[syslog-ng] Logging with db-parser issue
Nate Hausrath
hausrath at gmail.com
Fri May 8 16:23:40 CEST 2009
Thanks for the response.
It looks like there may be a problem with my install or a bug
somewhere. With the config file below, I'm still not getting messages
in my /var/log/remote/parsed.log file. However, when I comment out
"parser(p_db);" in the log section of the config, messages begin
showing up.
After a bit more investigation, when I receive the first remote log
message over UDP, the following appears in my /var/log/messages:
kernel: : [89941.138626] syslog-ng[16473]: segfault at 00000010 eip
08063e49 esp bfa1a490 error 4
Even after this, the process is still running and the ports are still
open. At this point, I'm not really sure how to diagnose the problem.
-Nate
>>
>> Other than that, here is my syslog-ng.conf file:
>>
>> @version: 3.0
>> #Default configuration file for syslog-ng.
>> #
>> # For a description of syslog-ng configuration file directives, please read
>> # the syslog-ng Administrator's guide at:
>> #
>> # http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
>> #
>>
>> options {
>> };
>>
>> ######
>> # sources
>> source s_local {
>> # message generated by Syslog-NG
>> internal();
>> # standard Linux log source (this is the default place for the syslog()
>> # function to send logs to)
>> unix-stream("/dev/log");
>> # messages from the kernel
>> file("/proc/kmsg" program_override("kernel: "));
>> };
>>
>> source s_net {
>> udp();
>> tcp();
>> };
>>
>> parser p_db { db-parser(); };
>>
>> ######
>> # destinations
>> destination d_messages { file("/var/log/messages"); };
>> destination d_parsed { file("/var/log/remote/parsed.log"); };
>>
>> log {
>> source(s_local);
>> destination(d_messages);
>> };
>>
>> log {
>> source(s_net);
>> destination(d_parsed);
>> parser(p_db);
>> };
>
> the log statements define a 'pipeline', thus your messages will reach
> the db-parser() only after having been written to the d_parsed
> destination.
>
>
>>
>> And here is my windows.xml file:
>>
>> <?xml version='1.0' encoding='UTF-8'?>
>> <patterndb version='2' pub_date='2009-05-07'>
>> <ruleset name='windows'>
>> <pattern>MSWinEventLog</pattern>
>> <rules>
>> <rule provider='nate' id='1' class='system'>
>> <patterns>
>> <pattern>540</pattern>
>> </patterns>
>> <description>This is a terrible terrible message to receive.
>> Game over man! Game over!</description>
>> </rule>
>> </rules>
>> </ruleset>
>> </patterndb>
>>
>>
>> As you see, to test I just want to match on the number '540' and put
>> that log message in /var/log/remote/parsed.log. I have verified that
>> messages that should match this are arriving at the machine when I
send them. If I turn off the db-parser, the messages appear in the
>> parsed.log file.
>
> All messages should end up in your parsed.log file anyway. In order to
> only match those which matched any of the patterns, you need to put
> filters into your log statement.
>
>>
>
> --
> Bazsi
>
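Putting Bazsi's two points into a corrected configuration, as an added example that is not part of the original thread: the parser runs before the filter and the destination in the log statement, and a filter keeps only the messages the pattern database actually classified. The pattern-database path, the unmatched-log destination and the `.classifier.class` macro (with its `unknown` value for unmatched messages) are assumptions taken from the syslog-ng 3.0 admin guide, not from the post; check them against your version.

```conf
@version: 3.0

source s_net {
    udp();
    tcp();
};

# Assumed path for the pattern database; point it at wherever windows.xml lives.
parser p_db { db-parser(file("/etc/syslog-ng/windows.xml")); };

# db-parser() stores the class of the matching rule in the .classifier.class
# macro (assumed from the 3.0 guide); the rule in windows.xml uses class='system'.
filter f_system  { match("^system$"  value(".classifier.class")); };
# Messages that matched no rule are classified as 'unknown' (assumed).
filter f_unknown { match("^unknown$" value(".classifier.class")); };

destination d_parsed    { file("/var/log/remote/parsed.log"); };
destination d_unmatched { file("/var/log/remote/unmatched.log"); };

# The log statement is a pipeline: the parser must run before the filter,
# and the filter before the destination. Putting destination() first (as in
# the original config) writes every message before the parser ever sees it.
log {
    source(s_net);
    parser(p_db);
    filter(f_system);
    destination(d_parsed);
};

# Separate path for everything that did not classify, useful while
# troubleshooting which messages the patterns are not catching.
log {
    source(s_net);
    parser(p_db);
    filter(f_unknown);
    destination(d_unmatched);
};
```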