[syslog-ng] logging of auth-priv

Bill Nash billn at bacchus.billn.net
Thu Jan 12 18:28:13 CET 2006


As a test case, I'd recommend adding a file destination so you can 
interactively tail the file to test your delivery. Once you have that in 
place, force authpriv traffic generation on your source hosts and verify 
that it's arriving at your collector.

A la:
destination test { file("/tmp/foo"); };
log{ source(s_udpmessages); destination(test); };

If you don't see it arrive using a simple configuration like this, 
supplement your diagnosis with `tcpdump udp port 514` and repeat traffic 
generation. If you still don't see the packet arrive, repeat the tcpdump 
step on the device sending the log entry, and verify that the syslogd is 
sending it out.

If your collector has multiple network addresses/interfaces, verify that 
syslog-ng is listening on the address you're expecting to see it on 
(`netstat -plan | grep 514`)

Other things that could prevent delivery include network ACLs, iptables 
firewall rules, and sunspots.

- billn

On Thu, 12 Jan 2006, Peter Koinange wrote:

>
> I have included my config
>
> On Thursday 12 January 2006 20:11, Peter Koinange wrote:
>> I have a very basic setup at the moment for the syslog-ng server; I am
>> just writing everything I get to the database regardless of the
>> facility/severity combination, since the database can be checked for
>> specific details
>>
>> k
> source src {unix-stream("/dev/log");
>              pipe("/proc/kmsg");
>              internal();};
> source s_udpmessages { udp(); };
>
> destination d_mysql { pipe("/var/log/mysql.pipe" template("INSERT INTO logs
> (host, facility, priority, level, tag, datetime, program, msg)
> VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG',
> '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n")
> template-escape(yes)); };
> log { source(src); destination(d_mysql); };
> log { source(s_udpmessages); destination(d_mysql); };
>
>
>>
>> On Thursday 12 January 2006 20:00, Bill Nash wrote:
>>> This is kind of a silly question, but did you bounce the syslogd after
>>> you made that config change? Assuming you're sending this to a syslog-ng
>>> daemon as a central collection source, where is the syslog-ng daemon
>>> configured to place logs for that facility/severity combination?
>>>
>>> - billn
>>>
>>>> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
>>>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>>>
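The delivery test described above (file destination, forced authpriv traffic, tcpdump, netstat), scripted as an added example; this is not code from the original posts. It assumes a collector address in COLLECTOR (default 127.0.0.1), UDP port 514, the /tmp/foo file destination from the snippet above, `nc` with `-u` and `-w` for sending, and `netstat -ulpn`-style output for the listener check; facility and severity numbers are the RFC 3164 values.

```sh
#!/bin/sh
# Added example, not from the original thread. Assumed: COLLECTOR/PORT/TESTFILE
# below, `nc -u -w 1` for sending, and netstat-style output for the listener check.
COLLECTOR="${COLLECTOR:-127.0.0.1}"
PORT="${PORT:-514}"
TESTFILE="${TESTFILE:-/tmp/foo}"

# Facility/severity names to RFC 3164 numbers (authpriv is 10, notice is 5).
facility_num() {
  case "$1" in
    kern) echo 0;; user) echo 1;; mail) echo 2;; daemon) echo 3;;
    auth) echo 4;; syslog) echo 5;; lpr) echo 6;; news) echo 7;;
    uucp) echo 8;; cron) echo 9;; authpriv) echo 10;; ftp) echo 11;;
    local[0-7]) echo $(( 16 + ${1#local} ));;
    *) return 1;;
  esac
}
severity_num() {
  case "$1" in
    emerg) echo 0;; alert) echo 1;; crit) echo 2;; err) echo 3;;
    warning) echo 4;; notice) echo 5;; info) echo 6;; debug) echo 7;;
    *) return 1;;
  esac
}

# PRI = facility * 8 + severity, so authpriv.notice is <85>.
syslog_pri() {
  f=$(facility_num "$1") || return 1
  s=$(severity_num "$2") || return 1
  echo $(( f * 8 + s ))
}

# Reverse mapping, for reading the <PRI> seen in `tcpdump -A udp port 514`.
pri_decode() {
  f=$(( $1 / 8 )); s=$(( $1 % 8 ))
  if [ "$f" -le 11 ]; then
    set -- kern user mail daemon auth syslog lpr news uucp cron authpriv ftp
    shift "$f"; fac=$1
  elif [ "$f" -ge 16 ] && [ "$f" -le 23 ]; then
    fac="local$(( f - 16 ))"
  else
    fac="facility$f"   # 12-15 are reserved
  fi
  set -- emerg alert crit err warning notice info debug
  shift "$s"; echo "$fac.$1"
}

# Build a classic BSD syslog line: <PRI>Mmm dd hh:mm:ss host tag: msg
build_msg() {
  pri=$(syslog_pri "$1" "$2") || return 1
  printf '<%s>%s %s %s: %s' "$pri" "$(date '+%b %e %H:%M:%S')" "$(uname -n)" "$3" "$4"
}

# Read `netstat -ulpn` output on stdin and succeed only if a UDP socket is
# bound to ADDR:PORT, or to the wildcard address on PORT.  This is the
# multi-homed collector check from the post, made mechanical.
udp_listener_on() {
  awk -v want="$1:$2" -v port="$2" '
    ($1 ~ /^udp/ || $1 == "UNCONN") &&
    ($4 == want || $4 == ("0.0.0.0:" port) || $4 == (":::" port) || $4 == ("*:" port)) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Force one authpriv message at the collector and look for it in the file
# destination; a unique token ($$) keeps the grep unambiguous.
send_test() {
  token="syslog-ng delivery test $$"
  build_msg authpriv notice syslog-ng-test "$token" | nc -u -w 1 "$COLLECTOR" "$PORT"
  sleep 1
  grep -F "$token" "$TESTFILE"
}

case "${1:-}" in
  send)   send_test ;;
  listen) netstat -ulpn 2>/dev/null | udp_listener_on "$COLLECTOR" "$PORT" \
            && echo "listening on $COLLECTOR:$PORT" || echo "no UDP listener on $COLLECTOR:$PORT" ;;
esac
```

Run `sh delivery-test.sh listen` on the collector first, then `COLLECTOR=10.0.0.5 sh delivery-test.sh send` from a source host; if the grep prints nothing, move to tcpdump on the collector and then on the sender, as the post suggests. The message is sent with nc rather than logger so that the facility in the PRI is exactly what you chose, independent of the sending host's own syslogd configuration.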

