[syslog-ng] Logging only certain logs to a remote syslog server

Paras Fadte plfgoa at gmail.com
Mon Nov 16 16:50:55 CET 2009


That did the trick.  Thank you Joe.

-Paras

On Mon, Nov 16, 2009 at 6:52 PM, Fegan, Joe <Joe.Fegan at hp.com> wrote:
> flags(final) means "if you follow this path don't follow any subsequent ones"
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Paras Fadte
> Sent: 16 November 2009 12:44
> To: Pallagi Zoltán
> Cc: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Logging only certain logs to a remote syslog server
>
> Hi,
>
> Got around that problem of postgres messages getting logged to
> /var/log/messages. But I have encountered an issue while trying to
> dump logs to the remote syslog server. The following explains the same:
>
> Client running syslog-ng version 1.6.8 and OS suse 10.1
> Syslog server running syslog version 1.6.12 and OS suse 10.3
>
>
> The problem is postgres logs don't seem to get written to the syslog
> server whereas mail logs are written to it. The "log" directives
> used in the syslog-ng config use the same "destination" definition.
>
>
> Client config:
>
> filter f_postgres { facility(local0) and match('postgres'); };
>
> # postgres logs are written to local filesystem
> destination postgres { file("/home/postgres/logs/postgres"); };
> log { source(src); filter(f_postgres);  destination(postgres); flags(final); };
>
> destination postgresloghost {udp("192.68.10.1" port(5140)); };
> # this doesn't write postgres logs to remote syslog server
> log { source(src); filter(f_postgres); destination(postgresloghost); };
> # this writes the mail logs to remote syslog server
> log { source(src); filter(f_mail); destination(postgresloghost); };
>
>
> On the syslog server I have defined the following in the syslog-ng config:
> ----------------------------------------------------------------------------------------
>
>
> filter f_postgres   { facility(local0); };
> filter f_notpostgres { not filter(f_postgres); };
>
>
> destination std {
>        file("/home/logs/HOSTS/$YEAR-$MONTH-$DAY/$HOST/$FACILITY-$YEAR-$MONTH-$DAY-$HOUR"
>             owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
> };
> log {
>        source(src);
>        filter(f_notpostgres);
>        destination(std);
> };
>
>
> destination postgres {
>        file("/home/logs/HOSTS/$YEAR-$MONTH-$DAY/$HOST/Postgres-$HOUR"
>             owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
> };
> log {
>        source(src);
>        filter(f_postgres);
>        destination(postgres);
> };
>
>
> What could be the issue? I stopped AppArmor on both the machines and
> checked, but the postgres logs are not written to the syslog server. The
> postgres version used is 8.4.1
>
> Thank you.
>
> -Paras
>
>
> On Mon, Nov 9, 2009 at 3:50 PM, Pallagi Zoltán <pzolee at balabit.hu> wrote:
>> Hi,
>>
>> Paras Fadte wrote:
>>
>> Hi Bill,
>>
>> Thanks for the response. When I tried the following it didn't seem to
>> work. The remote host doesn't show any logs.
>>
>> source postgreslog {file("/home/postgres/data_log-8_4_1"); };
>> destination postgresloghost { udp("192.168.1.8" port(5140)); };
>> log { source(postgreslog);  destination(postgresloghost); };
>>
>>
>>
>> Are you really sure that your psql logs come from
>> "/home/postgres/data_log-8_4_1"?
>> You can run syslog-ng with "-Fevd" options to watch what syslog-ng reads
>> from this file (to check this just send a plain text line to this file and
>> you should see it on the screen of syslog-ng)
>>
>> But the following works:
>>
>> filter f_postgres { facility(local0) and match('postgres'); };
>> destination postgresloghost { udp("192.168.1.8" port(5140)); };
>> log { source(src); filter(f_postgres);  destination(postgresloghost);
>> flags(final); };
>>
>>
>> Can you show me your full source src{...} line in config? Because your psql
>> logs seem to be coming from /dev/log
>>
>> What could be wrong? I have also noticed that the remote syslog
>> server logs these messages in its /var/log/messages file also. Can
>> this be prevented?
>>
>>
>> Yes, because your sources should also be split to different destinations.
>> For example:
>> source s_net {udp(port(5140));};
>> destination psql_file{file("/var/log/psql.log");};
>> log {source(s_net);destination(psql_file);};
>>
>> Thank you
>>
>> -Paras
>>
>>
>> On Thu, Nov 5, 2009 at 9:12 PM, Bill Nash <billn at billn.net> wrote:
>>
>>
>> Sure, it's very easy. Create a source stanza for the files you want to
>> monitor. Create a destination stanza for the host you want to send to. Add
>> another log stanza containing them both.
>>
>> source mysqllog { file("/var/lib/mysql/mysql.err" log_prefix("mysql: ")); };
>> destination mysqlloghost { udp("192.168.1.1" port (514)); };
>> log{ source(mysqllog); destination(mysqlloghost); };
>>
>> - billn
>>
>> On Thu, Nov 5, 2009 at 2:00 AM, Paras Fadte <plfgoa at gmail.com> wrote:
>>
>>
>> Hi,
>>
>> Is it possible to log only particular logs to a remote syslog server?
>> For example, logging only mysql/postgres logs to a remote host.
>> The syslog-ng version used is syslog-ng 1.6.8
>>
>> Thank you.
>>
>> -Paras
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>
>>
>>
>> --
>>
>> - billn
>
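
The effect of flags(final) described in this thread, as an added example that is not taken from any poster's configuration: the client's first postgres log path was final, so the later path to postgresloghost never saw those messages. It reuses the names and address from the client config quoted above and assumes that `src` and `f_mail` are defined elsewhere in that config, as in the original post.

```conf
# Added example; names and address reused from the client config quoted above.
# Assumption: source "src" and filter "f_mail" are defined elsewhere in the
# client's syslog-ng.conf, as they are in the original post.

filter f_postgres { facility(local0) and match('postgres'); };

destination postgres        { file("/home/postgres/logs/postgres"); };
destination postgresloghost { udp("192.68.10.1" port(5140)); };

# As posted: log paths are evaluated in order and the first one is final,
# so a postgres message stops there and never reaches the remote path below it.
#
#   log { source(src); filter(f_postgres); destination(postgres); flags(final); };
#   log { source(src); filter(f_postgres); destination(postgresloghost); };

# One path, both destinations: the message is written locally and forwarded,
# and flags(final) still keeps it out of any log paths that come later in
# the file.
log {
    source(src);
    filter(f_postgres);
    destination(postgres);
    destination(postgresloghost);
    flags(final);
};

# Mail logs are unaffected: no earlier final path matches them.
log { source(src); filter(f_mail); destination(postgresloghost); };
```

Keeping a final path as the last statement that matches a given filter gives the same result when the two destinations have to stay in separate log statements.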

