[syslog-ng] Logging only certain logs to a remote syslog server

Fegan, Joe Joe.Fegan at hp.com
Mon Nov 16 14:22:58 CET 2009


flags(final) means "if you follow this path don't follow any subsequent ones"

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Paras Fadte
Sent: 16 November 2009 12:44
To: Pallagi Zoltán
Cc: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Logging only certain logs to a remote syslog server

Hi,

Got around that problem of postgres messages getting logged to
/var/log/messages. But I have encountered an issue while trying to
dump logs to remote syslog server. Following explains the same:

Client running syslog-ng version 1.6.8 and OS suse 10.1
Syslog server running syslog version 1.6.12 and OS suse 10.3


The problem is postgres logs don't seem to get written to syslog
server whereas mail logs are written to it. The "log" directives
used in syslog-ng config use the same "destination" definition.


Client config:

filter f_postgres { facility(local0) and match('postgres'); };

destination postgres { file("/home/postgres/logs/postgres"); };
                       # postgres logs are written to local filesystem
log { source(src); filter(f_postgres);  destination(postgres); flags(final); };

destination postgresloghost {udp("192.68.10.1" port(5140)); };
log { source(src); filter(f_postgres); destination(postgresloghost); };
                         # this doesn't write postgres logs to remote syslog server
log { source(src); filter(f_mail); destination(postgresloghost); };
                          # this writes the mail logs to remote syslog server


On syslog server I have defined  following in syslog-ng config :
----------------------------------------------------------------------------------------


filter f_postgres   { facility(local0); };
filter f_notpostgres { not filter(f_postgres); };


destination std { file
("/home/logs/HOSTS/$YEAR-$MONTH-$DAY/$HOST/$FACILITY-$YEAR-$MONTH-$DAY-$HOUR"
owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes) );
};
log {
        source(src);
        filter(f_notpostgres);
        destination(std);
};


destination postgres { file
("/home/logs/HOSTS/$YEAR-$MONTH-$DAY/$HOST/Postgres-$HOUR" owner(root)
group(root) perm(0600) dir_perm(0700) create_dirs(yes) ); };
log {
        source(src);
        filter(f_postgres);
        destination(postgres);
};


What could be the issue ? I stopped Apparmor on both the machines and
checked but the postgres logs are not written to syslog server.  The
postgres version used is 8.4.1

Thank you.

-Paras


On Mon, Nov 9, 2009 at 3:50 PM, Pallagi Zoltán <pzolee at balabit.hu> wrote:
> Hi,
>
> Paras Fadte wrote:
>
> Hi Bill,
>
> Thanks for the response . When I tried the following it didn't seem to
> work. The remote host doesn't show any logs .
>
> source postgreslog {file("/home/postgres/data_log-8_4_1"); };
> destination postgresloghost { udp("192.168.1.8" port(5140)); };
> log { source(postgreslog);  destination(postgresloghost); };
>
>
>
> Are you really sure that your psql logs come from
> "/home/postgres/data_log-8_4_1"?
> You can run syslog-ng with "-Fevd" options to watch what syslog-ng reads
> from this file (to check this just send a plain text line to this file and
> you should see it on the screen of syslog-ng)
>
> But the following works :
>
> filter f_postgres { facility(local0) and match('postgres'); };
> destination postgresloghost { udp("192.168.1.8" port(5140)); };
> log { source(src); filter(f_postgres);  destination(postgresloghost);
> flags(final); };
>
>
> Can you show me your full source src{...} line in config? Because your psql
> logs seem to be coming from /dev/log
>
> What could be wrong ? I have also noticed that the remote syslog
> server logs these messages in its /var/log/messages file also . Can
> this be prevented ?
>
>
> Yes, because your sources should also be split to different destinations.
> For example:
> source s_net {udp(port(5140));};
> destination psql_file{file("/var/log/psql.log");};
> log {source(s_net);destination(psql_file);};
>
> Thank you
>
> -Paras
>
>
> On Thu, Nov 5, 2009 at 9:12 PM, Bill Nash <billn at billn.net> wrote:
>
>
> Sure, it's very easy. Create a source stanza for the files you want to
> monitor. Create a destination stanza for the host you want to send to. Add
> another log stanza containing them both.
>
> source mysqllog { file("/var/lib/mysql/mysql.err" log_prefix("mysql: ")); };
> destination mysqlloghost { udp("192.168.1.1" port (514)); };
> log{ source(mysqllog); destination(mysqlloghost); };
>
> - billn
>
> On Thu, Nov 5, 2009 at 2:00 AM, Paras Fadte <plfgoa at gmail.com> wrote:
>
>
> Hi,
>
> Is it possible to log only a particular logs to a remote syslog server
> ? For example logging only mysql/postgres logs to a remote host .
> syslog-ng version used is syslog-ng 1.6.8
>
> Thank you.
>
> -Paras
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
>
> --
>
> - billn
>
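The effect of flags(final) described in the reply at the top, applied to the client config from the quoted message. This is an added example, not configuration posted by anyone in the thread; the names and the address are copied from the client config as posted, and src and f_mail are assumed to be defined elsewhere in that config.

```conf
# Added example: client-side syslog-ng log paths, rewritten so that postgres
# messages reach both the local file and the remote collector.

filter f_postgres { facility(local0) and match('postgres'); };

destination postgres        { file("/home/postgres/logs/postgres"); };
destination postgresloghost { udp("192.68.10.1" port(5140)); };

# As posted: the first path matches postgres messages and is marked final,
# so a postgres message is never offered to the second path.
#
#   log { source(src); filter(f_postgres); destination(postgres); flags(final); };
#   log { source(src); filter(f_postgres); destination(postgresloghost); };

# Option 1: one path, two destinations. The message is written locally and
# forwarded, and flags(final) then keeps it out of every later path
# (for example the one that feeds /var/log/messages).
log {
    source(src);
    filter(f_postgres);
    destination(postgres);
    destination(postgresloghost);
    flags(final);
};

# Option 2 (instead of option 1, not in addition to it): keep two paths and
# put flags(final) only on the last path that should see postgres messages.
#
#   log { source(src); filter(f_postgres); destination(postgres); };
#   log { source(src); filter(f_postgres); destination(postgresloghost); flags(final); };

# Mail forwarding already worked because mail messages do not match
# f_postgres, so the final path never consumed them.
log { source(src); filter(f_mail); destination(postgresloghost); };
```

Running syslog-ng with the "-Fevd" options mentioned earlier in the thread shows which messages are read and where they are delivered after the change.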