[syslog-ng] syslog-ng issue
PATRICK HEMMER
syslogng at feystorm.net
Thu Sep 30 15:33:51 CEST 2010
You are rewriting the outgoing destination format from the 'central'
server "udp(... template(...))". The receiving end probably does not
like this. Take out the template and see if it works. Also might just be
a copy-paste error, but you have no closing bracket for the source in
your 'tcim server' config.
The easiest way to figure out what's going on would probably be to just
launch syslog-ng in debug mode and look at all the messages it spits out
to see where the lines are getting dropped.
-Patrick
Sent: Wed Sep 29 2010 21:43:37 GMT-0600 (Mountain Daylight Time)
From: anushri kannu <svanushri0514 at gmail.com>
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] syslog-ng issue
> Hi everyone,
>
>
> I am new to concept of syslog-ng configuration.
>
> Already syslog-ng configured in linux server
>
>
> We have 6 syslog-ng server
>
> 4 location syslog-ng server receives logs from all the syslog client
> .. working fine
> 1 centralized syslog-ng (server receives log from 4 locations .......
> working fine
> 1 we have tcim syslog-ng server receives logs from centralized
> syslog-ng server... it was working before for both solaris and linux .
> Now suddenly not collecting logs only for linux. No changes were made.
>
>
>
> Centralized syslog-ng configuration file
>
> options {
> log_fifo_size(8192);
> create_dirs(yes);
> group(sysgrp);
> dir_group(sysgrp);
> dir_perm(0750);
> perm(0440);
> chain_hostnames(no);
> keep_hostname(yes);
> stats(3600);
> use_fqdn(yes);
> use_time_recvd(yes);
> };
>
>
> Standard filters
> # Level Filters
> filter f_emerg { level (emerg); };
> filter f_alert { level (alert .. emerg); };
> filter f_crit { level (crit .. emerg); };
> filter f_err { level (err .. emerg); };
> filter f_warning { level (warning .. emerg); };
> filter f_notice { level (notice .. emerg); };
> filter f_info { level (info .. emerg); };
> filter f_debug { level (debug .. emerg); };
>
> # Facility Filters
> filter f_kern { facility (kern); };
> filter f_user { facility (user); };
> filter f_mail { facility (mail); };
> filter f_daemon { facility (daemon); };
> filter f_auth { facility (auth); };
> filter f_authpriv { facility (authpriv); };
> filter f_syslog { facility (syslog); };
> filter f_lpr { facility (lpr); };
> filter f_news { facility (news); };
> filter f_uucp { facility (uucp); };
>
>
> filter f_os_unix {
> not program(EvntSLog)
> and not program(NetScreen)
> and not match ("NetScreen device_id")
> and not match ("%AAA-")
> and not match ("%AUTH-")
> and not match ("%AUTHPRIV-")
> and not match ("%CALLHOME-")
> and not match ("%CDP-")
> and not match ("%EARL-")
> and not match ("%FILESYS-")
> and not match ("%IMAGE_DNLD-SLOT")
> and not match ("%IP-")
> and not match ("%KERN-")
> and not match ("%LICMGR-")
> and not match ("%LINEPROTO-")
> and not match ("%LINK-")
> and not match ("%MCAST-")
> and not match ("%MODULE-")
> and not match ("%OSPF-")
> and not match ("%PLATFORM-")
> and not match ("%PRUNING-")
> and not match ("%PORT-")
> and not match ("%SPANTREE-")
> and not match ("%SYS-")
> and not match ("%UDLD-")
> and not match ("%VSHD-");
> };
> source s_local {
> unix-stream("/dev/log");
> udp(ip(0.0.0.0) port(514));
> tcp(ip(0.0.0.0) port(5149) max-connections(333));
> internal();
> pipe("/proc/kmsg");
> };
>
> destination dl_hosts-unix {
>
> file("/var/log/syslog-ng/hosts-unix/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.$LEVEL");
> };
>
> log {
> source(s_local);
> filter(f_os_unix);
> ###not filter(f_os_switch);
> destination(dl_hosts-unix);
> };
>
> destination dl_tcim {
> udp("10.230.148.18" port(514) template("<$PRI> $DATE $HOST $MESSAGE\r\n"));
> };
> log {
> source(s_local);
> destination(dl_tcim);
> };
>
>
>
>
> tcim server configuration file.
>
> options {
> sync (0);
> time_reopen (10);
> log_fifo_size (1000);
> long_hostnames (off);
> # use_dns (no);
> use_dns (yes);
> use_fqdn (no);
> create_dirs (no);
> keep_hostname (yes);
> };
>
> source src {
> udp();
> tcp(port(514) keep-alive(yes));
>
>
> filter f_lnx_hosts {
> host("amex") or
> host("green") or
> host("sa") or
> host("yellow") or
> host("urinf01") or
> etc..;
> ..
> ..
> .
> };
> destination d_lnx {
> file("/var/log/tcim/$HOST/syslog-$YEAR-$MONTH-$DAY.log"
> template("<$PRI>$DATE $HOST $MSG\n")
> create_dirs(yes)
> owner(svc-tcim)
> group(users)
> perm(0660)
> dir_owner(svc-tcim)
> dir_group(users)
> dir_perm(0770)
> );
> };
>
> log { source(src); filter(f_lnx_hosts); destination(d_lnx); };
>
>
>
>
>
>
> I did try the below command on the TCIM server to check the communication
> between the centralized syslog-ng server and the tcim server
>
> tcpdump -nn -tp -port 514..
>
> IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 375
> IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 193
> IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 638
> IP 10.180.40.83.59535 > 10.230.148.18.514: UDP, length 638
>
> 1740 packets captured
> 1740 packets received by filter
> 0 packets dropped by kernel
>
> Packets are arriving from the centralised log server.
>
> Do not know where the mistake is.
>
> Please help to resolve this issue.
>
>
>
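As an added illustration, not part of the thread: a strict RFC 3164 header check of the kind a receiver might apply, run over two constructed lines shaped like the central server's udp() template and the default-style template used in the tcim file() destination. It flags the two places the central template departs from the standard layout (the space after <PRI> and the \r before \n); whether the tcim receiver actually drops lines for that is what the debug run would confirm.

```python
import re

# Constructed sample lines (not from the thread) shaped like the two templates
# quoted in it: the central server's "<$PRI> $DATE $HOST $MESSAGE\r\n" and the
# default-style "<$PRI>$DATE $HOST $MSG\n" from the tcim file() destination.
CENTRAL_TEMPLATE_LINE = "<38> Sep 29 21:43:37 green sshd[1234]: Accepted publickey for user\r\n"
DEFAULT_FORMAT_LINE = "<38>Sep 29 21:43:37 green sshd[1234]: Accepted publickey for user\n"

# RFC 3164 header: <PRI> immediately followed by TIMESTAMP, one space,
# HOSTNAME, one space, then the MSG part.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def check_syslog_line(line):
    """Strictly validate one BSD syslog line.

    Returns (ok, problems, fields): ok is True only when the line matches the
    RFC 3164 layout exactly; problems lists every deviation found; fields holds
    the decoded facility/severity/host/msg once the header has parsed.
    """
    problems = []
    if line.endswith("\r\n"):
        problems.append("trailing CR before LF")
    body = line.rstrip("\r\n")
    m = _HEADER.match(body)
    if m is None:
        # Diagnose the specific deviation the central template introduces.
        if re.match(r"^<\d{1,3}> ", body):
            problems.append("space between <PRI> and TIMESTAMP")
        else:
            problems.append("header is not <PRI>TIMESTAMP HOSTNAME MSG")
        return False, problems, {}
    pri = int(m.group("pri"))
    if pri > 191:
        problems.append("PRI out of range (max 191)")
    fields = {
        "facility": pri // 8,   # 38 // 8 == 4 -> auth
        "severity": pri % 8,    # 38 % 8 == 6 -> info
        "host": m.group("host"),
        "msg": m.group("msg"),
    }
    return not problems, problems, fields


if __name__ == "__main__":
    for name, sample in (("central", CENTRAL_TEMPLATE_LINE), ("default", DEFAULT_FORMAT_LINE)):
        ok, problems, fields = check_syslog_line(sample)
        print(name, "OK" if ok else "REJECT", problems, fields.get("host"))
```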