[syslog-ng] Syslog-ng3 : syslog-ng Digest, Vol 53, Issue 25

Ashish Shrimali Ashish_Shrimali at infosys.com
Wed Sep 30 06:24:34 CEST 2009


Hi,
The syslog-ng conf file is

@version:3.0

options {
        use_dns(persist_only);
        dns_cache_hosts("/etc/hosts");
        #chain_hostnames(yes);
        keep_hostname(yes);
        keep_timestamp(yes);
        };

source all_sources {
        # Solaris uses STREAMS to send messages to the syslogd process; replicate that for syslog-ng
        sun-streams("/dev/log" door("/etc/.syslog_door"));
#       sun-streams( door("/etc/.syslog_door"));
        # Messages generated internally by Syslog-ng
        internal();
        # Listens on the specified udp port for incoming messages
        udp(ip("0.0.0.0") port(514));
        };

destination local7apm { file("/var/log/syslog" template("$DATE $HOST $MSGHDR $MSGONLY\n")); };
#destination local7apm { udp("smarts5" port(514) spoof-source(yes)); };
#destination d_tcp { tcp("10.1.2.3" port(1999); localport(999)); };
#destination messages { file("/var/adm/messages" template("$DATE $HOST $MSG\n")); };

# Below 5 lines taken from existing configuration

#destination sysmsg { file("/dev/sysmsg" template("$DATE $HOST $MSG\n")); };
#destination operator { usertty("operator" template("$DATE $HOST $MSG\n")); };
destination operator { usertty("operator"); };
#destination all_alerts { usertty("operator" template("$DATE $HOST $MSG\n")); };
destination all_alerts { usertty("operator"); };
#destination all_alerts1 { usertty("root" template("$DATE $HOST $MSG\n")); };
destination all_alerts1 { usertty("root"); };
#destination emergency { usertty("*" template("$DATE $HOST $MSG\n")); };
destination emergency { usertty("*"); };

#

filter local7msgs { facility(local7) and level(info..emerg); };
filter messages { facility(kern, daemon, mail) and level(debug, info, notice, warning, err, crit, alert, emerg); };
filter f_sysmsg { facility(kern, auth) and level(notice); };
filter f_all_errors { level(err); };
filter f_operator { facility(kern, daemon) and level(err); };
filter f_all_alerts { level(alert); };
filter f_all_alerts1 { level(alert); };
filter f_emergency { level(emerg); };


Thanks & Regards,
Ashish Shrimali

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of syslog-ng-request at lists.balabit.hu
Sent: Wednesday, September 30, 2009 9:52 AM
To: syslog-ng at lists.balabit.hu
Subject: syslog-ng Digest, Vol 53, Issue 25

Send syslog-ng mailing list submissions to
        syslog-ng at lists.balabit.hu

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.balabit.hu/mailman/listinfo/syslog-ng
or, via email, send a message with subject or body 'help' to
        syslog-ng-request at lists.balabit.hu

You can reach the person managing the list at
        syslog-ng-owner at lists.balabit.hu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of syslog-ng digest..."


Today's Topics:

   1. Re:  Colon embedded in messages (:) (chris packham)
   2. Re:  Colon embedded in messages (:) (Evan Rempel)
   3.  Solaris Syslog-ng install lib error : syslog-ng Digest, Vol
      53, Issue 22 (Ashish Shrimali)


----------------------------------------------------------------------

Message: 1
Date: Wed, 30 Sep 2009 09:49:59 +1300
From: "chris packham" <chris.packham at alliedtelesis.co.nz>
Subject: Re: [syslog-ng] Colon embedded in messages (:)
To: "Syslog-ng users' and developers' mailing list"
        <syslog-ng at lists.balabit.hu>
Message-ID: <4AC329C7020000680001703F at gwia.alliedtelesyn.co.nz>
Content-Type: text/plain; charset=US-ASCII

 >>> On 9/30/2009 at  9:26 AM, James Kelly <james.kelly at hmsinc.com> wrote:
> Thanks a lot. That seems to have worked a lot better but has introduced
> another problem. The messages are split up into too many lines and, when
> there is a match, the first of N lines are removed, still creating unwanted
> messages.
>
> For example, a pretty small insert spans 3 lines... There was a match on the
> 2nd line, so it is not printed. However, the 1st and 3rd were.
>
> 2009-09-29T16:21:16-04:00 blahh-rep2 postgres [10440-1]
> postgres-blahh-10.100.10.34(15779)-4690-2009-09-29 16:21:16 EDT-LOG:
> statement: insert into
> 2009-09-29T16:21:16-04:00 blahh-rep2 postgres [10440-3] '1000000000000000');

I think you'll find this is a postgres thing. syslog-ng does not split messages up based on size (at least as far as I've seen). I think there is some behaviour to do with carriage returns "\n" embedded in your log data, but there are some config options to help with that; search the mailing list/admin guide for that if it turns out to be the case.



------------------------------

Message: 2
Date: Tue, 29 Sep 2009 14:19:46 -0700
From: Evan Rempel <erempel at uvic.ca>
Subject: Re: [syslog-ng] Colon embedded in messages (:)
To: "Syslog-ng users' and developers' mailing list"
        <syslog-ng at lists.balabit.hu>
Message-ID: <4AC279F2.50205 at uvic.ca>
Content-Type: text/plain; charset=windows-1252; format=flowed

As far as I know, the messages will always be split on multiple lines by postgresql,
and you will need to match on the process number.

In your example, the 10440 is the process number, and the -1, -2, -3 are the line numbers of
the messages that the single process creates. A single connection that runs multiple queries can
create many messages, with ever increasing line number counts.

Evan.

James Kelly wrote:
> Thanks a lot.  That seems to have worked a lot better but has introduced
> another problem.  The messages are split up into too many lines and,
> when there is a match, the first of N lines are removed, still creating
> unwanted messages.
>
> For example, a pretty small insert spans 3 lines... There was a match on
> the 2nd line, so it is not printed.  However, the 1st and 3rd were.
>
> 2009-09-29T16:21:16-04:00 blahh-rep2 postgres [10440-1]
> postgres-blahh-10.100.10.34(15779)-4690-2009-09-29 16:21:16 EDT-LOG:
> statement: insert into
> 2009-09-29T16:21:16-04:00 blahh-rep2 postgres [10440-3]
> '1000000000000000');
>
> I played around with log_msg_size thinking I could control how much is
> on each line, but it didn't help.  Am I missing something obvious?  If a
> "fragment" of the message is matched, I would want the entire message to
> not be logged.
>
> Honestly, I have not spent nearly as much time on this most recent
> problem, so if it is an RTFM situation, just let me know.  I did do some
> reading and searching on this though and came up empty handed.
>
> Thanks again for this great help,
> James
>
> On Tue, Sep 29, 2009 at 3:43 PM, Evan Rempel <erempel at uvic.ca
> <mailto:erempel at uvic.ca>> wrote:
>
>     PostgreSQL can log to syslog using appropriately formatted messages.
>     Configure your postgresql.conf file to include the line
>
>     log_destination = 'syslog'
>
>     and then you will get lines in syslog like:
>
>     2009-09-29T12:42:10-07:00 hostname facility.level postgres[20288]:
>     [32-1] postgresql statement
>
>     then all of the syslog-ng parsing, macros and templates will work
>     correctly.
>
>     Evan.
>
>     James Kelly wrote:
>      > Thanks.  This is exactly what is happening.  If, using a template, I
>      > just use $PROGRAM, I get a bunch of lines with just "insert".
>      >
>      > If I use something like the following:
>      >
>      > template t_postgres_msgs {
>      >              template("$ISODATE $HOST $PROGRAM $MSG \n"); };
>      >
>      > I no longer see the colons.  However, if something is matched by the
>      > filter, it still prints a blank message (hence, wasting a ton of space
>      > and clogging up the logs).  For example, this is what I get instead of
>      > the matched sql statement:
>      >
>      > 2009-09-29T10:30:30-04:00 hcdb1-rep2
>      >
>      > I thought the filter would just "trash" or not record the message at
>      > all, not print the host and timestamp for each filtered message.
>      >
>      > Thanks a lot...  I appreciate this help a lot.
>      > James
>      >


--
Evan Rempel                               erempel at uvic.ca
Senior Programmer Analyst                    250.721.7691
Unix Services, University Systems, University of Victoria
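Evan's point is that the fragments of one PostgreSQL statement share only the number before the dash, so a per-line filter like James's `not match("_health_central")` drops one fragment and lets the rest through. The following Python reassembler is an added example (not code from the thread or from syslog-ng): it groups fragments by host and that number, opens a new message at line 1 (or at a stray later line whose first fragment was lost) and applies the match to the whole message, so every fragment of a matched statement is dropped together; the sample lines are constructed.

```python
import re

# Constructed sample lines modelled on the thread's syslog-ng output for
# PostgreSQL ($ISODATE $HOST $PROGRAM $MSG); they are not real log data.
SAMPLE_LINES = [
    "2009-09-29T16:21:16-04:00 blahh-rep2 postgres [10440-1] LOG:  statement: insert into",
    '2009-09-29T16:21:16-04:00 blahh-rep2 postgres [10440-2] "public"."_health_central"(a) values',
    "2009-09-29T16:21:16-04:00 blahh-rep2 postgres [10440-3] ('1000000000000000');",
    "2009-09-29T16:21:17-04:00 blahh-rep2 postgres [10441-1] LOG:  statement: select 1;",
    "2009-09-29T16:21:18-04:00 blahh-rep2 cron (ops) CMD (run-backup)",
    "2009-09-29T16:21:19-04:00 blahh-rep2 postgres [10442-1] LOG:  statement: select now();",
]

# One PostgreSQL fragment: "<ts> <host> postgres [<msgid>-<lineno>] <text>".
# The number before the dash is PostgreSQL's per-backend message sequence
# number (the thread reads it as a process number); the number after the
# dash is the line within that message, starting at 1.
FRAGMENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) postgres \[(?P<msgid>\d+)-(?P<lineno>\d+)\] ?(?P<text>.*)$"
)


def parse_fragment(line):
    """Return the fields of a PostgreSQL fragment, or None for any other line."""
    m = FRAGMENT_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["msgid"] = int(fields["msgid"])
    fields["lineno"] = int(fields["lineno"])
    return fields


def reassemble(lines):
    """Group fragments into whole messages, in first-seen order.

    Each message is a dict with "parts" (fragment texts), "lines" (the
    original lines) and "text" (the parts joined). Lines that are not
    PostgreSQL fragments become one-line messages and pass through untouched.
    """
    messages = []
    open_msgs = {}  # (host, msgid) -> message dict still being assembled
    for line in lines:
        frag = parse_fragment(line)
        if frag is None:
            messages.append({"parts": [line], "lines": [line]})
            continue
        key = (frag["host"], frag["msgid"])
        # Line 1 always opens a new message. A higher line number with no
        # open message (its first fragment was lost or filtered upstream)
        # also opens one instead of being silently discarded.
        if frag["lineno"] == 1 or key not in open_msgs:
            open_msgs[key] = {"parts": [], "lines": []}
            messages.append(open_msgs[key])
        open_msgs[key]["parts"].append(frag["text"])
        open_msgs[key]["lines"].append(line)
    for msg in messages:
        msg["text"] = " ".join(msg["parts"])
    return messages


def filter_lines(lines, pattern):
    """Keep only the lines of messages whose joined text does NOT match pattern.

    This is the whole-message form of the thread's
    `not match("_health_central" value("MESSAGE"))` filter.
    """
    regex = re.compile(pattern)
    kept = []
    for msg in reassemble(lines):
        if regex.search(msg["text"]) is None:
            kept.extend(msg["lines"])
    return kept


if __name__ == "__main__":
    for line in filter_lines(SAMPLE_LINES, "_health_central"):
        print(line)
```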


------------------------------

Message: 3
Date: Wed, 30 Sep 2009 09:51:37 +0530
From: Ashish Shrimali <Ashish_Shrimali at infosys.com>
Subject: [syslog-ng] Solaris Syslog-ng install lib error : syslog-ng
        Digest, Vol 53, Issue 22
To: "syslog-ng at lists.balabit.hu" <syslog-ng at lists.balabit.hu>
Message-ID:
        <AE1A7E8803F348438B970CCDCA075C77115F91731A at BLRKECMBX07.ad.infosys.com>

Content-Type: text/plain; charset="us-ascii"

Hi,
You need to install libnet.
Steps are as follows:
1. gunzip and untar the libnet package.
2. cd <libnetdir>
3. ./configure
4. make
5. make install
6. While installing syslog-ng use this command.(with libnet)
./configure -enable-spoof-source -with-libnet=<libnet dir path>/libnet -enable-dynamic-linking

It worked successfully for me.

Thanks & Regards,
Ashish Shrimali

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of syslog-ng-request at lists.balabit.hu
Sent: Tuesday, September 29, 2009 7:36 PM
To: syslog-ng at lists.balabit.hu
Subject: syslog-ng Digest, Vol 53, Issue 22



Today's Topics:

   1.  Syslog-ng 3 (Ashish Shrimali)
   2. Re:  Syslog-ng 3 (Fegan, Joe)
   3. Re:  sun solaris syslogng error (Balazs Scheidler)
   4. Re:  syslog-ng client machine IP address in message header
      (Balazs Scheidler)
   5.  Colon embedded in messages (:) (James Kelly)
   6. Re:  Colon embedded in messages (:) (Srinivasan Sreenivasan)


----------------------------------------------------------------------

Message: 1
Date: Tue, 29 Sep 2009 16:41:50 +0530
From: Ashish Shrimali <Ashish_Shrimali at infosys.com>
Subject: [syslog-ng] Syslog-ng 3
To: "syslog-ng at lists.balabit.hu" <syslog-ng at lists.balabit.hu>
Message-ID:
        <AE1A7E8803F348438B970CCDCA075C77115F917101 at BLRKECMBX07.ad.infosys.com>

Content-Type: text/plain;       charset="us-ascii"

Hi All,

My syslog-ng is running, which I can see with the ps -ef command, but it is still not writing to the log file.

I have specified the log file in the conf dir.

Any inputs would be highly appreciated.

Thanks & Regards,
Ashish Shrimali

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of syslog-ng-request at lists.balabit.hu
Sent: Tuesday, September 29, 2009 3:11 PM
To: syslog-ng at lists.balabit.hu
Subject: syslog-ng Digest, Vol 53, Issue 21



Today's Topics:

   1.  Solaris Syslog-ng install lib error (list at net-secured.com)
   2. Re:  Solaris Syslog-ng install lib error (Srinivasan Sreenivasan)
   3.  sun solaris syslogng error (list at net-secured.com)
   4.  syslog-ng client machine IP address in message header
      (Jain, Vaibhav (GE Healthcare))


----------------------------------------------------------------------

Message: 1
Date: Mon, 28 Sep 2009 03:52:33 -0700
From: list at net-secured.com
Subject: [syslog-ng] Solaris Syslog-ng install lib error
To: "syslogng " <syslog-ng at lists.balabit.hu>
Message-ID:
        <20090928035233.9419518bf8837c8c492fb3b5d9b71733.3b4f820868.wbe at email03.secureserver.net>

Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20090928/9ae9e2ac/attachment-0001.htm

------------------------------

Message: 2
Date: Mon, 28 Sep 2009 08:00:09 -0500
From: Srinivasan Sreenivasan <srinivasan.srinivasan at sabre.com>
Subject: Re: [syslog-ng] Solaris Syslog-ng install lib error
To: Syslog-ng users' and developers' mailing list
        <syslog-ng at lists.balabit.hu>
Message-ID: <C6E61D89.5EF6%srinivasan.srinivasan at sabre.com>
Content-Type: text/plain; charset="us-ascii"

The PKG_CONFIG_PATH should include directories that have .pc files in them.


On 9/28/09 5:52 AM, "list at net-secured.com" <list at net-secured.com> wrote:

> Hi
> I tried to install on Sparc v. 10 syslog-ng v3.0.4, running:  ./configure
> --enable-sun-streams, --enable-sun-door gives this warning:
> configure: WARNING: unrecognized options: --enable-sun-streams,
> --enable-sun-door
>
> any ideas?
>
>
>
> furthermore, I get this error:
> checking for GLIB - version >= 2.10.1... no
> *** Could not run GLIB test program, checking why...
> *** The test program failed to compile or link. See the file config.log for
> the
> *** exact error that occured. This usually means GLIB is incorrectly
> installed.
> configure: error: Cannot find GLIB version >= 2.10.1: is pkg-config in path?
>
> ===
> Adding the path below : produces another error
>
> export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/:/usr/lib/pkgconfig/
>
> checking for LIBDBI... Package dbi was not found in the pkg-config search
> path.
> Perhaps you should add the directory containing `dbi.pc'
> to the PKG_CONFIG_PATH environment variable
> No package 'dbi' found
> no
> checking for dbi_initialize in -ldbi... no
> checking pthread.h usability... yes
> checking pthread.h presence... yes
> checking for pthread.h... yes
> checking for pthread_create in -lpthread... yes
> checking for LIBNET... no
> checking whether to enable Sun STREAMS support... yes
> checking whether to enable Sun door support... yes
> checking whether to enable IPv6 support... yes
> checking whether to enable SQL support... no
> checking whether to enable Linux capability support... no
> checking whether to enable PCRE support... yes
> checking for pkg-config... (cached) /usr/bin/pkg-config
> checking pkg-config is at least version 0.14... yes
> checking for GLIB - version >= 2.10.1... yes (version 2.14.1)
> checking for EVTLOG... yes
> checking for LIBNET... configure: error: libnet-config not found
>
>
> thanks
>
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>


------------------------------

Message: 3
Date: Tue, 29 Sep 2009 02:12:39 -0700
From: list at net-secured.com
Subject: [syslog-ng] sun solaris syslogng error
To: "syslogng " <syslog-ng at lists.balabit.hu>
Message-ID:
        <20090929021239.9419518bf8837c8c492fb3b5d9b71733.52c5b2692b.wbe at email03.secureserver.net>

Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20090929/39b646fe/attachment-0001.htm

------------------------------

Message: 4
Date: Tue, 29 Sep 2009 15:11:05 +0530
From: "Jain, Vaibhav (GE Healthcare)" <Vaibhav.Jain at ge.com>
Subject: [syslog-ng] syslog-ng client machine IP address in message
        header
To: "Syslog-ng users' and developers' mailing list"
        <syslog-ng at lists.balabit.hu>
Message-ID:
        <E4A9BE70C73D184D8826C6AE68B197810ECF6C6B at BANMLVEM05.e2k.ad.ge.com>
Content-Type: text/plain; charset="us-ascii"

Hi,

I am using syslog-ng open source (syslog-ng-3.0.3-1.rhel5.amd64) for log
collection. I want to pass the syslog-ng machine IP address in the
message header. In the current configuration I am getting the following
header in the log message -->

Sep 29 00:24:20 INBLRECIS2871 ''

In the above message "INBLRECIS2871" is the syslog-ng machine name, but I
want the IP address in place of the machine name. Let me know how to achieve
this?



Current configuration -->
1) syslog-ng client config :->

options {
        mark_freq(30);
        log_msg_size(65530);
}

destination d_messages {
                syslog("3.2.20.26" transport("tcp") port(601)
template("$HOST $MSGHDR$MSG ::::$FILE_NAME"));
}


2) syslog-ng server config->

options {
        time_reap(30);
        mark_freq(10);
        log_msg_size(65530);
}


Regards,
Vaibhav

------------------------------

_______________________________________________
syslog-ng maillist  -  syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng


End of syslog-ng Digest, Vol 53, Issue 21
*****************************************



------------------------------

Message: 2
Date: Tue, 29 Sep 2009 12:59:29 +0000
From: "Fegan, Joe" <Joe.Fegan at hp.com>
Subject: Re: [syslog-ng] Syslog-ng 3
To: Syslog-ng users' and developers' mailing list
        <syslog-ng at lists.balabit.hu>
Message-ID:
        <0E6222894DE49B40A3A9FD929C630BCB5E28386E94 at GVW1121EXC.americas.hpqcorp.net>

Content-Type: text/plain; charset="us-ascii"

You have not given us anything to work with. Please send a copy of your syslog-ng.conf file for analysis.

------------------------------

Message: 3
Date: Tue, 29 Sep 2009 15:32:30 +0200
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] sun solaris syslogng error
To: Syslog-ng users' and developers' mailing list
        <syslog-ng at lists.balabit.hu>
Message-ID: <1254231150.5956.112.camel at bzorp.balabit>
Content-Type: text/plain

On Tue, 2009-09-29 at 02:12 -0700, list at net-secured.com wrote:
> Why does sun-streams("/dev/log" door("/var/run/syslog_door"));  line
> give the error below on Solaris 10:
>
> Error opening syslog device; filename='/dev/log', error='Operation not
> supported on transport endpoint (122)'
> Error initializing source driver; source='src_local',
> id='src_local#0'
> Error initializing message pipeline;
>
>
> unix-stream("/dev/log"); works but no log gets generated.
> The syslog-ng was downloaded from sunfreeware, Any input would be
> appreciated.

the unix-stream() driver might have overwritten your /dev/log device
with a unix domain socket, instead of being a device node.

check your /dev/log file, it should look like this:

# ls -l /dev/log
lrwxrwxrwx   1 root     other         27 Jan 13  2009 /dev/log -> ../devices/pseudo/log at 0:log

And the file under /devices:

crw-r-----   1 root     sys       21,  5 Jan 13  2009 /devices/pseudo/log at 0:log



>
> here is my config:
>
>
> @version:3.0
> ###############################################################
> # First, set some global options.
> options {
>         chain_hostnames(0);
>         time_reopen(10);
>         time_reap(360);
>         log_fifo_size(2048);
>         create_dirs(yes);
>         group(adm);
>         perm(0640);
>         dir_perm(0755);
>         use_dns(yes);
>         stats_freq(0);
> };
> ###############################################################
> #
> # This is the default behavior of sysklogd package
> # Logs may come from unix stream, but not from another machine.
> #
> source src_local {
>                    sun-streams("/dev/log"
> door("/var/run/syslog_door"));
>                 internal();
>                 };
> source s_dev {
>         udp(ip("0.0.0.0") port(514));
> };
> ###############################################################
> # Some `catch-all' logfiles.
> destination d_src_local { file("/appl/232/data/syslog-ng/messages"
> owner(root) group(root) perm(0600) dir_perm(0700) cr
> eate_dirs(yes) ); };
> destination d_dev { file("/appl/232/data/syslog-ng/fillit" owner(root)
> group(root) perm(0600) dir_perm(0700) create_dirs(y
> es) ); };
>   log { source(src_local); destination(d_src_local);};
>   log { source(s_dev); destination(d_dev);};
>
--
Bazsi



------------------------------

Message: 4
Date: Tue, 29 Sep 2009 13:34:39 +0000
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] syslog-ng client machine IP address in
        message header
To: Syslog-ng users' and developers' mailing list
        <syslog-ng at lists.balabit.hu>
Message-ID: <1254231279.5956.114.camel at bzorp.balabit>
Content-Type: text/plain

On Tue, 2009-09-29 at 15:11 +0530, Jain, Vaibhav (GE Healthcare) wrote:
> Hi,
>
> I am using syslog-ng open source (syslog-ng-3.0.3-1.rhel5.amd64) for
> log collection. I want to pass the syslog-ng machine ip address in the
> message header. in the current configuration I am getting following
> header in the log message -->
>
> Sep 29 00:24:20 INBLRECIS2871 ''
>
> In the above message "INBLRECIS2871" is the syslog-ng machine name
> but I want the IP address in place of machine name. let me know how to
> achieve this ?
>
>
>
> Current configuration -->
> 1) syslog-ng client config :->
>
> options {
>         mark_freq(30);
>         log_msg_size(65530);
> }
>
> destination d_messages {
>                 syslog("3.2.20.26" transport("tcp") port(601)
> template("$HOST $MSGHDR$MSG ::::$FILE_NAME"));
> }
>
>
> 2) syslog-ng server config->
>
> options {
>         time_reap(30);
>         mark_freq(10);
>         log_msg_size(65530);
> }
>

Well, you can control the name resolution behaviour with:
keep_hostname(yes or no) and use_dns(yes or no)

If you use keep_hostname(no) and use_dns(no), you'll make syslog-ng
always replace the HOST field of the message with the IP address of the
sender host.

If you have multiple hops (e.g. relays), you might want to use the
settings above only on the first hop, and then keep_hostname(yes) on the
central syslog server, because otherwise you'd always see the relay ip
address.

--
Bazsi



------------------------------

Message: 5
Date: Tue, 29 Sep 2009 09:57:34 -0400
From: James Kelly <james.kelly at hmsinc.com>
Subject: [syslog-ng] Colon embedded in messages (:)
To: syslog-ng at lists.balabit.hu
Message-ID:
        <6d52e8e0909290657r506ed5fl202d21a2a51410f7 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

I am attempting to implement syslog-ng on our servers hosting postgresql
databases.  The general idea is to log "too much" at the database level and
then, using syslog filters, reduce it to the information we want to actually
hold in the syslog and send to the log server.  So far I am extremely
pleased with how easy it is to implement and well documented.  However, I do
have one problem that is making it difficult to use.

The problem is, for each message that the filter matches, it does not
completely drop the message; rather, it logs the date / server / and a
colon:

For example, this is what I get for a message that is matched by a filter:

"Sep 29 09:43:29 hcdb1-rep2      :"

I notice that even with the unmatched statements, there is a colon.  For
example, in the postgresql log, I see:

insert into "public"."table"(blah,blah,blah) values (blah,blah,blah);

but the same message once captured from syslog shows the following in the
log and logserver:

Sep 29 09:43:29 hcdb1-rep2      insert: into
"public"."table"(blah,blah,blah) values (blah,blah,blah);

*Note the colon after "insert".*  I can't seem to figure out where this is
coming from or how to avoid it.  It also causes some filtering problems that
I won't go into here so as to not confuse the issues, but safe to say it is
also related to the colon.

I have spent a lot of time trying to figure this out and am at a dead-end.
Due to the amount of messages I need to filter out (below is just one of the
many filters I need to put in and have tested with the same result), not
being able to completely filter these out is a killer.

I am using the 3.0.4 open-source edition on Ubuntu 8.  Here is my config:

******************************************************************************************
@version: 3.0

options {
};

######
# sources
source s_local {
# message generated by Syslog-NG
internal();
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" program_override("kernel: "));
file("/var/log/postgresql/postgresql-8.3-main.log");
};


######
# destinations
destination d_messages { file("/var/log/messages"); };

#####
# filters

filter f_inserts2 {
        not match("_health_central" value("MESSAGE"));
};


destination d_logserver { tcp("internal.host.com"); };


log {
source(s_local);
filter(f_inserts2);
destination(d_messages);
#destination(d_logserver);
};
******************************************************************************************

Thanks!
James Kelly

------------------------------

Message: 6
Date: Tue, 29 Sep 2009 09:05:35 -0500
From: Srinivasan Sreenivasan <srinivasan.srinivasan at sabre.com>
Subject: Re: [syslog-ng] Colon embedded in messages (:)
To: Syslog-ng users' and developers' mailing list
        <syslog-ng at lists.balabit.hu>
Message-ID: <C6E77E5F.6030%srinivasan.srinivasan at sabre.com>
Content-Type: text/plain; charset="iso-8859-1"

I think Syslog-ng thinks insert is a program name. Use a template with
$PROGRAM in it to see if it prints "insert" to confirm this.

Solution:
Send a program name before your sql statement using a template.


On 9/29/09 8:57 AM, "James Kelly" <james.kelly at hmsinc.com> wrote:

> Hello,
>
> I am attempting to implement syslog-ng on our servers hosting postgresql
> databases.  The general idea is to log "too much" at the database level and
> then, using syslog filters, reduce it to the information we want to actually
> hold in the syslog and send to the log server.  So far I am extremely pleased
> with how easy it is to implement and well documented.  However, I do have one
> problem that is making it difficult to use.
>
> The problem is for each message that the filter matches, it does not
> completely drop the message.. rather, it logs the date / server / and a colon:
>
> For example, this is what I get for a message that is matched by a filter:
>
> "Sep 29 09:43:29 hcdb1-rep2      :"
>
> I notice that even with the unmatched statements, there is a colon.  For
> example, in the postgresql log, I see:
>
> insert into "public"."table"(blah,blah,blah) values (blah,blah,blah);
>
> but the same message once captured from syslog shows the following in the log
> and logserver:
>
> Sep 29 09:43:29 hcdb1-rep2      insert: into "public"."table"(blah,blah,blah)
> values (blah,blah,blah);
>
> *Note the colon after "insert".*  I can't seem to figure out where this is
> coming from or how to avoid it.  It also causes some filtering problems that I
> won't go into here so as to not confuse the issues, but safe to say it is also
> related to the colon.
>
> I have spent a lot of time trying to figure this out and am at a dead-end.
> Due to the amount of messages I need to filter out (below is just one of the
> many filters I need to put in and have tested with the same result), not being
> able to completely filter these out is a killer.
>
> I am using the 3.0.4 open-source edition on Ubuntu 8.  Here is my config:
>
> ******************************************************************************************
> @version: 3.0
>
> options {
> };
>
> ######
> # sources
> source s_local {
> # message generated by Syslog-NG
> internal();
> # standard Linux log source (this is the default place for the syslog()
> # function to send logs to)
> unix-stream("/dev/log");
> # messages from the kernel
> file("/proc/kmsg" program_override("kernel: "));
> file("/var/log/postgresql/postgresql-8.3-main.log");
> };
>
>
> ######
> # destinations
> destination d_messages { file("/var/log/messages"); };
>
> #####
> # filters
>
> filter f_inserts2 {
>         not match("_health_central" value("MESSAGE"));
> };
>
>
> destination d_logserver { tcp("internal.host.com"); };
>
>
> log {
> source(s_local);
> filter(f_inserts2);
> destination(d_messages);
> #destination(d_logserver);
> };
> ******************************************************************************************
>
> Thanks!
> James Kelly
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>


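The colon James sees follows from how a legacy (BSD-style) syslog parser treats a line that carries no syslog header: the first token, up to a space, colon or "[", is taken as $PROGRAM, and the default BSD-style file template puts it back in front of the body as "$PROGRAM: " through $MSGHDR. The Python below is an added example, not syslog-ng source and not code from either poster. It models that parse in simplified form, applies the post's `not match("_health_central" value("MESSAGE"))` filter to the parsed body, and shows what the two source options a practitioner would reach for change: `flags(no-parse)` (treat the whole line as the message) and `program_override()` (the option the post already uses for /proc/kmsg). The sample lines, the hostname, the receive timestamp and the output template are constructed or assumed for the illustration.

```python
"""Simplified model of legacy (BSD-style) syslog header parsing.

Added example, not syslog-ng code and not code from the original posters:
the parser is a reduced approximation of legacy syslog parsing, and every
sample line, hostname, timestamp and template here is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. Line 1 is a well-formed BSD syslog line; lines 2
# and 3 imitate raw application log lines read through a file() source.
SAMPLE_LINES = [
    "<13>Sep 29 09:43:29 hcdb1-rep2 postgres[4242]: checkpoint complete",
    'insert into "public"."table"(a,b,c) values (1,2,3);',
    "_health_central: heartbeat ok",
]

PRI = re.compile(r"^<\d{1,3}>")
BSD_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
)
# Program name runs up to the first space, colon or '['; an optional [pid]
# and ':' follow. This is the step that turns "insert into ..." into
# PROGRAM="insert", MESSAGE="into ...".
PROGRAM = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:? ?")


@dataclass
class Message:
    date: str
    host: str
    program: str
    pid: str
    message: str  # what value("MESSAGE") and $MSG see

    @property
    def msghdr(self) -> str:
        """$MSGHDR: "$PROGRAM[$PID]: " when a program was parsed, else ""."""
        if not self.program:
            return ""
        pid = f"[{self.pid}]" if self.pid else ""
        return f"{self.program}{pid}: "

    def render(self) -> str:
        """BSD-style "$DATE $HOST $MSGHDR$MSG" layout (assumed template)."""
        return f"{self.date} {self.host} {self.msghdr}{self.message}"


def parse_legacy(
    line: str,
    no_parse: bool = False,               # models flags(no-parse)
    program_override: Optional[str] = None,  # models program_override("...")
    now: str = "Sep 29 09:43:29",         # assumed receive time
    local_host: str = "hcdb1-rep2",       # assumed local hostname
) -> Message:
    """Parse one line the way a legacy syslog source would (simplified)."""
    rest = line
    m = PRI.match(rest)
    if m:
        rest = rest[m.end():]
    date, host, prog, pid = now, local_host, "", ""
    if not no_parse:
        m = BSD_HEADER.match(rest)
        if m:  # hostname is only looked for after a recognised timestamp
            date, host = m.group("ts"), m.group("host")
            rest = rest[m.end():]
        m = PROGRAM.match(rest)
        if m:
            prog, pid = m.group("prog"), m.group("pid") or ""
            rest = rest[m.end():]
    if program_override is not None:
        prog = program_override
    return Message(date, host, prog, pid, rest)


def passes_filter(msg: Message, needle: str = "_health_central") -> bool:
    """Model of: filter f { not match(needle value("MESSAGE")); };

    value("MESSAGE") inspects only the parsed body, so text that was
    swallowed into $PROGRAM is invisible to the filter.
    """
    return needle not in msg.message


def run(lines: List[str], **parse_opts) -> List[str]:
    """Parse, filter and render; returns the lines that would be written."""
    return [
        m.render()
        for m in (parse_legacy(ln, **parse_opts) for ln in lines)
        if passes_filter(m)
    ]


if __name__ == "__main__":
    for out in run(SAMPLE_LINES):
        print(out)  # line 2 comes out as "... insert: into ..."
    for out in run(SAMPLE_LINES[1:], no_parse=True, program_override="postgres"):
        print(out)
```

Two things the model makes visible. With default parsing, the constructed "_health_central: heartbeat ok" line is not dropped, because the token before the colon became $PROGRAM and `value("MESSAGE")` never sees it; whether that is the filtering trouble James alludes to is not stated in the post, but it is the kind of mismatch this parse produces. With `flags(no-parse)` and `program_override("postgres")` on the PostgreSQL file() source only (not on /dev/log, whose lines do carry a real header), the whole line stays in MESSAGE, the filter matches on it, and the output carries a stable program name instead of the first SQL keyword.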
------------------------------

_______________________________________________
syslog-ng maillist  -  syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng


End of syslog-ng Digest, Vol 53, Issue 22
*****************************************


------------------------------



End of syslog-ng Digest, Vol 53, Issue 25
*****************************************

