[syslog-ng] Syslog-ng beginners guide
Cosmin Neagu
cosmin.neagu at omnilogic.ro
Fri Jul 3 16:07:33 CEST 2009
OK, thanks, I will eventually try the newer version, but will still need
to use my own SQL tables, because they are part of a bigger implementation.
I never thought that syslog would be such a pain in the ...
Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
www.omnilogic.ro
Balazs Scheidler wrote:
> On Thu, 2009-07-02 at 17:50 +0300, Cosmin Neagu wrote:
>
>> I have tried like this:
>>
>> On a remote Linux host (Ubuntu 9.04) I have configured syslog-ng
>> like this:
>>
>> source s_internal {internal();};
>> source s_local {
>> file ("/proc/kmsg" log_prefix("kernel: "));
>> unix-stream ("/dev/log");
>> };
>>
>> destination d_localfile { file ("/home/cosmin/syslog.log"); };
>> # I have tried with udp also
>> destination d_remote {tcp ("192.168.53.248" port(514)); };
>>
>> log { source(s_local); destination(d_localfile); };
>> log { source(s_internal); destination(d_localfile); };
>> log { source(s_local); destination(d_remote); };
>>
>> On the syslog server (Fedora c10), the configuration is:
>>
>> # I have tried with udp also.
>> source s_remote_tcp {tcp (ip (0.0.0.0) port(514)); };
>> destination d_localfile {file ("/root/syslog.log"); };
>> log { source (s_remote_tcp); destination (d_localfile); };
>>
>> After a few tests, I have noticed (with the help of Wireshark) the
>> following:
>> 1. In the UDP case, it sends the logs, I can see the packets arriving on
>> the server with tcpdump, but the server returns an ICMP error
>> Destination Unreachable, with the code "Host Administratively Prohibited".
>> 2. The same thing in the TCP case, only that the message is not sent, only
>> the first SYN packet trying to establish the TCP connection, and it
>> receives the same ICMP error from the server.
>>
>>
>> On the server I have Fedora Core 10, with SELinux disabled. No
>> firewall at all. Actually I don't know yet how to configure iptables.
>>
>> I have noticed that on the server, if I try to define a source like
>> this:
>> source s_remote_tcp {tcp (ip (192.168.53.151) port(514)); };
>> it will give an error:
>> Starting syslog-ng: Error binding socket;
>> addr='AF_INET(192.168.53.151:514)', error='Cannot assign requested
>> address (99)'
>> Error initializing source driver; source='s_remote_tcp'
>>
>> Please, can someone help me with this problem? I don't know what could be
>> blocking the packets, whether it is because of the OS or because of the
>> syslog-ng configuration.
>>
>
> ICMP admin prohibited is probably generated by the packet filter. It
> cannot be generated by an application (unless it'd be injecting ICMP
> packets of its own, which syslog-ng doesn't do).
>
> Also, I wanted to point out that starting with 2.1, syslog-ng has its
> own SQL destination, no need to mess with named pipes. But if you decide
> to use a newer version, I would recommend 3.0.3, the current stable
> version.
>
>