[syslog-ng] syslog-ng won't log to syslog server
Azizul
azizuldarus at gmail.com
Fri Sep 12 03:24:19 CEST 2008
Thanks for reply. I am a newbie on syslog-ng and quite confuse aboute the
src. I have install it on Freebsd 6.3 and syslog-ng 1.6.12. I really
appriciate that you guys can help me. This is my syslog-ng.conf:
#
# This sample configuration file is essentially equilivent to the stock
# FreeBSD /etc/syslog.conf file.
#
#
# options
#
options { long_hostnames(off); sync(0); };
#
# sources
#
source src { unix-dgram("/var/run/log");
unix-dgram("/var/run/logpriv" perm(0600));
udp(); internal(); file("/dev/klog"); };
#
# destinations
#
#destination local0.info {
#file("/var/log/remote/servers/$HOST/$YEAR/$MONTH/$DAY/pflogd/pflogd.log"
#owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
#);
#};
destination messages { file("/var/log/remote/messages"); };
destination localhost { file("/var/log/remote/syslog-ng.all"); };
destination security { file("/var/log/remote/security"); };
destination authlog { file("/var/log/remote/auth.log"); };
destination maillog { file("/var/log/remote/maillog"); };
destination lpd-errs { file("/var/log/remote/lpd-errs"); };
destination xferlog { file("/var/log/remote/xferlog"); };
destination cron { file("/var/log/remote/cron"); };
destination debuglog { file("/var/log/remote/debug.log"); };
destination consolelog { file("/var/log/remote/console.log"); };
destination all { file("/var/log/remote/all.log"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination slip { file("/var/log/remote/slip.log"); };
destination ppp { file("/var/log/remote/ppp.log"); };
destination console { file("/dev/console"); };
destination allusers { usertty("*"); };
#destination loghost { udp("loghost" port(514)); };
#destination local0 { file("/var/log/remote/pflog.txt"); };
destination local0 { file("/var/log/remote/local0.log"); };
#destination local1 { file("/var/log/remote/alert"); };
destination local1 { file("/var/log/remote/local1.log"); };
#log {
# source(tcp); source(internal); source(udp); source(unix);
# source(s_tcp); source(s_internal); source(s_udp); source(s_unix);
# filter(f_local0); filter(f_local1);
# destination(df_local1);
# };
#
# log facility filters
#
filter f_auth { facility(auth); };
filter f_authpriv { facility(authpriv); };
filter f_not_authpriv { not facility(authpriv); };
filter f_console { facility(console); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_ftp { facility(ftp); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_security { facility(security); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
#filter f_local0 { facility(local0); };
#filter f_local00 { facility(local0); };
#filter f_local1 { facility(local1); };
#filter f_local01 { facility(local1) or facility(local1); };
filter f_local2 { facility(local2); };
filter f_local3 { facility(local3); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };
#
# log level filters
#
filter f_emerg { level(emerg); };
filter f_alert { level(alert..emerg); };
filter f_crit { level(crit..emerg); };
filter f_err { level(err..emerg); };
filter f_warning { level(warning..emerg); };
filter f_notice { level(notice..emerg); };
filter f_info { level(info..emerg); };
filter f_debug { level(debug..emerg); };
filter f_is_debug { level(debug); };
#
# program filters
#
filter f_ppp { program("ppp"); };
filter f_slip { program("startslip"); };
#
# *.err;kern.warning;auth.notice;mail.crit /dev/console
#
log { source(src); filter(f_err); destination(console); };
log { source(src); filter(f_kern); filter(f_warning); destination(console);
};
log { source(src); filter(f_auth); filter(f_notice); destination(console);
};
log { source(src); filter(f_mail); filter(f_crit); destination(console); };
#
# *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err
/var/log/messages
#
log { source(src); filter(f_notice); filter(f_not_authpriv);
destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages);
};
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
log { source(src); filter(f_news); filter(f_err); destination(messages); };
#
# security.* /var/log/security
#
log { source(src); filter(f_security); destination(security); };
#
# auth.info;authpriv.info /var/log/auth.log
log { source(src); filter(f_auth); filter(f_info); destination(authlog); };
log { source(src); filter(f_authpriv); filter(f_info); destination(authlog);
};
#
# mail.info /var/log/maillog
#
log { source(src); filter(f_mail); filter(f_info); destination(maillog); };
#
# lpr.info /var/log/lpd-errs
#
log { source(src); filter(f_lpr); filter(f_info); destination(lpd-errs); };
#
# ftp.info /var/log/xferlog
#
log { source(src); filter(f_ftp); filter(f_info); destination(xferlog); };
#
# cron.* /var/log/cron
#
log { source(src); filter(f_cron); destination(cron); };
#
# *.=debug /var/log/debug.log
#
log { source(src); filter(f_is_debug); destination(debuglog); };
#
# *.emerg *
#
log { source(src); filter(f_emerg); destination(allusers); };
#
# uncomment this to log all writes to /dev/console to /var/log/console.log
# console.info /var/log/console.log
#
#log { source(src); filter(f_console); filter(f_info);
destination(consolelog); };
#
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
# *.* /var/log/all.log
#
#log { source(src); destination(all); };
#
# uncomment this to enable logging to a remote loghost named loghost
# *.* @loghost
#
#log { source(src); destination(loghost); };
#
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
#
#log { source(src); filter(f_news); filter(f_crit); destination(newscrit);
};
#log { source(src); filter(f_news); filter(f_err); destination(newserr); };
#log { source(src); filter(f_news); filter(f_notice);
destination(newsnotice); };
#
# !startslip
# *.* /var/log/slip.log
#
log { source(src); filter(f_slip); destination(slip); };
#
# !ppp
# *.* /var/log/ppp.log
#
log { source(src); filter(f_ppp); destination(ppp); };
Thanks...
On Thu, Sep 11, 2008 at 4:16 PM, Geller, Sandor (IT) <
Sandor.Geller at morganstanley.com> wrote:
> Hi,
>
> > I have install syslog-ng on my remote server. I need to
> > centralized my pflog (firewall log) and snort alert to the
> > syslog server. For your info i have successfully log all log
> > except the pflog and snort alert. I have define the snort
> > alert as local0.info and pflog as local1.info. Can you all
> > give me the sample of configuration?
> >1.
> > I have tcpdump for and grep the local1.info and local0.info
> > and its show on console. I'm confuse why the system not write
> > to destination that i specify.
> >
> > Below is some configuration that i do on syslog-ng.conf (destination):
> > destination local0 { file("/var/log/remote/local0.log"); };
> > destination local1 { file("/var/log/remote/local1.log"); };
>
> Do you have log sections which actually use the destinations above?
> Filters, etc.? Without seeing the complete config there is no way to
> correct your config.
>
> Check whether you have something like the following in your config:
>
> filter f_snort {
> facility(local0) and severity(info);
> };
>
> filter f_pflog {
> facility(local1) and severity(info);
> };
>
> ...
>
> log {
> source(s_something);
> filter(f_snort);
> destination(d_local0);
> };
>
> log {
> source(s_something);
> filter(f_pflog);
> destination(d_local1);
> };
>
> Of course there are many ways to achieve this logging. Refer to
> the reference guide and check the sample configs included in the
> source tarball, this might help you understanding how syslog-ng
> works.
>
> Regards,
>
> Sandor
> --------------------------------------------------------
>
> NOTICE: If received in error, please destroy and notify sender. Sender does
> not intend to waive confidentiality or privilege. Use of this email is
> prohibited when received in error.
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
--
MUHAMMAD AZIZUL DARUS
http://www.foodmalaysia.net
http://www.myfelis.com
http://yourubuntulinux.blogspot.com
http://opensource-2u.blogspot.com
http://photograph2u.blogspot.com
http://malaysiataste.blogspot.com
http://jomshopping.blogspot.com
http://jahitan-manik.blogspot.com
http://nissan-maniac.blogspot.com
http://narutoslash.blogspot.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20080912/71cf44a9/attachment-0001.htm
More information about the syslog-ng
mailing list