[syslog-ng] Windows event logs vs syslog format

Martin Holste mcholste at gmail.com
Thu Oct 14 00:20:08 CEST 2010


It's the log {} statement that matters for order, and you need a
flags(final) in the statement.

On Wednesday, October 13, 2010, Jerry Riedel <riedel at codylabs.com> wrote:
> Ok, the $SOURCEIP macro solved that problem, but even though I moved that
> section to the top of the list, the remote host messages are still being
> duplicated in the /var/log/messages file.
>
> I've attached the revised conf - what am I missing or doing wrong?
>
> Jerry
>
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Martin Holste
> Sent: Wednesday, October 13, 2010 11:28 AM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Windows event logs vs syslog format
>
> It looks to me like logs from other hosts should be logged both to
> /var/log/messages as well as the individual $HOST folder.  If you only want
> them to go to the $HOSTS folders, then you should put that entry first and
> put flags(final) on the log {} statement.  Check the docs for details on
> doing that.
>
> I agree with Matthew--I always use $SOURCEIP as my log host macro because it
> can be trusted to be well-formed.  I spoof forwarded packets to preserve
> that macro if I'm chaining log hosts.
>
> On Wed, Oct 13, 2010 at 11:31 AM, Jerry Riedel <riedel at codylabs.com> wrote:
>> Here is my config:
>>
>> #
>> # /etc/syslog-ng/syslog-ng.conf
>> #
>> # File format description can be found in syslog-ng.conf(5)
>> # and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
>> #
>> # NOTE: The SuSEconfig script and its syslog-ng.conf.in
>> #       configuration template aren't used any more.
>> #
>> #       Feel free to edit this file directly.
>> #
>> #       Additional log sockets for chroot environments can
>> #       be declared in the /etc/sysconfig/syslog file using
>> #       SYSLOGD_ADDITIONAL_SOCKET<NAME>
>> #       variables. This way allows to define a socket from
>> #       RPM scripts and is used by several services, e.g.
>> #       bind and dhcpd.
>> #
>> #       The sockets defined in /etc/sysconfig/syslog file
>> #       are added by the /etc/ini.d/syslog init-script using
>> #       "-a path" command line options while syslog-ng is
>> #       started.
>> #
>> #       This syslog-ng contains an extension and appends the
>> #       sockets added by "-a" option to the same source group
>> #       and using the same socket type (unix-dgram) as the
>> #       "/dev/log" socket.
>> #       If one of the sockets added by "-a" option already
>> #       exists in any (other) source group in the config file,
>> #       then the socket added by "-a" option is ignored.
>> #
>>
>> #
>> # Global options.
>> #
>> options { long_hostnames(off); sync(0); perm(0640); stats(3600); keep_hostname(yes); };
>>
>> #
>> # 'src' is our main source definition. you can add # more sources
>> driver definitions to it, or define # your own sources, i.e.:
>> #
>> #source my_src { .... };
>> #
>> source src {
>>        #
>>        # include internal syslog-ng messages
>>        # note: the internal() source is required!
>>        #
>>        internal();
>>
>>        #
>>        # the default log socket for local logging:
>>        #
>>        unix-dgram("/dev/log");
>>
>>        #
>>        # uncomment to process log messages from network:
>>        #
>>        udp(ip("0.0.0.0") port(514));
>>        tcp(ip("192.168.0.228") port(5140) keep-alive(yes));
>> };
>>
>> #
>> # Filter definitions
>> #
>> filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };
>>
>> filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
>>                      or level(err) and not facility(authpriv); };
>>
>> filter f_newsnotice { level(notice) and facility(news); };
>> filter f_newscrit   { level(crit)   and facility(news); };
>> filter f_newserr    { level(err)    and facility(news); };
>> filter f_news       { facility(news); };
>>
>> filter f_mailinfo   { level(info)      and facility(mail); }; fil
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
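An added example of the ordering Martin describes, not Jerry's config nor anything from the syslog-ng project: the remote-host log path comes first and carries flags(final), and the per-sender directory is keyed on $SOURCEIP rather than $HOST. The combined source mirrors the thread; the /var/log/remote layout and the @version line are assumptions.

```conf
@version: 3.0

# One combined source, local and network, as in the thread's config.
source src {
    internal();
    unix-dgram("/dev/log");
    udp(ip("0.0.0.0") port(514));
};

# Messages that arrived from another host. netmask() tests the sending
# address (what $SOURCEIP holds), not the free-form HOST field inside the
# message, so a forged hostname cannot steer the file path. Local sockets
# and internal() carry no sender address and count as loopback here.
filter f_remote { not netmask("127.0.0.0/8"); };

# Hypothetical layout: one directory per sender, named by $SOURCEIP.
destination d_remote {
    file("/var/log/remote/$SOURCEIP/$YEAR-$MONTH-$DAY.log"
         create-dirs(yes) perm(0640));
};
destination d_messages { file("/var/log/messages"); };

# Order matters: this log path is evaluated first, and flags(final) stops
# every message it matches from reaching any later log path.
log { source(src); filter(f_remote); destination(d_remote); flags(final); };

# Catch-all for whatever is still in flight, i.e. only local messages now,
# so remote lines are no longer duplicated into /var/log/messages.
log { source(src); destination(d_messages); };
```

Swapping the two log {} statements reintroduces the duplication, since the catch-all would then see every remote message before the final path runs.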