[syslog-ng] Send a specific log by email

Reaky Rok reakyrok at hotmail.com
Mon Jul 6 09:43:16 CEST 2009


OK, this worked successfully now.
Thanks for the help.

From: reakyrok at hotmail.com
To: syslog-ng at lists.balabit.hu
Date: Sun, 5 Jul 2009 23:38:04 +0300
Subject: Re: [syslog-ng] Send a specific log by email

Dear
   I don't know if the problem is in me or what :)
As I understood, you sent me a configuration related to which interface I'll use to receive logs, but this is not the problem. The problem is that when I receive logs from the remote server whose IP is 163.121.189.131, I want to send the logs of this server to my email. I'm sorry if I used a configuration in the wrong way and made you not understand me.
Anyway, I'm trying now some kind of solution; I don't know if it can be a way to do what I want or not.
I did the following:
========================================================================================
# file() arguments must be quoted strings in syslog-ng configuration
source sme { file("/var/log/syslog-ng/servers/163.121.189.131/local7.log"); };

destination maillog { program("/usr/local/bin/syslog-mail-perl"); };
log { source(sme); destination(maillog); };
========================================================================================
As you see, I try to make the source the file that contains the logs of the remote server 163.121.189.131
and try to send it to a script that mails it to me, but when I try, nothing happens.
I'll attach the full configuration file and the mail script to you; I made it send to root, for example, at first.


configuration file:
=================================================================
# configuration file for syslog-ng, customized for remote logging
#

source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };

# Remote logging
source s_remote {
        tcp(ip(0.0.0.0) port(514));
        udp(ip(0.0.0.0) port(514));
};

destination d_separatedbyhosts {
        file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};

log { source(s_remote); destination(d_separatedbyhosts); };

# This is the new part that I did
# file() takes a quoted path; the unquoted form does not parse
source sme { file("/var/log/syslog-ng/servers/172.31.250.68/local7.log"); };

destination maillog { program("/usr/local/bin/syslog-mail-perl"); };
log { source(sme); destination(maillog); };

options {

          # Number of syslog lines stored in memory before being written to files
          flush_lines (0);

          # Syslog-ng uses queues
          log_fifo_size (1000);

          # Create log directories as needed
          create_dirs (yes);

          # Make the group "logs" own the log files and directories
          group (logs);
          dir_group (logs);

          # Set the file and directory permissions
          perm (0640);
          dir_perm (0750);

          # Check client hostnames for valid DNS characters
          check_hostname (yes);

          # Specify whether to trust hostname in the log message.
          # If "yes", then it is left unchanged, if "no" the server replaces
          # it with client's DNS lookup value.
          keep_hostname (yes);

          # Use DNS fully qualified domain names (FQDN)
          # for the names of log file folders
          use_fqdn (yes);
          use_dns (yes);

          # Cache DNS entries for up to 1000 hosts for 12 hours
          dns_cache (yes);
          dns_cache_size (1000);
          dns_cache_expire (43200);

        };
# Define all the source
source s_localhost {
          pipe ("/proc/kmsg" program_override("kernel: "));
          unix-stream ("/dev/log");
          internal();
};

# Define the destination "d_localhost" log directory
destination d_localhost {
           file ("/var/log/syslog-ng/localhost/$FACILITY.log");
};

#================================
#================================
# Define all the sources of network generated syslog
# messages and label it "d_network"
source s_network {
          tcp(max-connections(5000));
          udp();
};

# Define the destination "d_network" log directory
destination d_network {
          file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");
};

#=======================
#=======================
# Any logs that match the "s_localhost" source should be logged
# in the "d_localhost" directory

log { source(s_localhost);
      destination(d_localhost);
};
#=======================
===========================================================================

and the following is the mail script

++++++++++++++++++++++++++++++++++++++++=====
#!/usr/bin/perl -n
# thanks to Brian Dowling for an example with security in mind.
# Started once by syslog-ng's program() destination and fed one log message
# per line on stdin; perl -n wraps the body in a while (<>) loop, so every
# line becomes one mail.
use strict;
use warnings;

my $TO   = 'root';
my $FROM = $TO;

chomp;                  # drop the newline so $_ can sit on the Subject: line
s/^<\d{1,3}>//;         # strip a leading syslog priority; PRI goes up to <191>
s/[\r\n]/ /g;           # a CR/LF left in the line would inject extra mail headers

# list-form open: sendmail receives its arguments directly, no shell involved
open(my $mail, '|-', '/usr/sbin/sendmail', '-t')
    or die "cannot run sendmail: $!";

print $mail <<"EOT";
To: $TO
From: $FROM
Subject: SME Log Alert: $_

$_

EOT

close($mail) or warn "sendmail exited with status $?";
+++++++++++++++++++++++++++++++++++++++++++++++

Thanks for your patience and help
Reaky
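Added example (not part of the thread or its attachments): the filter-based layout Sandor describes, combined with the program() destination from the configuration above, so the mail path is selected on the sender's address instead of tailing a file syslog-ng is itself writing. The filter, destination and log names are my own choices; the IP address, the 0.0.0.0:514 listeners, the per-host file destination and the mail script path are the ones quoted in the thread, and the syntax follows the syslog-ng 2.x/3.x style the thread uses.

```conf
# Added example, not the poster's configuration. Names prefixed f_/d_ are mine.

# Same network listeners as in the posted config.
source s_remote {
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};

# netmask() compares the address the datagram or connection actually came
# from (the last hop), not the HOST field carried inside the message.
filter f_sme_ip { netmask("163.121.189.131/32"); };

# Weaker alternative: host() matches the hostname the client wrote into the
# message. With keep_hostname(yes) any sender can claim to be this host.
# (sme-hostname is a placeholder name, not one from the thread.)
# filter f_sme_name { host("^sme-hostname$"); };

# Only the facility the poster was tailing (local7.log).
filter f_local7 { facility(local7); };

# syslog-ng starts the program once and writes one message per line to its
# stdin, so the script has to loop over stdin rather than exit after one line.
destination d_mail { program("/usr/local/bin/syslog-mail-perl"); };

# Per-host files exactly as in the posted config.
destination d_separatedbyhosts {
    file("/var/log/syslog-ng/servers/$HOST/$FACILITY.log"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};

# Without flags(final) a message matching the first path still reaches the
# second one, so the mailed messages are also kept on disk. Add flags(final)
# to the first path only if they should not be written to the files.
log { source(s_remote); filter(f_sme_ip); filter(f_local7); destination(d_mail); };
log { source(s_remote); destination(d_separatedbyhosts); };
```

Before reloading, `syslog-ng -s -f /path/to/syslog-ng.conf` (syntax-only mode on 3.x) catches the kind of unquoted-path mistake that made the original file() source fail silently for the poster. Note that UDP source addresses can be forged, so for anything that drives an alert, prefer the TCP listener (or, on newer releases, TLS) for that host.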

> Date: Sat, 4 Jul 2009 13:02:37 +0200
> From: Sandor.Geller at morganstanley.com
> To: syslog-ng at lists.balabit.hu
> Subject: Re: [syslog-ng] Send a specific log by email
> 
> ...and to provide actual help: use filters based on hostname or the IP address
> 
> filter f_myhostname {
>   host("^myhostname$"); # this is a regexp, not a simple string
> };
> 
> filter f_myipaddress {
>   netmask("127.0.0.1/32");
> };
> 
> later in your log definitions just use the filters:
> 
> log {
>   source(...);
>   filter(...);
>   destination(...);
>   flags(final); # so the logs won't get processed by further log definitions
> };
> 
> In the admin guide you can find more details about the configuration
> possibilities.
> 
> hth,
> 
> Sandor
> 
> On Sat, Jul 4, 2009 at 12:48 PM, Sandor Geller<sandorg at morganstanley.com> wrote:
> > Hi,
> >
> > Local means that the host syslog-ng is running on has the IP address
> > configured on one of the network interfaces. Apps can bind only to
> > 0.0.0.0 or to local IP addresses, not to remote addresses. I think
> > you're after filtering based on the remote host's IP address, not
> > binding to the IP address.
> >
> > Regards,
> >
> > Sandor
> >
> > 2009/7/4 Reaky Rok <reakyrok at hotmail.com>:
> >> Dear, what do you mean by local IP? Do you mean it's in the same subnet? Anyway,
> >> it's a routed IP, not in the same subnet as the syslog server.
> >> But anyway, what is the right option to filter the requests from this IP only?
> >>
> >>
> >>> From: bazsi at balabit.hu
> >>> To: syslog-ng at lists.balabit.hu
> >>> Date: Fri, 3 Jul 2009 15:57:08 +0200
> >>> Subject: Re: [syslog-ng] Send a specific log by email
> >>>
> >>> On Thu, 2009-07-02 at 11:34 +0300, Reaky Rok wrote:
> >>> > I modified it and it gave me the following result after restarting:
> >>> >
> >>> > Error binding socket; addr='AF_INET(163.121.189.131:514)',
> >>> > error='Cannot assign requested address (99)'
> >>> > Error initializing source driver; source='s_remote', id='s_remote#0'
> >>> > Error initializing message pipeline;
> >>> > [FAILED]
> >>> >
> >>> > Is it possible that this is because I used the same source name in the
> >>> > first part of the configuration?
> >>> >
> >>>
> >>> Is 163.121.189.131 a local IP address? The ip() option of source drivers
> >>> specify the bind address, not the address to accept messages from.
> >>>
> >>> --
> >>> Bazsi
> >>>
> >>>
> >>>
> >>> ______________________________________________________________________________
> >>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >>> Documentation:
> >>> http://www.balabit.com/support/documentation/?product=syslog-ng
> >>> FAQ: http://www.campin.net/syslog-ng/faq.html
> >>>
> >>
> >>
> >
> 
