[syslog-ng] syslog-ng issue

anushri kannu svanushri0514 at gmail.com
Wed Oct 6 11:27:33 CEST 2010


Please correct me if I am wrong.

The centralized log server forwards logs to the TCIM server.

As per the mail below, the udp(... template) needs to be removed in the *TCIM
server*; also need to check for the closing bracket for the source in the TCIM
server config.

Thank you
your friend




On Thu, Sep 30, 2010 at 7:03 PM, PATRICK HEMMER <syslogng at feystorm.net> wrote:

>  You are rewriting the outgoing destination format from the 'central'
> server "udp(... template(...))". The receiving end probably does not like
> this. Take out the template and see if it works. Also might just be a
> copy-paste error, but you have no closing bracket for the source in your
> 'tcim server' config.
> The easiest way to figure out what's going on would probably be to just launch
> syslog-ng in debug mode and look at all the messages it spits out to see
> where the lines are getting dropped.
>
> -Patrick
>
> Sent: Wed Sep 29 2010 21:43:37 GMT-0600 (Mountain Daylight Time)
> From: anushri kannu <svanushri0514 at gmail.com>
> To: syslog-ng at lists.balabit.hu
> Subject: [syslog-ng] syslog-ng issue
>
> Hi everyone,
>
>
> I am new to the concept of syslog-ng configuration.
>
> syslog-ng is already configured on a Linux server.
>
>
> We have 6 syslog-ng servers:
>
> 4 location syslog-ng servers receive logs from all the syslog clients ...
> working fine
> 1 centralized syslog-ng server receives logs from the 4 locations .......
> working fine
> 1 TCIM syslog-ng server receives logs from the centralized syslog-ng
> server... it was working before for both Solaris and Linux. Now it is suddenly
> not collecting logs, only for Linux. No changes were made.
>
>
>
> Centralized syslog-ng configuration file
>
> options {
>   log_fifo_size(8192);
>   create_dirs(yes);
>   group(sysgrp);
>   dir_group(sysgrp);
>   dir_perm(0750);
>   perm(0440);
>   chain_hostnames(no);
>   keep_hostname(yes);
>   stats(3600);
>   use_fqdn(yes);
>   use_time_recvd(yes);
> };
>
>
> Standard filters
> # Level Filters
> filter f_emerg   { level (emerg);            };
> filter f_alert   { level (alert .. emerg);   };
> filter f_crit    { level (crit .. emerg);    };
> filter f_err     { level (err .. emerg);     };
> filter f_warning { level (warning .. emerg); };
> filter f_notice  { level (notice .. emerg);  };
> filter f_info    { level (info .. emerg);    };
> filter f_debug   { level (debug .. emerg);   };
>
> # Facility Filters
> filter f_kern      { facility (kern);     };
> filter f_user      { facility (user);     };
> filter f_mail      { facility (mail);     };
> filter f_daemon    { facility (daemon);   };
> filter f_auth      { facility (auth);     };
> filter f_authpriv  { facility (authpriv); };
> filter f_syslog    { facility (syslog); };
> filter f_lpr    { facility (lpr);    };
> filter f_news   { facility (news);   };
> filter f_uucp   { facility (uucp);   };
>
>
> filter f_os_unix        {
>         not program(EvntSLog)
>         and not program(NetScreen)
>         and not match ("NetScreen device_id")
>         and not match ("%AAA-")
>         and not match ("%AUTH-")
>         and not match ("%AUTHPRIV-")
>         and not match ("%CALLHOME-")
>         and not match ("%CDP-")
>         and not match ("%EARL-")
>         and not match ("%FILESYS-")
>         and not match ("%IMAGE_DNLD-SLOT")
>         and not match ("%IP-")
>         and not match ("%KERN-")
>         and not match ("%LICMGR-")
>      and not match ("%LINEPROTO-")
>         and not match ("%LINK-")
>         and not match ("%MCAST-")
>         and not match ("%MODULE-")
>         and not match ("%OSPF-")
>         and not match ("%PLATFORM-")
>         and not match ("%PRUNING-")
>         and not match ("%PORT-")
>         and not match ("%SPANTREE-")
>         and not match ("%SYS-")
>         and not match ("%UDLD-")
>         and not match ("%VSHD-")
> };
> source s_local {
>   unix-stream("/dev/log");
>   udp(ip(0.0.0.0) port(514));
>   tcp(ip(0.0.0.0) port(5149) max-connections(333));
>   internal();
>   pipe("/proc/kmsg");
> };
>
> destination dl_hosts-unix {
>
> file("/var/log/syslog-ng/hosts-unix/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.$LEVEL");
>   };
>
>   log {
>         source(s_local);
>         filter(f_os_unix);
>         ###not filter(f_os_switch);
>         destination(dl_hosts-unix);
>   };
>
> destination dl_tcim {
>    udp("10.230.148.18" port(514) template("<$PRI> $DATE $HOST $MESSAGE\r\n"));
>   };
>   log {
>         source(s_local);
>         destination(dl_tcim);
>   };
>
>
>
>
> TCIM server configuration file.
>
> options {
>         sync (0);
>         time_reopen (10);
>         log_fifo_size (1000);
>         long_hostnames (off);
> #       use_dns (no);
>         use_dns (yes);
>         use_fqdn (no);
>         create_dirs (no);
>         keep_hostname (yes);
> };
>
> source src {
>         udp();
>         tcp(port(514) keep-alive(yes));
>
>
> filter f_lnx_hosts {
> host("amex") or
> host("green") or
> host("sa") or
> host("yellow") or
> host("urinf01") or
> etc..;
> ..
> ..
> .
> };
> destination d_lnx {
>         file("/var/log/tcim/$HOST/syslog-$YEAR-$MONTH-$DAY.log"
>                 template("<$PRI>$DATE $HOST $MSG\n")
>                 create_dirs(yes)
>                 owner(svc-tcim)
>                 group(users)
>                 perm(0660)
>                 dir_owner(svc-tcim)
>                 dir_group(users)
>                 dir_perm(0770)
>         );
> };
>
> log { source(src); filter(f_lnx_hosts); destination(d_lnx); };
>
>
>
>
>
>
> I tried the command below on the TCIM server to check the communication between
> the centralized syslog-ng server and the TCIM server
>
> tcpdump -nn -tp -port 514..
>
> IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 375
> IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 193
> IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 638
> IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 638
>
> 1740 packets captured
> 1740 packets received by filter
> 0 packets dropped by kernel
>
> Packets are arriving from the centralized log server.
>
> I do not know where the mistake is.
>
> Please help to resolve this issue.
>
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
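Patrick's point about the rewritten destination format, as an added example (this is not code from the thread or from the syslog-ng project): a small BSD-syslog (RFC 3164) header parser fed the exact line the central server's dl_tcim template produces, "<$PRI> $DATE $HOST $MESSAGE\r\n", next to a plain "<$PRI>$DATE $HOST $MSG\n" line like the one the TCIM file template writes. The message, date and host values are constructed; the host list mirrors filter f_lnx_hosts from the thread. The strict parser below is a model of a receiver that implements RFC 3164 literally, not a model of syslog-ng's own (more lenient) parser, so it shows why the receiving end *might* reject the format and what that looks like downstream: a message whose $HOST cannot be extracted never matches the host filter and is dropped with no error written anywhere, which is consistent with tcpdump showing the packets arriving while the files stay empty. Running the real receiver in debug mode, as Patrick suggests, is the check that confirms which case applies.

```python
"""Strict vs. lenient BSD-syslog (RFC 3164) header parsing, applied to the
two message shapes from the thread.  Added example; not syslog-ng code."""
import re
from typing import NamedTuple, Optional

# Constructed sample values; the host list mirrors filter f_lnx_hosts in the thread.
SAMPLE_PRI = 38                    # facility 4 (auth), severity 6 (info)
SAMPLE_DATE = "Oct  6 11:27:33"    # $DATE as syslog-ng renders it: BSD style, day space-padded
SAMPLE_HOST = "amex"
SAMPLE_MSG = "sshd[2112]: Accepted publickey for root from 10.0.0.7 port 51022 ssh2"
LNX_HOSTS = frozenset({"amex", "green", "sa", "yellow", "urinf01"})


class SyslogMsg(NamedTuple):
    facility: int
    severity: int
    timestamp: str
    host: str
    msg: str


# RFC 3164: <PRI>TIMESTAMP HOSTNAME MSG, the timestamp starting right after '>'.
# The 'lead' group captures any whitespace a non-conforming sender puts between
# '>' and the timestamp, so the caller can decide how to treat it.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<lead>[ \t]*)"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)\Z",
    re.DOTALL,
)


def parse_rfc3164(line: bytes, strict: bool = True) -> Optional[SyslogMsg]:
    """Return the parsed header, or None if the line is not a valid BSD-syslog message.

    strict=True rejects whitespace between '>' and the timestamp, as a receiver
    that implements RFC 3164 literally would.  strict=False tolerates it.
    """
    m = _HEADER.match(line.decode("utf-8", errors="replace"))
    if m is None:
        return None
    if strict and m.group("lead"):
        return None
    pri = int(m.group("pri"))
    if pri > 191:                  # facility 0..23 (<<3) plus severity 0..7
        return None
    return SyslogMsg(
        facility=pri >> 3,
        severity=pri & 7,
        timestamp=m.group("ts"),
        host=m.group("host"),
        msg=m.group("msg").rstrip("\r\n"),   # line terminator is not part of MSG
    )


def render_central_template(pri: int, date: str, host: str, message: str) -> bytes:
    """What the central server's dl_tcim destination emits with
    template("<$PRI> $DATE $HOST $MESSAGE\\r\\n"): note the space after '>'."""
    return f"<{pri}> {date} {host} {message}\r\n".encode()


def render_plain(pri: int, date: str, host: str, message: str) -> bytes:
    """The conforming BSD-syslog shape, the same one the TCIM file template
    in the thread writes: <$PRI>$DATE $HOST $MSG\\n."""
    return f"<{pri}>{date} {host} {message}\n".encode()


def passes_lnx_filter(line: bytes, strict: bool = True) -> bool:
    """Emulates log { source(src); filter(f_lnx_hosts); destination(d_lnx); }:
    a message only reaches d_lnx if its parsed $HOST is in the host list.
    Anything the parser cannot attribute to a listed host is silently dropped."""
    parsed = parse_rfc3164(line, strict)
    return parsed is not None and parsed.host in LNX_HOSTS


if __name__ == "__main__":
    cases = {
        "central template": render_central_template(SAMPLE_PRI, SAMPLE_DATE, SAMPLE_HOST, SAMPLE_MSG),
        "plain RFC 3164  ": render_plain(SAMPLE_PRI, SAMPLE_DATE, SAMPLE_HOST, SAMPLE_MSG),
    }
    for label, wire in cases.items():
        for strict in (True, False):
            mode = "strict " if strict else "lenient"
            print(f"{label} | {mode} receiver | reaches d_lnx: {passes_lnx_filter(wire, strict)}")
```

With the strict receiver the templated line is rejected outright and never reaches d_lnx; the same line parses fine once the receiver tolerates the extra space, and the plain line parses under both. Either dropping the template on the central server (so the wire format is the conforming one) or confirming that the receiver is lenient resolves the ambiguity; the debug run shows which.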