[syslog-ng] syslog-ng and "program" function (was: RE: Trouble with logging to mysql)

Stallmann, Andreas AStallmann at CONET.DE
Thu Sep 18 16:45:09 CEST 2008


Hi!

> 1. your full configuration; you can mask proprietary information
For the full config, have a look at the end of this message.

> 2. a capture of the network traffic which proves that the logs
>  arrive to your host
Network traffic is definitely arriving at my host, because *this*
works:

##############################################################
source net {
	udp(ip("0.0.0.0") port(514));
};
destination netlog {
        file("/var/log/netlog/net.log"
        template("[$YEAR/$MONTH/$DAY $HOUR:$MIN:$SEC] '$HOST' '$PRIORITY' $MESSAGE\n"));
};
log { source(net); destination(netlog); };
##############################################################

The file /var/log/netlog/net.log is written and has the following
content:

[2008/09/18 16:24:44] '192.168.xx.xx' 'info' %ASA-6-302013: Built outbound TCP connection 1296007 for proxy:192.168.xx.xx/8080 (192.168.xx.xx/8080) to inside:192.168.xx.xx/39564 (192.168.xx.xx.1/39564)
[2008/09/18 16:24:44] '192.168.xx.xx' 'info' %ASA-6-302014: Teardown TCP connection 1296007 for proxy:192.168.xxx.xxx/8080 to inside:192.168.xxx.xxx/39564 duration 0:00:00 bytes 1343 TCP FINs
etc.

> 3. a strace output of the syslog-ng daemon which proves that it
>  did receive the packets

Ahem... how many lines of output from strace would you like to see? :-)
I have over 2000 in less than a minute... :-)

I think you're looking for something like the following:

recvfrom(3, "<166>%ASA-6-302016: Teardown UDP"..., 2048, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.168.xx.xx")}, [16]) = 125

I can also see my logfile being opened:

open("/var/log/netlog/net.log",
O_WRONLY|O_NONBLOCK|O_APPEND|O_CREAT|O_NOCTTY|O_LARGEFILE, 0644) = 6
chown32("/var/log/netlog/net.log", 0, 0) = 0
chmod("/var/log/netlog/net.log", 0644)  = 0

No hints of any mysql activity, though.

> 4. the resources your syslog-ng daemon is actually using, like
>  `ls -l /proc/[PID]/fd`, netstat output, etc.

srv-kon-log:/var/log # ls -l /proc/26666/fd/*
lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/0 -> /dev/null
lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/1 -> /dev/null
lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/2 -> /dev/null
lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/3 -> socket:[15236977]
l-wx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/4 -> /var/log/messages
lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/5 -> socket:[15236978]
l-wx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/6 -> /var/log/netlog/net.log
l-wx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/7 -> /var/log/warn
lrwx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/8 -> /dev/xconsole
l-wx------ 1 root root 64 Sep 18 16:27 /proc/26666/fd/9 -> /dev/tty10

srv-kon-log:/var/log # netstat -an | grep 514
udp        0      0 0.0.0.0:514             0.0.0.0:*

And now for the full config. Here it comes:

#############################################################################
options { 
	long_hostnames(off); 
	sync(1); 
        log_fifo_size(16384);
        time_reopen(10);
        dns_cache(yes);
	perm(0644); 
	stats(43200); 
	use_fqdn(yes);
	use_dns(yes);
	chain_hostnames(no);
	keep_hostname(yes);
	};

source src {
	internal();
	unix-dgram("/dev/log");
};
source net {
	udp(ip("0.0.0.0") port(514));
};
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };
filter f_console    { level(warn) and facility(kern) and not filter(f_iptables); };
filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit)   and facility(news); };
filter f_newserr    { level(err)    and facility(news); };
filter f_news       { facility(news); };
filter f_mailinfo   { level(info)      and facility(mail); };
filter f_mailwarn   { level(warn)      and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };
filter f_cron       { facility(cron); };
filter f_local      { facility(local0, local1, local2, local3,
filter f_acpid      { match('^\[acpid\]:'); };
filter f_netmgm     { match('^NetworkManager:'); };
filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };

destination console  { file("/dev/tty10"    group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

destination newscrit   { file("/var/log/news/news.crit"); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr    { file("/var/log/news/news.err"); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr  { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr);  destination(mailerr); };

destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };

destination acpid { file("/var/log/acpid"); };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };

destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };

destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

destination netlog {
	file("/var/log/netlog/net.log"
	template("[$YEAR/$MONTH/$DAY $HOUR:$MIN:$SEC] '$HOST' '$PRIORITY' $MESSAGE\n"));
};
log { source(net); destination(netlog); };

destination mysql {
	#file("/var/log/mysqltest.log"
	program("/usr/bin/mysql --reconnect -f -T --user=syslogadmin --password=xxxxx syslog >> /var/log/db_log.log 2>&1"
	template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
	template-escape(yes));
};

log { source(net); destination(mysql); };
###############################################################################

By the way, I also tried 

destination mysql {
	program("/usr/bin/mysql -u=syslogadmin -p=xxxxx syslog"
	template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
	template-escape(yes));
};

with the same (=no) effect.

Please let me know if and where I made any mistakes.

Thanks a lot for your help!

Andreas

-- 
CONET Solutions GmbH
Andreas Stallmann, Senior Berater
Theodor-Heuss-Allee 19, 53773 Hennef
Tel.: +49 2242-939-677, Fax: +49 2242-939-393
Internet: http://www.conet.de, mailto: astallmann at conet.de 



-----------------------------------
CONET Solutions GmbH, Theodor-Heuss-Allee 19, 53773 Hennef
Registergericht/Registration Court: Amtsgericht Siegburg (HRB Nr. 9136)
Geschäftsführer/Managing Directors: Dipl.-Inform. Rüdiger Zeyen (Sprecher/Chairman),
Dipl.-Betriebsw. Wilfried Pütz und Dipl.-Inform. Jürgen Zender
Vorsitzender des Aufsichtsrates/Chairman of the Supervisory Board: Dipl.-Math. Hans-Jürgen Niemeier
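A worked example, added here and not part of Andreas's post or of syslog-ng itself, of what the mysql destination above hands to the child process started by program(): the INSERT template rendered from a record, with and without the escaping that template-escape(yes) applies. The escaping rule (a backslash in front of ', " and \) is taken from the syslog-ng documentation and reimplemented here; the record values are constructed, and an in-memory SQLite table stands in for the MySQL "logs" table. Every message arriving on UDP/514 ends up inside that SQL text, so the example also stores the same record through a parameterised query, where the message is never part of the statement at all. The function and column names are the post's; everything else is this example's own.

```python
"""Stand-in for the child process behind a syslog-ng program() destination.

Added example, not code from the mailing-list post. It renders the post's
INSERT template from a constructed record, once with the escaping that
template-escape(yes) applies (a backslash before ', " and \\, as the
syslog-ng documentation describes it) and once without, so the effect on
a message that carries a quote is visible. It then stores the same record
with a parameterised query against an in-memory SQLite table standing in
for the MySQL 'logs' table.
"""
import sqlite3

FIELDS = ("HOST", "FACILITY", "PRIORITY", "LEVEL", "TAG", "DATETIME", "PROGRAM", "MSG")

# Same column list and value order as the template in the post.
INSERT_TEMPLATE = (
    "INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) "
    "VALUES ( '{HOST}', '{FACILITY}', '{PRIORITY}', '{LEVEL}', '{TAG}', "
    "'{DATETIME}', '{PROGRAM}', '{MSG}' );"
)


def template_escape(value: str) -> str:
    """What template-escape(yes) does to each macro: prefix ', " and \\ with a backslash."""
    return "".join("\\" + ch if ch in "'\"\\" else ch for ch in value)


def render_insert(record: dict, escape: bool = True) -> str:
    """Render one INSERT line as program() would write it to the mysql client's stdin."""
    values = {k: (template_escape(record[k]) if escape else record[k]) for k in FIELDS}
    return INSERT_TEMPLATE.format(**values)


def count_unescaped_quotes(sql: str) -> int:
    """Count single quotes MySQL would treat as string delimiters (backslash escapes skipped)."""
    n, i = 0, 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 2          # the escaped character is literal, whatever it is
            continue
        if sql[i] == "'":
            n += 1
        i += 1
    return n


def hostile_record() -> dict:
    """Constructed record; the message is text that any host able to reach UDP/514 could send."""
    return {
        "HOST": "192.168.0.10", "FACILITY": "local4", "PRIORITY": "info", "LEVEL": "info",
        "TAG": "a6", "DATETIME": "2008-09-18 16:24:44", "PROGRAM": "%ASA-6-302014",
        "MSG": "Teardown TCP connection 1296007 for proxy:x'); DROP TABLE logs; --",
    }


def parameterised_roundtrip(record: dict):
    """Insert via placeholders into the SQLite stand-in; return the stored msg if the table survived, else None."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (host TEXT, facility TEXT, priority TEXT, level TEXT, "
                 "tag TEXT, datetime TEXT, program TEXT, msg TEXT)")
    conn.execute("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) "
                 "VALUES (?, ?, ?, ?, ?, ?, ?, ?)", tuple(record[k] for k in FIELDS))
    (still_there,) = conn.execute("SELECT COUNT(*) FROM sqlite_master WHERE name = 'logs'").fetchone()
    (msg,) = conn.execute("SELECT msg FROM logs").fetchone()
    conn.close()
    return msg if still_there == 1 else None


if __name__ == "__main__":
    rec = hostile_record()
    for esc in (True, False):
        line = render_insert(rec, escape=esc)
        print(f"template-escape({'yes' if esc else 'no'}): "
              f"{count_unescaped_quotes(line)} delimiting quotes")
        print("  " + line)
    print("parameterised stored:", parameterised_roundtrip(rec))
```

With escaping on, the rendered line has exactly the 16 delimiting quotes the template itself contains (two per column); with it off, the quote inside the message adds a 17th and the remainder of the message becomes SQL. The escaped form only stays safe as long as the MySQL server honours backslash escapes (the NO_BACKSLASH_ESCAPES sql_mode turns them off), which is why the parameterised insert is the form to prefer when the consumer is anything other than the plain mysql client reading stdin.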


