[syslog-ng] Syslog-ng beginners guide

Siem Korteweg Siem.Korteweg at qnh.nl
Wed Jul 1 14:55:35 CEST 2009


Hi,

try to split the sources. The following works for me (TCP instead of UDP)
for OSE 3.0.2. All syslog-ng clients (and the server) have the following sources
and destinations:

source s_internal { internal(); };

destination d_syslogng_log { file("/var/log/syslog-ng.log"); };

source s_local  {
                        unix-dgram("/dev/log");
                        file("/proc/kmsg" program_override("kernel:"));
                };

destination d_remote { tcp("logserver.f.q.d.n" port(514) ) ; };

destination d_local { file("/var/log/messages"); };

log { source( s_internal );     destination( d_remote ); };
log { source( s_internal );     destination( d_syslogng_log ); };
log { source( s_local );        destination( d_remote ); };
log { source( s_local );        destination( d_local ); };

All messages are logged in the local file /var/log/messages or in
/var/log/syslog-ng.log and forwarded to the logserver.
The syslog-ng server has the following additional sources and destinations:

source s_network { tcp (ip("logserver.f.q.d.n") port(514)); };

destination d_network {
        file("/var/log/syslog-ng/hosts/$HOST_FROM/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY"
             create_dirs(yes)
        );
};

log { source( s_network );      destination( d_network ); };

Change tcp to udp and change the fqdn to 0.0.0.0. Check
/var/log/syslog-ng.log for errors during the processing of messages.

regards,

Siem Korteweg
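The following Python is an added example, not from this thread or from syslog-ng itself. It parses a "Log statistics" line of the form Cosmin quotes (the sample inside the block is constructed from his message) and flags a source that processed nothing or a destination that dropped messages; in this thread it is exactly that counter, processed='source(s_router_udp)=0' while tcpdump shows the router's packets arriving, that locates the problem, and watching these counters is a cheap way to notice a collector that is silently losing logs.

```python
import re

# Constructed sample, modelled on the "Log statistics" line quoted in this thread.
STATS_LINE = (
    "Jul  1 09:42:50 monitorizare1 syslog-ng[17812]: Log statistics; "
    "dropped='pipe(/tmp/mysql.pipe)=0', processed='center(queued)=30', "
    "processed='center(received)=15', processed='destination(d_mysql)=15', "
    "processed='source(s_sys)=15', processed='source(s_router_udp)=0'"
)

# One counter looks like:  kind='type(name)=value'
COUNTER_RE = re.compile(r"(\w+)='(\w+)\(([^)]*)\)=(\d+)'")


def parse_stats(line):
    """Return {(kind, type, name): value} for one syslog-ng 'Log statistics' line."""
    if "Log statistics;" not in line:
        raise ValueError("not a syslog-ng statistics line")
    _, _, body = line.partition("Log statistics;")
    return {(k, t, n): int(v) for k, t, n, v in COUNTER_RE.findall(body)}


def find_problems(counters):
    """Flag sources that delivered nothing, destinations that dropped messages,
    and a center(received) total that does not match the per-source counts."""
    problems = []
    per_source = 0
    for (kind, typ, name), value in sorted(counters.items()):
        if kind == "processed" and typ == "source":
            per_source += value
            if value == 0:
                problems.append(f"source {name} processed 0 messages: nothing reached syslog-ng on it")
        elif kind == "dropped" and value > 0:
            problems.append(f"{typ}({name}) dropped {value} messages")
    received = counters.get(("processed", "center", "received"))
    if received is not None and received != per_source:
        problems.append(f"center(received)={received} but sources total {per_source}")
    return problems


if __name__ == "__main__":
    for problem in find_problems(parse_stats(STATS_LINE)):
        print(problem)
```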

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu on behalf of Cosmin Neagu
Sent: Wed 1-7-2009 14:25
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng beginners guide
 
Yes, that was the first thing I checked; even now I have checked it 
again, and the logs are still coming to the Linux box where syslog is 
installed.

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 
96 bytes
15:23:16.916213 IP (tos 0x0, ttl 255, id 125, offset 0, flags [none], 
proto UDP (17), length 173) 10.0.0.1.65150 > 192.168.53.248.syslog: 
SYSLOG, length: 145
        Facility local7 (23), Severity notice (5)
        Msg: 126: *Jul  1 15:23:18.030: %OSPF-5-ADJCHG: Proces[|syslog]
15:23:16.918286 IP (tos 0x0, ttl 255, id 126, offset 0, flags [none], 
proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog: 
SYSLOG, length: 110
        Facility local7 (23), Severity notice (5)
        Msg: 127: *Jul  1 15:23:18.110: %LDP-5-NBRCHG: LDP Nei[|syslog]
15:23:17.876055 IP (tos 0x0, ttl 255, id 127, offset 0, flags [none], 
proto UDP (17), length 136) 10.0.0.1.65150 > 192.168.53.248.syslog: 
SYSLOG, length: 108
        Facility local7 (23), Severity notice (5)
        Msg: 128: *Jul  1 15:23:19.954: %LINK-5-CHANGED: Inter[|syslog]
15:23:18.979640 IP (tos 0x0, ttl 255, id 128, offset 0, flags [none], 
proto UDP (17), length 140) 10.0.0.1.65150 > 192.168.53.248.syslog: 
SYSLOG, length: 112
        Facility local7 (23), Severity info (6)
        Msg: 129: *Jul  1 15:23:19.958: %ENTITY_ALARM-6-INFO: [|syslog]
15:23:19.859450 IP (tos 0x0, ttl 255, id 129, offset 0, flags [none], 
proto UDP (17), length 140) 10.0.0.1.65150 > 192.168.53.248.syslog: 
SYSLOG, length: 112
        Facility local7 (23), Severity notice (5)
        Msg: 130: *Jul  1 15:23:20.954: %LINEPROTO-5-UPDOWN: L[|syslog]

And unfortunately, I'm the only person in the company that knows a 
little bit of Linux, so I don't have anybody to ask...

Ulrich.Wiemers at t-systems.com wrote:
> Hi,
> I don't see anything in your config...
> Are you sure your syslog messages are sent to the UDP port syslog-ng 
> is listing at (normally: 514)?
> Did you prove this with one of snoop, ethereal, wireshark and the like?
> Just an idea... hth
> Ulli
>
> ------------------------------------------------------------------------
> *From:* syslog-ng-bounces at lists.balabit.hu 
> [mailto:syslog-ng-bounces at lists.balabit.hu] *On behalf of *Cosmin Neagu
> *Sent:* Wednesday, 1 July 2009 14:15
> *To:* Syslog-ng users' and developers' mailing list
> *Subject:* Re: [syslog-ng] Syslog-ng beginners guide
>
> Hello again,
> Things are evolving a little bit.
>
> Now the syslog-ng conf is configured like this:
>
> source s_router_udp { udp (); };
> destination d_mysql { pipe("/tmp/mysql.pipe" template("INSERT INTO 
> syslog_incoming (facility, priority, date, time, host, message, seq) 
> VALUES ( '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY', 
> '$HOUR:$MIN:$SEC', '$HOST', '$MSG', '$SEQ' );\n") template-escape(yes));
> };
> log { source (s_router_udp); destination (d_mysql); };
> log { source (s_sys); destination(d_mysql); };
>
> The second log statement is working, because I can see entries in the 
> syslog_incoming table and I also see the log in Cacti:
> mysql> select * from syslog_incoming;
> +----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
> | facility | priority | date       | time     | host          | message                                                          | seq | status |
> +----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
> | syslog   | info     | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: Termination requested via signal, terminating; |  22 |      0 |
> | syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: syslog-ng shutting down; version='2.0.10'      |  23 |      0 |
> | syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[21587]: syslog-ng starting up; version='2.0.10'        |  24 |      0 |
> | authpriv | info     | 2009-07-01 | 11:56:06 | monitorizare1 | sshd[21567]: Connection closed by 127.0.0.1                      |  21 |      0 |
> +----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
> 4 rows in set (0.00 sec)
>
> But I don't know what the problem is with the first log statement and 
> how to fix it. Can anyone help a little? Maybe with some documentation, 
> maybe someone encountered a similar problem?
>
>
>
> PS: something else that I noticed and I don't know what it means.
> One of the syslog-ng messages is like this:
> syslog-ng[20083]: Log statistics; 
> *dropped='pipe(/tmp/mysql.pipe)=0*', processed='center(queued)=30', 
> processed='center(received)=15', processed='destination(d_boot)=0', 
> processed='destination(d_auth)=4', processed='destination(d_cron)=9', 
> processed='destination(d_mysql)=15', 
> processed='destination(d_mlal)=0', processed='destination(d_mesg)=2', 
> processed='destination(d_cons)=0', processed='destination(d_spol)=0', 
> processed='destination(d_mail)=0', processed='source(s_sys)=15', 
> processed='source(s_router_udp)=0'
>
> What could be the cause for that "dropped" there? Shouldn't it be processed?
>
> Cosmin Neagu
> NOC Team Leader
> Str. I. G. Duca nr 36
> Otopeni, Judetul Ilfov, 075100 Romania
> Tel: 021 303 3159 / 0732 669 193
> www.omnilogic.ro
>   
>
>
> Cosmin Neagu wrote:
>>     Thanks a lot Ulrich, that site contains great documentation; I'm 
>> starting to understand how syslog-ng works.
>> But let me tell you the problem with which I'm stuck right now.
>>
>>     A router is sending syslog messages to a Linux box (Fedora) from 
>> 10.0.0.1. I can see the messages arriving at the server.
>> [root at monitorizare1 ~]# tcpdump -v src 10.0.0.1
>> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 
>> 96 bytes
>> 10:09:07.941254 IP (tos 0x0, ttl 255, id 80, offset 0, flags [none], 
>> proto UDP (17), length 115) 10.0.0.1.65150 > 192.168.53.248.syslog: 
>> SYSLOG, length: 87
>>         Facility local7 (23), Severity error (3)
>>         Msg: 81: *Jul  1 10:09:10.027: %LINK-3-UPDOWN: Interfa[|syslog]
>> 10:09:08.760267 IP (tos 0x0, ttl 255, id 81, offset 0, flags [none], 
>> proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog: 
>> SYSLOG, length: 110
>>         Facility local7 (23), Severity info (6)
>>         Msg: 82: *Jul  1 10:09:10.031: %ENTITY_ALARM-6-INFO: C[|syslog]
>> 10:09:09.755868 IP (tos 0x0, ttl 255, id 82, offset 0, flags [none], 
>> proto UDP (17), length 137) 10.0.0.1.65150 > 192.168.53.248.syslog: 
>> SYSLOG, length: 109
>>         Facility local7 (23), Severity notice (5)
>>
>>
>> I have configured syslog-ng.conf like this:
>> source s_router_udp {
>>         internal();
>>         file ("/proc/kmsg" log_prefix("kernel: "));
>>         udp (ip(0.0.0.0) port ( 514 ) );
>>         #unix-stream ("/dev/log");
>> };
>> destination d_localfile {
>>         file ("/root/testlog");
>> };
>> log {
>>         source (s_router_udp);
>>         destination (d_localfile);
>> };
>>
>> The problem is that in /root/testlog I can't see any log, except 
>> those internally generated by syslog-ng:
>> Jul  1 09:31:36 monitorizare1 syslog-ng[17787]: syslog-ng starting 
>> up; version='2.0.10'
>> Jul  1 09:32:49 monitorizare1 syslog-ng[17787]: Termination requested 
>> via signal, terminating;
>> Jul  1 09:32:50 monitorizare1 syslog-ng[17812]: syslog-ng starting 
>> up; version='2.0.10'
>> Jul  1 09:42:50 monitorizare1 syslog-ng[17812]: Log statistics; 
>> processed='center(queued)=6', processed='center(received)=6', 
>> processed='destination(d_boot)=0', processed='destination(d_auth)=2', 
>> processed='destination(d_cron)=2', processed='destination(d_mlal)=0', 
>> processed='destination(d_localfile)=1', 
>> processed='destination(d_mesg)=1', processed='destination(d_cons)=0', 
>> processed='destination(d_spol)=0', processed='destination(d_mail)=0', 
>> processed='source(s_sys)=5', 
>> processed='source(s_router_udp)=1'
>> Jul  1 09:45:11 monitorizare1 syslog-ng[17812]: Termination requested 
>> via signal, terminating;
>> Jul  1 09:45:11 monitorizare1 syslog-ng[18840]: syslog-ng starting 
>> up; version='2.0.10'
>> Jul  1 09:47:43 monitorizare1 syslog-ng[18840]: Termination requested 
>> via signal, terminating;
>> Jul  1 09:47:43 monitorizare1 syslog-ng[19009]: syslog-ng starting 
>> up; version='2.0.10'
>>
>> I can't find anything in the syslog-ng admin guide about how 
>> messages received from remote hosts can be inserted into files.
>>
>> Can anyone help me? I feel that I'm close to a solution.
>>
>>
>>
>> Ulrich.Wiemers at t-systems.com wrote:
>>> Hi,
>>> I was in a similar situation some weeks ago.
>>> Admin Guide found at
>>> http://www.balabit.com/support/documentation/?product=syslog-ng was of great
>>> help to me.
>>> And, of course, Google ,-)
>>>
>>> hth
>>>
>>> Ulli
>>>
>>> -----Original Message-----
>>> From: syslog-ng-bounces at lists.balabit.hu
>>> [mailto:syslog-ng-bounces at lists.balabit.hu] On behalf of Cosmin Neagu
>>> Sent: Tuesday, 30 June 2009 14:49
>>> To: syslog-ng at lists.balabit.hu
>>> Subject: [syslog-ng] Syslog-ng beginners guide
>>>
>>> Hello everybody,
>>> Sorry for bothering you with a beginner's question.
>>> I have a Cacti implementation in my network and I want to integrate it
>>> with syslog-ng. I have mostly Cisco routers, all configured to send syslog
>>> messages to two Linux boxes (Ubuntu 9.04 and Fedora Core 10) where I have
>>> installed syslog-ng.
>>>
>>> I'm not able to find where the logs are kept, so this drives me crazy.
>>> Do you know any site or resource where I can find some beginner's guide
>>> about using syslog-ng with Cisco routers? I mean, a guide for someone who
>>> never used syslog-ng before.
>>> Thanks.
>>>
>>> --
>>> Cosmin Neagu
>>> NOC Team Leader
>>> Str. I. G. Duca nr 36
>>> Otopeni, Judetul Ilfov, 075100 Romania
>>> Tel: 021 303 3159 / 0732 669 193
>>> www.omnilogic.ro
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.campin.net/syslog-ng/faq.html
