[syslog-ng] Syslog-ng beginners guide

Cosmin Neagu cosmin.neagu at omnilogic.ro
Tue Jul 7 08:49:42 CEST 2009


Sorry for answering so late.
You were right, guys, about the firewall: on the Fedora server iptables 
was on, and as soon as I turned it off, everything worked great.
Now I have to learn how to configure iptables, because I don't want to 
leave it off.
Does anyone know a good starting point for iptables?



And another thing that bothers me... why the hell does the CPU stay most 
of the time at 100% because of the syslog-ng process?

top - 09:42:37 up 55 min,  2 users,  load average: 1.10, 1.07, 0.98
Tasks: 134 total,   3 running, 131 sleeping,   0 stopped,   0 zombie
Cpu(s): 12.3%us, 39.0%sy,  0.0%ni, 48.6%id,  0.0%wa,  0.0%hi,  0.2%si,  0.0%st
Mem:   2060488k total,   850036k used,  1210452k free,    77172k buffers
Swap:  2931820k total,        0k used,  2931820k free,   460408k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2527 root      20   0  3344 1268  848 R  *100*  0.1  32:13.86 syslog-ng
 3028 root      20   0  305m  34m  11m S    2  1.7   1:04.90 Xorg
   22 root      15  -5     0    0    0 S    0  0.0   0:00.12 ata/1
 3788 cosmin    20   0  221m 102m  26m S    0  5.1   1:12.27 firefox

I have a dual core processor, and either CPU1 or CPU2 stays at 100% 
utilization...

Cosmin Neagu
NOC Team Leader
Str. I. G. Duca nr 36
Otopeni, Judetul Ilfov, 075100 Romania
Tel: 021 303 3159 / 0732 669 193
www.omnilogic.ro



Dave Edelman wrote:
> The problem might be in this line: " Actually i don't know yet how to
> configure iptables"
>
> They might be enabled by default so you might want to try this:
>
> # iptables -L
>
> If it shows anything but a bunch of lines saying policy accept and some
> header lines, then you (at your own risk) need to tell it to stop by issuing
> the magical incantation
>
> # iptables -F
>
> To keep the pesky safeguards off on a full time basis, you might want to do
> something like:
>
> # chkconfig iptables off
> # service iptables stop
>
> You need to do this with root access so sudo is your friend unless you are
> really brave and are logging on as root directly :)
>
>
> --Dave
>
> "I insist that my car has good brakes, they allow me to go faster"
>
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs Scheidler
> Sent: Friday, July 03, 2009 10:03 AM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Syslog-ng beginners guide
>
> On Thu, 2009-07-02 at 17:50 +0300, Cosmin Neagu wrote:
>   
>> I have tried like this:
>>
>>     On a remote linux host (Ubuntu 9.04) i have configured syslog-ng
>> like this:
>>
>> source s_internal {internal();};
>> source s_local {
>> file ("/proc/kmsg" log_prefix("kernel: "));
>> unix-stream ("/dev/log");
>> };
>>
>> destination d_localfile { file ("/home/cosmin/syslog.log"); };
>> destination d_remote {tcp ("192.168.53.248" port(514)); };         //i
>> have tried with udp also
>>
>> log { source(s_local);          destination(d_localfile); };
>> log { source(s_internal);       destination(d_localfile); };
>> log { source(s_local);          destination(d_remote);    };
>>
>>     On the syslog server (Fedora c10), the configuration is:
>>
>> source s_remote_tcp {tcp (ip (0.0.0.0) port(514)); };
>>    //i have tried with udp also.
>> destination d_localfile {file ("/root/syslog.log"); };
>> log {   source (s_remote_tcp);          destination (d_localfile); }; 
>>
>>     After a few tests, I have noticed (with the help of Wireshark) the
>> following:
>> 1. In the UDP case, it sends the logs, I can see the packets arriving on
>> the server with tcpdump, but the server returns an ICMP error
>> Destination Unreachable, with code "Host Administratively Prohibited".
>> 2. The same thing in the TCP case, only that the message is not sent, only
>> the first SYN packet trying to establish the TCP connection, and it
>> receives the same ICMP error from the server.
>>
>>
>> On the server i have fedora core 10, with selinux disabled. No
>> firewall at all. Actually i don't know yet how to configure iptables.
>>
>> I have noticed that on the server, if i try to define a source like
>> this:
>> source s_remote_tcp {tcp (ip (192.168.53.151) port(514)); };
>> it will give an error:
>> Starting syslog-ng: Error binding socket;
>> addr='AF_INET(192.168.53.151:514)', error='Cannot assign requested
>> address (99)'
>> Error initializing source driver; source='s_remote_tcp'
>>
>> Please, can someone help me with this problem? I don't know what could be
>> blocking the packets, whether it is because of the OS or because of the
>> syslog-ng configuration.
>>     
>
> ICMP admin prohibited is probably generated by the packet filter. It
> cannot be generated by an application (unless it'd be injecting ICMP
> packets of its own, which syslog-ng doesn't do).
>
> Also, I wanted to point out that starting with 2.1, syslog-ng has its
> own SQL destination, no need to mess with named pipes. But if you decide
> to use a newer version, I would recommend 3.0.3, the current stable
> version.
>
>   
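As an added example (not from this thread or the syslog-ng project), a POSIX shell script that opens port 514 on the Fedora server for the Ubuntu client instead of flushing iptables as suggested above, and checks that the ACCEPT sits ahead of the REJECT rule that produced the "Host Administratively Prohibited" ICMP errors. The client subnet 192.168.53.0/24 is an assumption taken from the addresses in the thread.

```shell
#!/bin/sh
# Added example: allow syslog-ng traffic (tcp/udp 514) from the client subnet
# on the Fedora server rather than turning iptables off.  Fedora's default
# ruleset ends with "REJECT --reject-with icmp-host-prohibited", which is the
# rule that generates the ICMP "Host Administratively Prohibited" seen in
# Wireshark, so the ACCEPTs must be inserted (-I) ahead of it; appending (-A)
# would place them after the REJECT, where they never match.
# Assumed: client subnet 192.168.53.0/24 (from the thread's addresses).
CLIENT_NET="192.168.53.0/24"
SYSLOG_PORT=514

# Print the iptables commands (run them as root, then "service iptables save").
syslog_rules() {
    printf 'iptables -I INPUT -p udp -s %s --dport %s -j ACCEPT\n' \
        "$CLIENT_NET" "$SYSLOG_PORT"
    printf 'iptables -I INPUT -p tcp -s %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$CLIENT_NET" "$SYSLOG_PORT"
}

# Read "iptables -S INPUT" output on stdin; succeed only if an ACCEPT for the
# syslog port appears before the first REJECT rule.
check_rule_order() {
    awk -v port="$SYSLOG_PORT" '
        /-j REJECT/ { exit (ok ? 0 : 1) }
        $0 ~ ("--dport " port "( |$)") && /-j ACCEPT/ { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Constructed sample listing, mimicking the INPUT chain after the two inserts.
SAMPLE_INPUT_CHAIN='-P INPUT ACCEPT
-A INPUT -s 192.168.53.0/24 -p tcp -m tcp --dport 514 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.53.0/24 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

syslog_rules
if printf '%s\n' "$SAMPLE_INPUT_CHAIN" | check_rule_order; then
    echo "syslog port is reachable ahead of the REJECT rule"
else
    echo "syslog ACCEPT missing or shadowed by REJECT"
fi
```

On the live server, replace the constructed sample with `iptables -S INPUT | check_rule_order` to verify the running chain.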