[syslog-ng] Windows event logs vs syslog format
Jerry Riedel
riedel at codylabs.com
Fri Oct 15 19:43:58 CEST 2010
Ok, thanks. That did the trick.
Jerry
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Martin Holste
Sent: Wednesday, October 13, 2010 4:20 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format
It's the log {} statement that matters for order, and you need a
flags(final) in the statement.
On Wednesday, October 13, 2010, Jerry Riedel <riedel at codylabs.com> wrote:
> Ok, the $SOURCEIP macro solved that problem, but even though I moved
> that section to the top of the list, the remote host messages are
> still being duplicated in the /var/log/messages file.
>
> I've attached the revised conf - what am I missing or doing wrong?
>
> Jerry
>
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Martin Holste
> Sent: Wednesday, October 13, 2010 11:28 AM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Windows event logs vs syslog format
>
> It looks to me like logs from other hosts should be logged both to
> /var/log/messages as well as the individual $HOST folder. If you only
> want them to go to the $HOSTS folders, then you should put that entry
> first and put flags(final) on the log {} statement. Check the docs
> for details on doing that.
>
> I agree with Matthew--I always use $SOURCEIP as my log host macro
> because it can be trusted to be well-formed. I spoof forwarded
> packets to preserve that macro if I'm chaining log hosts.
>
> On Wed, Oct 13, 2010 at 11:31 AM, Jerry Riedel <riedel at codylabs.com> wrote:
>> Here is my config:
>>
>> #
>> # /etc/syslog-ng/syslog-ng.conf
>> #
>> # File format description can be found in syslog-ng.conf(5)
>> # and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
>> #
>> # NOTE: The SuSEconfig script and its syslog-ng.conf.in
>> # configuration template aren't used any more.
>> #
>> # Feel free to edit this file directly.
>> #
>> # Additional log sockets for chroot environments can
>> # be declared in the /etc/sysconfig/syslog file using
>> # SYSLOGD_ADDITIONAL_SOCKET<NAME>
>> # variables. This way allows to define a socket from
>> # RPM scripts and is used by several services, e.g.
>> # bind and dhcpd.
>> #
>> # The sockets defined in /etc/sysconfig/syslog file
>> # are added by the /etc/init.d/syslog init-script using
>> # "-a path" command line options while syslog-ng is
>> # started.
>> #
>> # This syslog-ng contains an extension and appends the
>> # sockets added by "-a" option to the same source group
>> # and using the same socket type (unix-dgram) as the
>> # "/dev/log" socket.
>> # If one of the sockets added by "-a" option already
>> # exists in any (other) source group in the config file,
>> # then the socket added by "-a" option is ignored.
>> #
>>
>> #
>> # Global options.
>> #
>> options { long_hostnames(off); sync(0); perm(0640); stats(3600); keep_hostname(yes); };
>>
>> #
>> # 'src' is our main source definition. you can add
>> # more sources driver definitions to it, or define
>> # your own sources, i.e.:
>> #
>> #source my_src { .... };
>> #
>> source src {
>> #
>> # include internal syslog-ng messages
>> # note: the internal() source is required!
>> #
>> internal();
>>
>> #
>> # the default log socket for local logging:
>> #
>> unix-dgram("/dev/log");
>>
>> #
>> # uncomment to process log messages from network:
>> #
>> udp(ip("0.0.0.0") port(514));
>> tcp(ip("192.168.0.228") port(5140) keep-alive(yes));
>> };
>>
>> #
>> # Filter definitions
>> #
>> filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
>>
>> filter f_console { level(warn) and facility(kern) and not filter(f_iptables)
>>     or level(err) and not facility(authpriv); };
>>
>> filter f_newsnotice { level(notice) and facility(news); };
>> filter f_newscrit { level(crit) and facility(news); };
>> filter f_newserr { level(err) and facility(news); };
>> filter f_news { facility(news); };
>>
>> filter f_mailinfo { level(info) and facility(mail); };
>> fil
>
> ______________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
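The ordering and flags(final) fix Martin describes, written out as an added example; this is not Jerry's attached conf and not a fragment from the syslog-ng project's own documentation. It reuses the source src and options block as posted above, and assumes that the remote senders sit on 192.168.0.0/24 and that per-host files are to be kept under /var/log/hosts/ (both are assumptions, not values from the thread):

```conf
# Added example, not the original poster's configuration.
# Source and options are as posted in the thread:
options { long_hostnames(off); sync(0); perm(0640); stats(3600); keep_hostname(yes); };

source src {
    internal();
    unix-dgram("/dev/log");
    udp(ip("0.0.0.0") port(514));
    tcp(ip("192.168.0.228") port(5140) keep-alive(yes));
};

# Assumption: remote hosts are on 192.168.0.0/24. netmask() tests the
# address the message actually arrived from; messages read from the local
# unix socket or from internal() carry no IP and therefore never match.
filter f_remote { netmask("192.168.0.0/24"); };

# $SOURCEIP is taken from the transport, not from the syslog header, so a
# sender cannot choose it and it is always a well-formed path component.
# $HOST, with keep_hostname(yes), is whatever the sender wrote in the
# message header. Assumption: per-host files live under /var/log/hosts/.
destination d_hosts { file("/var/log/hosts/$SOURCEIP/messages" create_dirs(yes)); };
destination d_messages { file("/var/log/messages"); };

# Log paths are evaluated in the order written. This one must come first,
# and flags(final) stops a message that matched it from being offered to
# any later log path.
log { source(src); filter(f_remote); destination(d_hosts); flags(final); };

# Everything that did not match above (local messages) lands here. Without
# flags(final) on the previous path, remote messages would match this path
# too and be written a second time, which is the duplication seen in the
# thread.
log { source(src); destination(d_messages); };
```

After editing, `syslog-ng -s` (syntax check) followed by a restart and a test message from one remote host should produce exactly one copy, under /var/log/hosts/&lt;ip&gt;/messages and not in /var/log/messages; if the copy still appears in both files, check that no other log {} statement earlier in the file also references source(src) without a filter.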