[syslog-ng] Syslog-ng beginners guide

Charles Jennings jennings.charles.e.security at gmail.com
Tue Jul 7 19:49:34 CEST 2009


I use Vuurmuur as an iptables front-end - IMHO the greatest thing since
sliced bread for iptables.

  _____  

From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Cosmin Neagu
Sent: Tuesday, July 07, 2009 1:50 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng beginners guide


Sorry for answering so late.
You were right, guys, about the firewall: on the Fedora server iptables was
on, and as soon as I turned it off, everything worked great.
Now I have to learn how to configure iptables, 'cause I don't want to leave
it off.
Does anyone know a good starting point for iptables?

And another thing that bothers me... why the hell does the CPU stay most of
the time at 100% because of the syslog-ng process?

top - 09:42:37 up 55 min,  2 users,  load average: 1.10, 1.07, 0.98
Tasks: 134 total,   3 running, 131 sleeping,   0 stopped,   0 zombie
Cpu(s): 12.3%us, 39.0%sy,  0.0%ni, 48.6%id,  0.0%wa,  0.0%hi,  0.2%si,  0.0%st
Mem:   2060488k total,   850036k used,  1210452k free,    77172k buffers
Swap:  2931820k total,        0k used,  2931820k free,   460408k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2527 root      20   0  3344 1268  848 R  100  0.1  32:13.86 syslog-ng
 3028 root      20   0  305m  34m  11m S    2  1.7   1:04.90 Xorg
   22 root      15  -5     0    0    0 S    0  0.0   0:00.12 ata/1
 3788 cosmin    20   0  221m 102m  26m S    0  5.1   1:12.27 firefox

I have a dual core processor, and either CPU1 or CPU2 stays at 100%
utilization...

Cosmin Neagu

NOC Team Leader

Str. I. G. Duca nr 36

Otopeni, Judetul Ilfov, 075100 Romania

Tel: 021 303 3159 / 0732 669 193

www.omnilogic.ro


Dave Edelman wrote: 

The problem might be in this line: "Actually i don't know yet how to
configure iptables"

They might be enabled by default so you might want to try this:

# iptables -L

If it shows anything but a bunch of lines saying policy accept and some
header lines, then you (at your own risk) need to tell it to stop by issuing
the magical incantation

# iptables -F

To keep the pesky safeguards off on a full-time basis, you might want to do
something like:

# chkconfig iptables off
# service iptables stop

You need to do this with root access so sudo is your friend unless you are
really brave and are logging on as root directly :)

--Dave

"I insist that my car has good brakes, they allow me to go faster"





-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Friday, July 03, 2009 10:03 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng beginners guide

On Thu, 2009-07-02 at 17:50 +0300, Cosmin Neagu wrote:

  

I have tried like this:

    On a remote Linux host (Ubuntu 9.04) I have configured syslog-ng
like this:

source s_internal { internal(); };
source s_local {
    file("/proc/kmsg" log_prefix("kernel: "));
    unix-stream("/dev/log");
};

destination d_localfile { file("/home/cosmin/syslog.log"); };
destination d_remote { tcp("192.168.53.248" port(514)); };  # i have tried with udp also

log { source(s_local);    destination(d_localfile); };
log { source(s_internal); destination(d_localfile); };
log { source(s_local);    destination(d_remote);    };

    On the syslog server (Fedora c10), the configuration is:

source s_remote_tcp { tcp(ip(0.0.0.0) port(514)); };  # i have tried with udp also.
destination d_localfile { file("/root/syslog.log"); };
log { source(s_remote_tcp); destination(d_localfile); };

    After a few tests, I have noticed (with the help of Wireshark) the
following:
1. In the UDP case, it sends the logs, I can see the packets arriving on
the server with tcpdump, but the server returns an ICMP error
Destination Unreachable, with a code "Host Administratively Prohibited"
2. The same thing in the TCP case, only that the message is not sent, only
the first SYN packet trying to establish the TCP connection, and it
receives the same ICMP error from the server.

On the server I have Fedora core 10, with SELinux disabled. No
firewall at all. Actually I don't know yet how to configure iptables.

I have noticed that on the server, if I try to define a source like
this:
source s_remote_tcp { tcp(ip(192.168.53.151) port(514)); };
it will give an error:
Starting syslog-ng: Error binding socket;
addr='AF_INET(192.168.53.151:514)', error='Cannot assign requested
address (99)'
Error initializing source driver; source='s_remote_tcp'

Pls, can someone help me with this problem? I don't know what could be
blocking the packets, if it is because of the OS or because of
syslog-ng configuration.

    



ICMP admin prohibited is probably generated by the packet filter. It
cannot be generated by an application (unless it'd be injecting ICMP
packets of its own, which syslog-ng doesn't do).

Also, I wanted to point out that starting with 2.1, syslog-ng has its
own SQL destination, no need to mess with named pipes. But if you decide
to use a newer version, I would recommend 3.0.3, the current stable
version.
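Two points in this thread lend themselves to a small runnable illustration: the bind error Cosmin reports (errno 99, EADDRNOTAVAIL, raised when a listener is pointed at an address the host does not own, which has nothing to do with a firewall) and the plain TCP exchange between the client's tcp() destination and the server's tcp() source. The Python script below is an added example written for this archive page; it is not syslog-ng code and not from any participant. It uses loopback with an ephemeral port, constructs its own sample messages, and the function names (try_bind, parse_syslog_line, relay_over_loopback) are the example's own.

```python
"""Loopback demonstration of the two situations discussed in the thread:
a listener that cannot bind to an address the host does not own (errno 99,
EADDRNOTAVAIL), and a TCP syslog exchange that succeeds once the listener is
reachable. Added example code; it is not syslog-ng and not from the thread."""
import errno
import socket
import threading


def try_bind(addr, port=0):
    """Attempt to bind a TCP socket to addr:port and report the outcome.

    Returns "ok" on success, otherwise the symbolic errno name. A source such
    as tcp(ip(<addr>) port(514)) must name an address configured on the server
    itself; a foreign address yields EADDRNOTAVAIL (99 on Linux).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((addr, port))
        return "ok"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def parse_syslog_line(line):
    """Split an RFC 3164-style "<PRI>content" line into its parts.

    PRI = facility * 8 + severity. Returns None when the PRI prefix is absent
    or malformed instead of guessing.
    """
    if not line.startswith("<") or ">" not in line:
        return None
    head, _, content = line[1:].partition(">")
    if not head.isdigit():
        return None
    pri = int(head)
    return {"facility": pri // 8, "severity": pri % 8, "content": content}


def relay_over_loopback(messages):
    """Send newline-framed syslog messages over TCP to a local listener.

    Mirrors the client's tcp() destination talking to the server's tcp()
    source, on 127.0.0.1 with an ephemeral port so no packet filter is in the
    path. Returns the parsed messages the listener received, in order.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)  # do not hang forever if the client never connects
    port = listener.getsockname()[1]
    received = []

    def serve():
        conn, _ = listener.accept()
        with conn:
            buf = b""
            while True:  # read until the client closes its side
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        for raw in buf.decode("utf-8", "replace").split("\n"):
            if raw:
                received.append(parse_syslog_line(raw))

    server = threading.Thread(target=serve)
    server.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
            for msg in messages:
                client.sendall(msg.encode("utf-8") + b"\n")
    finally:
        server.join(timeout=5)
        listener.close()
    return received


if __name__ == "__main__":
    # Constructed sample: PRI 13 = facility 1 (user) * 8 + severity 5 (notice).
    sample = ["<13>Jul  7 09:42:37 ubuntu cosmin: test message"]
    print(try_bind("0.0.0.0"))    # ok
    print(try_bind("192.0.2.1"))  # EADDRNOTAVAIL: 192.0.2.0/24 is TEST-NET-1, never local
    print(relay_over_loopback(sample))
```

Run it with python3: the first bind succeeds, the second returns EADDRNOTAVAIL because 192.0.2.1 is not configured on the host, the same condition behind syslog-ng's "Cannot assign requested address (99)". An ICMP "host administratively prohibited" reply, by contrast, comes from the packet filter on the path, as Balazs notes; the defender's fix there is a rule admitting 514/tcp (or udp) from the sending host, not flushing the chains.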



  


