[syslog-ng] Syslogd and syslog-ng

Rocco Scappatura Rocco.Scappatura at infracom.it
Thu Dec 10 09:52:49 CET 2009


Hello,

> Try it without using the filter on the logserver, and see if the mail
> logs are processed by syslog-ng, and what do they look like. Maybe it is a
> parsing issue, or something related to the missing timestamp/host you
> mentioned.

I have disabled the filter, but nothing interesting happens. I always see
the UDP packets for port 514 arriving from the mail server, but it seems
that they are not treated by the loghost.

I have already turned off the firewall.

Oops.. I have found something in /var/log/messages:

Dec 10 09:42:23 syslogmi01 syslog-ng[13788]: Changing permissions on special file /dev/xconsole
Dec 10 09:42:23 syslogmi01 syslog-ng[13788]: Changing permissions on special file /dev/tty10
Dec 10 09:42:23 syslogmi01 syslog-ng[13788]: Cannot open file /data/tmp-backup/ernesto_mail for writing (Permission denied)

but:

syslogmi01:~ # ls -la /data/
total 8
drwxr-xr-x  3 root root 4096 Dec  2 17:05 .
drwxr-xr-x 21 root root 4096 Dec  2 17:05 ..
drwxr-xr-x  2 root root   80 Dec 10 09:46 tmp-backup

and 

syslogmi01:~ # mount
..
192.168.252.180:/fs_repository_unico_logs_nfs/syslogmi01 on
/data/tmp-backup type nfs (rw,addr=192.168.252.180)
..

Why can't it create the log file?

rocsca

> Rocco Scappatura wrote:
> 
> > Hello,
> >
> > I'm configuring a centralized loghost (SLES 10 SP3) based on syslog-ng,
> > for collecting the mail logs of different clients.
> >
> > Several machines which are entitled to log their mail logs on the central
> > loghost (Debian) still use the old syslogd as their logging system.
> >
> > I configured one of these to send its mail logs to the loghost by putting:
> >
> > mail.*  @syslogmi01.local
> >
> > in the /etc/syslog.conf file and restarting the service. Moreover on the
> > loghost I set:
> >
> > source mail_gateway_src {
> >         udp(ip("0.0.0.0") port(514));
> > };
> >
> > filter ernesto_mail_f { facility(mail); };
> >
> > destination d_ernesto_mail { file("/var/log/ernesto_mail"); };
> >
> > log {
> > source(mail_gateway_src);
> > filter(ernesto_mail_f);
> > destination(d_ernesto_mail);
> > };
> >
> > And restarted it.
> >
> > But no file is created and so no logs are saved on the loghost.
> >
> > With tcpdump I see that the logs arrive on the loghost, but syslog doesn't
> > want to catch them.
> >
> > # tcpdump -vvv host 192.168.252.107 and port 514
> > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> > 18:04:57.046952 IP (tos 0x0, ttl  64, id 3157, offset 0, flags [DF],
> > proto: UDP (17), length: 358) 192.168.252.107.syslog >
> > syslogmi01.local.syslog: SYSLOG, length: 330
> >         Facility mail (2), Severity info (6)
> >         Msg: postfix/smtpd[30946]: NOQUEUE: reject: RCPT from u[|syslog]
> > 18:04:57.046962 IP (tos 0x0, ttl  64, id 3158, offset 0, flags [DF],
> > proto: UDP (17), length: 360) 192.168.252.107.syslog >
> > syslogmi01.local.syslog: SYSLOG, length: 332
> >
> > I saw that the logs coming from the Debian machine (so using syslogd) lack
> > the timestamp and the host name of the generating host. Could this be a
> > source of incompatibility between syslogd and syslog-ng? Or is there
> > something that I'm doing wrong?
> >
> > Thanks in advance,
> >
> > rocsca
> >
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> >
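As an added illustration (not code from this thread or from syslog-ng itself), here is a small Python parser showing how a collector can handle both forms of BSD syslog datagram that come up above: the full `<PRI>Mmm dd hh:mm:ss host tag: message` form, and the bare `<PRI>tag: message` form the tcpdump output shows, where the receiver has to supply the time and attribute the message to the sending address before a `facility(mail)` style filter is applied. The facility/severity tables follow RFC 3164; the sample datagram is constructed from the thread's tcpdump line.

```python
import re
from datetime import datetime

# RFC 3164 facility and severity names; PRI = facility * 8 + severity,
# so the tcpdump line "Facility mail (2), Severity info (6)" means <22>.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The BSD header ("Mmm dd hh:mm:ss hostname") is optional: a sender may emit
# only "<PRI>tag: message", which is what the thread's tcpdump output shows.
DATAGRAM_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    r"(?P<msg>.*)$", re.DOTALL)

def parse_bsd_syslog(datagram, sender_ip, received_at=None):
    """Parse one UDP syslog datagram into a record.

    When the sender omitted the timestamp and hostname, fill them in from the
    receiver's clock and the packet's source address (received_at is a
    preformatted BSD timestamp, defaulting to now), so facility/host filters
    still have something to match on and the origin is not left blank.
    """
    m = DATAGRAM_RE.match(datagram)
    if not m:
        raise ValueError("not a syslog datagram: %r" % datagram)
    facility, severity = divmod(int(m.group("pri")), 8)
    if facility >= len(FACILITIES):
        raise ValueError("invalid PRI in %r" % datagram)
    header_present = m.group("ts") is not None
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "header_present": header_present,
        "timestamp": m.group("ts") if header_present
                     else (received_at or datetime.now().strftime("%b %d %H:%M:%S")),
        "host": m.group("host") if header_present else sender_ip,
        "message": m.group("msg"),
    }

def facility_filter(record, name):
    """Equivalent of the thread's `filter ernesto_mail_f { facility(mail); };`."""
    return record["facility"] == name

if __name__ == "__main__":
    # Constructed sample, modelled on the message seen in the thread's tcpdump.
    rec = parse_bsd_syslog("<22>postfix/smtpd[30946]: NOQUEUE: reject: RCPT from u",
                           "192.168.252.107")
    print(rec, facility_filter(rec, "mail"))
```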