[syslog-ng] changing incoming facility.level -> kern.emerg
Charlie Reddington
charlie.reddington at gmail.com
Wed Sep 1 23:17:05 CEST 2010
I'm having some funky behavior where my central syslog-ng server is
marking all forwarded events as facility kern, level emerg.
The remote hosts are CentOS 5 x86_64. They are using the system
install syslog. The ones I started with have nginx web server,
patched to send its log messages under local5.crit for errors, and
local5.notice for access logs.
Its syslog.conf looks like so.
Code:
# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# nginx local logs
local5.notice /usr/local/logs/access.log
local5.crit /usr/local/logs/error.log
# Syslog-ng
*.* @remoteIP
They are logging locally as expected, and things are coming into the
remote host as expected.
(from a strace)
32443 recvfrom(3, "<173>nginx: ScrubbedIP www.fa"..., 8192, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("ScrubbedIP")}, [16]) = 412
What I can't tell is how they are actually coming in (meaning what
level / facility).
My central logging server is running the latest syslog-ng. My configs
look like...
Code:
# cat /etc/syslog-ng/syslog-ng.conf
# Syslog-ng config
options {
use_dns(no);
keep_hostname(yes);
long_hostnames(off);
chain_hostnames(off);
sync(1);
log_fifo_size(1024);
create_dirs(yes);
perm(0644);
stats_freq(3600);
mark_freq(600);
};
#
# Data Sources
#
# External Syslog
source s_external {
# udp();
udp(ip("0.0.0.0") port(514) flags(no_parse));
};
#
# Where to put Data
#
# Access Logs
destination d_access_log { file("/syslog-ng/$HOST/access.log"); };
# Error Logs
destination d_error_log { file("/syslog-ng/$HOST/error.log"); };
# Everything else
destination d_log { file("/syslog-ng/$HOST/$FACILITY.$LEVEL"); };
#
# Data Filters
#
# Facility local5
filter f_local5 { facility(local5); };
# Level info
filter f_info { level(info); };
# Level notice
filter f_notice { level(notice); };
# Level warn
filter f_warn { level(warn); };
# Level crit
filter f_crit { level(crit); };
# Level err
filter f_err { level(err); };
#
# Data Logging Locations
#
# Access Log
log { source(s_external); filter(f_local5); filter(f_notice); destination(d_access_log); };
# Error Log
log { source(s_external); filter(f_local5); filter(f_crit); destination(d_error_log); };
log { source(s_external); destination(d_log); };
The only problem here is that I'm not getting any access.log or
error.log. I'm only getting kern.emerg log with EVERYTHING in it (the
last log rule).
I have verified that events are coming in correctly as I expect.
Code:
tcpdump port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:47:33.128579 IP scrubbed.syslog > scrubbed.syslog: SYSLOG local5.notice, length: 409
15:47:33.145029 IP scrubbed.syslog > scrubbed.syslog: SYSLOG local5.notice, length: 233
So I'm not sure what syslog-ng is doing to convert this to kern.emerg
instead of leaving it local5.notice.
At this point, I'm pretty sure the config is sane, but maybe I'm
missing something.
Syslog-NG / central server stats
# /sbin/syslog-ng -V
syslog-ng 2.1.4
# cat /etc/redhat-release
CentOS release 5.5 (Final)
Fetched with GIT.
syslog / remote server stats
# /sbin/syslogd -v
syslogd 1.4.1
# cat /etc/redhat-release
CentOS release 5.5 (Final)
Any help is appreciated.
Charlie
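An added example, not part of Charlie's post: a small Python decoder for the syslog PRI header that the strace above shows as `<173>`, plus what a receiver ends up with when that header is not parsed at all, which is what `flags(no_parse)` on the udp() source does. The datagram text is constructed; the facility and severity tables are the RFC 3164 codes.

```python
import re

# Facility and severity code tables from RFC 3164 (list index == numeric code).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The PRI header is "<N>" at the very start of the datagram, N = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def encode_pri(facility, severity):
    """Inverse of decode_pri: the <N> value a sender emits for facility.severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def receive(raw, parse_header=True):
    """Return (facility, severity, message) as the receiver classifies the datagram.

    parse_header=False mirrors flags(no_parse): the whole datagram becomes the
    message body and no priority is extracted, so the message is left at
    priority 0, which decodes to kern.emerg (what the post sees with syslog-ng 2.1.4).
    With parsing on and no header present, RFC 3164 says to assume PRI 13 (user.notice).
    """
    if parse_header:
        m = PRI_RE.match(raw)
        if m:
            facility, severity = decode_pri(int(m.group(1)))
            return facility, severity, raw[m.end():]
        facility, severity = decode_pri(13)
        return facility, severity, raw
    facility, severity = decode_pri(0)
    return facility, severity, raw


# Constructed datagram modelled on the strace line in the post (addresses are documentation IPs).
SAMPLE = "<173>nginx: 192.0.2.10 www.example.test - GET / 200"

if __name__ == "__main__":
    print(receive(SAMPLE))                      # ('local5', 'notice', 'nginx: 192.0.2.10 ...')
    print(receive(SAMPLE, parse_header=False))  # ('kern', 'emerg', '<173>nginx: 192.0.2.10 ...')
    print(encode_pri("local5", "crit"))         # 170
```

Running it shows the same datagram landing as local5.notice when the header is parsed and as kern.emerg when it is not, which is why the f_local5 filters never match and only the catch-all d_log rule fires.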