[syslog-ng] Remote SYSLOG-NG logging - can't log from remote
Nate Campi
nate at campin.net
Wed May 3 01:01:57 CEST 2006
On Tue, May 02, 2006 at 10:24:27PM -0000, rlubbers at sysctl.net wrote:
>
> I am at my wits end with this. Some devices are logging remotely, but others
> are not. I can see the packets arrive on UDP port 514 using tcpdump, but the
> packets don't get recorded in the proper file. I have tried nearly
> everything, and I am certain I am doing something silly, but maybe you can
> help out.
>
> Here is my syslog-ng.conf file:
>
> *************************************************************
>
> source local {
> unix-dgram("/var/run/log");
> udp(ip(0.0.0.0) port(514));
> internal();
> };
>
> ### SECURITY LOG - This logs
>
> filter f_9 {
> facility(security) and level(debug..emerg);
> };
>
> destination d_3 {
> file("/var/log/security" create_dirs(yes));
> };
>
> log { source(local); filter(f_9); destination(d_3); };
Does your system define a "security" facility? Probably not. From
/usr/include/sys/syslog.h on my Linux box:
/* facility codes */
#define LOG_KERN (0<<3) /* kernel messages */
#define LOG_USER (1<<3) /* random user-level messages */
#define LOG_MAIL (2<<3) /* mail system */
#define LOG_DAEMON (3<<3) /* system daemons */
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* network news subsystem */
#define LOG_UUCP (8<<3) /* UUCP subsystem */
#define LOG_CRON (9<<3) /* clock daemon */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
#define LOG_FTP (11<<3) /* ftp daemon */
/* other codes through 15 reserved for system use */
#define LOG_LOCAL0 (16<<3) /* reserved for local use */
#define LOG_LOCAL1 (17<<3) /* reserved for local use */
#define LOG_LOCAL2 (18<<3) /* reserved for local use */
#define LOG_LOCAL3 (19<<3) /* reserved for local use */
#define LOG_LOCAL4 (20<<3) /* reserved for local use */
#define LOG_LOCAL5 (21<<3) /* reserved for local use */
#define LOG_LOCAL6 (22<<3) /* reserved for local use */
#define LOG_LOCAL7 (23<<3) /* reserved for local use */
...and from a Solaris box:
/*
* Facility codes
*/
#define LOG_KERN (0<<3) /* kernel messages */
#define LOG_USER (1<<3) /* random user-level messages */
#define LOG_MAIL (2<<3) /* mail system */
#define LOG_DAEMON (3<<3) /* system daemons */
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* netnews subsystem */
#define LOG_UUCP (8<<3) /* uucp subsystem */
#define LOG_CRON (15<<3) /* cron/at subsystem */
/* other codes through 15 reserved for system use */
#define LOG_LOCAL0 (16<<3) /* reserved for local use */
#define LOG_LOCAL1 (17<<3) /* reserved for local use */
#define LOG_LOCAL2 (18<<3) /* reserved for local use */
#define LOG_LOCAL3 (19<<3) /* reserved for local use */
#define LOG_LOCAL4 (20<<3) /* reserved for local use */
#define LOG_LOCAL5 (21<<3) /* reserved for local use */
#define LOG_LOCAL6 (22<<3) /* reserved for local use */
#define LOG_LOCAL7 (23<<3) /* reserved for local use */
You need to pick from the available facilities. You might mean authpriv,
if you're on a Linux box and messages are coming from a Linux box.
If you're wondering what's coming in, define a catchall destination and
see what's recorded:
http://www.campin.net/syslog-ng/faq.html#logall
You might define a template that includes the facility/severity in the
logfile so you can set your filters accordingly:
http://www.campin.net/syslog-ng/faq.html#template
Something like this:
destination std {
    file("/var/log/catchall.log"
         owner(syslog-ng) group(syslog-ng) perm(0600) dir_perm(0700) create_dirs(yes)
         template("$DATE $FULLHOST $PROGRAM $TAG [$FACILITY.$LEVEL] $MESSAGE\n") );
};
log {
    source(src);
    destination(std);
};
--
Nate
"I had to quit my job to have time to read my email." - Curry, Adam [MTV
Host and net.legend] his occasional signature quote
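To see which facility and severity the arriving datagrams actually carry before writing a filter, here is an added example (mine, not Nate's and not syslog-ng project code) that decodes the PRI of raw UDP syslog messages with the Linux facility table quoted above and emulates a `facility(X) and level(low..high)` filter. The sample packets are constructed; the function names are my own.

```python
import re

# Facility numbers from the Linux syslog.h listing above (the value before "<<3").
# Solaris differs only in placing cron at 15; codes 12-15 are otherwise reserved,
# so a name such as "security" has no number here and can never match.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severity 0..7 as encoded in the low three bits of PRI.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(packet: str):
    """Return (facility, severity, rest) for one raw syslog datagram.
    PRI = facility * 8 + severity. A datagram with no valid <PRI> is treated
    as <13> (user.notice), which is what RFC 3164 tells a receiver to assume."""
    m = PRI_RE.match(packet)
    if m and int(m.group(1)) <= 191:          # 23*8 + 7 is the largest legal PRI
        pri, rest = int(m.group(1)), packet[m.end():]
    else:
        pri, rest = 13, packet
    fac, sev = divmod(pri, 8)
    return FACILITIES.get(fac, f"unknown({fac})"), SEVERITIES[sev], rest


def render_catchall(packet: str) -> str:
    """Format a line the way the [$FACILITY.$LEVEL] template above would show it."""
    fac, sev, rest = decode_pri(packet)
    return f"[{fac}.{sev}] {rest.strip()}"


def matches_filter(packet: str, facility: str, low: str = "debug", high: str = "emerg") -> bool:
    """Emulate syslog-ng 'facility(X) and level(low..high)'. level(debug..emerg)
    covers every severity; an unknown facility name never matches."""
    fac, sev, _ = decode_pri(packet)
    lo, hi = SEVERITIES.index(high), SEVERITIES.index(low)   # emerg=0 .. debug=7
    return fac == facility and lo <= SEVERITIES.index(sev) <= hi


# Constructed sample datagrams, as tcpdump would show them arriving on UDP/514.
SAMPLES = [
    "<38>May  3 01:01:57 gw sshd[1234]: Accepted publickey for nate",   # auth.info
    "<86>May  3 01:02:10 gw su: (to root) nate on /dev/pts/0",          # authpriv.info
    "<191>May  3 01:02:30 fw pf: rule 3 match",                         # local7.debug
    "May  3 01:03:00 printer lpd: queue empty",                         # no PRI -> user.notice
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(render_catchall(p), "| authpriv filter:", matches_filter(p, "authpriv"))
```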