[syslog-ng] Client forwarding to server
mailing list
sunlist at yahoo.com
Thu Aug 30 21:14:59 CEST 2007
--- "Geller, Sandor (IT)" <Sandor.Geller at morganstanley.com> wrote:
> > SERVER SIDE
> > #####################################################################
> >
> > options {
> > long_hostnames(off);
> > log_msg_size(8192);
> > sync(1);
> > log_fifo_size(2048);
> > bad_hostname("^(ctld.|cmd|tmd|last)$");
> > time_reopen(10);
> > };
> >
> > #####################################################################
> >
> > source src { sun-stream("/dev/log"
> > door("/etc/.syslog_door")); internal(); };
> > source loghost { tcp(ip(192.168.1.11) port(5140)); };
> > source s_tcp { tcp(port(5140) keep-alive(yes)
> > max_connections(100)); };
> >
> > destination syslog { file("/var/log/syslog"); };
> > destination mail { file("/var/log/syslog"); };
> > destination messages { file("/var/adm/messages"); };
> >
> > filter f_mail { facility(mail); };
> > filter f_not_mail { not facility(mail); };
> >
> > # log { source(loghost); };
> > log { source(src); filter(f_mail); destination(syslog); };
> > log { source(src); filter(f_not_mail); destination(messages); };
>
> Please note that defining a source isn't enough. You have to use
> it in your log statements too. In your config you defined 3
> sources, while in the log{} sections you're using only a single
> one. Either modify your sources definition to something like:
Thank you for pointing out this relationship. I read section 3.3 (sources) and
3.5 (log path) but it did not point this out (or maybe it did and I missed it).
> source src {
> sun-stream("/dev/log" door("/etc/.syslog_door"));
> internal();
> tcp(port(5140) keep-alive(yes) max_connections(100));
> };
>
> and then use your existing log{} sections, or add another log{}
> section which uses the loghost and s_tcp sources explicitly.
>
> > CLIENT SIDE
> > #####################################################################
> >
> > options {
> > long_hostnames(off);
> > log_msg_size(8192);
> > sync(1);
> > log_fifo_size(2048);
> > bad_hostname("^(ctld.|cmd|tmd|last)$");
> > time_reopen(10);
> > };
> >
> > #####################################################################
> >
> > source src { sun-stream("/dev/log"
> > door("/etc/.syslog_door")); internal(); };
> >
> > destination syslog { file("/var/log/syslog"); };
> > # destination mail { file("/var/log/syslog"); };
> > destination messages { file("/var/adm/messages"); };
> > destination loghost { tcp("192.168.1.11" port(5140)); };
> >
> > filter f_mail { facility(mail); };
> > filter f_not_mail { not facility(mail); };
> >
> > # log { source(loghost); };
> > log { source(src); filter(f_mail); destination(syslog); };
> > log { source(src); filter(f_not_mail); destination(messages); };
> >
> > source s_localhost { tcp(ip(127.0.0.1) port(5140) ); };
> > log { source(s_localhost); destination(loghost); };
>
> What I wrote above applies to this configuration too. You're
> defining s_localhost to be a tcp source (which shouldn't be
> used on clients, only on servers and syslog relays).
>
> The logs generated on the client will come through the 'src'
> source, which won't get logged to the loghost. I recommend
> starting with a quite simple configuration like:
>
> source src {
> sun-stream("/dev/log" door ("/etc/.syslog_door"));
> internal();
> };
>
> destination syslog { file("/var/log/syslog"); };
> destination messages { file("/var/adm/messages"); };
> destination loghost { tcp("192.168.1.11" port(5140)); };
>
> filter f_mail { facility(mail); };
> filter f_not_mail { not facility(mail); };
>
> log {
> source(src);
> filter(f_mail);
> destination(syslog);
> destination(loghost);
> };
>
> log {
> source(src);
> filter(f_not_mail);
> destination(messages);
> destination(loghost);
> };
Thank you all for your help. I was able to capture the log on the server from
the client. A simple "logger -p daemon.crit syslog-ng test" from the client is
now seen in /var/adm/messages on the server.
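As an added example (not part of the thread), a small Python check for the two mistakes Sandor points out: objects that are defined but referenced by no log{} path, and a destination that no local source actually reaches. The two config strings are constructed, condensed copies of the posted server and client configs, and the parser is deliberately simple (no nested blocks, no '#' inside quoted strings).

```python
import re
# Constructed samples, condensed from the two configurations posted in the thread.
SERVER_CONF = """
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
source loghost { tcp(ip(192.168.1.11) port(5140)); };
source s_tcp { tcp(port(5140) keep-alive(yes) max_connections(100)); };
destination syslog { file("/var/log/syslog"); };
destination mail { file("/var/log/syslog"); };
destination messages { file("/var/adm/messages"); };
filter f_mail { facility(mail); };
filter f_not_mail { not facility(mail); };
# log { source(loghost); };
log { source(src); filter(f_mail); destination(syslog); };
log { source(src); filter(f_not_mail); destination(messages); };
"""
CLIENT_CONF = """
source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); };
source s_localhost { tcp(ip(127.0.0.1) port(5140) ); };
destination messages { file("/var/adm/messages"); };
destination loghost { tcp("192.168.1.11" port(5140)); };
log { source(src); destination(messages); };
log { source(s_localhost); destination(loghost); };
"""

KINDS = ("source", "destination", "filter")
DEF_RE = re.compile(r"\b(source|destination|filter)\s+(\w+)\s*\{")  # object definitions
LOG_RE = re.compile(r"\blog\s*\{(.*?)\};", re.S)  # body of each log {} statement
REF_RE = re.compile(r"\b(source|destination|filter)\s*\(\s*(\w+)\s*\)")  # references inside log {}

def strip_comments(conf):
    # Simplification: assumes '#' never appears inside a quoted string.
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def log_paths(conf):
    """One {kind: set(names)} dict per log {} statement."""
    paths = []
    for body in LOG_RE.findall(strip_comments(conf)):
        refs = REF_RE.findall(body)
        paths.append({k: {name for kind, name in refs if kind == k} for k in KINDS})
    return paths

def unused_objects(conf):
    """Objects defined but referenced by no log path (the server-side mistake)."""
    defined = DEF_RE.findall(strip_comments(conf))
    used = {k: set().union(*(p[k] for p in log_paths(conf))) for k in KINDS}
    return {k: sorted({n for kind, n in defined if kind == k} - used[k]) for k in KINDS}

def sources_reaching(conf, destination):
    """Sources with at least one log path ending in `destination` (the client-side check)."""
    hits = (p["source"] for p in log_paths(conf) if destination in p["destination"])
    return sorted(set().union(*hits))
```

On the server config this reports the loghost and s_tcp sources (and the mail destination) as unused; on the client config it shows that only s_localhost, not the local src source, has a path to loghost.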