[syslog-ng] E-mail alert from Syslog-NG! (Valdis.Kletnieks at vt.edu
Wilson Lai
wilsonlai at macausjm.com
Wed Oct 10 10:18:02 CEST 2007
Dear Valdis,
Could OSSEC do the same thing as I want?
Thanks.
Regards,
Wilson Lai
System Engineer
IT Dept., SJM
Office: (853)2978585
Mobile: (853)66506709
Email: wilsonlai at macausjm.com
-----Original Message-----
From: syslog-ng-request at lists.balabit.hu
[mailto:syslog-ng-request at lists.balabit.hu]
Sent: Tuesday, October 09, 2007 6:00 PM
To: syslog-ng at lists.balabit.hu
Subject: syslog-ng Digest, Vol 30, Issue 6
Today's Topics:
1. Source-file not working (fabian marcos)
2. Re: E-mail alert from Syslog-NG! (Valdis.Kletnieks at vt.edu)
3. Re: Trying to build RPM (Balazs Scheidler)
4. Re: Source-file not working (Balazs Scheidler)
----------------------------------------------------------------------
Message: 1
Date: Mon, 8 Oct 2007 03:09:50 -0700 (PDT)
From: fabian marcos <ositoll at yahoo.com>
Subject: [syslog-ng] Source-file not working
To: syslog-ng at lists.balabit.hu
Message-ID: <255430.34734.qm at web50902.mail.re2.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"
Hi everyone,
I have a problem with a "source-file". Syslog-ng can't read my
"source-file". I don't know why, please help me.
This is my simple syslog-ng.conf file (Vers- 1.6.11) on my Solaris 8
(Sparc.117350-16);
options { mark(600); sync(0); use_dns(yes); create_dirs(yes);
};
source src_tail {
file("/var/log/syslog-ng/mar" );
internal();
};
source s_local {
sun-streams("/dev/log" door("/etc/.syslog_door"));
};
destination d_loghost_localhost {
udp("10.10.10.48" port(514)); file
("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/localhost.log");
};
log {
source(src_tail); source(s_local);
destination(d_loghost_localhost) ;
};
I can see on the remote central server log "10.10.10.48" that it is
working with the internal messages;
15:11:50.193397 10.10.1.36.33055 > 10.10.10.48.syslog: udp 92 (DF)
0x0000 4500 0078 df47 4000 fd11 7ec5 0a0a 0124    E..x.G at ...~....$
0x0010 0a0a 0a30 811f 0202 0064 9f5e 3c34 353e    ...0.....d.^<45>
0x0020 4f63 7420 2034 2031 353a 3131 3a35 3020    Oct..4.15:11:50.
0x0030 7372 635f 7461 696c 4061 7070 7331 6d6e    src_tail at testhos
0x0040 3120 7379 736c 6f67 2d6e 675b 3139 3933    t.syslog-ng[1993
0x0050 305d                                       0]
I make a test in the local server #logger -p local3.info test1 and I
can see the message on tcpdump in the remote server;
15:22:58.946246 10.10.1.36.33318 > 10.10.10.48.syslog: udp 78 (DF)
0x0000 4500 006a 014e 4000 fd11 5ccd 0a0a 0124    E..j.N at ...\....$
0x0010 0a0a 0a30 8226 0202 0056 852d 3c31 3538    ...0.&...V.-<158
0x0020 3e4f 6374 2020 3420 3135 3a32 323a 3538    >Oct..4.15:22:58
0x0030 2073 5f6c 6f63 616c 4061 7070 7331 6d6e    .s_local at testhos
0x0040 3120 6d61 7266 6162 6961 3a20 5b49 4420    t.marcos:.[ID.
0x0050 3730 70
The file destination local is writing only the internal() but nothing
about my file "/var/log/syslog-ng/mar";
#tail /var/log/syslog-ng/$YEAR.$MONTH.$DAY/localhost.log
Oct 4 15:22:54 src_tail at testhost syslog-ng[23738]: syslog-ng version
1.6.11 starting
Oct 4 15:32:54 src_tail at testhost syslog-ng[23738]: STATS: dropped 0
This test script is running 'while true; do date
>>/var/log/syslog-ng/mar; sleep 5; done &' and it is writing every 5
seconds on my "source file" but I can see nothing on the remote host and
nothing in local host (root at testhost# snoop -d hme0 10.10.10.48) or
local file.
root at testhost # ps -ef|grep syslog
root 28281 1 0 Sep 19 ? 0:00 /usr/sbin/syslogd
root 28310 1 1 16:09:21 ? 0:00
/usr/local/sbin/syslog-ng -f /etc/syslog-ng.conf
root at testhost # ls -la /var/log/syslog-ng/mar
-rwxrwxrwx 1 root other 64042 Oct 4 16:09
/var/log/syslog-ng/mar
Can you help me?
Thanks in advance,
Marcos Fabian.
PS- Also when I include the option "follow_freq(1)" on the
syslog-ng.conf;
source s_tail { file("/var/log/apache/access.log" follow_freq(1)
flags(no-parse)); };
I have the next error;
# /usr/local/sbin/syslog-ng -d -v /etc/syslog-ng.conf
syntax error at 10
Parse error reading configuration file, exiting. (line 10)
------------------------------
Message: 2
Date: Mon, 08 Oct 2007 11:38:22 -0400
From: Valdis.Kletnieks at vt.edu
Subject: Re: [syslog-ng] E-mail alert from Syslog-NG!
To: "Syslog-ng users' and developers' mailing list"
<syslog-ng at lists.balabit.hu>
Message-ID: <17388.1191857902 at turing-police.cc.vt.edu>
Content-Type: text/plain; charset="us-ascii"
On Mon, 08 Oct 2007 16:49:36 +0800, Wilson Lai said:
> Would there be any tool to check the severity of the log
> message and alert me by mail once
>
> receiving the event log message with "error" severity?
We use tools like logwatch and swatch to do this sort of thing:
http://www.logwatch.org
http://swatch.sourceforge.net/
Both of these are regexp based, and would probably need work to flag
stuff specifically based on the syslog priority. Though it wouldn't be
too hard to say 'log all error and higher to a specific file', and then
point one of those two at that file, and tell them to match ^.*$ (and
your problem is solved).
You'll probably find out that a good number of programs don't use
'error' to flag errors (one of the reasons we went with regexp based
tools - the first setup to get them all the regexps to get rid of all
the noise was *huge* (some of our servers blatted out 87M-sized e-mails
the first few times till we ignored the right stuff))....
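An added example (not from the thread or from syslog-ng itself) of the check Valdis describes: decode the RFC 3164 <PRI> prefix visible in the datagrams above (<45> and <158>), keep only messages at err or more urgent, and drop known-routine messages with a regexp noise list. The sample lines and the NOISE patterns are constructed for illustration.

```python
import re

# RFC 3164: PRI = facility * 8 + severity.  "error or higher" means severity <= 3.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % i for i in range(8)]          # codes 16..23
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def decode_pri(line):
    """Return (facility, severity, message) for a '<PRI>...' line, else None."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest valid PRI
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2)

# Constructed noise list: error-level messages that are routine and should
# not page anyone.  A real list grows large, as the thread notes.
NOISE = [re.compile(p) for p in (
    r"syslog-ng\[\d+\]: STATS: dropped 0$",
    r"sendmail\[\d+\]: .* deferred: Connection timed out",
)]

def select_alerts(lines, worst_allowed="err", noise=NOISE):
    """Keep lines at severity 'worst_allowed' or more urgent, minus noise."""
    threshold = SEVERITIES.index(worst_allowed)
    alerts = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            continue                   # no PRI: severity cannot be judged
        facility, severity, msg = decoded
        if SEVERITIES.index(severity) > threshold:
            continue                   # warning/notice/info/debug: not an alert
        if any(p.search(msg) for p in noise):
            continue
        alerts.append("%s.%s %s" % (facility, severity, msg))
    return alerts

# Constructed sample, modelled on the <45> and <158> datagrams in the thread.
SAMPLE = [
    "<45>Oct  4 15:11:50 testhost syslog-ng[19930]: syslog-ng version 1.6.11 starting",
    "<158>Oct  4 15:22:58 testhost marcos: test1",
    "<27>Oct  4 15:30:01 testhost sshd[4242]: error: PAM: Authentication failure",
    "<11>Oct  4 15:31:10 testhost sendmail[77]: q1: deferred: Connection timed out",
]
```

With the sample above, only the daemon.err sshd line survives; the <158> line decodes to local3.info, matching the "logger -p local3.info" test earlier in the thread.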
------------------------------
Message: 3
Date: Tue, 09 Oct 2007 09:39:25 +0200
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] Trying to build RPM
To: andrew at thekerrs.ca, Syslog-ng users' and developers' mailing
list
<syslog-ng at lists.balabit.hu>
Message-ID: <1191915565.6723.13.camel at bzorp.balabit>
Content-Type: text/plain
On Fri, 2007-10-05 at 13:04 -0600, Andrew Kerr wrote:
> Hi folks,
>
> I've downloaded the source for syslog-ng 2.0.5 and am trying to build an
> RPM. When I try, I get a missing dependency with libevtlog-devel.
The RPM build expects libevtlog to be compiled as an RPM too.
> I did compile and install eventlog-0.2.5, as well as adding /usr/local/lib
> to /etc/ld.so.conf.
>
> Even if I just try configuring syslog-ng, I get a similar error:
>
> 'No package eventlog' found.
add /usr/local/lib/pkgconfig to your PKG_CONFIG_PATH
--
Bazsi
------------------------------
Message: 4
Date: Tue, 09 Oct 2007 09:43:07 +0200
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] Source-file not working
To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
Message-ID: <1191915788.6723.17.camel at bzorp.balabit>
Content-Type: text/plain; charset=utf-8
On Mon, 2007-10-08 at 03:09 -0700, fabian marcos wrote:
> Hi everyone,
>
> I have a problem with a "source-file". Syslog-ng can't read my
> "source-file". I don't know why, please help me.
>
> This is my simple syslog-ng.conf file (Vers- 1.6.11) on my Solaris 8
> (Sparc.117350-16);
>
you need at least syslog-ng 2.0.5 for source file to work correctly.
--
Bazsi
------------------------------
End of syslog-ng Digest, Vol 30, Issue 6