[syslog-ng] missing logs when forwarded from one syslog-ng to another syslog-ng

Arnold Wang arnold.wang at inovis.com
Tue Aug 9 23:08:13 CEST 2005


I have two syslog-ng servers configured: one in the DMZ, for devices
outside the firewall to send logs to, and another one in the LAN. The logs sent
to the DMZ one will be forwarded to the LAN one; at least that's my
original idea. However, the forwarding seems very unstable. Some
of the logs that appeared in the DMZ one did not show up in the LAN one.
For example, I just did a test from two routers outside the firewall, and
two logs were generated on the DMZ log server:
[root@rcarhlp01 qwestdia1]# tail -1 qwestdia1.log
Aug  9 13:30:25 qwestdia1 128: *Apr 28 06:56:48: %SYS-5-CONFIG_I: Configured from console by vty0 (204.146.209.151)
[root@rcarhlp01 qwestdia1]# tail -1 ../qwestdia2/qwestdia2.log
Aug  9 13:30:59 qwestdia2 46: *Apr 28 06:57:24: %SYS-5-CONFIG_I: Configured from console by vty0 (204.146.209.151)

However, I only saw one in the LAN log server:

[root@rcarhlp02 qwestdia1]# tail -1 qwestdia1.log
Aug  8 16:18:39 qwestdia1 127: *Apr 27 09:35:42: %SYS-5-CONFIG_I: Configured from console by vty0 (204.146.209.248)
** This is still the one from last night **
[root@rcarhlp02 qwestdia1]# tail -1 ../qwestdia2/qwestdia2.log
Aug  9 13:30:59 qwestdia2 46: *Apr 28 06:57:24: %SYS-5-CONFIG_I: Configured from console by vty0 (204.146.209.151)

My configurations on both machines are like the following:
---- Configuration for LAN server --------
[root@rcarhlp02 syslog-ng]# more syslog-ng.conf
options { sync (0);
          time_reopen (10);
          log_fifo_size (1000);
          long_hostnames (off);
          use_dns (yes);
          use_fqdn (no);
          create_dirs (no);
          keep_hostname (yes);
        };

source s_slng { internal(); };
source s_tcp { tcp(port (5140) tcp-keep-alive(yes)); };
source s_udp { udp(port (514)); };

destination d_slng { file("/var/syslog-ng/syslog-ng.log"); };
destination d_file { file("/var/syslog-ng/HOSTS/$HOST/$HOST.log" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
destination d_mysql {
        pipe("/var/syslog-ng/mysql.pipe"
        template("INSERT INTO logs
                (host, facility, priority, level, tag, datetime, program, msg)
                VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
                '$PROGRAM', '$MSG' );\n") template-escape(yes));
};

log { source(s_slng); destination(d_slng); };
log { source(s_tcp); source(s_udp); destination(d_file); destination(d_mysql); };
#log { source(s_tcp); destination(d_mysql); };
#log { source(s_udp); destination(d_file); };
#log { source(s_udp); destination(d_mysql); };

# vim: syntax=syslog-ng
[root@rcarhlp02 syslog-ng]#

----- Configuration for DMZ server ---------
[root@rcarhlp01 syslog-ng]# more syslog-ng.conf
options { sync (0);
          time_reopen (10);
          log_fifo_size (1000);
          long_hostnames (off);
          use_dns (yes);
          use_fqdn (no);
          create_dirs (no);
          keep_hostname (yes);
        };

source s_udp { udp(port(514)); };
source s_slng { internal(); };

destination d_slng { file("/var/syslog-ng/syslog-ng.log"); };
destination d_local { file("/var/syslog-ng/HOSTS/$HOST/$HOST.log" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
destination d_remote { tcp("10.17.2.146" port(5140) tcp-keep-alive(yes)); };

log { source(s_udp); destination(d_local); destination(d_remote); };
#log { source(s_udp); destination(d_remote); };
log { source(s_slng); destination(d_slng); };

# vim: syntax=syslog-ng
[root@rcarhlp01 syslog-ng]#
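
Added example, not part of the original post: the manual tail -1 comparison above, extended to every host and every line, so that all messages the DMZ server logged but the LAN server never wrote are listed. It assumes copies of each server's /var/syslog-ng/HOSTS tree are available locally and that a relayed line is written identically on both servers, as the qwestdia2 line in the post is; the function names are hypothetical.

```python
import tempfile
from collections import Counter
from pathlib import Path

def read_lines(path):
    """Non-empty lines of a log file; an absent file counts as no lines."""
    if not path.is_file():
        return []
    return [ln for ln in path.read_text(errors="replace").splitlines() if ln.strip()]

def missing_on_lan(dmz_root, lan_root):
    """Map host -> lines logged under dmz_root that are absent under lan_root.

    Both roots follow the HOSTS/$HOST/$HOST.log layout of the posted configs.
    Counter subtraction is a multiset difference, so a line the DMZ server
    logged twice but the LAN server logged once is still reported once.
    """
    report = {}
    for host_dir in sorted(Path(dmz_root).iterdir()):
        if not host_dir.is_dir():
            continue
        host = host_dir.name
        dmz = Counter(read_lines(host_dir / f"{host}.log"))
        lan = Counter(read_lines(Path(lan_root) / host / f"{host}.log"))
        lost = dmz - lan
        if lost:
            report[host] = sorted(lost.elements())
    return report

# Log lines taken from the post (re-joined); the directory trees are constructed.
OLD = "Aug  8 16:18:39 qwestdia1 127: *Apr 27 09:35:42: %SYS-5-CONFIG_I: Configured from console by vty0 (204.146.209.248)"
NEW1 = "Aug  9 13:30:25 qwestdia1 128: *Apr 28 06:56:48: %SYS-5-CONFIG_I: Configured from console by vty0 (204.146.209.151)"
NEW2 = "Aug  9 13:30:59 qwestdia2 46: *Apr 28 06:57:24: %SYS-5-CONFIG_I: Configured from console by vty0 (204.146.209.151)"

def demo():
    """Build throwaway DMZ and LAN trees mirroring the post, then compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        trees = {"dmz": {"qwestdia1": [OLD, NEW1], "qwestdia2": [NEW2]},
                 "lan": {"qwestdia1": [OLD], "qwestdia2": [NEW2]}}
        for side, hosts in trees.items():
            for host, lines in hosts.items():
                d = Path(tmp, side, host)
                d.mkdir(parents=True)
                (d / f"{host}.log").write_text("\n".join(lines) + "\n")
        return missing_on_lan(Path(tmp, "dmz"), Path(tmp, "lan"))

if __name__ == "__main__":
    for host, lines in demo().items():
        print(f"{host}: {len(lines)} line(s) missing on LAN")
        for ln in lines:
            print("  " + ln)
```

Run periodically against both trees, the per-host report shows whether the loss is tied to particular senders or time windows.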

