[syslog-ng] syslog-ng Digest, Vol 39, Issue 20
Anurag Agarwal
Anurag.Agarwal at telsima.com
Thu Jul 24 13:24:20 CEST 2008
Thanks Bazsi for the reply.
The relevant portion is below:
**************************************************************
destination console {
    usertty("wimaxnoc");
};
filter ps_nt_re {
    match("PS NOT REACHABLE");
};
log { source(network); filter(ps_nt_re); destination(console); };
**************************************************************
Please help.
Anurag aggarwal
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of
syslog-ng-request at lists.balabit.hu
Sent: Thursday, July 24, 2008 3:30 PM
To: syslog-ng at lists.balabit.hu
Subject: syslog-ng Digest, Vol 39, Issue 20
Send syslog-ng mailing list submissions to
syslog-ng at lists.balabit.hu
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.balabit.hu/mailman/listinfo/syslog-ng
or, via email, send a message with subject or body 'help' to
syslog-ng-request at lists.balabit.hu
You can reach the person managing the list at
syslog-ng-owner at lists.balabit.hu
When replying, please edit your Subject line so it is more specific than
"Re: Contents of syslog-ng digest..."
Today's Topics:
1. Re: Re : Re : Re : Syslogd + Syslog-ng (Christopher Cashell)
2. Re: Re : Re : Re : Syslogd + Syslog-ng (Leandro Ferreira da Silva)
3. Re: Using regexp in match() (Balazs Scheidler)
4. Re: Usertty sending messages to all user and without login also (Balazs Scheidler)
----------------------------------------------------------------------
Message: 1
Date: Wed, 23 Jul 2008 10:04:34 -0500
From: Christopher Cashell <ChristopherCashell at solutionary.com>
Subject: Re: [syslog-ng] Re : Re : Re : Syslogd + Syslog-ng
To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
Message-ID: <48874882.8070904 at solutionary.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Leandro Ferreira da Silva did thus speak on 7/23/2008 7:14 AM:
> The configuration is the standard, I only do the following changes.
>
> # sources
> source src { unix-dgram("/var/run/log");
> unix-dgram("/var/run/logpriv" perm(0600));
> udp(); internal(); file("/dev/klog"); };
>
> I add this,
> source r_src { udp(ip("*client.domain*") port(514)); };
Here's your problem. For src, you define 'udp()' as one of your log
sources, without including any specific options for it. This will cause
syslog-ng to go with its defaults for udp(), which is bind to *all* IP
addresses assigned to the box, on port 514.
Then, for r_src, you are telling syslog-ng to bind to a specific IP
address on the box and port 514. When syslog-ng attempts to start, it
will fail with the error message you received because that ip/port is
already in use (by the source src, which is bound to all IP's).
Unless you have a need to bind to a specific IP address on the box, I'd
recommend removing 'udp();' from src, and replacing the current
'udp(ip("*client.domain*") port(514));' in r_src with 'udp();'.
--
Christopher Cashell
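The conflict Christopher describes, reproduced as an added example (not code from the thread or from syslog-ng): one UDP socket bound to all addresses on a kernel-chosen port stands in for the bare udp() source, a second socket bound to 127.0.0.1 on the same port stands in for the udp(ip(...) port(...)) source, and the second bind fails with EADDRINUSE. Port 0 is used so the demo runs unprivileged, unlike port 514.

```c
/* Added example, not syslog-ng code: reproduce the conflict from the thread
 * on an ephemeral port. A socket bound to all addresses (what a bare udp()
 * gives you) owns the port, so a second socket bound to one specific address
 * on the same port fails with EADDRINUSE. Port 0: no privileges needed. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Bind a fresh UDP socket to addr:port; returns the fd or -1 (errno set). */
static int bind_udp(const char *addr, unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* errno of the second bind (expect EADDRINUSE); 0 if it succeeded; -1 on setup failure. */
int udp_wildcard_conflict(void)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int specific_fd, result;
    int any_fd = bind_udp("0.0.0.0", 0);   /* source src: plain udp() */
    if (any_fd < 0 || getsockname(any_fd, (struct sockaddr *)&sa, &len) < 0) {
        if (any_fd >= 0) close(any_fd);
        return -1;
    }
    /* source r_src: udp(ip("...") port(N)) on the port the wildcard socket owns */
    specific_fd = bind_udp("127.0.0.1", ntohs(sa.sin_port));
    result = (specific_fd < 0) ? errno : 0;
    if (specific_fd >= 0)
        close(specific_fd);
    close(any_fd);
    return result;
}
```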
------------------------------
Message: 2
Date: Wed, 23 Jul 2008 14:39:03 -0300
From: Leandro Ferreira da Silva <ferreira at iqm.unicamp.br>
Subject: Re: [syslog-ng] Re : Re : Re : Syslogd + Syslog-ng
To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
Message-ID: <48876CB7.7080909 at iqm.unicamp.br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Christopher Cashell wrote:
> Leandro Ferreira da Silva did thus speak on 7/23/2008 7:14 AM:
>> The configuration is the standard, I only do the following changes.
>>
>> # sources
>> source src { unix-dgram("/var/run/log");
>> unix-dgram("/var/run/logpriv" perm(0600));
>> udp(); internal(); file("/dev/klog"); };
>>
>> I add this,
>> source r_src { udp(ip("*client.domain*") port(514)); };
>
> Here's your problem. For src, you define 'udp()' as one of your log
> sources, without including any specific options for it. This will
> cause syslog-ng to go with its defaults for udp(), which is bind to
> *all* IP addresses assigned to the box, on port 514.
>
> Then, for r_src, you are telling syslog-ng to bind to a specific IP
> address on the box and port 514. When syslog-ng attempts to start, it
> will fail with the error message you received because that ip/port is
> already in use (by the source src, which is bound to all IP's).
>
> Unless you have a need to bind to a specific IP address on the box,
> I'd recommend removing 'udp();' from src, and replacing the current
> 'udp(ip("*client.domain*") port(514));' in r_src with 'udp();'.
>
It worked!!
The real problem was udp () at src.
Thank you very much for all the help...
Now I'll go complete my rules..
See you!! =P
------------------------------
Message: 3
Date: Thu, 24 Jul 2008 10:16:27 +0200
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] Using regexp in match()
To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
Cc: documentation at balabit.com
Message-ID: <1216887387.8130.5.camel at bzorp.balabit>
Content-Type: text/plain; charset=UTF-8
On Tue, 2008-07-22 at 09:45 +0200, Jan Kreps wrote:
> > ------------ Original message ------------
> > From: Jan Kreps <krepsj at seznam.cz>
> > Subject: Re: [syslog-ng] Using regexp in match()
> > Date: 10.7.2008 10:29:35
> > ----------------------------------------
> >
> > > I'm trying to setup central syslog-ng server for my Exchange servers. On
> > > windows servers I use Epilog agent (brother of Snare) forwarding tracking
> > > logs to central syslog.
>
> > Obviously I have used bad regexp. Exchange tracking log uses tabs as
> > delimiters.
> > But when I saved $MSG string to text log, tabs were changed to '\011'.
> >
> > So now I changed my regexp to use tabs as delimiters:
> >
> > filter f_parsing {
> >     match("([^\t]*)\t([^\t]*)\t");
> > };
> >
> > This works like a charm and saves first two tab delimited fields (date
> > and time in this case) to $1 and $2.
> >
>
> Some more remarks to the subject.
>
> Syslog-ng Administrator guide 1.1.1 Edition from May 2008 says on page 111:
>
> "The regular expressions can use up to 255 regexp matches ($1 ... $255)."
>
> and on page 112:
>
> "Regarding braces around macro names, the following two formats are
> equivalent "$MSG" and "${MSG}"."
>
> The fact is that regexp matches greater than 9 MUST be in ${} format. If
> you use for instance $12 it resolves as content of $1 + character '2'. I
> found that I have to use ${} syntax in the ChangeLog remark for patch
> 137. I guess that should be stated in the Admin Guide more clearly. In
> this respect, the statement "The regular expressions can use up to 255
> regexp matches ($1 ... $255)" is not true and should be corrected.
>
right, this should be fixed in the documentation.
> And I have one question about file creation.
>
> When something is logged a file is created according to destination().
> But when I delete the file, it's not created anymore, until restart of
> syslog-ng. Is that correct/expected behaviour?
>
> I run Debian Etch and syslog-ng 2.0.9-1 from unstable branch (in stable
> is still version 2.0.0)
Yes, you need to send the HUP signal to syslog-ng in order to reopen log
files. This is the way UNIX works. (the application does not know about
the deletion of a logfile)
--
Bazsi
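Why the deleted file stays gone until a reopen, as an added example (not from the thread or from syslog-ng): the writer holds an open descriptor, so the kernel keeps the inode after unlink and writes keep succeeding, while the directory entry is gone. fstat() reporting st_nlink == 0 is the check that tells you your log is going into a deleted file; closing and reopening (what the daemon does on HUP) recreates the path. The file path is a constructed demo location.

```c
/* Added example, not syslog-ng code: why a deleted log file does not come
 * back until the daemon reopens it. The writer keeps its descriptor, the
 * kernel keeps the inode alive, and writes keep succeeding into a file no
 * path refers to any more; only a reopen (what SIGHUP triggers) recreates it. */
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEMO_LOG "/tmp/syslog-ng-unlink-demo.log"   /* constructed path */

/* Open (create/append) the log the way a daemon does at start-up or on HUP. */
static int log_open(void)
{
    return open(DEMO_LOG, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* Detect the "deleted but still open" state: the open inode has no links. */
int log_is_unlinked(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 && st.st_nlink == 0;
}

/* Returns 1 if the sequence behaves as described in the thread: the path
 * vanishes on delete, writes still succeed, and only a reopen restores it. */
int unlink_demo(void)
{
    const char line[] = "Jul 24 13:24:20 host demo: constructed line\n";
    struct stat st;
    int ok = 0;
    int fd = log_open();
    if (fd < 0)
        return 0;
    if (write(fd, line, sizeof line - 1) > 0) {
        unlink(DEMO_LOG);                           /* operator deletes the log */
        ok = stat(DEMO_LOG, &st) != 0               /* path is gone ...         */
          && write(fd, line, sizeof line - 1) > 0   /* ... but writes succeed   */
          && log_is_unlinked(fd);                   /* and the inode has 0 links */
    }
    close(fd);                                      /* "HUP": close and reopen  */
    fd = log_open();
    ok = ok && fd >= 0 && stat(DEMO_LOG, &st) == 0 && st.st_nlink == 1;
    if (fd >= 0)
        close(fd);
    unlink(DEMO_LOG);                               /* clean up the demo file   */
    return ok;
}
```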
------------------------------
Message: 4
Date: Thu, 24 Jul 2008 10:28:06 +0200
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] Usertty sending messages to all user and
without login also
To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
Message-ID: <1216888086.8130.10.camel at bzorp.balabit>
Content-Type: text/plain
On Wed, 2008-07-23 at 13:39 +0530, Anurag Agarwal wrote:
> Hello everybody,
>
> I am using syslog-ng and used usertty in destination. I am using a user
> 'test' as destination. But other users can also see the message on their
> console e.g root and other users. Please help as this is creating a
> problem and NG not working as desired.
> OS: Solaris 10
>
It does work for me. Can you show us the relevant portions of your
configuration file? I tried with this:
source local {
    sun-streams("/dev/log" door("/etc/.syslog_door"));
    internal();
};
destination all { file("/var/log/messages"); };
log { source(local); destination(all); };
destination all_users {
    usertty("bazsi");
};
filter alert_emerg {
    level(err..emerg);
};
log {
    source(local);
    filter(alert_emerg);
    destination(all_users);
};
It correctly printed err..emerg messages on my tty, and not on others.
The relevant portion of the code is here:
#if HAVE_MODERN_UTMP
  if (ut->ut_type == USER_PROCESS &&
      ((self->username->len == 1 &&
        self->username->str[0] == '*') ||
       (self->username->len <= sizeof(ut->ut_user) &&
        memcmp(self->username->str, ut->ut_user,
               self->username->len) == 0)))
#else
  if ((self->username->len == 1 &&
       self->username->str[0] == '*') ||
      (self->username->len <= sizeof(ut->ut_name) &&
       memcmp(self->username->str, ut->ut_name, self->username->len) == 0))
#endif
I don't see how this condition could match for everyone. Even if the
wtmp format is different and ut->ut_name would contain a bogus value,
the expected breakage would be to not display anywhere, not to display
everywhere.
--
Bazsi
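The username condition from the excerpt, lifted into a stand-alone function as an added example (not syslog-ng's own code) and evaluated against constructed utmpx records. One thing worth seeing in it: the memcmp compares only username->len bytes of ut_user, so it is a prefix match and usertty("test") also selects a logged-in "tester"; usertty_matches_exact is my stricter alternative, not something syslog-ng does, and count_matching_ttys walks the live utmpx database the way the daemon does.

```c
/* Added example, not syslog-ng code: the username test from the excerpt,
 * as a stand-alone function checked against constructed utmpx records.
 * The memcmp compares only strlen(username) bytes of ut_user, i.e. a
 * prefix: usertty("test") also selects a logged-in "tester". */
#include <string.h>
#include <utmpx.h>

/* The HAVE_MODERN_UTMP condition from the excerpt, for one utmpx record. */
int usertty_matches(const char *username, const struct utmpx *ut)
{
    size_t len = strlen(username);
    if (ut->ut_type != USER_PROCESS)
        return 0;
    return (len == 1 && username[0] == '*') ||      /* "*": every logged-in user */
           (len <= sizeof(ut->ut_user) && memcmp(username, ut->ut_user, len) == 0);
}

/* Stricter variant (my suggestion, not syslog-ng's): whole-name equality. */
int usertty_matches_exact(const char *username, const struct utmpx *ut)
{
    size_t len = strlen(username);
    return usertty_matches(username, ut) &&
           ((len == 1 && username[0] == '*') ||
            len == sizeof(ut->ut_user) || ut->ut_user[len] == '\0');
}

/* Evaluate username against a constructed login record (no real utmp). */
int usertty_check(const char *username, const char *logged_in, int exact)
{
    struct utmpx ut;
    size_t n = strlen(logged_in);
    memset(&ut, 0, sizeof(ut));
    ut.ut_type = USER_PROCESS;
    if (n > sizeof(ut.ut_user))
        n = sizeof(ut.ut_user);
    memcpy(ut.ut_user, logged_in, n);   /* no NUL when the field is full, as in utmp */
    return exact ? usertty_matches_exact(username, &ut)
                 : usertty_matches(username, &ut);
}

/* Count the ttys usertty(username) would write to on this host (live utmpx walk). */
int count_matching_ttys(const char *username)
{
    struct utmpx *ut;
    int n = 0;
    setutxent();
    while ((ut = getutxent()) != NULL)
        n += usertty_matches(username, ut);
    endutxent();
    return n;
}
```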
------------------------------
_______________________________________________
syslog-ng maillist - syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
End of syslog-ng Digest, Vol 39, Issue 20
*****************************************