Antw: [syslog-ng]syslog on HP-UX 11

Stephan Hendl syslog-ng@lists.balabit.hu
Wed, 10 Nov 2004 09:44:07 +0100



Hi, 
 
Your source line should look like this:
 
source s_sys { pipe("/dev/log" pad_size(2048)); internal(); }; 
 
The pad_size is important (see the manual and the FAQ). 
 
Stephan 
 
>>>Olivia.Leonard@davy.ie 11/04 12:13 pm >>> 
 
Hi 
I have set up a central logging server using syslog-ng (on Solaris 8) -
all the Solaris servers, Windows servers, and routers are logging to it
with no big issues. 
I want to get an HP-UX box logging to it and it's proving difficult.
Initially I installed syslog-ng 1.5.8 from a depot and it sent only a
startup message to the central server but none of the other messages
such as logins, su and so on. 
So I tried getting it to log to it using its own native syslog - it
just won't log anything. It resolves loghost and gives no errors on
startup/restart but it just doesn't log anything (even though my central
server listens on UDP 514 and gets messages from routers/switches). 
Could anyone help me out with this? Attached are both my syslog.conf
and my syslog-ng.conf. 
Thanks
Olivia 
**********************************************************************************************************************************************************************

/etc/syslog.conf
#
mail.debug              /var/adm/syslog/mail.log
#*.info;mail.none       /var/adm/syslog/syslog.log
#*.alert                        /dev/console
#*.alert                        root
#*.emerg                        *
*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;*.debug  @loghost
#
***********************************************************************************************************************************************************************

/opt/syslog_ng/etc/syslog-ngsyslog-ng.conf 
options { sync (0);
          time_reopen (10);
          log_fifo_size (1000);
          long_hostnames (off);
          use_dns (no);
          use_fqdn (no);
          create_dirs (no);
          keep_hostname (yes);
        }; 
source src {unix-stream("/dev/log"); internal(); }; 
destination everything {file("/home/leonarol/logfile"); }; 
## set up logging to loghost
destination loghost {
        tcp("172.16.117.170" port(5140));
}; 

filter f_ssh_login_attempt {
        program("sshd.*")
        and match("(Failed|Accepted)")
        and not match("Accepted (hostbased|publickey)");
}; 
filter f_emergency { level(emerg); };
filter f_alert { level(alert); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_warn { level(warn); };
filter f_notice { level(notice); };
filter f_info { level(info); }; 
log { source(src); filter(f_emergency); destination(everything); };
log { source(src); filter(f_alert); destination(everything); };
log { source(src); filter(f_crit); destination(everything); };
log { source(src); filter(f_err); destination(everything); };
log { source(src); filter(f_warn); destination(everything); };
log { source(src); filter(f_notice); destination(everything); };
log { source(src); filter(f_info); destination(everything); }; 
log { source(src); filter(f_emergency); destination(loghost); };
log { source(src); filter(f_alert); destination(loghost); };
log { source(src); filter(f_crit); destination(loghost); };
log { source(src); filter(f_err); destination(loghost); };
log { source(src); filter(f_warn); destination(loghost); };
log { source(src); filter(f_notice); destination(loghost); };
log { source(src); filter(f_info); destination(loghost); }; 
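
Why the block size in the reply matters, as an added example that is not part of the original thread and is not syslog-ng's code: the syslog-ng manual describes HP-UX as padding every message written to /dev/log to a block boundary, so a reader has to consume whole 2048-byte blocks to find message boundaries. The NUL padding byte, the function names and the two sample records are assumptions constructed for illustration.

```python
import io

PAD_SIZE = 2048  # block size taken from pad_size(2048) in the reply

def read_padded_records(stream, pad_size=PAD_SIZE):
    """Yield one message per fixed-size block read from a pipe-like stream."""
    while True:
        block = stream.read(pad_size)
        if not block:
            return
        if len(block) < pad_size:
            raise ValueError("short block: reader is out of step with the writer")
        # Assumption: the padding that follows the message text is NUL bytes.
        msg = block.split(b"\x00", 1)[0].rstrip(b"\n")
        if msg:
            yield msg.decode("ascii", "replace")

def parse_pri(msg):
    """Split '<PRI>text' into (facility, severity, text)."""
    if not msg.startswith("<") or ">" not in msg[:5]:
        return None, None, msg
    pri, text = msg[1:].split(">", 1)
    if not pri.isdigit():
        return None, None, msg
    return int(pri) >> 3, int(pri) & 7, text

def pad(msg, pad_size=PAD_SIZE):
    """Build a constructed record: message text followed by NUL padding."""
    raw = msg.encode("ascii")
    return raw + b"\x00" * (pad_size - len(raw))

# Constructed sample input: two padded records written back to back.
SAMPLE = (pad("<38>sshd[1234]: Accepted password for alice")
          + pad("<37>su: + tty?? root-alice"))

def framed():
    """Block-aware reader: one (facility, severity, text) tuple per record."""
    return [parse_pri(m) for m in read_padded_records(io.BytesIO(SAMPLE))]

def naive_readline_len():
    """Line-oriented reader: no newline delimiter exists in the sample,
    so both records and all padding come back as a single 'line'."""
    return len(io.BytesIO(SAMPLE).readline())

if __name__ == "__main__":
    for record in framed():
        print(record)
    print("naive readline returned", naive_readline_len(), "bytes")
```
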

