[syslog-ng] syslog-ng won't log to syslog server
Azizul
azizuldarus at gmail.com
Sun Sep 14 02:00:01 CEST 2008
Hi,
I have tried your configuration. I'm very happy, it succeeded and my
syslog-ng is running like a charm. You are very helpful. Right now, I can sleep
well.
Thank you very much.
On Fri, Sep 12, 2008 at 5:10 PM, Geller, Sandor (IT) <Sandor.Geller at morganstanley.com> wrote:
> Hi,
>
> > #
> > # This sample configuration file is essentially equivalent to the stock
> > # FreeBSD /etc/syslog.conf file.
> > #
> >
> > #
> > # options
> > #
> > options { long_hostnames(off); sync(0); };
> >
> > #
> > # sources
> > #
> > source src { unix-dgram("/var/run/log");
> > unix-dgram("/var/run/logpriv" perm(0600));
> > udp(); internal(); file("/dev/klog"); };
>
> You have a single source definition having multiple sources. As
> syslog-ng can't differentiate between these sources later, all
> logs arriving from any of the sources above would give a match.
> So I'd recommend moving at least the udp() source to a separate
> source definition, like
>
> source src {
> unix-dgram("/var/run/log");
> unix-dgram("/var/run/logpriv" perm(0600));
> internal();
> file("/dev/klog");
> };
>
> source s_remote {
> udp();
> tcp();
> };
>
> And use these sources in the log sections. This way syslog-ng can
> distinguish between the locally- and the remotely-generated logs.
>
> > #
> > # destinations
> > #
> > #destination local0.info {
> > #file("/var/log/remote/servers/$HOST/$YEAR/$MONTH/$DAY/pflogd/pflogd.log"
> > #owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
> > #);
> > #};
> >
> >
> > destination messages { file("/var/log/remote/messages"); };
> > destination localhost { file("/var/log/remote/syslog-ng.all"); };
> > destination security { file("/var/log/remote/security"); };
> > destination authlog { file("/var/log/remote/auth.log"); };
> > destination maillog { file("/var/log/remote/maillog"); };
> > destination lpd-errs { file("/var/log/remote/lpd-errs"); };
> > destination xferlog { file("/var/log/remote/xferlog"); };
> > destination cron { file("/var/log/remote/cron"); };
> > destination debuglog { file("/var/log/remote/debug.log"); };
> > destination consolelog { file("/var/log/remote/console.log"); };
> > destination all { file("/var/log/remote/all.log"); };
> > destination newscrit { file("/var/log/news/news.crit"); };
> > destination newserr { file("/var/log/news/news.err"); };
> > destination newsnotice { file("/var/log/news/news.notice"); };
> > destination slip { file("/var/log/remote/slip.log"); };
> > destination ppp { file("/var/log/remote/ppp.log"); };
> > destination console { file("/dev/console"); };
> > destination allusers { usertty("*"); };
> > #destination loghost { udp("loghost" port(514)); };
> > #destination local0 { file("/var/log/remote/pflog.txt"); };
> > destination local0 { file("/var/log/remote/local0.log"); };
> > #destination local1 { file("/var/log/remote/alert"); };
> > destination local1 { file("/var/log/remote/local1.log"); };
> >
> > #log {
> > # source(tcp); source(internal); source(udp); source(unix);
> > # source(s_tcp); source(s_internal); source(s_udp); source(s_unix);
> > # filter(f_local0); filter(f_local1);
> > # destination(df_local1);
> > # };
>
> In this commented part you have two filters which mutually exclude
> each other. As syslog-ng combines the filters of a log section with a
> logical AND operation, this log section won't work.
>
>
> > #
> > # log facility filters
> > #
> > filter f_auth { facility(auth); };
> > filter f_authpriv { facility(authpriv); };
> > filter f_not_authpriv { not facility(authpriv); };
> > filter f_console { facility(console); };
> > filter f_cron { facility(cron); };
> > filter f_daemon { facility(daemon); };
> > filter f_ftp { facility(ftp); };
> > filter f_kern { facility(kern); };
> > filter f_lpr { facility(lpr); };
> > filter f_mail { facility(mail); };
> > filter f_news { facility(news); };
> > filter f_security { facility(security); };
>
> You should remove security. It's just an alias for auth.
>
> > filter f_user { facility(user); };
> > filter f_uucp { facility(uucp); };
> > #filter f_local0 { facility(local0); };
> > #filter f_local00 { facility(local0); };
> > #filter f_local1 { facility(local1); };
> > #filter f_local01 { facility(local1) or facility(local1); };
> > filter f_local2 { facility(local2); };
> > filter f_local3 { facility(local3); };
> > filter f_local4 { facility(local4); };
> > filter f_local5 { facility(local5); };
> > filter f_local6 { facility(local6); };
> > filter f_local7 { facility(local7); };
> >
> > #
> > # log level filters
> > #
> > filter f_emerg { level(emerg); };
> > filter f_alert { level(alert..emerg); };
> > filter f_crit { level(crit..emerg); };
> > filter f_err { level(err..emerg); };
> > filter f_warning { level(warning..emerg); };
> > filter f_notice { level(notice..emerg); };
> > filter f_info { level(info..emerg); };
> > filter f_debug { level(debug..emerg); };
> > filter f_is_debug { level(debug); };
> >
> > #
> > # program filters
> > #
> > filter f_ppp { program("ppp"); };
> > filter f_slip { program("startslip"); };
>
> Better to use anchors to avoid false matches: program("^ppp$")
>
> > #
> > # *.err;kern.warning;auth.notice;mail.crit /dev/console
> > #
> > log { source(src); filter(f_err); destination(console); };
> > log { source(src); filter(f_kern); filter(f_warning);
> > destination(console); };
> > log { source(src); filter(f_auth); filter(f_notice);
> > destination(console); };
> > log { source(src); filter(f_mail); filter(f_crit);
> > destination(console); };
> >
> > #
> > # *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
> > #
> > log { source(src); filter(f_notice); filter(f_not_authpriv);
> > destination(messages); };
> > log { source(src); filter(f_kern); filter(f_debug);
> > destination(messages); };
> > log { source(src); filter(f_lpr); filter(f_info);
> > destination(messages); };
> > log { source(src); filter(f_mail); filter(f_crit);
> > destination(messages); };
> > log { source(src); filter(f_news); filter(f_err);
> > destination(messages); };
> >
> > #
> > # security.* /var/log/security
> > #
> > log { source(src); filter(f_security); destination(security); };
> >
> > #
> > # auth.info;authpriv.info /var/log/auth.log
> > log { source(src); filter(f_auth); filter(f_info);
> > destination(authlog); };
> > log { source(src); filter(f_authpriv); filter(f_info);
> > destination(authlog); };
> >
> > #
> > # mail.info /var/log/maillog
> > #
> > log { source(src); filter(f_mail); filter(f_info);
> > destination(maillog); };
> >
> > #
> > # lpr.info /var/log/lpd-errs
> > #
> > log { source(src); filter(f_lpr); filter(f_info);
> > destination(lpd-errs); };
> >
> > #
> > # ftp.info /var/log/xferlog
> > #
> > log { source(src); filter(f_ftp); filter(f_info);
> > destination(xferlog); };
> >
> > #
> > # cron.* /var/log/cron
> > #
> > log { source(src); filter(f_cron); destination(cron); };
> >
> > #
> > # *.=debug /var/log/debug.log
> > #
> > log { source(src); filter(f_is_debug); destination(debuglog); };
> >
> > #
> > # *.emerg *
> > #
> > log { source(src); filter(f_emerg); destination(allusers); };
> >
> > #
> > # uncomment this to log all writes to /dev/console to /var/log/console.log
> > # console.info /var/log/console.log
> > #
> > #log { source(src); filter(f_console); filter(f_info);
> > destination(consolelog); };
> >
> > #
> > # uncomment this to enable logging of all log messages to /var/log/all.log
> > # touch /var/log/all.log and chmod it to mode 600 before it will work
> > # *.* /var/log/all.log
> > #
> > #log { source(src); destination(all); };
> >
> > #
> > # uncomment this to enable logging to a remote loghost named loghost
> > # *.* @loghost
> > #
> > #log { source(src); destination(loghost); };
> >
> > #
> > # uncomment these if you're running inn
> > # news.crit /var/log/news/news.crit
> > # news.err /var/log/news/news.err
> > # news.notice /var/log/news/news.notice
> > #
> > #log { source(src); filter(f_news); filter(f_crit);
> > destination(newscrit); };
> > #log { source(src); filter(f_news); filter(f_err);
> > destination(newserr); };
> > #log { source(src); filter(f_news); filter(f_notice);
> > destination(newsnotice); };
> >
> > #
> > # !startslip
> > # *.* /var/log/slip.log
> > #
> > log { source(src); filter(f_slip); destination(slip); };
> >
> > #
> > # !ppp
> > # *.* /var/log/ppp.log
> > #
> > log { source(src); filter(f_ppp); destination(ppp); };
>
> As you're not logging local0 or local1, the config needs to be
> extended. First uncomment the f_local0 and f_local1 filters
> above, and add something like this to your config:
>
> # local0.info
>
> log {
> source(src);
> filter(f_local0);
> filter(f_info);
> destination(local0);
> };
>
> # local1.info
>
> log {
> source(src);
> filter(f_local1);
> filter(f_info);
> destination(local1);
> };
>
> Before making any changes I'd think about whether I need to separate
> the local and remote logs, and if so, I'd update the log{}
> sections to refer to the appropriate source definition.
>
> Regards,
>
> Sandor
--
MUHAMMAD AZIZUL DARUS
http://www.foodmalaysia.net
http://www.myfelis.com
http://yourubuntulinux.blogspot.com
http://opensource-2u.blogspot.com
http://photograph2u.blogspot.com
http://malaysiataste.blogspot.com
http://jomshopping.blogspot.com
http://jahitan-manik.blogspot.com
http://nissan-maniac.blogspot.com
http://narutoslash.blogspot.com/
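As an added illustration of the three points Sandor makes in the quoted reply (filters inside one log statement are AND'ed, so f_local0 together with f_local1 matches nothing; program() is an unanchored regexp, so "ppp" also matches "pppd"; and a separate s_remote source lets a log path select remote traffic), here is a small Python model of syslog-ng routing. It is not code from the thread or from syslog-ng itself; source and filter names follow the quoted config, and the sample log lines are constructed.

```python
import re

# Facility/severity codes from syslog.h (BSD syslog). "security" is an alias
# for "auth" (code 4), which is why the reply says to drop f_security.
FACILITIES = {n: i for i, n in enumerate(
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
     "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
     "clock"] + ["local%d" % i for i in range(8)])}
FACILITIES["security"] = FACILITIES["auth"]
LEVELS = {n: i for i, n in enumerate(
    ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"])}

# <PRI>TIMESTAMP HOST PROGRAM[pid]: text   (BSD syslog format, RFC 3164)
SYSLOG_RE = re.compile(r"^<(\d{1,3})>\S+ +\d+ \S+ (\S+) ([^\[:\s]+)")

def parse(source, line):
    """Tag a message with the syslog-ng source it arrived on and decode PRI."""
    pri, host, prog = SYSLOG_RE.match(line).groups()
    return {"source": source, "facility": int(pri) >> 3,
            "level": int(pri) & 7, "host": host, "program": prog}

def facility(name):                      # filter f_x { facility(x); };
    return lambda m: m["facility"] == FACILITIES[name]

def level(spec):                         # filter f_info { level(info..emerg); };
    lo, hi = spec.split("..") if ".." in spec else (spec, spec)
    return lambda m: LEVELS[hi] <= m["level"] <= LEVELS[lo]  # emerg=0 is most severe

def program(pattern):                    # program() is an unanchored regexp match
    return lambda m: re.search(pattern, m["program"]) is not None

def log_path(sources, filters):
    """log { source(..); filter(..); ... }: sources are OR'ed, filters AND'ed."""
    return lambda m: m["source"] in sources and all(f(m) for f in filters)

ALL = {"src", "s_remote"}
PATHS = [  # (destination name, predicate) for each modelled log statement
    ("df_local1_broken", log_path(ALL, [facility("local0"), facility("local1")])),
    ("local0", log_path(ALL, [facility("local0"), level("info..emerg")])),
    ("local1", log_path(ALL, [facility("local1"), level("info..emerg")])),
    ("ppp_loose", log_path(ALL, [program("ppp")])),
    ("ppp_anchored", log_path(ALL, [program("^ppp$")])),
    ("remote_auth", log_path({"s_remote"}, [facility("auth"), level("info..emerg")])),
]

def route(msg):
    """Return the destination names a message would be written to."""
    return [dest for dest, matches in PATHS if matches(msg)]

# Constructed sample traffic: PRI 134 = local0.info, 142 = local1.info, 38 = auth.info
SAMPLE = [
    parse("src", "<134>Sep 12 17:10:00 fw1 pflogd[311]: constructed local0.info line"),
    parse("s_remote", "<142>Sep 12 17:10:01 app1 pppd[88]: constructed local1.info line"),
    parse("s_remote", "<38>Sep 12 17:10:02 app1 ppp[90]: constructed auth.info line"),
]
```

Running `route()` over the samples shows that the "broken" path never fires, the pppd line leaks into the loosely matched ppp destination, and only messages tagged s_remote reach remote_auth.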