - problem with incorrect separation of syslog messages from Cisco PIX

May 10 11:51:02 192.168.100.252 May 10 2003 01:51:02: %PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1, (identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1

The same syslog message SQL formatted to file - same template as program():

BEGIN; INSERT INTO rawlogs (host, datetime, facility, priority, level, tag, program, msg) VALUES ('192.168.100.252', '2003-05-10 11:51:02', 'local4', 'debug', 'debug', 'a7', 'May', 'May 10 2003 01:51:02: %PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1, (identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1'); COMMIT;

From syslog-ng@lists.balabit.hu Sun May 11 10:47:11 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Sun, 11 May 2003 11:47:11 +0200
Subject: [syslog-ng]syslog-ng-1.6.0rc3 - problem with incorrect separation of syslog messages from Cisco PIX
In-Reply-To: <035C9F7CE28601428BBB5B051C9F77F20177E6@orion.mackay.local>
References: <035C9F7CE28601428BBB5B051C9F77F20177E6@orion.mackay.local>
Message-ID: <20030511094711.GA6997@balabit.hu>

On Sun, May 11, 2003 at 06:05:41PM +1000, email lists wrote:
> Hi,
>
> We have upgraded to 1.6.0 RC3 for program() template support (ie - pipe
> directly to stdin of psql). Since the upgrade, we have also had a
> requirement to enable PIX URL logging and IPSec ISAKMP SA logging. As a
> consequence, we have
> found numerous syslog entries where the record following the PIX URL log
> entry is merged with the URL log entry.
>
> Target system - redhat 8.0 / kernel-2.4.18-26.8.0 / glibc-2.2.93-5 /
> gcc-3.2-7 with libol 0.3.9.
>
> Standard syslog to file:
>
> May 10 11:51:02 192.168.100.252 May 10 2003 01:51:02: %PIX-7-702301:
> lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi=
> 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1,
> (identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192<166>May
> 10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1,
> sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des
> esp-md5-hmac , sa_conn_id= 1
>
> The same syslog message SQL formatted to file - same template as
> program():
>
> BEGIN; INSERT INTO rawlogs (host, datetime, facility, priority, level,
> tag, program, msg) VALUES ('192.168.100.252', '2003-05-10 11:51:02',
> 'local4', 'debug', 'debug', 'a7', 'May', 'May 10 2003 01:51:02:
> %PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50,
> sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac ,
> sa_conn_id= 1, (identity) local= 10.0.0.1, remote= 10.1.1.1,
> local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA,
> (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653),
> sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1'); COMMIT;
>
> TCP logging is used (too many messages lost when using UDP).

Can you send me a tcpdump of the syslog traffic which shows this behaviour? Alternatively you can also send me an strace snippet, provided you increase the number of characters shown in strings (so that all details can be seen).

> There are also other instances where syslog messages have been merged
> together.
>
> More samples of the above can be supplied if necessary if a direct
> e-mail address of a developer is provided - I am reluctant to send such
> data to the list. IP addresses contained in the log entries have also
> been changed.

You can send me the dumps privately in direct mail.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Mon May 12 09:03:42 2003
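Darren's samples above show the shape of the problem: the second PIX message starts at the "<166>" in the middle of the first one, there is no newline between them, and the first one is cut short ("local_proxy= 192") by the sender. A receiver that frames a TCP stream on newlines has nothing to cut on. The following is an added example for this page, written by the editor rather than taken from syslog-ng or from anyone in the thread: a framer that cuts the stream in front of every "<PRI>" marker instead, keeps an unfinished tail until the next segment arrives, and decodes the PRI of each recovered message. The two segments, the 8192-byte buffering limit and the facility names for numbers 12 to 15 are constructed or assumed, and marked as such in the code; the message IDs and field layout come from the samples above.

```python
"""Re-framing a TCP syslog stream that carries no end-of-message marker.

Added example for this page; not syslog-ng code.  syslog-ng's tcp() source
frames on newline.  A sender that writes messages back to back without
"\\n" makes two or more of them arrive as one record, so this class cuts
on the "<PRI>" prefix every BSD syslog message starts with.
"""
import re

# "<PRI>" with PRI = facility * 8 + level, 0..191.  Four-digit or >191 values are not markers.
_PRI = re.compile(rb"<(\d{1,3})>")
# Facility names 0..11 and 16..23 are the usual ones; 12..15 vary by implementation (assumed names).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def _is_marker(m):
    return int(m.group(1)) <= 191


class PriFramer:
    """Splits a byte stream into messages on "<PRI>" boundaries."""

    def __init__(self, max_len=8192):
        self.buf = b""
        self.max_len = max_len      # assumed cap: never buffer an endless "message"

    def feed(self, data):
        """Append one received chunk; return the complete messages found so far."""
        self.buf += data
        out = []
        marks = [m.start() for m in _PRI.finditer(self.buf) if _is_marker(m)]
        if marks and marks[0] > 0:
            # Bytes before the first marker are not silently dropped.
            out.append(self.buf[:marks[0]].rstrip(b"\r\n"))
        for start, end in zip(marks, marks[1:]):
            out.append(self.buf[start:end].rstrip(b"\r\n"))
        if marks:
            self.buf = self.buf[marks[-1]:]          # last, possibly unfinished, message stays
        if self.buf.endswith(b"\n"):                 # a sender that does terminate with "\n"
            out.append(self.buf.rstrip(b"\r\n"))
            self.buf = b""
        elif len(self.buf) > self.max_len:
            out.append(self.buf)
            self.buf = b""
        return out


def decode_pri(msg):
    """Return (facility, level) names for a framed message, e.g. ("local4", "info") for <166>."""
    m = _PRI.match(msg)
    if not m or not _is_marker(m):
        raise ValueError("message has no PRI prefix")
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], LEVELS[pri & 7]


# Constructed TCP segments modelled on the report above: the first message is
# cut at the sender (nothing after "192" can be recovered), the second follows
# with no separator, and a third arrives in the next segment.
SEGMENT_1 = (b"<191>%PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, "
             b"local_proxy= 192")
SEGMENT_2 = (b"<166>%PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1, sa_prot= 50"
             b"<166>%PIX-6-602302: deleting SA, (sa) sa_dest= 10.1.1.1, sa_prot= 50\n")


def split_sample():
    """Feed the two segments and return every message recovered, in order."""
    framer = PriFramer()
    return framer.feed(SEGMENT_1) + framer.feed(SEGMENT_2)


if __name__ == "__main__":
    for msg in split_sample():
        print(decode_pri(msg), msg.decode())
```

Two caveats go with this. First, the cut at "<166>" only shows where the second message begins; what the PIX dropped from the end of the first one is gone, and no receiver can put it back. Second, the framer trusts content to find boundaries: a message body that happens to contain a literal "<nnn>" with nnn at most 191 is split in two, so a device (or anyone who can write to its log stream) can make the receiver record an extra message that it never sent as such. That is a data-integrity caveat to keep in mind when these records feed a database, as in the configuration above.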
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Mon, 12 May 2003 09:03:42 +0100
Subject: [syslog-ng]syslog-ng-1.6.0rc3 - problem with incorrect separation of syslog messages from Cisco PIX
Message-ID: <80256D24.002C37AB.00@fttvgpslnhub1.flextech.co.uk>

A bitter missive from last year with my previous comments on the utter stupidity of Cisco PIX syslog formatting and the magic 256 byte message truncation. Cisco still haven't fixed it, and apparently couldn't give a monkey's.

Ted

Ted Rule
05/09/2002 16:28
To: syslog-ng@lists.balabit.hu
cc:
Subject: Cisco PIX TCP Syslogging via syslog-ng

More very sad news I'm afraid.

I've been able to glue together a temporary copy of syslog-ng on my central syslog server listening to TCP/1468 for PIX syslogging. It is already apparent that things don't work properly - most of this appears to be entirely Cisco's fault.

My original problem was that I'd reported UDP packet truncation for syslog messages > 255 characters. Cisco swore blind that my moving to TCP would fix this. tcpdumps of my test rig strongly suggest Cisco simply lied. Even the TCP stream seems to impose a 255 character limit prior to transmission.

Worse still - as intimated in previous missives - the TCP stream doesn't contain EOM characters of any flavour between messages, such that multiple syslog messages may appear in a single TCP packet. Moreover, sadly, syslog-ng appears to be unable to pick apart multiple messages correctly on some occasions, and hence one sees things like this:

Sep 5 15:58:58 fttvgpsvpn1 %PIX-7-702301: lifetime expiring, (sa) sa_dest= 195.188.171.5, sa_prot= 50, sa_spi= 0x6a3b8b02(1782287106), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 8, (identity) local= 195.188.171.5, remote= 217.34.209.200, local_proxy= 194.34.198.40/255.255.2<190>%PIX-6-602302: deleting SA, (sa) sa_dest= 195.188.171.5, sa_prot= 50, sa_spi= 0x6a3b8b02(1782287106), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 8

where the 2 messages concatenated are actually contained in 2 separate TCP packets, as per the tcpdump below.

The general logic I can deduce from the debugs so far is that the log daemon on the PIX assembles a message, truncates it to 255 characters, and stuffs it out the log stream (be it UDP or TCP). If the stream is TCP, I suspect the Nagle algorithm or similar determines when sufficient data from one or more messages has accumulated to actually send a TCP packet. As a result, whilst any given log message is limited to 255 bytes, any given TCP packet need not be.

All in all, it's a mess. I'm better off leaving the syslogging routed via UDP to ensure correct EOM determination on the syslog server.

Needless to say, I'll raise a log with our Cisco resellers to try and get Cisco to fix their code. The minimum 2 requirements are:

a) Raise the log message size limit to 512 bytes for either UDP or TCP streams
b) Terminate TCP messages with NUL or NL to allow sane logservers to unsplit the mess.

I suspect there is very little Balazs can do to improve the decode of the PIX log stream without Cisco fixing their broken code.

Ted

15:58:58.013327 192.168.82.15.1024 > 172.17.12.19.1468: P 878:1133(255) ack 1 win 4096
4500 0127 9d42 0000 fc06 55b2 c0a8 520f   E..'.B....U...R.
ac11 0c13 0400 05bc 02ff 1fde 3b30 7c08   ............;0|.
5018 1000 4360 0000 3c31 3931 3e25 5049 P...C`..<191>%PI 582d 372d 3730 3233 3031 3a20 6c69 6665 X-7-702301: life 7469 6d65 2065 7870 6972 696e 672c 2028 time expiring, ( 7361 2920 7361 5f64 6573 743d 2031 3935 sa) sa_dest= 195 2e31 3838 2e31 3731 2e35 2c20 7361 5f70 .188.171.5, sa_p 726f 743d 2035 302c 2073 615f 7370 693d rot= 50, sa_spi= 2030 7836 6133 6238 6230 3228 3137 3832 0x6a3b8b02(1782 3238 3731 3036 292c 2073 615f 7472 616e 287106), sa_tran 733d 2065 7370 2d33 6465 7320 6573 702d s= esp-3des esp- 6d64 352d 686d 6163 202c 2073 615f 636f md5-hmac , sa_co 6e6e 5f69 643d 2038 2c20 2869 6465 6e74 nn_id= 8, (ident 6974 7929 206c 6f63 616c 3d20 3139 352e ity) local= 195. 3138 382e 3137 312e 352c 2072 656d 6f74 188.171.5, remot 653d 2032 3137 2e33 342e 3230 392e 3230 e= 217.34.209.20 302c 206c 6f63 616c 5f70 726f 7879 3d20 0, local_proxy= 3139 342e 3334 2e31 3938 2e34 302f 3235 194.34.198.40/25 352e 3235 352e 32 5.255.2. 15:58:58.026581 172.17.12.19.1468 > 192.168.82.15.1024: . ack 1133 win 32120 (DF ) 4500 0028 6190 4000 4006 0e64 ac11 0c13 E..(a.@.@..d.... c0a8 520f 05bc 0400 3b30 7c08 02ff 20dd ..R.....;0|... . 5010 7d78 82af 0000 P.}x.... 15:58:58.027406 192.168.82.15.1024 > 172.17.12.19.1468: P 1133:1445(312) ack 1 w in 4096 4500 0160 9d43 0000 fc06 5578 c0a8 520f E..`.C....Ux..R. ac11 0c13 0400 05bc 02ff 20dd 3b30 7c08 .......... .;0|. 
5018 1000 ca1d 0000 3c31 3930 3e25 5049 P.......<190>%PI 582d 362d 3630 3233 3032 3a20 6465 6c65 X-6-602302: dele 7469 6e67 2053 412c 2028 7361 2920 7361 ting SA, (sa) sa 5f64 6573 743d 2031 3935 2e31 3838 2e31 _dest= 195.188.1 3731 2e35 2c20 7361 5f70 726f 743d 2035 71.5, sa_prot= 5 302c 2073 615f 7370 693d 2030 7836 6133 0, sa_spi= 0x6a3 6238 6230 3228 3137 3832 3238 3731 3036 b8b02(1782287106 292c 2073 615f 7472 616e 733d 2065 7370 ), sa_trans= esp 2d33 6465 7320 6573 702d 6d64 352d 686d -3des esp-md5-hm 6163 202c 2073 615f 636f 6e6e 5f69 643d ac , sa_conn_id= 2038 0a0a 3c31 3930 3e25 5049 582d 362d 8..<190>%PIX-6- 3630 3233 3032 3a20 6465 6c65 7469 6e67 602302: deleting 2053 412c 2028 7361 2920 7361 5f64 6573 SA, (sa) sa_des 743d 2032 3137 2e33 342e 3230 392e 3230 t= 217.34.209.20 302c 2073 615f 7072 6f74 3d20 3530 2c20 0, sa_prot= 50, 7361 5f73 7069 3d20 3078 3137 6563 3539 sa_spi= 0x17ec59 3335 2834 3031 3336 3533 3031 292c 2073 35(401365301), s 615f 7472 616e 733d 2065 7370 2d33 6465 a_trans= esp-3de 7320 6573 702d 6d64 352d 686d 6163 202c s esp-md5-hmac , 2073 615f 636f 6e6e 5f69 643d 2037 0a0a sa_conn_id= 7.. ************************************************************************************************ This E-mail message, including any attachments, is intended only for the person or entity to which it is addressed, and may contain confidential information. If you are not the intended recipient, any review, retransmission, disclosure, copying, modification or other use of this E-mail message or attachments is strictly forbidden. If you have received this E-mail message in error, please contact the author and delete the message and any attachments from your computer. You are also advised that the views and opinions expressed in this E-mail message and any attachments are the author's own, and may not reflect the views and opinions of FLEXTECH Television Limited. 
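An added example, not part of Ted's post and not syslog-ng code: the ASCII column of the dump above shows the 255-byte %PIX-7-702301 record arriving with no terminator at all, immediately followed by the next record's `<190>` PRI, while the two records in the second packet end in `\n\n`. A reader that frames on newline alone therefore glues the first two together, which is exactly the concatenated line Ted quotes. The Python below reconstructs that byte stream (the bytes are taken from the dump; assembling them into one stream is our construction) and contrasts newline-only framing with a splitter that also treats a `<PRI>` token as a record boundary and flags records that were cut off without a terminator.

```python
import re

# Constructed from the ASCII column of the tcpdump above: the 255-byte
# %PIX-7-702301 record arrives with no terminator, the next two end in "\n\n".
PIX_STREAM = (
    b"<191>%PIX-7-702301: lifetime expiring, (sa) sa_dest= 195.188.171.5, "
    b"sa_prot= 50, sa_spi= 0x6a3b8b02(1782287106), "
    b"sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 8, "
    b"(identity) local= 195.188.171.5, remote= 217.34.209.200, "
    b"local_proxy= 194.34.198.40/255.255.2"            # cut at 255 bytes, no "\n"
    b"<190>%PIX-6-602302: deleting SA, (sa) sa_dest= 195.188.171.5, sa_prot= 50, "
    b"sa_spi= 0x6a3b8b02(1782287106), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 8\n\n"
    b"<190>%PIX-6-602302: deleting SA, (sa) sa_dest= 217.34.209.200, sa_prot= 50, "
    b"sa_spi= 0x17ec5935(401365301), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 7\n\n"
)

PIX_MAX_MSG = 255                      # the per-message cap Ted measured
PRI_RE = re.compile(rb"<(\d{1,3})>")   # BSD syslog PRI header


def split_on_newline(stream):
    """Newline framing only: this is what glues the first two PIX records together."""
    return [rec for rec in stream.split(b"\n") if rec]


def split_pix(stream):
    """Newline framing plus a '<PRI>' token as a fallback record boundary.

    Returns (record, truncated) pairs. 'truncated' is set when a record was
    followed by another PRI header inside the same newline-delimited chunk,
    i.e. the sender cut it off and emitted no terminator.
    Caveat: a literal '<NNN>' inside a message body would also split it.
    """
    records = []
    for chunk in split_on_newline(stream):
        starts = [m.start() for m in PRI_RE.finditer(chunk)]
        if not starts or starts[0] != 0:
            starts.insert(0, 0)            # leading text without a PRI: keep it whole
        bounds = starts + [len(chunk)]
        for a, b in zip(bounds, bounds[1:]):
            records.append((chunk[a:b], b != len(chunk)))
    return records


def pri_fields(record):
    """(facility, severity, pix_level): PRI decoded, plus the level PIX put in its tag.

    For a sane sender the PRI severity and the %PIX-N- level agree, which gives a
    cheap consistency check that a record boundary was placed correctly.
    """
    m = PRI_RE.match(record)
    if not m:
        return None, None, None
    pri = int(m.group(1))
    tag = re.match(rb"<\d+>%PIX-(\d)-", record)
    return pri >> 3, pri & 7, int(tag.group(1)) if tag else None


if __name__ == "__main__":
    print(len(split_on_newline(PIX_STREAM)), "record(s) with newline framing")
    for rec, cut in split_pix(PIX_STREAM):
        fac, sev, level = pri_fields(rec)
        print(f"local{fac - 16} sev={sev} pix_level={level} "
              f"len={len(rec)} truncated={cut}: {rec[:40]!r}")
```

Run stand-alone it reports two records under newline framing and three under the PRI-aware splitter, with the first one flagged as truncated at exactly 255 bytes. The flag is the useful part for detection work: a truncated record is one whose tail (here the local_proxy netmask) is simply gone, so any rule that keys on the end of a PIX message needs to know it is looking at a partial line.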
From syslog-ng@lists.balabit.hu Mon May 12 22:31:34 2003
From: syslog-ng@lists.balabit.hu (Nate Campi)
Date: Mon, 12 May 2003 14:31:34 -0700
Subject: [syslog-ng]Can some servers only be allowed to chained?
In-Reply-To: <20030501215148.GB23480@trimble.co.nz>
References: <20030501215148.GB23480@trimble.co.nz>
Message-ID: <20030512213134.GA25266@campin.net>

On Fri, May 02, 2003 at 09:51:48AM +1200, Jason Haar wrote:
>
> What I want is the UDP source on the central server to be that it does the
> PTR thing to figure out what $HOST is - i.e. "chain_hostnames(no)". For TCP
> only, "chain_hostnames(yes)". Then I can use netfilter to limit who can TCP
> to the server, etc.

Jason,

You might have worked out a solution by now, but could you try to explain what you're trying to do here in different language?

--
Nate Campi
http://www.campin.net

From syslog-ng@lists.balabit.hu Mon May 12 22:56:37 2003
From: syslog-ng@lists.balabit.hu (Joxn)
Date: Mon, 12 May 2003 14:56:37 -0700
Subject: [syslog-ng]remote logging from syslog to syslog-ng
Message-ID: <3EC01895.50102@vernum.com>

Hi everybody,

I am new to this list and don't use syslog-ng yet, but it all sounds very promising - and I will switch immediately if syslog-ng can do the following:

We have a couple (50 - 100) of clients that use syslog. Some (but not all) could be switched to use syslog-ng (on OpenBSD 3.3). We want to set up a central logging server running syslog-ng. Here we want to create directories based on the remote client's MAC address and also add the information to a Postgres database. I already saw that it is possible to log to the DB. However, most important is that the syslog clients could report to the syslog-ng server. How would I do that, if possible?

Thank you very much in advance,

Joxn

From syslog-ng@lists.balabit.hu Tue May 13 08:33:54 2003
From: syslog-ng@lists.balabit.hu (Jason Haar)
Date: Tue, 13 May 2003 19:33:54 +1200
Subject: [syslog-ng]Can some servers only be allowed to chained?
In-Reply-To: <20030512213134.GA25266@campin.net>
References: <20030501215148.GB23480@trimble.co.nz> <20030512213134.GA25266@campin.net>
Message-ID: <3EC09FE2.4090100@trimble.co.nz>

Nate Campi wrote:
> On Fri, May 02, 2003 at 09:51:48AM +1200, Jason Haar wrote:
>
> Jason,
>
> You might have worked out a solution by now, but could you try to
> explain what you're trying to do here in different language?

No I haven't - so I'm more than happy to re-phrase :-)

I have an environment whereby there is a hierarchy of syslog servers. Clients in each subnet feed to a "central subnet" syslog server, then those subnet servers feed to the Central Syslog Server (CSS). The reasoning is complex - but firewalls and ACL management of those firewalls is part of the reason behind this "layering".

What I want is that each "subnet server" is talked to by its subnet's standard syslog clients via UDP, and that its template is such that it ignores the hostname the client claims to be, and instead resolves that itself. However, the "subnet servers" talk to the CSS over TCP, and it has to trust the hostnames given by the "subnet servers" - otherwise that would break those "proxied" records.

The above I can do fine. The problem is that the CSS is *also* the "subnet server" for the LAN it's on - so it needs to support UDP, etc.

So my question is: can it "trust" the hostname provided by TCP-based syslog servers, and do a PTR lookup on the ones provided via UDP. From what I can see in syslog-ng - it can't.

Thanks!

Jason

From syslog-ng@lists.balabit.hu Tue May 13 08:47:46 2003
From: syslog-ng@lists.balabit.hu (Alexander Chernyh)
Date: Tue, 13 May 2003 10:47:46 +0300
Subject: [syslog-ng]I can't force syslog-ng works with multihomed PC
Message-ID: <005d01c31923$f1cd4fe0$1d01a8c0@gc.lviv.ua>

Hello

I need syslog-ng to listen on the internal and external interface of my log-server. See part of my syslog-ng.conf:

#more syslog-ng.conf
options {
        use_time_recvd(yes);
        use_dns(yes);
        keep_hostname(no);
        long_hostnames(off);
        sync(0);
};
source src {
        unix-dgram("/var/run/log");
        internal();
        file("/dev/klog");
        udp(ip(0.0.0.0) port(514));
};

#/usr/local/etc/rc.d/syslog-ng.sh start

#sockstat -4 | grep syslog-ng
root     syslog-n   59796    6  udp4   *:514                 *:*
root     syslog-n   59796    9  ?      ?                     ?
#sockstat -4 | grep syslog-ng
root     syslog-n   59796    6  udp4   *:514                 *:*
root     syslog-n   59796    9  udp4   *:1445                *:*
#sockstat -4 | grep syslog-ng
root     syslog-n   59796    6  udp4   *:514                 *:*
root     syslog-n   59796    9  udp4   *:1448                *:*
#sockstat -4 | grep syslog-ng
root     syslog-n   59796    6  udp4   *:514                 *:*
root     syslog-n   59796    9  udp4   *:1449                *:*

syslog-ng listens on port 514 for all interfaces (multihomed PC with internal and external interface), but why does syslog-ng dynamically listen on other ports, not typed in the syslog-ng.conf file??? It is too bad because logs from other hosts are partially lost. If syslog-ng listens on the internal interface only - all works OK.

FreeBSD 4.8
Syslog-ng 1.6.0.rc3

Alexander

From syslog-ng@lists.balabit.hu Tue May 13 15:10:43 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Tue, 13 May 2003 16:10:43 +0200
Subject: [syslog-ng]I can't force syslog-ng works with multihomed PC
In-Reply-To: <005d01c31923$f1cd4fe0$1d01a8c0@gc.lviv.ua>
References: <005d01c31923$f1cd4fe0$1d01a8c0@gc.lviv.ua>
Message-ID: <20030513141043.GA14767@balabit.hu>

On Tue, May 13, 2003 at 10:47:46AM +0300, Alexander Chernyh wrote:
> Hello
>
> I need that syslog-ng listen internal and external interface of my
> log-server
> See part of my syslog-ng.conf
> #more syslog-ng.conf
> options {
>         use_time_recvd(yes);
>         use_dns(yes);
>         keep_hostname(no);
>         long_hostnames(off);
>         sync(0);
> };
> source src {
>         unix-dgram("/var/run/log");
>         internal();
>         file("/dev/klog");
>         udp(ip(0.0.0.0) port(514));
> };
>
>
> #/usr/local/etc/rc.d/syslog-ng.sh start
>
> #sockstat -4 | grep syslog-ng
> root     syslog-n   59796    6  udp4   *:514                 *:*
> root     syslog-n   59796    9  ?      ?                     ?
> #sockstat -4 | grep syslog-ng
> root     syslog-n   59796    6  udp4   *:514                 *:*
> root     syslog-n   59796    9  udp4   *:1445                *:*
> #sockstat -4 | grep syslog-ng
> root     syslog-n   59796    6  udp4   *:514                 *:*
> root     syslog-n   59796    9  udp4   *:1448                *:*
> #sockstat -4 | grep syslog-ng
> root     syslog-n   59796    6  udp4   *:514                 *:*
> root     syslog-n   59796    9  udp4   *:1449                *:*
>
> syslog-ng listen on 514 port for all interfaces (multihomed PC with internal
> and external interface),
> but why does syslog-ng dynamicaly listen other ports, not typed in
> syslog-ng.conf file???
> It is too bad because logs from other hosts partially lost.
> If syslog-ng listen on internat interface only - all works OK.

maybe for sending messages to other syslog hosts?

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Wed May 14 10:53:42 2003
From: syslog-ng@lists.balabit.hu (Hoffmann, Mathias)
Date: Wed, 14 May 2003 11:53:42 +0200
Subject: [syslog-ng]syslog-ng macros did not work
Message-ID: <9F1846972D09D411BE2500508BAC93B901807BA9@SEVENL_MAIL01>

Hi,

I'm new to syslog-ng and set up syslog-ng-1.6.0rc2 on a Solaris 2.6 box as central logging station (of sure - testing). Meanwhile it collects data from two other hosts and itself. I use the following statements found at the syslog-ng FAQ or examples:

source src {
        sun-stream("/dev/log" door("/etc/.syslog_door"));
        internal();
        udp(ip(192.168.77.20) port(514));
        udp(ip(192.168.76.20) port(514));
};
destination hosts {
        file("/var/net/hosts/$HOST/$YEAR/$MONTH/$DAY/$YEAR$MONTH$DAY"
             owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes));
};

What happened is, syslog-ng creates the hosts dir in /var/net and a file $DAY with all the logged data in hosts: no $HOST dir, no $YEAR, $MONTH or $DAY directory. Even if I omit $HOST (assuming any problems resolving the hostnames of the two senders), no additional directory is created. Also commenting out use_dns or use_fqdn made no change.

Maybe I made some simple mistakes - so any help is welcome

Mathias

complete config:
==========
options {
        long_hostnames(off);
        # doesn't actually help on Solaris, log(3) truncates at 1024 chars
        log_msg_size(8192);
        # buffer just a little for performance
        sync(1);
        # memory is cheap, buffer messages unable to write (like to loghost)
        log_fifo_size(2048);
        # I hate Vignette StoryServer
        bad_hostname("^(ctld.|cmd|tmd|last)$");
        # The time to wait before a dead connection is reestablished (seconds)
        time_reopen(10);
        use_fqdn(yes);
        use_dns(yes);
        dns_cache(yes);
        keep_hostname(yes);
        owner(root);
        group(root);
        perm(0644);
        dir_perm(0755);
        create_dirs(yes);
        use_time_recvd(yes);
};

source src {
        sun-stream("/dev/log" door("/etc/.syslog_door"));
        internal();
        udp(ip(192.168.77.20) port(514));
        udp(ip(192.168.76.20) port(514));
};

destination hosts {
        file("/vol_a/var/net/hosts/$HOST/$YEAR/$MONTH/$DAY/$YEAR$MONTH$DAY"
             owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes));
};

log { source(src); destination(hosts); };

destination loghost {
        tcp("192.168.77.20" port(514));
        tcp("192.168.77.20" port(514));
};

From syslog-ng@lists.balabit.hu Wed May 14 10:58:12 2003
From: syslog-ng@lists.balabit.hu (Christian Osbahr)
Date: Wed, 14 May 2003 11:58:12 +0200
Subject: [syslog-ng]syslog-ng macros did not work
Message-ID:

Hi,

The macro expansion didn't seem to work right in 1.6rc2. Download 1.6rc3 and you should be fine.

Best regards,
Christian

-----Original Message-----
From: Hoffmann, Mathias [mailto:Mathias.Hoffmann@access-7.de]
Sent: 14. maj 2003 11:54
To: 'syslog-ng@lists.balabit.hu'
Subject: [syslog-ng]syslog-ng macros did not work

Hi,

I'm new to syslog-ng and set up syslog-ng-1.6.0rc2 on a Solaris 2.6 box as central logging station (of sure - testing). Meanwhile it collect data from two other hosts and itself. I use the following statements found at syslog-ng FAQ or examples:

source src {
        sun-stream("/dev/log" door("/etc/.syslog_door"));
        internal();
        udp(ip(192.168.77.20) port(514));
        udp(ip(192.168.76.20) port(514));
};
destination hosts {
        file("/var/net/hosts/$HOST/$YEAR/$MONTH/$DAY/$YEAR$MONTH$DAY"
             owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes));
};

What happend is, syslog-ng creates the hosts dir in /var/net and a file $DAY with all the logged data in hosts: no $HOST dir, no $YEAR, $MONTH or $DAY directory. Even if I omit $HOST (assuming any problems resolving the hostnames of the two senders), no additional directory is created. Also commenting use_dns or use_fqdn made no change.

Maybe I made some simple mistakes - so any help is welcome

Mathias

complete config:
==========
options {
        long_hostnames(off);
        # doesn't actually help on Solaris, log(3) truncates at 1024 chars
        log_msg_size(8192);
        # buffer just a little for performance
        sync(1);
        # memory is cheap, buffer messages unable to write (like to loghost)
        log_fifo_size(2048);
        # I hate Vignette StoryServer
        bad_hostname("^(ctld.|cmd|tmd|last)$");
        # The time to wait before a dead connection is reestablished (seconds)
        time_reopen(10);
        use_fqdn(yes);
        use_dns(yes);
        dns_cache(yes);
        keep_hostname(yes);
        owner(root);
        group(root);
        perm(0644);
        dir_perm(0755);
        create_dirs(yes);
        use_time_recvd(yes);
};

source src {
        sun-stream("/dev/log" door("/etc/.syslog_door"));
        internal();
        udp(ip(192.168.77.20) port(514));
        udp(ip(192.168.76.20) port(514));
};

destination hosts {
        file("/vol_a/var/net/hosts/$HOST/$YEAR/$MONTH/$DAY/$YEAR$MONTH$DAY"
             owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes));
};

log { source(src); destination(hosts); };

destination loghost {
        tcp("192.168.77.20" port(514));
        tcp("192.168.77.20" port(514));
};

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

From syslog-ng@lists.balabit.hu Fri May 16 01:16:31 2003
From: syslog-ng@lists.balabit.hu (Jason Haar)
Date: 16 May 2003 12:16:31 +1200
Subject: [syslog-ng]Can I add "chain_hostnames(no)" to source?
Message-ID: <1053044191.21983.17.camel@crom.trimble.co.nz>

Well, under 1.6.0rc3 I know I can't :-)

I'm trying to do:

source s_local { internal();
        tcp(ip("1.2.3.4") chain_hostnames(yes));
        udp( chain_hostnames(no));
}

...so that UDP-based clients get records with their DNS PTR hostnames, whereas TCP-based clients (which are other "collector" servers) are allowed to present the hostname as part of the record.

Is this possible? I'm hoping I just have the format wrong.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

From syslog-ng@lists.balabit.hu Fri May 16 08:55:42 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Fri, 16 May 2003 09:55:42 +0200
Subject: [syslog-ng]Can I add "chain_hostnames(no)" to source?
In-Reply-To: <1053044191.21983.17.camel@crom.trimble.co.nz>
References: <1053044191.21983.17.camel@crom.trimble.co.nz>
Message-ID: <20030516075542.GA31163@balabit.hu>

On Fri, May 16, 2003 at 12:16:31PM +1200, Jason Haar wrote:
>
> Well, under 1.6.0rc3 I know I can't :-)
>
> I'm trying to do:
>
> source s_local { internal();
>         tcp(ip("1.2.3.4") chain_hostnames(yes));
>         udp( chain_hostnames(no));
> }
>
> ...so that UDP-based client get records with their DNS PTR hostnames,
> whereas TCP-based clients (which are other "collector" servers) are
> allowed to present the hostname as part of the record.
>
> Is this possible? I'm hoping I just have the format wrong.

no it is not possible, chain_hostnames() is currently a global option.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Fri May 16 12:08:02 2003
From: syslog-ng@lists.balabit.hu (Jonathon Ross)
Date: Fri, 16 May 2003 07:08:02 -0400
Subject: [syslog-ng]Running syslong-ng from init?
Message-ID: <6F456CF83B5CD5119341009027AECAAB0104DD70@S-NY-EXCHPUB>

syslog-ng seems to die on me from time to time. (I wish I had more info on why to share with you, but there doesn't seem to be anything in the logs).

I'd like to run syslog-ng out of init, but I can't seem to find a way to keep it from fork()-ing.

Could anyone offer some advice?

Thanks,
-Jon

From syslog-ng@lists.balabit.hu Mon May 19 09:40:17 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Mon, 19 May 2003 10:40:17 +0200
Subject: [syslog-ng]Running syslong-ng from init?
In-Reply-To: <6F456CF83B5CD5119341009027AECAAB0104DD70@S-NY-EXCHPUB>
References: <6F456CF83B5CD5119341009027AECAAB0104DD70@S-NY-EXCHPUB>
Message-ID: <20030519084017.GE8900@balabit.hu>

On Fri, May 16, 2003 at 07:08:02AM -0400, Jonathon Ross wrote:
>
> syslog-ng seems to die on me from time to time. (I wish I had more info on
> why to share with you, but there doesn't seem to be anything in the logs).

maybe you could enable core files (using ulimit -c unlimited) and then create a backtrace using

gdb syslog-ng -c /path/to/core
(gdb) bt

>
> I'd like to run syslog-ng out of init, but I can't seem to find a way to
> keep it from fork()-ing.
>
> Could anyone offer some advice?

-F does the trick to avoid forking.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Mon May 19 14:58:41 2003
From: syslog-ng@lists.balabit.hu (Michael Hare)
Date: Mon, 19 May 2003 08:58:41 -0500
Subject: [syslog-ng]100% newbie match question
Message-ID: <000a01c31e0e$c11462e0$99d35c90@uwwt2rlwxumxvn>

Guys-

I know a little bit about syslog-ng, and a little bit about regular expressions. I haven't been able to put the two together to come up with a match expression that has the following behavior: match lines that do -not- contain the word FOO. The thing I tried that I thought would work, but didn't, was "^[FOO]".

Help?

Thanks-
-Michael

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Michael Hare
UW-Madison/WiscNet Network Engineering
My phone: 608-262-5236
24-Hour NOC: 608-263-4188
WiscNet: 608-265-6761

From syslog-ng@lists.balabit.hu Mon May 19 16:37:58 2003
From: syslog-ng@lists.balabit.hu (Aaron Jackson)
Date: Mon, 19 May 2003 11:37:58 -0400
Subject: [syslog-ng]100% newbie match question
In-Reply-To: <000a01c31e0e$c11462e0$99d35c90@uwwt2rlwxumxvn>
Message-ID:

Not tested in any way, but maybe

not match(^FOO)

in one of the filters might work.

Aaron

On Monday, May 19, 2003, at 09:58 AM, Michael Hare wrote:
> Guys-
>
> I know a little bit about syslog-ng, and a little bit about regular
> expressions. I haven't been able to put the two together to come up
> with a
> match expression that has the following behavior; match lines that do
> -not-
> contain word FOO. The thing I tried that I thought would work, but
> didn't,
> was "^[FOO]".
>
> Help?
>
> Thanks-
> -Michael
>
> /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
> Michael Hare
> UW-Madison/WiscNet Network Engineering
> My phone: 608-262-5236
> 24-Hour NOC: 608-263-4188
> WiscNet: 608-265-6761

From syslog-ng@lists.balabit.hu Thu May 8 19:52:02 2003
From: syslog-ng@lists.balabit.hu (Marco P. Rodrigues)
Date: Thu, 8 May 2003 14:52:02 -0400 (EDT)
Subject: [syslog-ng](no subject)
Message-ID:

Couldn't seem to find an answer to this in the documentation. Is it possible to have the use_dns(yes) option enabled but match hosts based on their IP address? I want to be able to write files as their FQDN but do the REGEX matching based on the IP address. I can get this to work when I disable the use_dns(yes) option but then the files are the IP. I don't want to match based on hostnames.

example:

destination net_host_all { file("/tmp/$HOST"); };
filter f_hosts_all {
        host("^10\.201\.140\.*") or
        host("^10\.201\.150\.*") or
        host("^192\.168\.0\.[0-3][0-9]");
};
log { source(net); filter(f_hosts_all); destination(net_host_all); flags(final); };

While I'm here I might as well kill two birds with one stone. Can someone give me a real life example of the practical use of using the fallback option? I must be inept because I can't see a valid reason to have it that the final/catchall statement couldn't do (with proper logical placements of the log statements in the configuration).

MPR.

--
"I am kind of a paranoiac in reverse. I suspect people of plotting to make me happy." - J.D. Salinger

From syslog-ng@lists.balabit.hu Mon May 19 12:40:20 2003
From: syslog-ng@lists.balabit.hu (Geoff Wright)
Date: Mon, 19 May 2003 12:40:20 +0100
Subject: [syslog-ng]Running syslong-ng from init?
In-Reply-To: <6F456CF83B5CD5119341009027AECAAB0104DD70@S-NY-EXCHPUB>
References: <6F456CF83B5CD5119341009027AECAAB0104DD70@S-NY-EXCHPUB>
Message-ID: <20030519114020.GA26008@mail.trainedmonkey.co.uk>

Jonathon Ross (jross@island.com) said : Re: [syslog-ng]Running syslong-ng from init?
>
> syslog-ng seems to die on me from time to time. (I whish I had more info on
> why to share with you, but there doesn't seem to be anyting in the logs).
>
> I'd like to run syslog-ng out of init, but I can't seem to find a way to
> keep it from fork()-ing.
>
> Could anyone offer some advice?
>
> Thanks,
> -Jon
>

There was a foreground hack for syslog-ng. But you can use daemontools to make sure it keeps running:

http://cr.yp.to/daemontools.html

Because syslog-ng goes into the background you need to use fghack (comes with daemontools). Otherwise it'll keep starting syslog-ng processes until your machine falls over.

The /service/syslog-ng/run file would be something like:

#!/bin/sh
exec fghack /usr/local/sbin/syslog-ng -f /usr/local/etc/syslog-ng.conf

Works for us anyway.

Cheers,
Geoff

From syslog-ng@lists.balabit.hu Thu May 8 19:48:37 2003
From: syslog-ng@lists.balabit.hu (sjm)
Date: Thu, 08 May 2003 14:48:37 -0400
Subject: [syslog-ng]xinet.d
Message-ID: <3EBAA685.9020203@porter.appstate.edu>

Could someone please post the xinet.d script they use with syslog-ng?

Thanks for your time,

--
Steve McKinney
ARDI - Web Programmer
sjm@porter.appstate.edu
(828) 262-6553

From syslog-ng@lists.balabit.hu Tue May 20 15:37:56 2003
From: syslog-ng@lists.balabit.hu (Nate Campi)
Date: Tue, 20 May 2003 07:37:56 -0700
Subject: [syslog-ng]Can some servers only be allowed to chained?
In-Reply-To: <3EC09FE2.4090100@trimble.co.nz>
References: <20030501215148.GB23480@trimble.co.nz> <20030512213134.GA25266@campin.net> <3EC09FE2.4090100@trimble.co.nz>
Message-ID: <20030520143756.GJ19024@campin.net>

On Tue, May 13, 2003 at 07:33:54PM +1200, Jason Haar wrote:
>
> So my question is: can it "trust" the hostname provided by TCP-based
> syslog servers, and do a PTR lookup on the ones provided via UDP. From
> what I can see in syslog-ng - it can't.

I do the exact same thing as you, and now I understand your setup.

Basically, I ended up having to choose between running a second syslog-ng on the central host with different hostname options or using a second host on the same subnet. Basically, until you can do per-source hostname options you're out of luck.

--
Nate Campi
http://www.campin.net

From syslog-ng@lists.balabit.hu Tue May 20 23:30:42 2003
From: syslog-ng@lists.balabit.hu (Joxn)
Date: Tue, 20 May 2003 15:30:42 -0700
Subject: [syslog-ng]failover
Message-ID: <3ECAAC92.4050406@vernum.com>

Hi everybody,

I log messages to a remote server. But what happens if that server is not reachable? Is there a way to implement a failover to a second server?

Thanks very much in advance.

bye
Joxn

From syslog-ng@lists.balabit.hu Wed May 21 00:12:09 2003
From: syslog-ng@lists.balabit.hu (Nate Campi)
Date: Tue, 20 May 2003 16:12:09 -0700
Subject: [syslog-ng]failover
In-Reply-To: <3ECAAC92.4050406@vernum.com>
References: <3ECAAC92.4050406@vernum.com>
Message-ID: <20030520231209.GA10784@campin.net>

On Tue, May 20, 2003 at 03:30:42PM -0700, Joxn wrote:
> I log messages to a remote server. But what happens if that server is
> not reachable? Is there a way to implement a failover to second server?

There's nothing built in to syslog-ng for this, you'd have to build something yourself.

You could use syslog-ng on all the clients to send via udp to two hosts, and only start up syslog-ng on the second loghost when the first is down (no error messages of any kind on the clients when using UDP, but you lose the reliability). A simple fping script could be used on the second host to start syslog-ng (or load up a new conf that listens on the network).

Other ways involve hot-failover (heartbeat-type stuff perhaps) so that a backup server takes over for the downed host, or a load balancer that stops sending packets to a downed server (layer four switch type of thing from cisco, alteon, bigip, etc), or an out-of-band process that watches logs for connection failed messages (when using TCP) and modifies the syslog-ng conf file to use another host (and restarts it of course).

Most of this is overkill, a monitoring system that pages someone when servers go down is usually ok. I could see shops where security is the top priority that might want this, though. Such a shop would benefit from having a config directive to call a script when a certain number of attempts to connect to a loghost over TCP have failed. The site-specific script could take care of whatever failover measures are needed.

--
Nate Campi
http://www.campin.net

From syslog-ng@lists.balabit.hu Wed May 21 05:29:51 2003
From: syslog-ng@lists.balabit.hu (Joxn)
Date: Tue, 20 May 2003 21:29:51 -0700
Subject: [syslog-ng]failover
In-Reply-To: <20030520231209.GA10784@campin.net>
References: <3ECAAC92.4050406@vernum.com> <20030520231209.GA10784@campin.net>
Message-ID: <3ECB00BF.1000109@vernum.com>

Nate Campi wrote:
>>I log messages to a remote server. But what happens if that server is
>>not reachable? Is there a way to implement a failover to second server?
> There's nothing built in to syslog-ng for this, you'd have to build
> something yourself.

Well, when TCP is used to transfer the remote logs, shouldn't it be rather easy to build some failover code into syslog-ng? I imagine that some option for tcp in the syslog-ng.conf would be the way to do it:

destination remote_tcp1 { tcp("loghost1" failover(remote_tcp2)); };
destination remote_tcp2 { tcp("loghost2"); };

And perhaps if remote_tcp2 / loghost2 can't be reached failover to a local log...

Is any of this planned? Otherwise, I might look into that - although I don't know if I have the time for this right now.

bye
Joxn

--
|| //\\ \\// |\\|| :: joxn@vernum.com ::
\\|| \\// //\\ ||\\| :: 8053703 ::

From syslog-ng@lists.balabit.hu Wed May 21 11:16:52 2003
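An added example, not code from syslog-ng or from either poster: the `failover()` option Joxn sketches does not exist in 1.6.0rc3 (Nate's reply says there is nothing built in), so the Python below implements the same idea as a client-side TCP sender. It walks an ordered target list, spools to a local buffer when nothing answers (Joxn's "failover to a local log"), and calls a hook after N consecutive failures (Nate's "call a script when a certain number of attempts have failed"). The hostnames `loghost1`/`loghost2` are Joxn's placeholders; the `connector` callback is injected so the failover logic can be exercised offline with a fake network, which the test below does.

```python
import socket


class FailoverSyslog:
    """TCP syslog client with an ordered failover chain and a local spool.

    targets   : [(host, port), ...] in preference order
    spool     : list that receives records no target accepted (stand-in for
                a local file destination)
    on_outage : called once with the failure count when max_failures
                consecutive records reached no target (hook for a site script)
    connector : (host, port) -> callable(bytes); raises OSError when the host
                cannot be reached. Injectable so the logic runs offline; the
                default opens a real TCP connection.
    """

    def __init__(self, targets, spool, on_outage=None, max_failures=3,
                 connector=None, timeout=2.0):
        self.targets = [tuple(t) for t in targets]
        self.spool = spool
        self.on_outage = on_outage
        self.max_failures = max_failures
        self.timeout = timeout
        self.connector = connector or self._tcp_connector
        self.conns = {}        # target -> send callable, kept open across records
        self.active = None     # target that took the last record
        self.failures = 0      # consecutive records that ended in the spool

    def _tcp_connector(self, host, port):
        sock = socket.create_connection((host, port), timeout=self.timeout)
        return sock.sendall

    def _order(self):
        # Stay on the target that is working; otherwise walk the list from the
        # top so a recovered primary is preferred on the next outage.
        rest = [t for t in self.targets if t != self.active]
        return ([self.active] if self.active else []) + rest

    def send(self, record):
        if not record.endswith(b"\n"):
            record += b"\n"    # 1.6 has no octet framing; newline delimits records
        for target in self._order():
            try:
                if target not in self.conns:
                    self.conns[target] = self.connector(*target)
                self.conns[target](record)
            except OSError:
                # A dead peer behind an established socket is only noticed when
                # the kernel gives up retransmitting; nothing here speeds that up.
                self.conns.pop(target, None)
                continue
            self.active, self.failures = target, 0
            return target
        self.active = None
        self.spool.append(record)
        self.failures += 1
        if self.failures == self.max_failures and self.on_outage:
            self.on_outage(self.failures)
        return None


if __name__ == "__main__":
    # Real network use: hostnames are Joxn's placeholders, adjust to taste.
    spool = []
    client = FailoverSyslog([("loghost1", 514), ("loghost2", 514)], spool,
                            on_outage=lambda n: print(f"{n} records spooled, page someone"))
    took = client.send(b"<13>May 21 22:00:00 client1 test: failover demo")
    print("delivered to", took, "spooled", len(spool))
```

The design keeps one connection per target open and only moves on when a send raises, which mirrors what a daemon would do; the comment in `send` is the caveat that matters operationally: a silently dead server does not raise until TCP retransmission gives up, so the hook fires on connect failures quickly but on a hung host only after the kernel's timeout.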
From: syslog-ng@lists.balabit.hu (Jason Haar)
Date: Wed, 21 May 2003 22:16:52 +1200
Subject: [syslog-ng]Can some servers only be allowed to chained?
In-Reply-To: <20030520143756.GJ19024@campin.net>
References: <20030501215148.GB23480@trimble.co.nz> <20030512213134.GA25266@campin.net> <3EC09FE2.4090100@trimble.co.nz> <20030520143756.GJ19024@campin.net>
Message-ID: <3ECB5214.8060000@trimble.co.nz>

Nate Campi wrote:
> Basically, I ended up having to choose between running a second
> syslog-ng on the central host with different hostname options or using a
> second host on the same subnet. Basically, until you can do per-source
> hostname options you're out of luck.

Yeah. I already thought of running two instances - but then I'd have to
have two sets of destinations too, wouldn't I? I doubt two instances of
syslog-ng could write to /var/log/messages simultaneously...

Jason

From syslog-ng@lists.balabit.hu Wed May 21 17:27:04 2003
From: syslog-ng@lists.balabit.hu (Mike Thomas)
Date: Wed, 21 May 2003 11:27:04 -0500
Subject: [syslog-ng]tcp wrapper support on FreeBSD 5.0
Message-ID: <200305211127.04432.mwt@cems.umn.edu>

Hello,

I recently discovered the wonders and joys of syslog-ng, and have been
attempting to get tcp wrapper support to work, and unfortunately, to no
avail.

What I am experiencing is simply that it is not working. I wish I could
provide a more descriptive and detailed 'error', but it just simply won't
block denied hosts.

Here's the relevant output from ./configure, etc.

    ./configure --prefix=/usr --enable-tcp-wrapper

    checking for tcpd.h... yes
    checking for TCP wrapper library... -lwrap
    checking whether to enable Sun STREAMS support... no
    checking whether to enable Sun door support... no
    checking whether to enable TCP wrapper support... yes

As you can see, tcp wrapper support was successfully compiled in. I did not
have any issues/warnings/errors while compiling. Everything looked good on
that end.

Here's the relevant entries from /etc/hosts.allow (I don't use hosts.deny,
all my entries are in hosts.allow, both deny and allow):

    syslog-ng: draco.cems.umn.edu, centaurus.cems.umn.edu, lupus.cems.umn.edu,
        cygnus.cems.umn.edu, orion.cems.umn.edu, gemini.cems.umn.edu,
        crux.cems.umn.edu, mozart.cems.umn.edu, : ALLOW

    syslogng: draco.cems.umn.edu, centaurus.cems.umn.edu, lupus.cems.umn.edu,
        cygnus.cems.umn.edu, orion.cems.umn.edu, gemini.cems.umn.edu,
        crux.cems.umn.edu, mozart.cems.umn.edu : ALLOW

    #deny *EVERYTHING* else
    ALL : ALL : DENY

I've used tcpdmatch to verify that the rules are being examined and caught
in the right fashion and they are.
Here's the output of tcpdmatch, for instance:

    loki:root(~/syslog-ng/syslog-ng-1.6.0rc3)# tcpdmatch syslog-ng oberlin.cems.umn.edu
    warning: syslog-ng: no such process name in /etc/inetd.conf
    client:   hostname oberlin.cems.umn.edu
    client:   address  134.84.165.104
    server:   process  syslog-ng
    matched:  /etc/hosts.allow line 25
    option:   DENY
    access:   denied

Line 25 is the ALL : ALL : DENY

    loki:root(~/syslog-ng/syslog-ng-1.6.0rc3)# tcpdmatch syslog-ng mozart.cems.umn.edu
    warning: syslog-ng: no such process name in /etc/inetd.conf
    client:   hostname mozart.cems.umn.edu
    client:   address  134.84.164.249
    server:   process  syslog-ng
    matched:  /etc/hosts.allow line 20
    option:   ALLOW
    access:   granted

Line 20 is the syslog-ng: etc... line

I have also used strace and truss on the syslog-ng binary and discovered
that it is successfully making a call to the libwrap library, but it doesn't
read hosts.allow/hosts.deny (I'm not sure if it's supposed to or not).

As far as how I have syslog-ng set up, I have it running on the default UDP
port, 514, bound to a specific IP which is not the main IP of the machine,
but set up as a virtual interface; in Linux it would be known as eth0:0, BSD
just regards it as a second IP. Syslog-ng itself functions perfectly,
accepting remote connections and the whole nine yards, it just simply
refuses to work with tcp wrappers.

Thanks in advance for your help,

--Mike

From syslog-ng@lists.balabit.hu Thu May 22 09:13:48 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Thu, 22 May 2003 10:13:48 +0200
Subject: [syslog-ng]tcp wrapper support on FreeBSD 5.0
In-Reply-To: <200305211127.04432.mwt@cems.umn.edu>
References: <200305211127.04432.mwt@cems.umn.edu>
Message-ID: <20030522081348.GD29076@balabit.hu>

On Wed, May 21, 2003 at 11:27:04AM -0500, Mike Thomas wrote:
> Hello,
>
> I recently discovered the wonders and joys of syslog-ng, and have been
> attempting to get tcp wrapper support to work, and unfortunately, to no
> avail.
>
> What I am experiencing is simply that it is not working. I wish I could
> provide a more descriptive and detailed 'error', but it just simply won't
> block denied hosts.
>
> Here's the relevant output from ./configure, etc.
>
> ./configure --prefix=/usr --enable-tcp-wrapper
>
> checking for tcpd.h... yes
> checking for TCP wrapper library... -lwrap
> checking whether to enable Sun STREAMS support... no
> checking whether to enable Sun door support... no
> checking whether to enable TCP wrapper support... yes
>
> As you can see, tcp wrapper support was successfully compiled in. I did not
> have any issues/warnings/errors while compiling. Everything looked good on
> that end.
>
> Here's the relevant entries from /etc/hosts.allow (I don't use hosts.deny,
> all my entries are in hosts.allow, both deny and allow):
>
> syslog-ng: draco.cems.umn.edu, centaurus.cems.umn.edu, lupus.cems.umn.edu,
>     cygnus.cems.umn.edu, orion.cems.umn.edu, gemini.cems.umn.edu,
>     crux.cems.umn.edu, mozart.cems.umn.edu, : ALLOW
>
> syslogng: draco.cems.umn.edu, centaurus.cems.umn.edu, lupus.cems.umn.edu,
>     cygnus.cems.umn.edu, orion.cems.umn.edu, gemini.cems.umn.edu,
>     crux.cems.umn.edu, mozart.cems.umn.edu : ALLOW
>
> #deny *EVERYTHING* else
>
> ALL : ALL : DENY
>
> I've used tcpdmatch to verify that the rules are being examined and caught
> in the right fashion and they are.
> Here's the output of tcpdmatch, for instance:
>
> loki:root(~/syslog-ng/syslog-ng-1.6.0rc3)# tcpdmatch syslog-ng oberlin.cems.umn.edu
>
> warning: syslog-ng: no such process name in /etc/inetd.conf
> client:   hostname oberlin.cems.umn.edu
> client:   address  134.84.165.104
> server:   process  syslog-ng
> matched:  /etc/hosts.allow line 25
> option:   DENY
> access:   denied
>
> Line 25 is the ALL : ALL : DENY
>
> loki:root(~/syslog-ng/syslog-ng-1.6.0rc3)# tcpdmatch syslog-ng mozart.cems.umn.edu
> warning: syslog-ng: no such process name in /etc/inetd.conf
> client:   hostname mozart.cems.umn.edu
> client:   address  134.84.164.249
> server:   process  syslog-ng
> matched:  /etc/hosts.allow line 20
> option:   ALLOW
> access:   granted
>
> Line 20 is the syslog-ng: etc... line
>
> I have also used strace and truss on the syslog-ng binary and discovered
> that it is successfully making a call to the libwrap library, but it
> doesn't read hosts.allow/hosts.deny (I'm not sure if it's supposed to or
> not).
>
> As far as how I have syslog-ng set up, I have it running on the default UDP
> port, 514, bound to a specific IP which is not the main IP of the machine,
> but set up as a virtual interface; in Linux it would be known as eth0:0,
> BSD just regards it as a second IP. Syslog-ng itself functions perfectly,
> accepting remote connections and the whole nine yards, it just simply
> refuses to work with tcp wrappers.

The TCP wrapper code has been contributed and I do not use it myself.
Checking the source it seems that it is applied to TCP based connections
only. I don't know however how it would behave if it would be applied to
each incoming UDP packet (as they might each have a different source IP),
though the results could be cached, but there's no such code in place.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Thu May 22 15:13:38 2003
From: syslog-ng@lists.balabit.hu (Mike Thomas)
Date: Thu, 22 May 2003 09:13:38 -0500
Subject: [syslog-ng]tcp wrapper support on FreeBSD 5.0
In-Reply-To: <20030522081348.GD29076@balabit.hu>
References: <200305211127.04432.mwt@cems.umn.edu> <20030522081348.GD29076@balabit.hu>
Message-ID: <200305220913.38531.mwt@cems.umn.edu>

> The TCP wrapper code has been contributed and I do not use it myself.
> Checking the source it seems that it is applied to TCP based connections
> only. I don't know however how it would behave if it would be applied to
> each incoming UDP packet (as they might each have a different source IP),
> though the results could be cached, but there's no such code in place.

Well, that would explain things. Thanks for your help. Perhaps I will add
the UDP code and submit a patch.

Thanks again!

--Mike

From syslog-ng@lists.balabit.hu Fri May 23 21:05:02 2003
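An added example, not syslog-ng or libwrap code, illustrating the per-packet check with cached results that Bazsi's reply above sketches for UDP and that Mike offers to write: a hosts.allow-style matcher (only the subset of hosts_access(5) syntax Mike's file uses, first match decides, ALL as wildcard) stands in for libwrap's hosts_ctl(), and a TTL cache keyed on (daemon, source IP) keeps rule evaluation, and the reverse DNS lookup a real deployment would do, off the per-datagram path. The reverse-DNS table, rule file and datagrams are constructed; no socket is opened.

```python
"""Per-datagram access control with cached verdicts (added example)."""
import time

# Constructed stand-in for gethostbyaddr() so the example runs offline;
# a real check would do the reverse lookup, which is what the cache saves.
FAKE_PTR = {
    "134.84.164.249": "mozart.cems.umn.edu",
    "134.84.165.104": "oberlin.cems.umn.edu",
}

# Constructed rules in the shape of Mike's hosts.allow (trailing comma included).
SAMPLE_HOSTS_ALLOW = """\
syslog-ng: draco.cems.umn.edu, mozart.cems.umn.edu, : ALLOW
# deny *EVERYTHING* else
ALL : ALL : DENY
"""

# Constructed datagrams as (source_ip, payload): two from an allowed host, one not.
SAMPLE_DATAGRAMS = [
    ("134.84.164.249", b"<34>May 21 11:00:00 mozart sshd[4711]: Accepted publickey for mwt"),
    ("134.84.165.104", b"<34>May 21 11:00:01 oberlin sshd[99]: Failed password for root"),
    ("134.84.164.249", b"<38>May 21 11:00:02 mozart su: root login on tty1"),
]


def parse_rules(text):
    """Parse 'daemons : clients [: option]' lines into (daemons, clients, deny).
    Only the subset of hosts_access(5) syntax used above is understood."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        daemons = {d.strip() for d in fields[0].split(",") if d.strip()}
        clients = {c.strip() for c in fields[1].split(",") if c.strip()}
        deny = len(fields) > 2 and fields[2].upper() == "DENY"
        rules.append((daemons, clients, deny))
    return rules


def _matches(patterns, name):
    """ALL matches anything; otherwise an exact, case-insensitive match."""
    if name is None:
        return False
    return "ALL" in patterns or any(p.lower() == name.lower() for p in patterns)


def hosts_access(rules, daemon, ip, resolver=FAKE_PTR.get):
    """Stand-in for libwrap's hosts_ctl(): the first matching rule decides.
    With no match at all, tcp wrappers grant access (hosts_access(5)), so the
    same default applies here; that is why the file ends in ALL : ALL : DENY."""
    hostname = resolver(ip)
    for daemons, clients, deny in rules:
        if not _matches(daemons, daemon):
            continue
        if _matches(clients, ip) or _matches(clients, hostname):
            return not deny
    return True


class AccessCache:
    """Per-(daemon, source IP) verdict cache with a TTL and a size bound. The
    bound matters for UDP: a flood of spoofed source addresses would otherwise
    grow the table without limit. When full, expired entries are purged and,
    if it is still full, the verdict is returned but not cached."""

    def __init__(self, rules, ttl=60.0, max_entries=4096, clock=time.monotonic):
        self.rules, self.ttl, self.max_entries, self.clock = rules, ttl, max_entries, clock
        self.lookups = 0  # rule evaluations actually performed
        self._cache = {}

    def allowed(self, daemon, ip):
        now = self.clock()
        hit = self._cache.get((daemon, ip))
        if hit is not None and hit[1] > now:
            return hit[0]
        self.lookups += 1
        verdict = hosts_access(self.rules, daemon, ip)
        if len(self._cache) >= self.max_entries:
            self._cache = {k: v for k, v in self._cache.items() if v[1] > now}
        if len(self._cache) < self.max_entries:
            self._cache[(daemon, ip)] = (verdict, now + self.ttl)
        return verdict


def filter_datagrams(cache, datagrams, daemon="syslog-ng"):
    """What a UDP receive loop would do after recvfrom(): consult the cache
    for each datagram's source and keep or drop it. Returns (accepted, dropped)."""
    accepted, dropped = [], 0
    for ip, payload in datagrams:
        if cache.allowed(daemon, ip):
            accepted.append((ip, payload))
        else:
            dropped += 1
    return accepted, dropped


if __name__ == "__main__":
    cache = AccessCache(parse_rules(SAMPLE_HOSTS_ALLOW))
    kept, dropped = filter_datagrams(cache, SAMPLE_DATAGRAMS)
    print("accepted %d, dropped %d, rule evaluations %d" % (len(kept), dropped, cache.lookups))
```

Two caveats a deployment needs. The source address of a UDP datagram is whatever the sender wrote into it, so this filters out misconfigured or noisy senders but cannot keep out anyone who spoofs an allowed address; the TCP path at least requires a completed handshake. And because the cache is keyed on the address, a rule that matches on hostname is resolved once per TTL per source: a PTR change, or a poisoned one, is not noticed until the entry expires, which is the price of not doing a reverse lookup for every packet.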
From: syslog-ng@lists.balabit.hu (Nate Campi)
Date: Fri, 23 May 2003 13:05:02 -0700
Subject: [syslog-ng]Can some servers only be allowed to chained?
In-Reply-To: <3ECB5214.8060000@trimble.co.nz>
References: <20030501215148.GB23480@trimble.co.nz> <20030512213134.GA25266@campin.net> <3EC09FE2.4090100@trimble.co.nz> <20030520143756.GJ19024@campin.net> <3ECB5214.8060000@trimble.co.nz>
Message-ID: <20030523200502.GA16807@campin.net>

On Wed, May 21, 2003 at 10:16:52PM +1200, Jason Haar wrote:
> Nate Campi wrote:
>> Basically, I ended up having to choose between running a second
>> syslog-ng on the central host with different hostname options or using a
>> second host on the same subnet. Basically, until you can do per-source
>> hostname options you're out of luck.
>
> Yeah. I already thought of running two instances - but then I'd have to
> have two sets of destinations too, wouldn't I? I doubt two instances of
> syslog-ng could write to /var/log/messages simultaneously...

No silly, the second one is simply a relay that does the hostname
replacement and sends on to the second one that trusts hostnames. The
first does no writing to any files.

-- 
Nate Campi http://www.campin.net

From syslog-ng@lists.balabit.hu Sun May 25 02:16:52 2003
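The two-instance layout Nate describes, written out as an added configuration example rather than anything posted in the thread. The relay instance receives from hosts that are not trusted to name themselves, rewrites HOST to the sender's resolved address (keep_hostname(no)) and forwards over loopback TCP to the main instance, which runs with keep_hostname(yes) so that both the chained servers and the relay's already-rewritten traffic keep the HOST they carry. The interface address 10.0.0.1, the loopback port 5140 and the source/destination names are assumptions; chain_hostnames(no) is set explicitly on both instances so neither prepends its own name.

```conf
# --- relay instance, e.g. syslog-ng -f /etc/syslog-ng/relay.conf ---
# Listens for hosts that must NOT be trusted to name themselves, replaces
# HOST with the sender's resolved address, forwards to the main instance.
# 10.0.0.1 and port 5140 are assumed values.
options { keep_hostname(no); chain_hostnames(no); use_dns(yes); use_fqdn(yes); };

source      s_untrusted { udp(ip(10.0.0.1) port(514)); };
destination d_main      { tcp("127.0.0.1" port(5140)); };
log { source(s_untrusted); destination(d_main); };

# --- main instance, e.g. syslog-ng -f /etc/syslog-ng/syslog-ng.conf ---
# Trusts HOST in everything it receives: the chained servers on 514/tcp and
# the already-rewritten stream from the relay on 5140/tcp. Only this
# instance writes files.
options { keep_hostname(yes); chain_hostnames(no); };

source s_local   { unix-stream("/dev/log"); internal(); };
source s_chained { tcp(ip(10.0.0.1) port(514) max_connections(20)); };
source s_relay   { tcp(ip(127.0.0.1) port(5140)); };
destination d_messages { file("/var/log/messages"); };
log { source(s_local); source(s_chained); source(s_relay); destination(d_messages); };
```

This only holds if the untrusted hosts cannot reach the main instance's listeners: filter 514/tcp on 10.0.0.1 so that only the chained servers can connect, and remember that any local process can connect to 127.0.0.1:5140 and inject messages carrying an arbitrary HOST, since the main instance takes that field at face value. Anything allowed to talk to a keep_hostname(yes) listener is, in effect, allowed to forge hostnames in the central log.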
From: syslog-ng@lists.balabit.hu (Jason Haar)
Date: Sun, 25 May 2003 13:16:52 +1200
Subject: [syslog-ng]Can some servers only be allowed to chained?
In-Reply-To: <20030523200502.GA16807@campin.net>
References: <20030501215148.GB23480@trimble.co.nz> <20030512213134.GA25266@campin.net> <3EC09FE2.4090100@trimble.co.nz> <20030520143756.GJ19024@campin.net> <3ECB5214.8060000@trimble.co.nz> <20030523200502.GA16807@campin.net>
Message-ID: <3ED01984.6020300@trimble.co.nz>

Nate Campi wrote:
>> Yeah. I already thought of running two instances - but then I'd have to
>> have two sets of destinations too, wouldn't I? I doubt two instances of
>> syslog-ng could write to /var/log/messages simultaneously...
>
> No silly, the second one is simply a relay that does the hostname
> replacement and sends on to the second one that trusts hostnames. The
> first does no writing to any files.

Well, duh! Do I feel stupid :-)

Great idea. Simple and doesn't require patching.

Thanks for the tip

Jason

From syslog-ng@lists.balabit.hu Thu May 29 12:38:57 2003
From: syslog-ng@lists.balabit.hu (Moktar KONE)
Date: Thu, 29 May 2003 11:38:57 -0000
Subject: [syslog-ng]Rotate my logs files
References: <20030524182002.2188.76408.Mailman@www.balabit.hu>
Message-ID: <005301c325d6$e3fbb9a0$35c8ccc2@mtds.com>

Hi,

I am testing syslog-ng and I want to know how I can rotate my log files.
To log messages I have a directory for many hosts; for each host, logs are
classified by facility, and I have a new log file each day for each
facility, so the names of my log files change according to the date. How
can I rotate the old log files? The logs of 2 days ago? 3 days ago?

Thanks.

This is the section that logs my files:

    destination hosts {
        file("/var/log/HOSTS/$HOST/$FACILITY/$FACILITY_$YEAR_$MONTH_$DAY"
             create_dirs(yes));
    };

From syslog-ng@lists.balabit.hu Thu May 29 15:04:28 2003
From: syslog-ng@lists.balabit.hu (Keith Olmstead)
Date: Thu, 29 May 2003 09:04:28 -0500 (CDT)
Subject: [syslog-ng]A few questions
Message-ID:

Hello,

I have been messing with syslog-ng for a while now, and I have it working
on a central log server that I am working on, and now I have a few
questions.

1. Is it better to do the filtering on the remote log server or the syslog
   server? I would think sending all logs to the syslog server would create
   unneeded traffic.

2. I am logging using the following variables, but it seems that the log is
   only getting logged as message_$date in the dir. Why is this?

    /$HOST/$YEAR/$MONTH/$DAY/$HOST_messages_$YEAR_$MONTH_$DAY"

TIA,
Keith Olmstead

From syslog-ng@lists.balabit.hu Thu May 29 15:08:47 2003
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Thu, 29 May 2003 16:08:47 +0200
Subject: [syslog-ng]syslog-ng and Linux kernel 2.4.20
Message-ID: <20030529140847.GA18411@balabit.hu>

hi,

this message is to inform you that syslog-ng might crash on kernels 2.4.20
due to a kernel bug. It causes syslog-ng to crash every few days.

the problem is that recvfrom() returns without touching either the sockaddr
length or the socket address. If the memory area contains a seemingly valid
AF_INET address (because of a previous invocation), then
sockaddr2address_info memcpy()s socklen (which is 256 in our case) amount of
memory to a sockaddr_in.

I've now added a workaround, and an assert statement to catch these cases.
Patch is included below, but grabbing the latest libol snapshot should also
help.

A workaround is attached:

diff -u -r1.36 -r1.37 --- io.c 30 Apr 2003 08:08:50 -0000 1.36 +++ io.c 22 May 2003 16:56:59 -0000 1.37 @@ -1,6 +1,6 @@ /* io.c * - * $Id: io.c,v 1.36 2003/04/30 08:08:50 bazsi Exp $ */ + * $Id: io.c,v 1.37 2003/05/22 16:56:59 bazsi Exp $ */ /* lsh, an implementation of the ssh protocol *
@@ -373,9 +373,13 @@ for (;;) { int res; + /* This is another workaround for Linux kernel bugs */ + + ((struct sockaddr *) addr)->sa_family = 0; + res = recvfrom(closure->fd, buffer, length, 0, (struct sockaddr *) addr, (socklen_t *) addrlen); - if (*addrlen == 2) { + if (*addrlen == 2 || (*addrlen >= 2 && ((struct sockaddr *) addr)->sa_family == 0)) { /* HACK: this is a workaround of a Linux 2.2 & 2.4 bug, * it doesn't return anything sensible in sockaddr buf */ @@ -1013,6 +1017,7 @@ struct sockaddr_in *in = (struct sockaddr_in *) addr; UINT32 ip, port; + assert(addr_len == sizeof(struct sockaddr_in)); ip = ntohl(in->sin_addr.s_addr); port = ntohs(in->sin_port); a = make_inet_address(c_format_cstring("%i.%i.%i.%i",

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Tue May 20 18:24:02 2003
From: syslog-ng@lists.balabit.hu (Tivon Luker)
Date: Tue, 20 May 2003 13:24:02 -0400
Subject: [syslog-ng]tcp wrappers, syslog-ng and solaris 9
Message-ID:

Hello. I am attempting to get tcp wrappers to work with syslog-ng-1.6.0rc3
compiled under Solaris 9. syslog-ng seems to ignore hosts.allow and
hosts.deny. When compiling, configure says it finds everything and I
compiled with --enable-tcp-wrapper. Has anyone been successful in getting
this to work?

From syslog-ng@lists.balabit.hu Thu May 22 16:22:16 2003
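Review bot: in the recvfrom() hunk of io.c (@@ -373,9 +373,13 @@), only sa_family is reset before the call; *addrlen is not. recvfrom() shrinks *addrlen to the length of the address it returns, so if the for (;;) loop retries the call, the next attempt passes the already-shortened length, and the new `*addrlen >= 2 && ((struct sockaddr *) addr)->sa_family == 0` test is then judged against whatever the previous iteration left behind rather than a known state. Suggest setting *addrlen back to the caller's buffer size next to the `((struct sockaddr *) addr)->sa_family = 0;` line, and updating the HACK comment, which still names only the "Linux 2.2 & 2.4" sockaddr bug, to say which case the sa_family check catches.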
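Review bot: in the sockaddr2address_info() hunk (@@ -1013,6 +1017,7 @@), the new `assert(addr_len == sizeof(struct sockaddr_in));` turns a silent overread into a deliberate abort of the whole log daemon whenever the kernel hands back a bad length, and with NDEBUG defined the line compiles away so the memcpy() described in the message runs unchecked again. A mismatched length is an input error, not a programming error: check it with a plain `if` that logs once and returns NULL (the datagram is dropped, the daemon stays up), and copy sizeof(struct sockaddr_in) bytes rather than addr_len so the destination structure can never be overrun.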
From: syslog-ng@lists.balabit.hu (Steven Welters)
Date: Thu, 22 May 2003 17:22:16 +0200
Subject: [syslog-ng]libtool ar not found
Message-ID:

Hi,

I want to install syslog-ng on my Solaris 7 system. I have gcc 3.2.3, GNU
make 3.80, GNU flex, bison. I run into problems with compiling the libol
(have tried 0.3.10, 3.9, 3.8, 3.6, 3.5). ./configure seems to work;
however, make stops with these error messages:

    ../libtool: ar: not found
    make[1]: *** [libol.la] Error 1
    make[1]: Leaving directory `/tmp/libol-0.3.5/src'
    make: *** [all-recursive] Error 1

I have searched the internet but found no references to this problem. Does
anyone have a clue?

Best regards & thanks in advance,

Steven

---"Virtual" means never knowing where your next byte is coming from.---

From syslog-ng@lists.balabit.hu Mon May 26 10:50:28 2003
From: syslog-ng@lists.balabit.hu (Amodiovalerio Verde)
Date: Mon, 26 May 2003 11:50:28 +0200
Subject: [syslog-ng]filter match()
Message-ID:

Hi all,

during some extensive tests on syslog-ng, I found something that really
makes it difficult for me to implement some filters.

I need to match the same EXACT messages, and so I used something like
match("^MATCHTHIS$") in a filter statement...

but I find that the match will consider the message starting from the
program name...

Is there any way to match JUST the message part without the program one?
(the program() just works on the program part of the message, so I expected
that match() would work on the other one...)

Thanks in advance

Amodiovalerio Verde

amodiovalerio.verde@ags-it.com
amover@libero.it