[syslog-ng] Client forwarding to server

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Thu Aug 30 18:54:12 CEST 2007


Hello,

> But I do have the "source loghost..." on the server side, not on the
> client side.  Here's my syslog-ng.conf on the server side (server1).
> I read the manual but I'm not comprehending some of the explanations :-)
> I read the "Configuring syslog-ng client" but it gives a list of "to do"
> rather than "how to."
> 
> syslog-ng 2.0.4, Solaris 10, client side is running MP (multi-path, and
> I'm not sure if MP causes any problem?)
> 
> SERVER SIDE
> #####################################################################
> 
> options {
>         long_hostnames(off);
>         log_msg_size(8192);
>         sync(1);
>         log_fifo_size(2048); 
>         bad_hostname("^(ctld.|cmd|tmd|last)$");
>         time_reopen(10);
> };
> 
> #####################################################################
> 
> source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
> source loghost { tcp(ip(192.168.1.11) port(5140)); };
> source s_tcp { tcp(port(5140) keep-alive(yes) max_connections(100)); };
> 
> destination syslog { file("/var/log/syslog"); };
> destination mail   { file("/var/log/syslog"); };
> destination messages { file("/var/adm/messages"); };
> 
> filter f_mail { facility(mail); };
> filter f_not_mail { not facility(mail); };
> 
> # log { source(loghost); };
> log { source(src); filter(f_mail); destination(syslog); };
> log { source(src); filter(f_not_mail); destination(messages); };

Please note that defining a source isn't enough. You have to use
it in your log statements too. In your config you defined 3
sources, while in the log{} sections you're using only a single
one. Either modify your sources definition to something like:

source src {
  sun-stream("/dev/log"  door("/etc/.syslog_door"));
  internal();
  tcp(port(5140) keep-alive(yes) max_connections(100));
};

and then use your existing log{} sections, or add other log{}
sections which use the loghost and s_tcp sources explicitly.

> CLIENT SIDE
> #####################################################################
> 
> options {
>         long_hostnames(off);
>         log_msg_size(8192);
>         sync(1);
>         log_fifo_size(2048);
>         bad_hostname("^(ctld.|cmd|tmd|last)$");
>         time_reopen(10);
> };
> 
> #####################################################################
> 
> source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
> 
> destination syslog { file("/var/log/syslog"); };
> # destination mail   { file("/var/log/syslog"); };
> destination messages { file("/var/adm/messages"); };
> destination loghost { tcp("192.168.1.11" port(5140)); };
> 
> filter f_mail { facility(mail); };
> filter f_not_mail { not facility(mail); };
> 
> # log { source(loghost); };
> log { source(src); filter(f_mail); destination(syslog); };
> log { source(src); filter(f_not_mail); destination(messages); };
> 
> source s_localhost { tcp(ip(127.0.0.1) port(5140) ); };
> log { source(s_localhost); destination(loghost); };

What I wrote above applies to this configuration too. You're
defining s_localhost to be a tcp source (which shouldn't be
used on clients, only on servers and syslog relays).

The logs generated on the client will come through the 'src'
source, which won't get logged to the loghost. I recommend
starting with a quite simple configuration like:

source src {
  sun-stream("/dev/log" door("/etc/.syslog_door"));
  internal();
};

destination syslog { file("/var/log/syslog"); };
destination messages { file("/var/adm/messages"); };
destination loghost { tcp("192.168.1.11" port(5140)); };
 
filter f_mail { facility(mail); };
filter f_not_mail { not facility(mail); };
 
log {
  source(src);
  filter(f_mail);
  destination(syslog);
  destination(loghost);
};

log {
  source(src);
  filter(f_not_mail);
  destination(messages);
  destination(loghost);
};

Regards,

Sandor
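The check below is an added example, not code from this thread or from syslog-ng itself. It is a small Python lint for syslog-ng 2.x configuration files that reports every source, destination or filter that is declared but never referenced from a log {} path (the point Sandor makes above about the three sources), and the reverse case of a log {} path naming an object that was never declared. It runs over the server config quoted in the thread, and over a constructed corrected version in which the two tcp() listeners on port 5140 are merged into a single source and every declared object is wired into a log {} path; the names s_remote and remote, and the per-host file path, are assumptions and not from the thread.

```python
"""Lint a syslog-ng 2.x config for declared-but-unused and
referenced-but-undeclared sources, destinations and filters.
Hand-written parser for the 'kind name { ... };' statement shape."""
import re

# Constructed sample 1: the server-side config quoted in the thread
# (the options {} block is omitted; it declares no linted objects).
QUOTED_SERVER_CONF = r"""
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
source loghost { tcp(ip(192.168.1.11) port(5140)); };
source s_tcp { tcp(port(5140) keep-alive(yes) max_connections(100)); };

destination syslog { file("/var/log/syslog"); };
destination mail   { file("/var/log/syslog"); };
destination messages { file("/var/adm/messages"); };

filter f_mail { facility(mail); };
filter f_not_mail { not facility(mail); };

# log { source(loghost); };
log { source(src); filter(f_mail); destination(syslog); };
log { source(src); filter(f_not_mail); destination(messages); };
"""

# Constructed sample 2 (assumed names): one remote listener instead of two
# sources bound to port 5140, and every object referenced from a log {} path.
FIXED_SERVER_CONF = r"""
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
source s_remote { tcp(ip(192.168.1.11) port(5140) keep-alive(yes) max_connections(100)); };

destination syslog   { file("/var/log/syslog"); };
destination messages { file("/var/adm/messages"); };
destination remote   { file("/var/log/remote/$HOST/messages"); };  # needs create_dirs(yes)

filter f_mail { facility(mail); };
filter f_not_mail { not facility(mail); };

log { source(src); filter(f_mail); destination(syslog); };
log { source(src); filter(f_not_mail); destination(messages); };
log { source(s_remote); destination(remote); };
"""

OBJECT_KINDS = ("source", "destination", "filter")
HEADER_RE = re.compile(r"\s*(\w+)\s*(\w*)\s*\{")
REF_RE = re.compile(r"\b(source|destination|filter)\s*\(\s*(\w+)\s*\)")


def strip_comments(text):
    """Drop '#' comments to end of line, ignoring '#' inside "..." strings."""
    out = []
    for line in text.splitlines():
        in_str, kept = False, []
        for ch in line:
            if ch == '"':
                in_str = not in_str
            if ch == "#" and not in_str:
                break
            kept.append(ch)
        out.append("".join(kept))
    return "\n".join(out)


def split_statements(text):
    """Yield (kind, name, body) for each top-level 'kind name { body };'.
    log {} statements carry no name, so name is None for them."""
    i, n = 0, len(text)
    while True:
        m = HEADER_RE.match(text, i)
        if not m:
            return
        depth, j = 1, m.end()
        while j < n and depth:          # find the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        if depth:
            raise ValueError("unbalanced braces in config")
        yield m.group(1), m.group(2) or None, text[m.end():j - 1]
        i = j
        while i < n and text[i] in " \t\r\n;":   # skip the trailing ';'
            i += 1


def lint(config):
    """Return {'unused': {kind: names}, 'undefined': {kind: names}}."""
    declared = {k: set() for k in OBJECT_KINDS}
    referenced = {k: set() for k in OBJECT_KINDS}
    for kind, name, body in split_statements(strip_comments(config)):
        if kind in OBJECT_KINDS and name:
            declared[kind].add(name)
        elif kind == "log":
            for ref_kind, ref_name in REF_RE.findall(body):
                referenced[ref_kind].add(ref_name)
    return {
        "unused": {k: declared[k] - referenced[k] for k in OBJECT_KINDS},
        "undefined": {k: referenced[k] - declared[k] for k in OBJECT_KINDS},
    }


if __name__ == "__main__":
    for label, conf in (("quoted", QUOTED_SERVER_CONF), ("fixed", FIXED_SERVER_CONF)):
        for problem, kinds in lint(conf).items():
            for kind, names in kinds.items():
                for name in sorted(names):
                    print(f"{label}: {problem} {kind} '{name}'")
```

Run as a script it reports the two sources (loghost, s_tcp) and the mail destination that the quoted server config declares but never uses, and nothing for the corrected config. The parser only understands the flat 2.x statement shape used in this thread; it is a pre-deployment sanity check, not a replacement for syslog-ng's own `-s` syntax check.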

