[syslog-ng]Loghost can't see its own syslogs

Doug Hanks syslog-ng@lists.balabit.hu
Thu, 30 Sep 2004 15:14:41 -0700


Same thing - no local output.  I'm using AIX 5.2


On Mon, 27 Sep 2004 11:53:31 -0500, Dave Johnson <davejjohnson@gmail.com> wrote:
> What happens if you have the most basic syslog-ng.conf file with something like:
> 
> source test { unix-stream("/dev/log"); };
> destination debug { file("/usr/logs/syslog/messages.debug"); };
> log { source(test); destination(debug); };
> 
> -----
> 
> Does it log through logger?  What OS are you using?
> 
> 
> 
> 
> On Sun, 26 Sep 2004 14:20:28 -0700, Doug Hanks <dhanks@gmail.com> wrote:
> > Hello,
> >
> > I have an interesting problem.  I have a loghost with the servername
> > of FFLOGSVR.  Everything works wonderfully except that FFLOGSVR isn't
> > logging its own logs.  When I perform the command "logger FFLOGSVR" I
> > do not see an entry in my syslog.
> >
> > I have attached my syslog-ng.conf for review.
> >
> > Thank you in advance,
> >
> > --
> > - Doug Hanks = dhanks(at)gmail(dot)com
> >
> > # Syslog-ng (new generation) configuration file
> > # syslog.conf by Doug Hanks 9/25/04
> >
> > # Global options
> > options {
> >        time_reopen (10);
> >        log_fifo_size (1000);
> >        long_hostnames (on);
> >        use_dns (yes);
> >        use_fqdn (no);
> >        create_dirs(yes);
> >        dns_cache(yes);
> >        keep_hostname(yes);
> > };
> >
> > # Define where the logs come from - udp and /dev/log only
> > source gateway {
> >        unix-stream("/dev/log");
> >        internal();
> >        udp(port(514));
> > };
> >
> > # Define some filters so we can break down the logs by facility
> >
> > filter f_auth { facility(auth); };
> > filter f_syslog { not facility(authpriv, mail); };
> > filter f_cron { facility(cron); };
> > filter f_daemon { facility(daemon); };
> > filter f_kern { facility(kern); };
> > filter f_mail { facility(mail); };
> > filter f_user { facility(user); };
> > filter f_debug { not facility(auth, authpriv, news, mail); };
> > filter f_messages { level(info..warn)
> >        and not facility(auth, authpriv, mail, news); };
> > filter f_emergency { level(emerg); };
> > filter f_info { level(info); };
> > filter f_notice { level(notice); };
> > filter f_warn { level(warn); };
> > filter f_crit { level(crit); };
> > filter f_err { level(err); };
> >
> > # LogWatch
> > filter f_logwatch {
> >        match("su") or
> >        match("ssh") or
> >        match("sudo");
> > };
> >
> > # SU
> > filter f_su_0 {
> >        match("su: from [a-zA-Z0-9]+ to") or # AIX
> >        match("'su [a-zA-Z0-9]+' succeeded for") or # Solaris
> >        match(": su : \+"); # HPUX
> > };
> >
> > filter f_su_1 {
> >        match("su: BAD SU from") or # AIX
> >        match("'su [a-zA-Z0-9]+' failed for") or # Solaris
> >        match(": su : \-"); # HPUX
> > };
> >
> > # SSH
> > filter f_ssh_0 {
> >        match("Accepted [a-zA-Z0-9]+ for") or # AIX, Solaris, and HPUX
> >        match("[a-zA-Z0-9]+ authentication for user [a-zA-Z0-9]+ accepted"); # SAP
> > };
> >
> > filter f_ssh_1 {
> >        match("Failed [a-zA-Z0-9]+ for") or # AIX, Solaris, and HPUX
> >        match("[a-zA-Z0-9]+ authentication for user [a-zA-Z0-9]+ failed"); # SAP
> > };
> >
> > # SUDO
> > filter f_sudo_0 { match("sudo:"); };
> > filter f_sudo_1 {
> >        match("sudo:") and
> >        (
> >                match("command not allowed") or
> >                match("user NOT in sudoers")
> >        );
> > };
> >
> > # Define containers where you want to stuff the logs
> > destination localhost { file("/usr/logs/syslog/messages.all"); };
> > destination loghost {
> >        file("/usr/logs/HOSTS/$HOST/messages"
> >                owner(root) group(root) perm(0600) dir_perm(0700)
> > create_dirs(yes)
> >        );
> > };
> >
> > # Program template for alerts
> > destination fifo_alert {
> >        program("/usr/local/sbin/email-syslog-alert"
> >                template("$HOST:$PROGRAM:$MSG\n")
> >                template-escape(yes)
> >        );
> > };
> >
> > # SU log
> > destination su_0 { file("/usr/logs/syslog/messages.su0"); };
> > destination su_1 { file("/usr/logs/syslog/messages.su1"); };
> >
> > # SSH logs
> > destination ssh_0 { file("/usr/logs/syslog/messages.ssh0"); };
> > destination ssh_1 { file("/usr/logs/syslog/messages.ssh1"); };
> >
> > # SUDO logs
> > destination sudo_0 { file("/usr/logs/syslog/messages.sudo0"); };
> > destination sudo_1 { file("/usr/logs/syslog/messages.sudo1"); };
> >
> > # LogWatch
> > destination logwatch { file("/usr/logs/syslog/logwatch.log"); };
> >
> > # Regular syslogs
> > destination authlog { file("/usr/logs/syslog/messages.auth"); };
> > destination cron { file("/usr/logs/syslog/messages.cron"); };
> > destination daemon { file("/usr/logs/syslog/messages.daemon"); };
> > destination kern { file("/usr/logs/syslog/messages.kern"); };
> > destination lpr { file("/usr/logs/syslog/messages.lpr"); };
> > destination user { file("/usr/logs/syslog/messages.user"); };
> > destination mail { file("/usr/logs/syslog/messages.mail"); };
> > destination debug { file("/usr/logs/syslog/messages.debug"); };
> > destination messages { file("/usr/logs/syslog/messages"); };
> > destination console { file("/dev/console"); };
> >
> > # Bring the sources, filters (if any) together and shove it in a log
> > # (read destination)
> > log { source(gateway); destination(localhost); };
> > log { source(gateway); destination(loghost); };
> >
> > # FIFO alert
> > log { source(gateway); filter(f_su_1); destination(fifo_alert); };
> > log { source(gateway); filter(f_ssh_1); destination(fifo_alert); };
> > log { source(gateway); filter(f_sudo_1); destination(fifo_alert); };
> >
> > # Log SU to roots
> > log { source(gateway); filter(f_su_0); destination(su_0); };
> > log { source(gateway); filter(f_su_1); destination(su_1); };
> >
> > # Log SSH stuff
> > log { source(gateway); filter(f_ssh_0); destination(ssh_0); };
> > log { source(gateway); filter(f_ssh_1); destination(ssh_1); };
> >
> > # Log SUDO stuff
> > log { source(gateway); filter(f_sudo_0); destination(sudo_0); };
> > log { source(gateway); filter(f_sudo_1); destination(sudo_1); };
> >
> > # A master log of SSH, SUDO and SU for LogWatch
> > log { source(gateway); filter(f_logwatch); destination(logwatch); };
> >
> > # Break down the logs further
> > log { source(gateway); filter(f_auth); destination(authlog); };
> > log { source(gateway); filter(f_cron); destination(cron); };
> > log { source(gateway); filter(f_daemon); destination(daemon); };
> > log { source(gateway); filter(f_kern); destination(kern); };
> > log { source(gateway); filter(f_mail); destination(mail); };
> > log { source(gateway); filter(f_user); destination(user); };
> > log { source(gateway); filter(f_debug); destination(debug); };
> > log { source(gateway); filter(f_messages); destination(messages); };
> > log { source(gateway); filter(f_emergency); destination(console); };
> > _______________________________________________
> > syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> >
> >



-- 
- Doug Hanks = dhanks(at)gmail(dot)com
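To see which files and alerts a given line would reach under the quoted syslog-ng.conf, here is an added example (not code from the thread or from syslog-ng itself) that re-implements its match() filters and log {} statements in Python and runs them over constructed sample lines. It assumes match() is tested against the text after the hostname (program name plus message), which is what the config's "su:" and "sudo:" patterns rely on.

```python
import re
# Added example (not from the thread): emulates the match() filters and log {}
# routing of the quoted syslog-ng.conf on constructed lines. Assumption: match()
# sees the text after the hostname (program + message), as "su:"/"sudo:" rely on.
LINE_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (\S+) (.*)$")

# Regexes copied from the config; a filter matches when any one of them does.
MATCH_FILTERS = {
    "f_su_0": [r"su: from [a-zA-Z0-9]+ to", r"'su [a-zA-Z0-9]+' succeeded for", r": su : \+"],
    "f_su_1": [r"su: BAD SU from", r"'su [a-zA-Z0-9]+' failed for", r": su : \-"],
    "f_ssh_0": [r"Accepted [a-zA-Z0-9]+ for", r"[a-zA-Z0-9]+ authentication for user [a-zA-Z0-9]+ accepted"],
    "f_ssh_1": [r"Failed [a-zA-Z0-9]+ for", r"[a-zA-Z0-9]+ authentication for user [a-zA-Z0-9]+ failed"],
    "f_sudo_0": [r"sudo:"],
    "f_logwatch": [r"su", r"ssh", r"sudo"],
}
# Filtered log {} statements in the config: filter -> destinations it feeds.
ROUTES = {
    "f_su_0": ["su_0"], "f_su_1": ["fifo_alert", "su_1"],
    "f_ssh_0": ["ssh_0"], "f_ssh_1": ["fifo_alert", "ssh_1"],
    "f_sudo_0": ["sudo_0"], "f_sudo_1": ["fifo_alert", "sudo_1"],
    "f_logwatch": ["logwatch"],
}

def matches(name, text):
    if name == "f_sudo_1":  # match("sudo:") and (A or B) in the config
        return "sudo:" in text and ("command not allowed" in text or "user NOT in sudoers" in text)
    return any(re.search(p, text) for p in MATCH_FILTERS[name])

def route(line):
    """Return (fifo_alert text or None, sorted destinations) for one syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None, []
    host, rest = m.groups()
    prog = re.split(r"[\[:]", rest, maxsplit=1)[0]         # $PROGRAM
    msg = rest.split(": ", 1)[1] if ": " in rest else rest  # $MSG
    dests = {"localhost", "loghost"}  # the two unfiltered log {} statements
    for name, targets in ROUTES.items():
        if matches(name, rest):
            dests.update(targets)
    alert = f"{host}:{prog}:{msg}\n" if "fifo_alert" in dests else None  # fifo_alert template
    return alert, sorted(dests)

# Constructed sample lines (AIX su, sudo, sshd, cron) to exercise the routing.
SAMPLES = [
    "Sep 30 15:14:41 FFLOGSVR su: BAD SU from doug to root on /dev/pts/0",
    "Sep 30 15:15:02 FFLOGSVR sudo: doug : command not allowed ; TTY=pts/0 ; USER=root ; COMMAND=/usr/bin/id",
    "Sep 30 15:16:10 FFLOGSVR sshd[2112]: Accepted password for doug from 10.0.0.5 port 4022 ssh2",
    "Sep 30 15:17:33 FFLOGSVR cron[440]: (root) CMD (/usr/lib/sa/sa1)",
]
```

Because f_logwatch uses match("su"), an unanchored regex, any message containing the letters "su" (for example "sudo" or "successful") lands in logwatch.log, not only su messages.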