[syslog-ng] Still not working at the most basic level

lance raymond lance.raymond at gmail.com
Mon Feb 9 19:32:53 CET 2009


Thanks for the update.  I did try that and still not getting anything.  I
did try both tcp and udp and just wondering one other thing (not sure if it
works.)

*1.*
up top it shows the following on the server conf file;
## This will create separate file for each client on central log server and log http messages
destination d_clients { file("/var/log/web.$HOST.log"); };
log { source(s_remote); destination(d_clients); };

then below in the same file shows;
destination send_http_logs { file("/var/log/web.log"); };

So, first I am not sure what exactly this is or should be doing.  If there
are 5 vhosts, according to the top it will have 5 diff log files 1 for each
vhost, yet the lower section shows only one file name.

ps on the server now only shows;
root     32758  0.0  0.0   7368   568 ?        Ss   13:17   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

*2.*
Client side I have;
   unix-stream ("/dev/log");
but (again not sure if this matters), ALL apache logs go to the following
folder;
 /home/mcp/local/apache2/logs
nothing gets written to /dev/logs

ps on the client only shows;
root      5612  0.0  0.0   7236   424 ?        Ss   13:31   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

I have changed both not to run at startup (via chkconfig) but haven't
restarted the boxes as they are in use.  The other odd thing, I stopped
syslog-ng, there was nothing running yet the local logs kept writing to the
local files (didn't think they would if syslog and syslog-ng were stopped).

Thanks again, I will keep trying anything suggested till this thing works!

On Mon, Feb 9, 2009 at 11:44 AM, Fegan, Joe <Joe.Fegan at hp.com> wrote:

>  On the client:
>
> source s_sys {
>    file ("/proc/kmsg" log_prefix("kernel: "));
>    unix-stream ("/dev/log");
>    internal();
> };
>
> and the running process are;
> root      1607  0.0  0.0   6216   904 ?        Ss    2008   0:48 syslogd -m 0
> root     28374  0.0  0.0   7368   564 ?        Ss   11:24   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid
>
> The standard syslogd daemon is running and almost certainly owns the
> /dev/log socket and the kernel output pseudo-file /proc/kmsg. This means
> that syslog-ng (which starts later) will receive nothing from those sources
> and will forward everything it receives (i.e. nothing) to the server.
>
> You need to chkconfig syslogd off (or the equivalent on your distro) to
> stop standard syslogd from running.
>
> Joe.
>
>  ------------------------------
>  *From:* syslog-ng-bounces at lists.balabit.hu [mailto:
> syslog-ng-bounces at lists.balabit.hu] *On Behalf Of *lance raymond
> *Sent:* 09 February 2009 16:34
> *To:* Syslog-ng users' and developers' mailing list
> *Subject:* [syslog-ng] Still not working at the most basic level
>
> ok, so can anyone say how to troubleshoot the most basic scenario to
> start.  1 server, 1 client, have client write logs to server?  I will show
> both config files, please note I have tried both UDP and TCP and neither
> work.  I did notice doing an lsof |grep syslog that the port does change
> from udp to tcp so I know it's reading the config file, I just don't know
> how to turn on some debugging or another way to trace the log as it's still
> being written to the client.
>
> ok, so *server config is;*
> #source s_remote  { udp(); };
> source s_remote  { tcp(); };
> ## This will create separate file for each client on central log server and log http messages
> destination d_clients { file("/var/log/web.$HOST.log"); };
> log { source(s_remote); destination(d_clients); };
> #################################################################
>
> options {
> sync (0);
> time_reopen (10);
> log_fifo_size (1000);
> long_hostnames (off);
> use_dns (no);
> use_fqdn (no);
> create_dirs (no);
> keep_hostname (yes);
> };
>
> source s_sys {
> file ("/proc/kmsg" log_prefix("kernel: "));
> unix-stream ("/dev/log");
> internal();
> #udp(ip(0.0.0.0) port(514));
> };
>
> ## This will log local http messages to defined file
>
> destination send_http_logs { file("/var/log/web.log"); };
>
> filter send_http_logs {
> program("httpd.*");
> };
>
> log {
> source(s_sys);
> filter(send_http_logs);
> destination(send_http_logs);
> };
>
> and the server shows the following running process;
> root     30945  0.0  0.0   7240   636 ?        Ss   11:24   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid
>
> *Client side:*
>
> options {
>            sync (0);
>          time_reopen (10);
>
>           log_fifo_size (1000);
>           long_hostnames(on);
>           use_dns(yes);
>           dns_cache(yes);
>           use_fqdn(no);
>           create_dirs (yes);
>           keep_hostname (yes);
>           perm(0640);
>           dir_perm(0750);
>
> };
>
> source s_sys {
>    file ("/proc/kmsg" log_prefix("kernel: "));
>    unix-stream ("/dev/log");
>    internal();
> };
> #destination send_http_logs { udp("192.168.2.54" port(514)); };
> destination send_http_logs { tcp("192.168.2.54" port(514)); };
>
>
> filter send_http_logs {
> program("httpd.*");
> };
>
> log {
> source(s_sys);
> filter(send_http_logs);
> destination(send_http_logs);
> };
>
> and the running process are;
> root      1607  0.0  0.0   6216   904 ?        Ss    2008   0:48 syslogd -m 0
> root     28374  0.0  0.0   7368   564 ?        Ss   11:24   0:00 /sbin/syslog-ng -p /var/run/syslogd.pid
>
> Not sure if the client is supposed to have 2 processes or not, but any help
> is really appreciated.
>
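Added example (not part of the original thread and not syslog-ng code): a small Python tracer that resolves each `log { }` statement in the server configuration quoted above to its source, filter and destination, which shows that the two `file()` destinations belong to two independent log paths. The function name `trace_log_paths` and the simplified parsing (no `#` inside strings, no nested braces) are assumptions of this example.

```python
import re

# Server configuration as quoted in the thread (wrapped comment rejoined,
# options block omitted because it does not affect routing).
SERVER_CONF = r'''
source s_remote  { tcp(); };
## This will create separate file for each client on central log server
destination d_clients { file("/var/log/web.$HOST.log"); };
log { source(s_remote); destination(d_clients); };

source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
    #udp(ip(0.0.0.0) port(514));
};
destination send_http_logs { file("/var/log/web.log"); };
filter send_http_logs { program("httpd.*"); };
log { source(s_sys); filter(send_http_logs); destination(send_http_logs); };
'''

# "<keyword> [name] { body };" -- assumes bodies contain no braces.
BLOCK = re.compile(r'(\w+)\s*([\w-]*)\s*\{(.*?)\}\s*;', re.S)
# References inside a log statement, e.g. source(s_sys);
REF = re.compile(r'(source|filter|destination)\s*\(\s*([\w-]+)\s*\)')

def trace_log_paths(conf):
    """Return one dict per log{} statement with its references resolved."""
    conf = re.sub(r'#[^\n]*', '', conf)   # drop comments (assumes no '#' in strings)
    defs = {"source": {}, "filter": {}, "destination": {}}
    log_bodies = []
    for kind, name, body in BLOCK.findall(conf):
        if kind in defs:
            defs[kind][name] = " ".join(body.split())   # normalise whitespace
        elif kind == "log":
            log_bodies.append(body)
    paths = []
    for body in log_bodies:
        path = {"source": [], "filter": [], "destination": []}
        for kind, name in REF.findall(body):
            path[kind].append((name, defs[kind].get(name, "<undefined>")))
        paths.append(path)
    return paths

if __name__ == "__main__":
    for i, path in enumerate(trace_log_paths(SERVER_CONF), 1):
        print(f"log path {i}:")
        for kind in ("source", "filter", "destination"):
            for name, body in path[kind]:
                print(f"  {kind:<11} {name:<15} {body}")
```

Run against the quoted server config, it reports one unfiltered path from the `tcp()` listener into `web.$HOST.log` and a second path from the local sources, through the `httpd.*` program filter, into `web.log`.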