[syslog-ng] How to turn logging into the .log files

Wagner Pereira wpereira at pop-sp.rnp.br
Mon May 10 15:14:21 CEST 2010


Dukes,

I implemented your changes and I can say that almost everything came 
back to work correctly, but...

At the beginning, I had seven .log files being incremented by the syslog 
and now I have only one .log file being incremented.

What can still be wrong?

Hugs,

-- 

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
Tel. (11) 3091-8901


On 7/5/2010 12:28, Clayton Dukes wrote:
> Hi Wagner,
> A couple of problems with your config:
> 1. I believe that prior to syslog-ng v3.x, you could only have one 
> source defined.
> try removing your source net definition, it's a duplicate of "s_all" 
> and there's no need for it.
>  - be sure to update any reference to "net" and change them to "s_all"
>
> 2. You have destinations and filters with the same name, I'm pretty 
> sure this is not allowed.
>
> Try something like this:
>
> source s_all {
>         # message generated by Syslog-NG
>         internal();
>         # standard Linux log source (this is the default place for the syslog()
>         # function to send logs to)
>         unix-stream("/dev/log");
>         # messages from the kernel
>         file("/proc/kmsg" log_prefix("kernel: "));
>         # use the following line if you want to receive remote UDP logging messages
>         # (this is equivalent to the "-r" syslogd flag)
>         udp();
> };
>
> destination d_Cisco7206 {
> file("/var/log/routers/cisco7206.log"
> create_dirs(yes) );
> };
>
> destination d_Metrosampa-USP_CCE {
> file("/var/log/routers/uspcce.log"
> create_dirs(yes) );
> };
>
> filter f_Cisco7206 {
> host("10.0.0.2");
> };
>
> filter f_Metrosampa-USP_CCE {
> host("10.0.0.3");
> };
>
>
> log {
> source(s_all);
> filter(f_Cisco7206);
> destination(d_Cisco7206);
> };
>
> log {
> source(s_all);
> filter(f_Metrosampa-USP_CCE);
> destination(d_Metrosampa-USP_CCE);
> };
>
>
>
>
> On Fri, May 7, 2010 at 10:06 AM, Wagner Pereira 
> <wpereira at pop-sp.rnp.br <mailto:wpereira at pop-sp.rnp.br>> wrote:
>
>     Hi, Dukes. Thanks for your reply.
>
>     At this moment, I must turn back to logging into the .log files, the
>     same way as at the beginning. This is urgent for now. (Below is
>     my syslog-ng.conf file)
>
>     Next, my boss is asking me to test the Syslog plugin for Cacti.
>
>     Finally, if this solution doesn't solve our demand, I will
>     consider re-installing and testing Logzilla.
>
>     ---------------------
>     #
>     # Configuration file for syslog-ng under Debian
>     #
>     # attempts at reproducing default syslog behavior
>
>     # the standard syslog levels are (in descending order of priority):
>     # emerg alert crit err warning notice info debug
>     # the aliases "error", "panic", and "warn" are deprecated
>     # the "none" priority found in the original syslogd configuration is
>     # only used in internal messages created by syslogd
>
>
>     ######
>     # options
>
>     options {
>             # disable the chained hostname format in logs
>             # (default is enabled)
>             chain_hostnames(0);
>
>             # the time to wait before a died connection is re-established
>             # (default is 60)
>             time_reopen(10);
>
>             # the time to wait before an idle destination file is closed
>             # (default is 60)
>             time_reap(360);
>
>             # the number of lines buffered before written to file
>             # you might want to increase this if your disk isn't catching with
>             # all the log messages you get or if you want less disk activity
>             # (say on a laptop)
>             # (default is 0)
>             #sync(0);
>
>             # the number of lines fitting in the output queue
>             log_fifo_size(2048);
>
>             # enable or disable directory creation for destination files
>             create_dirs(yes);
>
>             # default owner, group, and permissions for log files
>             # (defaults are 0, 0, 0600)
>             #owner(root);
>             group(adm);
>             perm(0640);
>
>             # default owner, group, and permissions for created directories
>             # (defaults are 0, 0, 0700)
>             #dir_owner(root);
>             #dir_group(root);
>             dir_perm(0755);
>
>             # enable or disable DNS usage
>             # syslog-ng blocks on DNS queries, so enabling DNS may lead to
>             # a Denial of Service attack
>             # (default is yes)
>             use_dns(yes);
>
>             # maximum length of message in bytes
>             # this is only limited by the program listening on the /dev/log Unix
>             # socket, glibc can handle arbitrary length log messages, but -- for
>             # example -- syslogd accepts only 1024 bytes
>             # (default is 2048)
>             #log_msg_size(2048);
>
>         #Disable statistic log messages.
>         stats_freq(0);
>
>         # Some programs send log messages through a private implementation,
>         # and sometimes that implementation is bad. If this happens, syslog-ng
>         # may recognise the program name as the hostname. With this option
>         # we tell syslog-ng that if a hostname matches this regexp then that
>         # is not a real hostname.
>         bad_hostname("^gconfd$");
>     };
>
>
>     ######
>     # sources
>
>     # all known message sources
>     source s_all {
>             # message generated by Syslog-NG
>             internal();
>             # standard Linux log source (this is the default place for the syslog()
>             # function to send logs to)
>             unix-stream("/dev/log");
>             # messages from the kernel
>             file("/proc/kmsg" log_prefix("kernel: "));
>             # use the following line if you want to receive remote UDP logging messages
>             # (this is equivalent to the "-r" syslogd flag)
>             udp();
>     };
>
>     source net {
>             unix-stream("/dev/log");
>         internal();
>             udp(ip(0.0.0.0) port(514));
>     };
>
>
>
>     ######
>     # destinations
>
>     # some standard log files
>     destination df_auth { file("/var/log/auth.log"); };
>     destination df_syslog { file("/var/log/syslog"); };
>     destination df_cron { file("/var/log/cron.log"); };
>     destination df_daemon { file("/var/log/daemon.log"); };
>     destination df_kern { file("/var/log/kern.log"); };
>     destination df_lpr { file("/var/log/lpr.log"); };
>     destination df_mail { file("/var/log/mail.log"); };
>     destination df_user { file("/var/log/user.log"); };
>     destination df_uucp { file("/var/log/uucp.log"); };
>
>     # these files are meant for the mail system log files
>     # and provide re-usable destinations for {mail,cron,...}.info,
>     # {mail,cron,...}.notice, etc.
>     destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
>     destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
>     destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
>     destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
>     destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };
>
>     # these files are meant for the news system, and are kept separated
>     # because they should be owned by "news" instead of "root"
>     destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
>     destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
>     destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };
>
>     # some more classical and useful files found in standard syslog configurations
>     destination df_debug { file("/var/log/debug"); };
>     destination df_messages { file("/var/log/messages"); };
>
>     # pipes
>     # a console to view log messages under X
>     destination dp_xconsole { pipe("/dev/xconsole"); };
>
>     # consoles
>     # this will send messages to everyone logged in
>     destination du_all { usertty("*"); };
>
>     destination Cisco7206 {
>     file("/var/log/routers/cisco7206.log" create_dirs(yes) );
>     };
>
>     destination Metrosampa-USP_CCE {
>     file("/var/log/routers/uspcce.log" create_dirs(yes) );
>     };
>
>
>     ######
>     # filters
>
>     # all messages from the auth and authpriv facilities
>     filter f_auth { facility(auth, authpriv); };
>
>     # all messages except from the auth and authpriv facilities
>     filter f_syslog { not facility(auth, authpriv); };
>
>     # respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
>     # and uucp facilities
>     filter f_cron { facility(cron); };
>     filter f_daemon { facility(daemon); };
>     filter f_kern { facility(kern); };
>     filter f_lpr { facility(lpr); };
>     filter f_mail { facility(mail); };
>     filter f_news { facility(news); };
>     filter f_user { facility(user); };
>     filter f_uucp { facility(uucp); };
>
>     # some filters to select messages of priority greater or equal to info, warn,
>     # and err
>     # (equivalents of syslogd's *.info, *.warn, and *.err)
>     filter f_at_least_info { level(info..emerg); };
>     filter f_at_least_notice { level(notice..emerg); };
>     filter f_at_least_warn { level(warn..emerg); };
>     filter f_at_least_err { level(err..emerg); };
>     filter f_at_least_crit { level(crit..emerg); };
>
>     # all messages of priority debug not coming from the auth, authpriv, news, and
>     # mail facilities
>     filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
>
>     # all messages of info, notice, or warn priority not coming from the auth,
>     # authpriv, cron, daemon, mail, and news facilities
>     filter f_messages {
>             level(info,notice,warn)
>                 and not facility(auth,authpriv,cron,daemon,mail,news);
>     };
>
>     # messages with priority emerg
>     filter f_emerg { level(emerg); };
>
>     # complex filter for messages usually sent to the xconsole
>     filter f_xconsole {
>         facility(daemon,mail)
>             or level(debug,info,notice,warn)
>             or (facility(news)
>                     and level(crit,err,notice));
>     };
>
>     filter Cisco7206 {
>     host("10.0.0.2");
>     };
>
>     filter Metrosampa-USP_CCE {
>     host("10.0.0.3");
>     };
>
>     ######
>     # logs
>     # order matters if you use "flags(final);" to mark the end of processing in a
>     # "log" statement
>
>     # these rules provide the same behavior as the commented original syslogd rules
>
>     # auth,authpriv.*                 /var/log/auth.log
>     log {
>             source(s_all);
>             filter(f_auth);
>             destination(df_auth);
>     };
>
>     # *.*;auth,authpriv.none          -/var/log/syslog
>     log {
>             source(s_all);
>             filter(f_syslog);
>             destination(df_syslog);
>     };
>
>     # this is commented out in the default syslog.conf
>     # cron.*                         /var/log/cron.log
>     #log {
>     #        source(s_all);
>     #        filter(f_cron);
>     #        destination(df_cron);
>     #};
>
>     # daemon.*                        -/var/log/daemon.log
>     log {
>             source(s_all);
>             filter(f_daemon);
>             destination(df_daemon);
>     };
>
>     # kern.*                          -/var/log/kern.log
>     log {
>             source(s_all);
>             filter(f_kern);
>             destination(df_kern);
>     };
>
>     # lpr.*                           -/var/log/lpr.log
>     log {
>             source(s_all);
>             filter(f_lpr);
>             destination(df_lpr);
>     };
>
>     # mail.*                          -/var/log/mail.log
>     log {
>             source(s_all);
>             filter(f_mail);
>             destination(df_mail);
>     };
>
>     # user.*                          -/var/log/user.log
>     log {
>             source(s_all);
>             filter(f_user);
>             destination(df_user);
>     };
>
>     # uucp.*                          /var/log/uucp.log
>     log {
>             source(s_all);
>             filter(f_uucp);
>             destination(df_uucp);
>     };
>
>     # mail.info                       -/var/log/mail.info
>     log {
>             source(s_all);
>             filter(f_mail);
>             filter(f_at_least_info);
>             destination(df_facility_dot_info);
>     };
>
>     # mail.warn                       -/var/log/mail.warn
>     log {
>             source(s_all);
>             filter(f_mail);
>             filter(f_at_least_warn);
>             destination(df_facility_dot_warn);
>     };
>
>     # mail.err                        /var/log/mail.err
>     log {
>             source(s_all);
>             filter(f_mail);
>             filter(f_at_least_err);
>             destination(df_facility_dot_err);
>     };
>
>     # news.crit                       /var/log/news/news.crit
>     log {
>             source(s_all);
>             filter(f_news);
>             filter(f_at_least_crit);
>             destination(df_news_dot_crit);
>     };
>
>     # news.err                        /var/log/news/news.err
>     log {
>             source(s_all);
>             filter(f_news);
>             filter(f_at_least_err);
>             destination(df_news_dot_err);
>     };
>
>     # news.notice                     /var/log/news/news.notice
>     log {
>             source(s_all);
>             filter(f_news);
>             filter(f_at_least_notice);
>             destination(df_news_dot_notice);
>     };
>
>
>     # *.=debug;\
>     #         auth,authpriv.none;\
>     #         news.none;mail.none     -/var/log/debug
>     log {
>             source(s_all);
>             filter(f_debug);
>             destination(df_debug);
>     };
>
>
>     # *.=info;*.=notice;*.=warn;\
>     #         auth,authpriv.none;\
>     #         cron,daemon.none;\
>     #         mail,news.none          -/var/log/messages
>     log {
>             source(s_all);
>             filter(f_messages);
>             destination(df_messages);
>     };
>
>     # *.emerg                         *
>     log {
>             source(s_all);
>             filter(f_emerg);
>             destination(du_all);
>     };
>
>
>     # daemon.*;mail.*;\
>     #         news.crit;news.err;news.notice;\
>     #         *.=debug;*.=info;\
>     #         *.=notice;*.=warn       |/dev/xconsole
>     log {
>             source(s_all);
>             filter(f_xconsole);
>             destination(dp_xconsole);
>     };
>
>     log {
>     source(net);
>     filter(Cisco7206);
>     destination(Cisco7206);
>     };
>
>     log {
>     source(net);
>     filter(Metrosampa-USP_CCE);
>     destination(Metrosampa-USP_CCE);
>     };
>     ---------------------------------
>
>     -- 
>
>     Wagner Pereira
>
>     PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
>     CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
>     http://www.pop-sp.rnp.br Tel. (11) 3091-8901
>
>
>     On 7/5/2010 10:19, Clayton Dukes wrote:
>>     Hi Wagner,
>>     If you need help with LogZilla, please let me know.
>>     For syslog-ng, it would help if you posted your syslog-ng.conf file.
>>
>>
>>     On Fri, May 7, 2010 at 9:08 AM, Wagner Pereira
>>     <wpereira at pop-sp.rnp.br <mailto:wpereira at pop-sp.rnp.br>> wrote:
>>
>>         Hi, all.
>>
>>         When I installed Syslog-ng, I configured it to log all the
>>         device's activities into the .log files. It worked well for some weeks.
>>
>>         In the last week, I tried to use Logzilla (former
>>         PhP-Syslog-ng) but I couldn't succeed, so I removed Logzilla yesterday.
>>
>>         After I removed Logzilla, I noticed that all the activities
>>         are being recorded into the /var/log/messages file and no longer into
>>         the .log files I had originally created for this purpose.
>>
>>         What should I configure to turn logging into those .log files back on?
>>         I already have the syslog-ng.conf configured properly.
>>
>>         Thanks in advance.
>>
>>         --
>>
>>         Wagner Pereira
>>
>>         PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
>>         CCE/USP - Centro de Computação Eletrônica da Universidade de
>>         São Paulo
>>         http://www.pop-sp.rnp.br
>>         Tel. (11) 3091-8901
>>
>>         ______________________________________________________________________________
>>         Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>         Documentation:
>>         http://www.balabit.com/support/documentation/?product=syslog-ng
>>         FAQ: http://www.campin.net/syslog-ng/faq.html
>>
>>
>>
>>
>>     -- 
>>     ______________________________________________________________
>>
>>     Clayton Dukes
>>     ______________________________________________________________
>>
>>
>>
>>        
>
>
>
>
>
>
> -- 
> ______________________________________________________________
>
> Clayton Dukes
> ______________________________________________________________
>
>
>
>    
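Added example (not code from the thread, and not part of syslog-ng itself): a small Python checker for the structural problems raised above before a config is loaded. It flags a filter and a destination sharing one name, two sources that declare the same driver (the way "net" duplicated "s_all"), log paths that reference an object that was never declared, and destination files that no log path routes into, which is exactly how a .log file silently stops growing. The configuration inside the script is constructed for the demonstration, the script only understands the flat "kind name { ... };" layout used in the thread, and it is no substitute for `syslog-ng --syntax-only -f FILE`, which checks the real grammar.

```python
"""Structural lint for a syslog-ng.conf (added example, not the thread's or
syslog-ng's own code).  Understands only the flat 'kind name { ... };' layout;
run `syslog-ng --syntax-only -f FILE` for the real grammar check."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread: a source duplicating s_all,
# a filter/destination name clash, a log path with an undefined filter and
# a destination that no log path feeds.
SAMPLE_CONF = r"""
# comments are ignored by the checker
source s_all { internal(); unix-stream("/dev/log"); udp(); };
source net { unix-stream("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); };
destination df_syslog { file("/var/log/syslog"); };
destination d_unused { file("/var/log/unused.log"); };
destination Cisco7206 { file("/var/log/routers/cisco7206.log" create_dirs(yes)); };
filter f_syslog { not facility(auth, authpriv); };
filter Cisco7206 { host("10.0.0.2"); };
log { source(s_all); filter(f_syslog); destination(df_syslog); };
log { source(net); filter(Cisco7206); destination(Cisco7206); };
log { source(s_all); filter(f_missing); destination(df_syslog); };
"""

DECL_RE = re.compile(r"\b(source|destination|filter)\s+([\w.-]+)\s*\{(.*?)\};", re.DOTALL)
LOG_RE = re.compile(r"\blog\s*\{(.*?)\};", re.DOTALL)
REF_RE = re.compile(r"\b(source|filter|destination)\s*\(\s*([\w.-]+)\s*\)")
DRIVER_RE = re.compile(r"[\w-]+\s*\(.*?\)\s*;", re.DOTALL)


def strip_comments(text):
    """Drop '#' comments (a '#' inside a quoted string would be cut too; the
    Debian default config has none)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse(text):
    """Return ({kind: {name: body}}, [{kind: [referenced names]} per log path])."""
    text = strip_comments(text)
    objects = defaultdict(dict)
    for kind, name, body in DECL_RE.findall(text):
        objects[kind][name] = body
    logs = []
    for body in LOG_RE.findall(text):
        refs = defaultdict(list)
        for kind, name in REF_RE.findall(body):
            refs[kind].append(name)
        logs.append(refs)
    return objects, logs


def check_config(text):
    objects, logs = parse(text)
    findings = {"name_collisions": [], "duplicate_drivers": [],
                "undefined_refs": [], "unused_destinations": []}

    # 1. one name used for objects of different kinds (filter vs destination)
    owners = defaultdict(set)
    for kind, objs in objects.items():
        for name in objs:
            owners[name].add(kind)
    for name, kinds in sorted(owners.items()):
        if len(kinds) > 1:
            findings["name_collisions"].append((name, tuple(sorted(kinds))))

    # 2. the same driver declared in more than one source: the same socket
    #    or port is read by two sources, as 'net' duplicated 's_all'
    seen = defaultdict(set)
    for name, body in objects["source"].items():
        for driver in DRIVER_RE.findall(body):
            seen[re.sub(r"\s+", "", driver)].add(name)
    for driver, names in sorted(seen.items()):
        if len(names) > 1:
            findings["duplicate_drivers"].append((driver, tuple(sorted(names))))

    # 3. log paths that reference a source/filter/destination never declared
    for index, refs in enumerate(logs, 1):
        for kind, names in refs.items():
            for name in names:
                if name not in objects.get(kind, {}):
                    findings["undefined_refs"].append((index, kind, name))

    # 4. destination files that no log path routes into (they stop growing)
    used = {name for refs in logs for name in refs.get("destination", [])}
    findings["unused_destinations"] = sorted(set(objects["destination"]) - used)
    return findings


if __name__ == "__main__":
    for category, items in check_config(SAMPLE_CONF).items():
        print(category)
        for item in items:
            print("   ", item)
```

Point it at a real file with `check_config(open("/etc/syslog-ng/syslog-ng.conf").read())`; an empty list in every category means the four problems above are absent, not that the file parses.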