[syslog-ng]syslog-ng NOT Reading source file, which grows. HELP!

alex syslog-ng@lists.balabit.hu
Tue, 13 Jul 2004 16:15:57 -0400


Hello,

I have compiled syslog-ng (latest ver syslog-ng 1.6.4) on AIX 5.1 and have configured the client to send sudo logs to the centralized server. The network part is working fine, and I know my binary compiled OK.

In addition to sudo activity logging I was going to send logs produced by the other daemon, sudoscriptd, which logs all root shell activities to some predefined file on the same server (for testing), and later I will send it too. In my case: /var/log/sudoscript. I was going to centralize this one as well, but for now I can't figure out why syslog-ng is NOT READING from the source file.

Also, I was trying: source sudo_scr {pipe("/var/log/sudoscript"); }; - with no success.

PLEASE HELP!


##HERE IS MY syslog-ng.conf####
#cat syslog-ng.conf
options { sync (0);
          mark (10);
          time_reopen (10);
          log_fifo_size (2000);
          long_hostnames (off);
          use_dns (no);
          use_fqdn (no);
          create_dirs (no);
          keep_hostname (yes);
        };
source sys { unix-dgram("/dev/log" ); internal(); };  # STANDARD stuff. This works.
source sudo_scr { file("/var/log/sudoscript"); };     # THIS IS THE FILE WHICH GROWS as sudoscript writes to it.
                                                      # syslog-ng CAN'T READ from it.

destination internal_1 { file("/var/log/sudologs/sudolog"); };  # THIS IS A TEMP. DESTINATION FILE (EMPTY?)

destination host01 { tcp("1.5.7.15" port(514)); };  # THIS IS THE WORKING PART TOO
filter f_sudo { facility(local2); };


log { source(sudo_scr); destination(internal_1); };    # THIS IS THE NOT WORKING PART

log { source(sys); filter(f_sudo); destination(host01); };  # THIS PART IS WORKING
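As an added diagnostic (not from the original post and not part of syslog-ng), the POSIX shell script below checks the two file() paths in the configuration above: the static preconditions, including that create_dirs(no) means the destination directory must already exist, and a live probe that appends a uniquely tagged line to the source and waits for it to arrive at the destination, which separates "syslog-ng read the file once at startup" from "syslog-ng is following the growing file". The default paths are the posted ones; the function and tag names are my own.

```shell
#!/bin/sh
# Added diagnostic for the file() source -> file() destination path in the
# post above; not part of syslog-ng or of the original message.
# Default paths are the ones in the posted configuration.

# Static preconditions: the file() source must exist and be readable, and
# with create_dirs(no) the destination directory must already exist and be
# writable, otherwise the destination file is never created (stays "empty").
check_file_path() {
    src="$1"; dst="$2"; rc=0
    if [ ! -f "$src" ]; then echo "source $src: no such regular file"; rc=1
    elif [ ! -r "$src" ]; then echo "source $src: not readable"; rc=1
    fi
    dstdir=$(dirname "$dst")
    if [ ! -d "$dstdir" ]; then
        echo "destination dir $dstdir: missing (create_dirs(no) will not create it)"; rc=1
    elif [ ! -w "$dstdir" ]; then
        echo "destination dir $dstdir: not writable"; rc=1
    fi
    return $rc
}

# Live probe: append one tagged line to the source and wait for it at the
# destination. Run this while syslog-ng is up; the tag uses the shell PID so
# it is unique per run without needing a non-portable date format on AIX.
probe_file_path() {
    src="$1"; dst="$2"; wait="${3:-15}"
    tag="syslog-ng-probe-$$"
    printf '%s probe line\n' "$tag" >> "$src" || return 2
    i=0
    while [ "$i" -lt "$wait" ]; do
        if [ -f "$dst" ] && grep -q "$tag" "$dst"; then
            echo "probe $tag reached $dst after ${i}s"; return 0
        fi
        sleep 1; i=$((i + 1))
    done
    echo "probe $tag not seen in $dst within ${wait}s"; return 1
}

# Usage: sh thisscript.sh check [SRC DST]   or   sh thisscript.sh probe [SRC DST [SECONDS]]
case "${1:-}" in
    check) check_file_path "${2:-/var/log/sudoscript}" "${3:-/var/log/sudologs/sudolog}" ;;
    probe) probe_file_path "${2:-/var/log/sudoscript}" "${3:-/var/log/sudologs/sudolog}" "${4:-15}" ;;
esac
```

If the check passes but the probe never arrives, the file() driver is not following the file; if the check fails on the destination directory, create /var/log/sudologs by hand or set create_dirs(yes).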
