[syslog-ng] Solaris Syslog-ng install lib error : syslog-ng Digest, Vol 53, Issue 22

Ashish Shrimali Ashish_Shrimali at infosys.com
Wed Sep 30 06:21:37 CEST 2009


Hi,
You need to install libnet.
Steps are as follows:
1. gunzip and untar the libnet package.
2. cd <libnetdir>
3. ./configure
4. make
5. make install
6. While installing syslog-ng, use this command (with libnet):
./configure -enable-spoof-source -with-libnet=<libnet dir path>/libnet -enable-dynamic-linking

It worked successfully for me.

Thanks & Regards,
Ashish Shrimali

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of syslog-ng-request at lists.balabit.hu
Sent: Tuesday, September 29, 2009 7:36 PM
To: syslog-ng at lists.balabit.hu
Subject: syslog-ng Digest, Vol 53, Issue 22

Send syslog-ng mailing list submissions to
        syslog-ng at lists.balabit.hu

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.balabit.hu/mailman/listinfo/syslog-ng
or, via email, send a message with subject or body 'help' to
        syslog-ng-request at lists.balabit.hu

You can reach the person managing the list at
        syslog-ng-owner at lists.balabit.hu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of syslog-ng digest..."


Today's Topics:

   1.  Syslog-ng 3 (Ashish Shrimali)
   2. Re:  Syslog-ng 3 (Fegan, Joe)
   3. Re:  sun solaris syslogng error (Balazs Scheidler)
   4. Re:  syslog-ng client machine IP address in message header
      (Balazs Scheidler)
   5.  Colon embedded in messages (:) (James Kelly)
   6. Re:  Colon embedded in messages (:) (Srinivasan Sreenivasan)


----------------------------------------------------------------------

Message: 1
Date: Tue, 29 Sep 2009 16:41:50 +0530
From: Ashish Shrimali <Ashish_Shrimali at infosys.com>
Subject: [syslog-ng] Syslog-ng 3
To: "syslog-ng at lists.balabit.hu" <syslog-ng at lists.balabit.hu>
Message-ID:
        <AE1A7E8803F348438B970CCDCA075C77115F917101 at BLRKECMBX07.ad.infosys.com>

Content-Type: text/plain;       charset="us-ascii"

Hi All,

My Syslog-ng is running, which I can see with the ps -ef command, but it is still not writing to the log file.

I have specified the log file in the conf dir.

Any inputs would be highly appreciated.

Thanks & Regards,
Ashish Shrimali

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of syslog-ng-request at lists.balabit.hu
Sent: Tuesday, September 29, 2009 3:11 PM
To: syslog-ng at lists.balabit.hu
Subject: syslog-ng Digest, Vol 53, Issue 21



Today's Topics:

   1.  Solaris Syslog-ng install lib error (list at net-secured.com)
   2. Re:  Solaris Syslog-ng install lib error (Srinivasan Sreenivasan)
   3.  sun solaris syslogng error (list at net-secured.com)
   4.  syslog-ng client machine IP address in message header
      (Jain, Vaibhav (GE Healthcare))


----------------------------------------------------------------------

Message: 1
Date: Mon, 28 Sep 2009 03:52:33 -0700
From: list at net-secured.com
Subject: [syslog-ng] Solaris Syslog-ng install lib error
To: "syslogng " <syslog-ng at lists.balabit.hu>
Message-ID:
        <20090928035233.9419518bf8837c8c492fb3b5d9b71733.3b4f820868.wbe at email03.secureserver.net>

Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20090928/9ae9e2ac/attachment-0001.htm

------------------------------

Message: 2
Date: Mon, 28 Sep 2009 08:00:09 -0500
From: Srinivasan Sreenivasan <srinivasan.srinivasan at sabre.com>
Subject: Re: [syslog-ng] Solaris Syslog-ng install lib error
To: Syslog-ng users' and developers' mailing list
        <syslog-ng at lists.balabit.hu>
Message-ID: <C6E61D89.5EF6%srinivasan.srinivasan at sabre.com>
Content-Type: text/plain; charset="us-ascii"

The PKG_CONFIG_PATH should include directories that have .pc files in them.


On 9/28/09 5:52 AM, "list at net-secured.com" <list at net-secured.com> wrote:

> Hi
> I tried to install syslog-ng v3.0.4 on Sparc v. 10; running:  ./configure
> --enable-sun-streams, --enable-sun-door gives this warning:
> configure: WARNING: unrecognized options: --enable-sun-streams,
> --enable-sun-door
>
> any ideas?
>
>
>
> furthermore, I get this error:
> checking for GLIB - version >= 2.10.1... no
> *** Could not run GLIB test program, checking why...
> *** The test program failed to compile or link. See the file config.log for
> the
> *** exact error that occured. This usually means GLIB is incorrectly
> installed.
> configure: error: Cannot find GLIB version >= 2.10.1: is pkg-config in path?
>
> ===
> Adding the path below : produces another error
>
> export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/:/usr/lib/pkgconfig/
>
> checking for LIBDBI... Package dbi was not found in the pkg-config search
> path.
> Perhaps you should add the directory containing `dbi.pc'
> to the PKG_CONFIG_PATH environment variable
> No package 'dbi' found
> no
> checking for dbi_initialize in -ldbi... no
> checking pthread.h usability... yes
> checking pthread.h presence... yes
> checking for pthread.h... yes
> checking for pthread_create in -lpthread... yes
> checking for LIBNET... no
> checking whether to enable Sun STREAMS support... yes
> checking whether to enable Sun door support... yes
> checking whether to enable IPv6 support... yes
> checking whether to enable SQL support... no
> checking whether to enable Linux capability support... no
> checking whether to enable PCRE support... yes
> checking for pkg-config... (cached) /usr/bin/pkg-config
> checking pkg-config is at least version 0.14... yes
> checking for GLIB - version >= 2.10.1... yes (version 2.14.1)
> checking for EVTLOG... yes
> checking for LIBNET... configure: error: libnet-config not found
>
>
> thanks
>
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>


------------------------------

Message: 3
Date: Tue, 29 Sep 2009 02:12:39 -0700
From: list at net-secured.com
Subject: [syslog-ng] sun solaris syslogng error
To: "syslogng " <syslog-ng at lists.balabit.hu>
Message-ID:
        <20090929021239.9419518bf8837c8c492fb3b5d9b71733.52c5b2692b.wbe at email03.secureserver.net>

Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20090929/39b646fe/attachment-0001.htm

------------------------------

Message: 4
Date: Tue, 29 Sep 2009 15:11:05 +0530
From: "Jain, Vaibhav (GE Healthcare)" <Vaibhav.Jain at ge.com>
Subject: [syslog-ng] syslog-ng client machine IP address in message
        header
To: "Syslog-ng users' and developers' mailing list"
        <syslog-ng at lists.balabit.hu>
Message-ID:
        <E4A9BE70C73D184D8826C6AE68B197810ECF6C6B at BANMLVEM05.e2k.ad.ge.com>
Content-Type: text/plain; charset="us-ascii"

Hi,

I am using syslog-ng open source (syslog-ng-3.0.3-1.rhel5.amd64) for log
collection. I want to pass the syslog-ng machine IP address in the
message header. In the current configuration I am getting the following
header in the log message -->

Sep 29 00:24:20 INBLRECIS2871 ''

In the above message "INBLRECIS2871" is the syslog-ng machine name, but I
want the IP address in place of the machine name. Let me know how to achieve
this?



Current configuration -->
1) syslog-ng client config :->

options {
        mark_freq(30);
        log_msg_size(65530);
}

destination d_messages {
                syslog("3.2.20.26" transport("tcp") port(601)
template("$HOST $MSGHDR$MSG ::::$FILE_NAME"));
}


2) syslog-ng server config->

options {
        time_reap(30);
        mark_freq(10);
        log_msg_size(65530);
}


Regards,
Vaibhav

------------------------------

_______________________________________________
syslog-ng maillist  -  syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng


End of syslog-ng Digest, Vol 53, Issue 21
*****************************************



------------------------------

Message: 2
Date: Tue, 29 Sep 2009 12:59:29 +0000
From: "Fegan, Joe" <Joe.Fegan at hp.com>
Subject: Re: [syslog-ng] Syslog-ng 3
To: Syslog-ng users' and developers' mailing list
        <syslog-ng at lists.balabit.hu>
Message-ID:
        <0E6222894DE49B40A3A9FD929C630BCB5E28386E94 at GVW1121EXC.americas.hpqcorp.net>

Content-Type: text/plain; charset="us-ascii"

You have not given us anything to work with. Please send a copy of your syslog-ng.conf file for analysis.

------------------------------

Message: 3
Date: Tue, 29 Sep 2009 15:32:30 +0200
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] sun solaris syslogng error
To: Syslog-ng users' and developers' mailing list
        <syslog-ng at lists.balabit.hu>
Message-ID: <1254231150.5956.112.camel at bzorp.balabit>
Content-Type: text/plain

On Tue, 2009-09-29 at 02:12 -0700, list at net-secured.com wrote:
> Why does sun-streams("/dev/log" door("/var/run/syslog_door"));  line
> give the error below on Solaris 10:
>
> Error opening syslog device; filename='/dev/log', error='Operation not
> supported on transport endpoint (122)'
> Error initializing source driver; source='src_local',
> id='src_local#0'
> Error initializing message pipeline;
>
>
> unix-stream("/dev/log"); works but no log gets generated.
> The syslog-ng was downloaded from sunfreeware, Any input would be
> appreciated.

The unix-stream() driver might have overwritten your /dev/log device
with a unix domain socket, instead of being a device node.

Check your /dev/log file; it should look like this:

# ls -l /dev/log
lrwxrwxrwx   1 root     other         27 Jan 13  2009 /dev/log -> ../devices/pseudo/log at 0:log

And the file under /devices:

crw-r-----   1 root     sys       21,  5 Jan 13  2009 /devices/pseudo/log at 0:log



>
> here is my config:
>
>
> @version:3.0
> ###############################################################
> # First, set some global options.
> options {
>         chain_hostnames(0);
>         time_reopen(10);
>         time_reap(360);
>         log_fifo_size(2048);
>         create_dirs(yes);
>         group(adm);
>         perm(0640);
>         dir_perm(0755);
>         use_dns(yes);
>         stats_freq(0);
> };
> ###############################################################
> #
> # This is the default behavior of sysklogd package
> # Logs may come from unix stream, but not from another machine.
> #
> source src_local {
>                    sun-streams("/dev/log"
> door("/var/run/syslog_door"));
>                 internal();
>                 };
> source s_dev {
>         udp(ip("0.0.0.0") port(514));
> };
> ###############################################################
> # Some `catch-all' logfiles.
> destination d_src_local { file("/appl/232/data/syslog-ng/messages"
> owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes) ); };
> destination d_dev { file("/appl/232/data/syslog-ng/fillit" owner(root)
> group(root) perm(0600) dir_perm(0700) create_dirs(yes) ); };
>   log { source(src_local); destination(d_src_local);};
>   log { source(s_dev); destination(d_dev);};
>
>
>
--
Bazsi



------------------------------

Message: 4
Date: Tue, 29 Sep 2009 13:34:39 +0000
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] syslog-ng client machine IP address in
        message header
To: Syslog-ng users' and developers' mailing list
        <syslog-ng at lists.balabit.hu>
Message-ID: <1254231279.5956.114.camel at bzorp.balabit>
Content-Type: text/plain

On Tue, 2009-09-29 at 15:11 +0530, Jain, Vaibhav (GE Healthcare) wrote:
> Hi,
>
> I am using syslog-ng open source (syslog-ng-3.0.3-1.rhel5.amd64) for
> log collection. I want to pass the syslog-ng machine IP address in the
> message header. In the current configuration I am getting the following
> header in the log message -->
>
> Sep 29 00:24:20 INBLRECIS2871 ''
>
> In the above message "INBLRECIS2871" is the syslog-ng machine name,
> but I want the IP address in place of the machine name. Let me know how to
> achieve this?
>
>
>
> Current configuration -->
> 1) syslog-ng client config :->
>
> options {
>         mark_freq(30);
>         log_msg_size(65530);
> }
>
> destination d_messages {
>                 syslog("3.2.20.26" transport("tcp") port(601)
> template("$HOST $MSGHDR$MSG ::::$FILE_NAME"));
> }
>
>
> 2) syslog-ng server config->
>
> options {
>         time_reap(30);
>         mark_freq(10);
>         log_msg_size(65530);
> }
>

Well, you can control the name resolution behaviour with:
keep_hostname(yes or no) and use_dns(yes or no)

If you use keep_hostname(no) and use_dns(no), you'll make syslog-ng
always replace the HOST field of the message with the IP address of the
sender host.

If you have multiple hops (e.g. relays), you might want to use the
settings above only on the first hop, and then keep_hostname(yes) on the
central syslog server, because otherwise you'd always see the relay ip
address.

--
Bazsi
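An added example, not from Bazsi's reply or from the syslog-ng project, that lays out the per-hop split he describes as two syslog-ng 3.0 configuration files; the receiving side mirrors the syslog(... transport("tcp") port(601)) destination from the question, and the central server address, the log directory and the source/destination names are assumptions:

```conf
# --- File 1: syslog-ng.conf on the first hop (the host the clients send to) ---
@version: 3.0
options {
    keep_hostname(no);   # drop the hostname the client wrote into the header
    use_dns(no);         # and do not resolve the sender, so $HOST becomes its IP
};
# Matches the client's syslog("..." transport("tcp") port(601)) destination.
source s_clients { syslog(ip("0.0.0.0") port(601) transport("tcp")); };
# Forward to the central server (assumed address); $HOST already holds the
# client IP at this point and is sent on in the header.
destination d_central { syslog("10.0.0.5" transport("tcp") port(601)); };
log { source(s_clients); destination(d_central); };

# --- File 2: syslog-ng.conf on the central server ---
@version: 3.0
options {
    keep_hostname(yes);  # keep the $HOST the first hop set; with keep_hostname(no)
                         # every message would show the relay's IP instead
};
source s_relays { syslog(ip("0.0.0.0") port(601) transport("tcp")); };
# One directory per original sender. Because keep_hostname(yes) takes $HOST
# from the header, only the relay should be allowed to reach this port, so
# the value used in the path always comes from the relay's rewrite above.
destination d_by_host { file("/var/log/remote/$HOST/messages" create_dirs(yes)); };
log { source(s_relays); destination(d_by_host); };
```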



------------------------------

Message: 5
Date: Tue, 29 Sep 2009 09:57:34 -0400
From: James Kelly <james.kelly at hmsinc.com>
Subject: [syslog-ng] Colon embedded in messages (:)
To: syslog-ng at lists.balabit.hu
Message-ID:
        <6d52e8e0909290657r506ed5fl202d21a2a51410f7 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

I am attempting to implement syslog-ng on our servers hosting postgresql
databases.  The general idea is to log "too much" at the database level and
then, using syslog filters, reduce it to the information we want to actually
hold in the syslog and send to the log server.  So far I am extremely
pleased with how easy it is to implement and well documented.  However, I do
have one problem that is making it difficult to use.

The problem is that for each message the filter matches, it does not
completely drop the message; rather, it logs the date, server, and a
colon:

For example, this is what I get for a message that is matched by a filter:

"Sep 29 09:43:29 hcdb1-rep2      :"

I notice that even with the unmatched statements, there is a colon.  For
example, in the postgresql log, I see:

insert into "public"."table"(blah,blah,blah) values (blah,blah,blah);

but the same message once captured from syslog shows the following in the
log and logserver:

Sep 29 09:43:29 hcdb1-rep2      insert: into
"public"."table"(blah,blah,blah) values (blah,blah,blah);

*Note the colon after "insert".*  I can't seem to figure out where this is
coming from or how to avoid it.  It also causes some filtering problems that
I won't go into here so as to not confuse the issues, but safe to say it is
also related to the colon.

I have spent a lot of time trying to figure this out and am at a dead-end.
Due to the number of messages I need to filter out (below is just one of the
many filters I need to put in and have tested with the same result), not
being able to completely filter these out is a killer.

I am using the 3.0.4 open-source edition on Ubuntu 8.  Here is my config:

******************************************************************************************
@version: 3.0

options {
};

######
# sources
source s_local {
# message generated by Syslog-NG
internal();
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" program_override("kernel: "));
file("/var/log/postgresql/postgresql-8.3-main.log");
};


######
# destinations
destination d_messages { file("/var/log/messages"); };

#####
# filters

filter f_inserts2 {
        not match("_health_central" value("MESSAGE"));
};


destination d_logserver { tcp("internal.host.com"); };


log {
source(s_local);
filter(f_inserts2);
destination(d_messages);
#destination(d_logserver);
};
******************************************************************************************

Thanks!
James Kelly

------------------------------

Message: 6
Date: Tue, 29 Sep 2009 09:05:35 -0500
From: Srinivasan Sreenivasan <srinivasan.srinivasan at sabre.com>
Subject: Re: [syslog-ng] Colon embedded in messages (:)
To: Syslog-ng users' and developers' mailing list
        <syslog-ng at lists.balabit.hu>
Message-ID: <C6E77E5F.6030%srinivasan.srinivasan at sabre.com>
Content-Type: text/plain; charset="iso-8859-1"

I think Syslog-ng thinks insert is a program name. Use a template with
$PROGRAM in it to see if it prints "insert" to confirm this.

Solution:
Send a program name before your sql statement using a template.


On 9/29/09 8:57 AM, "James Kelly" <james.kelly at hmsinc.com> wrote:

> Hello,
>
> I am attempting to implement syslog-ng on our servers hosting postgresql
> databases.  The general idea is to log "too much" at the database level and
> then, using syslog filters, reduce it to the information we want to actually
> hold in the syslog and send to the log server.  So far I am extremely pleased
> with how easy it is to implement and well documented.  However, I do have one
> problem that is making it difficult to use.
>
> The problem is that for each message the filter matches, it does not
> completely drop the message; rather, it logs the date, server, and a colon:
>
> For example, this is what I get for a message that is matched by a filter:
>
> "Sep 29 09:43:29 hcdb1-rep2      :"
>
> I notice that even with the unmatched statements, there is a colon.  For
> example, in the postgresql log, I see:
>
> insert into "public"."table"(blah,blah,blah) values (blah,blah,blah);
>
> but the same message once captured from syslog shows the following in the log
> and logserver:
>
> Sep 29 09:43:29 hcdb1-rep2      insert: into "public"."table"(blah,blah,blah)
> values (blah,blah,blah);
>
> *Note the colon after "insert".*  I can't seem to figure out where this is
> coming from or how to avoid it.  It also causes some filtering problems that I
> won't go into here so as to not confuse the issues, but safe to say it is also
> related to the colon.
>
> I have spent a lot of time trying to figure this out and am at a dead-end.
> Due to the number of messages I need to filter out (below is just one of the
> many filters I need to put in and have tested with the same result), not being
> able to completely filter these out is a killer.
>
> I am using the 3.0.4 open-source edition on Ubuntu 8.  Here is my config:
>
> ******************************************************************************************
> @version: 3.0
>
> options {
> };
>
> ######
> # sources
> source s_local {
> # message generated by Syslog-NG
> internal();
> # standard Linux log source (this is the default place for the syslog()
> # function to send logs to)
> unix-stream("/dev/log");
> # messages from the kernel
> file("/proc/kmsg" program_override("kernel: "));
> file("/var/log/postgresql/postgresql-8.3-main.log");
> };
>
>
> ######
> # destinations
> destination d_messages { file("/var/log/messages"); };
>
> #####
> # filters
>
> filter f_inserts2 {
>         not match("_health_central" value("MESSAGE"));
> };
>
>
> destination d_logserver { tcp("internal.host.com"); };
>
>
> log {
> source(s_local);
> filter(f_inserts2);
> destination(d_messages);
> #destination(d_logserver);
> };
> ******************************************************************************************
>
> Thanks!
> James Kelly
>
>
>
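An added example (not James's or Srinivasan's code, nor the project's) that applies the reply on the syslog-ng side using the paths from James's config: first a destination whose template writes $PROGRAM and $MSG separately, to confirm that "insert" is being taken as the program name, then a file() source that keeps the whole line in $MSG and sets the program name itself. The debug log path and the name "postgres" are assumptions; flags(no-parse) and program_override() are standard 3.0 source options, used here instead of the prefix Srinivasan suggests sending from the PostgreSQL side.

```conf
@version: 3.0

# Step 1 (diagnosis, run first): add this destination to the existing log path.
# For the line
#   insert into "public"."table"(...) values (...);
# it records program=<insert> msg=<into "public"."table"(...) values (...);>,
# which is why the default "$MSGHDR$MSG" output shows "insert: into ...":
# the legacy parser took the first word as the program name and the header
# template printed it back followed by a colon.
destination d_parse_debug {
    file("/var/log/syslog-ng-parse-debug.log"
         template("$DATE $HOST program=<$PROGRAM> msg=<$MSG>\n"));
};

# Step 2 (fix): replace the PostgreSQL file() line in s_local with this source.
# flags(no-parse) stops the syslog parser, so the complete line stays in $MSG
# and nothing is taken as a program name; program_override() supplies the
# name that the "$PROGRAM: " header needs, the same way the kernel source in
# James's config already does.
source s_pgsql {
    file("/var/log/postgresql/postgresql-8.3-main.log"
         flags(no-parse)
         program_override("postgres"));
};

# The existing filter keeps working because $MESSAGE is still the full line,
# so the whole statement is dropped when it matches rather than just its tail.
filter f_inserts2 { not match("_health_central" value("MESSAGE")); };
destination d_messages { file("/var/log/messages"); };
log { source(s_pgsql); filter(f_inserts2); destination(d_messages); };
```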


------------------------------



End of syslog-ng Digest, Vol 53, Issue 22
*****************************************

