[syslog-ng] syslog-ng issue

anushri kannu svanushri0514 at gmail.com
Thu Sep 30 05:43:37 CEST 2010


Hi everyone,


I am new to the concept of syslog-ng configuration.

syslog-ng is already configured on a Linux server.


We have 6 syslog-ng servers:

4 location syslog-ng servers receive logs from all the syslog clients ...
working fine
1 centralized syslog-ng server receives logs from the 4 locations ...
working fine
1 tcim syslog-ng server receives logs from the centralized syslog-ng
server ... it was working before for both Solaris and Linux. Now it has suddenly
stopped collecting logs, only for Linux. No changes were made.



Centralized syslog-ng configuration file

# Global options of the centralized server.
options {
  log_fifo_size(8192);
  create_dirs(yes);
  group(sysgrp);
  dir_group(sysgrp);
  # Directories 0750 and files 0440, owned by group sysgrp: log files are
  # read-only once written, which is the usual least-privilege layout.
  dir_perm(0750);
  perm(0440);
  # chain_hostnames(no) + keep_hostname(yes): $HOST stays the name carried in
  # the received message; this relay does not prepend or replace it.
  chain_hostnames(no);
  keep_hostname(yes);
  stats(3600);
  # use_fqdn(yes): $HOST is expanded as a fully qualified name where one is
  # available, so the downstream tcim host() filters must match that form.
  use_fqdn(yes);
  use_time_recvd(yes);
};


Standard filters
# Level Filters
# "a .. b" is an inclusive range, so f_err matches err, crit, alert and emerg.
filter f_emerg   { level (emerg);            };
filter f_alert   { level (alert .. emerg);   };
filter f_crit    { level (crit .. emerg);    };
filter f_err     { level (err .. emerg);     };
filter f_warning { level (warning .. emerg); };
filter f_notice  { level (notice .. emerg);  };
filter f_info    { level (info .. emerg);    };
filter f_debug   { level (debug .. emerg);   };

# Facility Filters
# None of these standard filters is referenced by the log statements shown
# below; they are kept as reusable building blocks.
filter f_kern      { facility (kern);     };
filter f_user      { facility (user);     };
filter f_mail      { facility (mail);     };
filter f_daemon    { facility (daemon);   };
filter f_auth      { facility (auth);     };
filter f_authpriv  { facility (authpriv); };
filter f_syslog    { facility (syslog); };
filter f_lpr    { facility (lpr);    };
filter f_news   { facility (news);   };
filter f_uucp   { facility (uucp);   };


# Excludes messages from the EvntSLog and NetScreen programs and messages whose
# text contains any of the listed "%NAME-" tags (these look like network-device
# log prefixes), so that only Unix-host logs reach dl_hosts-unix.
filter f_os_unix        {
        not program(EvntSLog)
        and not program(NetScreen)
        and not match ("NetScreen device_id")
        and not match ("%AAA-")
        and not match ("%AUTH-")
        and not match ("%AUTHPRIV-")
        and not match ("%CALLHOME-")
        and not match ("%CDP-")
        and not match ("%EARL-")
        and not match ("%FILESYS-")
        and not match ("%IMAGE_DNLD-SLOT")
        and not match ("%IP-")
        and not match ("%KERN-")
        and not match ("%LICMGR-")
     and not match ("%LINEPROTO-")
        and not match ("%LINK-")
        and not match ("%MCAST-")
        and not match ("%MODULE-")
        and not match ("%OSPF-")
        and not match ("%PLATFORM-")
        and not match ("%PRUNING-")
        and not match ("%PORT-")
        and not match ("%SPANTREE-")
        and not match ("%SYS-")
        and not match ("%UDLD-")
        and not match ("%VSHD-")
# NOTE(review): the closing "};" of f_os_unix is missing from this paste; as shown,
# the config would not parse. Confirm it is present in the real file.
# Everything the centralized server receives: the local socket, the kernel
# message pipe, syslog-ng's own messages, and network listeners.
source s_local {
  unix-stream("/dev/log");
  # ip(0.0.0.0) binds the listeners on every interface, so any host that can
  # reach 514/udp or 5149/tcp can deliver messages here; restrict this at the
  # network level if not already done.
  udp(ip(0.0.0.0) port(514));
  tcp(ip(0.0.0.0) port(5149) max-connections(333));
  internal();
  pipe("/proc/kmsg");
};

# Local archive, one file per host/day/facility/level (permissions come from
# the global perm/dir_perm/group options above).
destination dl_hosts-unix {

file("/var/log/syslog-ng/hosts-unix/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.$LEVEL");
  };

  # Local archive path: only messages passing f_os_unix are written to disk.
  log {
        source(s_local);
        filter(f_os_unix);
        # A second, switch-related filter was disabled here; as written, only
        # f_os_unix applies.
        ###not filter(f_os_switch);
        destination(dl_hosts-unix);
  };

# Forwarder to the tcim server. Plain UDP gives no delivery confirmation and no
# authentication, so a message lost on the way leaves no trace on this side.
destination dl_tcim {
   # NOTE(review): in this paste the template string wraps onto a second line;
   # presumably mail wrapping, but confirm it is a single line in the real file.
   udp("10.230.148.18" port(514) template("<$PRI> $DATE $HOST
$MESSAGE\r\n"));
  };
  # Forwarding path: no filter, so everything s_local receives (including
  # syslog-ng's internal() messages and traffic from the open listeners) is
  # relayed to tcim.
  log {
        source(s_local);
        destination(dl_tcim);
  };




tcim server configuration file.

# Global options of the tcim server.
options {
        sync (0);
        time_reopen (10);
        # Much smaller output queue than the centralized server's 8192; under a
        # burst this can drop messages, which the stats output would show.
        log_fifo_size (1000);
        long_hostnames (off);
        # NOTE(review): use_dns was switched from no to yes at some point (the
        # old line is kept commented out) — worth confirming whether this
        # predates the Linux logs going missing.
#       use_dns (no);
        use_dns (yes);
        # use_fqdn(no) here versus use_fqdn(yes) on the centralized server:
        # with keep_hostname(yes) the $HOST from the forwarded message is kept
        # as received, so the host() filters below see that form.
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (yes);
};

# Network listeners of the tcim server; udp() with no port uses the default 514,
# which matches the traffic seen in the tcpdump output below.
source src {
        udp();
        tcp(port(514) keep-alive(yes));
# NOTE(review): the closing "};" of source src is missing from this paste;
# confirm it is present in the real file.


# Allow-list of Linux hosts by name; the list is elided in this paste ("etc..").
# Only messages whose $HOST matches one of these patterns reach d_lnx, so a
# Linux sender whose $HOST arrives in a different form (e.g. fully qualified,
# given use_fqdn(yes) on the centralized server) than the pattern expects is
# silently dropped here — the first place to check for the missing Linux logs.
filter f_lnx_hosts {
host("amex") or
host("green") or
host("sa") or
host("yellow") or
host("urinf01") or
etc..;
..
..
.
};
# Per-host daily log file on the tcim server.
destination d_lnx {
        file("/var/log/tcim/$HOST/syslog-$YEAR-$MONTH-$DAY.log"
                # $MSG here versus $MESSAGE on the centralized server's forwarder
                # template; confirm both expand to the intended message text
                # on the syslog-ng version in use.
                template("<$PRI>$DATE $HOST $MSG\n")
                create_dirs(yes)
                owner(svc-tcim)
                # group(users) with 0660/0770 makes the log files and directories
                # writable by every member of "users", not only the svc-tcim
                # account; a dedicated group would be the least-privilege choice.
                group(users)
                perm(0660)
                dir_owner(svc-tcim)
                dir_group(users)
                dir_perm(0770)
        );
};

# Everything received that passes the host allow-list is written to d_lnx.
log { source(src); filter(f_lnx_hosts); destination(d_lnx); };






I tried the command below on the tcim server to check the communication between
the centralized syslog-ng server and the tcim server:

tcpdump -nn -tp -port 514..

IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 375
IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 193
IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 638
IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 638

1740 packets captured
1740 packets received by filter
0 packets dropped by kernel

Packets are arriving from the centralized log server.

I do not know where the mistake is.

Please help to resolve this issue.

