[syslog-ng] syslog-ng Digest, Vol 39, Issue 20

Anurag Agarwal Anurag.Agarwal at telsima.com
Tue Aug 12 08:54:04 CEST 2008


 
Hello Bazsi,

I did some more observation and I have following more precise inputs

1) Same config file is working correctly in my lab Solaris v240 machine. Filtered syslog sent to destined user only.

2) In production the destined user is receiving logs twice ( 2 copies). It means one copy for itself because it is  destination user and 2nd copy is because all users are copied.

3) If you telnet to server and don't enter login/password even, still you start receiving a copy of message.
 

Please help !

Anurag aggarwal

-----Original Message-----
From: Anurag Agarwal 
Sent: Thursday, July 24, 2008 4:54 PM
To: 'syslog-ng at lists.balabit.hu'
Subject: RE: syslog-ng Digest, Vol 39, Issue 20

Thanks Bazsi for reply.

Relevant portion is below
**************************************************************
destination console {
usertty("wimaxnoc");
};

 filter ps_nt_re {
   match("PS NOT REACHABLE");
}; 
 
log { source(network); filter(ps_nt_re); destination(console); };
**************************************************************

Please help.



Anurag aggarwal



-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of syslog-ng-request at lists.balabit.hu
Sent: Thursday, July 24, 2008 3:30 PM
To: syslog-ng at lists.balabit.hu
Subject: syslog-ng Digest, Vol 39, Issue 20

Send syslog-ng mailing list submissions to
	syslog-ng at lists.balabit.hu

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.balabit.hu/mailman/listinfo/syslog-ng
or, via email, send a message with subject or body 'help' to
	syslog-ng-request at lists.balabit.hu

You can reach the person managing the list at
	syslog-ng-owner at lists.balabit.hu

When replying, please edit your Subject line so it is more specific than "Re: Contents of syslog-ng digest..."


Today's Topics:

   1. Re:  Re :  Re : Re :  Syslogd + Syslog-ng (Christopher Cashell)
   2. Re:  Re :  Re : Re :  Syslogd + Syslog-ng
      (Leandro Ferreira da Silva)
   3. Re:  Using regexp in match() (Balazs Scheidler)
   4. Re:  Usertty sending messages to all user and	without	login
      also (Balazs Scheidler)


----------------------------------------------------------------------

Message: 1
Date: Wed, 23 Jul 2008 10:04:34 -0500
From: Christopher Cashell <ChristopherCashell at solutionary.com>
Subject: Re: [syslog-ng] Re :  Re : Re :  Syslogd + Syslog-ng
To: Syslog-ng users' and developers' mailing list
	<syslog-ng at lists.balabit.hu>
Message-ID: <48874882.8070904 at solutionary.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Leandro Ferreira da Silva did thus speak on 7/23/2008 7:14 AM:
> The configuration is the standart, I only do the follow changes.
> 
> # sources
> source src { unix-dgram("/var/run/log");
>              unix-dgram("/var/run/logpriv" perm(0600));
>              udp(); internal(); file("/dev/klog"); };
> 
> I add this,
> source r_src { udp(ip("*client.domain*") port(514));  };

Here's your problem.  For src, you define 'udp()' as one of your log sources, without including any specific options for it.  This will cause syslog-ng to go with its defaults for udp(), which is bind to *all* IP addresses assigned to the box, on port 514.

Then, for r_src, you are telling syslog-ng to bind to a specific IP address on the box and port 514.  When syslog-ng attempts to start, it will fail with the error message you received because that ip/port is already in use (by the source src, which is bound to all IP's).

Unless you have a need to bind to a specific IP address on the box, I'd recommend removing 'udp();' from src, and replacing the current
'udp(ip("*client.domain*") port(514));' in r_src with 'udp();'.

--
Christopher Cashell


------------------------------

Message: 2
Date: Wed, 23 Jul 2008 14:39:03 -0300
From: Leandro Ferreira da Silva <ferreira at iqm.unicamp.br>
Subject: Re: [syslog-ng] Re :  Re : Re :  Syslogd + Syslog-ng
To: Syslog-ng users' and developers' mailing list
	<syslog-ng at lists.balabit.hu>
Message-ID: <48876CB7.7080909 at iqm.unicamp.br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Christopher Cashell wrote:
> Leandro Ferreira da Silva did thus speak on 7/23/2008 7:14 AM:
>> The configuration is the standart, I only do the follow changes.
>>
>> # sources
>> source src { unix-dgram("/var/run/log");
>>              unix-dgram("/var/run/logpriv" perm(0600));
>>              udp(); internal(); file("/dev/klog"); };
>>
>> I add this,
>> source r_src { udp(ip("*client.domain*") port(514));  };
>
> Here's your problem.  For src, you define 'udp()' as one of your log 
> sources, without including any specific options for it.  This will 
> cause syslog-ng to go with its defaults for udp(), which is bind to
> *all* IP addresses assigned to the box, on port 514.
>
> Then, for r_src, you are telling syslog-ng to bind to a specific IP 
> address on the box and port 514.  When syslog-ng attempts to start, it 
> will fail with the error message you received because that ip/port is 
> already in use (by the source src, which is bound to all IP's).
>
> Unless you have a need to bind to a specific IP address on the box, 
> I'd recommend removing 'udp();' from src, and replacing the current
> 'udp(ip("*client.domain*") port(514));' in r_src with 'udp();'.
>
It worked!!
The real problem was udp () at src.
Thank you very much for all the help...
Now I'll go complete my rules..

See you!! =P


------------------------------

Message: 3
Date: Thu, 24 Jul 2008 10:16:27 +0200
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] Using regexp in match()
To: Syslog-ng users' and developers' mailing list
	<syslog-ng at lists.balabit.hu>
Cc: documentation at balabit.com
Message-ID: <1216887387.8130.5.camel at bzorp.balabit>
Content-Type: text/plain; charset=UTF-8

On Tue, 2008-07-22 at 09:45 +0200, Jan Kreps wrote:
> > ------------ P?vodn? zpr?va ------------
> > Od: Jan Kreps <krepsj at seznam.cz>
> > P?edm?t: Re: [syslog-ng] Using regexp in match()
> > Datum: 10.7.2008 10:29:35
> > ----------------------------------------
> > 
> > > > I'm trying to setup central syslog-ng server for my Exchange 
> > > > servers. On
> > > windows servers I use Epilog agent (brother of Snare) forwarding 
> > > tracking logs to central syslog.
> 
> > Obviously I have used bad regexp. Exchange tracking log uses tabs as delimiters.
> > But when I saved $MSG string to text log, tabs was changed to '\011'. 
> > 
> > So now I changed my regexp to use tabs as delimiters:
> > 
> > filter f_parsing {
> >   match("([^\t]*)\t([^\t]*)\t");
> > };
> > 
> > This works like charm and saves first two tab delimited fields (date 
> > and time in this case) to $1 and $2.
> > 
> 
> Some more remarks to subject. 
> 
> Syslog-ng Administrator guide 1.1.1 Edition from May 2008 says on page 111:
> 
> "The regular expressions can use up to 255 regexp matches ($1 ... $255)."
> 
> and on page 112:
> 
> "Regarding braces around macro names, the following two formats are equivalent "$MSG" and "${MSG}"."
> 
> Fact is that for regexp matches greater than 9 it MUST be in ${} format. If you use for instance $12 it resolves as content of $1 + character '2'. I found that I have to use ${} syntax in ChangeLog remark for patch 137. I guess that should be stated in Admin Guide more clearly. In this respect, statement "The regular expressions can use up to 255 regexp matches ($1 ... $255)" is not true and should be corrected. 
> 

right, this should be fixed in the documentation.

> And I have one question about file creation.
> 
> When something is logged a file is created according to destination(). But when I delete the file, it's not created anymore, until restart of syslog-ng. Is that correct/expected behaviour?
> 
> I run Debian Etch and syslog-ng 2.0.9-1 from unstable branch (in 
> stable is still version 2.0.0)

Yes, you need to send the HUP signal to syslog-ng in order to reopen log files. This is the way UNIX works. (the application does not know about the deletion of a logfile)

--
Bazsi



------------------------------

Message: 4
Date: Thu, 24 Jul 2008 10:28:06 +0200
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] Usertty sending messages to all user and
	without	login also
To: Syslog-ng users' and developers' mailing list
	<syslog-ng at lists.balabit.hu>
Message-ID: <1216888086.8130.10.camel at bzorp.balabit>
Content-Type: text/plain

On Wed, 2008-07-23 at 13:39 +0530, Anurag Agarwal wrote:
> Hello everybuddy,
>  
> I am using syslog-ng and used usertty in destination. I am using a user
> 'test' as destination. But other users can also see the message on their
> console e.g root and other users. Please help as this is creating a
> problem and NG not working as desired.
>  OS: Solaris 10
> 

It does work for me. Can you show us the relevant portions of your
configuration file? I tried with this:

source local { sun-streams("/dev/log" door("/etc/.syslog_door"));
internal(); };

destination all { file("/var/log/messages"); };

log { source(local); destination(all); };

destination all_users {
  usertty("bazsi");
};

filter alert_emerg {
  level(err..emerg);
};
log {
  source(local);
  filter(alert_emerg);
  destination(all_users);
};


It correctly printed err..emerg messages on my tty, and not on others.
The relevant portion of the code is here:

#if HAVE_MODERN_UTMP
      if (ut->ut_type == USER_PROCESS &&
          ((self->username->len == 1 &&
            self->username->str[0] == '*') ||
           (self->username->len <= sizeof(ut->ut_user) &&
            memcmp(self->username->str, ut->ut_user, self->username->len) == 0))) 
#else
      if ((self->username->len == 1 &&
           self->username->str[0] == '*') ||
          (self->username->len <= sizeof(ut->ut_name) &&
           memcmp(self->username->str, ut->ut_name, self->username->len) == 0)) 
#endif

I don't see how this condition could match for everyone. Even if the
wtmp format is different and ut->ut_name would contain a bogus value,
the expected breakage would be to not display anywhere, not to display
everywhere.

-- 
Bazsi



------------------------------

_______________________________________________
syslog-ng maillist  -  syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng


End of syslog-ng Digest, Vol 39, Issue 20
*****************************************



More information about the syslog-ng mailing list