[syslog-ng] Problem sending logs to central log server..
Patrick H.
syslogng at feystorm.net
Mon Sep 19 23:04:44 CEST 2011
Dont forget to leave the mailing list on the list of recips :-)
Anyway, its still commented out in your log {} block. If the log block
has no source, it wont log anything.
log {
# source(src_eventdb);
filter(f_at_least_warn);
# filter(f_syslog);
destination(d_eventdb);
};
-Patrick
Sent: Mon Sep 19 2011 14:43:08 GMT-0600 (MST)
From: rek2 <rek2gnulinux at gmail.com>
To: Patrick H. <syslogng at feystorm.net>
Subject: Re: [syslog-ng] Problem sending logs to central log server..
> Hi Patrick, thanks for your reply, yes you right sorry I did the copy
> and paste before I uncomented some lines since Im testing here and
> there..
>
> this is how I have it now.. the last part:
>
> #syslog-ng2mysql destinations
>
> source src_eventdb {
> unix-stream("/dev/log");
> udp(ip(0.0.0.0) port(514));
> };
>
> destination d_eventdb {
> pipe(
> "/usr/local/icinga/var/rw/syslog-ng.pipe",
>
> template("$HOST\t$SOURCEIP\t$PRI\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n")
> template_escape(no)
> );
> };
>
> filter f_at_least_warn {
> # level(warn..emerg);
> # level(notice..emerg);
> level(info, notice, warn, crit, err, debug);
> };
>
> log {
> # source(src_eventdb);
> filter(f_at_least_warn);
> # filter(f_syslog);
> destination(d_eventdb);
> };
>
> #log {
> # source(src_eventdb);
> # filter(f_auth);
> # destination(d_eventdb);
> #};
>
>
> 2011/9/19 Patrick H. <syslogng at feystorm.net
> <mailto:syslogng at feystorm.net>>
>
> In your server config, the only listener you have on udp port 514
> is defined in src_eventdb, and all src_eventdb entries are
> commented out.
>
> -Patrick
>
>
> Sent: Mon Sep 19 2011 11:40:15 GMT-0600 (MST)
> From: rek2 <rek2gnulinux at gmail.com> <mailto:rek2gnulinux at gmail.com>
> To: syslog-ng at lists.balabit.hu <mailto:syslog-ng at lists.balabit.hu>
> Subject: [syslog-ng] Problem sending logs to central log server..
>> Hello, I'm trying to sent all my logs from one openbsd server
>> with syslog-ng to a linux ubuntu central log server also with
>> syslog-ng of course but only the syslog-ng logs are been logged..
>> also when I do a "logger test" for example it gets log locally
>> but not remotely to the log server...
>> here are my configs:
>>
>> for the log server is basically the defaul of ubuntu with my
>> addtions at the end.. you will see
>> some commented is me trying to fix this issue.
>>
>>
>> cat syslog-ng/syslog-ng.conf
>> #
>> # Configuration file for syslog-ng under Debian
>> #
>> # attempts at reproducing default syslog behavior
>>
>> # the standard syslog levels are (in descending order of priority):
>> # emerg alert crit err warning notice info debug
>> # the aliases "error", "panic", and "warn" are deprecated
>> # the "none" priority found in the original syslogd configuration is
>> # only used in internal messages created by syslogd
>>
>>
>> ######
>> # options
>>
>> options {
>> # disable the chained hostname format in logs
>> # (default is enabled)
>> chain_hostnames(0);
>>
>> # the time to wait before a died connection is re-established
>> # (default is 60)
>> time_reopen(10);
>>
>> # the time to wait before an idle destination file is closed
>> # (default is 60)
>> time_reap(360);
>>
>> # the number of lines buffered before written to file
>> # you might want to increase this if your disk isn't
>> catching with
>> # all the log messages you get or if you want less disk
>> activity
>> # (say on a laptop)
>> # (default is 0)
>> #sync(0);
>>
>> # the number of lines fitting in the output queue
>> log_fifo_size(2048);
>>
>> # enable or disable directory creation for destination files
>> create_dirs(yes);
>>
>> # default owner, group, and permissions for log files
>> # (defaults are 0, 0, 0600)
>> #owner(root);
>> group(adm);
>> perm(0640);
>>
>> # default owner, group, and permissions for created
>> directories
>> # (defaults are 0, 0, 0700)
>> #dir_owner(root);
>> #dir_group(root);
>> dir_perm(0755);
>>
>> # enable or disable DNS usage
>> # syslog-ng blocks on DNS queries, so enabling DNS may
>> lead to
>> # a Denial of Service attack
>> # (default is yes)
>> use_dns(yes);
>>
>> # maximum length of message in bytes
>> # this is only limited by the program listening on the
>> /dev/log Unix
>> # socket, glibc can handle arbitrary length log messages,
>> but -- for
>> # example -- syslogd accepts only 1024 bytes
>> # (default is 2048)
>> #log_msg_size(2048);
>>
>> #Disable statistic log messages.
>> stats_freq(0);
>>
>> # Some program send log messages through a private
>> implementation.
>> # and sometimes that implementation is bad. If this
>> happen syslog-ng
>> # may recognise the program name as hostname. Whit this
>> option
>> # we tell the syslog-ng that if a hostname match this
>> regexp than that
>> # is not a real hostname.
>> bad_hostname("^gconfd$");
>> keep_hostname (yes);
>>
>> };
>>
>>
>> ######
>> # sources
>>
>> # all known message sources
>> source s_all {
>> # message generated by Syslog-NG
>> internal();
>> # standard Linux log source (this is the default place
>> for the syslog()
>> # function to send logs to)
>> unix-stream("/dev/log");
>> # messages from the kernel
>> file("/proc/kmsg" log_prefix("kernel: "));
>> # use the following line if you want to receive remote
>> UDP logging messages
>> # (this is equivalent to the "-r" syslogd flag)
>> # udp();
>> };
>>
>>
>> ######
>> # destinations
>>
>> # some standard log files
>> destination df_auth { file("/var/log/auth.log"); };
>> destination df_syslog { file("/var/log/syslog"); };
>> destination df_cron { file("/var/log/cron.log"); };
>> destination df_daemon { file("/var/log/daemon.log"); };
>> destination df_kern { file("/var/log/kern.log"); };
>> destination df_lpr { file("/var/log/lpr.log"); };
>> destination df_mail { file("/var/log/mail.log"); };
>> destination df_user { file("/var/log/user.log"); };
>> destination df_uucp { file("/var/log/uucp.log"); };
>>
>> # these files are meant for the mail system log files
>> # and provide re-usable destinations for {mail,cron,...}.info,
>> # {mail,cron,...}.notice, etc.
>> destination df_facility_dot_info {
>> file("/var/log/$FACILITY.info"); };
>> destination df_facility_dot_notice {
>> file("/var/log/$FACILITY.notice"); };
>> destination df_facility_dot_warn {
>> file("/var/log/$FACILITY.warn"); };
>> destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
>> destination df_facility_dot_crit {
>> file("/var/log/$FACILITY.crit"); };
>>
>> # these files are meant for the news system, and are kept separated
>> # because they should be owned by "news" instead of "root"
>> destination df_news_dot_notice { file("/var/log/news/news.notice"
>> owner("news")); };
>> destination df_news_dot_err { file("/var/log/news/news.err"
>> owner("news")); };
>> destination df_news_dot_crit { file("/var/log/news/news.crit"
>> owner("news")); };
>>
>> # some more classical and useful files found in standard syslog
>> configurations
>> destination df_debug { file("/var/log/debug"); };
>> destination df_messages { file("/var/log/messages"); };
>>
>> # pipes
>> # a console to view log messages under X
>> destination dp_xconsole { pipe("/dev/xconsole"); };
>>
>> # consoles
>> # this will send messages to everyone logged in
>> destination du_all { usertty("*"); };
>>
>>
>> ######
>> # filters
>>
>> # all messages from the auth and authpriv facilities
>> filter f_auth { facility(auth, authpriv); };
>>
>> # all messages except from the auth and authpriv facilities
>> filter f_syslog { not facility(auth, authpriv); };
>>
>> # respectively: messages from the cron, daemon, kern, lpr, mail,
>> news, user,
>> # and uucp facilities
>> filter f_cron { facility(cron); };
>> filter f_daemon { facility(daemon); };
>> filter f_kern { facility(kern); };
>> filter f_lpr { facility(lpr); };
>> filter f_mail { facility(mail); };
>> filter f_news { facility(news); };
>> filter f_user { facility(user); };
>> filter f_uucp { facility(uucp); };
>>
>> # some filters to select messages of priority greater or equal to
>> info, warn,
>> # and err
>> # (equivalents of syslogd's *.info, *.warn, and *.err)
>> filter f_at_least_info { level(info..emerg); };
>> filter f_at_least_notice { level(notice..emerg); };
>> filter f_at_least_warn { level(warn..emerg); };
>> filter f_at_least_err { level(err..emerg); };
>> filter f_at_least_crit { level(crit..emerg); };
>>
>> # all messages of priority debug not coming from the auth,
>> authpriv, news, and
>> # mail facilities
>> filter f_debug { level(debug) and not facility(auth, authpriv,
>> news, mail); };
>>
>> # all messages of info, notice, or warn priority not coming form
>> the auth,
>> # authpriv, cron, daemon, mail, and news facilities
>> filter f_messages {
>> level(info,notice,warn)
>> and not facility(auth,authpriv,cron,daemon,mail,news);
>> };
>>
>> # messages with priority emerg
>> filter f_emerg { level(emerg); };
>>
>> # complex filter for messages usually sent to the xconsole
>> filter f_xconsole {
>> facility(daemon,mail)
>> or level(debug,info,notice,warn)
>> or (facility(news)
>> and level(crit,err,notice));
>> };
>>
>>
>> ######
>> # logs
>> # order matters if you use "flags(final);" to mark the end of
>> processing in a
>> # "log" statement
>>
>> # these rules provide the same behavior as the commented original
>> syslogd rules
>>
>> # auth,authpriv.* /var/log/auth.log
>> log {
>> source(s_all);
>> filter(f_auth);
>> destination(df_auth);
>> };
>>
>> # *.*;auth,authpriv.none -/var/log/syslog
>> log {
>> source(s_all);
>> filter(f_syslog);
>> destination(df_syslog);
>> };
>>
>> # this is commented out in the default syslog.conf
>> # cron.* /var/log/cron.log
>> #log {
>> # source(s_all);
>> # filter(f_cron);
>> # destination(df_cron);
>> #};
>>
>> # daemon.* -/var/log/daemon.log
>> log {
>> source(s_all);
>> filter(f_daemon);
>> destination(df_daemon);
>> };
>>
>> # kern.* -/var/log/kern.log
>> log {
>> source(s_all);
>> filter(f_kern);
>> destination(df_kern);
>> };
>>
>> # lpr.* -/var/log/lpr.log
>> log {
>> source(s_all);
>> filter(f_lpr);
>> destination(df_lpr);
>> };
>>
>> # mail.* -/var/log/mail.log
>> log {
>> source(s_all);
>> filter(f_mail);
>> destination(df_mail);
>> };
>>
>> # user.* -/var/log/user.log
>> log {
>> source(s_all);
>> filter(f_user);
>> destination(df_user);
>> };
>>
>> # uucp.* /var/log/uucp.log
>> log {
>> source(s_all);
>> filter(f_uucp);
>> destination(df_uucp);
>> };
>>
>> # mail.info <http://mail.info>
>> -/var/log/mail.info <http://mail.info>
>> log {
>> source(s_all);
>> filter(f_mail);
>> filter(f_at_least_info);
>> destination(df_facility_dot_info);
>> };
>>
>> # mail.warn -/var/log/mail.warn
>> log {
>> source(s_all);
>> filter(f_mail);
>> filter(f_at_least_warn);
>> destination(df_facility_dot_warn);
>> };
>>
>> # mail.err /var/log/mail.err
>> log {
>> source(s_all);
>> filter(f_mail);
>> filter(f_at_least_err);
>> destination(df_facility_dot_err);
>> };
>>
>> # news.crit /var/log/news/news.crit
>> log {
>> source(s_all);
>> filter(f_news);
>> filter(f_at_least_crit);
>> destination(df_news_dot_crit);
>> };
>>
>> # news.err /var/log/news/news.err
>> log {
>> source(s_all);
>> filter(f_news);
>> filter(f_at_least_err);
>> destination(df_news_dot_err);
>> };
>>
>> # news.notice /var/log/news/news.notice
>> log {
>> source(s_all);
>> filter(f_news);
>> filter(f_at_least_notice);
>> destination(df_news_dot_notice);
>> };
>>
>>
>> # *.=debug;\
>> # auth,authpriv.none;\
>> # news.none;mail.none -/var/log/debug
>> log {
>> source(s_all);
>> filter(f_debug);
>> destination(df_debug);
>> };
>>
>>
>> # *.=info;*.=notice;*.=warn;\
>> # auth,authpriv.none;\
>> # cron,daemon.none;\
>> # mail,news.none -/var/log/messages
>> log {
>> source(s_all);
>> filter(f_messages);
>> destination(d_eventdb);
>> };
>>
>> # *.emerg *
>> log {
>> source(s_all);
>> filter(f_emerg);
>> destination(du_all);
>> };
>>
>>
>> # daemon.*;mail.*;\
>> # news.crit;news.err;news.notice;\
>> # *.=debug;*.=info;\
>> # *.=notice;*.=warn |/dev/xconsole
>> log {
>> source(s_all);
>> filter(f_xconsole);
>> destination(dp_xconsole);
>> };
>> #syslog-ng2mysql destinations
>>
>> source src_eventdb {
>> unix-stream("/dev/log");
>> udp(ip(0.0.0.0) port(514));
>> };
>>
>> destination d_eventdb {
>> pipe(
>> "/usr/local/icinga/var/rw/syslog-ng.pipe",
>>
>> template("$HOST\t$SOURCEIP\t$PRI\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n")
>> template_escape(no)
>> );
>> };
>>
>> filter f_at_least_warn {
>> # level(warn..emerg);
>> level(notice..emerg);
>> };
>>
>> log {
>> # source(src_eventdb);
>> filter(f_at_least_warn);
>> # filter(f_syslog);
>> destination(d_eventdb);
>> };
>>
>> #log {
>> # source(src_eventdb);
>> # filter(f_auth);
>> # destination(d_eventdb);
>> #};
>>
>>
>>
>> HERE FOR THE BSD/CLIENT SIDE: same here is the default with
>> openbsd syslog-ng install
>> with my additions at the end.
>>
>> cat /etc/syslog-ng.conf
>> #
>> # Syslog-ng example configuration for for Debian GNU/Linux
>> #
>> # Copyright (c) 1999 anonymous
>> # Copyright (c) 1999 Balazs Scheidler
>> # $Id: syslog-ng.conf.sample,v 1.3 2003/05/20 08:57:27 asd Exp $
>> #
>> # Syslog-ng configuration file, compatible with default Debian
>> syslogd
>> # installation.
>> #
>>
>> options { long_hostnames(off); sync(0); keep_hostname(yes);
>> use_dns(yes); stats (3600); };
>>
>> #source src { unix-stream("/dev/log"); internal(); };
>> source src { unix-dgram("/dev/log"); internal(); };
>> source net { udp(); };
>>
>> destination authlog { file("/var/log/auth.log"); };
>> destination syslog { file("/var/log/syslog"); };
>> destination cron { file("/var/log/cron.log"); };
>> destination daemon { file("/var/log/daemon.log"); };
>> destination kern { file("/var/log/kern.log"); };
>> destination lpr { file("/var/log/lpr.log"); };
>> destination user { file("/var/log/user.log"); };
>> destination uucp { file("/var/log/uucp.log"); };
>> destination ppp { file("/var/log/ppp.log"); };
>> destination mail { file("/var/log/mail.log"); };
>>
>> destination mailinfo { file("/var/log/mail.info
>> <http://mail.info>"); };
>> destination mailwarn { file("/var/log/mail.warn"); };
>> destination mailerr { file("/var/log/mail.err"); };
>>
>> destination newscrit { file("/var/log/news/news.crit"); };
>> destination newserr { file("/var/log/news/news.err"); };
>> destination newsnotice { file("/var/log/news/news.notice"); };
>>
>> destination debug { file("/var/log/debug"); };
>> destination messages { file("/var/log/messages"); };
>> destination console { usertty("root"); };
>> destination console_all { file("/dev/tty12"); };
>> #destination loghost { udp("loghost" port(999)); };
>>
>>
>> destination xconsole { pipe("/dev/xconsole"); };
>>
>>
>> #ssh filter
>> filter f_sshderr { match('^sshd\[[0-9]+\]: error:'); };
>> filter f_sshd { match('^sshd\[[0-9]+\]:'); };
>> #
>> filter f_auth { facility(auth); };
>> filter f_authpriv { facility(auth, authpriv); };
>> filter f_syslog { not facility(authpriv, mail); };
>> filter f_cron { facility(cron); };
>> filter f_daemon { facility(daemon); };
>> filter f_kern { facility(kern); };
>> filter f_lpr { facility(lpr); };
>> filter f_mail { facility(mail); };
>> filter f_user { facility(user); };
>> filter f_uucp { facility(cron); };
>> filter f_ppp { facility(local2); };
>> filter f_news { facility(news); };
>> filter f_debug { not facility(auth, authpriv, news, mail); };
>> filter f_messages { level(info..warn)
>> and not facility(auth, authpriv, mail, news); };
>> filter f_emergency { level(emerg); };
>>
>> filter f_info { level(info); };
>> filter f_notice { level(notice); };
>> filter f_warn { level(warn); };
>> filter f_crit { level(crit); };
>> filter f_err { level(err); };
>>
>> log { source(src); filter(f_authpriv); destination(authlog); };
>> log { source(src); filter(f_syslog); destination(syslog); };
>> log { source(src); filter(f_cron); destination(cron); };
>> log { source(src); filter(f_daemon); destination(daemon); };
>> log { source(src); filter(f_kern); destination(kern); };
>> log { source(src); filter(f_lpr); destination(lpr); };
>> log { source(src); filter(f_mail); destination(mail); };
>> log { source(src); filter(f_user); destination(user); };
>> log { source(src); filter(f_uucp); destination(uucp); };
>> log { source(src); filter(f_mail); filter(f_info);
>> destination(mailinfo); };
>> log { source(src); filter(f_mail); filter(f_warn);
>> destination(mailwarn); };
>> log { source(src); filter(f_mail); filter(f_err);
>> destination(mailerr); };
>> log { source(src); filter(f_news); filter(f_crit);
>> destination(newscrit); };
>> log { source(src); filter(f_news); filter(f_err);
>> destination(newserr); };
>> log { source(src); filter(f_news); filter(f_notice);
>> destination(newsnotice); };
>> log { source(src); filter(f_debug); destination(debug); };
>> log { source(src); filter(f_messages); destination(messages); };
>> log { source(src); filter(f_emergency); destination(console); };
>> log { source(src); filter(f_ppp); destination(ppp); };
>> log { source(src); destination(console_all); };
>>
>> #sent to our central log server running eventdb
>> destination loghost { udp("192.168.xxx.xxx" port(514)); };
>> log { source(src); filter(f_info); destination(loghost); };
>> log { source(src); filter(f_syslog); destination(loghost); };
>> log { source(src); filter(f_authpriv); destination(loghost); };
>> log { source(src); filter(f_user); destination(loghost); };
>> log { source(src); filter(f_emergency); destination(loghost); };
>> log { source(src); filter(f_sshd); destination(loghost); };
>> log { source(src); filter(f_sshderr); destination(loghost); };
>> log { source(src); filter(f_kern); destination(loghost); };
>>
>>
>> ______________________________________________________________________________
>> Member info:https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ:http://www.balabit.com/wiki/syslog-ng-faq
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20110919/d37a2a85/attachment-0001.htm
More information about the syslog-ng
mailing list