[syslog-ng] Syslog-ng beginners guide

Cosmin Neagu cosmin.neagu at omnilogic.ro
Thu Jul 2 16:50:52 CEST 2009


I have tried like this:

    On a remote Linux host (Ubuntu 9.04) I have configured syslog-ng
like this:

source s_internal { internal(); };
source s_local {
    file("/proc/kmsg" log_prefix("kernel: "));
    unix-stream("/dev/log");
};

destination d_localfile { file("/home/cosmin/syslog.log"); };
destination d_remote { tcp("192.168.53.248" port(514)); };   # I have tried with udp also

log { source(s_local);    destination(d_localfile); };
log { source(s_internal); destination(d_localfile); };
log { source(s_local);    destination(d_remote); };

    On the syslog server (Fedora Core 10), the configuration is:

source s_remote_tcp { tcp(ip(0.0.0.0) port(514)); };   # I have tried with udp also
destination d_localfile { file("/root/syslog.log"); };
log { source(s_remote_tcp); destination(d_localfile); };

    After a few tests, I have noticed (with the help of Wireshark) the
following:
1. In the UDP case, it sends the logs, I can see the packets arriving on the
server with tcpdump, but the server returns an ICMP error
Destination Unreachable, with code "Host Administratively Prohibited".
2. The same thing in the TCP case, only the message is not sent, only
the first SYN packet trying to establish the TCP connection, and it
receives the same ICMP error from the server.


On the server I have Fedora Core 10, with SELinux disabled. No firewall
at all. Actually I don't know yet how to configure iptables.

I have noticed that on the server, if I try to define a source like this:
source s_remote_tcp { tcp(ip(192.168.53.151) port(514)); };
it will give an error:
Starting syslog-ng: Error binding socket;
addr='AF_INET(192.168.53.151:514)', error='Cannot assign requested
address (99)'
Error initializing source driver; source='s_remote_tcp'

Please, can someone help me with this problem? I don't know what could be
blocking the packets, whether it is because of the OS or because of the
syslog-ng configuration.

Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
www.omnilogic.ro
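The "Cannot assign requested address (99)" bind error and the tcpdump check above, reproduced end to end as an added example (this is not code from the thread or from syslog-ng): the script binds a UDP listener the way a udp(ip(...) port(...)) source would, then sends itself a constructed Cisco-style datagram over loopback and decodes its PRI the way tcpdump prints "Facility local7 (23), Severity notice (5)". Port 0 (an ephemeral port) is used instead of 514 so it runs unprivileged; 192.0.2.1 is a documentation address assumed not to be configured on the host, which is the situation behind errno 99 in the post; the sample message text is constructed, not taken from the captures.

```python
import errno
import socket

# RFC 3164 facility / severity tables, used to decode the <PRI> that
# tcpdump shows as "Facility local7 (23), Severity notice (5)".
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed Cisco-style datagram (not from the thread's captures):
# PRI 189 = local7 (23) * 8 + notice (5).
SAMPLE_DATAGRAM = b"<189>42: *Jul  1 15:23:18.030: %SYS-5-CONFIG_I: Configured from console by console"


def try_bind(ip, port=0, proto="udp"):
    """Bind a listener like a syslog-ng udp()/tcp() source with ip(IP) port(PORT).

    Returns "ok" or the errno name. An address the host does not own gives
    "EADDRNOTAVAIL", the errno 99 'Cannot assign requested address' in the post;
    ip(0.0.0.0) binds every local address and never fails for that reason.
    """
    socktype = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    try:
        with socket.socket(socket.AF_INET, socktype) as s:
            s.bind((ip, port))
            return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, "errno %s" % e.errno)


def parse_pri(datagram):
    """Decode the <PRI> prefix of a BSD syslog datagram.

    Returns (facility, severity, rest_of_message). Raises ValueError when the
    PRI is missing or out of range, which is what a non-syslog sender looks like.
    """
    if not datagram.startswith(b"<"):
        raise ValueError("no <PRI> header")
    end = datagram.find(b">", 1, 6)          # PRI is at most 3 digits
    if end == -1:
        raise ValueError("malformed <PRI> header")
    pri = int(datagram[1:end])
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], datagram[end + 1:].decode("ascii", "replace")


def loopback_roundtrip(payload):
    """Bind a UDP listener on 127.0.0.1 (ephemeral port), send payload to it
    and return what arrived: the same 'did the packet reach the socket' check
    as running tcpdump on the server, but done from inside the process."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv, \
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(2.0)
        cli.sendto(payload, srv.getsockname())
        data, _ = srv.recvfrom(4096)
    return data


if __name__ == "__main__":
    for ip in ("0.0.0.0", "127.0.0.1", "192.0.2.1"):
        print("bind ip(%s): %s" % (ip, try_bind(ip)))
    fac, sev, msg = parse_pri(loopback_roundtrip(SAMPLE_DATAGRAM))
    print("received: Facility %s, Severity %s: %s" % (fac, sev, msg))
```

A packet that tcpdump shows but the application never receives is, by elimination, being dropped between the interface and the socket; an ICMP "host administratively prohibited" in the reply direction is the signature of a REJECT rule, so the next thing to read on the server is the iptables rule set, not syslog-ng.conf.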
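Further down the thread the router messages are written to MySQL through pipe("/tmp/mysql.pipe" template("INSERT INTO syslog_incoming ... '$MSG' ...")) with template-escape(yes). The text in $MSG (and $HOST) arrives in a spoofable UDP datagram from anything that can reach port 514, so that template is an SQL statement assembled from untrusted input, and the escape option is what keeps a quote in the log text from ending the string literal. The following is an added example (not code from the thread or from syslog-ng) that renders that INSERT with and without the escaping syslog-ng applies for template_escape(yes) (a backslash before ', " and \), then counts the statements a mysql client reading the pipe would execute. The field values and the hostile message are constructed for the illustration, and $YEAR-$MONTH-$DAY / $HOUR:$MIN:$SEC are collapsed into DATE and TIME.

```python
import re

# Column layout of the INSERT from the thread; $YEAR-$MONTH-$DAY and
# $HOUR:$MIN:$SEC are collapsed into DATE and TIME for the example.
INSERT_TEMPLATE = (
    "INSERT INTO syslog_incoming (facility, priority, date, time, host, message, seq) "
    "VALUES ( '{FACILITY}', '{PRIORITY}', '{DATE}', '{TIME}', '{HOST}', '{MSG}', '{SEQ}' );\n"
)

# Constructed datagram fields: a Cisco-looking message whose text carries an
# SQL payload. Every value here comes from the sender, host included.
HOSTILE_MESSAGE = {
    "FACILITY": "local7", "PRIORITY": "notice",
    "DATE": "2009-07-01", "TIME": "15:23:16", "HOST": "10.0.0.1", "SEQ": "126",
    "MSG": "126: *Jul  1 15:23:18.030: %SYS-5-CONFIG_I: Configured from console by "
           "'); DROP TABLE syslog_incoming; -- ",
}


def template_escape(value):
    """What syslog-ng's template_escape(yes) does to a macro value:
    prefix ', " and \\ with a backslash."""
    return re.sub(r"(['\"\\])", r"\\\1", value)


def render(fields, escape):
    """Expand the INSERT template as the pipe() destination would, with or
    without template_escape(yes)."""
    if escape:
        fields = {k: template_escape(v) for k, v in fields.items()}
    return INSERT_TEMPLATE.format(**fields)


def split_statements(sql):
    """Split SQL text into statements the way the mysql client reads it:
    ';' ends a statement only outside a single-quoted string, a backslash
    escapes the next character inside a string, and '-- ' starts a comment
    that runs to end of line."""
    stmts, buf, in_str = [], [], False
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if in_str:
            if c == "\\" and i + 1 < n:      # escaped character inside a string
                buf.append(sql[i:i + 2])
                i += 2
                continue
            if c == "'":
                in_str = False
            buf.append(c)
            i += 1
            continue
        if c == "'":
            in_str = True
        elif sql.startswith("-- ", i):       # line comment: skip to end of line
            nl = sql.find("\n", i)
            i = n if nl == -1 else nl + 1
            continue
        elif c == ";":
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


def statements_seen(fields, escape):
    """Statements the database would execute for one log message."""
    return split_statements(render(fields, escape))


if __name__ == "__main__":
    for escape in (False, True):
        stmts = statements_seen(HOSTILE_MESSAGE, escape)
        print("template_escape(%s): %d statement(s)" % ("yes" if escape else "no", len(stmts)))
        for s in stmts:
            print("   ", s[:90])
```

Without the option the one datagram becomes two statements, the second being the DROP; with it the whole message stays inside the string literal. The escaping covers the quoting characters only: it does not turn the pipe into a parameterized query, and a sender that can reach UDP/514 still chooses every column value, so restricting who can reach the port matters as much as the template.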



Siem Korteweg wrote:
> Hi,
>
> try to split the sources. The following works for me (tcp instead of udp)
> for OSE 3.0.2. All syslog-ng clients (and server) have the following sources
> and destinations:
>
> source s_internal { internal(); };
>
> destination d_syslogng_log { file("/var/log/syslog-ng.log"); };
>
> source s_local  {
>                         unix-dgram("/dev/log");
>                         file("/proc/kmsg" program_override("kernel:"));
>                 };
>
> destination d_remote { tcp("logserver.f.q.d.n" port(514) ) ; };
>
> destination d_local { file("/var/log/messages"); };
>
> log { source( s_internal );     destination( d_remote ); };
> log { source( s_internal );     destination( d_syslogng_log ); };
> log { source( s_local );        destination( d_remote ); };
> log { source( s_local );        destination( d_local ); };
>
> All messages are logged in the local file /var/log/messages or in
> /var/log/syslog-ng.log and forwarded to the logserver.
> The syslog-ng server has the following additional sources and destinations:
>
> source s_network { tcp (ip("logserver.f.q.d.n") port(514)); };
>
> destination d_network {
>     file("/var/log/syslog-ng/hosts/$HOST_FROM/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY"
>          create_dirs(yes)
>     );
> };
>
> log { source( s_network );      destination( d_network ); };
>
> Change tcp to udp and change the fqdn to 0.0.0.0. Check
> /var/log/syslog-ng.log for errors during the processing of messages.
>
> regards,
>
> Siem Korteweg
>
> -----Original message-----
> From: syslog-ng-bounces at lists.balabit.hu on behalf of Cosmin Neagu
> Sent: Wed 1-7-2009 14:25
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Syslog-ng beginners guide
>  
> Yes, that was the first thing I checked; even now I have checked it
> again, and the logs are still coming to the Linux box where syslog is
> installed.
>
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> 96 bytes
> 15:23:16.916213 IP (tos 0x0, ttl 255, id 125, offset 0, flags [none], 
> proto UDP (17), length 173) 10.0.0.1.65150 > 192.168.53.248.syslog: 
> SYSLOG, length: 145
>         Facility local7 (23), Severity notice (5)
>         Msg: 126: *Jul  1 15:23:18.030: %OSPF-5-ADJCHG: Proces[|syslog]
> 15:23:16.918286 IP (tos 0x0, ttl 255, id 126, offset 0, flags [none], 
> proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog: 
> SYSLOG, length: 110
>         Facility local7 (23), Severity notice (5)
>         Msg: 127: *Jul  1 15:23:18.110: %LDP-5-NBRCHG: LDP Nei[|syslog]
> 15:23:17.876055 IP (tos 0x0, ttl 255, id 127, offset 0, flags [none], 
> proto UDP (17), length 136) 10.0.0.1.65150 > 192.168.53.248.syslog: 
> SYSLOG, length: 108
>         Facility local7 (23), Severity notice (5)
>         Msg: 128: *Jul  1 15:23:19.954: %LINK-5-CHANGED: Inter[|syslog]
> 15:23:18.979640 IP (tos 0x0, ttl 255, id 128, offset 0, flags [none], 
> proto UDP (17), length 140) 10.0.0.1.65150 > 192.168.53.248.syslog: 
> SYSLOG, length: 112
>         Facility local7 (23), Severity info (6)
>         Msg: 129: *Jul  1 15:23:19.958: %ENTITY_ALARM-6-INFO: [|syslog]
> 15:23:19.859450 IP (tos 0x0, ttl 255, id 129, offset 0, flags [none], 
> proto UDP (17), length 140) 10.0.0.1.65150 > 192.168.53.248.syslog: 
> SYSLOG, length: 112
>         Facility local7 (23), Severity notice (5)
>         Msg: 130: *Jul  1 15:23:20.954: %LINEPROTO-5-UPDOWN: L[|syslog]
>
> And unfortunately, I'm the only person in the company that knows a
> little bit of Linux so I don't have anybody to ask...
>
> Ulrich.Wiemers at t-systems.com wrote:
>   
>> Hi,
>> I don't see anything in your config...
>> Are you sure your syslog messages are sent to the UDP port syslog-ng
>> is listening on (normally: 514)?
>> Did you prove it with one of snoop, ethereal, wireshark and the like?
>> Just an idea... hth
>> Ulli
>>
>> ------------------------------------------------------------------------
>> From: syslog-ng-bounces at lists.balabit.hu
>> [mailto:syslog-ng-bounces at lists.balabit.hu] On behalf of Cosmin Neagu
>> Sent: Wednesday, 1 July 2009 14:15
>> To: Syslog-ng users' and developers' mailing list
>> Subject: Re: [syslog-ng] Syslog-ng beginners guide
>>
>> Hello again,
>> Things are evolving a little bit.
>>
>> Now the syslog-ng conf is configured like this:
>>
>> source s_router_udp { udp(); };
>> destination d_mysql {
>>     pipe("/tmp/mysql.pipe"
>>          template("INSERT INTO syslog_incoming (facility, priority, date, time, host, message, seq) VALUES ( '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$HOST', '$MSG', '$SEQ' );\n")
>>          template-escape(yes));
>> };
>> log { source (s_router_udp); destination (d_mysql); };
>> log { source (s_sys); destination(d_mysql); };
>>
>> The second log statement is working, because I can see entries in the
>> syslog_incoming table, and I also see the log in Cacti:
>> mysql> select * from syslog_incoming;
>> +----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
>> | facility | priority | date       | time     | host          | message                                                          | seq | status |
>> +----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
>> | syslog   | info     | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: Termination requested via signal, terminating; |  22 |      0 |
>> | syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[20083]: syslog-ng shutting down; version='2.0.10'      |  23 |      0 |
>> | syslog   | notice   | 2009-07-01 | 14:56:45 | monitorizare1 | syslog-ng[21587]: syslog-ng starting up; version='2.0.10'        |  24 |      0 |
>> | authpriv | info     | 2009-07-01 | 11:56:06 | monitorizare1 | sshd[21567]: Connection closed by 127.0.0.1                      |  21 |      0 |
>> +----------+----------+------------+----------+---------------+------------------------------------------------------------------+-----+--------+
>> 4 rows in set (0.00 sec)
>>
>> But i don't know what is the problem and how to fix with the first log 
>> statement. Can anyone help a little? Maybe with some documentation, 
>> maybe someone encountered a similar problem?
>>
>>
>>
>> PS: something else that I noticed and I don't know what it means.
>> One of the syslog-ng messages is like this:
>> syslog-ng[20083]: Log statistics;
>> dropped='pipe(/tmp/mysql.pipe)=0', processed='center(queued)=30',
>> processed='center(received)=15', processed='destination(d_boot)=0',
>> processed='destination(d_auth)=4', processed='destination(d_cron)=9',
>> processed='destination(d_mysql)=15',
>> processed='destination(d_mlal)=0', processed='destination(d_mesg)=2',
>> processed='destination(d_cons)=0', processed='destination(d_spol)=0',
>> processed='destination(d_mail)=0', processed='source(s_sys)=15',
>> processed='source(s_router_udp)=0'
>>
>> What could be the cause for that "dropped" there? Shouldn't it be processed?
>>
>> Cosmin Neagu
>> NOC Team Leader
>> Str. I. G. Duca nr 36
>> Otopeni, Judetul Ilfov, 075100 Romania
>> Tel: 021 303 3159 / 0732 669 193
>> www.omnilogic.ro
>>   
>>
>>
>> Cosmin Neagu wrote:
>>     
>>>     Thanks a lot Ulrich, that site contains great documentation, I'm
>>> starting to understand how syslog-ng works.
>>> But let me tell you the problem with which I'm stuck right now.
>>>
>>>     A router is sending syslog messages to a Linux box (Fedora) from
>>> 10.0.0.1. I can see the messages arriving at the server.
>>> [root at monitorizare1 ~]# tcpdump -v src 10.0.0.1
>>> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 
>>> 96 bytes
>>> 10:09:07.941254 IP (tos 0x0, ttl 255, id 80, offset 0, flags [none], 
>>> proto UDP (17), length 115) 10.0.0.1.65150 > 192.168.53.248.syslog: 
>>> SYSLOG, length: 87
>>>         Facility local7 (23), Severity error (3)
>>>         Msg: 81: *Jul  1 10:09:10.027: %LINK-3-UPDOWN: Interfa[|syslog]
>>> 10:09:08.760267 IP (tos 0x0, ttl 255, id 81, offset 0, flags [none], 
>>> proto UDP (17), length 138) 10.0.0.1.65150 > 192.168.53.248.syslog: 
>>> SYSLOG, length: 110
>>>         Facility local7 (23), Severity info (6)
>>>         Msg: 82: *Jul  1 10:09:10.031: %ENTITY_ALARM-6-INFO: C[|syslog]
>>> 10:09:09.755868 IP (tos 0x0, ttl 255, id 82, offset 0, flags [none], 
>>> proto UDP (17), length 137) 10.0.0.1.65150 > 192.168.53.248.syslog: 
>>> SYSLOG, length: 109
>>>         Facility local7 (23), Severity notice (5)
>>>
>>>
>>> I have configured syslog-ng.conf like this:
>>> source s_router_udp {
>>>         internal();
>>>         file ("/proc/kmsg" log_prefix("kernel: "));
>>>         udp (ip(0.0.0.0) port ( 514 ) );
>>>         #unix-stream ("/dev/log");
>>> };
>>> destination d_localfile {
>>>         file ("/root/testlog");
>>> };
>>> log {
>>>         source (s_router_udp);
>>>         destination (d_localfile);
>>> };
>>>
>>> The problem is that in /root/testlog I can't see any log, except
>>> those internally generated by syslog-ng:
>>> Jul  1 09:31:36 monitorizare1 syslog-ng[17787]: syslog-ng starting up; version='2.0.10'
>>> Jul  1 09:32:49 monitorizare1 syslog-ng[17787]: Termination requested via signal, terminating;
>>> Jul  1 09:32:50 monitorizare1 syslog-ng[17812]: syslog-ng starting up; version='2.0.10'
>>> Jul  1 09:42:50 monitorizare1 syslog-ng[17812]: Log statistics; processed='center(queued)=6', processed='center(received)=6', processed='destination(d_boot)=0', processed='destination(d_auth)=2', processed='destination(d_cron)=2', processed='destination(d_mlal)=0', processed='destination(d_localfile)=1', processed='destination(d_mesg)=1', processed='destination(d_cons)=0', processed='destination(d_spol)=0', processed='destination(d_mail)=0', processed='source(s_sys)=5', processed='source(s_router_udp)=1'
>>> Jul  1 09:45:11 monitorizare1 syslog-ng[17812]: Termination requested via signal, terminating;
>>> Jul  1 09:45:11 monitorizare1 syslog-ng[18840]: syslog-ng starting up; version='2.0.10'
>>> Jul  1 09:47:43 monitorizare1 syslog-ng[18840]: Termination requested via signal, terminating;
>>> Jul  1 09:47:43 monitorizare1 syslog-ng[19009]: syslog-ng starting up; version='2.0.10'
>>>
>>> I can't find anything in the syslog-ng admin guide about how
>>> messages received from remote hosts can be inserted into files.
>>>
>>> Can anyone help me? I feel that i'm close to a solution.
>>>
>>>
>>>
>>> Ulrich.Wiemers at t-systems.com wrote:
>>>> Hi,
>>>> I was in a similar situation some weeks ago.
>>>> The Admin Guide found at
>>>> http://www.balabit.com/support/documentation/?product=syslog-ng was of great
>>>> help to me.
>>>> And, of course, Google ,-)
>>>>
>>>> hth
>>>>
>>>> Ulli
>>>>
>>>> -----Original message-----
>>>> From: syslog-ng-bounces at lists.balabit.hu
>>>> [mailto:syslog-ng-bounces at lists.balabit.hu] On behalf of Cosmin Neagu
>>>> Sent: Tuesday, 30 June 2009 14:49
>>>> To: syslog-ng at lists.balabit.hu
>>>> Subject: [syslog-ng] Syslog-ng beginners guide
>>>>
>>>> Hello everybody,
>>>> Sorry for bothering you with a beginner's question.
>>>> I have a Cacti implementation in my network and I want to integrate it
>>>> with syslog-ng. I have mostly Cisco routers, all configured to send syslog
>>>> messages to two Linux boxes (Ubuntu 9.04 and Fedora Core 10) where I have
>>>> installed syslog-ng.
>>>> I'm not able to find where the logs are kept, so this drives me crazy.
>>>> Do you know any site or resource where I can find some beginners guide
>>>> about using syslog-ng with Cisco routers? I mean, a guide for someone who
>>>> never used syslog-ng before.
>>>> Thanks.
>>>>
>>>> --
>>>> Cosmin Neagu
>>>> NOC Team Leader
>>>> Str. I. G. Duca nr 36
>>>> Otopeni, Judetul Ilfov, 075100 Romania
>>>> Tel: 021 303 3159 / 0732 669 193
>>>> www.omnilogic.ro
>>>>
>>>> ______________________________________________________________________________
>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>> FAQ: http://www.campin.net/syslog-ng/faq.html