[syslog-ng] Error parsing conf file?

Zb Indelak zb.indelak at telus.com
Thu Jun 30 21:27:20 CEST 2005


Here's my complete syslog-ng.conf file.  It only has a single reference to each destination.

---syslog-ng.conf---
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# 20000925 gb at sysfive.com
#
# Updated by Frank Crawford (<Frank.Crawford at ac3.com.au>) - 10 Aug 2002
#       - for Red Hat 7.3
#       - totally do away with klogd
#       - add message "kernel:" as is done with klogd.
#
# Updated by Frank Crawford (<Frank.Crawford at ac3.com.au>) - 22 Aug 2002
#       - use the log_prefix option as per Balazs Scheidler's email
#

# Global options; these apply to every source and destination below unless a
# statement overrides them locally.
options {
          # Seconds to wait before re-opening a broken connection.
          time_reopen (10);
          # Number of messages that may queue per destination.
          log_fifo_size (1000);
          # NOTE(review): long_hostnames is, as far as I know, the older name for
          # chain_hostnames; it is set to "off" here and chain_hostnames to "yes"
          # a few lines down, so the two settings conflict. Confirm which one the
          # running version honours.
          long_hostnames (off);
          # No DNS lookups on received messages: senders are recorded by address
          # and logging does not depend on a resolver.
          use_dns (no);
          use_fqdn (no);
          # Missing directories in a destination path are created automatically.
          create_dirs (yes);
          # Permissions for directories and files that syslog-ng creates.
          # NOTE(review): 0644 makes every file() destination without its own
          # perm() world-readable, including /var/log/secure and the NSM inbox
          # files. Consider a tighter global value or a per-destination perm().
          dir_perm (0755);
          perm(0644);
          chain_hostnames(yes);
          # Do not trust the hostname field supplied inside the message.
          keep_hostname (no);
          # Time macros ($MONTH, $DAY, ...) use the time of receipt, not the
          # timestamp claimed by the sender.
          use_time_recvd(yes);
          # Idle destination files are closed after this many seconds.
          time_reap(1);
        };

# Network listener: accepts syslog on port 514 over both UDP and TCP, bound to
# every local interface (0.0.0.0).
# NOTE(review): nothing in this file limits who may send. Plain syslog carries
# no sender authentication and a UDP source address can be forged, so access
# to this port should be restricted outside syslog-ng (host firewall / ACL),
# or ip() bound to a management interface only.
source remote {
        udp(ip(0.0.0.0) port(514));
        tcp(ip(0.0.0.0) port(514));
};

# Messages generated on this host.
source local {
        # Kernel messages read directly from /proc/kmsg (no klogd), tagged with
        # a "kernel: " prefix.
        pipe ("/proc/kmsg" log_prefix("kernel: "));
        # The local syslog socket used by applications.
        unix-stream ("/dev/log");
        # syslog-ng's own internal messages.
        internal();
};

# Local destinations mirroring the classic Red Hat syslog layout. None of them
# sets its own perm(), so the global perm(0644) applies to all of them.
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
# NOTE(review): authpriv data ends up world-readable under the global
# perm(0644); a per-destination perm() on this file would be appropriate.
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
# Writes to the terminal of every logged-in user.
destination d_mlal { usertty("*"); };
# SDW Inbox destinations start here
# Each file name embeds $MONTH$DAY$HOUR$MIN, so a new file is started for every
# minute in which a message arrives. With use_time_recvd(yes) in the options
# block the macros are expanded from the receive time.
destination d_alcatel { file("/var/nsm/inbox/switch/alcatel/7450/syslog/alcatel-$MONTH$DAY$HOUR$MIN"); };
destination d_arbor { file("/var/nsm/inbox/nids/arbor_networks/peakflow_dos/2.5/syslog/arbor-$MONTH$DAY$HOUR$MIN"); };
destination d_nortel { file("/var/nsm/inbox/switch/nortel/passport_8600/syslog/nortel-$MONTH$DAY$HOUR$MIN"); };
destination d_juniper { file("/var/nsm/inbox/oslog/juniper/junos/6.4/syslog/juniper-$MONTH$DAY$HOUR$MIN"); };
destination d_pix { file("/var/nsm/inbox/fw/cisco/pix/6.0/syslog/pix-$MONTH$DAY$HOUR$MIN"); };
destination d_ios { file("/var/nsm/inbox/router/cisco/ios/12.0/syslog/ios-$MONTH$DAY$HOUR$MIN"); };
destination d_snort { file("/var/nsm/inbox/nids/snort.org/snort/1.9/syslog/snort-$MONTH$DAY$HOUR$MIN"); };
destination d_netscreen { file("/var/nsm/inbox/fw/netscreen/netscreen/syslog/netscreen-$MONTH$DAY$HOUR$MIN"); };
destination d_neoteris { file("/var/nsm/inbox/fw/netscreen/neoteris/3.2/syslog/neoteris-$MONTH$DAY$HOUR$MIN"); };
destination d_solaris { file("/var/nsm/inbox/oslog/sun/solaris/7/syslog/solaris-$MONTH$DAY$HOUR$MIN"); };
destination d_gnu { file("/var/nsm/inbox/oslog/gnu/tools/syslog/gnu-$MONTH$DAY$HOUR$MIN"); };
destination d_tripwire { file("/var/nsm/inbox/hids/tripwire/tripwire_for_servers/3/syslog/tripwire-$MONTH$DAY$HOUR$MIN"); };
destination d_sidewinder { file("/var/nsm/inbox/fw/secure_computing/sidewinder/g2/syslog/sidewinder-$MONTH$DAY$HOUR$MIN"); };
destination d_dragon { file("/var/nsm/inbox/nids/enterasys/dragon/6.0/syslog/dragon-$MONTH$DAY$HOUR$MIN"); };
# Forwards to another collector over plain TCP.
# NOTE(review): this link is neither encrypted nor authenticated; if it crosses
# an untrusted network, carry it inside a protected tunnel.
destination d_catchall { tcp("154.11.193.8" port(514)); };
# Debug dump, hourly file name.
# NOTE(review): /var/tmp is normally writable by every local user and the file
# name is predictable; a directory writable only by the syslog-ng user would be
# safer for a daemon that runs as root.
destination d_dump { file("/var/tmp/dump-$MONTH$DAY$HOUR"); };


# Filters for locally generated messages, selected by facility and level.
filter f_filter1     { facility(kern); };
# NOTE(review): level(info) names a single level, not "info and above" as the
# classic "*.info" selector does; a range (e.g. level(info..emerg)) would be
# needed to also catch warnings and errors. The same applies to level(crit) in
# f_filter6. Confirm against the intended policy.
filter f_filter2     { level(info) and
                     not (facility(mail) or
                     facility(authpriv) or
                     facility(cron)); };
filter f_filter3     { facility(authpriv); };
filter f_filter4     { facility(mail); };
filter f_filter5     { level(emerg); };
filter f_filter6     { facility(uucp) or
                     (facility(news) and level(crit)); };
filter f_filter7     { facility(local7); };
filter f_filter8     { facility(cron); };
# Filters for NSM supported products start here
# Most of these classify by text found in the message (match) or by the
# program name (program), not by the sending host. Any sender that can reach
# the remote source can therefore choose which inbox its messages land in by
# including the right keyword; host()-based filters, as in the commented-out
# examples below, tie the classification to the source address instead.
filter f_pix         { match(PIX); };
filter f_tripwire    { match(tripwire); };
filter f_snort       { program(snort); };
filter f_netscreen   { match(NetScreen); };
filter f_neoteris    { match(Neoteris); };
# NOTE(review): this is identical to f_neoteris and looks like a copy-paste
# leftover. As written, Neoteris messages are also selected for the Arbor
# inbox and no Arbor-specific pattern exists. Replace with the real pattern.
filter f_arbor    { match(Neoteris); };
filter f_alcatel    { match(TMNX) and (match(login) or match(logout)); };
filter f_juniper   { match("LOGIN_") or match("ASP_") or match("UI_") ; };
# Matches a bracketed "[dd/dd/dd dd:dd:dd]" timestamp anywhere in the message.
filter f_nortel    { match("\\[[[:digit:]]{2}/[[:digit:]]{2}/[[:digit:]]{2} [[:digit:]]{2}:[[:digit:]]{2}:[[:digit:]]{2}\\]"); };
#filter f_nortel_test    { match("\\[[[:digit:]]{2}/[[:digit:]]{2}/[[:digit:]]{2} [[:digit:]]{2}:[[:digit:]]{2}:[[:digit:]]{2}\\]"); };
# IOS filter is IP address/hostname based, customize for your network
# NOTE(review): despite the line above, the active filter is content based: it
# selects any message containing "%" that does not contain "PIX", which is
# broad enough to overlap with the other product filters.
filter f_ios         { match(%) and not match(PIX); };
# Solaris  filter is IP address/hostname based, customize for your network
#filter f_solaris     { host("192\.168\.101\.2"); };
# GNU filter is IP address/hostname based, customize for your network
#filter f_gnu         { host("192\.168\.101\.3"); };
# Sidewinder filter is IP address/hostname based, customize for your network
#filter f_sidewinder  { host("192\.168\.101\.4"); };
# Dragon filter is IP address/hostname based, customize for your network
#filter f_dragon             { host("192\.168\.101\.5"); };
#filter f_only_printable_chars  { match("^[[\s!-~]]*$"); };
# Accepts a message only if it consists entirely of printable characters, so
# messages carrying control or other non-printable bytes are kept out of the
# inboxes. NOTE(review): the pattern is unquoted, unlike the commented-out
# variant above; confirm the parser reads it as intended.
filter f_only_printable_chars   { match(^[[:print:]]*$); };
filter f_troubleshoot   { host("207\.229\.63\.39"); };
filter f_test { match(TEST); };

# Log paths for locally generated messages.
# NOTE(review): the commented-out line below refers to source s_sys, which is
# not defined in this file (the local source is named "local").
#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(local); filter(f_filter2); destination(d_mesg); };
log { source(local); filter(f_filter3); destination(d_auth); };
log { source(local); filter(f_filter4); destination(d_mail); };
log { source(local); filter(f_filter5); destination(d_mlal); };
log { source(local); filter(f_filter6); destination(d_spol); };
log { source(local); filter(f_filter7); destination(d_boot); };
log { source(local); filter(f_filter8); destination(d_cron); };
# Log NSM supported devices to the correct inbox
# Every remote path first requires f_only_printable_chars and then a product
# filter. No path sets flags(final), so a message is delivered by every path
# whose filters it satisfies: one that matches several product filters is
# written to several inboxes, and every printable remote message is also
# forwarded by the d_catchall path. Because f_arbor and f_neoteris use the same
# pattern, the d_arbor and d_neoteris paths select the same messages.
# Remote messages that fail f_only_printable_chars are not written or
# forwarded by any active path.
log { source(remote); filter(f_only_printable_chars); filter(f_pix); destination(d_pix); };
log { source(remote); filter(f_only_printable_chars); filter(f_ios); destination(d_ios); };
log { source(remote); filter(f_only_printable_chars); filter(f_snort); destination(d_snort); };
log { source(remote); filter(f_only_printable_chars); filter(f_netscreen); destination(d_netscreen); };
log { source(remote); filter(f_only_printable_chars); filter(f_neoteris); destination(d_neoteris); };
log { source(remote); filter(f_only_printable_chars); filter(f_tripwire); destination(d_tripwire); };
log { source(remote); filter(f_only_printable_chars); filter(f_arbor); destination(d_arbor); };
#log { source(remote); filter(f_arbor); destination(d_arbor); };
log { source(remote); filter(f_only_printable_chars); filter(f_juniper); destination(d_juniper); };
#log { source(remote); filter(f_juniper); destination(d_juniper); };
log { source(remote); filter(f_only_printable_chars); filter(f_alcatel); destination(d_alcatel); };
log { source(remote); filter(f_only_printable_chars); filter(f_nortel); destination(d_nortel); };
# Forward everything printable from the network to the upstream collector.
log { source(remote); filter(f_only_printable_chars); destination(d_catchall); };
#log { source(remote); destination(d_dump); };
#log { source(remote); filter(f_sidewinder); destination(d_sidewinder); };
#log { source(remote); filter(f_only_printable_chars); filter(f_dragon); destination(d_dragon); };
#log { source(remote); destination(d_catchall); };
#log { source(remote); filter(f_solaris); destination(d_solaris); };
#log { source(remote); filter(f_gnu); destination(d_gnu); };

# Use the following line for testing only and clean up /var/tmp/dump when done
#log { source(remote); destination(d_dump); };
#log { source(remote); filter(f_troubleshoot); destination(d_dump); };
#log { source(remote); filter(f_only_printable_chars); destination(d_dump); };
#log { source (local); filter(f_only_printable_chars); filter(f_nortel_test); destination(d_dump); };
#log { source(local); filter(f_test); destination(d_dump); };

---end syslog-ng.conf---

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Thursday, June 30, 2005 3:16 AM
To: Syslog-ng users' and developers' mailing list
Subject: RE: [syslog-ng] Error parsing conf file?


On Thu, 2005-06-30 at 11:07 +0200, Balazs Scheidler wrote:
> On Tue, 2005-06-28 at 09:46 -0600, Zb Indelak wrote:

> > *** Problems start here ***
> > syslog-ng 1651 root   82w   REG    8,8    489 5216302 /var/nsm/inbox/router/cisco/ios/12.0/syslog/ios-06280843
> > syslog-ng 1651 root   83w   REG    8,8    489 5216302 /var/nsm/inbox/router/cisco/ios/12.0/syslog/ios-06280843
> > [root at simda02 NSM]# ps -ef|grep syslog
> > root      1651     1  0 15:36 ?        00:00:01 ./syslog-ng -f /etc/syslog-ng/syslog-ng.conf
> > root      1682  1508  0 15:39 pts/2    00:00:00 grep syslog
> > [root at simda02 NSM]# kill -9 1651
> > [root at simda02 NSM]# echo;date;lsof +d 
> > /var/nsm/inbox/router/cisco/ios/12.0/syslog
> > 
> 
> This seems to be an unrelated issue that it opens the same file 
> multiple times. This is no good. I'll look into this as well.
> 

I don't really see how syslog-ng could open the same file twice, unless you had multiple file() destinations which refer to the same file. Is that the case? (Judging by your posted configuration, it is not, but maybe you did not copy-paste your complete config.)

-- 
Bazsi

_______________________________________________
syslog-ng maillist  -  syslog-ng at lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html


