From syslog-ng@lists.balabit.hu Wed Dec 1 01:50:19 2004
From: syslog-ng@lists.balabit.hu (Timothy Webster)
Date: Tue, 30 Nov 2004 20:50:19 -0500
Subject: [syslog-ng]FYI: Performance
In-Reply-To: <20041130191310.GC22970@soja.ksnet.com.>
References: <4b9601ce041130082747a3f273@mail.gmail.com> <20041130191310.GC22970@soja.ksnet.com.>
Message-ID: <20041130205019.21a07fb3@delta.hk.office.outblaze.com>

Currently logging 39G a day and just keeping up, with minirsyslog.
The problem is the disk I/O is killing me. :(

Each byte requires 1 write, then 1 read to process and 1 read to compress, and finally 1/3 write:
1 + 1/3 writes and 2 reads.

I am using lzop compression; gzip just won't keep up.
And I avoid perl like the plague.
I have one second-stage data analyzer script in perl and it takes a good chunk of the resources.

Thinking of adding lzo compression directly into syslog-ng; with a fifo I can reduce my disk I/O to ~1/3 compressed byte per raw byte.

Does syslog-ng have a hope here performance-wise?

-tim

From syslog-ng@lists.balabit.hu Wed Dec 1 08:24:23 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Wed, 01 Dec 2004 09:24:23 +0100
Subject: [syslog-ng]FYI: Performance
In-Reply-To: <20041130205019.21a07fb3@delta.hk.office.outblaze.com>
References: <4b9601ce041130082747a3f273@mail.gmail.com> <20041130191310.GC22970@soja.ksnet.com.> <20041130205019.21a07fb3@delta.hk.office.outblaze.com>
Message-ID: <1101889462.2773.2.camel@bzorp.balabit>

On Wed, 2004-12-01 at 02:50, Timothy Webster wrote:
> Currently logging 39G a day and just keeping up, with
> minirsyslog. The problem is the disk I/O is killing me. :(
>
> Each byte requires 1 write, then 1 read to process and 1 read to
> compress, and finally 1/3 write:
> 1 + 1/3 writes and 2 reads.
>
> I am using lzop compression; gzip just won't keep up.
> And I avoid perl like the plague.
> I have one second-stage data analyzer script in perl and it
> takes a good chunk of the resources.
>
> Thinking of adding lzo compression directly into syslog-ng; with
> a fifo I can reduce my disk I/O to ~1/3 compressed byte per raw byte.
>
> Does syslog-ng have a hope here performance-wise?

Sigh. Yes and no. I have a nearly complete reimplementation of syslog-ng with nifty features and probably better performance and the possibility to add more features more easily. It's been sitting on my hard disk more or less unmodified for about two years now.

--
Bazsi

From syslog-ng@lists.balabit.hu Wed Dec 1 20:55:54 2004
From: syslog-ng@lists.balabit.hu (Xiaodong Lin)
Date: Wed, 1 Dec 2004 13:55:54 -0700
Subject: [syslog-ng]Syslog-ng log file rollover question

Hi all,

I am wondering whether anyone here knows how to configure syslog-ng to perform log file rollover. I was told that I can roll over a log file in syslog-ng by configuring syslog-ng in a format which includes time-related macros, such as $MONTH, $DAY, $HOUR, $MIN. For example:

destination snort { file("/var/snort/snort-$MONTH$DAY$HOUR$MIN"); };

In this case, the log file should roll over to a new file every minute. However, I found it doesn't work and syslog-ng keeps appending its received syslog messages into a log file, for example snort-08091208.

Does anyone know how to do it or figure out what I have done wrong? Or does syslog-ng support log file rollover?

Thanks!

Xiaodong
From syslog-ng@lists.balabit.hu Thu Dec 2 03:33:20 2004
From: syslog-ng@lists.balabit.hu (scott)
Date: Thu, 02 Dec 2004 13:33:20 +1000
Subject: [syslog-ng]Syslog-ng log file rollover question
Message-ID: <41AE8D00.1030001@slittle.com>

> Does anyone know how to do it or figure out what I have done wrong? Or
> does syslog-ng support the log file rollover?

Most programs don't rotate logs. The usual Unix way is to send the process a SIGHUP, and it will close and reopen its log file (as well as re-read its config file). There's no accuracy guarantee though, and doing it every minute will put a lid on performance. You're better off post-processing it into single files.

--
()  ASCII Ribbon Campaign
/\  against HTML email

From syslog-ng@lists.balabit.hu Thu Dec 2 09:43:47 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Thu, 02 Dec 2004 10:43:47 +0100
Subject: [syslog-ng]Syslog-ng log file rollover question
Message-ID: <1101980626.2875.16.camel@bzorp.balabit>

On Wed, 2004-12-01 at 21:55, Xiaodong Lin wrote:
> Hi all,
>
> I am wondering whether anyone here knows how to configure syslog-ng to
> perform log file rollover. I was told that I can roll over a log file
> in syslog-ng by configuring syslog-ng in a format which includes
> time-related macros, such as $MONTH, $DAY, $HOUR, $MIN. For example:
>
> destination snort { file("/var/snort/snort-$MONTH$DAY$HOUR$MIN"); };
>
> In this case, the log file should roll over to a new file every
> minute. However, I found it doesn't work and syslog-ng keeps appending
> its received syslog messages into a log file, for example
> snort-08091208.
>
> Does anyone know how to do it or figure out what I have done wrong? Or
> does syslog-ng support log file rollover?

It should work; however, the macros referenced above use the timestamp found in the log message itself, thus if a message carries an invalid timestamp you might see messages appearing in the wrong files. You might want to check out the S_ and R_ versions of the macros above (one refers to the timestamp of the message, the other to the time the message was received by syslog-ng).

--
Bazsi

From syslog-ng@lists.balabit.hu Thu Dec 2 14:13:08 2004
From: syslog-ng@lists.balabit.hu (Xiaodong Lin)
Date: Thu, 2 Dec 2004 07:13:08 -0700
Subject: [syslog-ng]Syslog-ng log file rollover question

Thanks, Bazsi! The R_ versions of the macros work.

Xiaodong

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
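As an added illustration of the point Bazsi makes (this is example code, not from the thread or from syslog-ng itself), the following models how file() path macros resolve for one BSD-syslog line: bare $MONTH etc. and the S_ variants follow the timestamp the sender wrote into the message, the R_ variants follow the receive time, so a sender with a wrong clock lands in a file named after its own clock, exactly the snort-08091208 symptom above. Assumptions: BSD-syslog input, receive-time fallback when the stamp does not parse, and the hostname check is this example's own (in the spirit of syslog-ng's check_hostname() option), since $HOST is sender-supplied text that ends up in a path in layouts like /slog/$YEAR$MONTH$DAY/$HOST/$FACILITY.

```python
import re
from datetime import datetime

# Constructed sample, not captured traffic: PRI 33 = auth.alert, and the
# sender's clock says Aug 9 while syslog-ng receives the line on Dec 1.
RECEIVED_AT = datetime(2004, 12, 1, 13, 55, 4)
SAMPLE_LINE = "<33>Aug  9 12:08:31 sensor1 snort[4242]: [1:1000001:1] test alert"

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: "local%d" % i for i in range(8)})

LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>"
                     r"(?P<stamp>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<msg>.*)$")
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")   # no '/', no leading '.'
MACRO_RE = re.compile(r"\$([A-Z][A-Z0-9_]*)")


def parse_stamp(stamp, received_at):
    """BSD syslog stamps carry no year, so borrow it from the receive time.
    Returns None when the stamp does not parse (e.g. 'Feb 30')."""
    try:
        return datetime.strptime("%d %s" % (received_at.year, stamp), "%Y %b %d %H:%M:%S")
    except ValueError:
        return None


def parse_line(line, received_at):
    """Split a BSD-syslog line into the fields the file() path macros draw on."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not a BSD syslog line")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError("PRI out of range")
    host = m["host"]
    # The hostname is sender-supplied and ends up in a path, so restrict it to
    # plain hostname characters and reject '..' (this example's own check).
    if not HOST_RE.fullmatch(host) or ".." in host:
        raise ValueError("hostname unsafe for a path: %r" % host)
    return {"facility": FACILITIES.get(pri // 8, str(pri // 8)), "level": LEVELS[pri % 8],
            "host": host, "msg": m["msg"],
            "sent_at": parse_stamp(m["stamp"], received_at), "received_at": received_at}


def _time_macros(prefix, t):
    return {prefix + "YEAR": "%04d" % t.year, prefix + "MONTH": "%02d" % t.month,
            prefix + "DAY": "%02d" % t.day, prefix + "HOUR": "%02d" % t.hour,
            prefix + "MIN": "%02d" % t.minute, prefix + "SEC": "%02d" % t.second}


def macro_values(rec):
    """Bare $MONTH etc. and the S_ macros follow the sender's stamp; the R_ macros
    follow the receive time. Unparsable stamp -> receive time (this example's rule)."""
    sent = rec["sent_at"] or rec["received_at"]
    vals = {"HOST": rec["host"], "FACILITY": rec["facility"], "LEVEL": rec["level"],
            "PRIORITY": rec["level"], "MSG": rec["msg"]}
    vals.update(_time_macros("", sent))
    vals.update(_time_macros("S_", sent))
    vals.update(_time_macros("R_", rec["received_at"]))
    return vals


def expand(template, rec):
    """Expand a syslog-ng style file() template for one parsed message."""
    vals = macro_values(rec)

    def sub(m):
        if m.group(1) not in vals:
            raise KeyError("macro not modelled here: $" + m.group(1))
        return vals[m.group(1)]
    return MACRO_RE.sub(sub, template)


def route(line, template, received_at=RECEIVED_AT):
    """Path the line would be appended to under the given template."""
    return expand(template, parse_line(line, received_at))


def accepted(line, received_at=RECEIVED_AT):
    """True if the line parses and its hostname is safe to use in a path."""
    try:
        parse_line(line, received_at)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for t in ("/var/snort/snort-$MONTH$DAY$HOUR$MIN",
              "/var/snort/snort-$R_MONTH$R_DAY$R_HOUR$R_MIN",
              "/slog/$YEAR$MONTH$DAY/$HOST/$FACILITY",
              "/slog/$R_YEAR$R_MONTH$R_DAY/$HOST/$FACILITY"):
        print("%-48s -> %s" % (t, route(SAMPLE_LINE, t)))
```

The sender-stamped template yields snort-08091208 for a line received on Dec 1, while the R_ template yields snort-12011355; for forensic use, the receive time is the value the collector can vouch for.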
From syslog-ng@lists.balabit.hu Thu Dec 2 23:18:54 2004
From: syslog-ng@lists.balabit.hu (Dave Johnson)
Date: Thu, 2 Dec 2004 17:18:54 -0600
Subject: [syslog-ng]FYI: Performance
In-Reply-To: <1101889462.2773.2.camel@bzorp.balabit>
References: <4b9601ce041130082747a3f273@mail.gmail.com> <20041130191310.GC22970@soja.ksnet.com.> <20041130205019.21a07fb3@delta.hk.office.outblaze.com> <1101889462.2773.2.camel@bzorp.balabit>
Message-ID: <90cdf79a0412021518ba4bfa9@mail.gmail.com>

Jay---

Yesterday, our email log server here did 47069024518 bytes or 176818253 lines a day.

Balazs -- Unfortunately we can't run non-production stuff to test out that secret code you have there, but would like to see that stuff make it to the stable series in the next year... =) I'm sure people wouldn't mind testing... ? In the lab, at least I can...

Which reminds me.. I still need to get some more named-pipe logging information, which seems to get lost somewhere....

- Dave

From syslog-ng@lists.balabit.hu Fri Dec 3 00:43:11 2004
From: syslog-ng@lists.balabit.hu (ravi pina)
Date: Thu, 2 Dec 2004 19:43:11 -0500
Subject: [syslog-ng]stripping domain name
Message-ID: <20041203004311.GA67345@happy.cow.org>

Does a combination of options exist to have the HOST macro return the hostname up to but not including the domain name? For example, I have host.site.domain.com, and with fqdn(yes) I get that, whereas with fqdn(no) I just get 'host'.

-r

From syslog-ng@lists.balabit.hu Fri Dec 3 10:11:15 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Fri, 03 Dec 2004 11:11:15 +0100
Subject: [syslog-ng]FYI: Performance
In-Reply-To: <90cdf79a0412021518ba4bfa9@mail.gmail.com>
References: <4b9601ce041130082747a3f273@mail.gmail.com> <20041130191310.GC22970@soja.ksnet.com.> <20041130205019.21a07fb3@delta.hk.office.outblaze.com> <1101889462.2773.2.camel@bzorp.balabit> <90cdf79a0412021518ba4bfa9@mail.gmail.com>
Message-ID: <1102068675.2905.7.camel@bzorp.balabit>

On Fri, 2004-12-03 at 00:18, Dave Johnson wrote:
> Jay---
>
> Yesterday, our email log server here did 47069024518 bytes or
> 176818253 lines a day.

Geee. How many mail messages generate this amount of log messages daily? My guess would be about 60-80 million. Hmm..
Your average message size is quite large (266 bytes). Is this some kind of free email service provider?

--
Bazsi

From syslog-ng@lists.balabit.hu Fri Dec 3 12:06:56 2004
From: syslog-ng@lists.balabit.hu (Jay Guerette)
Date: Fri, 3 Dec 2004 07:06:56 -0500
Subject: [syslog-ng]FYI: Performance
In-Reply-To: <90cdf79a0412021518ba4bfa9@mail.gmail.com>
References: <4b9601ce041130082747a3f273@mail.gmail.com> <20041130191310.GC22970@soja.ksnet.com.> <20041130205019.21a07fb3@delta.hk.office.outblaze.com> <1101889462.2773.2.camel@bzorp.balabit> <90cdf79a0412021518ba4bfa9@mail.gmail.com>
Message-ID: <4b9601ce04120304065a127b28@mail.gmail.com>

Any worries I had about syslog-ng handling growth are pretty much erased. :-)
Now I only have to worry about disk I/O and the load of the parsers...

From syslog-ng@lists.balabit.hu Fri Dec 3 12:27:37 2004
From: syslog-ng@lists.balabit.hu (Pavel Urban)
Date: Fri, 03 Dec 2004 13:27:37 +0100
Subject: [syslog-ng]FYI: Performance
In-Reply-To: <4b9601ce04120304065a127b28@mail.gmail.com>
References: <4b9601ce041130082747a3f273@mail.gmail.com> <20041130191310.GC22970@soja.ksnet.com.> <20041130205019.21a07fb3@delta.hk.office.outblaze.com> <1101889462.2773.2.camel@bzorp.balabit> <90cdf79a0412021518ba4bfa9@mail.gmail.com> <4b9601ce04120304065a127b28@mail.gmail.com>
Message-ID: <41B05BB9.1000700@mlp.cz>

About 40 million lines per day from 8 servers here. Centralized syslog-ng, running on a simple Dell PowerEdge 350 with IDE disks (SW RAID 0 on Linux). No performance problems, except for searching in logs.

Jay Guerette wrote:
> Any worries I had about syslog-ng handling growth are pretty much erased. :-)
> Now I only have to worry about disk I/O and the load of the parsers...
--
***********************************************************************
Pavel Urban (pavel.urban@ct.cz)
IOL system disaster
Internet OnLine, www.iol.cz (owned by Czech Telecom, www.ct.cz)
***********************************************************************
Vegetables should not operate electronic equipment.
Computer Stupidities, http://rinkworks.com/stupid/
***********************************************************************

From syslog-ng@lists.balabit.hu Fri Dec 3 12:44:00 2004
From: syslog-ng@lists.balabit.hu (Thomas Lohschmidt)
Date: Fri, 3 Dec 2004 13:44:00 +0100
Subject: [syslog-ng]Separator for $MSGONLY

Hi folks,

I've got a small feature request regarding the $MSGONLY macro. I've noticed there is a colon ':' hard-coded in macros.c as the separator between the preamble and the message content.

I would like to have this character configurable. We use a lot of Solaris boxes sending messages using the logger command, and it puts some additional information in brackets in front of the message which I don't want to see in my logfiles. So I hard-coded the closing bracket ']' into macros.c as a workaround to achieve the desired result.

It would be nice to have a parameter in the config file, say "msgonly_sep" or something like that, so I don't have to patch new releases of syslog-ng.

Regards
Thomas

The contents of this e-mail are confidential. If you are not the named addressee or if this transmission has been addressed to you in error, please notify the sender immediately and then delete this e-mail. Any unauthorized copying and transmission is forbidden. E-mail transmission cannot be guaranteed to be secure. If verification is required, please request a hard copy version.

From syslog-ng@lists.balabit.hu Fri Dec 3 15:24:27 2004
From: syslog-ng@lists.balabit.hu (Loïc Minier)
Date: Fri, 3 Dec 2004 16:24:27 +0100
Subject: [syslog-ng]Separator for $MSGONLY
Message-ID: <20041203152427.GC20241@via.ecp.fr>

Thomas Lohschmidt - Fri, Dec 03, 2004:
> I've got a small feature request regarding the $MSGONLY macro. I've noticed
> there is a colon ':' hard-coded in macros.c as the separator between the
> preamble and the message content.
> I would like to have this character configurable. We use a lot of Solaris
> boxes sending messages using the logger command, and it puts some additional
> information in brackets in front of the message which I don't want to see
> in my logfiles.

You can also configure your "log" kernel driver not to log this, but that's just a quick workaround if you're not interested in this information:
https://lists.balabit.hu/pipermail/syslog-ng/2004-March/005848.html

BR,
--
Loïc Minier

From syslog-ng@lists.balabit.hu Fri Dec 3 18:06:43 2004
From: syslog-ng@lists.balabit.hu (Bill Nash)
Date: Fri, 3 Dec 2004 10:06:43 -0800 (PST)
Subject: [syslog-ng]FYI: Performance
In-Reply-To: <4b9601ce04120304065a127b28@mail.gmail.com>
References: <4b9601ce041130082747a3f273@mail.gmail.com> <20041130191310.GC22970@soja.ksnet.com.> <20041130205019.21a07fb3@delta.hk.office.outblaze.com> <1101889462.2773.2.camel@bzorp.balabit> <90cdf79a0412021518ba4bfa9@mail.gmail.com> <4b9601ce04120304065a127b28@mail.gmail.com>

On Fri, 3 Dec 2004, Jay Guerette wrote:
> Any worries I had about syslog-ng handling growth are pretty much erased. :-)
> Now I only have to worry about disk I/O and the load of the parsers...

My daily throughput is about half of Dave's. Using a perl live analyzer, sporting almost 800 (well-organized) rules, a dual AMD 2800+ runs a load of about .7 at peak, with syslog-ng forking the incoming streams to the analyzer and to disk.

- billn

From syslog-ng@lists.balabit.hu Fri Dec 3 17:37:29 2004
From: syslog-ng@lists.balabit.hu (Dave Johnson)
Date: Fri, 3 Dec 2004 11:37:29 -0600
Subject: [syslog-ng]FYI: Performance
References: <4b9601ce041130082747a3f273@mail.gmail.com> <20041130191310.GC22970@soja.ksnet.com.> <20041130205019.21a07fb3@delta.hk.office.outblaze.com> <1101889462.2773.2.camel@bzorp.balabit> <90cdf79a0412021518ba4bfa9@mail.gmail.com> <4b9601ce04120304065a127b28@mail.gmail.com>
Message-ID: <90cdf79a0412030937448cccaf@mail.gmail.com>

For performance reasons we dump raw output to disk and don't use a live analyzer--

destination hosts {
        file("/slog/$YEAR$MONTH$DAY/$HOST/$FACILITY"
             owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
        );
};
destination useronlyhosts {
        file("/slog/$YEAR$MONTH$DAY/$HOST/$FACILITY"
             owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
             template("$MSG\n")
        );
};

And there are some valid reasons why we can't at this time (reporting tools are from a vendor and we are upgrading platform, logfile format changing/evolving, etc...)

-------------
Here are a set of machines that just handle incoming email connections (no content filtering):

/machine1/-rw-r--r--   1 root     root          9164 Dec  2 16:58 auth
/machine1/-rw-r--r--   1 root     root        125836 Dec  2 23:58 mail
/machine1/-rw-r--r--   1 root     root          1464 Dec  2 23:26 syslog
/machine1/-rw-r--r--   1 root     root    6186893798 Dec  3 00:00 user
/machine2/-rw-r--r--   1 root     root         76570 Dec  2 23:50 auth
/machine2/-rw-r--r--   1 root     root         68374 Dec  2 23:58 mail
/machine2/-rw-r--r--   1 root     root          2086 Dec  2 23:28 syslog
/machine2/-rw-r--r--   1 root     root    6173712608 Dec  3 00:00 user
/machine3/-rw-r--r--   1 root     root         76405 Dec  2 23:50 auth
/machine3/-rw-r--r--   1 root     root         29456 Dec  2 23:40 mail
/machine3/-rw-r--r--   1 root     root          1464 Dec  2 23:30 syslog
/machine3/-rw-r--r--   1 root     root    6195319607 Dec  3 00:00 user
/machine4/-rw-r--r--   1 root     root         76546 Dec  2 23:50 auth
/machine4/-rw-r--r--   1 root     root         29474 Dec  2 23:40 mail
/machine4/-rw-r--r--   1 root     root          1464 Dec  2 23:31 syslog
/machine4/-rw-r--r--   1 root     root    6183132276 Dec  3 00:00 user

* This "user" is actually from a couple of named pipe sources for that machine, and syslog-ng currently has no mechanism to change the facility for sources.
------------
* This is for a medium-sized ISP...
* These numbers are running on a central Sun V240 (dual 1.2Ghz) server running Sol9. Storage is to an EMC disk array with .5 TB allocated to this server.
* Balaz, yeah 266 bytes per syslog line average; for email volume, factor in:
  - Every day there are a few million connections blocked (ala rbls)
  - Content filtering information
  - Email errors/bouncing/etc...

Alright, so after all this is said and done, it's only a few million email messages a day...

And there are a few cpu-hours for this process--

Jul 09 ?  30241:34 /usr/local/sbin/syslog-ng
From syslog-ng@lists.balabit.hu Sat Dec 4 18:56:31 2004
From: syslog-ng@lists.balabit.hu (Mike Tremaine)
Date: Sat, 04 Dec 2004 10:56:31 -0800
Subject: [syslog-ng]Question about file handles, programs and time_reopen
Message-ID: <1102186590.2659.29.camel@dwarfstar.stellarcore.net>

I was doing a little experimenting on syslog-ng [syslog-ng-1.6.5-6 from rpm package] and was curious what happens if the destination object is destroyed. I read the config option "time_reopen" [mine is set to 10, I assume that is secs]; does this control all output options or just network connections?

2 examples.

If you have a log file that is removed while syslog-ng is running, is there a way to have syslog-ng re-create the file? I tried it and the file did not come back even though there was more data.

Same experiment with a program. syslog-ng forks a child program at start-up, but what happens if that child dies? I did a kill -9 just to see if it would detect the absence and try to re-fork.

If I want these features, do I need to look outside of syslog-ng [some sort of daemon watcher that will throw a HUP]?

Thanks,

Mike Tremaine

From syslog-ng@lists.balabit.hu Sat Dec 4 19:14:26 2004
From: syslog-ng@lists.balabit.hu (Jesse Molina)
Date: Sat, 04 Dec 2004 12:14:26 -0700
Subject: [syslog-ng]Question about file handles, programs and time_reopen
In-Reply-To: <1102186590.2659.29.camel@dwarfstar.stellarcore.net>
References: <1102186590.2659.29.camel@dwarfstar.stellarcore.net>
Message-ID: <41B20C92.4040304@opendreams.net>

Hi

You can always clear the file rather than actually removing it. Such as:

    > yerlog.log

or

    echo "" > yerlog.log

I realize that isn't what you were asking, but that's how I handle it for some log processing scripts that clear the log file upon processing.

You are correct in your assessment of how syslog-ng behaves with log file creation.

--
# Jesse Molina
# Mail = jesse@opendreams.net
# Page = page-jesse@opendreams.net
# Cell = 1.407.970.0280
# Web = http://www.opendreams.net/jesse/

From syslog-ng@lists.balabit.hu Sun Dec 5 13:35:03 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Sun, 05 Dec 2004 14:35:03 +0100
Subject: [syslog-ng]Question about file handles, programs and time_reopen
In-Reply-To: <1102186590.2659.29.camel@dwarfstar.stellarcore.net>
References: <1102186590.2659.29.camel@dwarfstar.stellarcore.net>
Message-ID: <1102253702.2684.3.camel@bzorp.balabit>

On Sat, 2004-12-04 at 19:56, Mike Tremaine wrote:
> I was doing a little experimenting on syslog-ng [syslog-ng-1.6.5-6 from
> rpm package] and was curious what happens if the destination object is
> destroyed. I read the config option "time_reopen" [mine is set to 10, I
> assume that is secs]; does this control all output options or just
> network connections?
>
> 2 examples.
>
> If you have a log file that is removed while syslog-ng is running, is
> there a way to have syslog-ng re-create the file? I tried it and the
> file did not come back even though there was more data.

You currently have to send a SIGHUP to syslog-ng for that.

> Same experiment with a program. syslog-ng forks a child program at
> start-up, but what happens if that child dies? I did a kill -9 just to
> see if it would detect the absence and try to re-fork.
>
> If I want these features, do I need to look outside of syslog-ng [some
> sort of daemon watcher that will throw a HUP]?

You need a daemon watcher that restarts the program if it exited, while keeping the stdin open.
--
Bazsi

From syslog-ng@lists.balabit.hu Mon Dec 6 11:59:39 2004
From: syslog-ng@lists.balabit.hu (Virgil)
Date: Mon, 6 Dec 2004 04:59:39 -0700
Subject: [syslog-ng]UNSUBSCRIBE.
Message-ID: <001001c4db8b$10962930$680fa8c0@PACKETEYE>

From syslog-ng@lists.balabit.hu Mon Dec 6 12:06:33 2004
From: syslog-ng@lists.balabit.hu (Conrad Tiflin (CF))
Date: Mon, 6 Dec 2004 14:06:33 +0200
Subject: [syslog-ng]UNSUBSCRIBE.
Message-ID: <4D2337DE44E0E1478F62D4840FA92E88015BF299@CNTRRA20-XCS00.telkom.co.za>

This e-mail and its contents are subject to the Telkom SA Limited e-mail legal notice available at
http://www.telkom.co.za/TelkomEMailLegalNotice.PDF
From syslog-ng@lists.balabit.hu Mon Dec 6 18:50:00 2004
From: syslog-ng@lists.balabit.hu (Mike Tremaine)
Date: Mon, 06 Dec 2004 10:50:00 -0800
Subject: [syslog-ng]Question about file handles, programs and time_reopen
In-Reply-To: <1102253702.2684.3.camel@bzorp.balabit>
References: <1102186590.2659.29.camel@dwarfstar.stellarcore.net> <1102253702.2684.3.camel@bzorp.balabit>
Message-ID: <1102359000.2654.61.camel@dwarfstar.stellarcore.net>

On Sun, 2004-12-05 at 05:35, Balazs Scheidler wrote:
> > Same experiment with a program. syslog-ng forks a child program at
> > start-up, but what happens if that child dies? I did a kill -9 just to
> > see if it would detect the absence and try to re-fork.
> >
> > If I want these features, do I need to look outside of syslog-ng [some
> > sort of daemon watcher that will throw a HUP]?
>
> You need a daemon watcher that restarts the program if it exited, while
> keeping the stdin open.

Thank you for the answer. Let me ask a follow-up. Do you think it would be possible to catch that event and re-fork the program or re-open a file handle in syslog-ng? I have not looked at the source code yet; that is my next task. But I'm asking in a theoretical way since you are the one who would know best.

Thanks again..

PS - I suppose this is why a named pipe is the preferred method, since it is more fault tolerant. Just to add more info, I was doing something like this:

destination d_mysql {
        program("/usr/bin/mysql -u user --password='password' database"
                template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
                template-escape(yes));
};

instead of the standard method of using a pipe and having another process read the pipe. This method is nice since you don't have to worry about restarting the reader if you restart syslog-ng.

--
Mike Tremaine mgt@stellarcore.net http://www.stellarcore.net
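To show what template-escape(yes) in the d_mysql destination above buys you, here is an added example (not from the thread or from syslog-ng's source) that renders Mike's INSERT template with and without escaping and reads it back the way a backslash-escaping SQL parser would. The escape rule is this example's model of the option (', " and \ prefixed with a backslash), and the field values are constructed; an ordinary error text with apostrophes is enough to break the unescaped statement.

```python
import re

# Mike's template, verbatim from the thread (minus the trailing newline).
INSERT_TEMPLATE = (
    "INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) "
    "VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', "
    "'$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );"
)

# Constructed field values for one message; the body carries the kind of
# apostrophes everyday error text contains, nothing exotic.
SAMPLE_FIELDS = {
    "HOST": "mail1", "FACILITY": "mail", "PRIORITY": "err", "LEVEL": "err", "TAG": "13",
    "YEAR": "2004", "MONTH": "12", "DAY": "06", "HOUR": "10", "MIN": "50", "SEC": "00",
    "PROGRAM": "postfix/smtpd", "MSG": "can't open mailbox 'bob'",
}


def template_escape(value):
    """Model of template-escape(yes): prefix ', \" and \\ with a backslash so the
    SQL server reads them as literal characters (assumption: these three)."""
    return re.sub(r"""(['"\\])""", r"\\\1", value)


def render(template, fields, escape):
    """Substitute $MACROS into the template, with or without escaping."""
    def sub(m):
        value = fields[m.group(1)]
        return template_escape(value) if escape else value
    return re.sub(r"\$([A-Z][A-Z0-9_]*)", sub, template)


def sql_values(statement):
    """Read back the VALUES (...) list as a backslash-escaping SQL parser would.
    Returns the list of literals; raises ValueError when the statement is
    malformed, i.e. log text escaped from its quotes."""
    i = statement.index("VALUES (") + len("VALUES (")
    values = []
    try:
        while True:
            while statement[i] == " ":
                i += 1
            if statement[i] != "'":
                raise ValueError("expected quoted literal at offset %d" % i)
            i += 1
            buf = []
            while statement[i] != "'":
                if statement[i] == "\\":      # backslash: take next char literally
                    i += 1
                buf.append(statement[i])
                i += 1
            i += 1
            values.append("".join(buf))
            while statement[i] == " ":
                i += 1
            if statement[i] == ",":
                i += 1
            elif statement[i] == ")":
                return values
            else:
                raise ValueError("unexpected %r after value %d" % (statement[i], len(values)))
    except IndexError:
        raise ValueError("unterminated literal") from None


def stored_msg(fields, escape):
    """The msg column the server would store, or None if the INSERT is malformed."""
    try:
        return sql_values(render(INSERT_TEMPLATE, fields, escape))[-1]
    except ValueError:
        return None


if __name__ == "__main__":
    for escape in (False, True):
        print("template-escape(%s): %r" % ("yes" if escape else "no",
                                          stored_msg(SAMPLE_FIELDS, escape)))
```

Even with escaping, the program() path still concatenates untrusted log text into SQL; a reader process on a named pipe that issues parameterised inserts keeps the message out of the statement entirely.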
From syslog-ng@lists.balabit.hu Tue Dec 7 08:29:22 2004
From: syslog-ng@lists.balabit.hu (wei)
Date: Tue, 7 Dec 2004 16:29:22 +0800
Subject: [syslog-ng]Can't receive syslog by UDP protocol
Message-ID: <20041207082947.D3B5812C240@www.balabit.hu>

Greeting!

I have set up my syslog-ng environment with the default syslog-ng.conf file. With the Linux default logger command, I can generate syslog to file.

But when I use a syslog client to send syslog to the syslog-ng server, I can't receive the log by UDP protocol. But I can get TCP protocol syslog. Could anyone tell me why?

Thanks!

My system is RedHat 9.0. The syslog client is Kiwi Syslog Gen in Windows. The following is part of my syslog.conf file:

source src {
        pipe("/proc/kmsg");
        unix-stream("/dev/log");
        internal();
        udp();
        tcp(port(5140) keep-alive(yes));
};

log {
        source(src);
        destination(file);
};
From syslog-ng@lists.balabit.hu Tue Dec 7 18:05:41 2004 From: syslog-ng@lists.balabit.hu (Xiaodong Lin) Date: Tue, 7 Dec 2004 11:05:41 -0700 Subject: [syslog-ng]Can't receive syslog by UDP protocol Message-ID:

I think you should use the following:

udp(ip(0.0.0.0) port(514));

instead of udp();

Xiaodong

________________________________
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of wei
Sent: Tuesday, December 07, 2004 3:29 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Can't receive syslog by UDP protocol

Greeting!

I have set up my syslog-ng environment with the default syslog-ng.conf file. With the Linux default logger command, I can generate syslog to a file.

But when I use a syslog client to send syslog to the syslog-ng server, I can't receive the log over the UDP protocol. But I can get TCP protocol syslog. Could anyone tell me why?

Thanks!

My system is RedHat 9.0. The syslog client is Kiwi Syslog Gen on Windows. The following is part of my syslog.conf file:

source src {
        pipe("/proc/kmsg");
        unix-stream("/dev/log");
        internal();
        udp();
        tcp(port(5140) keep-alive(yes));
};

log {
        source(src);
        destination(file);
};
From syslog-ng@lists.balabit.hu Tue Dec 7 21:58:46 2004 From: syslog-ng@lists.balabit.hu ("Manuel João S. Costa Amaro") Date: Tue, 07 Dec 2004 21:58:46 +0000 Subject: [syslog-ng]Can't receive syslog by UDP protocol In-Reply-To: References: Message-ID: <41B62796.4040700@sapo.pt>

It works with udp() also.

Maybe your UDP port is closed (firewall ?) ....





Xiaodong Lin wrote:
I think you should use the following:
udp(ip(0.0.0.0) port(514));
 
instead of udp();
 
Xiaodong


From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of wei
Sent: Tuesday, December 07, 2004 3:29 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Can't receive syslog by UDP protocol

Greeting!

 

I have set up my syslog-ng environment by the default syslog-ng.conf file. By the linux default logger command, I can generate syslog to file.

But when I use a syslog client send out syslog to the syslog-ng server, I can’t receive the log by UDP protocol. But I can get TCP protocol syslog. Could anyone tell me why?

 

Thanks!

 

My system is RedHat 9.0. The syslog client is Kiwi Syslog Gen in windows. The following is part of my syslog.conf file:

 

source src {

         pipe("/proc/kmsg");

         unix-stream("/dev/log");

         internal();

         udp();

         tcp(port(5140) keep-alive(yes));

};

 

log {

         source(src);

         destination(file);

};

From syslog-ng@lists.balabit.hu Wed Dec 8 00:52:57 2004 From: syslog-ng@lists.balabit.hu (wei) Date: Wed, 8 Dec 2004 08:52:57 +0800 Subject: [syslog-ng]Re: [syslog-ng]Can't receive syslog by UDP protocol In-Reply-To: <41B62796.4040700@sapo.pt> Message-ID: <20041208005320.CE42312C249@www.balabit.hu>

You are right!

It is really caused by my firewall setting, I have solved it.

The conf file has no error.

_____

From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Manuel João S. Costa Amaro
Sent: December 8, 2004 5:59
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Can't receive syslog by UDP protocol

It works with udp() also.

Maybe your UDP port is closed (firewall ?) ....

Xiaodong Lin wrote:
I think you should use the following:
udp(ip(0.0.0.0) port(514));

instead of udp();

Xiaodong

_____

From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of wei
Sent: Tuesday, December 07, 2004 3:29 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Can't receive syslog by UDP protocol

Greeting!

I have set up my syslog-ng environment with the default syslog-ng.conf file. With the Linux default logger command, I can generate syslog to a file.

But when I use a syslog client to send syslog to the syslog-ng server, I can't receive the log over the UDP protocol. But I can get TCP protocol syslog. Could anyone tell me why?

Thanks!

My system is RedHat 9.0. The syslog client is Kiwi Syslog Gen on Windows. The following is part of my syslog.conf file:

source src {
        pipe("/proc/kmsg");
        unix-stream("/dev/log");
        internal();
        udp();
        tcp(port(5140) keep-alive(yes));
};

log {
        source(src);
        destination(file);
};

From syslog-ng@lists.balabit.hu Wed Dec 8 04:44:51 2004 From: syslog-ng@lists.balabit.hu (torpedo) Date: Tue, 7 Dec 2004 22:44:51 -0600 Subject: [syslog-ng]Problem reading the source file("/etc/httpd/logs/access_log") Message-ID: <1102481091.41b686c39ff33@bluebottle.com>

Hi All,

I have installed syslog-ng 1.6.5. In the configuration file I have defined the source as /etc/httpd/logs/access_log and the destination as the terminal: /dev/tty1

Syslog-ng gets started with no problem but it does not log the information from the access_log file or any other log file ... I think there is a problem reading the file (but syslog-ng does not give any error) ... Please help me out

Thanks in advance
torpedo

From syslog-ng@lists.balabit.hu Wed Dec 8 15:42:59 2004 From: syslog-ng@lists.balabit.hu (scott) Date: Thu, 09 Dec 2004 01:42:59 +1000 Subject: [syslog-ng]repost: line truncation with spamd Message-ID: <41B72103.3040908@slittle.com>

Is anyone looking into this issue? To refresh your memory, all five of these entries appear on the same line:

2004-12-09T01:09:35+1000 chloe spamd[704]: connection from localhost [127.0.0.1] at port 40811 2004-12-09T01:09:35+1000 chloe spamd[13558]: info: setuid to slittle succeeded 2004-12-09T01:09:35+1000 chloe spamd[13558]: processing message <35089309.09501@cbuki@getherbalnow.info> for slittle:1000. 2004-12-09T01:09:36+1000 chloe spamd[13558]: identified spam (20.8/5.0) for slittle:1000 in 0.8 seconds, 1475 bytes. 2004-12-09T01:09:36+1000 chloe qmail: 1102514976.416174 new msg 12808775

From syslog-ng@lists.balabit.hu Wed Dec 8 19:49:47 2004
From: syslog-ng@lists.balabit.hu (Roberto Nibali) Date: Wed, 08 Dec 2004 20:49:47 +0100 Subject: [syslog-ng][PATCH] syslog-ng-1.6.5+20041206 fixes missing facility/priority in afinet.c Message-ID: <41B75ADB.5040607@tac.ch>

Hello,

Somehow we either forgot this piece or it dropped out of the CVS again ;). The inlined patch fixes a missing facility/priority addition for template expansion over the network in afinet.c

The goal is to be able to send the node name in each syslog message in order to distinguish the two systems: unfortunately when using templates in destination files, the facility/priority is lost.

This fixes it I hope:

--- syslog-ng-1.6.5+20041206/src/afinet.c 2004-08-05 13:35:12.000000000 +0200 +++ syslog-ng-1.6.5+20041206-fixed/src/afinet.c 2004-12-08 20:44:15.000000000 +0100 @@ -595,7 +595,8 @@ struct ol_string *msg_line; if (self->template_output) { - msg_line = c_format("%fS", + msg_line = c_format("<%i>%fS", + msg->pri, expand_macros( self->cfg, self->template_output,

I'm under the distinct impression that something like that has already been addressed in the past. Maybe it was a copy'n'paste error or so ...

Take care,
Roberto Nibali, ratz

--
-------------------------------------------------------------
addr://Rathausgasse 31, CH-5001 Aarau tel://++41 62 823 9355
http://www.terreactive.com fax://++41 62 823 9356
-------------------------------------------------------------
terreActive AG We secure your success
-------------------------------------------------------------
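Review bot: the `+ msg_line = c_format("<%i>%fS",` / `+ msg->pri,` change hard-codes a PRI header onto the `if (self->template_output)` branch, which is only reached when the user supplied a template, so any template that already carries the priority, or that is deliberately free-form for a non-syslog receiver, will now go out with a second `<pri>` prefix. Consider leaving `c_format("%fS", ...)` as it was and documenting that network templates must include the priority themselves, or gating the prefix behind an explicit destination option rather than applying it unconditionally.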
From syslog-ng@lists.balabit.hu Thu Dec 9 01:26:20 2004 From: syslog-ng@lists.balabit.hu (Jay Guerette) Date: Wed, 8 Dec 2004 20:26:20 -0500 Subject: [syslog-ng]Problem reading the source file("/etc/httpd/logs/access_log") In-Reply-To: <1102481091.41b686c39ff33@bluebottle.com> References: <1102481091.41b686c39ff33@bluebottle.com> Message-ID: <4b9601ce04120817264adaf18c@mail.gmail.com>

That is not a valid syslog source. No variation of options will make that work all by itself. A sample of your configuration would be helpful...

The 'file()' source driver is explained here:
http://www.balabit.com/products/syslog_ng/reference/reference.html#AEN279

The above reference demonstrates a method to feed web server logs into syslog-ng. Never having done it myself, I can only hope the documentation is up-to-date and correct.

On Tue, 7 Dec 2004 22:44:51 -0600, torpedo wrote:
> I have installed syslog-ng 1.6.5
> In the configuration file I have defined the source as
> /etc/httpd/logs/access_log
> and the destination as the terminal: /dev/tty1
>
> Syslog-ng gets started with no problem but it does not log the
> information from the access_log file or any other log file ... I
> think there is a problem reading the file (but syslog-ng does not give
> any error) ... Please help me out

From syslog-ng@lists.balabit.hu Thu Dec 9 15:00:43 2004
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu) Date: Thu, 9 Dec 2004 09:00:43 -0600 Subject: [syslog-ng]Problem reading the source file("/etc/httpd/logs/access_log") In-Reply-To: <4b9601ce04120817264adaf18c@mail.gmail.com> Message-ID:

The easiest way to get your apache logs into syslog is to simply enable the syslog option in apache. For example:

ErrorLog syslog[:facility]

Where facility is a valid syslog facility.
Note that when you do this, apache will no longer write a file out, but will ONLY log to syslog.

--
____________________________________________
Joe Reeves
Security Engineer II, IDS
Regions Technology Risk Management
Office: 334-956-6189
joe.reeves@regions.com
____________________________________________

"To err is human, but to really foul things up requires a computer."
~ Farmers' Almanac, 1978

Jay Guerette
Sent by: syslog-ng-admin@lists.balabit.hu
08/12/2004 19:26
Please respond to syslog-ng@lists.balabit.hu
To: syslog-ng@lists.balabit.hu
cc:
Subject: Re: [syslog-ng]Problem reading the source file("/etc/httpd/logs/access_log")

That is not a valid syslog source. No variation of options will make that work all by itself. A sample of your configuration would be helpful...

The 'file()' source driver is explained here:
http://www.balabit.com/products/syslog_ng/reference/reference.html#AEN279

The above reference demonstrates a method to feed web server logs into syslog-ng. Never having done it myself, I can only hope the documentation is up-to-date and correct.

On Tue, 7 Dec 2004 22:44:51 -0600, torpedo wrote:
> I have installed syslog-ng 1.6.5
> In the configuration file I have defined the source as
> /etc/httpd/logs/access_log
> and the destination as the terminal: /dev/tty1
>
> Syslog-ng gets started with no problem but it does not log the
> information from the access_log file or any other log file ... I
> think there is a problem reading the file (but syslog-ng does not give
> any error) ... Please help me out

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
From syslog-ng@lists.balabit.hu Thu Dec 9 15:50:16 2004 From: syslog-ng@lists.balabit.hu (Jay Guerette) Date: Thu, 9 Dec 2004 10:50:16 -0500 Subject: [syslog-ng]Problem reading the source file("/etc/httpd/logs/access_log") In-Reply-To: References: <4b9601ce04120817264adaf18c@mail.gmail.com> Message-ID: <4b9601ce04120907502f2297c6@mail.gmail.com>

That is only for error logs, but does not apply to access logs, which is what he was looking for.

On Thu, 9 Dec 2004 09:00:43 -0600, Joe.Reeves@regions.com wrote:
> The easiest way to get your apache logs into syslog is to simply enable the
> syslog option in apache. For example:
> ErrorLog syslog[:facility]
>
> Where facility is a valid syslog facility.
> Note that when you do this, apache will no longer write a file out, but will
> ONLY log to syslog.

From syslog-ng@lists.balabit.hu Thu Dec 9 17:04:17 2004 From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu) Date: Thu, 9 Dec 2004 11:04:17 -0600 Subject: [syslog-ng]Problem reading the source file("/etc/httpd/logs/access_log") In-Reply-To: <4b9601ce04120907502f2297c6@mail.gmail.com> Message-ID:

That was an _Example_. Here's the apache directive for the access logs:

TransferLog syslog[:facility]

This is all very basic apache config. Please see here for more:
http://httpd.apache.org/docs-2.0/mod/directives.html

cheers,

--
____________________________________________
Joe Reeves
Security Engineer II, IDS
Regions Technology Risk Management
Office: 334-956-6189
joe.reeves@regions.com
____________________________________________

"To err is human, but to really foul things up requires a computer."
~ Farmers' Almanac, 1978

Jay Guerette
Sent by: syslog-ng-admin@lists.balabit.hu
09/12/2004 09:50
Please respond to syslog-ng@lists.balabit.hu
To: syslog-ng@lists.balabit.hu
cc:
Subject: Re: [syslog-ng]Problem reading the source file("/etc/httpd/logs/access_log")

That is only for error logs, but does not apply to access logs, which is what he was looking for.

On Thu, 9 Dec 2004 09:00:43 -0600, Joe.Reeves@regions.com wrote:
> The easiest way to get your apache logs into syslog is to simply enable the
> syslog option in apache. For example:
> ErrorLog syslog[:facility]
>
> Where facility is a valid syslog facility.
> Note that when you do this, apache will no longer write a file out, but will
> ONLY log to syslog.
From syslog-ng@lists.balabit.hu Thu Dec 9 18:48:38 2004 From: syslog-ng@lists.balabit.hu (Jay Guerette) Date: Thu, 9 Dec 2004 13:48:38 -0500 Subject: [syslog-ng]Problem reading the source file("/etc/httpd/logs/access_log") In-Reply-To: References: <4b9601ce04120907502f2297c6@mail.gmail.com> Message-ID: <4b9601ce04120910487bb1df27@mail.gmail.com>

Um.... perhaps I'm confused; but the arguments for TransferLog from the page you referenced are listed as 'file|pipe'. Further, the word 'syslog' does not even appear anywhere on the page. The only place the word 'syslog' is used, in all of the Apache documentation, is in reference to error logging.

On Thu, 9 Dec 2004 11:04:17 -0600, Joe.Reeves@regions.com wrote:
> That was an _Example_. Here's the apache directive for the access logs:
>
> TransferLog syslog[:facility]
>
> This is all very basic apache config. Please see here for more:
> http://httpd.apache.org/docs-2.0/mod/directives.html

From syslog-ng@lists.balabit.hu Fri Dec 10 02:46:25 2004
From: syslog-ng@lists.balabit.hu (Igor Gueths) Date: Thu, 9 Dec 2004 21:46:25 -0500 Subject: [syslog-ng]Syslog-ng not receiving remote logs from stock Syslogd Message-ID: <20041210024625.GA23881@lava-net.com>

Hi all. I'm running the latest version of Syslog-ng (1.6.5). I've got all manner of local logging via unix-stream working just fine. My problem comes when I try and pull remote logs from a machine that's running the stock Syslogd, as shipped with Slackware-10.0. I first made sure my Iptables rules were accepting any traffic to UDP port 514. I then set up something like this in syslog-ng.conf. Note h14me is the hostname of the remote machine.

source h14me { udp(); };
destination h14melog { file("/var/log/h14me.log"); };
log { source(h14me); destination(h14melog); };

Syslog-ng -s didn't report any errors with this syntax, therefore I assumed it was correct. However, when I restart Syslog-ng I don't see an h14me.log file in /var/log. On the remote machine I did this:

@24.249.27.228

That was in /etc/syslog.conf. I had this type of setup going on another machine, however the difference was that I was running stock Syslogd as well. Does anyone know what I might be doing wrong here? Shouldn't Syslog-ng/regular Syslogd be able to communicate since they can both use the UDP standard? Should I instead specify the udp driver in the source that's already working, and then write a filter rule to take anything that comes from a given host and put it in its own logfile? Or should I be able to specify 2 completely separate sources? Thanks!

--
"The answer to life, the universe, and everything is 42." -- Douglas Adams

From syslog-ng@lists.balabit.hu Fri Dec 10 08:01:39 2004
From: syslog-ng@lists.balabit.hu (Conrad Tiflin (CF)) Date: Fri, 10 Dec 2004 10:01:39 +0200 Subject: [syslog-ng]Logging to from a windows host to syslog-ng Message-ID: <4D2337DE44E0E1478F62D4840FA92E88015BF2AA@CNTRRA20-XCS00.telkom.co.za>

Hello,

I presume sys-logging is not configured in the same way for Windows versus that of Unix.

Does anyone know where I can obtain info. on setting this up?

Thanks,
Conrad

==================================================================
This e-mail and its contents are subject to the Telkom SA Limited e-mail legal notice available at
http://www.telkom.co.za/TelkomEMailLegalNotice.PDF

From syslog-ng@lists.balabit.hu Fri Dec 10 14:26:19 2004 From: syslog-ng@lists.balabit.hu (Balazs Scheidler) Date: Fri, 10 Dec 2004 15:26:19 +0100 Subject: [syslog-ng][PATCH] syslog-ng-1.6.5+20041206 fixes missing facility/priority in afinet.c In-Reply-To: <41B75ADB.5040607@tac.ch> References: <41B75ADB.5040607@tac.ch> Message-ID: <1102688779.2766.5.camel@bzorp.balabit>

On Wed, 2004-12-08 at 20:49, Roberto Nibali wrote:
> Hello,
>
> Somehow we either forgot this piece or it dropped out of the CVS again ;). The
> inlined patch fixes a missing facility/priority addition for template expansion
> over the network in afinet.c
>
> The goal is to be able to send the node name in each syslog message in order to
> distinguish the two systems: unfortunately when using templates in destination
> files, the facility/priority is lost.
>
> This fixes it I hope:
>
> --- syslog-ng-1.6.5+20041206/src/afinet.c 2004-08-05 13:35:12.000000000 +0200 > +++ syslog-ng-1.6.5+20041206-fixed/src/afinet.c 2004-12-08 20:44:15.000000000 +0100
> @@ -595,7 +595,8 @@ > struct ol_string *msg_line; > > if (self->template_output) { > - msg_line = c_format("%fS", > + msg_line = c_format("<%i>%fS", > + msg->pri, > expand_macros( > self->cfg, > self->template_output, > > > I'm under the distinct impression that something like that has already been > addressed in the past. Maybe it was a copy'n'paste error or so ...

it was removed by intent, as that code path is processed when template() is specified by the user. if you want to include the pri/level then you need to add it into your template:

destination d_udp { udp("1.2.3.4" template("<$TAG>$DATE $HOST $MSG\n")); };

--
Bazsi

From syslog-ng@lists.balabit.hu Fri Dec 10 14:52:07 2004
From: syslog-ng@lists.balabit.hu (Ronnie Clark) Date: Fri, 10 Dec 2004 06:52:07 -0800 (PST) Subject: [syslog-ng]Logging to from a windows host to syslog-ng In-Reply-To: <4D2337DE44E0E1478F62D4840FA92E88015BF2AA@CNTRRA20-XCS00.telkom.co.za> Message-ID: <20041210145207.77339.qmail@web52509.mail.yahoo.com>

Conrad,

I have found an agent for getting Windows clients to send syslog messages to syslog-ng. It is here:

http://www.intersectalliance.com/projects/SnareWindows/index.html

I use it straight out of the box with no issues.

Ron Clark

--- "Conrad Tiflin (CF)" wrote:
> Hello,
>
> I presume sys-logging is not configured in the same way for Windows
> versus that of Unix.
>
> Does anyone know where I can obtain info. on setting this up?
>
> Thanks,
> Conrad
>
> ==================================================================
> This e-mail and its contents are subject to the Telkom SA Limited
> e-mail legal notice available at
> http://www.telkom.co.za/TelkomEMailLegalNotice.PDF

From syslog-ng@lists.balabit.hu Fri Dec 10 15:00:57 2004
From: syslog-ng@lists.balabit.hu (Ronnie Clark) Date: Fri, 10 Dec 2004 07:00:57 -0800 (PST) Subject: [syslog-ng]Syslog-NG / sqlsyslogd Date Issues Message-ID: <20041210150057.44174.qmail@web52506.mail.yahoo.com>

Hello all,

I am using syslog-ng on a FreeBSD 5.3 STABLE platform with the sqlsyslogd template to log syslog messages to a MySQL 4.0.22 database. I noticed that when the date rolled from Nov 30 to Dec 1, the actual messages were no longer being recorded. So I verified that the messages were being captured in the text files, and they were. Now that the date is the 10th (2 full digits), messages are again being logged into the database.

Is this a bug? Anyone else seen this type of behavior? I am pretty sure that it is not the OS causing the issue, since I have another syslog-ng server running on FreeBSD 4.x STABLE and saw the exact same errors on that as well.

Any help is greatly appreciated.

Thanks,
Ron Clark

From syslog-ng@lists.balabit.hu Fri Dec 10 16:20:09 2004
From: syslog-ng@lists.balabit.hu (Jesse Molina) Date: Fri, 10 Dec 2004 09:20:09 -0700 Subject: [syslog-ng]Logging to from a windows host to syslog-ng In-Reply-To: <4D2337DE44E0E1478F62D4840FA92E88015BF2AA@CNTRRA20-XCS00.telkom.co.za> References: <4D2337DE44E0E1478F62D4840FA92E88015BF2AA@CNTRRA20-XCS00.telkom.co.za> Message-ID: <20041210162009.GA18363@shoebox>

NTsyslog works great. It takes WinNT event log data and copies it over UDP/514 network transport to a standard remote syslog collector.

It's not click and go, but when you get it set up, it works.

http://ntsyslog.sourceforge.net/

On Fri, Dec 10, 2004 at 10:01:39AM +0200, Conrad Tiflin (CF) wrote:
> Hello,
>
> I presume sys-logging is not configured in the same way for Windows
> versus that of Unix.
>
> Does anyone know where I can obtain info. on setting this up?
>
> Thanks,
> Conrad
>
> ==================================================================
> This e-mail and its contents are subject to the Telkom SA Limited
> e-mail legal notice available at
> http://www.telkom.co.za/TelkomEMailLegalNotice.PDF

--
# Jesse Molina
# Mail = jesse@opendreams.net
# Page = page-jesse@opendreams.net
# Cell = 1.407.970.0280
# Web = http://www.opendreams.net/jesse/

From syslog-ng@lists.balabit.hu Fri Dec 10 16:32:48 2004
From: syslog-ng@lists.balabit.hu (Jay Guerette) Date: Fri, 10 Dec 2004 11:32:48 -0500 Subject: [syslog-ng]Logging to from a windows host to syslog-ng In-Reply-To: <20041210162009.GA18363@shoebox> References: <4D2337DE44E0E1478F62D4840FA92E88015BF2AA@CNTRRA20-XCS00.telkom.co.za> <20041210162009.GA18363@shoebox> Message-ID: <4b9601ce0412100832196829e0@mail.gmail.com>

Just to throw another option in:

https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/

After trying several, I settled on this one; perhaps because I found the source code the easiest to understand and customize. I've used it for a few years on several hundred servers with no issues.

On Fri, 10 Dec 2004 09:20:09 -0700, Jesse Molina wrote:
> NTsyslog works great. It takes WinNT event log data and copies it over
> UDP/514 network transport to a standard remote syslog collector.
>
> It's not click and go, but when you get it set up, it works.
>
> http://ntsyslog.sourceforge.net/

From syslog-ng@lists.balabit.hu Fri Dec 10 20:14:47 2004
From: syslog-ng@lists.balabit.hu (Bill Nash)
Date: Fri, 10 Dec 2004 12:14:47 -0800 (PST)
Subject: [syslog-ng]Syslog-NG / sqlsyslogd Date Issues
In-Reply-To: <20041210150057.44174.qmail@web52506.mail.yahoo.com>
References: <20041210150057.44174.qmail@web52506.mail.yahoo.com>

I'm not familiar with sqlsyslogd, but: is there a sanity check being performed on incoming messages that expects a two-digit date, typically 01, 02, etc.?

- billn

On Fri, 10 Dec 2004, Ronnie Clark wrote:
> Hello all,
>
> I am using syslog-ng on a FreeBSD 5.3 STABLE platform with the sqlsyslogd
> template to log syslog messages to a MySQL 4.0.22 database. I noticed that
> when the date rolled from Nov 30 to Dec 1, the actual messages were no
> longer being recorded. So I verified that the messages were being captured
> in the text files, and they were. Now that the date is the 10th (2 full
> digits), messages are again being logged into the database.
> Is this a bug? Anyone else seen this type of behavior?
> I am pretty sure that it is not the OS causing the issue, since I have
> another syslog-ng server running on FreeBSD 4.x STABLE and saw the exact
> same errors on that as well.
>
> Any help is greatly appreciated.
>
> Thanks,
> Ron Clark
>
> __________________________________
> Do you Yahoo!?
> Read only the mail you want - Yahoo! Mail SpamGuard.
> http://promotions.yahoo.com/new_mail

From syslog-ng@lists.balabit.hu Fri Dec 10 20:46:19 2004
From: syslog-ng@lists.balabit.hu (Jesse Molina)
Date: Fri, 10 Dec 2004 13:46:19 -0700
Subject: [syslog-ng]Logging to from a windows host to syslog-ng
In-Reply-To: <4b9601ce0412100832196829e0@mail.gmail.com>
References: <4D2337DE44E0E1478F62D4840FA92E88015BF2AA@CNTRRA20-XCS00.telkom.co.za> <20041210162009.GA18363@shoebox> <4b9601ce0412100832196829e0@mail.gmail.com>
Message-ID: <20041210204619.GA18638@shoebox>

That's 3. Thank you. It's very similar to ntsyslog in that it does the same thing. It's nice to have choices.

On Fri, Dec 10, 2004 at 11:32:48AM -0500, Jay Guerette wrote:
> Just to throw another option in:
>
> https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/
>
> After trying several, I settled on this one; perhaps because I found
> the source code the easiest to understand and customize. I've used it
> for a few years on several hundred servers with no issues.
>
> On Fri, 10 Dec 2004 09:20:09 -0700, Jesse Molina wrote:
> >
> > NTsyslog works great. It takes WinNT event log data and copies it over
> > UDP/514 network transport to a standard remote syslog collector.
> >
> > It's not click and go, but when you get it set up, it works.
> >
> > http://ntsyslog.sourceforge.net/

--
# Jesse Molina

From syslog-ng@lists.balabit.hu Mon Dec 13 08:44:06 2004
From: syslog-ng@lists.balabit.hu (Roberto Nibali)
Date: Mon, 13 Dec 2004 09:44:06 +0100
Subject: [syslog-ng][PATCH] syslog-ng-1.6.5+20041206 fixes missing facility/priority in afinet.c
In-Reply-To: <1102688779.2766.5.camel@bzorp.balabit>
References: <41B75ADB.5040607@tac.ch> <1102688779.2766.5.camel@bzorp.balabit>
Message-ID: <41BD5656.8090502@tac.ch>

Hi Bazsi,

>> I'm under the distinct impression that something like that has already been
>> addressed in the past. Maybe it was a copy'n'paste error or so ...
>
> it was removed by intent, as that code path is processed when template()
> is specified by the user. if you want to include the pri/level then you
> need to add it into your template:
>
> destination d_udp { udp("1.2.3.4" template("<$TAG>$DATE $HOST $MSG\n")); };

Colour me stupid, but this does not provide me with the same functionality. If I provide the prio/level (it's translated into hex when you read the tcpdump output, which I don't recall being valid by the specs), the code fails in log.c:

Jan 1 00:00:00 unparseable log message: \"<4e>Dec 13 07:05:01 [snip]\"

This is the code snippet that gets hit:

    if (left && src[0] == '<') {
            src++;
            left--;
            pri = 0;
            while (left && *src != '>') {
                    if (isdigit(*src)) {
                        ^^^^^^^
                        my tcpdump shows me 4e for my prio/level combo I send

                            pri = pri * 10 + ((*src) - '0');
                    }
                    else {
                            lm->msg = c_format_cstring("unparseable log message: \"%s\"",
                                                       length, data);
                            lm->pri = LOG_SYSLOG | LOG_ERR;
                            return;
                    }
                    src++;
                    left--;
            }
            lm->pri = pri;
            if (left) {
                    src++;
                    left--;
            }

Please consider applying the patch, or tell me what I'm missing. I'll patch my local copy of syslog-ng because I'm honestly unable to configure it the way you think it should be working.

Thanks and best regards,
Roberto Nibali, ratz
--
-------------------------------------------------------------
addr://Rathausgasse 31, CH-5001 Aarau            tel://++41 62 823 9355
http://www.terreactive.com                       fax://++41 62 823 9356
-------------------------------------------------------------
terreActive AG                       Wir sichern Ihren Erfolg
-------------------------------------------------------------

From syslog-ng@lists.balabit.hu Mon Dec 13 09:56:51 2004
From: syslog-ng@lists.balabit.hu (wei)
Date: Mon, 13 Dec 2004 17:56:51 +0800
Subject: [syslog-ng]How can I stop syslog-ng by command
Message-ID: <20041213095708.9D7C412C241@www.balabit.hu>

Hello everyone:

I have a simple question to ask you. Could you tell me a command to stop/start my syslog-ng server?

In my Syslog-ng 1.6.5, I can't use "syslog-ng stop" to stop my syslog-ng. I can only use kill, but I don't think it is a good idea.

Thx!!
From syslog-ng@lists.balabit.hu Mon Dec 13 12:31:05 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Mon, 13 Dec 2004 13:31:05 +0100
Subject: [syslog-ng][PATCH] syslog-ng-1.6.5+20041206 fixes missing facility/priority in afinet.c
In-Reply-To: <41BD5656.8090502@tac.ch>
References: <41B75ADB.5040607@tac.ch> <1102688779.2766.5.camel@bzorp.balabit> <41BD5656.8090502@tac.ch>
Message-ID: <1102941065.3165.13.camel@bzorp.balabit>

On Mon, 2004-12-13 at 09:44, Roberto Nibali wrote:
> Hi Bazsi,
>
> >> I'm under the distinct impression that something like that has already been
> >> addressed in the past. Maybe it was a copy'n'paste error or so ...
> >
> > it was removed by intent, as that code path is processed when template()
> > is specified by the user. if you want to include the pri/level then you
> > need to add it into your template:
> >
> > destination d_udp { udp("1.2.3.4" template("<$TAG>$DATE $HOST $MSG\n")); };
>
> Colour me stupid, but this does not provide me with the same functionality. If I
> provide the prio/level (it's translated into hex when you read the tcpdump
> output, which I don't recall being valid by the specs), the code fails in log.c:
>
> Jan 1 00:00:00 unparseable log message: \"<4e>Dec 13 07:05:01 [snip]\"
>
> This is the code snippet that gets hit:
>
>     if (left && src[0] == '<') {
>             src++;
>             left--;
>             pri = 0;
>             while (left && *src != '>') {
>                     if (isdigit(*src)) {
>                         ^^^^^^^
>                         my tcpdump shows me 4e for my prio/level combo I send
>
>                             pri = pri * 10 + ((*src) - '0');
>                     }
>                     else {
>                             lm->msg = c_format_cstring("unparseable log message: \"%s\"",
>                                                        length, data);
>                             lm->pri = LOG_SYSLOG | LOG_ERR;
>                             return;
>                     }
>                     src++;
>                     left--;
>             }
>             lm->pri = pri;
>             if (left) {
>                     src++;
>                     left--;
>             }
>
> Please consider applying the patch, or tell me what I'm missing. I'll patch my
> local copy of syslog-ng because I'm honestly unable to configure it the way you
> think it should be working.
>
> Thanks and best regards,

sorry, it is not the TAG macro, but the PRI macro, so it should read:

template("<$PRI>$DATE $HOST $MSG\n");

--
Bazsi

From syslog-ng@lists.balabit.hu Mon Dec 13 13:23:52 2004
From: syslog-ng@lists.balabit.hu (=?big5?B?taOlw6pA?=)
Date: Mon, 13 Dec 2004 21:23:52 +0800 (CST)
Subject: [syslog-ng]How can I stop syslog-ng by command
Message-ID: <1102944232.69843.ystung@mail2000.com.tw>

In FreeBSD, you may be able to use /usr/local/etc/rc.d/syslog-ng.sh [start|stop]

-----Original message-----
From: wei
To: syslog-ng
Date: Mon, 13 Dec 2004 17:56:51 +0800
Subject: [syslog-ng]How can I stop syslog-ng by command

Hello everyone:

I have a simple question to ask you. Could you tell me a command to stop/start my syslog-ng server?

In my Syslog-ng 1.6.5, I can't use "syslog-ng stop" to stop my syslog-ng. I can only use kill, but I don't think it is a good idea.

Thx!!

From syslog-ng@lists.balabit.hu Mon Dec 13 13:25:06 2004
From: syslog-ng@lists.balabit.hu (=?big5?B?taOlw6pA?=)
Date: Mon, 13 Dec 2004 21:25:06 +0800 (CST)
Subject: [syslog-ng]A remote logging problem..
Message-ID: <1102944306.70407.ystung@mail2000.com.tw>

hi ... I am a newbie in syslog-ng.
I met some problems configuring syslog-ng.
I have three machines: A is inside NAT, B is the NAT server, C is the loghost outside NAT.
B forwards log messages from A to C.

A's syslog-ng.conf setting:

options { long_hostnames(off); sync(0); };
source src { unix-dgram("/var/run/log"); udp(); internal(); file("/dev/klog"); };
destination loghost { udp("B" port(514)); };
log { source(src); destination(loghost); };

B's syslog-ng.conf setting:

options { chain_hostnames(yes);
          keep_hostname(no);
          long_hostnames(off);
          sync(0);
          use_dns(yes);
          use_fqdn(yes);
        };
source src { unix-dgram("/var/run/log"); internal(); file("/dev/klog"); };
source fwd { udp(ip(10.1.1.254) port(514)); };
destination loghost { udp("C" port(514)); };
log { source(src); source(fwd); destination(loghost); };

C's syslog-ng.conf setting:

options { chain_hostnames(yes);
          keep_hostname(no);
          create_dirs(yes);
          long_hostnames(off);
          sync(0);
          use_dns(yes);
          use_fqdn(yes);
        };
source src { unix-dgram("/var/run/log"); udp(); internal(); file("/dev/klog"); };
destination all { file("/var/log/all.log"); };
log { source(src); destination(all); };

All three machines are FreeBSD machines: A is FreeBSD 5.3, B is FreeBSD 4.11, C is FreeBSD 4.10.
The syslog-ng versions are the same (syslog-ng 1.6.5).

The FAQ says that:

                     keep_hostname(yes)   keep_hostname(no)
chain_hostname(yes)  server               server/server2
chain_hostname(no)   server               server2

I have seen that FAQ, but I cannot produce a log record like scr@host1/host2.
When root logs in at machine A, syslog-ng records this action, but...

A ==> Dec 13 20:42:36 A login: ROOT LOGIN (root) ON ttyv0
B ==> Dec 13 20:42:36 10.1.1.11 login: login on ttyv0 as root
      Dec 13 20:42:36 10.1.1.11 login: ROOT LOGIN (root) ON ttyv0
      Dec 13 20:42:36 10.1.1.11 login: ROOT LOGIN (root) ON ttyv0
C ==> Dec 13 20:42:36 B login: login on ttyv0 as root
      Dec 13 20:42:36 B login: ROOT LOGIN (root) ON ttyv0
      Dec 13 20:42:36 C login: ROOT LOGIN (root) ON ttyv0
      Dec 13 20:42:36 B login: ROOT LOGIN (root) ON ttyv0

(B and C are their hostnames)

It seems quite strange.
Can someone help me? Thanks a lot.
(sorry for my poor English ^^")

From syslog-ng@lists.balabit.hu Mon Dec 13 13:51:17 2004
From: syslog-ng@lists.balabit.hu (Roberto Nibali)
Date: Mon, 13 Dec 2004 14:51:17 +0100
Subject: [syslog-ng][PATCH] syslog-ng-1.6.5+20041206 fixes missing facility/priority in afinet.c
In-Reply-To: <1102941065.3165.13.camel@bzorp.balabit>
References: <41B75ADB.5040607@tac.ch> <1102688779.2766.5.camel@bzorp.balabit> <41BD5656.8090502@tac.ch> <1102941065.3165.13.camel@bzorp.balabit>
Message-ID: <41BD9E55.1090900@tac.ch>

Hello,

Thanks for the prompt reply. Unfortunately it does not solve the problem.

> sorry, it is not the TAG macro, but the PRI macro, so it should read:
> template("<$PRI>$DATE $HOST $MSG\n");

Sorry, I don't want to be a pest, and I only did short debugging since I have no time to look through the code. Even with $PRI expansion it does not work. In fact, contrary to $TAG, it is not even submitted through macros.c. I've sprinkled a few printf()'s into macros.c to see if we hit the relevant code, but we don't:

static void
expand_macro(struct syslog_config *cfg, int id, int escape, char **dest,
             unsigned int *left, struct log_info *msg)
{
        int length = 0;

        printf("DEBUG: this is the id '%d'\n", id);
        switch (id) {
        case M_FACILITY: {
                /* facility */
                char *n = syslog_lookup_value(msg->pri & LOG_FACMASK, sl_facilities);
                if (n) {
                        length = append_string(dest, left, n, strlen(n), 0);
                }
                else {
                        length = snprintf(*dest, *left, "%x", (msg->pri & LOG_FACMASK) >> 3);
                }
                break;
        }
        case M_LEVEL: {
                /* level */
                char *n = syslog_lookup_value(msg->pri & LOG_PRIMASK, sl_levels);
                if (n) {
                        length = append_string(dest, left, n, strlen(n), 0);
                }
                else {
                        /* should never happen */
                        length = snprintf(*dest, *left, "%d", msg->pri & LOG_PRIMASK);
                }
                break;
        }
        case M_TAG: {
                printf("DEBUG: I'm in M_TAG in macros.c\n");
                length = snprintf(*dest, *left, "%02x", msg->pri);
                break;
        }
        case M_PRI: {
                printf("DEBUG: I'm in M_PRI in macros.c\n");
                length = snprintf(*dest, *left, "%d", msg->pri);
                break;
        }

When I start syslog-ng as follows:

# /sbin/syslog-ng -F -f /etc/syslog-ng.conf

I get the output (regarding the line: tcp("X.Y.W.Z" port(1514) template("<$PRI>$DATE $HOST $TAG $MSG\n"));):

DEBUG: this is the id '30'
DEBUG: this is the id '20'
DEBUG: I'm in M_TAG in macros.c
DEBUG: this is the id '440'
DEBUG: this is the id '480'

The real syslog-ng.conf is huge, but the line above is the only part where I have macro expansion, so I know that I fall through that destination. As you can see, I do not get the id '21', which would be M_PRI. It seems to be lost. If I check with

tcpdump -X -s 1500 -n -i eth0 tcp and port 1514

I get something like the following line:

<>Dec 13 12:57:01 hostname app[1213]:

Look, to me it looks like maybe msg->pri is not available at expansion time. Maybe I also did something extremely stupid, but I honestly have no time to debug it any further right now, and the patch I've sent earlier solves my problem.

I'll check once again though to see if I really missed something obvious :).

Best regards,
Roberto Nibali, ratz
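The two macro formats in expand_macro() above and the log.c parse loop quoted earlier in this thread, worked through as an added example (not syslog-ng code): it encodes a facility/level pair as $PRI ("%d") and as $TAG ("%02x") would, then parses the header back with the log.c rules. The function names are mine; the 3-digit/191 bound and the requirement for a closing '>' are additions log.c does not make.

```c
/* Added example, not syslog-ng code: BSD syslog "<PRI>" header handling.
 * format_pri_decimal() mirrors the M_PRI case above ("%d"), format_pri_hex()
 * the M_TAG case ("%02x"); parse_pri() follows the log.c loop quoted earlier
 * in this thread (decimal digits only between '<' and '>'), plus two checks
 * log.c does not make: at most 3 digits / value <= 191 (RFC 3164), and the
 * closing '>' must be present. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define PRI_UNPARSEABLE (-1)
#define PRI_MAX 191                      /* (23 << 3) | 7 */

int format_pri_decimal(int pri, char *out, size_t outlen)
{
    return snprintf(out, outlen, "<%d>", pri);
}

/* What "<$TAG>" in a template produces: fine as a tag, wrong as a PRI. */
int format_pri_hex(int pri, char *out, size_t outlen)
{
    return snprintf(out, outlen, "<%02x>", pri);
}

/* Returns the number of header bytes consumed (0 when there is no header,
 * in which case *pri gets the RFC 3164 default 13 = user.notice), or
 * PRI_UNPARSEABLE.  Note that "<>" is accepted as PRI 0 (kern.emerg),
 * exactly as the log.c loop accepts it; that is what an unresolved $PRI
 * macro sends, as in the "<>Dec 13 ..." tcpdump line above. */
int parse_pri(const char *msg, size_t len, int *pri)
{
    size_t i;
    int value = 0, digits = 0;

    if (len == 0 || msg[0] != '<') {
        *pri = LOG_USER | LOG_NOTICE;
        return 0;
    }
    for (i = 1; i < len && msg[i] != '>'; i++) {
        if (!isdigit((unsigned char)msg[i]) || ++digits > 3)
            return PRI_UNPARSEABLE;      /* the 'e' in "<4e>" lands here */
        value = value * 10 + (msg[i] - '0');
    }
    if (i >= len || value > PRI_MAX)     /* no closing '>' or out of range */
        return PRI_UNPARSEABLE;
    *pri = value;
    return (int)i + 1;
}

int pri_facility(int pri) { return (pri & LOG_FACMASK) >> 3; }
int pri_level(int pri)    { return pri & LOG_PRIMASK; }

/* NUL-terminated convenience wrapper: the PRI value or PRI_UNPARSEABLE. */
int pri_of(const char *msg)
{
    int pri;
    return parse_pri(msg, strlen(msg), &pri) == PRI_UNPARSEABLE ? PRI_UNPARSEABLE : pri;
}

/* Format a PRI in either macro style, prepend it to a constructed message
 * and parse it back: returns what a log.c-style receiver would record. */
int roundtrip(int pri, int use_hex)
{
    char buf[80];
    if (use_hex)
        format_pri_hex(pri, buf, sizeof buf);
    else
        format_pri_decimal(pri, buf, sizeof buf);
    strcat(buf, "Dec 13 07:05:01 host app[1213]: constructed sample");
    return pri_of(buf);
}

int main(void)
{
    int pri = LOG_CRON | LOG_INFO;       /* 72 + 6 = 78 = 0x4e, the value seen in tcpdump */
    int got;

    got = roundtrip(pri, 0);
    printf("$PRI style <%d>: facility %d level %d\n", pri, pri_facility(got), pri_level(got));
    got = roundtrip(pri, 1);
    printf("$TAG style <%02x>: %s\n", pri,
           got == PRI_UNPARSEABLE ? "unparseable log message" : "ok");
    /* hex that happens to contain only digit characters is not rejected, just misread */
    got = roundtrip(LOG_MAIL | LOG_EMERG, 1);   /* 16 -> "<10>" */
    printf("mail.emerg sent as <10>: facility %d level %d\n", pri_facility(got), pri_level(got));
    return 0;
}
```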
From: syslog-ng@lists.balabit.hu (Ronnie Clark)
Date: Mon, 13 Dec 2004 06:05:15 -0800 (PST)
Subject: [syslog-ng]Syslog-NG / sqlsyslogd Date Issues
Message-ID: <20041213140515.80051.qmail@web52508.mail.yahoo.com>

Bill,

Not being a C programmer, I'll try to explain what I know and can prove...

Syslog-NG is actually logging the message section during the times that the date is a single digit. I can open up the flat text files and see the entire message there. It is with sqlsyslogd in the single-digit dates where this issue is noticed. If I had to make a guess, I'd say that sqlsyslogd is having the issue with the date.

Thanks,
Ron Clark

--- Bill Nash wrote:
>
> I'm not familiar with sqlsyslogd, but:
>
> Is there a sanity check being performed on incoming messages, that expects
> a two-digit date, typically 01, 02, etc?
>
> - billn
>
> On Fri, 10 Dec 2004, Ronnie Clark wrote:
>
> > Hello all,
> >
> > I am using syslog-ng on a FreeBSD 5.3 STABLE platform with the sqlsyslogd
> > template to log syslog messages to a MySQL 4.0.22 database. I noticed that
> > when the date rolled from Nov 30 to Dec 1, the actual messages were no
> > longer being recorded. So I verified that the messages were being captured
> > in the text files, and they were. Now that the date is the 10th (2 full
> > digits), messages are again being logged into the database.
> > Is this a bug? Anyone else seen this type of behavior?
> > I am pretty sure that it is not the OS causing the issue, since I have
> > another syslog-ng server running on FreeBSD 4.x STABLE and saw the exact
> > same errors on that as well.
> >
> > Any help is greatly appreciated.
> >
> > Thanks,
> > Ron Clark

__________________________________
Do you Yahoo!?
Yahoo! Mail - Easier than ever with enhanced search. Learn more.
http://info.mail.yahoo.com/mail_250

From syslog-ng@lists.balabit.hu Mon Dec 13 14:34:10 2004
From: syslog-ng@lists.balabit.hu (Roberto Nibali)
Date: Mon, 13 Dec 2004 15:34:10 +0100
Subject: [syslog-ng][PATCH] syslog-ng-1.6.5+20041206 fixes missing facility/priority in afinet.c
In-Reply-To: <41BD9E55.1090900@tac.ch>
References: <41B75ADB.5040607@tac.ch> <1102688779.2766.5.camel@bzorp.balabit> <41BD5656.8090502@tac.ch> <1102941065.3165.13.camel@bzorp.balabit> <41BD9E55.1090900@tac.ch>
Message-ID: <41BDA862.2040706@tac.ch>

ADDENDUM:

> Look, to me it looks like maybe msg->pri is not available at the
> expansion time. Maybe I also did something extremely stupid but I
> honestly have no time to debug it any further right now and the patch
> I've sent earlier solves my problem.
>
> I'll check once again though to see if I really missed something obvious
> :).

Ok, now I've found out that something is fishy with find_macro(). It doesn't find the PRI tag. My DEBUG output:

DEBUG: beginning of macro: H|O|S|T|
DEBUG: Found macro 'HOST'
DEBUG: this is the id '440'
DEBUG: beginning of macro: M|S|G|
DEBUG: Found macro 'MSG'
DEBUG: this is the id '480'
DEBUG: beginning of macro: D|A|T|E|
DEBUG: Found macro 'DATE'
DEBUG: this is the id '30'
DEBUG: beginning of macro: P|R|I|
DEBUG: macro not found
DEBUG: beginning of macro: T|A|G|
DEBUG: Found macro 'TAG'
DEBUG: this is the id '20'
DEBUG: I'm in M_TAG in macros.c

This is with libol-0.3.14. I'm adding some more debugging to find_macro().

Cheers,
Roberto Nibali, ratz

From syslog-ng@lists.balabit.hu Mon Dec 13 14:48:45 2004
From: syslog-ng@lists.balabit.hu (Roberto Nibali)
Date: Mon, 13 Dec 2004 15:48:45 +0100
Subject: [syslog-ng]FOUND: gperf'd src/macros-gperf.c is missing PRI
In-Reply-To: <41BDA862.2040706@tac.ch>
References: <41B75ADB.5040607@tac.ch> <1102688779.2766.5.camel@bzorp.balabit> <41BD5656.8090502@tac.ch> <1102941065.3165.13.camel@bzorp.balabit> <41BD9E55.1090900@tac.ch> <41BDA862.2040706@tac.ch>
Message-ID: <41BDABCD.3080400@tac.ch>

Hi,

> This is with libol-0.3.14. I'm adding some more debugging to find_macro().

I found the culprit. We use the gperf'd src/macros-gperf.c, which is lacking the PRI in struct macro_def wordlist[], and thus it cannot be found by find_macro().

I think it is fixed as follows (no -p1 diff ;)):

--- macros.gprf-orig	Mon Dec 13 15:47:46 2004
+++ macros.gprf	Mon Dec 13 15:48:09 2004
@@ -7,6 +7,7 @@
 PRIORITY, M_LEVEL
 LEVEL, M_LEVEL
 TAG, M_TAG
+PRI, M_PRI
 DATE, M_DATE
 FULLDATE, M_FULLDATE
 ISODATE, M_ISODATE

Best regards,
Roberto Nibali, ratz
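Review bot: the fix is incomplete unless the generated src/macros-gperf.c is rebuilt from macros.gprf, since (as the message says) that generated wordlist[] is what find_macro() consults; make sure the build regenerates it rather than shipping the stale file, or the "macro not found" symptom stays. A second check worth making after regeneration: with "PRI, M_PRI" resolving, template("<$PRI>...") should now produce the decimal "%d" header that the log.c parser accepts, whereas "<$TAG>" still emits "%02x" hex and will keep triggering "unparseable log message".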
From: syslog-ng@lists.balabit.hu (Jay Guerette)
Date: Mon, 13 Dec 2004 10:36:25 -0500
Subject: [syslog-ng]How can I stop syslog-ng by command
In-Reply-To: <20041213095708.9D7C412C241@www.balabit.hu>
References: <20041213095708.9D7C412C241@www.balabit.hu>
Message-ID: <4b9601ce04121307365ef59ba2@mail.gmail.com>

This is going to vary widely by operating system, distribution, and installation method. We would need to know these things in order to help.

There is absolutely nothing wrong with using 'kill', as long as you are doing a normal 'kill', which sends a TERM signal to the process, and not a 'kill -9', which sends a KILL signal. TERM tells the process to shut down normally, while KILL abruptly stops it.

On Mon, 13 Dec 2004 17:56:51 +0800, wei wrote:
> I have a simple question to ask you. Could you tell me a command to
> stop/start my syslog-ng server?
>
> In my Syslog-ng 1.6.5, I can't use "syslog-ng stop" to stop my syslog-ng. I
> can only use kill, but I don't think it is a good idea.

From syslog-ng@lists.balabit.hu Mon Dec 13 18:17:52 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Mon, 13 Dec 2004 19:17:52 +0100
Subject: [syslog-ng][PATCH] syslog-ng-1.6.5+20041206 fixes missing facility/priority in afinet.c
In-Reply-To: <41BD9E55.1090900@tac.ch>
References: <41B75ADB.5040607@tac.ch> <1102688779.2766.5.camel@bzorp.balabit> <41BD5656.8090502@tac.ch> <1102941065.3165.13.camel@bzorp.balabit> <41BD9E55.1090900@tac.ch>
Message-ID: <1102961872.19896.35.camel@bzorp.balabit>

On Mon, 2004-12-13 at 14:51, Roberto Nibali wrote:
> When I start syslog-ng like follows:
>
> # /sbin/syslog-ng -F -f /etc/syslog-ng.conf
>
> I get the output (regarding the line: tcp("X.Y.W.Z" port(1514)
> template("<$PRI>$DATE $HOST $TAG $MSG\n"));
>
> DEBUG: this is the id '30'
> DEBUG: this is the id '20'
> DEBUG: I'm in M_TAG in macros.c
> DEBUG: this is the id '440'
> DEBUG: this is the id '480'
>
> The real syslog-ng.conf is huge but the line above is the only part where I have
> macro expansion, so I know that I fall through that destination. As you can see
> I do not get the id '21' which would be M_PRI. It seems to be lost. If I check with
>
> tcpdump -X -s 1500 -n -i eth0 tcp and port 1514
>
> I get something like following line:
>
> <>Dec 13 12:57:01 hostname app[1213]:
>
> Look, to me it looks like maybe msg-pri is not available at the expansion time.
> Maybe I also did something extremely stupid but I honestly have no time to debug
> it any further right now and the patch I've sent earlier solves my problem.
>
> I'll check once again though to see if I really missed something obvious :).

Sorry. You are right, PRI was not added to the gperf lookup table, thus it was never resolved.

Index: macros.gprf
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/macros.gprf,v
retrieving revision 1.1.4.1
diff -u -r1.1.4.1 macros.gprf
--- macros.gprf	6 May 2004 07:37:10 -0000	1.1.4.1
+++ macros.gprf	13 Dec 2004 18:16:37 -0000
@@ -7,6 +7,7 @@
 PRIORITY, M_LEVEL
 LEVEL, M_LEVEL
 TAG, M_TAG
+PRI, M_PRI
 DATE, M_DATE
 FULLDATE, M_FULLDATE
 ISODATE, M_ISODATE

--
Bazsi

From syslog-ng@lists.balabit.hu Mon Dec 13 18:19:06 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Mon, 13 Dec 2004 19:19:06 +0100
Subject: [syslog-ng]FOUND: gperf'd src/macros-gperf.c is missing PRI
In-Reply-To: <41BDABCD.3080400@tac.ch>
References: <41B75ADB.5040607@tac.ch> <1102688779.2766.5.camel@bzorp.balabit> <41BD5656.8090502@tac.ch> <1102941065.3165.13.camel@bzorp.balabit> <41BD9E55.1090900@tac.ch> <41BDA862.2040706@tac.ch> <41BDABCD.3080400@tac.ch>
Message-ID: <1102961946.19896.37.camel@bzorp.balabit>

On Mon, 2004-12-13 at 15:48, Roberto Nibali wrote:
> Hi,
>
> > This is with libol-0.3.14. I'm adding some more debugging to find_macro().
>
> I found the culprit. We use the gperf'd src/macros-gperf.c which is lacking the
> PRI in struct macro_def wordlist[] and thus it cannot be found by find_macro().
>
> I think it is fixed as follows (no -p1 diff ;)):
>
> --- macros.gprf-orig	Mon Dec 13 15:47:46 2004
> +++ macros.gprf	Mon Dec 13 15:48:09 2004
> @@ -7,6 +7,7 @@
>  PRIORITY, M_LEVEL
>  LEVEL, M_LEVEL
>  TAG, M_TAG
> +PRI, M_PRI
>  DATE, M_DATE
>  FULLDATE, M_FULLDATE
>  ISODATE, M_ISODATE

Thanks, I've committed the same fix just a minute ago. Next time I'll read all my messages before trying to find bugs, especially if you post about them ;)

So you can find this fix in tomorrow's snapshot.

--
Bazsi

From syslog-ng@lists.balabit.hu Tue Dec 14 01:03:37 2004
From: syslog-ng@lists.balabit.hu (wei)
Date: Tue, 14 Dec 2004 09:03:37 +0800
Subject: [syslog-ng]Re: [syslog-ng]How can I stop syslog-ng by command
In-Reply-To: <1102944232.69843.ystung@mail2000.com.tw>
Message-ID: <20041214010357.8DE5B12C248@www.balabit.hu>

Dear =CD=AF=D3=C0=95N:

Thanks for your response. My syslog-ng is installed on Linux RH9, so I don't have the syslog-ng.sh file. What should I do? Could you mail me that file?

Thx.

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of =CD=AF=D3=C0=95N
Sent: 13 December 2004 21:24
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]How can I stop syslog-ng by command

In FreeBSD, you may be able to use /usr/local/etc/rc.d/syslog-ng.sh [start|stop]

-----Original message-----
From: wei
To: syslog-ng
Date: Mon, 13 Dec 2004 17:56:51 +0800
Subject: [syslog-ng]How can I stop syslog-ng by command

Hello everyone:

I have a simple question to ask you. Could you tell me a command to stop/start my syslog-ng server?

In my Syslog-ng 1.6.5, I can't use "syslog-ng stop" to stop my syslog-ng. I can only use kill, but I don't think it is a good idea.

Thx!!

From syslog-ng@lists.balabit.hu Tue Dec 14 01:20:49 2004
From: syslog-ng@lists.balabit.hu (Jay Guerette)
Date: Mon, 13 Dec 2004 20:20:49 -0500
Subject: Re: [syslog-ng]Re: [syslog-ng]How can I stop syslog-ng by command
In-Reply-To: <20041214010357.8DE5B12C248@www.balabit.hu>
References: <1102944232.69843.ystung@mail2000.com.tw> <20041214010357.8DE5B12C248@www.balabit.hu>
Message-ID: <4b9601ce041213172051f24679@mail.gmail.com>

If you installed from an RPM, there *should* be a script already; try running:

/etc/init.d/syslog-ng start

If that doesn't work, you can create that script by copying it from
https://lists.balabit.hu/pipermail/syslog-ng/1999-October/000250.html

If you built and installed from source, there is a script called 'init.d.RedHat' in the 'contrib' directory that was included with the source. Copy it to '/etc/init.d/' and rename it 'syslog-ng'; then run it.

On Tue, 14 Dec 2004 09:03:37 +0800, wei wrote:
> Thanks for your response, my syslog-ng is installed on Linux RH9, so I don't
> have the syslog-ng.sh file. What should I do? Could you mail me that file?

From syslog-ng@lists.balabit.hu Tue Dec 14 20:08:15 2004
From: syslog-ng@lists.balabit.hu (Vaibhav Goel)
Date: Tue, 14 Dec 2004 12:08:15 -0800
Subject: [syslog-ng]Using logger with syslog-ng
Message-ID: <1103054895.1310.5.camel@flanker>

Hi all,

I am a new syslog-ng user. I am trying to figure out how to get a loghost going and taking baby steps with the documentation available :-)

I got syslog-ng configured on a Linux server as such:

source s_test {
        tcp(ip(0.0.0.0) port(514));
};
destination d_test {
        file("/var/log/test.log");
};
log {
        source(s_test);
        destination(d_test);
};

I can connect to localhost on 514 fine:

telnet localhost 514
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.

So it appears that syslog-ng is at least running fine. I would like to use logger to send a test log message to syslog-ng. I googled and looked at the FAQ and docs but cannot find a way. Can anyone help or point me to a relevant document I could read? :-)

Thanks!

From syslog-ng@lists.balabit.hu Tue Dec 14 20:25:24 2004
From: syslog-ng@lists.balabit.hu (Ed Ravin)
Date: Tue, 14 Dec 2004 15:25:24 -0500
Subject: [syslog-ng]Using logger with syslog-ng
In-Reply-To: <1103054895.1310.5.camel@flanker>
References: <1103054895.1310.5.camel@flanker>
Message-ID: <20041214202524.GB29810@panix.com>

On Tue, Dec 14, 2004 at 12:08:15PM -0800, Vaibhav Goel wrote:
>
> I am a new syslog-ng user. I am trying to figure out how to get a loghost
> going and taking baby steps with the documentation available :-)
>
> I got syslog-ng configured on a Linux server as such:
>
> source s_test {
>         tcp(ip(0.0.0.0) port(514));
> };

logger uses the standard Unix syslog library to send its messages. That library doesn't know how to send messages via TCP. Also, you didn't mention what OS you were running; chances are close to 100% that your OS libraries by default send syslog messages via a local IPC method like a Unix domain socket. You'll need to tell syslog-ng to listen for packets coming in on that method.

It would be nice if we had a version of logger where you could specify the transport method - it would be good for testing syslog-ng when you're setting up centralized servers. Patches anyone?

From syslog-ng@lists.balabit.hu Tue Dec 14 20:35:41 2004
From: syslog-ng@lists.balabit.hu (Vaibhav Goel) Date: Tue, 14 Dec 2004 12:35:41 -0800 Subject: [syslog-ng]Using logger with syslog-ng In-Reply-To: <20041214202524.GB29810@panix.com> References: <1103054895.1310.5.camel@flanker> <20041214202524.GB29810@panix.com> Message-ID: <1103056541.1310.9.camel@flanker> Hi Ed, Thanks for your prompt reply. It is as I suspected....I won't be able to use logger to test. I am running RedHat Linux. Please note that syslogd and syslog-ng need to co-exist on the source as well as the loghost. I see in the FAQ that this is possible. Should I get syslog-ng to listen on the UDP port 514 meant for syslogd? Is there any quick way I can test this setup? Thanks, Vaibhav Goel On Tue, 2004-12-14 at 12:25, Ed Ravin wrote: > On Tue, Dec 14, 2004 at 12:08:15PM -0800, Vaibhav Goel wrote: > > > > I am new syslog-ng user. I am trying to figure out how to get a loghost > > going and taking baby steps with the documentation available :-) > > > > I got syslog-ng configured on a Linux server as such: > > > > source s_test { > > tcp(ip(0.0.0.0) port(514)); > > }; > > logger uses the standard Unix syslog library to send its messages. > That library doesn't know how to send messages via TCP. Also, > you didn't mention what OS you were running, chances are close to 100% > that your OS libraries by default send syslog messages via a local > IPC method like a Unix domain socket. You'll need to tell syslog-ng > to listen for packets coming in on that method. > > It would be nice if we had a version of logger where you could specify > the transport method - it would be good for testing syslog-ng when you're > setting up centralized servers. Patches anyone? > _______________________________________________ > syslog-ng maillist - syslog-ng@lists.balabit.hu > https://lists.balabit.hu/mailman/listinfo/syslog-ng > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html > From syslog-ng@lists.balabit.hu Wed Dec 15 01:24:39 2004 
From: syslog-ng@lists.balabit.hu (wei)
Date: Wed, 15 Dec 2004 09:24:39 +0800
Subject: [syslog-ng]Re: [syslog-ng]Re: [syslog-ng]How can I stop syslog-ng by command
In-Reply-To: <4b9601ce041213172051f24679@mail.gmail.com>
Message-ID: <20041215012510.8C78012C362@www.balabit.hu>

Dear Jay Guerette:

Thanks for your help, I have found the shell file in /etc/init.d, it works well.

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On behalf of Jay Guerette
Sent: 14 December 2004 9:21
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Re: [syslog-ng]How can I stop syslog-ng by command

If you installed from an RPM, there *should* be a script already; try running:

    /etc/init.d/syslog-ng start

If that doesn't work, you can create that script by copying it from https://lists.balabit.hu/pipermail/syslog-ng/1999-October/000250.html

If you built and installed from source, there is a script called 'init.d.RedHat' in the 'contrib' directory that was included with the source. Copy it to '/etc/init.d/' and re-name it 'syslog-ng'; then run it.

On Tue, 14 Dec 2004 09:03:37 +0800, wei wrote:
> Thanks for your response, my syslog-ng is installed on Linux RH9, so I don't
> have the syslog-ng.sh file. What should I do? Could you mail me that file?

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
From syslog-ng@lists.balabit.hu Wed Dec 15 02:16:38 2004
From: syslog-ng@lists.balabit.hu (Ed Ravin) Date: Tue, 14 Dec 2004 21:16:38 -0500 Subject: [syslog-ng]Using logger with syslog-ng In-Reply-To: <1103056541.1310.9.camel@flanker> References: <1103054895.1310.5.camel@flanker> <20041214202524.GB29810@panix.com> <1103056541.1310.9.camel@flanker> Message-ID: <20041215021638.GA1855@panix.com> On Tue, Dec 14, 2004 at 12:35:41PM -0800, Vaibhav Goel wrote: > Thanks for your prompt reply. It is as I suspected....I won't be able > to use logger to test. > > I am running RedHat Linux. Please note that syslogd and syslog-ng need > to co-exist on the source as well as the loghost. I see in the FAQ that > this is possible. Should I get syslog-ng to listen on the UDP port 514 > meant for syslogd? Is there any quick way I can test this setup? If you tell syslog-ng to listen to the UDP port, then you can write a Perl script using the Sys::Syslog module (which comes with Perl 5 and later) to do your testing. If you already know some Perl, that should be pretty quick. From syslog-ng@lists.balabit.hu Wed Dec 15 08:33:56 2004 
From: syslog-ng@lists.balabit.hu (Roberto Nibali)
Date: Wed, 15 Dec 2004 09:33:56 +0100
Subject: [syslog-ng]FOUND: gperf'd src/macros-gperf.c is missing PRI
In-Reply-To: <1102961946.19896.37.camel@bzorp.balabit>
References: <41B75ADB.5040607@tac.ch> <1102688779.2766.5.camel@bzorp.balabit> <41BD5656.8090502@tac.ch> <1102941065.3165.13.camel@bzorp.balabit> <41BD9E55.1090900@tac.ch> <41BDA862.2040706@tac.ch> <41BDABCD.3080400@tac.ch> <1102961946.19896.37.camel@bzorp.balabit>
Message-ID: <41BFF6F4.1080100@tac.ch>

Hi,

> Thanks, I've committed the same fix just a minute ago. Next time I'll
> read all my messages before trying to find bugs, especially if you post
> about them ;)

Excellent, so we've done the peer review already. One bug less and verified ;).

> So you can find this fix in tomorrow's snapshot.

Thanks, I've already rolled my own syslog-ng patchset. We maintain two other smallish patches which are probably not suitable for your syslog-ng tree.

Take care,
Roberto Nibali, ratz
--
addr://Rathausgasse 31, CH-5001 Aarau    tel://++41 62 823 9355
http://www.terreactive.com               fax://++41 62 823 9356
terreActive AG                           We secure your success
From syslog-ng@lists.balabit.hu Wed Dec 15 13:28:45 2004
From: syslog-ng@lists.balabit.hu (Jay Guerette)
Date: Wed, 15 Dec 2004 08:28:45 -0500
Subject: [syslog-ng]repost: line truncation with spamd
In-Reply-To: <41B72103.3040908@slittle.com>
References: <41B72103.3040908@slittle.com>
Message-ID: <4b9601ce0412150528673c822e@mail.gmail.com>

I am running syslog-ng 1.6.5 and spamassassin 3.01 on linux without a problem. What OS and versions are on your end?

On Thu, 09 Dec 2004 01:42:59 +1000, scott wrote:
> Is anyone looking into this issue?
>
> To refresh your memory, all five of these entries appear on the same line:
>
> 2004-12-09T01:09:35+1000 chloe spamd[704]: connection from localhost [127.0.0.1] at port 40811 2004-12-09T01:09:35+1000 chloe spamd[13558]: info: setuid to slittle succeeded 2004-12-09T01:09:35+1000 chloe spamd[13558]: processing message <35089309.09501@cbuki@getherbalnow.info> for slittle:1000. 2004-12-09T01:09:36+1000 chloe spamd[13558]: identified spam (20.8/5.0) for slittle:1000 in 0.8 seconds, 1475 bytes. 2004-12-09T01:09:36+1000 chloe qmail: 1102514976.416174 new msg 12808775

From syslog-ng@lists.balabit.hu Wed Dec 15 15:40:13 2004
From: syslog-ng@lists.balabit.hu (scott)
Date: Thu, 16 Dec 2004 01:40:13 +1000
Subject: [syslog-ng]repost: line truncation with spamd
In-Reply-To: <4b9601ce0412150528673c822e@mail.gmail.com>
References: <41B72103.3040908@slittle.com> <4b9601ce0412150528673c822e@mail.gmail.com>
Message-ID: <41C05ADD.9060105@slittle.com>

> I am running syslog-ng 1.6.5 and spamassassin 3.01 on linux without a problem.
> What OS and versions are on your end?

Debian Testing and Debian Stable.

A recent upgrade to SA 3.01 didn't fix it. Nor did compiling syslog-ng from source.
From syslog-ng@lists.balabit.hu Wed Dec 15 17:39:45 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Wed, 15 Dec 2004 18:39:45 +0100
Subject: [syslog-ng]repost: line truncation with spamd
In-Reply-To: <41C05ADD.9060105@slittle.com>
References: <41B72103.3040908@slittle.com> <4b9601ce0412150528673c822e@mail.gmail.com> <41C05ADD.9060105@slittle.com>
Message-ID: <1103132385.11771.1.camel@bzorp.balabit>

On Wed, 2004-12-15 at 16:40, scott wrote:
> > I am running syslog-ng 1.6.5 and spamassasin 3.01 on linux without a problem.
> > What OS and versions are on your end?
>
> Debian Testing and Debian Stable.
>
> A recent upgrade to SA 3.01 didn't fix it. Nor did compiling syslog-ng
> from source.

I think the problem is caused by a bug in syslog-ng in which it includes NUL characters in the message, e.g. it tries to write something like $MSG\0\n, thus the line is truncated by the '\0' character. It is triggered only with unix-dgram and udp sources, but I didn't have time to look into it.

Can you check whether switching over to using unix-stream sources solves your problem?

--
Bazsi

From syslog-ng@lists.balabit.hu Wed Dec 15 19:08:08 2004
From: syslog-ng@lists.balabit.hu (scott)
Date: Thu, 16 Dec 2004 05:08:08 +1000
Subject: [syslog-ng]repost: line truncation with spamd
In-Reply-To: <1103132385.11771.1.camel@bzorp.balabit>
References: <41B72103.3040908@slittle.com> <4b9601ce0412150528673c822e@mail.gmail.com> <41C05ADD.9060105@slittle.com> <1103132385.11771.1.camel@bzorp.balabit>
Message-ID: <41C08B98.5030403@slittle.com>

Yep, so far so good.

> Can you check whether switching over to using unix-stream sources solves
> your problem?
From syslog-ng@lists.balabit.hu Thu Dec 16 09:42:57 2004
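An added illustration of the failure mode Bazsi describes in the thread above (a NUL carried in a datagram-sourced message breaking line framing); this is example code, not syslog-ng's own implementation, and the spamd-style datagrams in it are constructed.

```python
"""Line framing for datagram-sourced syslog messages.

Datagram transports (unix-dgram, UDP) hand over a payload with an explicit
length, and some senders include the C string terminator in that length, so
a message can arrive as b"...text\x00".  A writer that appends "\n" and then
treats the buffer as a C string loses the newline, and consecutive records
run together on one line, which is the symptom reported above.
"""


def naive_frame(payload: bytes) -> bytes:
    """Mimic the buggy writer: append the newline, then honour C-string
    semantics, so everything from the first NUL on (newline included) is
    dropped.  This is an illustration, not syslog-ng's real code."""
    buf = payload + b"\n"
    return buf.split(b"\x00", 1)[0]


def safe_frame(payload: bytes) -> bytes:
    """Frame by length, not by NUL: strip trailing terminators (and a
    trailing newline the sender may have added), then make any embedded
    NUL visible so a buggy or hostile sender can neither merge nor hide
    log lines from NUL-sensitive tools."""
    body = payload.rstrip(b"\x00\n")
    body = body.replace(b"\x00", b"\\x00")
    return body + b"\n"


def write_log(payloads, framer) -> bytes:
    """Concatenate framed records the way a file destination would."""
    return b"".join(framer(p) for p in payloads)


def line_count(data: bytes) -> int:
    """Number of complete lines in a log buffer."""
    return data.count(b"\n")


# Constructed sample datagrams in the shape of the spamd report above,
# each carrying the trailing NUL a datagram-based sender may include.
SAMPLE = [
    b"<22>Dec  9 01:09:35 spamd[704]: connection from localhost [127.0.0.1] at port 40811\x00",
    b"<22>Dec  9 01:09:35 spamd[13558]: info: setuid to slittle succeeded\x00",
    b"<22>Dec  9 01:09:36 spamd[13558]: identified spam (20.8/5.0) for slittle:1000\x00",
]

if __name__ == "__main__":
    print("naive:", line_count(write_log(SAMPLE, naive_frame)), "lines")
    print("safe: ", line_count(write_log(SAMPLE, safe_frame)), "lines")
```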
From: syslog-ng@lists.balabit.hu (Timothy Webster)
Date: Thu, 16 Dec 2004 04:42:57 -0500
Subject: [syslog-ng]how to write efficient filters?
Message-ID: <20041216044257.7ce2acbc@delta.hk.office.outblaze.com>

Which is more efficient?

filter f_pop_acc { program("pop3") and match("not have pop"); };
filter f_mail { facility(mail); };

log { source(s_sys); filter(f_mail); filter(f_pop_acc); destination(d_pop_acc); };

or

filter f_pop_acc { facility(mail) and program("pop3") and match("not have pop"); };
log { source(s_sys); filter(f_pop_acc); destination(d_pop_acc); };

Sorry too lazy to look at the code :)

-tim

From syslog-ng@lists.balabit.hu Thu Dec 16 10:37:13 2004
From: syslog-ng@lists.balabit.hu (Roberto Nibali)
Date: Thu, 16 Dec 2004 11:37:13 +0100
Subject: [syslog-ng]how to write efficient filters?
In-Reply-To: <20041216044257.7ce2acbc@delta.hk.office.outblaze.com>
References: <20041216044257.7ce2acbc@delta.hk.office.outblaze.com>
Message-ID: <41C16559.5080902@drugphish.ch>

Hi,

> Which is more efficient?

Hard to say but I should like to ask you if it really matters?

> filter f_pop_acc { program("pop3") and match("not have pop"); };
> filter f_mail { facility(mail); };
>
> log { source(s_sys); filter(f_mail); filter(f_pop_acc); destination(d_pop_acc); };
>
> filter f_pop_acc { facility(mail) and program("pop3") and match("not have pop"); };
> log { source(s_sys); filter(f_pop_acc); destination(d_pop_acc); };
>
> Sorry too lazy to look at the code :)

Me too but you could use ltrace or strace and count the times spent in each library and syscall. Of course this is only an indication.

To be honest, reading your example doesn't strike me as particularly high volume traffic. I'd say that your popd dies before syslog-ng is not able to send your filtered traffic anymore ;).

HTH and have a nice day,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
From syslog-ng@lists.balabit.hu Thu Dec 16 13:07:49 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Thu, 16 Dec 2004 14:07:49 +0100
Subject: [syslog-ng]how to write efficient filters?
In-Reply-To: <20041216044257.7ce2acbc@delta.hk.office.outblaze.com>
References: <20041216044257.7ce2acbc@delta.hk.office.outblaze.com>
Message-ID: <1103202469.4413.30.camel@bzorp.balabit>

On Thu, 2004-12-16 at 10:42, Timothy Webster wrote:
> Which is more efficient?
>
> filter f_pop_acc { program("pop3") and match("not have pop"); };
> filter f_mail { facility(mail); };
>
> log { source(s_sys); filter(f_mail); filter(f_pop_acc); destination(d_pop_acc); };
>
> or
>
> filter f_pop_acc { facility(mail) and program("pop3") and match("not have pop"); };
> log { source(s_sys); filter(f_pop_acc); destination(d_pop_acc); };
>
> Sorry too lazy to look at the code :)

I think it should be about the same. The first one traverses a linked list of filters and breaks out of the loop if a filter does not match; the second uses the parse tree generated by the config parser, using C's && operator, which similarly does lazy evaluation.

--
Bazsi

From syslog-ng@lists.balabit.hu Thu Dec 16 19:20:07 2004
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Thu, 16 Dec 2004 14:20:07 -0500 (EST)
Subject: [syslog-ng]-v and -p parameters not working as advertised
Message-ID:

Excerpts from man syslog-ng:

  -p    Write the current PID information to the specified file.
  -v    Enable verbose mode. Process will not become a daemon. Prints out fewer messages, compared to -d.

Despite what that says, syslog-ng forks into the background when -v is used. Also, when -d is used to force syslog-ng to run in the foreground it does not create a pid file even when -p is used. I need the pidfile to be created even when running in the foreground.

I am running syslog-ng with:

syslog-ng -d -p /var/run/syslog-ng.pid

--
Kevin
From syslog-ng@lists.balabit.hu Thu Dec 16 20:58:50 2004
From: syslog-ng@lists.balabit.hu (Jay Guerette)
Date: Thu, 16 Dec 2004 15:58:50 -0500
Subject: [syslog-ng]Christmas
Message-ID: <4b9601ce04121612584e29fdee@mail.gmail.com>

Although 10 days too late, I was thinking: "What can Mikulás bring Balázs for Christmas?" After all, giving us syslog-ng and 5 years of support on this list deserves *something*. Then it hit me; "I'll buy a syslog-ng support contract!" I'm reasonably sure I can get my company to go for it; so how can I get prices on the various support packs available?
From syslog-ng@lists.balabit.hu Thu Dec 16 22:55:14 2004
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Thu, 16 Dec 2004 14:55:14 -0800
Subject: [syslog-ng]Christmas
In-Reply-To: <4b9601ce04121612584e29fdee@mail.gmail.com>
References: <4b9601ce04121612584e29fdee@mail.gmail.com>
Message-ID: <1103237714.41c212528e483@www.campin.net>

Quoting Jay Guerette :
> Although 10 days too late, I was thinking: "What can Mikulás bring
> Balázs for Christmas?"
> After all, giving us syslog-ng and 5 years of support on this list
> deserves *something*. Then it hit me; "I'll buy a syslog-ng support
> contract!" I'm reasonably sure I can get my company to go for it; so
> how can I get prices on the various support packs available?

Hey Jay, I work at a big financial institution now and we're actually going to pay Balabit for some enhancements I've wanted for quite some time and for top-tier support. The big feature request is having overflowing local buffers log to disk and replay when a TCP destination is available again (surely up to some configurable amount of disk space and a configurable location on disk - we'll need to talk to Bazsi about that). It's needed for an internal project so they're happy to pay.

That's not to say that you can't pay them too. I just wanted to mention that I'm having a very good Christmas since we'll be paying Bazsi to implement my wishlist! :)

Merry Christmas Bazsi, and thanks for all your hard work.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
From syslog-ng@lists.balabit.hu Thu Dec 16 23:18:42 2004
From: syslog-ng@lists.balabit.hu (Jay Guerette) Date: Thu, 16 Dec 2004 18:18:42 -0500 Subject: [syslog-ng]Christmas In-Reply-To: <1103237714.41c212528e483@www.campin.net> References: <4b9601ce04121612584e29fdee@mail.gmail.com> <1103237714.41c212528e483@www.campin.net> Message-ID: <4b9601ce04121615185c2f2140@mail.gmail.com> Reading between the lines... So.... any feature *I* want, I just send an email to my old pal Nate! Yay! :-P On Thu, 16 Dec 2004 14:55:14 -0800, nate@campin.net wrote: > Hey Jay, I work at a big financial institution now and we're actually going to > pay Balabit for some enhancements I've wanted for quite some time and for > top-tier support. The big feature request is having overflowing local buffers > log to disk and replay when a TCP destination is available again (surely up to > some configurable amount of disk space and a configurable location on disk - > we'll need to talk to Bazsi about that). It's needed for an internal project so > they're happy to pay. From syslog-ng@lists.balabit.hu Fri Dec 17 10:37:16 2004 
From: syslog-ng@lists.balabit.hu (syslog-ng@lists.balabit.hu)
Date: Fri, 17 Dec 2004 11:37:16 +0100
Subject: [syslog-ng]iptables syslog-ng logs way to big
Message-ID: <41B792E100040EBD@mssazhh-int.msg.bluewin.ch>

hi there

bit of a problem with too many logs being generated and i'm not sure what to do. I'm using a iptables firewall setup like this:

$IPTABLES -t filter -N ACCEPTLOG
$IPTABLES -t filter -A ACCEPTLOG -j LOG --log-prefix "iptables:" --log-level\
  debug
$IPTABLES -t filter -A ACCEPTLOG -j ACCEPT

the firewall is also a masquerading NAT gateway for about 50 clients. I want to record all traffic flowing through the gateway, so along with the firewall rules stated above i have this in my syslog-ng.conf :

destination iptables { file("/var/log/iptables"); };
filter iptables { match("^iptables:"); };
log { source(src); filter(iptables); destination(iptables); };

all very nice, except for the fact that within 24 hours the log grew to 500MB's, which is a little too big. Of course i've configured logrotate to g-zip the file every day which greatly reduces the size, but i'd much prefer to have smaller logs but with the necessary information still there.

Here's an example from one client just for a simple request to port 445:

Dec 17 11:33:18 iptables:IN=eth1 OUT=eth0 SRC=192.168.1.220 DST=213.220.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=974 DF PROTO=TCP SPT=32900 DPT=445 WINDOW=10136 RES=0x00 ACK URGP=0

this entry is repeated 10 times per second !! i've tried different log levels in my firewall but it doesnt seem to change anything. Would be grateful for any help.

cheers, garvald
From syslog-ng@lists.balabit.hu Fri Dec 17 10:37:59 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler) Date: Fri, 17 Dec 2004 11:37:59 +0100 Subject: [syslog-ng]Christmas In-Reply-To: <1103237714.41c212528e483@www.campin.net> References: <4b9601ce04121612584e29fdee@mail.gmail.com> <1103237714.41c212528e483@www.campin.net> Message-ID: <1103279879.2820.31.camel@bzorp.balabit> On Thu, 2004-12-16 at 23:55, nate@campin.net wrote: > Quoting Jay Guerette : > > > Although 10 days too late, I was thinking: "What can Mikulás bring > > Balázs for Christmas?" > > After all, giving us syslog-ng and 5 years of support on this list > > deserves *something*. Then it hit me; "I'll buy a syslog-ng support > > contract!" I'm reasonably sure I can get my company to go for it; so > > how can I get prices on the various support packs available? > > Hey Jay, I work at a big financial institution now and we're actually going to > pay Balabit for some enhancements I've wanted for quite some time and for > top-tier support. The big feature request is having overflowing local buffers > log to disk and replay when a TCP destination is available again (surely up to > some configurable amount of disk space and a configurable location on disk - > we'll need to talk to Bazsi about that). It's needed for an internal project so > they're happy to pay. > > That's not to say that you can't pay them too. I just wanted to mention that I'm > having a very good Christmas since we'll be paying Bazsi to implement my > wishlist! :) > > Merry Chrismas Bazsi, and thanks for all your hard work. Merry Christmas for you guys as well. -- Bazsi From syslog-ng@lists.balabit.hu Fri Dec 17 16:14:09 2004 
From: syslog-ng@lists.balabit.hu (Wolfgang Braun)
Date: Fri, 17 Dec 2004 17:14:09 +0100
Subject: [syslog-ng]iptables syslog-ng logs way to big
In-Reply-To: <41B792E100040EBD@mssazhh-int.msg.bluewin.ch>
References: <41B792E100040EBD@mssazhh-int.msg.bluewin.ch>
Message-ID: <1103300049.31783.48.camel@pups.10er>

On Fri, 17.12.2004 at 11:37, garvald@bluemail.ch wrote:

> hi there

Hi

> bit of a problem with too many logs being generated and i'm not sure what
> to do. I'm using a iptables firewall setup like this:
>
> $IPTABLES -t filter -N ACCEPTLOG
> $IPTABLES -t filter -A ACCEPTLOG -j LOG --log-prefix "iptables:" --log-level\
> debug
> $IPTABLES -t filter -A ACCEPTLOG -j ACCEPT
>
> the firewall is also a masquerading NAT gateway for about 50 clients. I want
> to record all traffic flowing through the gateway,[...]

I do something similar but limit the amount of packets being logged by

iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j LOG
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

so I get only one entry (the first packet) per connection; used mainly to do a statistic on what ports are being knocked on.

> [...] but i'd much prefer to have
> smaller logs but with the necessary information still there.
                            ^^^^^^^^^^^^^^^^^^^^^

Which leads to my main question:

What exactly do you do with the logged data? (If you don't mind telling)

I currently whitepaper the use of syslog-ng to build a syslog infrastructure (collect logs on a central loghost, dump them into a relational DB, get useful information out of the DB). The most interesting part so far is the latter, getting something useful out of the logs, so i'm very curious what you do with those 500MB+ per day.

> [...] i've tried different log levels in my firewall but it doesnt seem to change
> anything. Would be grateful for any help.

The '--log-level debug' parameter you use specifies the priority the message gets tagged with; it doesn't change the behaviour of the packet filter in any way.

> cheers, garvald

Wolfgang
--
Wolfgang Braun , Dipl. Inform. (FH)
gpg-key: 1024D/4B32CE55
From syslog-ng@lists.balabit.hu Fri Dec 17 16:38:08 2004
From: syslog-ng@lists.balabit.hu (Dave Johnson)
Date: Fri, 17 Dec 2004 10:38:08 -0600
Subject: [syslog-ng]iptables syslog-ng logs way to big
In-Reply-To: <1103300049.31783.48.camel@pups.10er>
References: <41B792E100040EBD@mssazhh-int.msg.bluewin.ch> <1103300049.31783.48.camel@pups.10er>
Message-ID: <90cdf79a0412170838221ea0fe@mail.gmail.com>

Are you logging _all_ your traffic through the firewall? If you have requirements to log good traffic (and/or report on it), then try and only log initial connection setups (this is all done in iptables configs and is out of the scope of syslog-ng). However, to point you in the right direction-- IE: maybe try a chain that sequentially:

- connection established rules without logging
- log new connections
- allow these ports/new connections
- deny log
- deny

On Fri, 17 Dec 2004 17:14:09 +0100, Wolfgang Braun wrote:
> Am Fr, den 17.12.2004 schrieb garvald@bluemail.ch um 11:37:
>
> > hi there
>
> Hi
>
> > bit of a problem with too many logs being generated and i'm not sure what
> > to do. I'm using a iptables firewall setup like this:
> >
> > $IPTABLES -t filter -N ACCEPTLOG
> > $IPTABLES -t filter -A ACCEPTLOG -j LOG --log-prefix "iptables:" --log-level\
> > debug
> > $IPTABLES -t filter -A ACCEPTLOG -j ACCEPT
> >
> > the firewall is also a masquerading NAT gateway for about 50 clients. I want
> > to record all traffic flowing through the gateway,[...]
>
> I do something similar but limit the amount of packets being logged by
>
> iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j LOG
>                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> so I get only one entry (the first packet) per connection; used mainly
> to do a statistic on what ports are being knocked on.
>
> > [...] but i'd much prefer to have
> > smaller logs but with the necessary information still there.
>                             ^^^^^^^^^^^^^^^^^^^^^
> Which leads to my main question:
>
> What exactly do you do with the logged data? (If you don't mind telling)
>
> I currently whitepaper the use of syslog-ng to build a syslog
> infrastructure (collect logs on a central loghost, dump them into a
> relational DB, get useful information out of the DB).
> The most interesting part so far is the latter, getting something useful
> out of the logs, so i'm very curious what you do with those 500MB+ per
> day.
>
> > [...] i've tried different log levels in my firewall but it doesnt seem to change
> > anything. Would be grateful for any help.
>
> The '--log-level debug' parameter you use specifies the priority the
> message gets tagged with, it doesn't change the behaviour of the packet
> filter in any way.
>
> > cheers, garvald
>
> Wolfgang
>
> --
> Wolfgang Braun , Dipl. Inform. (FH)
> gpg-key: 1024D/4B32CE55
>
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
From syslog-ng@lists.balabit.hu Sun Dec 19 04:34:01 2004
From: syslog-ng@lists.balabit.hu (Jay Guerette)
Date: Sat, 18 Dec 2004 23:34:01 -0500
Subject: [syslog-ng]Christmas
In-Reply-To: <1103279879.2820.31.camel@bzorp.balabit>
References: <4b9601ce04121612584e29fdee@mail.gmail.com> <1103237714.41c212528e483@www.campin.net> <1103279879.2820.31.camel@bzorp.balabit>
Message-ID: <4b9601ce04121820347f93e746@mail.gmail.com>

Back on the original topic:

How can I get prices on the various support packs available?

On Fri, 17 Dec 2004 11:37:59 +0100, Balazs Scheidler wrote:
> On Thu, 2004-12-16 at 23:55, nate@campin.net wrote:
> > Quoting Jay Guerette :
> >
> > > Although 10 days too late, I was thinking: "What can Mikulás bring
> > > Balázs for Christmas?"
> > > After all, giving us syslog-ng and 5 years of support on this list
> > > deserves *something*. Then it hit me; "I'll buy a syslog-ng support
> > > contract!" I'm reasonably sure I can get my company to go for it; so
> > > how can I get prices on the various support packs available?
> >
> > Hey Jay, I work at a big financial institution now and we're actually going to
> > pay Balabit for some enhancements I've wanted for quite some time and for
> > top-tier support. The big feature request is having overflowing local buffers
> > log to disk and replay when a TCP destination is available again (surely up to
> > some configurable amount of disk space and a configurable location on disk -
> > we'll need to talk to Bazsi about that). It's needed for an internal project so
> > they're happy to pay.
> >
> > That's not to say that you can't pay them too. I just wanted to mention that I'm
> > having a very good Christmas since we'll be paying Bazsi to implement my
> > wishlist! :)
> >
> > Merry Chrismas Bazsi, and thanks for all your hard work.
>
> Merry Christmas for you guys as well.
From syslog-ng@lists.balabit.hu Sun Dec 19 05:43:00 2004
From: syslog-ng@lists.balabit.hu (John Kristoff)
Date: Sat, 18 Dec 2004 23:43:00 -0600
Subject: [syslog-ng]iptables syslog-ng logs way to big
In-Reply-To: <41B792E100040EBD@mssazhh-int.msg.bluewin.ch>
References: <41B792E100040EBD@mssazhh-int.msg.bluewin.ch>
Message-ID: <20041218234300.0f6dc09f@dsl017-022-068.chi1.dsl.speakeasy.net>

On Fri, 17 Dec 2004 11:37:16 +0100 garvald@bluemail.ch wrote:
> bit of a problem with too many logs being generated and i'm not sure what
> to do. I'm using a iptables firewall setup like this:

Log sampling might be a nice experimental feature to have in this and other related cases. In some cases such as logging all possible filter denies or logging all queries in busy DNS servers, getting a copy of every single log may not be necessary and, due to quantity, impractical. In the simplest case, every N messages would be logged to disk, but in more complex scenarios it could be based on message content or specific source and use a more advanced algorithm rather than logging every N messages.

John

From syslog-ng@lists.balabit.hu Sun Dec 19 20:45:51 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Sun, 19 Dec 2004 21:45:51 +0100
Subject: [syslog-ng]Christmas
In-Reply-To: <4b9601ce04121820347f93e746@mail.gmail.com>
References: <4b9601ce04121612584e29fdee@mail.gmail.com> <1103237714.41c212528e483@www.campin.net> <1103279879.2820.31.camel@bzorp.balabit> <4b9601ce04121820347f93e746@mail.gmail.com>
Message-ID: <1103489150.2701.1.camel@bzorp.balabit>

On Sun, 2004-12-19 at 05:34, Jay Guerette wrote:
> Back on the original topic:
>
> How can I get prices on the various support packs available?

Just send an email to sales@balabit.hu, but I'll forward your mail to the appropriate colleague who will return this information for you in private.

--
Bazsi
From syslog-ng@lists.balabit.hu Mon Dec 20 07:42:49 2004
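An added example of the content-aware sampling John Kristoff proposes in the "iptables syslog-ng logs way to big" thread above, applied to the iptables LOG format garvald posted; it is not part of syslog-ng, and the log lines it runs on are constructed (the DST address is a documentation-range placeholder).

```python
"""Per-flow sampling of iptables LOG lines.

Every record is counted, but only the first and then every N-th record per
(SRC, DST, PROTO, DPT) key is emitted, annotated with how many records that
flow has produced so far.  Volume drops by roughly a factor of N while the
flow inventory and the per-flow counts survive; non-iptables lines pass
through untouched so unrelated logs are never sampled away.
"""
import re
from collections import defaultdict

# Matches the KEY=value fields of the iptables LOG format quoted above.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_iptables(line: str) -> dict:
    """Return the KEY=value fields of an iptables LOG line, or {} for
    anything that is not an iptables record."""
    if "iptables:" not in line:
        return {}
    return dict(FIELD_RE.findall(line))


class FlowSampler:
    def __init__(self, every_n: int):
        if every_n < 1:
            raise ValueError("every_n must be >= 1")
        self.every_n = every_n
        self.seen = defaultdict(int)  # records seen per flow key

    @staticmethod
    def flow_key(fields: dict) -> tuple:
        return (fields.get("SRC"), fields.get("DST"),
                fields.get("PROTO"), fields.get("DPT"))

    def feed(self, line: str):
        """Return the line to write (annotated with SEEN=<count>) or None
        if this record is sampled out."""
        fields = parse_iptables(line)
        if not fields:
            return line                      # not an iptables record
        key = self.flow_key(fields)
        self.seen[key] += 1
        n = self.seen[key]
        if (n - 1) % self.every_n == 0:      # first record, then every N-th
            return f"{line} SEEN={n}"
        return None


def sample_lines(lines, every_n: int):
    """Run the sampler over an iterable of lines; return the emitted lines
    and the final per-flow counts."""
    sampler = FlowSampler(every_n)
    out = []
    for line in lines:
        emitted = sampler.feed(line)
        if emitted is not None:
            out.append(emitted)
    return out, dict(sampler.seen)


# Constructed input modelled on the line quoted in the thread: 25 packets
# of one client flow to port 445, one packet of a second flow, and an
# unrelated sshd line that must pass through unchanged.
_TEMPLATE = ("Dec 17 11:33:18 iptables:IN=eth1 OUT=eth0 SRC={src} DST=203.0.113.5 "
             "LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID={id} DF PROTO=TCP SPT=32900 "
             "DPT={dpt} WINDOW=10136 RES=0x00 ACK URGP=0")
SAMPLE = [_TEMPLATE.format(src="192.168.1.220", id=974 + i, dpt=445) for i in range(25)]
SAMPLE.append(_TEMPLATE.format(src="192.168.1.221", id=10, dpt=80))
SAMPLE.append("Dec 17 11:33:19 sshd[123]: Accepted publickey for alice")

if __name__ == "__main__":
    kept, counts = sample_lines(SAMPLE, every_n=10)
    print(f"{len(SAMPLE)} lines in, {len(kept)} lines out")
    for line in kept:
        print(line)
```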
From: syslog-ng@lists.balabit.hu (Stephan Hendl)
Date: Mon, 20 Dec 2004 08:42:49 +0100
Subject: [syslog-ng]pipe destination and HPUX
Message-ID:

Hi all,

I try to get syslog messages via tcp and want to write them into a pipe with HPUX 11.11v1 and syslog-ng-1.6.5. The messages arrive perfectly (I controlled this via writing in a file) but the pipe is still empty. Only messages from local sources get into it. Does anybody have an idea?

Ciao
Stephan

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on HP-UX. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(8) for more information.
#
# 20000925 gb@sysfive.com

options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys { pipe("/dev/log" pad_size(2048)); internal(); };
source s_tcp { tcp(ip(10.128.8.173) port(10514) keep-alive(no)); };

destination d_cic.log {
    file("/var/adm/syslog/cic.$YEAR$MONTH$DAY" owner("root") group("sys") perm(0644)
         template("$DATE $HOST $MESSAGE\n") template-escape(yes));
};
destination d_cic.pipe {
    pipe("/tmp/cic.pipe" owner("root") group("root") perm(0640)
         template("$DATE $HOST $MESSAGE\n") template-escape(yes));
};

log { source(s_sys); destination(d_cic.log); };
log { source(s_tcp); destination(d_cic.log); };
log { source(s_sys); destination(d_cic.pipe); };
log { source(s_tcp); destination(d_cic.pipe); };
From syslog-ng@lists.balabit.hu Mon Dec 20 11:31:09 2004
From: syslog-ng@lists.balabit.hu (Timothy Webster)
Date: Mon, 20 Dec 2004 06:31:09 -0500
Subject: [syslog-ng]how to write efficient filters?
In-Reply-To: <1103202469.4413.30.camel@bzorp.balabit>
References: <20041216044257.7ce2acbc@delta.hk.office.outblaze.com> <1103202469.4413.30.camel@bzorp.balabit>
Message-ID: <20041220063109.673e1a5e@delta.hk.office.outblaze.com>

On Thu, 16 Dec 2004 14:07:49 +0100 Balazs Scheidler wrote:
> On Thu, 2004-12-16 at 10:42, Timothy Webster wrote:
> > Which is more efficient?
> >
> > filter f_pop_acc { program("pop3") and match("not have pop"); };
> > filter f_mail { facility(mail); };
> >
> > log { source(s_sys); filter(f_mail); filter(f_pop_acc); destination(d_pop_acc); };
> >
> > or
> >
> > filter f_pop_acc { facility(mail) and program("pop3") and match("not have pop"); };
> > log { source(s_sys); filter(f_pop_acc); destination(d_pop_acc); };
> >
> > Sorry too lazy to look at the code :)
>
> I think it should be about the same. The first one traverses a linked
> list of filters and breaks out the loop if a filter does not match, the
> second uses the parse tree generated by the config parser, using C's &&
> operator, which similarly does lazy evaluation.
>
> --
> Bazsi

thx,
-tim.

From syslog-ng@lists.balabit.hu Mon Dec 20 23:02:27 2004
From: syslog-ng@lists.balabit.hu (Brett Stevens)
Date: Tue, 21 Dec 2004 10:02:27 +1100
Subject: [syslog-ng]pipe destination and HPUX
Message-ID: <60736F697E66E542B9672458913B91150C0212@TOTO.oz.hubbub.com.au>

Looking at your config you seem to have specified an ip and port for your tcp. Just try it without, such as

source s_tcp { tcp(); };

This is what I use to log approximately 80-100 devices to two servers (number varies as this is a development site with large amounts of vmware servers).

Best of luck
Brett Stevens

-----Original Message-----
From: Stephan Hendl [mailto:Stephan.Hendl@lds.brandenburg.de]
Sent: Monday, December 20, 2004 6:43 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]pipe destination and HPUX

Hi all,

I try to get syslog messages via tcp and want to write them into a pipe with HPUX 11.11v1 and syslog-ng-1.6.5. The messages arrive perfectly (I controlled this via writing in a file) but the pipe is still empty. Only messages from local sources get into it.

Does anybody have an idea?

Ciao
Stephan

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

From syslog-ng@lists.balabit.hu Tue Dec 21 06:36:52 2004
From: syslog-ng@lists.balabit.hu (Stephan Hendl)
Date: Tue, 21 Dec 2004 07:36:52 +0100
Subject: [syslog-ng]pipe destination and HPUX
Message-ID: 

I've tried that out but it doesn't help me. The messages from the "syslog-clients" arrive perfectly and are written into the cic.log-file but _not_ into the pipe ;-(((

Stephan

>>> brett.stevens@hubbub.com.au 12/21/04 12:02 >>>
Looking at your config you seem to have specified an ip and port for your tcp. Just try it without, such as

    source s_tcp { tcp(); };

This is what I use to log approximately 80-100 devices to two servers (number varies as this is a development site with large amounts of vmware servers).

Best of luck
Brett Stevens

-----Original Message-----
From: Stephan Hendl [mailto:Stephan.Hendl@lds.brandenburg.de]
Sent: Monday, December 20, 2004 6:43 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]pipe destination and HPUX

Hi all,

I try to get syslog messages via tcp and want to write them into a pipe with HPUX 11.11v1 and syslog-ng-1.6.5. The messages arrive perfectly (I controlled this via writing in a file) but the pipe is still empty. Only messages from local sources get into it.

Does anybody have an idea?

Ciao
Stephan

From syslog-ng@lists.balabit.hu Wed Dec 22 20:16:54 2004
From: syslog-ng@lists.balabit.hu (ARGEXT-HIDALGO, FRANCISCO)
Date: Wed, 22 Dec 2004 17:16:54 -0300
Subject: [syslog-ng]Problem with TCP connection not timing out
Message-ID: 

I'm really not sure what the problem is, I'm logging with a server in different countries and they send through TCP the logs to a central server. The problem I'm having is that the central server is not dropping TCP connections that no longer exist.
As an example:

CENTRAL SERVER:
TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
CENTRAL.shell        syslogA.33969         5840      0 10136      0 ESTABLISHED
CENTRAL.shell        syslogB.4930          5840      0 10136      0 ESTABLISHED
CENTRAL.shell        syslogC.33924        24820      0  8760      0 ESTABLISHED
CENTRAL.shell        syslogC.33925        24820      0  8760      0 ESTABLISHED
CENTRAL.shell        syslogD.44925         5840      0 10136      0 ESTABLISHED
CENTRAL.shell        syslogE.32783        24820      0  8760      0 ESTABLISHED
CENTRAL.shell        syslogC.33926        24820      0  8760      0 ESTABLISHED
CENTRAL.22           host.1624            51968      0 10136      0 ESTABLISHED
CENTRAL.shell        syslogD.44934         5840      0 10136      0 ESTABLISHED

SYSLOGC:
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
syslogC.33926        CENTRAL.shell         8760      0 24820      0 ESTABLISHED
SyslogC.22           host.4663            57920      0 24616      0 ESTABLISHED

Notice that the active connection is the one from SyslogC port 33926, but CentralSyslog has 3 established connections (33924, 33925 and 33926), 33924 is active since some days ago, but doesn't exist in the original server. The problem is that my total connections allowed start to fill up and then I can no longer connect.
Any ideas on what could this be?

Thank you.

From syslog-ng@lists.balabit.hu Thu Dec 23 01:40:31 2004
From: syslog-ng@lists.balabit.hu (Majumdar, Anamitra)
Date: Wed, 22 Dec 2004 17:40:31 -0800
Subject: [syslog-ng]syslog2ng not working on Solaris10
Message-ID: <8C53AAFA2050EE40BDCDB9455DA7D63401495887@sw720ex020.visa.com>

Hello,

I need to convert some existing syslog.conf files to the syslog-ng configuration. There is a utility syslog2ng which is packaged with syslog-ng. But it does not work on Solaris 10.

I am having the following error

    ./syslog2ng syslog-ng.conf
    ./syslog2ng: BEGIN: not found
    ./syslog2ng: getline: not found
    ./syslog2ng: syntax error at line 9: `close' unexpected

Anamitra
X4696

From syslog-ng@lists.balabit.hu Thu Dec 23 02:45:37 2004
From: syslog-ng@lists.balabit.hu (Ed Ravin)
Date: Wed, 22 Dec 2004 21:45:37 -0500
Subject: [syslog-ng]syslog2ng not working on Solaris10
In-Reply-To: <8C53AAFA2050EE40BDCDB9455DA7D63401495887@sw720ex020.visa.com>
References: <8C53AAFA2050EE40BDCDB9455DA7D63401495887@sw720ex020.visa.com>
Message-ID: <20041223024537.GA28437@panix.com>

On Wed, Dec 22, 2004 at 05:40:31PM -0800, Majumdar, Anamitra wrote:
> There is a utility syslog2ng which is packaged with syslog-ng.
> But does not work on solaris 10.
>
> I am having the following error
>
> ./syslog2ng syslog-ng.conf
> ./syslog2ng: BEGIN: not found
> ./syslog2ng: getline: not found
> ./syslog2ng: syntax error at line 9: `close' unexpected

Look at the first few lines of syslog2ng:

    #!/usr/bin/awk -f
    #
    # syslog2ng
    #
    # Translator from syslog.conf to syslog-ng.conf
    # by Jonathan W. Marks

You probably don't have /usr/bin/awk - maybe Sun keeps it in /bin, /usr/ucb, or some other directory?

From syslog-ng@lists.balabit.hu Thu Dec 23 13:47:11 2004
From: syslog-ng@lists.balabit.hu (Stew Redfield)
Date: Thu, 23 Dec 2004 08:47:11 -0500
Subject: [syslog-ng]syslog2ng not working on Solaris10
Message-ID: 

on Solaris10 (s10_63 at least)
/usr/bin/awk
||
/usr/bin/nawk

Usually that error means a missing ' in the script or sourced in config.

Happy non-religious merry generic holiday greetings...

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Ed Ravin
Sent: Wednesday, December 22, 2004 9:46 PM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]syslog2ng not working on Solaris10

On Wed, Dec 22, 2004 at 05:40:31PM -0800, Majumdar, Anamitra wrote:
> There is a utility syslog2ng which is packaged with syslog-ng.
> But does not work on solaris 10.
>
> I am having the following error
>
> ./syslog2ng syslog-ng.conf
> ./syslog2ng: BEGIN: not found
> ./syslog2ng: getline: not found
> ./syslog2ng: syntax error at line 9: `close' unexpected

Look at the first few lines of syslog2ng:

    #!/usr/bin/awk -f
    #
    # syslog2ng
    #
    # Translator from syslog.conf to syslog-ng.conf
    # by Jonathan W. Marks

You probably don't have /usr/bin/awk - maybe Sun keeps it in /bin, /usr/ucb, or some other directory?

From syslog-ng@lists.balabit.hu Thu Dec 23 19:08:51 2004
From: syslog-ng@lists.balabit.hu (Nate Campi)
Date: Thu, 23 Dec 2004 11:08:51 -0800
Subject: [syslog-ng]syslog2ng not working on Solaris10
In-Reply-To: <8C53AAFA2050EE40BDCDB9455DA7D63401495887@sw720ex020.visa.com>
References: <8C53AAFA2050EE40BDCDB9455DA7D63401495887@sw720ex020.visa.com>
Message-ID: <20041223190851.GB21568@campin.net>

Use /usr/bin/nawk, change the shebang line and it's fine:

    $ cat /etc/syslog.conf | ./syslog2ng
    awk: syntax error near line 12
    awk: illegal statement near line 12
    awk: syntax error near line 52
    awk: illegal statement near line 52
    awk: syntax error near line 55
    awk: bailing out near line 55

Change the first line of syslog2ng from "#!/usr/bin/awk -f" to "#!/usr/bin/nawk -f" and...

    $ cat /etc/syslog.conf | ./syslog2ng
    options { dir_perm(0755); perm(0644); chain_hostnames(no); keep_hostname(yes); };
    source local { sun-streams("/dev/log"); udp(ip(0.0.0.0) port(514)); internal(); };
    ....more and more syslog-ng config

On Wed, Dec 22, 2004 at 05:40:31PM -0800, Majumdar, Anamitra wrote:
> Hello,
>
> I need to convert some existing syslog.conf files to the syslog-ng configuration.
> There is a utility syslog2ng which is packaged with syslog-ng.
> But does not work on solaris 10.
>
> I am having the following error
>
> ./syslog2ng syslog-ng.conf
> ./syslog2ng: BEGIN: not found
> ./syslog2ng: getline: not found
> ./syslog2ng: syntax error at line 9: `close' unexpected
>
> Anamitra
> X4696
>

--
Nate

"Don't go around saying the world owes you a living; the world owes you nothing; it was here first." - Samuel Clemens

From syslog-ng@lists.balabit.hu Sat Dec 25 23:09:02 2004
From: syslog-ng@lists.balabit.hu (Matthias Keller)
Date: Sun, 26 Dec 2004 00:09:02 +0100
Subject: [syslog-ng]STATS: dropped 644 ?
Message-ID: <41CDF30E.5030803@matthias-keller.ch>

Hi

I'm using syslog-ng for quite a while now and finally want to resolve this problem (I suppose)...
I pretty much daily get a whole bunch of dropped messages...
It's not always at the same times but always for several hours!
I'm logging the stats hourly so usually for about 8h a day I get drops in the hundreds....?

I guess this isn't normal and shouldn't be as my system isn't really busy at all...

As options I'm using:

    options {
        long_hostnames(off);
        sync(5);  # How many lines have to be queued until a disc synch is done. use 0 for immediate
        stats(3600);
        log_fifo_size(8192);
        log_msg_size(1024);
        time_reopen(10);
    };

Since there are a lot of apps running on the system I don't go for a 'Application X gets localZ' approach but instead I'm filtering by application name. One example entry would be:

    filter f_dhcpd { program("dhcpd"); };
    destination dhcpd { file("/var/log/dhcpd.log"); };
    log { source(src); filter(f_dhcpd); destination(dhcpd); flags(final); };

I don't know if that flags(final) does some harm as I haven't seen that much in the wild but I don't want any further rule to care about dhcpd-logs so I want to stop matched entries there...
I have about 10 such entries...

I also have a catchall in the end:

    destination other { file("/var/log/other"); };
    log { source(src); destination(other); };

which doesn't really catch anything at all because the messages before already catch pretty much everything.

I can give you the whole config if you like.

So I'm hoping you could give me some good advice on how to track down my problem?

Thanks!!
Matt

From syslog-ng@lists.balabit.hu Mon Dec 27 14:02:11 2004
From: syslog-ng@lists.balabit.hu (Philip J. Hollenback)
Date: Mon, 27 Dec 2004 09:02:11 -0500
Subject: [syslog-ng]can't figure out how to convert syslog.conf entry to syslog-ng
Message-ID: <20041227140211.GK14970@telemetry-investments.com>

I have the following syslog.conf entry on my linux server:

    *.info;mail.none;mail.err;authpriv.none;auth.none;auth.warning;cron.none;cron.warning;local0.none /var/log/messages

The syslog2ng script converts it to this:

    destination d_mesg { file("/var/log/messages"); };

    filter f_1 { level(info..emerg); };
    filter f_2 { not facility(mail); };
    filter f_3 { facility(mail) and level(err..emerg); };
    filter f_4 { not facility(authpriv); };
    filter f_5 { not facility(auth); };
    filter f_6 { facility(auth) and level(warning..emerg); };
    filter f_7 { not facility(cron); };
    filter f_8 { facility(cron) and level(warning..emerg); };
    filter f_9 { not facility(local0); };

    log {
        source(local);
        filter(f_1); filter(f_2); filter(f_3); filter(f_4);
        filter(f_5); filter(f_6); filter(f_7); filter(f_8);
        filter(f_9);
        destination(d_mesg);
    };

Problem: this doesn't work; the above syslog-ng.conf entry doesn't send any messages to /var/log/messages. I know syslog-ng is working because other entries in the config file do catch messages as they should.

I've narrowed it down to something with the compound filter statements. If I remove f_3, f_6, and f_8, the entry starts working.

Works correctly on regular syslog. syslog-ng version 1.6.5.

Thanks,
P.

--
Philip J. Hollenback
Telemetry Investments
phollenback@telemetry-investments.com

From syslog-ng@lists.balabit.hu Mon Dec 27 18:10:16 2004
From: syslog-ng@lists.balabit.hu (Wolfgang Braun)
Date: Mon, 27 Dec 2004 19:10:16 +0100
Subject: [syslog-ng]can't figure out how to convert syslog.conf entry to syslog-ng
In-Reply-To: <20041227140211.GK14970@telemetry-investments.com>
References: <20041227140211.GK14970@telemetry-investments.com>
Message-ID: <1104171016.30738.8.camel@pups.10er>

On Mon, 27.12.2004 at 15:02, Philip J. Hollenback wrote:
> I have the following syslog.conf entry on my linux server:
> [...]
> filter f_2 { not facility(mail); };
> filter f_3 { facility(mail) and level(err..emerg); };
[...]
> log {
>     source(local);
>     filter(f_1); filter(f_2); filter(f_3); filter(f_4);
>     filter(f_5); filter(f_6); filter(f_7); filter(f_8);
>     filter(f_9);
>     destination(d_mesg);
> };

The message from source has to match ALL filters (AND'd together) to be logged to destination. That's at least what I read from chapter 2 (log paths) of the reference manual.

>
> Problem: this doesn't work; the above syslog-ng.conf entry doesn't
> send any messages to /var/log/messages.

(facility(mail)) AND (not facility(mail)) = {}

[...]
>
> I've narrowed it down to something with the compound filter
> statements. If I remove f_3, f_6, and f_8, the entry starts working.

You could perhaps define a log{} statement for each filter rule.

> Thanks,
> P.

HTH
Wolfgang

--
Wolfgang Braun , Dipl. Inform. (FH)
gpg-key: 1024D/4B32CE55

From syslog-ng@lists.balabit.hu Mon Dec 27 20:11:45 2004
From: syslog-ng@lists.balabit.hu (Pavel Urban)
Date: Mon, 27 Dec 2004 21:11:45 +0100
Subject: [syslog-ng]typo? changelog
Message-ID: <41D06C81.5040805@mlp.cz>

Hello,

I've tried to rebuild our local RPM for syslog-ng and was somewhat confused by 1.6.5 ChangeLog claiming that the required libol version is 0.3.15. It seems to me that it should be 0.3.14, am I right? Or am I wrong as usual? ;-)

--
***********************************************************************
Pavel Urban (pavel.urban@imaginet.cz)
IOL system disaster
Internet OnLine, owned by Cesky Telecom, a.s. (www.ct.cz)
***********************************************************************
Vegetables should not operate electronic equipment.
Computer Stupidities, http://rinkworks.com/stupid/
***********************************************************************

From syslog-ng@lists.balabit.hu Mon Dec 27 20:58:16 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Mon, 27 Dec 2004 21:58:16 +0100
Subject: [syslog-ng]Problem with TCP connection not timing out
In-Reply-To: 
References: 
Message-ID: <1104181096.3814.14.camel@bzorp.balabit>

On Wed, 2004-12-22 at 17:16 -0300, ARGEXT-HIDALGO, FRANCISCO wrote:
> I'm really not sure what the problem is, I'm logging with a server in different countries and they send through TCP the logs to a central server. The problem I'm having is that the central server is not dropping TCP connections that no longer exist.
> As an example:
>
> CENTRAL SERVER:
> TCP
>    Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
> -------------------- -------------------- ----- ------ ----- ------ -------
> CENTRAL.shell        syslogA.33969         5840      0 10136      0 ESTABLISHED
> CENTRAL.shell        syslogB.4930          5840      0 10136      0 ESTABLISHED
> CENTRAL.shell        syslogC.33924        24820      0  8760      0 ESTABLISHED
> CENTRAL.shell        syslogC.33925        24820      0  8760      0 ESTABLISHED
> CENTRAL.shell        syslogD.44925         5840      0 10136      0 ESTABLISHED
> CENTRAL.shell        syslogE.32783        24820      0  8760      0 ESTABLISHED
> CENTRAL.shell        syslogC.33926        24820      0  8760      0 ESTABLISHED
> CENTRAL.22           host.1624            51968      0 10136      0 ESTABLISHED
> CENTRAL.shell        syslogD.44934         5840      0 10136      0 ESTABLISHED
>
> SYSLOGC:
> TCP: IPv4
>    Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
> -------------------- -------------------- ----- ------ ----- ------ -------
> syslogC.33926        CENTRAL.shell         8760      0 24820      0 ESTABLISHED
> SyslogC.22           host.4663            57920      0 24616      0 ESTABLISHED
>
>
> Notice that the active connection is the one from SyslogC port 33926, but CentralSyslog has 3 established connections (33924, 33925 and 33926), 33924 is active since some days ago, but doesn't exist in the original server. The problem is that my total connections allowed start to fill up and then I can no longer connect.
> Any ideas on what could this be?
Maybe there were some network outages and the connection on the client timed out, but as there are no packets for established connections without traffic this connection remained in the server's connection table.

A possible solution is to enable TCP keep-alive, which periodically sends probes for established connections, and reports an error if the peer does not react to a probe, you can enable this by setting tcp-keep-alive option to yes, for example:

    source s_tcp { tcp(port(2000) tcp-keep-alive(yes)); };

--
Bazsi

From syslog-ng@lists.balabit.hu Mon Dec 27 21:01:17 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Mon, 27 Dec 2004 22:01:17 +0100
Subject: [syslog-ng]STATS: dropped 644 ?
In-Reply-To: <41CDF30E.5030803@matthias-keller.ch>
References: <41CDF30E.5030803@matthias-keller.ch>
Message-ID: <1104181277.3814.17.camel@bzorp.balabit>

On Sun, 2004-12-26 at 00:09 +0100, Matthias Keller wrote:
> Hi
>
> I'm using syslog-ng for quite a while now and finally want to resolve
> this problem (I suppose)...
> I pretty much daily get a whole bunch of dropped messages...
> It's not always at the same times but always for several hours!
> I'm logging the stats hourly so usually for about 8h a day I get drops
> in the hundreds....?
>
> I guess this isn't normal and shouldn't be as my system isn't really
> busy at all...
>

what kind of destinations do you use? the DROP count in STATS reports messages dropped _within_ syslog-ng and affects only pipe and tcp destinations.

maybe you have an xconsole not being able to process messages at the required rate?

--
Bazsi

From syslog-ng@lists.balabit.hu Mon Dec 27 21:04:51 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Mon, 27 Dec 2004 22:04:51 +0100
Subject: [syslog-ng]can't figure out how to convert syslog.conf entry to syslog-ng
In-Reply-To: <20041227140211.GK14970@telemetry-investments.com>
References: <20041227140211.GK14970@telemetry-investments.com>
Message-ID: <1104181491.3814.21.camel@bzorp.balabit>

On Mon, 2004-12-27 at 09:02 -0500, Philip J. Hollenback wrote:
> I have the following syslog.conf entry on my linux server:
>
> *.info;mail.none;mail.err;authpriv.none;auth.none;auth.warning;cron.none;cron.warning;local0.none /var/log/messages
>
> The syslog2ng script converts it to this:
>
> destination d_mesg { file("/var/log/messages"); };
>
> filter f_1 { level(info..emerg); };
> filter f_2 { not facility(mail); };
> filter f_3 { facility(mail) and level(err..emerg); };
> filter f_4 { not facility(authpriv); };
> filter f_5 { not facility(auth); };
> filter f_6 { facility(auth) and level(warning..emerg); };
> filter f_7 { not facility(cron); };
> filter f_8 { facility(cron) and level(warning..emerg); };
> filter f_9 { not facility(local0); };
>
> log {
>     source(local);
>     filter(f_1); filter(f_2); filter(f_3); filter(f_4);
>     filter(f_5); filter(f_6); filter(f_7); filter(f_8);
>     filter(f_9);
>     destination(d_mesg);
> };
>
>
> Problem: this doesn't work; the above syslog-ng.conf entry doesn't
> send any messages to /var/log/messages. I know syslog-ng is working
> because other entries in the config file do catch messages as they
> should.
>
> I've narrowed it down to something with the compound filter
> statements. If I remove f_3, f_6, and f_8, the entry starts working.

Note that syslog-ng ANDs the filter expressions listed in your log statement. E.g. while syslogd ORs them syslog-ng ANDs them.

in f_3 you require facility(mail) while in f_2 you explicitly disallow it via not.

Maybe you should construct a single filter expression ORing the conditions in the original syslog.conf entry.
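The AND-vs-OR point above, worked through as an added example (my code, not the thread's or syslog-ng's): a small Python model of sysklogd selector semantics and of syslog-ng filter expressions, run over the selector line from this thread. The facility list and the predicate helpers are my own constructions; SINGLE_FILTER is my composition, and THREAD_FILTER is the expression posted later in the thread, included so the check shows where the two differ from the original selector line.

```python
"""Added example (not from the thread): check a syslog.conf selector line
against syslog-ng-style filter expressions.

sysklogd evaluates the selectors of one line left to right, and a later
selector for the same facility overrides an earlier one ("mail.none;mail.err"
ends up as mail at err and above). syslog-ng ANDs every filter() in a log
path, so the syslog2ng output with "not facility(mail)" AND "facility(mail)
and level(err..emerg)" can never match."""

# syslog severities, most severe first (emerg=0 ... debug=7)
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEV = {name: i for i, name in enumerate(LEVELS)}
# constructed sample of facilities to evaluate against
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "authpriv", "cron",
              "local0", "local1"]
# the selector line from the thread
SELECTOR = ("*.info;mail.none;mail.err;authpriv.none;auth.none;auth.warning;"
            "cron.none;cron.warning;local0.none")


def selector_thresholds(selector_line, facilities=FACILITIES):
    """sysklogd semantics: {facility: least severe level still logged},
    None for facilities excluded by ".none". Last selector per facility wins."""
    thr = {fac: None for fac in facilities}
    for sel in selector_line.split(";"):
        fac_part, lvl = sel.split(".")
        targets = facilities if fac_part == "*" else fac_part.split(",")
        for fac in targets:
            thr[fac] = None if lvl == "none" else lvl
    return thr


def syslogd_matches(thr, fac, lvl):
    floor = thr.get(fac)
    return floor is not None and SEV[lvl] <= SEV[floor]


# Minimal model of syslog-ng filter functions as predicates over (fac, lvl).
def level(lo, hi):          # level(lo..hi): inclusive range, lo is least severe
    return lambda fac, lvl: SEV[hi] <= SEV[lvl] <= SEV[lo]

def facility(*names):       # facility(a, b, ...)
    return lambda fac, lvl: fac in names

def not_(f):
    return lambda fac, lvl: not f(fac, lvl)

def and_(*fs):              # also what a log path does with several filter()s
    return lambda fac, lvl: all(f(fac, lvl) for f in fs)


# The nine filters produced by syslog2ng, ANDed as a log path does.
SYSLOG2NG_CHAIN = and_(
    level("info", "emerg"),                              # f_1
    not_(facility("mail")),                              # f_2
    and_(facility("mail"), level("err", "emerg")),       # f_3
    not_(facility("authpriv")),                          # f_4
    not_(facility("auth")),                              # f_5
    and_(facility("auth"), level("warning", "emerg")),   # f_6
    not_(facility("cron")),                              # f_7
    and_(facility("cron"), level("warning", "emerg")),   # f_8
    not_(facility("local0")),                            # f_9
)

# One expression that reproduces the selector line: exclude the ranges the
# per-facility overrides cut off (mail below err, auth/cron below warning).
SINGLE_FILTER = and_(
    level("info", "emerg"),
    not_(facility("authpriv", "local0")),
    not_(and_(facility("mail"), level("debug", "warning"))),
    not_(and_(facility("auth", "cron"), level("debug", "notice"))),
)

# The expression posted later in this thread; it cuts mail off below
# warning rather than below err, which the check below reports.
THREAD_FILTER = and_(
    level("info", "emerg"),
    not_(facility("authpriv", "local0")),
    not_(and_(facility("mail"), level("debug", "notice"))),
    not_(and_(facility("auth", "cron"), level("debug", "notice"))),
)


def selected(pred):
    return {(fac, lvl) for fac in FACILITIES for lvl in LEVELS if pred(fac, lvl)}


def disagreements(pred, thr):
    """(facility, level) pairs where the filter and sysklogd disagree."""
    want = {(f, l) for f in FACILITIES for l in LEVELS if syslogd_matches(thr, f, l)}
    return selected(pred) ^ want


if __name__ == "__main__":
    thr = selector_thresholds(SELECTOR)
    print("syslog2ng chain matches:", len(selected(SYSLOG2NG_CHAIN)))        # 0
    print("single filter disagreements:", disagreements(SINGLE_FILTER, thr))  # set()
    print("thread filter disagreements:", disagreements(THREAD_FILTER, thr))  # {('mail', 'warning')}
```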
From syslog-ng@lists.balabit.hu Mon Dec 27 21:09:13 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Mon, 27 Dec 2004 22:09:13 +0100
Subject: [syslog-ng]typo? changelog
In-Reply-To: <41D06C81.5040805@mlp.cz>
References: <41D06C81.5040805@mlp.cz>
Message-ID: <1104181753.3814.25.camel@bzorp.balabit>

On Mon, 2004-12-27 at 21:11 +0100, Pavel Urban wrote:
> Hello,
>
> I've tried to rebuild our local RPM for syslog-ng and was somewhat
> confused by 1.6.5 ChangeLog claiming that the required libol version is
> 0.3.15. It seems to me that it should be 0.3.14, am I right? Or am I
> wrong as usual? ;-)
>

I was wondering if anybody notices :)

seriously it _is_ a typo, my last libol changelog entry dated 2004-08-05 explicitly mentions the release of 0.3.14

--
Bazsi

From syslog-ng@lists.balabit.hu Tue Dec 28 00:27:38 2004
From: syslog-ng@lists.balabit.hu (Nate Campi)
Date: Mon, 27 Dec 2004 16:27:38 -0800
Subject: [syslog-ng]reading debug output
Message-ID: <20041228002738.GE21568@campin.net>

I have syslog-ng (1.6.4) running as "syslog-ng -d -v" and I happen to know that messages are buffering up, because I defined a TCP endpoint where there's nothing listening.

I can't tell from the debug output what the buffer looks like (how full it is), is it possible to tell or is there no way to know?

Well, no way except failed connection messages on internal() and the eventual STATS messages telling of dropped messages of course.

TIA
--
Nate

"A computer will do what you tell it to do, but that may be much different from what you had in mind." - JOSEPH WEIZENBAUM, quoted in Time

From syslog-ng@lists.balabit.hu Tue Dec 28 09:30:22 2004
From: syslog-ng@lists.balabit.hu (Gorm J. Siiger)
Date: Tue, 28 Dec 2004 10:30:22 +0100
Subject: [syslog-ng]syslog-ng stopped working yesterday
Message-ID: <20041228093022.GC28995@SonnIT.DK>

Hi,

I have a weird problem, yesterday around 14:00 CET syslog-ng just stops working. The daemon runs, but almost nothing is written to the logs.

I have used syslog-ng for some years now, and it never let me down.

When running syslog-ng -dv the last things it tells me are:

    Objects alive: 203, garbage collected: 1
    AF_INET client connected from 80.63.205.142, port 3630
    io.c: Preparing fd 14 for reading

And then it stops logging, but seeing with tcpdump that I receive tons of syslog, and even local logging with "logger" doesn't work.

Installing a new syslog-ng on another machine does the same, which confuses me.

Any good ideas ?

--
Med venlig hilsen / Best regards

Gorm J. Siiger - mail: gjs@sonnit.dk
------------------------------------
SonnIT, Sonnerupvej 83B, 4682 Tureby
Tel. 70274777 - http://www.sonnit.dk

From syslog-ng@lists.balabit.hu Tue Dec 28 13:35:21 2004
From: syslog-ng@lists.balabit.hu (ARGEXT-HIDALGO, FRANCISCO)
Date: Tue, 28 Dec 2004 10:35:21 -0300
Subject: [syslog-ng]Problem with TCP connection not timing out
Message-ID: 

Thanks for the response, I'll test it now, but the documentation says that this is the default behaviour, so I'm not sure if this will change anything.

On the other hand, shouldn't the OS drop these connections? Some of them have days there, and this monday, there were almost 40 dead connections that were "ESTABLISHED".

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Monday, 27 December 2004 05:58 p.m.
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Problem with TCP connection not timing out

On Wed, 2004-12-22 at 17:16 -0300, ARGEXT-HIDALGO, FRANCISCO wrote:
> I'm really not sure what the problem is, I'm logging with a server in different countries and they send through TCP the logs to a central server. The problem I'm having is that the central server is not dropping TCP connections that no longer exist.
> As an example:
>
> CENTRAL SERVER:
> TCP
>    Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
> -------------------- -------------------- ----- ------ ----- ------ -------
> CENTRAL.shell        syslogA.33969         5840      0 10136      0 ESTABLISHED
> CENTRAL.shell        syslogB.4930          5840      0 10136      0 ESTABLISHED
> CENTRAL.shell        syslogC.33924        24820      0  8760      0 ESTABLISHED
> CENTRAL.shell        syslogC.33925        24820      0  8760      0 ESTABLISHED
> CENTRAL.shell        syslogD.44925         5840      0 10136      0 ESTABLISHED
> CENTRAL.shell        syslogE.32783        24820      0  8760      0 ESTABLISHED
> CENTRAL.shell        syslogC.33926        24820      0  8760      0 ESTABLISHED
> CENTRAL.22           host.1624            51968      0 10136      0 ESTABLISHED
> CENTRAL.shell        syslogD.44934         5840      0 10136      0 ESTABLISHED
>
> SYSLOGC:
> TCP: IPv4
>    Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
> -------------------- -------------------- ----- ------ ----- ------ -------
> syslogC.33926        CENTRAL.shell         8760      0 24820      0 ESTABLISHED
> SyslogC.22           host.4663            57920      0 24616      0 ESTABLISHED
>
>
> Notice that the active connection is the one from SyslogC port 33926, but CentralSyslog has 3 established connections (33924, 33925 and 33926), 33924 is active since some days ago, but doesn't exist in the original server. The problem is that my total connections allowed start to fill up and then I can no longer connect.
> Any ideas on what could this be?
Maybe there were some network outages and the connection on the client timed out, but as there are no packets for established connections without traffic this connection remained in the server's connection table.

A possible solution is to enable TCP keep-alive, which periodically sends probes for established connections, and reports an error if the peer does not react to a probe, you can enable this by setting tcp-keep-alive option to yes, for example:

    source s_tcp { tcp(port(2000) tcp-keep-alive(yes)); };

--
Bazsi

From syslog-ng@lists.balabit.hu Tue Dec 28 15:36:00 2004
From: syslog-ng@lists.balabit.hu (Philip J. Hollenback)
Date: Tue, 28 Dec 2004 10:36:00 -0500
Subject: [syslog-ng]can't figure out how to convert syslog.conf entry to syslog-ng
In-Reply-To: <1104181491.3814.21.camel@bzorp.balabit>
References: <20041227140211.GK14970@telemetry-investments.com> <1104181491.3814.21.camel@bzorp.balabit>
Message-ID: <20041228153600.GI23120@telemetry-investments.com>

Thanks for the pointers! I was able to code this entry up as follows:

    filter f_mesg {
        level(info..emerg)
        and not facility(authpriv,local0)
        and not (facility(mail) and level(debug..notice))
        and not (facility(auth,cron) and level(debug..notice));
    };

and that works great.

Thanks,
P.

On 12/27/04, Balazs Scheidler wrote:
> On Mon, 2004-12-27 at 09:02 -0500, Philip J. Hollenback wrote:
> > I have the following syslog.conf entry on my linux server:
> >
> > *.info;mail.none;mail.err;authpriv.none;auth.none;auth.warning;cron.none;cron.warning;local0.none /var/log/messages
> >
> > The syslog2ng script converts it to this:
> >
> > destination d_mesg { file("/var/log/messages"); };
> >
> > filter f_1 { level(info..emerg); };
> > filter f_2 { not facility(mail); };
> > filter f_3 { facility(mail) and level(err..emerg); };
> > filter f_4 { not facility(authpriv); };
> > filter f_5 { not facility(auth); };
> > filter f_6 { facility(auth) and level(warning..emerg); };
> > filter f_7 { not facility(cron); };
> > filter f_8 { facility(cron) and level(warning..emerg); };
> > filter f_9 { not facility(local0); };
> >
> > log {
> >     source(local);
> >     filter(f_1); filter(f_2); filter(f_3); filter(f_4);
> >     filter(f_5); filter(f_6); filter(f_7); filter(f_8);
> >     filter(f_9);
> >     destination(d_mesg);
> > };
> >
> >
> > Problem: this doesn't work; the above syslog-ng.conf entry doesn't
> > send any messages to /var/log/messages. I know syslog-ng is working
> > because other entries in the config file do catch messages as they
> > should.
> >
> > I've narrowed it down to something with the compound filter
> > statements. If I remove f_3, f_6, and f_8, the entry starts working.
>
> Note that syslog-ng ANDs the filter expressions listed in your log
> statement. E.g. while syslogd ORs them syslog-ng ANDs them.
>
> in f_3 you require facility(mail) while in f_2 you explicitly disallow
> it via not.
>
> Maybe you should construct a single filter expression ORing the
> conditions in the original syslog.conf entry.
>

--
Philip J. Hollenback
Telemetry Investments
phollenback@telemetry-investments.com

From syslog-ng@lists.balabit.hu Tue Dec 28 18:03:07 2004
From: syslog-ng@lists.balabit.hu (Matthias Keller)
Date: Tue, 28 Dec 2004 19:03:07 +0100
Subject: [syslog-ng]STATS: dropped 644 ?
In-Reply-To: <1104181277.3814.17.camel@bzorp.balabit>
References: <41CDF30E.5030803@matthias-keller.ch> <1104181277.3814.17.camel@bzorp.balabit>
Message-ID: <41D19FDB.3010408@matthias-keller.ch>

Balazs Scheidler wrote:

> On Sun, 2004-12-26 at 00:09 +0100, Matthias Keller wrote:
>
>> Hi
>>
>> I'm using syslog-ng for quite a while now and finally want to resolve
>> this problem (I suppose)...
>> I pretty much daily get a whole bunch of dropped messages...
>> It's not always at the same times but always for several hours!
>> I'm logging the stats hourly so usually for about 8h a day I get drops
>> in the hundreds....?
>>
>> I guess this isn't normal and shouldn't be as my system isn't really
>> busy at all...
>>
>
> what kind of destinations do you use? the DROP count in STATS reports
> messages dropped _within_ syslog-ng and affects only pipe and tcp
> destinations.
>
> maybe you have an xconsole not being able to process messages at the
> required rate?
>

Thanks for that hint

There was the pipe to xconsole activated which I suppose I don't need as I don't run any X on that server...
I disabled it and didn't get any drops since...

Thanks
Matt

From syslog-ng@lists.balabit.hu Tue Dec 28 18:11:06 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Tue, 28 Dec 2004 19:11:06 +0100
Subject: [syslog-ng]syslog-ng stopped working yesterday
In-Reply-To: <20041228093022.GC28995@SonnIT.DK>
References: <20041228093022.GC28995@SonnIT.DK>
Message-ID: <1104257466.8052.9.camel@bzorp.balabit>

On Tue, 2004-12-28 at 10:30 +0100, Gorm J. Siiger wrote:
> Hi,
>
> I have a weird problem, yesterday around 14:00 CET syslog-ng just stops
> working. The daemon runs, but almost nothing is written to the logs.
>
> I have used syslog-ng for some years now, and it never let me down.
>
> When running syslog-ng -dv the last things it tells me is:
>
> Objects alive: 203, garbage collected: 1
> AF_INET client connected from 80.63.205.142, port 3630
> io.c: Preparing fd 14 for reading
>
> And then it stops logging, but seeing with tcpdump that I receive tons of
> syslog, and even local logging with "logger" doesn't work.
>
> Installing a new syslog-ng on another machine does the same, which confuses
> me.

syslog-ng probably blocks on something, maybe on a DNS query. can you
strace syslog-ng while it is blocked like this?

--
Bazsi

From syslog-ng@lists.balabit.hu Tue Dec 28 18:16:49 2004
From: syslog-ng@lists.balabit.hu (Bill Nash)
Date: Tue, 28 Dec 2004 10:16:49 -0800 (PST)
Subject: [syslog-ng]syslog-ng stopped working yesterday
In-Reply-To: <1104257466.8052.9.camel@bzorp.balabit>
References: <20041228093022.GC28995@SonnIT.DK> <1104257466.8052.9.camel@bzorp.balabit>
Message-ID:

Also, can you include the config portions that handle your logging to disk?

- billn

On Tue, 28 Dec 2004, Balazs Scheidler wrote:

> On Tue, 2004-12-28 at 10:30 +0100, Gorm J. Siiger wrote:
>> Hi,
>>
>> I have a weird problem, yesterday around 14:00 CET syslog-ng just stops
>> working. The daemon runs, but almost nothing is written to the logs.
>>
>> I have used syslog-ng for some years now, and it never let me down.
>>
>> When running syslog-ng -dv the last things it tells me is:
>>
>> Objects alive: 203, garbage collected: 1
>> AF_INET client connected from 80.63.205.142, port 3630
>> io.c: Preparing fd 14 for reading
>>
>> And then it stops logging, but seeing with tcpdump that I receive tons of
>> syslog, and even local logging with "logger" doesn't work.
>>
>> Installing a new syslog-ng on another machine does the same, which confuses
>> me.
>
> syslog-ng probably blocks on something, maybe on a DNS query. can you
> strace syslog-ng while it is blocked like this?
>
>

From syslog-ng@lists.balabit.hu Tue Dec 28 18:17:09 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Tue, 28 Dec 2004 19:17:09 +0100
Subject: [syslog-ng]Problem with TCP connection not timing out
In-Reply-To:
References:
Message-ID: <1104257829.8052.14.camel@bzorp.balabit>

On Tue, 2004-12-28 at 10:35 -0300, ARGEXT-HIDALGO, FRANCISCO wrote:
> Thanks for the response, I'll test it now, but the documentation says that
> this is the default behaviour, so I'm not sure if this will change anything.
> On the other hand, shouldn't the OS drop these connections?, some of them
> have days there, and this Monday, there were almost 40 dead connections
> that were "ESTABLISHED".
>

I'm sorry but no, the OS does not reap these connections. Some application
layer timeout could solve the issue, though at the same time it might also
cause other problems like message drops.

Where did you read that it was default?

  tcp-keep-alive()   yes or no   Available for tcp() only, and specifies
                                 whether to enable TCP keep alive messages
                                 using the SO_KEEPALIVE socket option.      no

Nevertheless looking at the source it seems not to be enabled by default. But
if you tell me a reference I'll fix the documentation.

--
Bazsi

From syslog-ng@lists.balabit.hu Wed Dec 29 04:17:18 2004
From: syslog-ng@lists.balabit.hu (José Pedro Oliveira)
Date: Wed, 29 Dec 2004 04:17:18 +0000
Subject: [syslog-ng]Syslog-ng/libol: broken snapshots creation
Message-ID: <41D22FCE.5020704@di.uminho.pt>

Hi,

The last syslog-ng (and libol) snapshot listed in the
http://www.balabit.com/downloads/syslog-ng/1.6/src-snapshot/
is from 2004-12-06.

Could someone correct the problem and, maybe, delete libol-0.3.13
and syslog-ng-1.6.4 snapshots?

Thanks in advance,
jpo

--
José Pedro Oliveira
* mailto: jpo@di.uminho.pt * http://gsd.di.uminho.pt/~jpo *
* gpg fingerprint = F9B6 8D87 859D 1C94 48F0 84C0 9749 9EB5 91BD 851B *

From syslog-ng@lists.balabit.hu Wed Dec 29 08:30:31 2004
From: syslog-ng@lists.balabit.hu (Gorm J. Siiger)
Date: Wed, 29 Dec 2004 09:30:31 +0100
Subject: [syslog-ng]syslog-ng stopped working yesterday
In-Reply-To: <1104257466.8052.9.camel@bzorp.balabit>
References: <20041228093022.GC28995@SonnIT.DK> <1104257466.8052.9.camel@bzorp.balabit>
Message-ID: <20041229083031.GB4109@SonnIT.DK>

>
> syslog-ng probably blocks on something, maybe on a DNS query. can you
> strace syslog-ng while it is blocked like this?
>

I found the problem, the reverse DNS zone for one particular host was
classless delegated, and that name-server was configured wrong.

Pretty interesting that syslog-ng fails that bad when DNS doesn't work.

Once the problem was fixed everything went back to normal.

--
Med venlig hilsen / Best regards

Gorm J. Siiger - mail: gjs@sonnit.dk
------------------------------------
SonnIT, Sonnerupvej 83B, 4682 Tureby
Tel. 70274777 - http://www.sonnit.dk

From syslog-ng@lists.balabit.hu Wed Dec 29 20:12:38 2004
From: syslog-ng@lists.balabit.hu (Michael Gargiullo)
Date: Wed, 29 Dec 2004 15:12:38 -0500
Subject: [syslog-ng]testing from a remote server
Message-ID: <1104351158.3803.18.camel@localhost.localdomain>

I have syslog-ng running, and it logs everything from the server it runs
on. How can I test to make sure it logs from remote sources? I'm kind
of new to syslog-ng.

My server listens to UDP 514, and allows it through the firewall.

I have 2 devices I really want to have log to it. A Cisco Aironet 1100,
and a Symantec firewall device we use on our backup connection.

How can I test to make sure syslog-ng is capturing what I'd like it to?

-Mike

From syslog-ng@lists.balabit.hu Wed Dec 29 20:47:52 2004
From: syslog-ng@lists.balabit.hu (Michael Gargiullo)
Date: Wed, 29 Dec 2004 15:47:52 -0500
Subject: [syslog-ng]testing from a remote server
In-Reply-To: <1104351158.3803.18.camel@localhost.localdomain>
References: <1104351158.3803.18.camel@localhost.localdomain>
Message-ID: <1104353272.3803.20.camel@localhost.localdomain>

Never mind.. I used the Sys::Syslog perl module

On Wed, 2004-12-29 at 15:12 -0500, Michael Gargiullo wrote:
> I have syslog-ng running, and it logs everything from the server it runs
> on. How can I test to make sure it logs from remote sources? I'm kind
> of new to syslog-ng.
>
> My server listens to UDP 514, and allows it through the firewall.
>
> I have 2 devices I really want to have log to it. A Cisco Aironet 1100,
> and a Symantec firewall device we use on our backup connection.
>
> How can I test to make sure syslog-ng is capturing what I'd like it to?
>
> -Mike
>

From syslog-ng@lists.balabit.hu Thu Dec 30 15:46:28 2004
From: syslog-ng@lists.balabit.hu (ARGEXT-HIDALGO, FRANCISCO)
Date: Thu, 30 Dec 2004 12:46:28 -0300
Subject: [syslog-ng]Problem with TCP connection not timing out
Message-ID:

You're right, I was confusing tcp-keep-alive option with keep-alive, since
tcp-keep-alive didn't work in my syslog-1.6.2 I thought you meant the
keep-alive option. I compiled the last version and now the option works and
my problem is solved, thank you very much.

Francisco

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu]On Behalf Of Balazs Scheidler
Sent: Tuesday, 28 December 2004 03:17 p.m.
To: syslog-ng@lists.balabit.hu
Subject: RE: [syslog-ng]Problem with TCP connection not timing out

On Tue, 2004-12-28 at 10:35 -0300, ARGEXT-HIDALGO, FRANCISCO wrote:
> Thanks for the response, I'll test it now, but the documentation says that
> this is the default behaviour, so I'm not sure if this will change anything.
> On the other hand, shouldn't the OS drop these connections?, some of them
> have days there, and this Monday, there were almost 40 dead connections
> that were "ESTABLISHED".
>

I'm sorry but no, the OS does not reap these connections. Some application
layer timeout could solve the issue, though at the same time it might also
cause other problems like message drops.

Where did you read that it was default?

  tcp-keep-alive()   yes or no   Available for tcp() only, and specifies
                                 whether to enable TCP keep alive messages
                                 using the SO_KEEPALIVE socket option.      no

Nevertheless looking at the source it seems not to be enabled by default. But
if you tell me a reference I'll fix the documentation.

--
Bazsi

From syslog-ng@lists.balabit.hu Thu Dec 30 17:36:28 2004
From: syslog-ng@lists.balabit.hu (Balazs Scheidler)
Date: Thu, 30 Dec 2004 18:36:28 +0100
Subject: [syslog-ng]syslog-ng stopped working yesterday
In-Reply-To: <20041229083031.GB4109@SonnIT.DK>
References: <20041228093022.GC28995@SonnIT.DK> <1104257466.8052.9.camel@bzorp.balabit> <20041229083031.GB4109@SonnIT.DK>
Message-ID: <1104428188.3430.7.camel@bzorp.balabit>

On Wed, 2004-12-29 at 09:30 +0100, Gorm J. Siiger wrote:
> >
> > syslog-ng probably blocks on something, maybe on a DNS query. can you
> > strace syslog-ng while it is blocked like this?
> >
>
> I found the problem, the reverse DNS zone for one particular host was
> classless delegated, and that name-server was configured wrong.
>
> Pretty interesting that syslog-ng fails that bad when DNS doesn't work.
>
> Once the problem was fixed everything went back to normal.
>

you can always disable resolving names from DNS, but what else could you
do? if I'd do non-blocking DNS queries and would continue processing on
other messages while waiting for a given message to resolve, then
message ordering will be bad.

Another solution might be to add non-DNS name lookups, e.g. resolve
names from a private mechanism to make it possible to use names in
messages and use IP addresses if it fails, but never block.

What do you think about this solution?

--
Bazsi

From syslog-ng@lists.balabit.hu Fri Dec 31 01:08:57 2004
From: syslog-ng@lists.balabit.hu (Carson Gaspar)
Date: Thu, 30 Dec 2004 20:08:57 -0500
Subject: [syslog-ng]syslog-ng stopped working yesterday
In-Reply-To: <1104428188.3430.7.camel@bzorp.balabit>
References: <20041228093022.GC28995@SonnIT.DK> <1104257466.8052.9.camel@bzorp.balabit> <20041229083031.GB4109@SonnIT.DK> <1104428188.3430.7.camel@bzorp.balabit>
Message-ID: <9ABC302055FA93D15D4EDF36@[192.168.21.2]>

--On Thursday, December 30, 2004 6:36 PM +0100 Balazs Scheidler wrote:

> you can always disable resolving names from DNS, but what else could you
> do? if I'd do non-blocking DNS queries and would continue processing on
> other messages while waiting for a given message to resolve, then
> message ordering will be bad.
>
> Another solution might be to add non-DNS name lookups, e.g. resolve
> names from a private mechanism to make it possible to use names in
> messages and use IP addresses if it fails, but never block.
>
> What do you think about this solution?

I'd suggest using an async DNS lookup with configurable timeout. This allows
you to have multiple DNS queries in-flight at once (assuming you're willing
to buffer, but syslog-ng does that already, at least on output). e.g.:

recv line 1
start line 1 lookup
recv line 2
start line 2 lookup
get line 2 answer
...
line 1 lookup times out
write line 1 (with IP address)
write line 2 (with FQDN)

This allows me to have names where possible, but tweak the timeout for my DNS
setup (I may decide that if it doesn't resolve in 1 second, it isn't going to)

--
Carson
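The scheme Carson sketches above, and the failure Gorm hit earlier in the thread (one mis-delegated reverse zone stalling the whole daemon), as an added runnable model. This is not syslog-ng code and not Carson's: it is a Python asyncio sketch written for this page. Each received message starts its own reverse lookup at once, lookups overlap, each waits at most a configurable timeout, and output is drained in arrival order, so the slow name server delays the log but neither stops nor reorders it. The resolver is a constructed stand-in (FAKE_PTR, fake_reverse_lookup, and the 10.0.0.x / 192.0.2.x addresses and example.invalid names are all invented) so the block runs offline; a real implementation would plug a non-blocking DNS client into the same resolver hook. One check the thread does not mention is added: a PTR answer is data supplied by whoever controls the reverse zone, so a name that is not plain hostname syntax is replaced by the IP before it reaches the log line.

```python
"""Async reverse-DNS lookup with a bounded wait per message (added example)."""
import asyncio
import re
import time
from typing import Awaitable, Callable, Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for the reverse zone: ip -> (PTR name, answer delay in s).
# A delay of None models the mis-delegated name server from the thread: the
# query never gets an answer. All names and addresses here are invented.
FAKE_PTR: Dict[str, Tuple[str, Optional[float]]] = {
    "10.0.0.1": ("alpha.example.invalid", 0.01),
    "10.0.0.2": ("beta.example.invalid", None),       # never answers
    "10.0.0.3": ("gamma.example.invalid", 0.05),
    "10.0.0.4": ("bad name\nforged: line", 0.01),    # hostile PTR data
}

Resolver = Callable[[str], Awaitable[str]]

# Plain hostname syntax only: labels of letters, digits and hyphens, dot-separated.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*")


async def fake_reverse_lookup(ip: str) -> str:
    """Simulated PTR query against FAKE_PTR; no network involved."""
    if ip not in FAKE_PTR:
        raise LookupError(ip)              # NXDOMAIN: a fast negative answer
    name, delay = FAKE_PTR[ip]
    if delay is None:
        await asyncio.Event().wait()       # hangs until the caller's timeout cancels it
    await asyncio.sleep(delay)
    return name


def safe_hostname(name: str) -> bool:
    """Reject PTR answers that are not plain hostnames (keeps them out of the log line)."""
    return 0 < len(name) <= 253 and _HOSTNAME_RE.fullmatch(name) is not None


async def resolve_or_ip(ip: str, timeout: float,
                        resolver: Resolver = fake_reverse_lookup) -> str:
    """The name if it arrives in time and looks like a hostname, otherwise the bare IP."""
    try:
        name = await asyncio.wait_for(resolver(ip), timeout)
    except (asyncio.TimeoutError, LookupError):
        return ip
    return name if safe_hostname(name) else ip


async def process_stream(messages: Iterable[Tuple[str, str]], timeout: float,
                         resolver: Resolver = fake_reverse_lookup) -> List[str]:
    """Fan out one lookup per message as it arrives, then drain in arrival order."""
    in_flight = []
    for ip, text in messages:
        task = asyncio.create_task(resolve_or_ip(ip, timeout, resolver))  # no wait here
        in_flight.append((text, task))
    lines = []
    for text, task in in_flight:           # ordered drain keeps message order
        lines.append(f"{await task} {text}")
    return lines


def run_pipeline(messages: Iterable[Tuple[str, str]],
                 timeout: float = 0.2) -> Tuple[List[str], float]:
    """Run the pipeline and report wall-clock time, to show that lookups overlap."""
    start = time.monotonic()
    lines = asyncio.run(process_stream(list(messages), timeout, fake_reverse_lookup))
    return lines, time.monotonic() - start


# Constructed sample traffic: (source address, message text).
SAMPLE_MESSAGES = [
    ("10.0.0.2", "line 1: kernel: eth0 link up"),      # lookup will time out
    ("10.0.0.1", "line 2: sshd: session opened"),
    ("10.0.0.2", "line 3: cron: job started"),         # times out too
    ("10.0.0.3", "line 4: postfix: message queued"),
    ("10.0.0.2", "line 5: kernel: eth0 link down"),    # and again
    ("10.0.0.4", "line 6: su: session opened"),        # hostile PTR -> IP used
    ("192.0.2.9", "line 7: no PTR record at all"),
]

if __name__ == "__main__":
    out, elapsed = run_pipeline(SAMPLE_MESSAGES)
    print("\n".join(out))
    # Three lookups that never answer cost about one timeout in total, not three.
    print(f"{len(out)} lines written in {elapsed:.2f}s with timeout 0.2s")
```

Running it shows the three dead lookups costing roughly one timeout in total rather than three, because they are in flight together while the drain waits on the first one; the lines still come out in the order they arrived, which is the ordering concern Bazsi raises. Disabling DNS resolution altogether, as he also mentions, avoids the whole class of stall and is the simpler choice for a collector whose sources have stable addresses.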