From: syslog-ng@lists.balabit.hu (Pedroche, Raúl)
Date: Mon, 2 Aug 2004 08:24:11 +0100
Subject: [syslog-ng]Sudden dead

Check whether you have a source that includes internal() and where that source is logged to.

-----Original Message-----
From: Francisco Javier Martinez Martinez [mailto:fjmartinez@csi.uned.es]
Sent: Friday, July 30, 2004 11:38 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Sudden dead

Hello world.

I installed syslog-ng 1.4.15 & libol 0.2.23 some time ago on a Red Hat 7.2 box. It worked fine as the central logger for various servers for some time, but suddenly it died.

When the daemon is started it shows the literal "Ok", but the truth is that there is no process running. If I run /etc/rc.d/initd/syslog-ng status it tells me that it is stopped but that there is a PID file. I don't know where syslog-ng logs its own activity, so I can't see what is wrong. Any idea?

Thanks in advance.

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

**********************************************************************
COLT Telecom Espana S.A.
Registered office: Telemaco, 5 28027 Madrid
Tel. +34 91 789 9000

This message is subject to and does not create or vary any contractual relationship between COLT Telecommunications, its subsidiaries or affiliates ("COLT") and you. Internet communications are not secure and therefore COLT does not accept legal responsibility for the contents of this message. Any view or opinions expressed are those of the author. The message is intended for the addressee only and its contents and any attached files are strictly confidential. If you have received it in error, please telephone the number above. Thank you.
**********************************************************************
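The advice in the reply above is to find the source that carries internal() and see which destination it feeds, since that is where syslog-ng reports its own start-up errors. The script below is an added example, not from the thread or from the syslog-ng project: it does that check mechanically for the simple syslog-ng 1.x block syntax and also classifies the PID-file state the way the init script's "status" does. The config text is a constructed sample, the PID-file path is passed in by the caller, and the mini-parser is my own assumption about the block shape, not syslog-ng's real grammar.

```python
"""Added example (not from the mailing-list post): find where syslog-ng's own
internal() messages end up, and check the PID file against a live process.

Assumptions (not in the original message): the caller supplies config text and
PID-file path; the parser only understands the one-statement-per-block
source/destination/log syntax of syslog-ng 1.x with no nested braces."""
import os
import re

# `source NAME { ... };`, `destination NAME { ... };` and `log { ... };`
_BLOCK_RE = re.compile(r"\b(source|destination|log)\s*(\w*)\s*\{(.*?)\};", re.S)
# references inside a log{} body: source(x), destination(y), filter(z)
_REF_RE = re.compile(r"\b(source|destination|filter)\((\w+)\)")


def parse_config(text):
    """Return (sources, destinations, logs) from syslog-ng config text.

    sources / destinations: {name: body}
    logs: list of {"source": [...], "destination": [...], "filter": [...]}"""
    sources, destinations, logs = {}, {}, []
    clean = re.sub(r"#.*", "", text)  # drop comments so commented-out blocks are ignored
    for kind, name, body in _BLOCK_RE.findall(clean):
        if kind == "source":
            sources[name] = body
        elif kind == "destination":
            destinations[name] = body
        else:
            refs = {"source": [], "destination": [], "filter": []}
            for ref_kind, ref_name in _REF_RE.findall(body):
                refs[ref_kind].append(ref_name)
            logs.append(refs)
    return sources, destinations, logs


def internal_log_targets(text):
    """(destination name, destination body) pairs fed by a source that contains
    internal(). An empty list means syslog-ng's own messages go nowhere."""
    sources, destinations, logs = parse_config(text)
    internal_sources = {n for n, body in sources.items() if "internal()" in body}
    targets = []
    for log in logs:
        if set(log["source"]) & internal_sources:
            for dest in log["destination"]:
                targets.append((dest, destinations.get(dest, "").strip()))
    return targets


def pidfile_status(pidfile):
    """'running' (PID file names a live process), 'stale' (file exists but no
    such process, the state described in the question) or 'absent'."""
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
    except (OSError, ValueError):
        return "absent"
    return "running" if os.path.isdir("/proc/%d" % pid) else "stale"


# Constructed sample config, modelled on the ones quoted on this list.
SAMPLE_CONFIG = """
source src { unix-stream("/dev/log"); internal(); };
source kern { file("/proc/kmsg"); };
destination messages { file("/var/log/messages"); };
destination kernlog { file("/var/log/kern.log"); };
# destination dbg { file("/var/log/debug"); };
log { source(src); destination(messages); };
log { source(kern); destination(kernlog); };
"""

if __name__ == "__main__":
    for name, body in internal_log_targets(SAMPLE_CONFIG):
        print("internal() messages go to destination %s: %s" % (name, body))
    print("pid file:", pidfile_status("/var/run/syslog-ng.pid"))  # path is an assumption
```

Run it against the real config and PID file to answer both halves of the question: if the list is empty, add internal() to a source that is routed to a file; if the PID-file state is "stale", the start-up failure message will be in that file.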

From: syslog-ng@lists.balabit.hu (G. C.)
Date: Mon, 02 Aug 2004 17:39:02 +0000
Subject: [syslog-ng]Syslog-ng unusual memory occupation

Hi,

I'm using syslog-ng (1.6.4) on a RedHat Linux AS 3.0 and I'm experiencing heavy memory occupation. Until yesterday syslog-ng was using 1GB RAM; today I added 1 GB more and now it is using that too, plus some swap (total 2.8 GB used, and it is growing...).

I use this server for collecting logs from several hundred network devices. The traffic collected is around 1GB/day and I save it to a text log file which is created and rotated daily.

I cannot understand the reason. I tried to play with the garbage collection and fifo options but accomplished nothing.

Any experience of such a behavior?

Thanks in advance for your help,
Peter.

From: syslog-ng@lists.balabit.hu (G. C.)
Date: Wed, 04 Aug 2004 16:26:47 +0000
Subject: [syslog-ng]MORE: Syslog-ng unusual memory occupation

Researching the problem we found out that it seems to be related to the "address spoofing" option. Enabling this option, under heavy traffic (which means always, in our case) we experience this memory leak problem. Disabling the address spoofing option, everything runs smoothly with only about 720k memory occupation.

The problem is "we need this option"... And this is getting critical, can anyone help?

Thanks,
P.

__________________________________

Hi,

I'm using syslog-ng (1.6.4) on a RedHat Linux AS 3.0 and I'm experiencing heavy memory occupation.
Until yesterday syslog-ng was using 1GB RAM; today I added 1 GB more and now it is using that too, plus some swap (total 2.8 GB used, and it is growing...). I use this server for collecting logs from several hundred network devices. The traffic collected is around 1GB/day and I save it to a text log file which is created and rotated daily. I cannot understand the reason. I tried to play with the garbage collection and fifo options but accomplished nothing. Any experience of such a behavior?

Thanks in advance for your help,
Peter.

From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Thu, 05 Aug 2004 17:25:11 +0200
Subject: [syslog-ng]syslog-ng 1.6.5 and libol 0.3.14
Message-ID: <1091719511.18598.18.camel@bzorp.balabit>

hi,

I have prepared a new syslog-ng release, found at the usual locations, http://www.balabit.hu/downloads/syslog-ng/

The summary of user-visible changes:

News for the 1.6.5 release
Thu, 05 Aug 2004 13:50:11 +0200

* cleaned up libol and syslog-ng compilation warnings and made configure.in/Makefile.am files autoconf2.50 compliant
* fixed a BSD specific compilation problem
* check if the UDP datagram ends in a NL or NUL character and strip that away if present

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From: syslog-ng@lists.balabit.hu (Ken McKittrick)
Date: Thu, 5 Aug 2004 11:37:06 -0400
Subject: [syslog-ng]Normalizing syslogs from FreeBSD and Solaris machines
Message-ID: <4E4EC540-E6F5-11D8-8912-000A95B92EDE@usadatanet.net>

Hello,

I can't seem to get syslog output from Postfix running on Solaris and FreeBSD servers to look the same.
FreeBSD -

Aug 5 11:14:43 69.67.254.17 postfix/smtp[80999]: 9FAA9EB760: to=, relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 2.6.0 Ok, id=81995-01, from MTA: 250 Ok: queued as E16ECEB7CD)

This corresponds to $DATE $HOST $MESSAGE; yes, the postfix/smtp[80999] which would be $PROGRAM is actually part of the $MESSAGE.

Solaris -

Aug 5 11:16:06 69.67.254.10 postfix/smtp[10111]: [ID 197553 mail.info] B3391B26D: to=, relay=127.0.0.1[127.0.0.1], delay=2, status=sent (250 2.6.0 Ok, id=11585-10, from MTA: 250 Ok: queued as 9190DAE91)

This corresponds to $DATE $PROGRAM $MESSAGE, which is closer to what I would expect.

My main problem is that Solaris stuffs the ID and facility.priority into the message itself. I've tried logging with defined message formats and that doesn't seem to help.

So how can I gracefully remove the [ID xxxxxx Facility.Priority] from the message in the Solaris log lines?

Thanks

Ken McKittrick
ISP Engineer
USADatanet

From: syslog-ng@lists.balabit.hu (Loic Minier)
Date: Thu, 5 Aug 2004 17:59:31 +0200
Subject: [syslog-ng]Normalizing syslogs from FreeBSD and Solaris machines
In-Reply-To: <4E4EC540-E6F5-11D8-8912-000A95B92EDE@usadatanet.net>
References: <4E4EC540-E6F5-11D8-8912-000A95B92EDE@usadatanet.net>
Message-ID: <20040805155931.GL3078@via.ecp.fr>

Ken McKittrick - Thu, Aug 05, 2004:
> So how can I gracefully remove the [ID xxxxxx Facility.Priority] from
> the message in the Solaris log lines?
I don't recall exactly if that will completely solve your problem, but part of the solution might be to configure the /kernel/drv/log.conf file with something like:

name="log" parent="pseudo" instance=0 msgid=0;

HTH,

-- 
Loïc Minier

From: syslog-ng@lists.balabit.hu (Ken McKittrick)
Date: Thu, 5 Aug 2004 13:00:41 -0400
Subject: [syslog-ng]Normalizing syslogs from FreeBSD and Solaris machines
In-Reply-To: <20040805155931.GL3078@via.ecp.fr>
References: <4E4EC540-E6F5-11D8-8912-000A95B92EDE@usadatanet.net> <20040805155931.GL3078@via.ecp.fr>

Loic,

That was the clue I needed. Those are called Message IDs and they were a "feature" that was added in Solaris 8. You can turn them off in /kern/drv/log/conf. Only problem is that the change requires a reboot. We don't like reboots.

Thanks

Ken McKittrick

On Aug 5, 2004, at 11:59 AM, Loic Minier wrote:
> Ken McKittrick - Thu, Aug 05, 2004:
>
>> So how can I gracefully remove the [ID xxxxxx Facility.Priority] from
>> the message in the Solaris log lines?
>
> I don't recall exactly if that will completely solve your problem, but
> part of the solution might be to configure the /kernel/drv/log.conf
> file with something like:
> name="log" parent="pseudo" instance=0 msgid=0;
>
> HTH,
>
> -- 
> Loïc Minier
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>

From: syslog-ng@lists.balabit.hu (Loic Minier)
Date: Thu, 5 Aug 2004 19:19:28 +0200
Subject: [syslog-ng]Normalizing syslogs from FreeBSD and Solaris machines
References: <4E4EC540-E6F5-11D8-8912-000A95B92EDE@usadatanet.net> <20040805155931.GL3078@via.ecp.fr>
Message-ID: <20040805171928.GO3078@via.ecp.fr>

Ken McKittrick - Thu, Aug 05, 2004:
> That was the clue I needed. Those are called Message IDs and they were
> a "feature" that was added in Solaris 8. You can turn them off in
> /kern/drv/log/conf. Only problem is that the change requires a reboot.
> We don't like reboots.

Well, try to:

# echo log_msgid/W0 | adb -kw

No guarantee though... :)

(PS: this is really dangerous)

-- 
Loïc Minier

From: syslog-ng@lists.balabit.hu (Nathaniel Hall)
Date: Thu, 5 Aug 2004 13:52:26 -0500
Subject: [syslog-ng]Problems compiling
Message-ID: <200408051852.i75IqV4p022779@emh1.otc.edu>

I am trying to install Syslog-NG on RH AS 3 Update 2. I have downloaded the syslog-ng gzips along with libol v 0.3.13. I ran configure, make, and install alright, but when I go to configure Syslog-ng, I get the following error.
configure: error: Required libol version not found, make sure that your libol version is in the 0.3.x branch

Any ideas?

~~~~~~~~~~~~~~~~~~~~~~~~~~
Nathaniel Hall
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking
halln@otc.edu
417-799-0552
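Returning to the Solaris/FreeBSD normalizing thread above: the two replies remove the Solaris message-ID tag at the kernel driver (log.conf and a reboot, or a live adb poke). The alternative is to strip it on the collector, which needs neither. The following is an added example, not from the thread: it parses a line in the shape syslog-ng writes by default, pulls the `[ID nnnnnn facility.priority]` tag out of the message and keeps its fields separately, and re-emits the line in the FreeBSD shape so both sources look the same. The two input lines are reconstructed from the ones Ken quoted (with a placeholder recipient where the archive dropped the address, and the usual double space before a one-digit day), and the regular expressions are my own assumptions about the line format.

```python
"""Added example (not from the thread): normalise Postfix syslog lines from
FreeBSD and Solaris into one DATE HOST PROGRAM[PID]: MESSAGE shape by stripping
the Solaris "[ID nnnnnn facility.priority]" message-ID tag on the collector."""
import re

# Line as syslog-ng writes it with its default file template:
#   "Aug  5 11:14:43 host program[pid]: message"   (regex is an assumption)
_LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# Solaris 8+ syslogd prefixes each message with "[ID <msgid> <facility.priority>] "
_SOLARIS_TAG_RE = re.compile(
    r"^\[ID (?P<msgid>\d+) (?P<facility>[a-z0-9]+)\.(?P<priority>[a-z]+)\] "
)


def parse_line(line):
    """Split a line into its fields. A Solaris tag is removed from the message
    and returned in its own keys so the information is kept, not silently lost.
    Returns None for a line that does not fit the expected shape."""
    m = _LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    fields.update(msgid=None, facility=None, priority=None)
    tag = _SOLARIS_TAG_RE.match(fields["msg"])
    if tag:
        fields.update(tag.groupdict())
        fields["msg"] = fields["msg"][tag.end():]
    return fields


def normalize(line):
    """Re-emit the line in the FreeBSD shape: DATE HOST PROGRAM[PID]: MESSAGE.
    Unparseable input is passed through unchanged rather than dropped."""
    f = parse_line(line)
    if f is None:
        return line
    prog = f["program"] + ("[%s]" % f["pid"] if f["pid"] else "")
    return "%s %s %s: %s" % (f["date"], f["host"], prog, f["msg"])


# Constructed sample input based on the two lines quoted in the thread.
FREEBSD_LINE = (
    "Aug  5 11:14:43 69.67.254.17 postfix/smtp[80999]: 9FAA9EB760: "
    "to=<user@example.invalid>, relay=127.0.0.1[127.0.0.1], delay=1, "
    "status=sent (250 2.6.0 Ok, id=81995-01, from MTA: 250 Ok: queued as E16ECEB7CD)"
)
SOLARIS_LINE = (
    "Aug  5 11:16:06 69.67.254.10 postfix/smtp[10111]: [ID 197553 mail.info] "
    "B3391B26D: to=<user@example.invalid>, relay=127.0.0.1[127.0.0.1], delay=2, "
    "status=sent (250 2.6.0 Ok, id=11585-10, from MTA: 250 Ok: queued as 9190DAE91)"
)

if __name__ == "__main__":
    for raw in (FREEBSD_LINE, SOLARIS_LINE):
        print(normalize(raw))
```

Because the tag's facility and priority survive in the parsed record, a collector can still use them for routing before writing the cleaned line; a Solaris line with no tag and a FreeBSD line parse identically.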

From: syslog-ng@lists.balabit.hu (Nathaniel Hall)
Date: Thu, 5 Aug 2004 16:11:42 -0500
Subject: [syslog-ng]Problems compiling
In-Reply-To: <200408051852.i75IqV4p022779@emh1.otc.edu>
Message-ID: <200408052111.i75LBprH014337@emh1.otc.edu>

I have figured out my own problem.

Does anybody have any good resources for setting up Syslog-NG?

~~~~~~~~~~~~~~~~~~~~~~~~~~
Nathaniel Hall
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking
halln@otc.edu
417-799-0552

_____

From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Nathaniel Hall
Sent: Thursday, August 05, 2004 1:52 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Problems compiling

I am trying to install Syslog-NG on RH AS 3 Update 2. I have downloaded the syslog-ng gzips along with libol v 0.3.13. I ran configure, make, and install alright, but when I go to configure Syslog-ng, I get the following error.

configure: error: Required libol version not found, make sure that your libol version is in the 0.3.x branch

Any ideas?

~~~~~~~~~~~~~~~~~~~~~~~~~~
Nathaniel Hall
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking
halln@otc.edu
417-799-0552

From: syslog-ng@lists.balabit.hu (Tim Burress)
Date: Thu, 5 Aug 2004 22:08:09 -0700 (PDT)
Subject: [syslog-ng]Missing Log Entries under Load
Message-ID: <20040806050809.36718.qmail@web21122.mail.yahoo.com>

Hello!

Apparently this is sort of a FAQ, but despite wading through many Google searches, I haven't really found a good explanation or set of suggestions, so I thought I would post the question and then duck.

We're running:

syslog-ng 1.6.4
iptables v1.2.11-20040621
Linux 2.4.26

with iptables rules set up to log incoming connections. What we see is that, when we do a very fast port scan, the logs are very incomplete. For instance, in a scan of 440 ports, only about 210 entries appear in the logs. We also get a small number of corrupted log entries in our default messages file, where leading characters of the message appear to have been lost.

We have our log sources set up as:

source src {
    internal();
    file("/proc/kmsg");
    unix-stream("/dev/log" max-connections(200));
    unix-stream("/var/log/snort/dev/log" max-connections(30));
};

Could someone explain, or point me to an explanation of, why these problems occur? It seems likely that the message corruption problem is due to wrap-around of the kernel message ring buffer. I suppose the missing messages could also be caused by that; however, doubling the size of the buffer and rebuilding the kernel didn't seem to have any effect.

And then, are there any suggestions for ways to tune the system so that a greater proportion of messages can be logged? We've tried tweaking the syslog-ng FIFO size and garbage collection parameters, but these, too, seemed to have little effect, at least in isolation.

Any suggestions greatly appreciated!

Thanks!

Tim
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Fri, 6 Aug 2004 16:36:12 +0100
Subject: [syslog-ng]Problems compiling
In-Reply-To: <200408052111.i75LBprH014337@emh1.otc.edu>
References: <200408051852.i75IqV4p022779@emh1.otc.edu> <200408052111.i75LBprH014337@emh1.otc.edu>
Message-ID: <20040806153611.GE23601@logik.ath.cx>

On Thu, Aug 05, 2004 at 04:11:42PM -0500, Nathaniel Hall wrote:

The documentation at balabit.com is very good. Other than that, the sample config is a good place to start. /usr/examples/syslog-ng on *BSD I believe.

mark

> I have figured out my own problem.
>
> Does anybody have any good resources for setting up Syslog-NG?
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~
> Nathaniel Hall
> Intrusion Detection and Firewall Technician
> Ozarks Technical Community College -- Office of Computer Networking
> halln@otc.edu
> 417-799-0552
>
> _____
>
> From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Nathaniel Hall
> Sent: Thursday, August 05, 2004 1:52 PM
> To: syslog-ng@lists.balabit.hu
> Subject: [syslog-ng]Problems compiling
>
> I am trying to install Syslog-NG on RH AS 3 Update 2. I have downloaded the
> syslog-ng gzips along with libol v 0.3.13. I ran configure, make, and
> install alright, but when I go to configure Syslog-ng, I get the following
> error.
>
> configure: error: Required libol version not found, make sure that your
> libol version is in the 0.3.x branch
>
> Any ideas?
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~
> Nathaniel Hall
> Intrusion Detection and Firewall Technician
> Ozarks Technical Community College -- Office of Computer Networking
> halln@otc.edu
> 417-799-0552
From: syslog-ng@lists.balabit.hu (Mike Nerone)
Date: Fri, 6 Aug 2004 12:03:29 -0500
Subject: [syslog-ng]Newbie Filter question (Solaris)
Message-ID: <20040806170327.43618177706@a.mx.nerone.org>

You meant to use:

==============
filter f_notalteon { not match("10.155.68.2") and not match("10.155.68.3"); };
==============

Note that the boolean op is "and", not "or". The opposite of "A or B" is "not A and not B" (see http://www.wordiq.com/definition/Laws_of_logic or Google "DeMorgan's theorem").

Mike

________________________________
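To make the difference concrete, the following is an added example (mine, not part of Mike's reply or the config he is answering, which is forwarded below): it replays both forms of f_notalteon over a few constructed sample lines the way syslog-ng's log{} statements would, so the symptom in the question (the "notalteon" file receiving everything) shows up as an overlap between the two destinations. One assumption: match() in syslog-ng 1.6 is treated here as an unanchored regular-expression search over the message, modelled with Python's re.search.

```python
"""Added example, not from the post: replay syslog-ng's match()/not/and/or
filter logic over constructed sample lines to show why
`not match(A) or not match(B)` passes nearly everything while
`not match(A) and not match(B)` is the real complement of `match(A) or match(B)`.
Assumption: match() is an unanchored regex search over the message."""
import re


def match(pattern):
    """syslog-ng style match(): true when the regex occurs anywhere in the line.
    The dots in an IP address are regex metacharacters; the thread's config
    leaves them unescaped, so they are escaped here to mean a literal dot."""
    rx = re.compile(pattern)
    return lambda line: rx.search(line) is not None


LB2 = match(r"10\.155\.68\.2")   # first load balancer
LB3 = match(r"10\.155\.68\.3")   # second load balancer


def f_alteon(line):
    """filter f_alteon { match(A) or match(B); };"""
    return LB2(line) or LB3(line)


def f_notalteon_as_posted(line):
    """filter f_notalteon { not match(A) or not match(B); };
    True for any line missing at least one of the two addresses, which is
    almost every line, so the health checks are not excluded."""
    return not LB2(line) or not LB3(line)


def f_notalteon_fixed(line):
    """filter f_notalteon { not match(A) and not match(B); };
    De Morgan complement of f_alteon: true only when neither address occurs."""
    return not LB2(line) and not LB3(line)


def route(lines, filters):
    """Replay the log{} statements: every line is tested against every filter
    independently, so a single line may land in several destinations."""
    out = {name: [] for name in filters}
    for line in lines:
        for name, flt in filters.items():
            if flt(line):
                out[name].append(line)
    return out


# Constructed sample messages: two load-balancer health checks and one real delivery.
SAMPLE = [
    "Jul 29 05:40:01 mx1 postfix/smtpd[1201]: connect from lb[10.155.68.2]",
    "Jul 29 05:40:02 mx1 postfix/smtpd[1202]: connect from lb[10.155.68.3]",
    "Jul 29 05:40:05 mx1 postfix/smtp[1210]: 4F2A1: to=<a@example.invalid>, status=sent",
]


def compare():
    """Return (as_posted, fixed) destination maps so the overlap is visible."""
    as_posted = route(SAMPLE, {"alteon": f_alteon, "notalteon": f_notalteon_as_posted})
    fixed = route(SAMPLE, {"alteon": f_alteon, "notalteon": f_notalteon_fixed})
    return as_posted, fixed


if __name__ == "__main__":
    as_posted, fixed = compare()
    print("as posted: notalteon gets %d of %d lines" % (len(as_posted["notalteon"]), len(SAMPLE)))
    print("fixed:     notalteon gets %d of %d lines" % (len(fixed["notalteon"]), len(SAMPLE)))
```

With the posted filter every sample line reaches both files, because no single line contains both addresses; with the corrected filter the two destinations are disjoint and together cover every line, which is the property to check whenever a pair of filters is meant to split one source.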
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Kenneth Gullberg
Sent: Thursday, July 29, 2004 05:45
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Newbie Filter question (Solaris)

Hi,

I'm new to syslog-ng and want to replace the normal syslogd in Solaris with -ng because of the filters. I run postfix on 2 load-balanced machines and I want to get rid of the healthcheck log entries. I set up a conf file that looks like this:

options {
    long_hostnames(off);
    # doesn't actually help on Solaris, log(3) truncates at 1024 chars
    log_msg_size(8192);
    # buffer just a little for performance
    sync(1);
    # memory is cheap, buffer messages unable to write (like to loghost)
    log_fifo_size(2048);
    # The time to wait before a dead connection is reestablished (seconds)
    time_reopen(10);
};

###############################################################

source src {
    sun-stream("/dev/log" door("/etc/.syslog_door"));
    internal();
};

###############################################################

destination alteon { file("/var/log/alteon"); };
destination notalteon { file("/var/log/notalteon"); };
destination ipf { file("/var/log/ipf.log"); };

###############################################################

filter f_mail { facility(mail); };
filter f_not_mail { not facility(mail); };
filter f_ipf { facility(local0); };
filter f_alteon { match("10.155.68.2") or match("10.155.68.3"); };
filter f_notalteon { not match("10.155.68.2") or not match("10.155.68.3"); };

###############################################################

log { source(src); filter(f_alteon); destination(alteon); };
log { source(src); filter(f_notalteon); destination(notalteon); };
log { source(src); filter(f_ipf); destination(ipf); };

According to this I should log everything that contains 10.155.68.2 or .3 to /var/log/alteon, and if it doesn't contain .2 or .3 to /var/log/notalteon, and it will also send the ip filter logs to their own log (which works).
It seems that f_alteon and f_ipf work. But f_notalteon logs both stuff that does contain .2 and .3 and stuff that doesn't contain .2 and .3.

What have I missed?

// Kenneth

From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Fri, 06 Aug 2004 20:09:02 +0200
Subject: [syslog-ng]possibly missed mail
Message-ID: <1091815742.978.10.camel@bzorp.balabit>

hi,

sorry, I haven't noticed our list manager put me in nomail mode. I quickly grepped through the last couple of mails in the archive, but if you think I missed something, please resend.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Fri, 06 Aug 2004 20:11:09 +0200
Subject: [syslog-ng]leak in spoof_source support
Message-ID: <1091815869.978.14.camel@bzorp.balabit>

> Researching the problem we found out that it seems to be related to the
> "address spoofing" options. Enabling this option, under heavy traffic (which
> means always, in our case) we experience this memory leak problem.
> Disabling the address spoofing option, everything runs smoothly with only
> about 720k memory occupation.
>
> The problem is "we need this option"... And this is getting critical, can
> anyone help?
> Thanks,

Hmm.. I possibly forgot to free something in that path. I'll check it out for you.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Fri, 06 Aug 2004 20:17:13 +0200
Subject: [syslog-ng]Re: leak in spoof_source support
In-Reply-To: <1091815869.978.14.camel@bzorp.balabit>
References: <1091815869.978.14.camel@bzorp.balabit>
Message-ID: <1091816233.978.16.camel@bzorp.balabit>

On Fri, 2004-08-06 at 20:11, Balazs Scheidler wrote:
> >Researching the problem we found out that it seems to be related to the
> >"address spoofing" options. Enabling this option, under heavy traffic (which
> >means always, in our case) we experience this memory leak problem.
> >Disabling the address spoofing option, everything runs smoothly with only
> >about 720k memory occupation.
> >
> >The problem is "we need this option"... And this is getting critical, can
> >anyone help?
> >Thanks,
>
> Hmm.. I possibly forgot to free something in that path. I'll check it out
> for you.

Can you check if this one works for you?

Index: src/afinet.c
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/afinet.c,v
retrieving revision 1.25.4.6
diff -u -r1.25.4.6 afinet.c
--- src/afinet.c 5 Aug 2004 11:35:12 -0000 1.25.4.6
+++ src/afinet.c 6 Aug 2004 18:15:32 -0000
@@ -653,6 +653,7 @@ if (libnet_write(self->lnet_ctx) < 0) { werror("Error sending raw frame, error: %z", libnet_geterror(self->lnet_ctx)); } + ol_string_free(msg_line); } else { fallback_socket:

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
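Review bot: the added `ol_string_free(msg_line);` sits after the `if (libnet_write(...) < 0) { werror(...); }` block and before the closing brace of the libnet branch, so the line is released whether the raw write succeeds or fails, which matches the report that the leak appears only with spoof_source enabled. The `else` branch beginning at `fallback_socket:` is outside this hunk, so please confirm that path also frees `msg_line` (or hands it to the socket write that owns it); otherwise the same allocation would still leak whenever the libnet path falls back to the plain socket. A short comment above the free noting that the libnet copy of the line is no longer referenced would help, since the matching allocation is not visible in this hunk.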
From: syslog-ng@lists.balabit.hu (David Schwendinger)
Date: Fri, 6 Aug 2004 14:47:37 -0400
Subject: [syslog-ng]program driver only works once

All,

I have a program driver set up in the syslog-ng.conf file to execute a perl script which sends an email with fixed content based on a syslog message.

The first time I run syslog-ng with the program driver, syslog-ng and the script appear in a "ps -ef" listing as mentioned in the syslog-ng docs:

"NOTE: the program is executed once at startup, and kept running until SIGHUP or exit. The reason is to prevent starting up a large number of programs for messages, which would imply an easy DoS."

The first time the conditions are met to send the email it works, but the script which was listed with syslog-ng in a "ps -ef" no longer appears in a "ps -ef" and I cannot seem to get it to start again. "service syslog-ng restart" or "stop" then "start" does not work. Reboot does not work.

How can I get this script ready to send another alert after it has been triggered?

The following are the pertinent lines from the syslog-ng.conf file.

source s_sys { unix-stream("/dev/log"); internal(); };

destination d_mail-me { program("/etc/syslog-ng/test-mail.script"); };

filter f_filter9 { match("for user"); };

log { source(s_sys); filter(f_filter9); destination(d_mail-me); };

thanks,
David
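The documentation quoted in the message says the program() destination starts its child once and keeps it running; syslog-ng writes each matching message to the child's stdin, so a script that sends one mail and then exits leaves the driver with no process to feed subsequent messages to. The added example below is mine, not the poster's perl script, and shows the shape such a helper needs: a loop that reads one message per line from stdin until the pipe closes at shutdown, with a per-message rate limit so a burst of identical matches does not become a mail flood. Two assumptions: the alert transport is a callback (a real script would hand the text to sendmail or similar), and the 60-second suppression window is a constructed value.

```python
#!/usr/bin/env python
"""Added example (not the poster's script): a program() destination helper
that keeps running for the lifetime of syslog-ng, reading one message per
line from stdin and raising an alert per matching line, instead of exiting
after the first one. Assumptions: alerts go to a callback supplied by the
caller, and the suppression window (60 s) is a constructed value."""
import sys
import time


def handle_line(line, seen, now, min_interval=60.0):
    """Decide whether one message line should produce an alert.

    seen: dict mapping message text -> time of the last alert for it, used to
    suppress a flood of identical alerts (syslog-ng feeds every match here).
    Returns the alert text, or None when the line is empty or suppressed."""
    line = line.rstrip("\n")
    if not line:
        return None
    key = line.split(": ", 1)[-1]  # message part only; drop date/host/program
    last = seen.get(key)
    if last is not None and now - last < min_interval:
        return None
    seen[key] = now
    return "syslog alert: " + line


def run(stream, emit, clock=time.time):
    """Loop until syslog-ng closes the pipe (SIGHUP or exit), never before.
    Returns the number of alerts emitted."""
    seen = {}
    count = 0
    for line in stream:  # blocks between messages; EOF only at shutdown
        alert = handle_line(line, seen, clock())
        if alert is not None:
            emit(alert)
            count += 1
    return count


# Constructed sample input, as the program() driver would write it to stdin.
SAMPLE_STREAM = [
    "Aug  6 14:00:01 host1 sshd[4242]: Accepted password for user alice from 192.0.2.10\n",
    "Aug  6 14:00:02 host1 sshd[4243]: Accepted password for user alice from 192.0.2.10\n",
    "Aug  6 14:00:03 host1 sshd[4244]: Accepted password for user bob from 192.0.2.11\n",
]

if __name__ == "__main__":
    # Under syslog-ng: read stdin until it closes; report on stderr, which
    # syslog-ng leaves attached to its own. On a terminal, replay the sample.
    stream = sys.stdin if not sys.stdin.isatty() else SAMPLE_STREAM
    sent = run(stream, lambda alert: sys.stderr.write(alert + "\n"))
    sys.stderr.write("%d alert(s) sent\n" % sent)
```

The loop is the important part: the helper only returns once stdin reaches end-of-file, so it stays in the process list next to syslog-ng and is ready for the second and every later match.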


From: syslog-ng@lists.balabit.hu (Jim Gifford)
Date: Sat, 07 Aug 2004 02:09:15 -0700
Subject: [syslog-ng]Question
Message-ID: <41149C3B.80102@jg555.com>

I have always wondered about this. Why are libol and syslog-ng separate packages? To me it seems that they should be one package since they depend on each other.

-- 
----
Jim Gifford
maillist@jg555.com
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Sun, 8 Aug 2004 22:19:01 +0100
Subject: [syslog-ng]not match()
Message-ID: <20040808211901.GA20523@logik.ath.cx>

# $Xanthus: syslog-ng.conf,v 1.1 2004/07/27 02:56:44 markzero Exp $
# syslog-ng config
#

options {
        long_hostnames(off);
        create_dirs(yes);
        owner(_syslogng);
        group(_syslogng);
        perm(0600);
        dir_owner(_syslogng);
        dir_group(_syslogng);
        dir_perm(0700);
        use_dns(no);
        sync(0);
};

source src {
        unix-dgram("/dev/log" owner("_syslogng") group("_syslogng") perm(0600));
        internal();
};

destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };
destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
#destination console { usertty("root"); };
#destination console_all { file("/dev/tty12"); };
#destination loghost { udp("loghost" port(999)); };

filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };   # was facility(cron), a copy-paste slip; uucp.log needs the uucp facility
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_no_stats { not match("STATS: dropped 0"); };

log { source(src); filter(f_authpriv); filter(f_no_stats); destination(authlog); };
log { source(src); filter(f_syslog); filter(f_no_stats); destination(syslog); };
log { source(src); filter(f_cron); filter(f_no_stats); destination(cron); };
log { source(src); filter(f_daemon); filter(f_no_stats); destination(daemon); };
log { source(src); filter(f_kern); filter(f_no_stats); destination(kern); };
log { source(src); filter(f_lpr); filter(f_no_stats); destination(lpr); };
log { source(src); filter(f_mail); filter(f_no_stats); destination(mail); };
log { source(src); filter(f_user); filter(f_no_stats); destination(user); };
log { source(src); filter(f_uucp); filter(f_no_stats); destination(uucp); };
log { source(src); filter(f_mail); filter(f_no_stats); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_no_stats); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_no_stats); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_no_stats); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_no_stats); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_no_stats); filter(f_notice); destination(newsnotice); };
log { source(src); filter(f_debug); filter(f_no_stats); destination(debug); };
log { source(src); filter(f_messages); filter(f_no_stats); destination(messages); };
#log { source(src); filter(f_emergency); filter(f_no_stats); destination(console); };
#log { source(src); destination(console_all); };

Now, let me draw your attention to this line:

not match("STATS: dropped 0");

For some reason, I repeatedly get this popping up on the command line:

bash-2.05b# STATS: dropped 0

..when either logged in as root or using su. This doesn't seem to make sense to me; not only is the filter apparently not working, but the lines to log to root's tty are commented out! Anyone had a similar problem? I checked the list archives first, and found a few vague examples of this, but nothing quite the same...

mark

From syslog-ng@lists.balabit.hu Mon Aug 9 08:45:28 2004
From: syslog-ng@lists.balabit.hu (Loic SPINDLER)
Date: Mon, 9 Aug 2004 09:45:28 +0200
Subject: [syslog-ng]$TEMPLATE available with unix-stream
Message-ID: <200408090745.i797jbrj011203@postcard.dih.oleane.net>

Unix stream users:

I'd need to have syslog messages caught by syslog-ng and forwarded to a local daemon using unix-stream. Moreover, as I collect different facilities and levels, I'd like to ask syslog-ng to add the $FACILITY to the beginning of each forwarded line. Is this now possible?

loic

From syslog-ng@lists.balabit.hu Mon Aug 9 08:50:16 2004
From: syslog-ng@lists.balabit.hu (Loic SPINDLER)
Date: Mon, 9 Aug 2004 09:50:16 +0200
Subject: [syslog-ng]syslog-ng : concurrent readling & writing tasks ?
Message-ID: <200408090750.i797oQrj012369@postcard.dih.oleane.net>

Hello,

I noticed that the input-reading and output-writing processes are not running concurrently in syslog-ng. Is it planned for a future release?

From syslog-ng@lists.balabit.hu Mon Aug 9 09:15:31 2004
From: syslog-ng@lists.balabit.hu (Loic Minier)
Date: Mon, 9 Aug 2004 10:15:31 +0200
Subject: [syslog-ng]$TEMPLATE available with unix-stream
In-Reply-To: <200408090745.i797jbrj011203@postcard.dih.oleane.net>
References: <200408090745.i797jbrj011203@postcard.dih.oleane.net>
Message-ID: <20040809081531.GA3532@via.ecp.fr>

Loic SPINDLER - Mon, Aug 09, 2004:
> I'd need to have syslog messages caught by the syslog-ng and forwarded to
> local daemon using unix-stream.

I think that the unix-*() destination drivers should do the trick. (Section 3)

> Moreover, as I collect different facilities and level I'd like to ask
> syslog-ng to add to each line forwarded the $FACILITY to the beginning of
> the line.

Like with the template() option? Not sure whether it works with unix-*(), but you can use program() and call something that connects to the Unix socket (for example socat).

-- 
Loïc Minier

From syslog-ng@lists.balabit.hu Mon Aug 9 14:20:14 2004
From: syslog-ng@lists.balabit.hu (Paul Mindeman)
Date: Mon, 09 Aug 2004 08:20:14 -0500
Subject: [syslog-ng]Problems with Netscreen log entries
Message-ID: <41177A0E.4090102@btinet.net>

Running syslog-ng 1.6.4 on Solaris 9.

Log entries from my UNIX devices log fine. Log entries from my Netscreen devices seem to be missing the end of line terminator, as the entries run together in the log file. The default syslog daemon was able to handle these entries fine. Any ideas on how to fix this?

The options in the syslog-ng.conf file are:

options {
        sync (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_dns (no);
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (yes);
};

Thanks

-- 
Paul Mindeman
BTInet Systems Administrator
701-355-5587
mindeman@btinet.net

From syslog-ng@lists.balabit.hu Mon Aug 9 15:54:58 2004
From: syslog-ng@lists.balabit.hu (G. C.)
Date: Mon, 09 Aug 2004 14:54:58 +0000
Subject: [syslog-ng]Reply-To: syslog-ng@lists.balabit.hu

I modified the file afinet.c inserting the line as suggested and gave the following commands:

./configure --enable-spoof-source --> ok
make --> ERROR

The error is the following:

make_class afinet.c.xT
/bin/sh: /usr/local/bin/make_class: \: bad interpreter: No such file or directory
make[3]: *** [afinet.c.x] Error 126
make[3]: Leaving directory `/usr/src/syslog-ng-1.6.4/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/src/syslog-ng-1.6.4/src'
make[1]: *** [all-recursive-am] Error 2
make[1]: Leaving directory `/usr/src/syslog-ng-1.6.4/src'
make: *** [all-recursive] Error 1

Sorry but not being a developer I might have mistaken something...

P.

>
> Hmm.. I possible forgot to free something in that path. I'll check it out
> for you. Can you check if this one works for you?

Index: src/afinet.c =================================================================== RCS file: /var/cvs/syslog-ng/syslog-ng/src/afinet.c,v retrieving revision 1.25.4.6 diff -u -r1.25.4.6 afinet.c --- src/afinet.c 5 Aug 2004 11:35:12 -0000 1.25.4.6 +++ src/afinet.c 6 Aug 2004 18:15:32 -0000 @@ -653,6 +653,7 @@ if (libnet_write(self->lnet_ctx) < 0) { werror("Error sending raw frame, error: %z", libnet_geterror(self->lnet_ctx)); } + ol_string_free(msg_line); } else { fallback_socket:

From syslog-ng@lists.balabit.hu Mon Aug 9 20:03:48 2004
From: syslog-ng@lists.balabit.hu (Bazsi)
Date: Mon, 09 Aug 2004 15:03:48 -0400
Subject: [syslog-ng](no subject)

price
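Review bot: in the afinet.c hunk quoted above, the new ol_string_free(msg_line) is placed after the if (libnet_write(...) < 0) block, so the string is released on both the successful write and the werror() path, which is the right spot for the reported leak; but the release sits inside the libnet branch only, and the else branch that begins right after it carries the fallback_socket: label, so that path is also entered by a goto from outside the hunk. Check that msg_line is either freed on the fallback path as well or is not yet allocated when that goto is taken, otherwise the leak is fixed for spoofed sends and remains for the socket fallback; if both paths need it, moving the free below the whole if/else keeps it in one place.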


Content-Disposition: attachment; filename="new__price.zip"

From syslog-ng@lists.balabit.hu Mon Aug 9 20:08:51 2004
From: syslog-ng@lists.balabit.hu (Andrews, Glenn J (Glenn))
Date: Mon, 9 Aug 2004 15:08:51 -0400
Subject: [syslog-ng](no subject)
Message-ID: <4F9DBE266768DC46A1F17E875D371641046AAF53@ma8117exch002u.inse.lucent.com>

Great. Now virus via syslog ;-)

"Antigen for Exchange removed new__price.zip->price.exe since it was found to be infected with VIRUS= Win32/Unknown.Trojan (CA(InoculateIT)) virus."

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Bazsi
Sent: Monday, August 09, 2004 3:04 PM
To: Syslog-ng
Subject: [syslog-ng](no subject)

price
From syslog-ng@lists.balabit.hu Tue Aug 10 13:34:23 2004
From: syslog-ng@lists.balabit.hu (G. C.)
Date: Tue, 10 Aug 2004 12:34:23 +0000
Subject: [syslog-ng] Re: leak in spoof_source support

Ok, we tried it and... it works! Process is running smoothly with 780k stable memory occupation. Thanks a lot, I want to do some more testing but I'm quite confident the fix is working.

Peter.

> Can you check if this one works for you?

Index: src/afinet.c =================================================================== RCS file: /var/cvs/syslog-ng/syslog-ng/src/afinet.c,v retrieving revision 1.25.4.6 diff -u -r1.25.4.6 afinet.c --- src/afinet.c 5 Aug 2004 11:35:12 -0000 1.25.4.6 +++ src/afinet.c 6 Aug 2004 18:15:32 -0000 @@ -653,6 +653,7 @@ if (libnet_write(self->lnet_ctx) < 0) { werror("Error sending raw frame, error: %z", libnet_geterror(self->lnet_ctx)); } + ol_string_free(msg_line); } else { fallback_socket:

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

From syslog-ng@lists.balabit.hu Wed Aug 11 22:36:47 2004
From: syslog-ng@lists.balabit.hu (Smith, Krista)
Date: Wed, 11 Aug 2004 15:36:47 -0600
Subject: [syslog-ng]check_hostname(yes) - parse error
Message-ID: <27643A47D891574A8340EFC789DBD984C44763@alex.encana.com>

Hello,

I've got syslog-ng (1.4.17) working on a Solaris 9 central logserver, except for one small thing. I'm trying to use the option "check_hostname(yes)" but I get a parse error when I add it to my options. My options line looks like this:

options { create_dirs(yes); keep_hostname(yes); check_hostname(yes); };

If I remove that portion of the line, it gives no error. I've checked for invisible characters, searched Google and the syslog-ng archives, but cannot find anything suggesting what the problem might be. If anyone can point me in the right direction I'd be grateful.

Thanks,
Krista
--
Krista Smith
Unix Analyst
EnCana Corporation
desk: (403) 645-3121
cell: (403) 830-2334
krista.smith@encana.com
www.encana.com


From syslog-ng@lists.balabit.hu Thu Aug 12 03:28:08 2004
From: syslog-ng@lists.balabit.hu (Anoop Rajendra)
Date: Wed, 11 Aug 2004 21:28:08 -0500
Subject: [syslog-ng]Logging to a specific destination
Message-ID: <1092277687.2485.3.camel@Pluto>

I need to log all messages from iptables, ipmasq to a particular file (say iptables.log) and to that only and nothing else. Is there a way to specifically define this, ie say that messages from this daemon should go nowhere else?

Thanks,
Anoop ///
________________________________________________
To be is to program.

From syslog-ng@lists.balabit.hu Thu Aug 12 03:48:11 2004
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Thu, 12 Aug 2004 03:48:11 +0100
Subject: [syslog-ng]Logging to a specific destination
In-Reply-To: <1092277687.2485.3.camel@Pluto>
References: <1092277687.2485.3.camel@Pluto>
Message-ID: <20040812024811.GA20832@logik.ath.cx>

I had this same problem with BIND. I just set up a filter that matched named, and one that did the opposite.

destination named { file("/var/log/local/$YEAR/$MONTH/$DAY/named.log"); };

filter f_named { match("named"); };
filter f_nonamed { not match("named"); };

For the logging section, something like this:

log { source(localsrc); filter(f_daemon); filter(f_no_stats); filter(f_nonamed); destination(daemon); };

(for ordinary daemon logs)

log { source(localsrc); filter(f_daemon); filter(f_named); filter(f_no_stats); destination(named); };

(for named specifically).

Works perfectly. It's just a matter of finding the one crucial element that differentiates one type of log from another (named is easy, it prints [named] in every log).

Good luck.

mark

On Wed, Aug 11, 2004 at 09:28:08PM -0500, Anoop Rajendra wrote:
> I need to log all messages from iptables, ipmasq to a particular file
> (say iptables.log) and to that only and nothing else. Is there a way to
> specifically define this, ie say that messages from this daemon should
> go nowhere else?
>
> Thanks,
> Anoop ///

From syslog-ng@lists.balabit.hu Thu Aug 12 19:33:38 2004
From: syslog-ng@lists.balabit.hu (Anoop Rajendra)
Date: Thu, 12 Aug 2004 13:33:38 -0500
Subject: [syslog-ng]Logging to a specific destination
Message-ID: <1092335618.2126.43.camel@Pluto>

I need to log all messages from iptables, ipmasq to a particular file (say iptables.log) and to that only and nothing else. Is there a way to specifically define this, ie say that messages from this daemon should go nowhere else?

i've tried -

# IPMasq Messages
destination ipmasq { file("/var/log/iptables.log" owner("root") group("adm") perm(0640)); };

# filters use braces, not parentheses, and the names below must match the ones used in the log statements
filter f_iptables { match("iptables"); };
filter fn_iptables { not match("iptables"); };

log { source(src); filter(f_authpriv); filter(fn_iptables); destination(authlog); };
log { source(src); filter(f_syslog); filter(fn_iptables); destination(syslog); };
log { source(src); filter(f_daemon); filter(fn_iptables); destination(daemon); };
log { source(src); filter(f_kern); filter(fn_iptables); destination(kern); };
log { source(src); filter(f_lpr); filter(fn_iptables); destination(lpr); };
log { source(src); filter(f_mail); filter(fn_iptables); destination(mail); };
log { source(src); filter(f_user); filter(fn_iptables); destination(user); };
log { source(src); filter(f_uucp); filter(fn_iptables); destination(uucp); };

log { source(src); filter(f_iptables); destination(ipmasq); };

Yet all the IPMasq messages are passed to both iptables.log and /var/log/messages.

All IPMasq messages are prefixed with the string "iptables" using --log-prefix iptables

What am I doing wrong?

Thanks,
Anoop ///
________________________________________________
Everybody has something to conceal. -- Humphrey Bogart

From syslog-ng@lists.balabit.hu Thu Aug 12 19:50:02 2004
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Thu, 12 Aug 2004 19:50:02 +0100
Subject: [syslog-ng]Logging to a specific destination
In-Reply-To: <1092335618.2126.43.camel@Pluto>
References: <1092335618.2126.43.camel@Pluto>
Message-ID: <20040812185002.GB19811@logik.ath.cx>

I think the problem may be that as iptables logs under the KERN facility, the iptables logs are being directed to /var/log/messages with all of the other kernel logs. It's not a certainty, I'm taking this information from a post on the debian security list.

I guess you could either just apply the f_niptab filter to the /var/log/messages destination (which i assume that you have omitted here) or just create another filter that drops all kernel messages to /var/log/messages.

Of course I may just be making a complete fool out of myself. Anyone care to correct/elaborate/expand/flame?

mark

On Thu, Aug 12, 2004 at 01:33:38PM -0500, Anoop Rajendra wrote:
> I need to log all messages from iptables, ipmasq to a particular file
> (say iptables.log) and to that only and nothing else. Is there a way to
> specifically define this, ie say that messages from this daemon should
> go nowhere else?
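A complete version of the two-filter split mark describes, added here as an example rather than taken from the thread: it uses Anoop's --log-prefix string and applies the negation on every path a kern-facility message can reach, including /var/log/messages, which is the path mark suspects is missing. File names and the f_messages definition are assumptions.

```conf
# Added example (not from the thread): route iptables/ipmasq messages,
# which the kernel emits with facility kern and the text "iptables" from
# --log-prefix, to one file and keep them out of every other file.
# File names and the f_messages definition are assumptions.

options { create_dirs(yes); use_dns(no); keep_hostname(yes); };

source src {
        unix-stream("/dev/log");
        internal();
        file("/proc/kmsg" log_prefix("kernel: "));   # Linux kernel ring buffer
};

destination d_iptables { file("/var/log/iptables.log" owner("root") group("adm") perm(0640)); };
destination d_kern     { file("/var/log/kern.log"); };
destination d_messages { file("/var/log/messages"); };

filter f_kern     { facility(kern); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };

# The pair: one filter that matches, one that is its exact negation.
# match() is a regular expression over the message text, so choose a
# --log-prefix that is unlikely to appear in unrelated messages.
filter f_iptables     { match("iptables"); };
filter f_not_iptables { not match("iptables"); };

# Exclusive path: only messages carrying the prefix reach iptables.log.
log { source(src); filter(f_iptables); destination(d_iptables); };

# Every path a kern-facility message can otherwise take gets the
# negation. Leaving it off one of them (the /var/log/messages path in
# the thread) is exactly what produces the duplicate entries there.
log { source(src); filter(f_kern);     filter(f_not_iptables); destination(d_kern); };
log { source(src); filter(f_messages); filter(f_not_iptables); destination(d_messages); };

# syslog-ng 1.6 and later can instead mark the first statement with
# flags(final) so a matched message is not offered to later statements;
# the explicit negation above works on 1.4 as well.
```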
From syslog-ng@lists.balabit.hu Thu Aug 12 22:23:17 2004
From: syslog-ng@lists.balabit.hu (Stevo)
Date: Thu, 12 Aug 2004 14:23:17 -0700
Subject: [syslog-ng]Syslog Relay Question
Message-ID: <080301c480b2$95a2b960$0a02010a@renditionnetworks.com>

Hi Team,

I currently use Syslog-NG to receive all my router syslog messages. Is there a way I can forward these messages on to another syslog server as well??

Stevo
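A complete pair of configurations for the relay set-up Stevo asks about, added here as an example and not taken from the thread; the addresses follow mark's numbering in the reply that follows, the file names are assumptions, and spoof_source needs a build configured with --enable-spoof-source as in the afinet.c thread above.

```conf
# Added example (not from the thread): host B relays the routers' syslog
# to host C and keeps its own copy. Addresses and the port follow the
# reply's numbering; file names are assumptions.

# ---- syslog-ng.conf on host B, the relay (192.168.1.2) ----
options {
        use_dns(no);
        keep_hostname(yes);   # pass the router's hostname field through unchanged
                              # instead of rewriting it to the router's address as seen by B
};

# Dedicated listener for the routers. UDP carries no sender authentication,
# so restrict this port to the router addresses with a packet filter.
source s_routers { udp(ip("0.0.0.0") port(6000)); };

destination d_routers_local { file("/var/log/routers.log"); };
destination d_to_c          { udp("192.168.1.3" port(6000)); };
# With a build configured with --enable-spoof-source (see the afinet.c
# thread), udp("192.168.1.3" port(6000) spoof_source(yes)) would make C
# see the router's address as the packet source instead of B's.

# One log statement, two destinations: the local file and the forward to C.
log { source(s_routers); destination(d_routers_local); destination(d_to_c); };

# ---- syslog-ng.conf on host C, the final collector (192.168.1.3) ----
options { use_dns(no); keep_hostname(yes); };

source s_relay { udp(ip("0.0.0.0") port(6000)); };
destination d_routers { file("/var/log/routers.log"); };
log { source(s_relay); destination(d_routers); };
```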
From syslog-ng@lists.balabit.hu Fri Aug 13 07:06:19 2004
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Fri, 13 Aug 2004 07:06:19 +0100
Subject: [syslog-ng]Syslog Relay Question
In-Reply-To: <080301c480b2$95a2b960$0a02010a@renditionnetworks.com>
References: <080301c480b2$95a2b960$0a02010a@renditionnetworks.com>
Message-ID: <20040813060619.GC19811@logik.ath.cx>

Morning Stevo.

This is easy to accomplish.

Host A: originating host (192.168.1.1 for the sake of example)
Host B: relay (192.168.1.2 for example)
Host C: destination (192.168.1.3 same)

A in this case would be your router.

Have C listen on a port, I'm assuming UDP here, as most routers tend to be.
6000 is just an example, use whatever you want.

C:

    source src { udp(port(6000)); };

It will probably be tidier to set up a dedicated port to gather the router
logs, so create a new source on B.

B:

    source src { udp(port(6000)); };

and create a new destination for the logs to go to, which as you probably
guessed will be the ip and port of C.

    destination dst { udp("192.168.1.3" port(6000)); };

then just set up a log line with whatever filters you want to use.

It should work fine. There may be errors in syntax as I'm writing this in a
rush before I run off to do some work. Hope not.

mark

On Thu, Aug 12, 2004 at 02:23:17PM -0700, Stevo wrote:
> Hi Team,
>
> I currently use Syslog-NG to receive all my router syslog messages. Is
> there a way I can forward these messages on to another syslog server as
> well??
>
> Stevo

From syslog-ng@lists.balabit.hu Fri Aug 13 19:26:54 2004
From: syslog-ng@lists.balabit.hu (Roy G Davis)
Date: Fri, 13 Aug 2004 13:26:54 -0500
Subject: [syslog-ng]chroot/syslog-ng/Solaris8

does anyone have experience using syslog-ng with chroot-ed applications on
Solaris 8? specifically, i am running ssh/sftp chroot-ed (with sftp logging
patch) and i get no logging.
i know it is something about /dev/log etc in the chroot environment but
can't find exact info.

THX

From syslog-ng@lists.balabit.hu Sat Aug 14 01:30:57 2004
From: syslog-ng@lists.balabit.hu (Nate Campi)
Date: Fri, 13 Aug 2004 17:30:57 -0700
Subject: [syslog-ng]chroot/syslog-ng/Solaris8
Message-ID: <20040814003057.GU20479@campin.net>

On Fri, Aug 13, 2004 at 01:26:54PM -0500, Roy G Davis wrote:
> does anyone have experience using syslog-ng with chroot-ed applications
> on Solaris 8?
> specifically, i am running ssh/sftp chroot-ed (with sftp logging patch)
> and i get no logging.
> i know it is something about /dev/log etc in the chroot environment but
> cant find exact info.

Try this, you might not have found it since it might seem postfix
specific, but it applies to anything chrooted:

 http://www.campin.net/syslog-ng/faq.html#postfix

--
Nate

To sysadmin or not to sysadmin... that is the question, whether tis
nobler in the minde to suffer the slings and arrowes of outragious
fortune, or climb to the top of the building with a high-power rifle
and scope.

From syslog-ng@lists.balabit.hu Sat Aug 14 10:12:10 2004
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Sat, 14 Aug 2004 10:12:10 +0100
Subject: [syslog-ng]syslog-ng & stunnel, the saga continues
Message-ID: <20040814091210.GA8516@logik.ath.cx>

I'm trying to use stunnel to wrap syslog-ng in SSL. The only problem is
that all the documentation for stunnel presumes you're using Red Hat. I'm
using OpenBSD. This means I have to generate the certificates myself, and
I'm confused here.

For a decent level of security, as I understand it, the server needs a
certificate, signed by a CA (in this case, as it's for internal networking,
the CA is me). What does the client need? I basically created a CA, created
a public key and signed it to create the server certificate, what do I need
to do for the clients? (I would prefer it if they all had the same
certificate, to preserve my sanity).
If I hear the phrase "on red hat, go to /usr/share/ssl/certs" one more time,
somebody is going to find themselves eating several poorly generated
certificates. :)

cheers
mark

From syslog-ng@lists.balabit.hu Sat Aug 14 10:35:56 2004
From: syslog-ng@lists.balabit.hu (Michael Arndt)
Date: Sat, 14 Aug 2004 11:35:56 +0200
Subject: [syslog-ng]syslog-ng & stunnel, the saga continues
In-Reply-To: <20040814091210.GA8516@logik.ath.cx>; from markzero@logik.ath.cx on Sat, Aug 14, 2004 at 10:12:10AM +0100
References: <20040814091210.GA8516@logik.ath.cx>
Message-ID: <20040814113556.A90860@blnsrv1.science-computing.de>

Heippa Mark,

i hope you give me the chance to add a good dip, if i have to eat some
certificates ;-)

Have a look at:
http://www.stunnel.org/examples/syslog-ng.html
there you see that you also need a client PEM.

a) One for all clients if you just want encryption
b) One different for any client if you also need authentication
   (i.e. you need to establish the correctness of client identity)

Step by Step:

http://www.emaze.net/~yad/openssl_stunnel_ServerClientAuth.txt

One addition: Look out in the stunnel FAQ for how to generate a link
to the stunnel:

$ /usr/local/ssl/misc/c_hash clientcert.pem
You will see an output similar to:
89f05566.0 => clientcert.pem

Now create a symbolic link to this file:
$ ln -s clientcert.pem 89f05566.0
(Stunnel will use a 'hash' to lookup the filename. It won't work without
this.)

this recipe will also cook on any BSE implementation ;-), i hope

But if you have access to any Redhat Box, you can make your life much
easier:

They kindly have spared anyone much work by just building a Makefile
that generates all needed keys and gives them the right names
all that's left to you is snip up private from public part and
distribute them ...

Makefile attached, just modify the path inside the Makefile

hth
Micha

-------- Makefile --------

.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem

usage:
	@echo "This makefile allows you to create:"
	@echo "  o public/private key pairs"
	@echo "  o SSL certificate signing requests (CSRs)"
	@echo "  o self-signed SSL test certificates"
	@echo
	@echo "To create a key pair, run \"make SOMETHING.key\"."
	@echo "To create a CSR, run \"make SOMETHING.csr\"."
	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
	@echo
	@echo "To create a key for use with Apache, run \"make genkey\"."
	@echo "To create a CSR for use with Apache, run \"make certreq\"."
	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
	@echo
	@echo Examples:
	@echo "  make server.key"
	@echo "  make server.csr"
	@echo "  make server.crt"
	@echo "  make stunnel.pem"
	@echo "  make genkey"
	@echo "  make certreq"
	@echo "  make testcert"

%.pem:
	umask 77 ; \
	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	/usr/bin/openssl req -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 ; \
	cat $$PEM1 >  $@ ; \
	echo ""    >> $@ ; \
	cat $$PEM2 >> $@ ; \
	$(RM) $$PEM1 $$PEM2

%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa -des3 1024 > $@

%.csr: %.key
	umask 77 ; \
	/usr/bin/openssl req -new -key $^ -out $@

%.crt: %.key
	umask 77 ; \
	/usr/bin/openssl req -new -key $^ -x509 -days 365 -out $@

KEY=/etc/httpd/conf/ssl.key/server.key
CSR=/etc/httpd/conf/ssl.csr/server.csr
CRT=/etc/httpd/conf/ssl.crt/server.crt

genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)

$(CSR): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req -new -key $(KEY) -out $(CSR)

$(CRT): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req -new -key $(KEY) -x509 -days 365 -out $(CRT)

From syslog-ng@lists.balabit.hu Sat Aug 14 10:40:52 2004
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Sat, 14 Aug 2004 10:40:52 +0100
Subject: [syslog-ng]syslog-ng & stunnel, the saga continues
In-Reply-To: <20040814113556.A90860@blnsrv1.science-computing.de>
References: <20040814091210.GA8516@logik.ath.cx> <20040814113556.A90860@blnsrv1.science-computing.de>
Message-ID: <20040814094052.GA2530@logik.ath.cx>

Thanks very much! :)

My next step was to actually attempt to acquire the makefile just to see
what the differences were between client-server certificates, you've just
made my life much easier. :)

cheers
mark

On Sat, Aug 14, 2004 at 11:35:56AM +0200, Michael Arndt wrote:
> Heippa Mark,
>
> i hope you give me the chance to add a good dip, if i have to eat
> some certificates ;-)
>
> Have a look at:
> http://www.stunnel.org/examples/syslog-ng.html
> there you see that you also need a client PEM.
>
> a) One for all clients if you just want encryption
> b) One different for any client if you also need authentication
>    (i.e. you need to establish the corecctness of client identity)
>
> Step by Step:
>
> http://www.emaze.net/~yad/openssl_stunnel_ServerClientAuth.txt
>
> One addition: Look out in the stunnel FAQ for how to generate a link
> to the stunnel:
>
> $ /usr/local/ssl/misc/c_hash clientcert.pem
> You will see a output similar to:
> 89f05566.0 => clientcert.pem
>
> Now create a sumbolic link to this file:
> $ ln -s clientcert.pem 89f05566.0
> (Stunnel will use a 'hash' to lookup the filename. It wont work without
> this.).
>
> this recipe will also cook on any BSE implementation ;-), i hope
>
> But if you have access to any Redhat Box, you can make your
> life much more easier:
>
> They kindly have spared anyone much work by just building a Makefile
> that generates all needed keys and gives them the right names
> all thats left to you is snip up private from public part and
> distribute them ...
>
> Makefile attached, just modifiy the path inside the Makefile
>
> hth
> Micha
>
> .PHONY: usage
> .SUFFIXES: .key .csr .crt .pem
> .PRECIOUS: %.key %.csr %.crt %.pem
>
> usage:
> 	@echo "This makefile allows you to create:"
> 	@echo "  o public/private key pairs"
> 	@echo "  o SSL certificate signing requests (CSRs)"
> 	@echo "  o self-signed SSL test certificates"
> 	@echo
> 	@echo "To create a key pair, run \"make SOMETHING.key\"."
> 	@echo "To create a CSR, run \"make SOMETHING.csr\"."
> 	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
> 	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
> 	@echo
> 	@echo "To create a key for use with Apache, run \"make genkey\"."
> 	@echo "To create a CSR for use with Apache, run \"make certreq\"."
> 	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
> 	@echo
> 	@echo Examples:
> 	@echo "  make server.key"
> 	@echo "  make server.csr"
> 	@echo "  make server.crt"
> 	@echo "  make stunnel.pem"
> 	@echo "  make genkey"
> 	@echo "  make certreq"
> 	@echo "  make testcert"
>
> %.pem:
> 	umask 77 ; \
> 	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
> 	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
> 	/usr/bin/openssl req -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 ; \
> 	cat $$PEM1 >  $@ ; \
> 	echo ""    >> $@ ; \
> 	cat $$PEM2 >> $@ ; \
> 	$(RM) $$PEM1 $$PEM2
>
> %.key:
> 	umask 77 ; \
> 	/usr/bin/openssl genrsa -des3 1024 > $@
>
> %.csr: %.key
> 	umask 77 ; \
> 	/usr/bin/openssl req -new -key $^ -out $@
>
> %.crt: %.key
> 	umask 77 ; \
> 	/usr/bin/openssl req -new -key $^ -x509 -days 365 -out $@
>
> KEY=/etc/httpd/conf/ssl.key/server.key
> CSR=/etc/httpd/conf/ssl.csr/server.csr
> CRT=/etc/httpd/conf/ssl.crt/server.crt
>
> genkey: $(KEY)
> certreq: $(CSR)
> testcert: $(CRT)
>
> $(CSR): $(KEY)
> 	umask 77 ; \
> 	/usr/bin/openssl req -new -key $(KEY) -out $(CSR)
>
> $(CRT): $(KEY)
> 	umask 77 ; \
> 	/usr/bin/openssl req -new -key $(KEY) -x509 -days 365 -out $(CRT)

From
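The pieces Micha describes (a private CA, a server PEM, one client PEM shared by every client, and the hashed link stunnel looks the client certificate up by), as an added shell example that is neither the Red Hat Makefile above nor anything from the thread. It uses only the openssl CLI, so it runs the same on OpenBSD as on Red Hat; the subjects, lifetimes, file names and the `certs` directory are constructed values, and the stunnel.conf option names in the comments are taken from stunnel's documentation.

```shell
#!/bin/sh
# Added example (not Micha's Makefile, not stunnel's own docs): build the
# certificate material for an stunnel-wrapped syslog-ng with the plain
# openssl CLI.  Produces under DIR:
#   ca.key / ca.crt   the private CA ("the CA is me")
#   server.pem        key + certificate for stunnel on the loghost
#   client.pem        one key + certificate shared by every client (case a)
#   certs/<hash>.0    the hashed link stunnel needs to verify that client
# Subjects, lifetimes and names are constructed values for this example.
set -e
umask 077   # every key and PEM created below stays owner-readable only

# Self-signed CA; 2048-bit keys instead of the 1024-bit ones in the Makefile.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Log CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Certificate for NAME signed by the CA, then NAME.pem = private key followed
# by certificate: the single-file layout stunnel's "cert =" option reads.
issue_pem() {
    dir=$1; name=$2; cn=$3
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.crt" 2>/dev/null
    cat "$dir/$name.key" "$dir/$name.crt" > "$dir/$name.pem"
    rm -f "$dir/$name.csr"
}

# The c_hash step from the thread.  Current OpenSSL no longer ships c_hash;
# 'openssl x509 -hash' prints the subject hash the library looks up in a
# CApath directory, and <hash>.0 must point at the trusted certificate.
install_trusted() {
    capath=$1; cert=$2
    mkdir -p "$capath"
    abs=$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")
    hash=$(openssl x509 -noout -hash -in "$cert")
    ln -sf "$abs" "$capath/$hash.0"
    printf '%s\n' "$capath/$hash.0"
}

# What stunnel does with "verify = 2" on each connection: find the peer's
# certificate by hash under CApath and check that it chains to the CA.
# Returns 1 when the link is missing or the chain does not verify.
verify_link() {
    capath=$1; cacert=$2; cert=$3
    hash=$(openssl x509 -noout -hash -in "$cert")
    [ -L "$capath/$hash.0" ] || return 1
    openssl verify -CAfile "$cacert" "$capath/$hash.0" >/dev/null 2>&1
}

# Build everything under DIR and print the path of the hashed link.
# The loghost's stunnel.conf then uses
#   cert = DIR/server.pem, CApath = DIR/certs, verify = 2
# and every client uses cert = DIR/client.pem.
build_stunnel_pki() {
    dir=$1
    mkdir -p "$dir"
    make_ca "$dir"
    issue_pem "$dir" server loghost.example
    issue_pem "$dir" client syslog-client
    install_trusted "$dir/certs" "$dir/client.crt"
}
```

For per-client authentication (Micha's case b) call `issue_pem` and `install_trusted` once per client instead of once for the shared `client` name.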
syslog-ng@lists.balabit.hu Sat Aug 14 11:36:14 2004
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Sat, 14 Aug 2004 11:36:14 +0100
Subject: [syslog-ng]two syslog-ngs?
Message-ID: <20040814103614.GB8516@logik.ath.cx>

Hmm, having got stunnel mostly working, I'm left with a little more
confusion. I'm about to attempt to build the loghost, the only problem is
that I'll need to chroot syslog-ng.

/chroot/syslogng

Surely, this is going to cause problems as the chrooted syslog will need to
do the logging for the local machine as well, and as such will need access
to /dev/log.

It can't be as simple as:

ln -s /dev/log /chroot/syslogng/dev/log

...can it?

Other than this, the only solution I can think of is to run two copies of
syslogng, one chrooted for accepting network connections and one un-chrooted
(that is an annoyingly awkward word in conversation) for doing local logging
for the machine itself.

Anyone come up with a better way?

From syslog-ng@lists.balabit.hu Sat Aug 14 19:00:33 2004
From: syslog-ng@lists.balabit.hu (Roy G Davis)
Date: Sat, 14 Aug 2004 13:00:33 -0500
Subject: [syslog-ng]chroot/syslog-ng/Solaris8

yes, thanks, i have seen that link.
i tried that, but may not have done it exactly right.
there is still something i am missing here.
thx again

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu on behalf of Nate Campi
Sent: Fri 8/13/2004 7:30 PM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]chroot/syslog-ng/Solaris8

On Fri, Aug 13, 2004 at 01:26:54PM -0500, Roy G Davis wrote:
> does anyone have experience using syslog-ng with chroot-ed applications
> on Solaris 8?
> specifically, i am running ssh/sftp chroot-ed (with sftp logging patch)
> and i get no logging.
> i know it is something about /dev/log etc in the chroot environment but
> cant find exact info.

Try this, you might not have found it since it might seem postfix
specific, but it applies to anything chrooted:

 http://www.campin.net/syslog-ng/faq.html#postfix

--
Nate

To sysadmin or not to sysadmin... that is the question, whether tis
nobler in the minde to suffer the slings and arrowes of outragious
fortune, or climb to the top of the building with a high-power rifle
and scope.

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

From syslog-ng@lists.balabit.hu Sun Aug 15 20:21:27 2004
From: syslog-ng@lists.balabit.hu (Michael D. (Mick) Bauer)
Date: Sun, 15 Aug 2004 14:21:27 -0500 (CDT)
Subject: [syslog-ng]FAQ-seeding: chroot jail procedure for Syslog-ng
Message-ID: <35250.192.168.17.200.1092597687.squirrel@webmail.wiremonkeys.org>

Hi, all. In researching/writing the Syslog-ng coverage for the new edition
of my book, I've encountered a total lack of published info, anywhere, on
how to create a Syslog-ng chroot jail. So in the interests of seeding the
FAQ (or at least Google), here's a procedure that works for me.

Naturally, anyone should feel free to correct anything I've gotten wrong!
Any and all feedback is appreciated.

************************************************
How To Create A Chroot Jail For Syslog-ng 1.6x
************************************************

1. su to root if you're not root already

2. Create an unprivileged group-account for syslog-ng, e.g., by adding the
   following line to /etc/group:

   syslogng:x:77:

3. Create an unprivileged system account for syslog-ng, e.g., via the
   following command:

   useradd -d /var/syslog-ng-jail -g syslogng -r syslogng

   (Note that in Linux, the "-r" flag tells useradd that this will be a
   system account, causing useradd to automatically set the account's shell
   to /bin/false and to choose an appropriately low value for its UID.)

4. Create the jail:

   mkdir -p /var/syslog-ng-jail/var/log

   (Our actual changed root will be /var/syslog-ng-jail, but we may as well
   create the var/log subdirectory at the same time)

5. At this point the whole jail should be owned by root:root, which is cool
   so long as the changed-root-directory itself (/var/syslog-ng-jail) is
   "other-executable," e.g., rwxr-xr-x. But syslog-ng *will* need to
   create/write files in the jail's var/log subdirectory, so we need to
   tweak the latter's group-ownership and -permissions, like so:

   chgrp syslogng /var/syslog-ng-jail/var/log
   chmod g+wx /var/syslog-ng-jail/var/log

6. That's it! We may now start syslog-ng like this:

   syslog-ng -C /var/syslog-ng-jail -u syslogng -g syslogng

   The syslog-ng process will still read its config from
   /etc/syslog-ng/syslog-ng.conf (not /var/syslog-ng-jail/etc/...), but
   immediately after that it will chroot itself to the specified jail.

   Note, however, that the paths you specify in syslog-ng.conf "file()"
   statements should all be relative to the changed root. E.g., use
   file("/var/log/messages"), *not*
   file("/var/syslog-ng-jail/var/log/messages"). Any path you specify in
   syslog-ng.conf will end up with "/var/syslog-ng-jail" prepended to it.

   Naturally, there's nothing to stop you from dropping the "var/log/"
   subdirectory altogether, and simply specifying, e.g., file("/messages")
   as a destination (resulting in things being written to
   /var/syslog-ng-jail/messages, a less unwieldy path).

*******

So far I haven't noticed that anything else needs to be added to the chroot
jail (e.g., stuff from /dev or /etc), but if anyone knows differently
please speak up!

Regards,
Mick

P.S. Baszi, you really ought to add "-u" & "-g" to the syslog-ng manpage.
After all, running anything in a chroot jail as root is futile, no? :-)

P.P.S. BTW, 1.6x rocks!

/-------------------------------------------------\
| Michael D. (Mick) Bauer                         |
| Security Editor, Linux Journal                  |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/

From syslog-ng@lists.balabit.hu Mon Aug 16 11:50:07 2004
From: syslog-ng@lists.balabit.hu (Michael D. (Mick) Bauer)
Date: Mon, 16 Aug 2004 05:50:07 -0500 (CDT)
Subject: [syslog-ng]Re: FAQ-seeding: chroot jail procedure for Syslog-ng
In-Reply-To: <35250.192.168.17.200.1092597687.squirrel@webmail.wiremonkeys.org>
References: <35250.192.168.17.200.1092597687.squirrel@webmail.wiremonkeys.org>
Message-ID: <35721.192.168.17.200.1092653407.squirrel@webmail.wiremonkeys.org>

Hi, again. I see now that I've missed at least three things needed in my
chroot jail: /etc/syslog-ng/syslog-ng.conf, /dev/xconsole, and /dev/tty10.

Any hints on the exact syntax one should use with mknod in creating
xconsole & tty10?

Thanks,
Mick

/-------------------------------------------------\
| Michael D. (Mick) Bauer                         |
| Security Editor, Linux Journal                  |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/

> Hi, all. In researching/writing the Syslog-ng coverage for the new
> edition of my book, I've encountered a total lack of published
> info, anywhere, on how to create a Syslog-ng chroot jail. So in the
> interests of seeding the FAQ (or at least Google), here's a
> procedure that works for me.
>
> Naturally, anyone should feel free to correct anything I've gotten
> wrong! Any and all feedback is appreciated.
>
> ************************************************
> How To Create A Chroot Jail For Syslog-ng 1.6x
> ************************************************
>
> 1. su to root if you're not root already
>
> 2. Create an unprivileged group-account for syslog-ng, e.g., by
>    adding the following line to /etc/group:
>
>    syslogng:x:77:
>
> 3. Create an unprivileged system account for syslog-ng, e.g., via
>    the following command:
>
>    useradd -d /var/syslog-ng-jail -g syslogng -r syslogng
>
>    (Note that in Linux, the "-r" flag tells useradd that this will be
>    a system account, causing useradd to automatically set the
>    account's shell to /bin/false and to choose an appropriately low
>    value for its UID.)
>
> 4. Create the jail:
>
>    mkdir -p /var/syslog-ng-jail/var/log
>
>    (Our actual changed root will be /var/syslog-ng-jail, but we may
>    as well create the var/log subdirectory at the same time)
>
> 5. At this point the whole jail should be owned by root:root,
>    which is cool so long as the changed-root-directory itself
>    (/var/syslog-ng-jail) is "other-executable," e.g., rwxr-xr-x. But
>    syslog-ng *will* need to create/write files in the jail's var/log
>    subdirectory, so we need to tweak the latter's group-ownership and
>    -permissions, like so:
>
>    chgrp syslogng /var/syslog-ng-jail/var/log
>    chmod g+wx /var/syslog-ng-jail/var/log
>
> 6. That's it! We may now start syslog-ng like this:
>
>    syslog-ng -C /var/syslog-ng-jail -u syslogng -g syslogng
>
>    The syslog-ng process will still read its config from
>    /etc/syslog-ng/syslog-ng.conf (not /var/syslog-ng-jail/etc/...),
>    but immediately after that it will chroot itself to the specified
>    jail.
>
>    Note, however, that the paths you specify in syslog-ng.conf
>    "file()" statements should all be relative to the changed root.
>    E.g., use file("/var/log/messages"), *not*
>    file("/var/syslog-ng-jail/var/log/messages"). Any path you specify
>    in syslog-ng.conf will end up with "/var/syslog-ng-jail" prepended
>    to it.
>
>    Naturally, there's nothing to stop you from dropping the
>    "var/log/" subdirectory altogether, and simply specify, e.g.,
>    file("/messages") as a destination (resulting in things being
>    written to /var/syslog-ng-jail/messages, a less unwieldy path).
>
> *******
>
> So far I haven't noticed that anything else needs to be added to
> the chroot jail (e.g., stuff from /dev or /etc), but if anyone
> knows differently please speak up!
>
> Regards,
> Mick
>
> P.S. Baszi, you really ought to add "-u" & "-g" to the syslog-ng
> manpage. After all, running anything in a chroot jail as root is
> futile, no? :-)
>
> P.P.S. BTW, 1.6x rocks!
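Mick's procedure as a dry-run shell script, added here and not part of the thread: it prints the commands for steps 2 to 6, copies the config file his follow-up lists as missing, and derives the mknod commands for /dev/xconsole and /dev/tty10 from their `ls -l` lines on the host rather than hard-coding device numbers. The jail path, account names and GID 77 follow the thread; that xconsole is a FIFO and tty10 a character device is an assumption about the host, and the `ls -l` lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not Mick's own script: his jail procedure (steps 2 to 6)
# plus the config file and /dev nodes his follow-up found missing, emitted
# as a DRY RUN so the privileged commands can be reviewed before they are
# run as root.  Jail path, names and GID come from the thread; node types
# and major/minor numbers are read from 'ls -l' output, not assumed.
set -e

SVC_USER=syslogng
SVC_GROUP=syslogng
SVC_GID=77

# "crw--w----" -> 0620 : symbolic permission string to octal for mknod -m.
mode_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)
    out=""
    for i in 1 4 7; do
        t=$(printf '%s' "$perms" | cut -c"$i"-"$((i + 2))")
        n=0
        case $t in r??) n=$((n + 4)) ;; esac
        case $t in ?w?) n=$((n + 2)) ;; esac
        case $t in ??[xst]) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '0%s' "$out"
}

# One 'ls -l' line for a device node -> the mknod command that recreates it
# under the jail.  For b/c nodes ls prints "major, minor" where the size
# would be; a FIFO (type p) shows a size and takes no numbers.
# Returns 1 for anything that is not a device node.
mknod_from_ls() {
    jail=$1
    line=$2
    path=$(printf '%s\n' "$line" | awk '{print $NF}')
    set -- $line
    mode=$1
    type=${mode%"${mode#?}"}
    octal=$(mode_to_octal "$mode")
    case $type in
        c|b) printf 'mknod -m %s %s%s %s %s %s\n' "$octal" "$jail" "$path" "$type" "${5%,}" "$6" ;;
        p)   printf 'mknod -m %s %s%s p\n' "$octal" "$jail" "$path" ;;
        *)   printf 'not a device node: %s\n' "$path" >&2; return 1 ;;
    esac
}

# Steps 2 to 6 of the procedure plus the config copy from the follow-up.
# chmod o+x enforces the "other-executable" jail root from step 5.
# Every line is printed, nothing is executed.  Arguments after the jail
# path are 'ls -l' lines for the device nodes to recreate.
jail_plan() {
    jail=$1
    shift
    cat <<EOF
groupadd -g $SVC_GID $SVC_GROUP
useradd -d $jail -g $SVC_GROUP -r -s /bin/false $SVC_USER
mkdir -p $jail/var/log $jail/etc/syslog-ng $jail/dev
chmod o+x $jail
chgrp $SVC_GROUP $jail/var/log
chmod g+wx $jail/var/log
cp /etc/syslog-ng/syslog-ng.conf $jail/etc/syslog-ng/syslog-ng.conf
EOF
    for line in "$@"; do
        mknod_from_ls "$jail" "$line"
    done
    printf 'syslog-ng -C %s -u %s -g %s\n' "$jail" "$SVC_USER" "$SVC_GROUP"
}

# Stand-alone use: read the real nodes from the host and print the plan.
if [ "${1:-}" = "--host" ]; then
    jail_plan /var/syslog-ng-jail "$(ls -l /dev/xconsole)" "$(ls -l /dev/tty10)"
fi
```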
From syslog-ng@lists.balabit.hu Mon Aug 16 12:04:59 2004
From: syslog-ng@lists.balabit.hu (L. Jankok)
Date: Mon, 16 Aug 2004 13:04:59 +0200
Subject: [syslog-ng]Re: FAQ-seeding: chroot jail procedure for Syslog-ng
In-Reply-To: <35721.192.168.17.200.1092653407.squirrel@webmail.wiremonkeys.org>
References: <35250.192.168.17.200.1092597687.squirrel@webmail.wiremonkeys.org> <35721.192.168.17.200.1092653407.squirrel@webmail.wiremonkeys.org>
Message-ID: <20040816110458.GA16718@smtp.local.net>

do a ls -la on the files to see the major and minor number and the type.
and then

SYNOPSIS
     mknod name b major minor
     mknod name c major minor
     mknod name p

DESCRIPTION
     mknod makes a directory entry for a special file.

OPTIONS
     The following options are supported:

     b    Create a block-type special file.
     c    Create a character-type special file.
     p    Create a FIFO (named pipe).

Regards,
L. Jankok

On 0, "Michael D. (Mick) Bauer" wrote:
:Hi, again. I see now that I've missed at least three things needed
:in my chroot jail: /etc/syslog-ng/syslog-ng.conf, /dev/xconsole, and
:/dev/tty10.
:
:Any hints on the exact syntax one should use with mknod in creating
:xconsole & tty10?
:
:Thanks,
:Mick
:
:/-------------------------------------------------\
:| Michael D. (Mick) Bauer                         |
:| Security Editor, Linux Journal                  |
:| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
:\-------------------------------------------------/
:
:> Hi, all. In researching/writing the Syslog-ng coverage for the new
:> edition of my book, I've encountered a total lack of published
:> info, anywhere, on how to create a Syslog-ng chroot jail. So in the
:> interests of seeding the FAQ (or at least Google), here's a
:> procedure that works for me.
:>
:> Naturally, anyone should feel free to correct anything I've gotten
:> wrong! Any and all feedback is appreciated.
:>
:> ************************************************
:> How To Create A Chroot Jail For Syslog-ng 1.6x
:> ************************************************
:>
:> 1. su to root if you're not root already
:>
:> 2. Create an unprivileged group-account for syslog-ng, e.g., by
:>    adding the following line to /etc/group:
:>
:>    syslogng:x:77:
:>
:> 3. Create an unprivileged system account for syslog-ng, e.g., via
:>    the following command:
:>
:>    useradd -d /var/syslog-ng-jail -g syslogng -r syslogng
:>
:>    (Note that in Linux, the "-r" flag tells useradd that this will be
:>    a system account, causing useradd to automatically set the
:>    account's shell to /bin/false and to choose an appropriately low
:>    value for its UID.)
:>
:> 4. Create the jail:
:>
:>    mkdir -p /var/syslog-ng-jail/var/log
:>
:>    (Our actual changed root will be /var/syslog-ng-jail, but we may
:>    as well create the var/log subdirectory at the same time)
:>
:> 5. At this point the whole jail should be owned by root:root,
:>    which is cool so long as the changed-root-directory itself
:>    (/var/syslog-ng-jail) is "other-executable," e.g., rwxr-xr-x. But
:>    syslog-ng *will* need to create/write files in the jail's var/log
:>    subdirectory, so we need to tweak the latter's group-ownership and
:>    -permissions, like so:
:>
:>    chgrp syslogng /var/syslog-ng-jail/var/log
:>    chmod g+wx /var/syslog-ng-jail/var/log
:>
:> 6. That's it! We may now start syslog-ng like this:
:>
:>    syslog-ng -C /var/syslog-ng-jail -u syslogng -g syslogng
:>
:>    The syslog-ng process will still read its config from
:>    /etc/syslog-ng/syslog-ng.conf (not /var/syslog-ng-jail/etc/...),
:>    but immediately after that it will chroot itself to the specified
:>    jail.
:>
:>    Note, however, that the paths you specify in syslog-ng.conf
:>    "file()" statements should all be relative to the changed root.
:>    E.g., use file("/var/log/messages"), *not*
:>    file("/var/syslog-ng-jail/var/log/messages"). Any path you specify
:>    in syslog-ng.conf will end up with "/var/syslog-ng-jail" prepended
:>    to it.
:>
:>    Naturally, there's nothing to stop you from dropping the
:>    "var/log/" subdirectory altogether, and simply specify, e.g.,
:>    file("/messages") as a destination (resulting in things being
:>    written to /var/syslog-ng-jail/messages, a less unwieldy path).
:>
:> *******
:>
:> So far I haven't noticed that anything else needs to be added to
:> the chroot jail (e.g., stuff from /dev or /etc), but if anyone
:> knows differently please speak up!
:>
:> Regards,
:> Mick
:>
:> P.S. Baszi, you really ought to add "-u" & "-g" to the syslog-ng
:> manpage. After all, running anything in a chroot jail as root is
:> futile, no? :-)
:>
:> P.P.S. BTW, 1.6x rocks!

From syslog-ng@lists.balabit.hu Mon Aug 16 16:13:18 2004
From: syslog-ng@lists.balabit.hu (John Kristoff)
Date: Mon, 16 Aug 2004 10:13:18 -0500
Subject: [syslog-ng]FAQ-seeding: chroot jail procedure for Syslog-ng
In-Reply-To: <35250.192.168.17.200.1092597687.squirrel@webmail.wiremonkeys.org>
References: <35250.192.168.17.200.1092597687.squirrel@webmail.wiremonkeys.org>
Message-ID: <20040816101318.69587e40@localhost>

On Sun, 15 Aug 2004 14:21:27 -0500 (CDT)
"Michael D. (Mick) Bauer" wrote:

> So far I haven't noticed that anything else needs to be added to the
> chroot jail (e.g., stuff from /dev or /etc), but if anyone knows
> differently please speak up!

Mick,

It's been a while since I last set up syslog-ng in a chroot jail, but
according to my notes I did the following on a recent Linux box:

o copied the following files to /path/to/chroot/lib:

  libnss_dns.so.2
  libnss_files.so.2
  libresolv.so.2
  libnsl.so.2
  libc.so.6
  ld-linux.so.2

  the first of which being the one that seemed to actually be required
  for correct operation in my case.
I believe the others were just referenced libraries, but not actually called. o copied the following to /path/to/chroot/etc nsswitch.conf resolv.conf `grep syslogng passwd` `grep syslogng group` the last two being whatever user/group you used to run syslog-ng as. John From syslog-ng@lists.balabit.hu Mon Aug 16 18:45:53 2004 From: syslog-ng@lists.balabit.hu (Balazs Scheidler) Date: Mon, 16 Aug 2004 19:45:53 +0200 Subject: [syslog-ng]Question In-Reply-To: <41149C3B.80102@jg555.com> References: <41149C3B.80102@jg555.com> Message-ID: <1092678353.1788.33.camel@bzorp.balabit> On Sat, 2004-08-07 at 11:09, Jim Gifford wrote: > I have always wondered about this. > > Why are the libol and syslog-ng separate packages? > To me it seems that they should be one package since they depend on each > other. Once upon a time libol was forked from lsh, a complete SSH2 implementation at http://www.lysator.liu.se/~nisse/ Back then libol was used in one of my other, now defunct projects. That is the reason, and by the way the don't depend on each other, syslog-ng depends on libol but not vice versa. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 From syslog-ng@lists.balabit.hu Mon Aug 16 18:48:04 2004 From: syslog-ng@lists.balabit.hu (Balazs Scheidler) Date: Mon, 16 Aug 2004 19:48:04 +0200 Subject: [syslog-ng]not match() In-Reply-To: <20040808211901.GA20523@logik.ath.cx> References: <20040808211901.GA20523@logik.ath.cx> Message-ID: <1092678483.1788.36.camel@bzorp.balabit> On Sun, 2004-08-08 at 23:19, markzero@logik.ath.cx wrote: > Now, let me draw your attention to this line: > > not match("STATS: dropped 0"); > > For some reason, I repeatedly get this popping up on the command line: > > bash-2.05b# STATS: dropped 0 > > ..when either logged in as root or using su. Maybe it is not syslog-ng which writes this line to your console. Can you confirm with strace or truss that syslog-ng is effectively writing this to your root tty? 
-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 From syslog-ng@lists.balabit.hu Mon Aug 16 18:55:30 2004 From: syslog-ng@lists.balabit.hu (Michael D. (Mick) Bauer) Date: Mon, 16 Aug 2004 12:55:30 -0500 (CDT) Subject: [syslog-ng]FAQ-seeding: chroot jail procedure for Syslog-ng In-Reply-To: <20040816101318.69587e40@localhost> References: <35250.192.168.17.200.1092597687.squirrel@webmail.wiremonkeys.org> <20040816101318.69587e40@localhost> Message-ID: <55718.159.37.7.119.1092678930.squirrel@webmail.wiremonkeys.org> Thanks! I'll post a revised procedure later this week -- replies have been trickling in. Cheers, Mick > On Sun, 15 Aug 2004 14:21:27 -0500 (CDT) > "Michael D. (Mick) Bauer" wrote: > >> So far I haven't noticed that anything else needs to be added to >> the chroot jail (e.g., stuff from /dev or /etc), but if anyone >> knows differently please speak up! > > Mick, > > It's been awhile since I last setup syslog-ng in a chroot jail, > but according to my notes I did the following on a recent Linux > box: > > o copied the follow files to /path/to/chroot/lib: > > libnss_dns.so.2 > libnss_files.so.2 > libresolv.so.2 > libnsl.so.2 > libc.so.6 > ld-linux.so.2 > > the first of which, being the one that seemed to actually be > required for correct operation in my case. I believe the > others were just referenced libraries, but not actually > called. > > o copied the following to /path/to/chroot/etc > > nsswitch.conf > resolv.conf > `grep syslogng passwd` > `grep syslogng group` > > the last two being whatever user/group you used to run > syslog-ng as. > > John > _______________________________________________ > syslog-ng maillist - syslog-ng@lists.balabit.hu > https://lists.balabit.hu/mailman/listinfo/syslog-ng > Frequently asked questions at > http://www.campin.net/syslog-ng/faq.html /-------------------------------------------------\ | Michael D. (Mick) Bauer | | Security Editor, Linux Journal | | Dir. 
of Value-Subtracted Svcs., Wiremonkeys.org | \-------------------------------------------------/ From syslog-ng@lists.balabit.hu Mon Aug 16 18:49:58 2004 From: syslog-ng@lists.balabit.hu (Balazs Scheidler) Date: Mon, 16 Aug 2004 19:49:58 +0200 Subject: [syslog-ng]syslog-ng : concurrent readling & writing tasks ? In-Reply-To: <200408090750.i797oQrj012369@postcard.dih.oleane.net> References: <200408090750.i797oQrj012369@postcard.dih.oleane.net> Message-ID: <1092678598.1788.39.camel@bzorp.balabit> On Mon, 2004-08-09 at 09:50, Loic SPINDLER wrote: > Hello, > I noticed that both reading input process and writing to output are not > running concurrent in the syslog-ng. Is it planned for a future release ? > what do you mean? reading and writing is multiplexed in a single poll loop. so it does not use multi-threading but in effect the same happens. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 From syslog-ng@lists.balabit.hu Mon Aug 16 18:49:19 2004 From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu) Date: Mon, 16 Aug 2004 18:49:19 +0100 Subject: [syslog-ng]not match() In-Reply-To: <1092678483.1788.36.camel@bzorp.balabit> References: <20040808211901.GA20523@logik.ath.cx> <1092678483.1788.36.camel@bzorp.balabit> Message-ID: <20040816174919.GB13859@logik.ath.cx> Heh, don't worry about it, for some reason it cleared up after a restart. No idea why it started, but it's fixed. thanks anyway, mark On Mon, Aug 16, 2004 at 07:48:04PM +0200, Balazs Scheidler wrote: > On Sun, 2004-08-08 at 23:19, markzero@logik.ath.cx wrote: > > > Now, let me draw your attention to this line: > > > > not match("STATS: dropped 0"); > > > > For some reason, I repeatedly get this popping up on the command line: > > > > bash-2.05b# STATS: dropped 0 > > > > ..when either logged in as root or using su. > > Maybe it is not syslog-ng which writes this line to your console. 
Can > you confirm with strace or truss that syslog-ng is effectively writing > this to your root tty? > > -- > Bazsi > PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 > > > _______________________________________________ > syslog-ng maillist - syslog-ng@lists.balabit.hu > https://lists.balabit.hu/mailman/listinfo/syslog-ng > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html > From syslog-ng@lists.balabit.hu Mon Aug 16 18:51:23 2004 From: syslog-ng@lists.balabit.hu (Balazs Scheidler) Date: Mon, 16 Aug 2004 19:51:23 +0200 Subject: [syslog-ng]Problems with Netscreen log entries In-Reply-To: <41177A0E.4090102@btinet.net> References: <41177A0E.4090102@btinet.net> Message-ID: <1092678682.1788.42.camel@bzorp.balabit> On Mon, 2004-08-09 at 15:20, Paul Mindeman wrote: > Running syslog-ng 1.6.4 on Solaris 9 > > Log entries from my UNIX devices log fine. Log entries from my > Netscreen devices seem to be missing the end of line terminator, as the > entries run together in the log file. The default syslog daemon was > able to handle these entries fine. Any ideas on how to fix this? > > The options in the syslog-ng.conf file are: > > options { sync (0); > time_reopen (10); > log_fifo_size (1000); > long_hostnames (off); > use_dns (no); > use_fqdn (no); > create_dirs (no); > keep_hostname (yes); > }; Can you give me a tcpdump snippet to see how a netscreen log message is formatted? Please make sure that you snap the complete packet (-s option). tcpdump -xXpeni ethX port 514 and udp should do the trick. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 From syslog-ng@lists.balabit.hu Mon Aug 16 18:51:54 2004 From: syslog-ng@lists.balabit.hu (Balazs Scheidler) Date: Mon, 16 Aug 2004 19:51:54 +0200 Subject: [syslog-ng]Reply-To: syslog-ng@lists.balabit.hu In-Reply-To: References: Message-ID: <1092678714.1788.44.camel@bzorp.balabit> On Mon, 2004-08-09 at 16:54, G. C. 
wrote: > I modified the file afinet.c inserting the line as suggested and gave the > following commands: > ./configure --enable-spoof-source --> ok > make --> ERROR > > The error is the following: "touch afinet.c.x" and you should be fine. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 From syslog-ng@lists.balabit.hu Mon Aug 16 18:53:23 2004 From: syslog-ng@lists.balabit.hu (Balazs Scheidler) Date: Mon, 16 Aug 2004 19:53:23 +0200 Subject: [syslog-ng](no subject) In-Reply-To: <4F9DBE266768DC46A1F17E875D371641046AAF53@ma8117exch002u.inse.lucent.com> References: <4F9DBE266768DC46A1F17E875D371641046AAF53@ma8117exch002u.inse.lucent.com> Message-ID: <1092678802.1788.47.camel@bzorp.balabit> On Mon, 2004-08-09 at 21:08, Andrews, Glenn J (Glenn) wrote: > Great. Now virus via syslog ;-) I was not the source of this virus, especially as I am using a Linux based desktop. And the virus found a subscribed sender address when spoofing the From line, too bad. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 From syslog-ng@lists.balabit.hu Mon Aug 16 18:54:07 2004 From: syslog-ng@lists.balabit.hu (Balazs Scheidler) Date: Mon, 16 Aug 2004 19:54:07 +0200 Subject: [syslog-ng]check_hostname(yes) - parse error In-Reply-To: <27643A47D891574A8340EFC789DBD984C44763@alex.encana.com> References: <27643A47D891574A8340EFC789DBD984C44763@alex.encana.com> Message-ID: <1092678847.1788.49.camel@bzorp.balabit> On Wed, 2004-08-11 at 23:36, Smith, Krista wrote: > Hello, > > I've got syslog-ng (1.4.17) working on a Solaris 9 central logserver, > except for one small thing. I'm trying to use the option > "check_hostname(yes)" but I get a parse error when I add it to my > options. My options line looks like this: > > options { create_dirs(yes); keep_hostname(yes); check_hostname(yes); > }; > > If I remove that portion of the line, it gives no error. 
I've checked > for invisible characters, searched Google and the syslog-ng archives, > but cannot find anything suggesting what the problem might be. If > anyone can point me in the right direction I'd be grateful. try it with syslog-ng 1.6.4, you'll be surprised :) -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 From syslog-ng@lists.balabit.hu Mon Aug 16 18:57:14 2004 From: syslog-ng@lists.balabit.hu (Balazs Scheidler) Date: Mon, 16 Aug 2004 19:57:14 +0200 Subject: [syslog-ng]two syslog-ngs? In-Reply-To: <20040814103614.GB8516@logik.ath.cx> References: <20040814103614.GB8516@logik.ath.cx> Message-ID: <1092679034.1788.51.camel@bzorp.balabit> On Sat, 2004-08-14 at 12:36, markzero@logik.ath.cx wrote: > Hmm, having got stunnel mostly working, I'm left with a little > more confusion. I'm about to attempt to build the loghost, the > only problem is that I'll need to chroot syslog-ng. > > /chroot/syslogng > > Surely, this is going to cause problems as the chrooted syslog > will need to do the logging for the local machine as well, and as > such will need access to /dev/log. > > It can't be as simple as: > > ln -s /dev/log /chroot/syslogng/dev/log > > ...can it? this should work but in a reverse way, e.g. symlink the outer /dev/log to the internal one: ln -s /chroot/syslogng/dev/log /dev/log > > Other than this, the only solution I can think of is to run two > copies of syslogng, one chrooted for accepting network connections > and one un-chrooted (that is an annoyingly awkward word in conversation) > for doing local logging for the machine itself. this one should also work. 
-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 From syslog-ng@lists.balabit.hu Mon Aug 16 18:58:17 2004 From: syslog-ng@lists.balabit.hu (Balazs Scheidler) Date: Mon, 16 Aug 2004 19:58:17 +0200 Subject: [syslog-ng]chroot/syslog-ng/Solaris8 In-Reply-To: References: Message-ID: <1092679097.1788.53.camel@bzorp.balabit> On Sat, 2004-08-14 at 20:00, Roy G Davis wrote: > -----Original Message----- > From: syslog-ng-admin@lists.balabit.hu on behalf of Nate Campi > Sent: Fri 8/13/2004 7:30 PM > To: syslog-ng@lists.balabit.hu > Cc: > Subject: Re: [syslog-ng]chroot/syslog-ng/Solaris8 > On Fri, Aug 13, 2004 at 01:26:54PM -0500, Roy G Davis wrote: > > does anyone have experience using syslog-ng with chroot-ed > applications > > on Solaris 8? > > specifically, i am running ssh/sftp chroot-ed (with sftp logging > patch) > > and i get no logging. > > i know it is something about /dev/log etc in the chroot environment > but > > cant find exact info. > > Try this, you might not have found it since it might seem postfix > specific, but it applies to anything chrooted: > > http://www.campin.net/syslog-ng/faq.html#postfix maybe the link is linux specific, you need to use sun-streams combined with the door option on Solaris. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 From syslog-ng@lists.balabit.hu Mon Aug 16 19:13:46 2004 From: syslog-ng@lists.balabit.hu (Roy G Davis) Date: Mon, 16 Aug 2004 13:13:46 -0500 Subject: [syslog-ng]chroot/syslog-ng/Solaris8 Message-ID: yes, thank you i have syslog-ng accepting normal things using streams/doors. but it is not picking up anything generated from within the chroot jail. i actually get the same behavior w sun's syslog too. that is: i have sftp-logging patch applied to openssh code. it works for a non-chroot user - you see them login, change directory, upload/download file, log out etc. but all i see is initial login for a chroot user. 
THX -----Original Message----- From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Balazs Scheidler Sent: Monday, August 16, 2004 12:58 PM To: syslog-ng@lists.balabit.hu Subject: RE: [syslog-ng]chroot/syslog-ng/Solaris8 On Sat, 2004-08-14 at 20:00, Roy G Davis wrote: > -----Original Message----- > From: syslog-ng-admin@lists.balabit.hu on behalf of Nate Campi > Sent: Fri 8/13/2004 7:30 PM > To: syslog-ng@lists.balabit.hu > Cc: > Subject: Re: [syslog-ng]chroot/syslog-ng/Solaris8 > On Fri, Aug 13, 2004 at 01:26:54PM -0500, Roy G Davis wrote: > > does anyone have experience using syslog-ng with chroot-ed > applications > > on Solaris 8? > > specifically, i am running ssh/sftp chroot-ed (with sftp logging > patch) > > and i get no logging. > > i know it is something about /dev/log etc in the chroot environment > but > > cant find exact info. > > Try this, you might not have found it since it might seem postfix > specific, but it applies to anything chrooted: > > http://www.campin.net/syslog-ng/faq.html#postfix maybe the link is linux specific, you need to use sun-streams combined with the door option on Solaris. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 _______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html From syslog-ng@lists.balabit.hu Mon Aug 16 23:35:38 2004 From: syslog-ng@lists.balabit.hu (Smith, Krista) Date: Mon, 16 Aug 2004 16:35:38 -0600 Subject: [syslog-ng]check_hostname(yes) - parse error Message-ID: <27643A47D891574A8340EFC789DBD984C44788@alex.encana.com> Yes, I finally figured that out. :) As other options are added though, it might be handy to know which ones are available with which versions, maybe on the online manual options page? 
I didn't download syslog-ng very long ago and at the time it was the most recent one listed on the download page. So I didn't realize so many others had come out in the meantime and thought that if it was listed on the options page with all the rest, it must be a standard one available to me. I stand corrected. :) Thanks, Krista -----Original Message----- From: Balazs Scheidler [mailto:bazsi@balabit.hu] Sent: Monday, August 16, 2004 11:54 AM To: syslog-ng@lists.balabit.hu Subject: Re: [syslog-ng]check_hostname(yes) - parse error On Wed, 2004-08-11 at 23:36, Smith, Krista wrote: > Hello, > > I've got syslog-ng (1.4.17) working on a Solaris 9 central logserver, > except for one small thing. I'm trying to use the option > "check_hostname(yes)" but I get a parse error when I add it to my > options. My options line looks like this: > > options { create_dirs(yes); keep_hostname(yes); check_hostname(yes); > }; > > If I remove that portion of the line, it gives no error. I've checked > for invisible characters, searched Google and the syslog-ng archives, > but cannot find anything suggesting what the problem might be. If > anyone can point me in the right direction I'd be grateful. try it with syslog-ng 1.6.4, you'll be surprised :) -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 _______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html From syslog-ng@lists.balabit.hu Tue Aug 17 04:08:46 2004 From: syslog-ng@lists.balabit.hu (Michael D. (Mick) Bauer) Date: Mon, 16 Aug 2004 22:08:46 -0500 (CDT) Subject: [syslog-ng]/proc/kmsg and chrooted syslog-ng Message-ID: <32798.192.168.17.200.1092712126.squirrel@webmail.wiremonkeys.org> One more ignorance-betraying question about Syslog-ng chroot-jails: what should one do about /proc/kmsg? 
Maybe "touch /var/logjail/proc/kmsg; ln -s /var/logjail/proc/kmsg /proc/kmsg"? And do I take it that, per another recent posting, one should similarly create a new dev/log in the jail and link to it from /dev/log? I'd like to post a revised Syslog-ng chroot jail procedure later this week. Thanks to the two of you who've replied so far! Mick /-------------------------------------------------\ | Michael D. (Mick) Bauer | | Security Editor, Linux Journal | | Dir. of Value-Subtracted Svcs., Wiremonkeys.org | \-------------------------------------------------/ From syslog-ng@lists.balabit.hu Tue Aug 17 12:48:30 2004 From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu) Date: Tue, 17 Aug 2004 13:48:30 +0200 Subject: [syslog-ng]/proc/kmsg and chrooted syslog-ng In-Reply-To: <32798.192.168.17.200.1092712126.squirrel@webmail.wiremonkeys.org> References: <32798.192.168.17.200.1092712126.squirrel@webmail.wiremonkeys.org> Message-ID: <20040817114830.GA17729@balabit.hu> On Mon, Aug 16, 2004 at 10:08:46PM -0500, Michael D. (Mick) Bauer wrote: > One more ignorance-betraying question about Syslog-ng chroot-jails: > what should one do about /proc/kmsg? Maybe "touch > /var/logjail/proc/kmsg; ln -s /var/logjail/proc/kmsg /proc/kmsg"? no, this would not work. kernel messages need to be fetched from a "live" proc filesystem, however you can mount it directly into the chroot jail as well, e.g. mount -t proc proc /var/logjail/proc that's about it. > > And do I take it that, per another recent posting, one should > similarly create a new dev/log in the jail and link to it from > /dev/log? yes, this makes it possible to reload syslog-ng inside the chroot jail, as otherwise it is not possible. > > I'd like to post a revised Syslog-ng chroot jail procedure later > this week. Thanks to the two of you who've replied so far! great. 
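The chroot jail steps scattered over this thread (John's library and /etc list in the FAQ-seeding reply, the reversed /dev/log symlink from the "two syslog-ngs?" reply, and mounting a live proc into the jail for /proc/kmsg, as above), gathered into one script. This is an added example, not code from the list posts or from syslog-ng itself. It assumes a Linux host with glibc and util-linux; the jail path /var/logjail, the binary path /usr/local/sbin/syslog-ng and the account name syslogng are assumptions, not values from the thread.

```shell
#!/bin/sh
# build_logjail.sh: assemble a minimal chroot jail for syslog-ng on Linux.
# Added example for this thread; not code from the posts or from syslog-ng.
# Assumptions (not stated in the thread): jail at /var/logjail, daemon binary
# /usr/local/sbin/syslog-ng, daemon account syslogng, glibc, util-linux.
set -eu

JAIL=${JAIL:-/var/logjail}
SYSLOG_BIN=${SYSLOG_BIN:-/usr/local/sbin/syslog-ng}
JAIL_USER=${JAIL_USER:-syslogng}
# glibc dlopen()s these for name lookups (use_dns), so ldd never lists them.
NSS_LIBS="libnss_dns.so.2 libnss_files.so.2 libresolv.so.2 libnsl.so.2"

# jail_copy <jail> <srcroot> <abs path>: copy srcroot/path to jail/path,
# creating the directory and keeping the file mode.
jail_copy() {
    mkdir -p "$1$(dirname "$3")"
    cp -p "$2$3" "$1$3"
}

# jail_libs <jail> <binary>: the shared objects the binary links against
# (from ldd, including the dynamic loader line that has no "=>"), plus the
# runtime-loaded NSS/resolver libraries listed in the thread.
jail_libs() {
    for lib in $(ldd "$2" | awk '$2 == "=>" { print $3 } $1 ~ /^\// { print $1 }'); do
        jail_copy "$1" "" "$lib"
    done
    for name in $NSS_LIBS; do
        for dir in /lib /lib64 /usr/lib; do
            if [ -e "$dir/$name" ]; then jail_copy "$1" "" "$dir/$name"; break; fi
        done
    done
}

# jail_nss <jail> <srcetc> <user>: resolver configuration plus only the jail
# user's passwd and group lines, never the full account database. Fails if
# the account is missing rather than building a jail the daemon cannot drop
# privileges into.
jail_nss() {
    mkdir -p "$1/etc"
    for f in nsswitch.conf resolv.conf; do
        if [ -e "$2/$f" ]; then cp -p "$2/$f" "$1/etc/$f"; fi
    done
    grep "^$3:" "$2/passwd" > "$1/etc/passwd" || { echo "no passwd entry for $3" >&2; return 1; }
    grep "^$3:" "$2/group"  > "$1/etc/group"  || { echo "no group entry for $3" >&2; return 1; }
    chmod 0644 "$1/etc/passwd" "$1/etc/group"
}

# jail_dev_proc <jail>: syslog-ng creates /dev/log *inside* the jail and the
# outer /dev/log becomes a symlink to it (not the other way round), so the
# daemon can re-create the socket on reload from within the chroot.
# /proc/kmsg cannot be copied or symlinked; mount a live proc into the jail.
# Run this with the old syslogd stopped: it replaces /dev/log.
jail_dev_proc() {
    mkdir -p "$1/dev" "$1/proc"
    rm -f /dev/log
    ln -s "$1/dev/log" /dev/log
    mountpoint -q "$1/proc" || mount -t proc proc "$1/proc"
}

build_jail() {
    mkdir -p "$JAIL/var/log"
    jail_copy "$JAIL" "" "$SYSLOG_BIN"
    jail_libs "$JAIL" "$SYSLOG_BIN"
    jail_nss "$JAIL" /etc "$JAIL_USER"
    jail_dev_proc "$JAIL"
    # Only the log directory is writable by the daemon account; the rest of
    # the jail stays root-owned so a compromised daemon cannot alter it.
    chown "$JAIL_USER:$JAIL_USER" "$JAIL/var/log"
    chmod 0755 "$JAIL"
    echo "jail built at $JAIL"
}

# Build only on explicit request, so the file can be sourced for its
# functions without side effects.
if [ "${1:-}" = build ]; then build_jail; fi
```

Run it as root with `sh build_logjail.sh build` while the previous syslog daemon is stopped, then start syslog-ng chrooted into $JAIL and check that $JAIL/dev/log appears and that a `logger` message from outside the jail arrives. If the daemon is started through chroot(8) rather than its own chroot option, its syslog-ng.conf must also live under $JAIL/etc. This is Linux-only: on Solaris the local source is sun-streams with the door option, as Bazsi notes elsewhere in the thread, and the /dev/log symlink step does not apply.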
-- Bazsi From syslog-ng@lists.balabit.hu Mon Aug 23 09:15:58 2004 From: syslog-ng@lists.balabit.hu (Natxo Asenjo) Date: Mon, 23 Aug 2004 10:15:58 +0200 Subject: [syslog-ng]dhcp3-server logging problem Message-ID: <20040823081558.GA16683@ainhoa.xs4all.nl> Hallo everybody, This is my first message to this list. I have a problem with the way syslog-ng 1.5.15 (stock debian woody) is logging the dhcp3-server messages. I have searched in the mailing-list archives and through google but could not find the answer to my problem. Which is: In the conf file for dhcp3-server, one can specify the facility where the log messages should go. The specific lines are: # Use this to send dhcp log messages to a different log file (you also # have to hack syslog.conf to complete the redirection). log-facility local7; So I created some new entries in /etc/syslog-nl/syslog-ng.conf, which are: # dest file where i want the dhcpd stuff: destination dhcpd { file("/var/log/dhcpd.log" owner("root") group("adm") perm(0640)); }; # this is all in one line, obviously. filter f_local7 { facility(local7); }; log { source(src); filter(f_local7); destination(dhcpd); }; So I restarted both services in order to reload their config files, and yes, now I get all the dhcp logging in /var/log/dhcpd.log, *but* I also get it in /var/log/syslog, which is driving me nuts, because I also have logcheck installed and every hour I get all the dhcpd messages in the logcheck emails. Is there a way I have overlooked to prevent this? TIA, N.Asenjo From syslog-ng@lists.balabit.hu Mon Aug 23 09:28:11 2004 From: syslog-ng@lists.balabit.hu (Michael Redinger) Date: Mon, 23 Aug 2004 10:28:11 +0200 Subject: [syslog-ng]dhcp3-server logging problem In-Reply-To: <20040823081558.GA16683@ainhoa.xs4all.nl> References: <20040823081558.GA16683@ainhoa.xs4all.nl> Message-ID: <4129AA9B.1030107@uibk.ac.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I suppose everything is logged to /var/log/syslog? 
You could make syslog a "fallback" statement: log { source(...); destination(...); flags(catchall, fallback, final); } See for example: http://www.campin.net/syslog-ng/expanded-syslog-ng.conf Greetings, Michael Natxo Asenjo wrote: | Hallo everybody, | | This is my first message to this list. I have a problem with the way | syslog-ng 1.5.15 (stock debian woody) is logging the dhcp3-server | messages. I have searched in the mailing-list archives and through | google but could not find the answer to my problem. Which is: | | In the conf file for dhcp3-server, one can specify the facility where | the log messages should go. The specific lines are: | | # Use this to send dhcp log messages to a different log file (you also | # have to hack syslog.conf to complete the redirection). | log-facility local7; | | So I created some new entries in /etc/syslog-nl/syslog-ng.conf, which | are: | | # dest file where i want the dhcpd stuff: | | destination dhcpd { file("/var/log/dhcpd.log" owner("root") group("adm") | perm(0640)); }; # this is all in one line, obviously. | | filter f_local7 { facility(local7); }; | | log { source(src); filter(f_local7); destination(dhcpd); }; | | So I restarted both services in order to reload their config files, and | yes, now I get all the dhcp logging in /var/log/dhcpd.log, *but* I also | get it in /var/log/syslog, which is driving me nuts, because I also have | logcheck installed and every hour I get all the dhcpd messages in the | logcheck emails. | | Is there a way I have overlooked to prevent this? 
| | TIA, | | N.Asenjo | | | _______________________________________________ | syslog-ng maillist - syslog-ng@lists.balabit.hu | https://lists.balabit.hu/mailman/listinfo/syslog-ng | Frequently asked questions at http://www.campin.net/syslog-ng/faq.html | - -- Michael Redinger Zentraler Informatikdienst (Computer Centre) Universitaet Innsbruck Technikerstrasse 13 Tel.: ++43 512 507 2335 6020 Innsbruck Fax.: ++43 512 507 2944 Austria Mail: Michael.Redinger@uibk.ac.at BB98 D2FE 0F2C 2658 3780 3CB1 0FD7 A9D9 65C2 C11D http://www.uibk.ac.at/~c102mr/mred-pubkey.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBKaqbD9ep2WXCwR0RAhX/AKD/2O16mpuBf0WDeoQxN3s509BgZACfdRaX 1lJ2wwRy4ADPIxbaQTGaOwU= =asGb -----END PGP SIGNATURE----- From syslog-ng@lists.balabit.hu Mon Aug 23 10:03:19 2004 From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu) Date: Mon, 23 Aug 2004 04:03:19 -0500 Subject: [syslog-ng]Michael J. Bock/NetServ/DST/US is out of the office. Message-ID: I will be out of the office starting 08/20/2004 and will not return until 08/30/2004. I will respond to your message when I return. From syslog-ng@lists.balabit.hu Mon Aug 23 20:00:36 2004 From: syslog-ng@lists.balabit.hu (Ellis.Chris) Date: Mon, 23 Aug 2004 15:00:36 -0400 Subject: [syslog-ng]log viewing utilities? Message-ID: <1A2E9229979C6A478BAF337786FBF22B0368A446@njes1s5004.nhq.ci.gc.ca> Now that I have half of the equation solved (i.e. a better method of collecting log files using syslog-ng), does anyone have suggestions for the "other half", i.e. viewing tools that let me look at the log files without having to use grep with regular expressions and such? Compound text searches would be a great start... ! Thanks... 
Chris Ellis/ CIC Secure Perimeter From syslog-ng@lists.balabit.hu Mon Aug 23 20:08:38 2004 From: syslog-ng@lists.balabit.hu (Michael Arndt) Date: Mon, 23 Aug 2004 21:08:38 +0200 Subject: [syslog-ng]log viewing utilities? In-Reply-To: <1A2E9229979C6A478BAF337786FBF22B0368A446@njes1s5004.nhq.ci.gc.ca>; from Chris.Ellis@cic.gc.ca on Mon, Aug 23, 2004 at 03:00:36PM -0400 References: <1A2E9229979C6A478BAF337786FBF22B0368A446@njes1s5004.nhq.ci.gc.ca> Message-ID: <20040823210838.A72666@blnsrv1.science-computing.de> Have a look at php-syslog-ng www.vermeer.org hth Micha On Mon, Aug 23, 2004 at 03:00:36PM -0400, Ellis.Chris wrote: > Now that I have half of the equation solved (i.e. a better method of > collecting log files using syslog-ng), does anyone have suggestions for > the "other half", i.e. viewing tools that let me look at the log files > without having to use grep with regular expressions and such? Compound > text searches would be a great start... ! > > Thanks... Chris Ellis/ > CIC Secure Perimeter > _______________________________________________ > syslog-ng maillist - syslog-ng@lists.balabit.hu > https://lists.balabit.hu/mailman/listinfo/syslog-ng > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html > -- Michael Arndt Bereichsleiter IT-Services Berlin science + computing ag phone +49 30 72 62 38-50 Ehrenbergstrasse 19 fax +49 30 72 62 38-59 D-10245 Berlin, Germany m.arndt@science-computing.de www.science-computing.de From syslog-ng@lists.balabit.hu Wed Aug 25 17:02:45 2004 From: syslog-ng@lists.balabit.hu (Maarten Thibaut) Date: Wed, 25 Aug 2004 18:02:45 +0200 (CEST) Subject: [syslog-ng]offline mode? Message-ID: Hi, First of all, thanks for the neat software you guys make. Our organization is rolling out a mobile pc platform, we want some types of log events stored on a centralized server which is only reachable from the inside of our corporate network. 
So when the machine is not inside our network, the log entries need to be stored locally until such time as the centralized server is reachable. Then the logs get sent through. Can we do this with syslog-ng? From the features listed at your home page it would seem this is a standard feature... Is that right? -- maarten From syslog-ng@lists.balabit.hu Wed Aug 25 21:05:39 2004 From: syslog-ng@lists.balabit.hu (Russell Adams) Date: Wed, 25 Aug 2004 15:05:39 -0500 Subject: [syslog-ng]offline mode? In-Reply-To: References: Message-ID: <20040825200539.GJ22715@soja.ksnet.com.> I'd use a tree style log directory (/var/log/HOSTS/hostname/yyyy/mm/dd/loglevel), and then rsync to your central server when a connection is available. That way you're syncing full files, not one monolithic log file that changes while you read it. Russell On Wed, Aug 25, 2004 at 06:02:45PM +0200, Maarten Thibaut wrote: > Hi, > > First of all, thanks for the neat software you guys make. > > Our organization is rolling out a mobile pc platform, we want some types > of log events stored on a centralized server which is only reachable from > the inside of our corporate network. > > So when the machine is not inside our network, the log entries need to be > stored locally until such time as the centralized server is reachable. > Then the logs get sent through. > > Can we do this with syslog-ng? From the features listed at your home page > it would seem this is a standard feature... Is that right? > > -- > maarten > _______________________________________________ > syslog-ng maillist - syslog-ng@lists.balabit.hu > https://lists.balabit.hu/mailman/listinfo/syslog-ng > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html From syslog-ng@lists.balabit.hu Wed Aug 25 21:56:13 2004 From: syslog-ng@lists.balabit.hu (Jeremy Mates) Date: Wed, 25 Aug 2004 13:56:13 -0700 Subject: [syslog-ng]Re: offline mode? 
In-Reply-To: <20040825200539.GJ22715@soja.ksnet.com.> References: <20040825200539.GJ22715@soja.ksnet.com.> Message-ID: <20040825205613.GF94471@darkness.sial.org> * Russell Adams > I'd use a tree style log directory > (/var/log/HOSTS/hostname/yyyy/mm/dd/loglevel), and then rsync to your > central server when a connection is available. Agreed, though for laptops using a hostname might be difficult; the hostname of my OS X laptop changes quite often. Maybe set a hostname or other ID to use via a configuration system instead of using the "official" hostname. > That way you're syncing full files, not one monolithic log file that > changes while you read it. Yes, messages.x rotation does not work at all with rsync. From syslog-ng@lists.balabit.hu Wed Aug 25 22:34:04 2004 From: syslog-ng@lists.balabit.hu (Russell Adams) Date: Wed, 25 Aug 2004 16:34:04 -0500 Subject: [syslog-ng]Re: offline mode? In-Reply-To: <20040825205613.GF94471@darkness.sial.org> References: <20040825200539.GJ22715@soja.ksnet.com.> <20040825205613.GF94471@darkness.sial.org> Message-ID: <20040825213404.GN22715@soja.ksnet.com.> Actually, your laptop wouldn't be a problem. If you have a dynamic hostname, don't include the hostname in the path. Your laptop isn't running a syslog-ng server in order to centralize logs from multiple hosts... So just use /var/log/yyyy/mm/dd/loglevel. Then rsync that to a specific hostname directory on your central logserver (/var/log/HOSTS/hostname). Issue resolved. BTW, for reporting from trees of log files, I highly recommend Logmuncher ( http://www.cs.hmc.edu/~geoff/logmuncher.html ) for scanning log files. Its got a few features that allow it to grab messages from recent logs in log trees. Russell On Wed, Aug 25, 2004 at 01:56:13PM -0700, Jeremy Mates wrote: > * Russell Adams > > I'd use a tree style log directory > > (/var/log/HOSTS/hostname/yyyy/mm/dd/loglevel), and then rsync to your > > central server when a connection is available. 
> > Agreed, though for laptops using a hostname might be difficult; the > hostname of my OS X laptop changes quite often. Maybe set a hostname or > other ID to use via a configuration system instead of using the > "official" hostname. > > > That way you're syncing full files, not one monolithic log file that > > changes while you read it. > > Yes, messages.x rotation does not work at all with rsync. > _______________________________________________ > syslog-ng maillist - syslog-ng@lists.balabit.hu > https://lists.balabit.hu/mailman/listinfo/syslog-ng > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html From syslog-ng@lists.balabit.hu Thu Aug 26 10:23:04 2004 From: syslog-ng@lists.balabit.hu (Darren J. Wise) Date: Thu, 26 Aug 2004 10:23:04 +0100 Subject: [syslog-ng] Openbsd 3.5 on SPARC64 not login network hostname Message-ID: <20040826092304.GF11987@gre.ac.uk> Hi, I have a Sun Ultra 5 that I am setting up as a log server using OpenBSD 3.5 with the stable port of syslog-ng 1.5.24. In the syslog-ng.conf file I have got the following options: options { sync(0); time_reopen (10); log_fifo_size (1000); long_hostnames (no); use_dns (yes); use_fqdn (no); create_dirs(yes); chain_hostnames (no); keep_hostname (yes); perm (0600); }; And the following network related source, destination and log options: source s_net { udp(); }; destination d_net { file("/export/syslog-ng/$HOST/messages"); }; log { source(s_net); destination(d_net); }; I have got a Sparc Solaris 9 box and Linux box logging to this machine using the default Solaris/Linux syslog. The problem that I am seeing is that the log server logs all messages as if they have came from the localhost, an example from the Linux machine on the log server (loghost-test is the name of the log server) : Aug 24 12:53:38 loghost-test xfs: Entry deleted from font path. I have also compiled syslog-ng 1.6.5 with libol 0.3.14 and still get the same problem. Any help would be greatly appreciated. 
Thanks Darren From syslog-ng@lists.balabit.hu Thu Aug 26 12:37:29 2004 From: syslog-ng@lists.balabit.hu (Balazs Scheidler) Date: Thu, 26 Aug 2004 13:37:29 +0200 Subject: [syslog-ng] Openbsd 3.5 on SPARC64 not login network hostname In-Reply-To: <20040826092304.GF11987@gre.ac.uk> References: <20040826092304.GF11987@gre.ac.uk> Message-ID: <1093520249.9782.3.camel@bzorp.balabit> On Thu, 2004-08-26 at 11:23, Darren J. Wise wrote: > Hi, > > I have a Sun Ultra 5 that I am setting up as a log server using > OpenBSD 3.5 with the stable port of syslog-ng 1.5.24. > > In the syslog-ng.conf file I have got the following options: > > options { > sync(0); > time_reopen (10); > log_fifo_size (1000); > long_hostnames (no); > use_dns (yes); > use_fqdn (no); > create_dirs(yes); > chain_hostnames (no); > keep_hostname (yes); > perm (0600); > }; > > And the following network related source, destination and log options: > > source s_net { udp(); }; > destination d_net { file("/export/syslog-ng/$HOST/messages"); }; > log { source(s_net); destination(d_net); }; > > I have got a Sparc Solaris 9 box and Linux box logging to this > machine using the default Solaris/Linux syslog. > > The problem that I am seeing is that the log server logs all > messages as if they have came from the localhost, an example from the > Linux machine on the log server (loghost-test is the name of the log > server) : > > Aug 24 12:53:38 loghost-test xfs: Entry deleted from font path. > > I have also compiled syslog-ng 1.6.5 with libol 0.3.14 and still > get the same problem. > keep_hostname() tells syslog-ng not to touch the hostname as received from the network, except when there is no hostname at all, in which case it performs a reverse DNS lookup (if use_dns is enabled) and adds that hostname to the message. I'd first check how the log message is received from the network. (e.g. tcpdump) -- Bazsi From syslog-ng@lists.balabit.hu Thu Aug 26 14:33:22 2004 From: syslog-ng@lists.balabit.hu (Steven S.) 
Date: Thu, 26 Aug 2004 09:33:22 -0400 Subject: [syslog-ng] Openbsd 3.5 on SPARC64 not login network hostname In-Reply-To: <20040826092304.GF11987@gre.ac.uk> Message-ID: <005801c48b71$46293ed0$60895745@klap02> If you check -current ports for OpenBSD you'll find an update to 1.6.x. Unfortunately the problem you describe still exists for the sparc64 architecture. Oddly, it seems to work properly on i386. I lost access to my sparc64 box, so I am unable to troubleshoot further. -Steve S. Darren J. Wise wrote: > Hi, > > I have a Sun Ultra 5 that I am setting up as a log server using > OpenBSD 3.5 with the stable port of syslog-ng 1.5.24. > ... > The problem that I am seeing is that the log server logs all messages > as if they have came from the localhost, an example from the Linux > machine on the log server (loghost-test is the name of the log > server) : > > Aug 24 12:53:38 loghost-test xfs: Entry deleted from font path. > > I have also compiled syslog-ng 1.6.5 with libol 0.3.14 and still get > the same problem. > ... From syslog-ng@lists.balabit.hu Fri Aug 27 15:53:16 2004 From: syslog-ng@lists.balabit.hu (Rhugga) Date: Fri, 27 Aug 2004 09:53:16 -0500 Subject: [syslog-ng]Anyone Get Syslog-NG To Compile on Red Hat? Message-ID: <412F4ADC.4030109@sandiego420.com> I am trying to get syslog-ng 1.6.5 compiled on a RH 9 system. I compiled libol into /usr/local/libol-0.3.14. I tried the following configuration options when trying to build syslog-ng: ./configure --prefix=/usr/local/syslog-ng-1.6.5 --with-libol=/usr/local/libol-0.3.14/lib --with-libnet=/usr/local/libol-0.3.14/bin/ ./configure --prefix=/usr/local/syslog-ng-1.6.5 --with-libol=/usr/local/libol-0.3.14/lib --with-libnet=/usr/local/libol-0.3.14 ./configure --prefix=/usr/local/syslog-ng-1.6.5 --with-libol=/usr/local/libol-0.3.14/lib --with-libnet=/usr/local/libol-0.3.14/bin/libol-config Each time it complains that it cannot find libol-config: checking for strptime... yes checking for TCP wrapper library... 
-lwrap checking whether to enable Sun STREAMS support... no checking whether to enable Sun door support... no checking whether to enable TCP wrapper support... no checking whether to enable spoof_source support... no checking libol version >= 0.3.14... configure: error: libol-config not found in the specified location Here is libol-config: syslog:~/syslog-ng-1.6.5 #ls -la /usr/local/libol-0.3.14/bin/ total 36 drwxr-xr-x 2 root root 4096 Aug 27 07:22 . drwxr-xr-x 5 root root 4096 Aug 27 07:22 .. -rwxr-xr-x 1 root root 1288 Aug 27 07:22 libol-config -rwxr-xr-x 1 root root 24264 Aug 27 07:22 make_class It finds the libol library correctly, otherwise it dies before it reaches this error. It just doesn't properly detect libol-config. Anyone have any ideas? Thanks, CC From syslog-ng@lists.balabit.hu Fri Aug 27 17:42:03 2004 From: syslog-ng@lists.balabit.hu (Balazs Scheidler) Date: Fri, 27 Aug 2004 18:42:03 +0200 Subject: [syslog-ng]Anyone Get Syslog-NG To Compile on Red Hat? In-Reply-To: <412F4ADC.4030109@sandiego420.com> References: <412F4ADC.4030109@sandiego420.com> Message-ID: <1093624923.16538.1.camel@bzorp.balabit> On Fri, 2004-08-27 at 16:53, Rhugga wrote: > I am trying to get syslog-ng 1.6.5 compiled on a RH 9 system. I compiled > libol into /usr/local/libol-0.3.14. > > I tried the following configuration options when trying to build sysllg-ng: > ./configure --prefix=/usr/local/syslog-ng-1.6.5 > --with-libol=/usr/local/libol-0.3.14/lib > --with-libnet=/usr/local/libol-0.3.14/bin/ > /configure --prefix=/usr/local/syslog-ng-1.6.5 > --with-libol=/usr/local/libol-0.3.14/lib > --with-libnet=/usr/local/libol-0.3.14 > ./configure --prefix=/usr/local/syslog-ng-1.6.5 > --with-libol=/usr/local/libol-0.3.14/lib > --with-libnet=/usr/local/libol-0.3.14/bin/libol-config > > Each time is complains that it cannot find libol-config: > > > checking for strptime... yes > checking for TCP wrapper library... -lwrap > checking whether to enable Sun STREAMS support... 
no > checking whether to enable Sun door support... no > checking whether to enable TCP wrapper support... no > checking whether to enable spoof_source support... no > checking libol version >= 0.3.14... configure: error: libol-config not > found in the specified location > > Here is libol-config: > syslog:~/syslog-ng-1.6.5 #ls -la /usr/local/libol-0.3.14/bin/ > total 36 > drwxr-xr-x 2 root root 4096 Aug 27 07:22 . > drwxr-xr-x 5 root root 4096 Aug 27 07:22 .. > -rwxr-xr-x 1 root root 1288 Aug 27 07:22 libol-config > -rwxr-xr-x 1 root root 24264 Aug 27 07:22 make_class > > It finds the libol library correctly, otherwise it dies before it > reaches this error. It just doesn't properly detect libol-config. you have to specify the root directory of libol, or add the directory to libol-config to your current PATH. --with-libol is meant to be used when you don't install libol itself. --with-libnet is completely different, it is needed only if you specify --enable-spoof-source -- Bazsi From syslog-ng@lists.balabit.hu Fri Aug 27 18:05:43 2004 From: syslog-ng@lists.balabit.hu (Rhugga) Date: Fri, 27 Aug 2004 12:05:43 -0500 Subject: [syslog-ng]Anyone Get Syslog-NG To Compile on Red Hat? In-Reply-To: <1093624923.16538.1.camel@bzorp.balabit> References: <412F4ADC.4030109@sandiego420.com> <1093624923.16538.1.camel@bzorp.balabit> Message-ID: <412F69E7.8070306@sandiego420.com> Balazs Scheidler wrote: >On Fri, 2004-08-27 at 16:53, Rhugga wrote: > > >>I am trying to get syslog-ng 1.6.5 compiled on a RH 9 system. I compiled >>libol into /usr/local/libol-0.3.14. 
>>
>>I tried the following configuration options when trying to build syslog-ng:
>>./configure --prefix=/usr/local/syslog-ng-1.6.5
>>--with-libol=/usr/local/libol-0.3.14/lib
>>--with-libnet=/usr/local/libol-0.3.14/bin/
>>./configure --prefix=/usr/local/syslog-ng-1.6.5
>>--with-libol=/usr/local/libol-0.3.14/lib
>>--with-libnet=/usr/local/libol-0.3.14
>>./configure --prefix=/usr/local/syslog-ng-1.6.5
>>--with-libol=/usr/local/libol-0.3.14/lib
>>--with-libnet=/usr/local/libol-0.3.14/bin/libol-config
>>
>>Each time it complains that it cannot find libol-config:
>>
>>checking for strptime... yes
>>checking for TCP wrapper library... -lwrap
>>checking whether to enable Sun STREAMS support... no
>>checking whether to enable Sun door support... no
>>checking whether to enable TCP wrapper support... no
>>checking whether to enable spoof_source support... no
>>checking libol version >= 0.3.14... configure: error: libol-config not
>>found in the specified location
>>
>>Here is libol-config:
>>syslog:~/syslog-ng-1.6.5 #ls -la /usr/local/libol-0.3.14/bin/
>>total 36
>>drwxr-xr-x 2 root root 4096 Aug 27 07:22 .
>>drwxr-xr-x 5 root root 4096 Aug 27 07:22 ..
>>-rwxr-xr-x 1 root root 1288 Aug 27 07:22 libol-config
>>-rwxr-xr-x 1 root root 24264 Aug 27 07:22 make_class
>>
>>It finds the libol library correctly, otherwise it dies before it
>>reaches this error. It just doesn't properly detect libol-config.
>
>You have to specify the root directory of libol, or add the directory to
>libol-config to your current PATH. --with-libol is meant to be used when
>you don't install libol itself.
>
>--with-libnet is completely different, it is needed only if you specify
>--enable-spoof-source

Ahh, okay thanks.

-rhugga

From syslog-ng@lists.balabit.hu Fri Aug 27 18:07:41 2004
From: syslog-ng@lists.balabit.hu (Rhugga)
Date: Fri, 27 Aug 2004 12:07:41 -0500
Subject: [syslog-ng]Anyone Get Syslog-NG To Compile on Red Hat?
In-Reply-To: <1093624923.16538.1.camel@bzorp.balabit>
References: <412F4ADC.4030109@sandiego420.com> <1093624923.16538.1.camel@bzorp.balabit>
Message-ID: <412F6A5D.6090302@sandiego420.com>

Balazs Scheidler wrote:
>On Fri, 2004-08-27 at 16:53, Rhugga wrote:
>
>>I am trying to get syslog-ng 1.6.5 compiled on a RH 9 system. I compiled
>>libol into /usr/local/libol-0.3.14.
>>
>>I tried the following configuration options when trying to build syslog-ng:
>>./configure --prefix=/usr/local/syslog-ng-1.6.5
>>--with-libol=/usr/local/libol-0.3.14/lib
>>--with-libnet=/usr/local/libol-0.3.14/bin/
>>./configure --prefix=/usr/local/syslog-ng-1.6.5
>>--with-libol=/usr/local/libol-0.3.14/lib
>>--with-libnet=/usr/local/libol-0.3.14
>>./configure --prefix=/usr/local/syslog-ng-1.6.5
>>--with-libol=/usr/local/libol-0.3.14/lib
>>--with-libnet=/usr/local/libol-0.3.14/bin/libol-config
>>
>>Each time it complains that it cannot find libol-config:
>>
>>checking for strptime... yes
>>checking for TCP wrapper library... -lwrap
>>checking whether to enable Sun STREAMS support... no
>>checking whether to enable Sun door support... no
>>checking whether to enable TCP wrapper support... no
>>checking whether to enable spoof_source support... no
>>checking libol version >= 0.3.14... configure: error: libol-config not
>>found in the specified location
>>
>>Here is libol-config:
>>syslog:~/syslog-ng-1.6.5 #ls -la /usr/local/libol-0.3.14/bin/
>>total 36
>>drwxr-xr-x 2 root root 4096 Aug 27 07:22 .
>>drwxr-xr-x 5 root root 4096 Aug 27 07:22 ..
>>-rwxr-xr-x 1 root root 1288 Aug 27 07:22 libol-config
>>-rwxr-xr-x 1 root root 24264 Aug 27 07:22 make_class
>>
>>It finds the libol library correctly, otherwise it dies before it
>>reaches this error. It just doesn't properly detect libol-config.
>
>You have to specify the root directory of libol, or add the directory to
>libol-config to your current PATH. --with-libol is meant to be used when
>you don't install libol itself.
>
>--with-libnet is completely different, it is needed only if you specify
>--enable-spoof-source

Okay, I added the location of the file to my PATH and I get the same results:

Here is my PATH:

syslog:~/syslog-ng-1.6.5 #echo $PATH
/usr/local/libol-0.3.14/bin:/usr/java/bin:/usr/local/ant/bin:/usr/local/ssl/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin

Here you can see my shell can correctly resolve the location of libol-config:

syslog:~/syslog-ng-1.6.5 #which libol-config
/usr/local/libol-0.3.14/bin/libol-config

Any ideas?

Thanks,
rhugga

From syslog-ng@lists.balabit.hu Fri Aug 27 18:46:40 2004
From: syslog-ng@lists.balabit.hu (Rhugga)
Date: Fri, 27 Aug 2004 12:46:40 -0500
Subject: [syslog-ng]Question Regarding Syslog-NG Capabilities
Message-ID: <412F7380.1060006@sandiego420.com>

If I simply want to have the syslogd daemons on my Solaris boxes send their logs to a remote loghost running syslog-ng, I don't need syslog-ng on the Solaris boxes, correct?

So on my Solaris box, /etc/syslog.conf would contain an entry like this:

auth.info @loghost

Loghost of course would be defined in /etc/hosts and contain the IP address of the Linux system running syslog-ng.

Will this config work? Some of the documentation confused me, implying that syslog-ng is also needed on the client side. I will be using a standard TCP listener with syslog-ng on the loghost machine, likely using port 514.

Thanks,
rhugga

From syslog-ng@lists.balabit.hu Fri Aug 27 18:51:52 2004
From: syslog-ng@lists.balabit.hu (Russell Adams)
Date: Fri, 27 Aug 2004 12:51:52 -0500
Subject: [syslog-ng]Question Regarding Syslog-NG Capabilities
In-Reply-To: <412F7380.1060006@sandiego420.com>
References: <412F7380.1060006@sandiego420.com>
Message-ID: <20040827175152.GB26332@soja.ksnet.com.>

Syslog-ng on the Linux server, any syslog client on the other hosts. What you've described should work just fine.

Also, take a look at the Syslog-NG FAQ at:

http://www.campin.net/syslog-ng/faq.html

It's got some good suggestions for setup.

Lastly, take a peek at Logmuncher for monitoring your logs if you haven't chosen a monitoring tool yet.

Russell

On Fri, Aug 27, 2004 at 12:46:40PM -0500, Rhugga wrote:
>
> If I simply want to have the syslogd daemons on my Solaris boxes send
> their logs to a remote loghost running syslog-ng, I don't need syslog-ng
> on the Solaris boxes, correct?
>
> So on my Solaris box, /etc/syslog.conf would contain an entry like this:
>
> auth.info @loghost
>
> Loghost of course would be defined in /etc/hosts and contain the IP
> address of the Linux system running syslog-ng.
>
> Will this config work? Some of the documentation confused me, implying
> that syslog-ng is also needed on the client side. I will be using a
> standard TCP listener with syslog-ng on the loghost machine, likely
> using port 514.
>
> Thanks,
> rhugga
>
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

From syslog-ng@lists.balabit.hu Fri Aug 27 19:27:21 2004
From: syslog-ng@lists.balabit.hu (José Pedro Oliveira)
Date: Fri, 27 Aug 2004 19:27:21 +0100
Subject: [syslog-ng]Anyone Get Syslog-NG To Compile on Red Hat?
In-Reply-To: <412F4ADC.4030109@sandiego420.com>
References: <412F4ADC.4030109@sandiego420.com>
Message-ID: <412F7D09.8010604@di.uminho.pt>

Rhugga wrote:
> I am trying to get syslog-ng 1.6.5 compiled on a RH 9 system. I compiled
> libol into /usr/local/libol-0.3.14.
I have been maintaining SRPMS for RedHat/Fedora systems here:

http://gsd.di.uminho.pt/jpo/software/RPMS/

Notes:
* They compile fine in RH9 and FC2.
* The syslog-ng 1.6.5 is built without spoof support (without libnet).
* These SRPMS have been submitted for QA by the Fedora.us project. The bugzilla entries are the following:

  libol 0.3.14:
  https://bugzilla.fedora.us/show_bug.cgi?id=2014
  syslog-ng 1.6.5 (and 1.6.2):
  https://bugzilla.fedora.us/show_bug.cgi?id=1332
  old libol (0.3.13):
  http://bugzilla.fedora.us/show_bug.cgi?id=1331

Regards,
jpo
--
José Pedro Oliveira * mailto: jpo@di.uminho.pt * http://gsd.di.uminho.pt/~jpo *
* gpg fingerprint = F9B6 8D87 859D 1C94 48F0 84C0 9749 9EB5 91BD 851B *

From syslog-ng@lists.balabit.hu Fri Aug 27 20:31:48 2004
From: syslog-ng@lists.balabit.hu (Rhugga)
Date: Fri, 27 Aug 2004 14:31:48 -0500
Subject: [syslog-ng]Anyone Get Syslog-NG To Compile on Red Hat?
In-Reply-To: <412F7D09.8010604@di.uminho.pt>
References: <412F4ADC.4030109@sandiego420.com> <412F7D09.8010604@di.uminho.pt>
Message-ID: <412F8C24.8060601@sandiego420.com>

José Pedro Oliveira wrote:
> Rhugga wrote:
> > I am trying to get syslog-ng 1.6.5 compiled on a RH 9 system. I
> compiled
> > libol into /usr/local/libol-0.3.14.
>
> I have been maintaining SRPMS for RedHat/Fedora systems here:
>
> http://gsd.di.uminho.pt/jpo/software/RPMS/
>
> Notes:
> * They compile fine in RH9 and FC2.
> * The syslog-ng 1.6.5 is built without spoof support (without libnet).
> * These SRPMS have been submitted for QA by the Fedora.us
> project. The bugzilla entries are the following:
>
> libol 0.3.14:
> https://bugzilla.fedora.us/show_bug.cgi?id=2014
> syslog-ng 1.6.5 (and 1.6.2):
> https://bugzilla.fedora.us/show_bug.cgi?id=1332
> old libol (0.3.13)
> http://bugzilla.fedora.us/show_bug.cgi?id=1331
>
> Regards,
> jpo

Thanks. I managed to get it to build by hard-coding a bunch of stuff in the configure script and side-stepping some sanity checking code. It compiled cleanly but I have yet to test it under an enterprise load.

Thanks,
Chuck

From syslog-ng@lists.balabit.hu Sat Aug 28 01:32:02 2004
From: syslog-ng@lists.balabit.hu (Thomas Reidy)
Date: Fri, 27 Aug 2004 20:32:02 -0400
Subject: [syslog-ng]Automatic starting of syslog-ng
Message-ID: <44bfd4e8040827173262e6a886@mail.gmail.com>

Running on Red Hat 9.. the application is running, logging perfectly..

I built it w/o the RPMs, and need to know how to get this to start automatically during startup.. it's been a long day, so this may be obvious..

Am I right to assume if I reboot the box, I won't get logging until I manually start the script?

I could just put something simple in /etc/init.d, etc but need to know what the file should say.. the init scripts never just seem to launch the programs...

Thanks in advance...

--
--- Tom
t_r_e_i_d_y_@-g-m-a-i-l-.-c-o-m

From syslog-ng@lists.balabit.hu Sat Aug 28 04:15:03 2004
From: syslog-ng@lists.balabit.hu (Zeb Fletcher)
Date: Fri, 27 Aug 2004 22:15:03 -0500
Subject: [syslog-ng]Automatic starting of syslog-ng
In-Reply-To: <44bfd4e8040827173262e6a886@mail.gmail.com>
References: <44bfd4e8040827173262e6a886@mail.gmail.com>
Message-ID: <128bff2f0408272015d517e46@mail.gmail.com>

Here is the script from my Fedora 2 Core, you might need to edit it as needed.
#!/bin/sh
################################################################################
#
# Program: syslog-ng init script for Red Hat
#
################################################################################
# the following information is for use by chkconfig
# if you want to manage this through chkconfig (as you should), you must
# first add syslog-ng to chkconfig's list of startup scripts it
# manages by typing:
#
# chkconfig --add syslog-ng
#
# DO NOT CHANGE THESE LINES (unless you know what you are doing)
# chkconfig: 2345 12 88
# description: syslog-ng is the next generation of the syslog daemon. \
# syslog-ng gives you the flexibility of logging not only by facility and \
# severity, but also by host, message content, date, etc. it can also replace \
# klogd's function of logging kernel messages
#
# This following block of lines is correct, do not change! (for more info, see
# http://www.linuxbase.org/spec/refspecs/LSB_1.1.0/gLSB/facilname.html)
### BEGIN INIT INFO
# Provides: $syslog
### END INIT INFO
################################################################################
#
# This is an init script for syslog-ng on the Linux platform.
#
# It totally relies on the Redhat function library and works the same
# way as other typical Redhat init scripts.
#
#
# Platforms (tested): Linux (Redhat 7.3)
#
#
# Author: Gregor Binder
# Changed: October 10, 2000
#
# Last Changed: September 27, 2002
# Updated by: Diane Davidowicz
# changes: Brought the start script up to snuff as far as compliance
# with managing the startup script through chkconfig;
# added PATH variable ability to hook in path to syslog-ng (if
# it's necessary); converted init script format to the
# standard init script format in Red Hat (7.3 to be exact)
# including using the /etc/sysconfig/syslog-ng file to
# manage the arguments to syslog-ng without changing this
# script, and disabled klogd but noted where and under what
# conditions it should be enabled. HAPPY LOGGING.
#
# Copyright (c) 2000 by sysfive.com GmbH, All rights reserved.
#
#
################################################################################
#
# configuration
#
INIT_PROG=syslog-ng

#
# Source Redhat function library.
#
. /etc/rc.d/init.d/functions

# Tack on path to syslog-ng if not already in PATH
SYSLOGNG_PATH=":/sbin"
PATH=$PATH$SYSLOGNG_PATH
export PATH

# /etc/sysconfig/ is the standard way to pull in options for a daemon to use.
# Source config
if [ -f /etc/sysconfig/syslog-ng ] ; then
    . /etc/sysconfig/syslog-ng
else
    SYSLOGNG_OPTIONS=
fi

RETVAL=0
umask 077
ulimit -c 0

# See how we were called.
start() {
    echo -n "Starting $INIT_PROG: "
    daemon $INIT_PROG $SYSLOGNG_OPTIONS
    RETVAL=$?
    echo
    # syslog-ng can handle kernel messages. If you do this, don't
    # run klogd. Consult the following FAQ question to find out why.
    #
    # http://www.campin.net/syslog-ng/faq.html#klogd
    #
    # If you still prefer to run klogd without syslog-ng handling
    # kernel messages, uncomment the following block of lines
    #echo -n $"Starting kernel logger: "
    #daemon klogd $KLOGD_OPTIONS
    #echo
    [ $RETVAL -eq 0 ] && touch "/var/lock/subsys/${INIT_PROG}"
    return $RETVAL
}

stop() {
    # Same here concerning klogd. Uncomment the following block of
    # code if you are needing to run it
    #echo -n $"Shutting down kernel logger: "
    #killproc klogd
    #echo
    echo -n "Stopping $INIT_PROG: "
    killproc $INIT_PROG
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f "/var/lock/subsys/${INIT_PROG}"
    return $RETVAL
}

rhstatus() {
    status $INIT_PROG
}

restart() {
    stop
    start
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    rhstatus
    ;;
  restart|reload)
    restart
    ;;
  condrestart)
    [ -f /var/lock/subsys/syslog-ng ] && restart || :
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|restart|reload|condrestart}"
    exit 1
esac

exit $?

On Fri, 27 Aug 2004 20:32:02 -0400, Thomas Reidy wrote:
> Running on Red Hat 9.. the application is running, logging perfectly..
>
> I built it w/o the RPMs, and need to know how to get this to start
> automatically during startup.. it's been a long day, so this may be
> obvious..
>
> Am I right to assume if I reboot the box, I won't get logging until I
> manually start the script?
>
> I could just put something simple in /etc/init.d, etc but need to know
> what the file should say.. the init scripts never just seem to launch
> the programs...
>
> Thanks in advance...
>
> --
> --- Tom
> t_r_e_i_d_y_@-g-m-a-i-l-.-c-o-m

From syslog-ng@lists.balabit.hu Sat Aug 28 13:33:45 2004
From: syslog-ng@lists.balabit.hu (Jeffery P. Humes)
Date: Sat, 28 Aug 2004 07:33:45 -0500
Subject: [syslog-ng]Automatic starting of syslog-ng
In-Reply-To: <44bfd4e8040827173262e6a886@mail.gmail.com>
References: <44bfd4e8040827173262e6a886@mail.gmail.com>
Message-ID: <41307BA9.2090209@bofus.org>

There is a contributed init script in the source directory:
(I know it says RedHat-7.3, but it will work for 9)

# copy the init script into place
cp -p /syslog-ng-1.6.5/contrib/init.d.RedHat-7.3 /etc/init.d/syslog-ng

# make it executable (if it isn't already)
chmod +x /etc/init.d/syslog-ng

# turn off syslog (if you are completely replacing it)
chkconfig syslog off

# turn on syslog-ng at reboot time
chkconfig syslog-ng on

# stop syslog and start syslog-ng
/etc/init.d/syslog stop
/etc/init.d/syslog-ng start

Thomas Reidy wrote:
>Running on Red Hat 9.. the application is running, logging perfectly..
>
>I built it w/o the RPMs, and need to know how to get this to start
>automatically during startup.. it's been a long day, so this may be
>obvious..
>
>Am I right to assume if I reboot the box, I won't get logging until I
>manually start the script?
>
>I could just put something simple in /etc/init.d, etc but need to know
>what the file should say.. the init scripts never just seem to launch
>the programs...
>
>Thanks in advance...

From syslog-ng@lists.balabit.hu Mon Aug 30 01:44:10 2004
From: syslog-ng@lists.balabit.hu (Thomas Reidy)
Date: Sun, 29 Aug 2004 20:44:10 -0400
Subject: [syslog-ng]Automatic starting of syslog-ng
In-Reply-To: <41307BA9.2090209@bofus.org>
References: <44bfd4e8040827173262e6a886@mail.gmail.com> <41307BA9.2090209@bofus.org>
Message-ID: <44bfd4e804082917446701e839@mail.gmail.com>

Thanks to both of you... I'll give this a shot tonight...

--
--- Tom
t_r_e_i_d_y_@-g-m-a-i-l-.-c-o-m

On Sat, 28 Aug 2004 07:33:45 -0500, Jeffery P. Humes wrote:
> There is a contributed init script in the source directory:
> (I know it says RedHat-7.3, but it will work for 9)
>
> # copy the init script into place
> cp -p /syslog-ng-1.6.5/contrib/init.d.RedHat-7.3
> /etc/init.d/syslog-ng
>
> # make it executable (if it isn't already)
> chmod +x /etc/init.d/syslog-ng
>
> # turn off syslog (if you are completely replacing it)
> chkconfig syslog off
>
> # turn on syslog-ng at reboot time
> chkconfig syslog-ng on
>
> # stop syslog and start syslog-ng
> /etc/init.d/syslog stop
> /etc/init.d/syslog-ng start
>
> Thomas Reidy wrote:
>
> >Running on Red Hat 9.. the application is running, logging perfectly..
> >
> >I built it w/o the RPMs, and need to know how to get this to start
> >automatically during startup.. it's been a long day, so this may be
> >obvious..
> >
> >Am I right to assume if I reboot the box, I won't get logging until I
> >manually start the script?
> >
> >I could just put something simple in /etc/init.d, etc but need to know
> >what the file should say.. the init scripts never just seem to launch
> >the programs...
> >
> >Thanks in advance...

From syslog-ng@lists.balabit.hu Tue Aug 31 16:24:24 2004
From: syslog-ng@lists.balabit.hu (Laurent CARON)
Date: Tue, 31 Aug 2004 17:24:24 +0200
Subject: [syslog-ng]Logging to syslog without facility mail
Message-ID: <41349828.4000306@apartia.fr>

Hello

I'm trying to exclude certain messages from my syslog (facility mail which are inferior to warning).

I tried

filter f_syslog { not facility(auth, authpriv) and not facility(mail); };

It removes all the mail facility from syslog, and then

filter f_syslog { not facility(auth, authpriv) or facility(mail) and level(warn .. emerg); };

which is not better at all.
Does anyone have a clue about it?

Thanks

Laurent

From syslog-ng@lists.balabit.hu Tue Aug 31 17:45:49 2004
From: syslog-ng@lists.balabit.hu (Loic Minier)
Date: Tue, 31 Aug 2004 18:45:49 +0200
Subject: [syslog-ng]Logging to syslog without facility mail
In-Reply-To: <41349828.4000306@apartia.fr>
References: <41349828.4000306@apartia.fr>
Message-ID: <20040831164549.GC4581@via.ecp.fr>

Laurent CARON - Tue, Aug 31, 2004:
> filter f_syslog { not facility(auth, authpriv) and not facility(mail); };

This requests to keep only messages which aren't of facility auth or authpriv and which aren't of facility mail. A filter says which messages to keep. Matching messages are kept, the others are removed.

> filter f_syslog { not facility(auth, authpriv) or facility(mail) and
> level(warn .. emerg); };

This is ambiguous, because of the priority of and over or. I think it means to keep messages which aren't from facility auth or authpriv and also keep messages from facility mail with a level of at least warning. You should write it:

filter f_syslog { not facility(auth, authpriv) or (facility(mail) and level(warn .. emerg)); };

> I'm trying to exclude certain messages from my syslog (facility mail
> which are inferior to warning)

I would write two filters to do this:

filter f_mail { facility(mail); };
filter f_less_than_warn { level(debug..notice); };

and your filter would look like:

filter exclude_what_i_don_t_want { not( filter(f_mail) and filter(f_less_than_warn) ); };

Now if you've done some boolean logic, you probably know you can develop the not() like this:

filter exclude_what_i_don_t_want { not(filter(f_mail)) or not(filter(f_less_than_warn)); };

(sorry for missing ";" if there are some)

And you could decide that this is even clearer (with the appropriate f_at_least_warn):

filter exclude_what_i_don_t_want { not(filter(f_mail)) or filter(f_at_least_warn); };

Which basically means 'keep messages not coming from mail and also keep messages which are from level warn or above'.

Regards,
--
Loïc Minier
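The precedence point in this thread, as an added worked example (not code from the thread, and not syslog-ng's own parser): a small Python parser and evaluator for filter expressions of the kind quoted above, run over constructed sample messages so you can see which ones each filter keeps. It assumes, as the reply describes, that not binds tightest, and above or; the facility and level tables, the sample lines and the filter names are constructed for the example.

```python
# Added illustration (not code from the thread or from syslog-ng): a parser and
# evaluator for syslog-ng style filter expressions, run over constructed sample
# messages.  Precedence is assumed to be not > and > or, as the reply explains.
import re

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5, "authpriv": 10}  # PRI = fac*8 + sev
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
LEVEL_NAMES = {v: k for k, v in LEVELS.items() if k != "warn"}

# Constructed sample lines: auth.info, mail.info, mail.warning, mail.err, daemon.info.
SAMPLE_LINES = [
    "<38>Aug 31 17:01:02 mx1 sshd[2201]: Accepted publickey for ops",
    "<22>Aug 31 17:01:04 mx1 postfix/smtpd[2300]: connect from mta2",
    "<20>Aug 31 17:01:05 mx1 postfix/smtpd[2300]: warning: lookup failed",
    "<19>Aug 31 17:01:06 mx1 postfix/qmgr[2100]: fatal: queue unreadable",
    "<30>Aug 31 17:01:07 mx1 ntpd[1900]: synchronized to 192.0.2.1",
]
# Filters from the thread, in definition order (filter(name) refers back).
# f_ambiguous parses as: not facility(auth, authpriv) or (facility(mail) and level(warn .. emerg)).
FILTERS = [
    ("f_drop_all_mail", "not facility(auth, authpriv) and not facility(mail)"),
    ("f_ambiguous", "not facility(auth, authpriv) or facility(mail) and level(warn .. emerg)"),
    ("f_mail", "facility(mail)"),
    ("f_less_than_warn", "level(debug..notice)"),
    ("f_syslog", "not facility(auth, authpriv) and not (filter(f_mail) and filter(f_less_than_warn))"),
]

def parse_pri(line):
    """Return (facility, level, rest) from the <PRI> prefix of a raw syslog line."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("bad or missing <PRI>: %r" % line[:16])
    return int(m.group(1)) // 8, int(m.group(1)) % 8, m.group(2)

def parse(text, named):
    """AST builder: expr := term ('or' term)*; term := unary ('and' unary)*; unary := 'not' unary | '(' expr ')' | pred."""
    text = text.strip().rstrip(";")
    tokens = re.findall(r"\.\.|[A-Za-z_]\w*|[(),]", text)
    if "".join(tokens) != re.sub(r"\s+", "", text):
        raise ValueError("unexpected characters in %r" % text)
    def expect(want):
        if not tokens or tokens.pop(0) != want:
            raise ValueError("expected %r" % want)
    def chain(op, sub):  # left-associative run of one operator over sub()
        node = sub()
        while tokens and tokens[0] == op:
            tokens.pop(0)
            node = (op, node, sub())
        return node
    def expr():
        return chain("or", lambda: chain("and", unary))
    def unary():
        tok = tokens.pop(0) if tokens else None
        if tok == "not":
            return ("not", unary())
        if tok == "(":
            node = expr()
            expect(")")
            return node
        return predicate(tok)
    def predicate(name):
        expect("(")
        end = tokens.index(")")  # ValueError if the argument list is unterminated
        args, tokens[:end + 1] = tokens[:end], []  # consume the args and the ')'
        items = [[p.strip() for p in it.split("..")] for it in " ".join(args).split(",")]
        if name == "facility":
            return ("facility", {FACILITIES[it[0]] for it in items})
        if name == "level":  # single names or inclusive 'a .. b' ranges
            spans = [sorted((LEVELS[it[0]], LEVELS[it[-1]])) for it in items]
            return ("level", {c for lo, hi in spans for c in range(lo, hi + 1)})
        if name == "filter" and items[0][0] in named:
            return ("ref", items[0][0])
        raise ValueError("unsupported predicate or unknown filter: %r" % name)
    node = expr()
    if tokens:
        raise ValueError("trailing tokens: %r" % tokens)
    return node

def evaluate(node, facility, level, named):
    """Evaluate an AST against one message's facility and level codes."""
    kind, ev = node[0], lambda n: evaluate(n, facility, level, named)
    if kind in ("facility", "level"):
        return (facility if kind == "facility" else level) in node[1]
    if kind == "ref":
        return ev(named[node[1]])
    if kind == "not":
        return not ev(node[1])
    return (ev(node[1]) and ev(node[2])) if kind == "and" else (ev(node[1]) or ev(node[2]))

def kept_by(definitions, filter_name, lines):
    """facility.level labels of the sample lines that filter_name keeps."""
    named = {}
    for name, text in definitions:  # in order, so filter(name) can refer back
        named[name] = parse(text, named)
    decoded = [parse_pri(line)[:2] for line in lines]
    return ["%s.%s" % (FACILITY_NAMES[f], LEVEL_NAMES[l]) for f, l in decoded
            if evaluate(named[filter_name], f, l, named)]

if __name__ == "__main__":
    for fname in ("f_drop_all_mail", "f_ambiguous", "f_syslog"):
        print("%-16s keeps: %s" % (fname, ", ".join(kept_by(FILTERS, fname, SAMPLE_LINES))))
```

Running it shows why the second attempt "is not better at all": because and binds tighter, f_ambiguous keeps every mail message (the first disjunct already matches them all) and evaluates exactly like the explicitly parenthesised form given in the reply, while f_syslog, the two-filter exclusion combined with the auth/authpriv exclusion, drops mail.info and keeps mail.warning and mail.err.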