[syslog-ng] Still not working at the most basic level

Fegan, Joe Joe.Fegan at hp.com
Mon Feb 9 17:44:35 CET 2009


On the client:

source s_sys {
   file ("/proc/kmsg" log_prefix("kernel: "));
   unix-stream ("/dev/log");
   internal();
};

and the running processes are:
root      1607  0.0  0.0   6216   904 ?        Ss    2008   0:48 syslogd -m 0
root     28374  0.0  0.0   7368   564 ?        Ss   11:24   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

The standard syslogd daemon is running and almost certainly owns the /dev/log socket and the kernel output pseudo-file /proc/kmsg. This means that syslog-ng (which starts later) will receive nothing from those sources and will forward everything it receives (i.e. nothing) to the server.

You need to chkconfig syslogd off (or the equivalent on your distro) to stop standard syslogd from running.

Joe.

________________________________
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of lance raymond
Sent: 09 February 2009 16:34
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] Still not working at the most basic level

ok, so can anyone say how to troubleshoot the most basic scenario to start: 1 server, 1 client, have the client write logs to the server? I will show both config files; please note I have tried both UDP and TCP and neither works. I did notice doing an lsof | grep syslog that the port does change from udp to tcp, so I know it's reading the config file. I just don't know how to turn on some debugging or another way to trace the log as it's still being written to the client.

ok, so the server config is:
#source s_remote  { udp(); };
source s_remote  { tcp(); };
## This will create a separate file for each client on the central log server and log http messages
destination d_clients { file("/var/log/web.$HOST.log"); };
log { source(s_remote); destination(d_clients); };
#################################################################

options {
sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};

source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
#udp(ip(0.0.0.0) port(514));
};

## This will log local http messages to defined file

destination send_http_logs { file("/var/log/web.log"); };

filter send_http_logs {
program("httpd.*");
};

log {
source(s_sys);
filter(send_http_logs);
destination(send_http_logs);
};

and the server shows the following running process:
root     30945  0.0  0.0   7240   636 ?        Ss   11:24   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

Client side:

options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (on);
    use_dns (yes);
    dns_cache (yes);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (yes);
    perm (0640);
    dir_perm (0750);
};

source s_sys {
   file ("/proc/kmsg" log_prefix("kernel: "));
   unix-stream ("/dev/log");
   internal();
};
#destination send_http_logs { udp("192.168.2.54" port(514)); };
destination send_http_logs { tcp("192.168.2.54" port(514)); };


filter send_http_logs {
program("httpd.*");
};

log {
source(s_sys);
filter(send_http_logs);
destination(send_http_logs);
};

and the running processes are:
root      1607  0.0  0.0   6216   904 ?        Ss    2008   0:48 syslogd -m 0
root     28374  0.0  0.0   7368   564 ?        Ss   11:24   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

Not sure if the client is supposed to have 2 processes or not, but any help is really appreciated.
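As an added diagnostic to go with Joe's explanation (my own script, not from the thread or the syslog-ng project): it flags when more than one syslog daemon is running, using constructed samples modelled on the ps output quoted above, and with --live it also lists which PIDs actually hold /proc/kmsg and the /dev/log socket open. Running with --live assumes a Linux /proc and root privileges to read other processes' fd links.

```shell
#!/bin/sh
# Added example: a unix-stream("/dev/log") source only receives messages when
# syslog-ng is the process that bound that socket; a legacy syslogd started
# earlier keeps it (and /proc/kmsg) for itself.

# Constructed samples mirroring the "ps" lines quoted in the thread.
SAMPLE_CLIENT='root      1607  0.0  0.0   6216   904 ?        Ss    2008   0:48 syslogd -m 0
root     28374  0.0  0.0   7368   564 ?        Ss   11:24   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid'
SAMPLE_SERVER='root     30945  0.0  0.0   7240   636 ?        Ss   11:24   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid'

# Print each distinct syslog daemon named in "ps aux"-style text given as $1
# (the command is field 11; any leading path such as /sbin/ is stripped).
syslog_daemons() {
    printf '%s\n' "$1" | awk '{ cmd = $11; sub(/.*\//, "", cmd)
        if (cmd ~ /^(syslogd|rsyslogd|syslog-ng)$/) print cmd }' | sort -u
}

# Succeed (0) when at most one syslog daemon runs; fail (1) on a conflict.
check_conflict() {
    [ $(( $(syslog_daemons "$1" | wc -l) )) -le 1 ]
}

# Live check: PIDs holding /proc/kmsg or the /dev/log socket open.
# /proc/net/unix maps the socket path to its inode; fd links show "socket:[inode]".
socket_owners() {
    inode=$(awk '$NF == "/dev/log" { print $(NF-1) }' /proc/net/unix 2>/dev/null)
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            /proc/kmsg|"socket:[$inode]")
                pid=${fd#/proc/}; pid=${pid%%/*}
                printf '%s %s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")" "$target" ;;
        esac
    done | sort -u
}

if [ "${1:-}" = "--live" ]; then
    check_conflict "$(ps aux)" || echo "conflict: $(syslog_daemons "$(ps aux)" | tr '\n' ' ')"
    socket_owners
else
    check_conflict "$SAMPLE_CLIENT" || echo "client: conflict between $(syslog_daemons "$SAMPLE_CLIENT" | tr '\n' ' ')"
    check_conflict "$SAMPLE_SERVER" && echo "server: single daemon, ok"
fi
```

On the client sample it reports the syslogd/syslog-ng conflict; if --live shows /dev/log or /proc/kmsg held by a PID other than syslog-ng, the unix-stream and file sources are being starved just as described.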
