[syslog-ng] Syslog-ng beginners guide
Cosmin Neagu
cosmin.neagu at omnilogic.ro
Wed Jul 1 14:15:13 CEST 2009
Hello again,
Things are evolving a little bit.
Now the syslog-ng conf is configured like this:
source s_router_udp { udp (); };
destination d_mysql {
    pipe("/tmp/mysql.pipe"
        template("INSERT INTO syslog_incoming (facility, priority, date, time, host, message, seq) VALUES ( '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$HOST', '$MSG', '$SEQ' );\n")
        template-escape(yes));
};
log { source (s_router_udp); destination (d_mysql); };
log { source (s_sys); destination(d_mysql); };
The second log statement is working, because I can see entries in the
syslog_incoming tables, and I also see the log in Cacti:
mysql> select * from syslog_incoming;
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
| facility | priority | date       | time     | host          | message                                                          | seq | status |
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
| syslog   | info     | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: Termination requested via signal, terminating; |  22 |      0 |
| syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: syslog-ng shutting down; version='2.0.10'      |  23 |      0 |
| syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[21587]: syslog-ng starting up; version='2.0.10'        |  24 |      0 |
| authpriv | info     | 2009-07-01 | 11:56:06 | monitorizare1 | sshd[21567]: Connection closed by 127.0.0.1                      |  21 |      0 |
+----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
4 rows in set (0.00 sec)
But I don't know what the problem is with the first log statement or
how to fix it. Can anyone help a little? Maybe with some documentation,
or maybe someone has encountered a similar problem?
PS: Something else that I noticed, and I don't know what it means.
One of the syslog-ng messages is like this:
syslog-ng[20083]: Log statistics; *dropped='pipe(/tmp/mysql.pipe)=0*',
processed='center(queued)=30', processed='center(received)=15',
processed='destination(d_boot)=0', processed='destination(d_auth)=4',
processed='destination(d_cron)=9', processed='destination(d_mysql)=15',
processed='destination(d_mlal)=0', processed='destination(d_mesg)=2',
processed='destination(d_cons)=0', processed='destination(d_spol)=0',
processed='destination(d_mail)=0', processed='source(s_sys)=15',
processed='source(s_router_udp)=0'
What could be the cause for that "dropped" there? Shouldn't it be processed?
Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
www.omnilogic.ro
Cosmin Neagu wrote:
> Thanks a lot Ulrich, that site contains great documentation, I'm
> starting to understand how syslog-ng works.
> But let me tell you the problem with which I'm stuck right now.
>
> A router is sending syslog messages to a linux box (Fedora) from
> 10.0.0.1. I can see the messages arriving at the server.
> [root@monitorizare1 ~]# tcpdump -v src 10.0.0.1
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> 96 bytes
> 10:09:07.941254 IP (tos 0x0, ttl 255, id 80, offset 0, flags [none],
> proto UDP (17), length 115) 10.0.0.1.65150 > 192.168.53.248.syslog:
> SYSLOG, length: 87
> Facility local7 (23), Severity error (3)
> Msg: 81: *Jul 1 10:09:10.027: %LINK-3-UPDOWN: Interfa[|syslog]
> 10:09:08.760267 IP (tos 0x0, ttl 255, id 81, offset 0, flags [none],
> proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog:
> SYSLOG, length: 110
> Facility local7 (23), Severity info (6)
> Msg: 82: *Jul 1 10:09:10.031: %ENTITY_ALARM-6-INFO: C[|syslog]
> 10:09:09.755868 IP (tos 0x0, ttl 255, id 82, offset 0, flags [none],
> proto UDP (17), length 137) 10.0.0.1.65150 > 192.168.53.248.syslog:
> SYSLOG, length: 109
> Facility local7 (23), Severity notice (5)
>
>
> I have configured syslog-ng.conf like this:
> source s_router_udp {
>     internal();
>     file ("/proc/kmsg" log_prefix("kernel: "));
>     udp (ip(0.0.0.0) port ( 514 ) );
>     #unix-stream ("/dev/log");
> };
> destination d_localfile {
>     file ("/root/testlog");
> };
> log {
>     source (s_router_udp);
>     destination (d_localfile);
> };
>
> The problem is that in /root/testlog I can't see any logs, except those
> generated internally by syslog-ng:
> Jul 1 09:31:36 monitorizare1 syslog-ng[17787]: syslog-ng starting up; version='2.0.10'
> Jul 1 09:32:49 monitorizare1 syslog-ng[17787]: Termination requested via signal, terminating;
> Jul 1 09:32:50 monitorizare1 syslog-ng[17812]: syslog-ng starting up; version='2.0.10'
> Jul 1 09:42:50 monitorizare1 syslog-ng[17812]: Log statistics; processed='center(queued)=6', processed='center(received)=6', processed='destination(d_boot)=0', processed='destination(d_auth)=2', processed='destination(d_cron)=2', processed='destination(d_mlal)=0', processed='destination(d_localfile)=1', processed='destination(d_mesg)=1', processed='destination(d_cons)=0', processed='destination(d_spol)=0', processed='destination(d_mail)=0', processed='source(s_sys)=5', processed='source(s_router_udp)=1'
> Jul 1 09:45:11 monitorizare1 syslog-ng[17812]: Termination requested via signal, terminating;
> Jul 1 09:45:11 monitorizare1 syslog-ng[18840]: syslog-ng starting up; version='2.0.10'
> Jul 1 09:47:43 monitorizare1 syslog-ng[18840]: Termination requested via signal, terminating;
> Jul 1 09:47:43 monitorizare1 syslog-ng[19009]: syslog-ng starting up; version='2.0.10'
>
> I can't find anything in the syslog-ng admin guide about how
> messages received from remote hosts can be inserted into files.
>
> Can anyone help me? I feel that I'm close to a solution.
>
>
>
> Ulrich.Wiemers at t-systems.com wrote:
>> Hi,
>> I was in a similar situation some weeks ago.
>> Admin Guide found at http://www.balabit.com/support/documentation/?product=syslog-ng was of great help to me.
>> And, of course, Google ,-)
>>
>> hth
>>
>> Ulli
>>
>> -----Original Message-----
>> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Cosmin Neagu
>> Sent: Tuesday, 30 June 2009 14:49
>> To: syslog-ng at lists.balabit.hu
>> Subject: [syslog-ng] Syslog-ng beginners guide
>>
>> Hello everybody,
>> Sorry for bothering you with a beginners question.
>> I have a Cacti implementation in my network and I want to integrate it with syslog-ng. I have mostly Cisco routers, all configured to send syslog messages to two Linux boxes (Ubuntu 9.04 and FedoraCore 10) where I have installed syslog-ng.
>>
>> I'm not able to find where the logs are kept, so this drives me crazy.
>> Do you know any site or resource where I can find some beginners guide about using syslog-ng with Cisco routers? I mean, a guide for someone who never used syslog-ng before.
>> Thanks.
>>
>> --
>> Cosmin Neagu
>> NOC Team Leader
>> Str. I. G. Duca nr 36
>> Otopeni, Judetul Ilfov, 075100 Romania
>> Tel: 021 303 3159 / 0732 669 193
>> www.omnilogic.ro
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>
>
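
Added example, not part of the original message and not syslog-ng's own code: a small parser for the "Log statistics;" message quoted above, which reports non-zero "dropped" counters and sources that have processed nothing. It assumes the counter='kind(name)=value' layout seen in the 2.0.10 output in this thread; parse_stats and health_findings are hypothetical names.

```python
import re

# Constructed sample: the statistics message from the e-mail, joined onto one
# line with the e-mail emphasis markers (*) removed.
SAMPLE = (
    "syslog-ng[20083]: Log statistics; dropped='pipe(/tmp/mysql.pipe)=0', "
    "processed='center(queued)=30', processed='center(received)=15', "
    "processed='destination(d_boot)=0', processed='destination(d_auth)=4', "
    "processed='destination(d_cron)=9', processed='destination(d_mysql)=15', "
    "processed='destination(d_mlal)=0', processed='destination(d_mesg)=2', "
    "processed='destination(d_cons)=0', processed='destination(d_spol)=0', "
    "processed='destination(d_mail)=0', processed='source(s_sys)=15', "
    "processed='source(s_router_udp)=0'"
)

# Assumed layout: counter='kind(name)=value', e.g. processed='source(s_sys)=15'
COUNTER = re.compile(r"(\w+)='(\w+)\((.*?)\)=(\d+)'")


def parse_stats(line):
    """Return {(counter, kind, name): value} for one 'Log statistics;' message."""
    marker = "Log statistics;"
    if marker not in line:
        raise ValueError("not a syslog-ng statistics message")
    body = line.split(marker, 1)[1]
    return {(c, k, n): int(v) for c, k, n, v in COUNTER.findall(body)}


def health_findings(stats):
    """List counters that point at lost or missing log data."""
    findings = []
    for (counter, kind, name), value in sorted(stats.items()):
        if counter == "dropped" and value > 0:
            # Messages were discarded on the way to this destination.
            findings.append(f"{kind}({name}) dropped {value} messages")
        elif counter == "processed" and kind == "source" and value == 0:
            # A configured source that has delivered nothing at all.
            findings.append(f"source({name}) processed 0 messages")
    return findings


if __name__ == "__main__":
    for finding in health_findings(parse_stats(SAMPLE)):
        print(finding)
```

On the sample line the dropped counter for the pipe is 0, so the only finding is the UDP source with a zero processed counter.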