[syslog-ng] Syslogd and syslog-ng

Robert Fekete frobert at balabit.com
Thu Dec 10 09:31:30 CET 2009 

Hi,

Try it without using the filter on the logserver, and see if the mail logs are 
processed by syslog-ng, and what do they look like. Maybe it is a parsing issue, 
or something related to the missing timestamp/host you mentioned.

Regards,

Robert

Rocco Scappatura wrote:

> Hello,
> 
> I'm configuring a centralized loghost (SLES 10 SP3) based on syslog-ng,
> for collecting mail log of different clients.
> 
> Several machine which are entitled to log its mail logs on the central
> loghost (Debian), still use old syslogd as logger system.
> 
> I configured one of this to send its mail logs to the loghost putting:
> 
> mail.*  @syslogmi01.local
> 
> in /etc/syslog.conf file and restarted the service. Moreover on the
> loghost I set:
> 
> source mail_gateway_src {
>         udp(ip("0.0.0.0") port(514));
> };
> 
> filter ernesto_mail_f { facility(mail); };
> 
> destination d_ernesto_mail { file("/var/log/ernesto_mail"); };
> 
> log {
> source(mail_gateway_src);
> filter(ernesto_mail_f);
> destination(d_ernesto_mail);
> };
> 
> And restarted it.
> 
> But no file are created and so no log are saved on the loghost. 
> 
> With tcpdump I see the the log comes on the loghost, but syslog doesn't
> want to catch them.
> 
> # tcpdump -vvv host 192.168.252.107 and port 514
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96
> bytes
> 18:04:57.046952 IP (tos 0x0, ttl  64, id 3157, offset 0, flags [DF],
> proto: UDP (17), length: 358) 192.168.252.107.syslog >
> syslogmi01.local.syslog: SYSLOG, length: 330
>         Facility mail (2), Severity info (6)
>         Msg: postfix/smtpd[30946]: NOQUEUE: reject: RCPT from u[|syslog]
> 18:04:57.046962 IP (tos 0x0, ttl  64, id 3158, offset 0, flags [DF],
> proto: UDP (17), length: 360) 192.168.252.107.syslog >
> syslogmi01.local.syslog: SYSLOG, length: 332
> 
> I saw that the logs coming from Debian machine (so using syslogd) miss
> of timestamp and host name that generates host. Could be this a source
> of incompatibility between syslogd and syslog-ng? Or there is something
> that I'm wrong?
> 
> Thanks in advance,
> 
> rocsca
> 
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
> 
>

More information about the syslog-ng mailing list