[syslog-ng] Server conf for syslog-ng.conf

Zoltán Pallagi pzolee at balabit.hu
Fri Mar 19 10:51:31 CET 2010


I hope your full config in fact looks like this one, doesn't it?

source s_tcp {
#       syslog(transport(tcp));
        udp(ip(10.13.6.83) port(514));
        tcp(ip(10.13.6.83) port(5149) max-connections(333));
};

destination d_tcp {
        file("/var/log/messages_tcp" owner("root") group("adm") perm(0640));
};

log {
        source(s_tcp);
        destination(d_tcp);
};

If it is true, you can try the following things:
- listen on all addresses of this host: udp(port(514));
- start syslog-ng in debug mode (syslog-ng -Fevd) and you should see the
  incoming syslogd logs. For example:

root@thor:/opt/syslog-ng# sbin/syslog-ng -Fevd
Server license found, starting in server mode; customer='BalaBit IT Kft.', serial='708005-000000-2c8926', limit='-1'
Running application hooks; hook='1'
Running application hooks; hook='3'
syslog-ng starting up; version='3.1.0', cfg-fingerprint='5b1cb89509fcbe41d22634f2bce20323d2c87a55', cfg-nonce-ndx='0', cfg-signature='866ce1c9eac64d70356b90b0b4da411ae323c73b'
Incoming log entry; line='<46>syslogd 1.5.0#5ubuntu4: restart.'
Initializing destination file writer; template='/var/log/messages', filename='/var/log/messages'

If there is no "Incoming log entry..:" line here, then syslogd doesn't send
logs to syslog-ng, and the reason for this behaviour will probably be on
the client side, or at least (I hope) you will see what the problem is.

If these solutions don't help you, please send me the version of your 
syslog-ng (syslog-ng -V) and the above debug output of syslog-ng.

Lozada, Agustin T wrote:
>
> I got that part fixed, thanks Zoltan. My next question is: I set up this
> box (AIX 5.3) to be the central server and configured a client to
> forward syslog, and it looks like the client is doing it:
>
> # /usr/sbin/syslogd -d
> 0821-600 /usr/sbin/syslogd: continuing without SRC support
> syslogd: bind: errno = 67
> logmsg: pri 53, flags 8, from t01labax08, msg syslogd: bind: errno = 67
> off & running....
> init
> cfline(*.debug  @10.13.6.83)
> cfline(*.debug;mail.none        @10.13.6.83)
> cfline(*.crit   @10.13.6.83)
> cfline(mail.debug       @10.13.6.83     )
> 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FORW: 10.13.6.83
> 7 7 X 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FORW: 10.13.6.83
> 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 X FORW: 10.13.6.83
> X X 7 X X X X X X X X X X X X X X X X X X X X X X FORW: 10.13.6.83
> logmsg: pri 56, flags 8, from t01labax08, msg syslogd: restart
> Logging to FORW 10.13.6.83
> Logging to FORW 10.13.6.83
> syslogd: restarted
> readfds = 0x10
> got a message (-1, 0x10)
> readfds = 0x10
> got a message (-1, 0x10)
>
> 10.13.6.83 is my designated server and it seems it is not getting the
> forwarded log messages. Here is my syslog.conf for remote logging:
>
> source s_tcp {
> #       syslog(transport(tcp));
>         udp(ip(10.13.6.83) port(514));
>         tcp(ip(10.13.6.83) port(5149) max-connections(333));
> };
>
> destination d_tcp {
>         file("/var/log/messages_tcp" owner("root") group("adm") perm(0640));
> };
>
> I do not see any traffic coming to my client t01labax08 going to my
> syslog server and /var/log/messages_tcp has not even been created. Again,
> what am I missing here? Sorry, I'm a syslog-ng newbie here....
>
> Thanks and regards,
>
> Agustin Lozada
> UNIX System Admin
> 713-207-2474
>
> *From:* Zoltán Pallagi [mailto:pzolee at balabit.hu]
> *Sent:* Thursday, March 18, 2010 1:42 PM
> *To:* Syslog-ng users' and developers' mailing list; Lozada, Agustin T
> *Subject:* Re: [syslog-ng] Server conf for syslog-ng.conf
>
> Hi,
> replace this line:
> source s_network { syslog(transport(tcp))};
> with this one (missing semicolon at the end of the last bracket):
> source s_network { syslog(transport(tcp));};
>
> On 2010.03.18. 19:29, Lozada, Agustin T wrote:
>
> @version:3.0
> options {
>         time_reap(30);
>         mark_freq(10);
>         keep_hostname(yes);
> };
> source s_local { unix-stream("/dev/log"); internal();};
> source s_network { syslog(transport(tcp))};
> destination d_logs {
>         file(
>                 "/var/log/syslog-ng/logs.txt"
>                 owner("root")
>                 group("root")
>                 perm(0777)
>         ); };
> log { source(s_local); source(s_network); destination(d_logs); };
>
> -- 
> pzolee
>


-- 
pzolee
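
Added example, not part of the original message and not syslog-ng code: a small Python probe that sends one test line to the listeners discussed above (UDP 514 or TCP 5149), so the matching "Incoming log entry" line can be looked for in the syslog-ng -Fevd output, plus a decoder for the <46>-style priority prefix shown there. The function names and the probe text are assumptions of this example.

```python
import socket
import sys

# Standard BSD syslog facility codes; 12-15 are rarely used and shown as numbers.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + n: f"local{n}" for n in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(line):
    """Return (facility, severity, message) for a line such as '<46>syslogd ...'."""
    end = line.find(">")
    if not line.startswith("<") or not 2 <= end <= 4 or not line[1:end].isdigit():
        raise ValueError("line does not start with a <PRI> header")
    pri = int(line[1:end])
    if pri > 191:
        raise ValueError("PRI out of range")
    return FACILITIES.get(pri // 8, str(pri // 8)), SEVERITIES[pri % 8], line[end + 1:]


def send_probe(host, port, transport="udp", text="syslog-ng reachability probe"):
    """Send one user.info test line; returns the exact line so it can be grepped for."""
    line = f"<{1 * 8 + 6}>probe: {text}"  # PRI = facility * 8 + severity
    if transport == "udp":
        # UDP gives no delivery feedback: confirm arrival in the server's debug output.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(line.encode(), (host, port))
    else:
        # TCP fails loudly (ConnectionRefusedError, timeout) if nothing is listening.
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(line.encode() + b"\n")
    return line


if __name__ == "__main__":
    # Usage: probe.py <server> <port> [udp|tcp]
    host, port = sys.argv[1], int(sys.argv[2])
    transport = sys.argv[3] if len(sys.argv) > 3 else "udp"
    print("sent:", send_probe(host, port, transport))
```

Run it from the client host against the server address and port from the config (for example 10.13.6.83 514 udp) while syslog-ng runs in debug mode on the server.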
