[syslog-ng] Problem sending logs to central log server..

Patrick H. syslogng at feystorm.net
Tue Sep 20 00:11:29 CEST 2011


(Resending, msg was too big for mailing list)

No, you don't have to have a similar filter in each. Just saying the
message would have gotten to the server, then been filtered. But with
that new setting, it should be working. The line should end up in
/usr/local/icinga/var/rw/syslog-ng.pipe. With all the changes, maybe you 
could repost the configs again, but as it is, I'm out of ideas (as far 
as it being syslog-ng, could still be firewall, network, or whatever it 
is that reads that pipe).

-Patrick


Sent: Mon Sep 19 2011 16:03:31 GMT-0600 (MST)
From: rek2 <rek2gnulinux at gmail.com>
To: Patrick H. <syslogng at feystorm.net> syslog-ng at lists.balabit.hu
Subject: Re: [syslog-ng] Problem sending logs to central log server..
> I have this on my server that included "notice"
>
>
> filter f_at_least_warn {
> #    level(warn..emerg);
> #     level(notice..emerg);
>      level(info, notice, warn, crit, err, debug);
> };
>
>
> and this on my client:
>
> #sent to our central log server running eventdb #cfernandez
> destination loghost { udp("192.168.xxx.xxx" port(514)); };
> log { source(src); filter(f_info); destination(loghost); };
> log { source(src); filter(f_emergency); destination(loghost); };
> log { source(src); filter(f_notice); destination(loghost); };
> log { source(src); filter(f_warn); destination(loghost); };
> log { source(src); filter(f_crit); destination(loghost); };
> log { source(src); filter(f_err); destination(loghost); };
>
> that also includes notice..
>
>
> 2011/9/19 rek2 <rek2gnulinux at gmail.com>
>
>     Oh sorry, I'm used to lists that will reply by default to the list.
>     Sorry about that..
>     I think I get what you mean..
>     So in the clients and in the server log I have to have similar
>     filters?
>
>     Thanks
>
>
>     2011/9/19 Patrick H. <syslogng at feystorm.net>
>
>         Seriously, don't remove the mailing list from the recipients.
>         Others may catch things I miss, or I might be gone for a
>         while, but someone else is around.
>
>         That filter you have only logs warning through emerg, while by
>         default logger uses notice, which is below warning.
>
>
>         -Patrick
>
>
>
>         Sent: Mon Sep 19 2011 15:26:05 GMT-0600 (MST)
>
>         From: rek2 <rek2gnulinux at gmail.com>
>         To: Patrick H. <syslogng at feystorm.net>
>         Subject: Re: [syslog-ng] Problem sending logs to central log
>         server..
>>         Oops! I forgot to uncomment that as well, sorry.. So basically
>>         do I have everything else ok?
>>         The thing is also that after I migrated to syslog-ng in the
>>         BSD, things are not logging to their place
>>         in /var/log either. I'm getting most of the stuff in
>>         /var/log/syslog even though, as you can see in my other emails,
>>         the default config already defines the destinations for auth
>>         etc...
>>
>>         2011/9/19 Patrick H. <syslogng at feystorm.net>
>>
>>             Don't forget to leave the mailing list on the list of
>>             recips :-)
>>
>>             Anyway, it's still commented out in your log {} block. If
>>             the log block has no source, it won't log anything.
>>
>>             log {
>>             #    source(src_eventdb);
>>                 filter(f_at_least_warn);
>>             #     filter(f_syslog);
>>                 destination(d_eventdb);
>>             };
>>
>>
>>             -Patrick
>>
>>
>>
>>             Sent: Mon Sep 19 2011 14:43:08 GMT-0600 (MST)
>>
>>             From: rek2 <rek2gnulinux at gmail.com>
>>             To: Patrick H. <syslogng at feystorm.net>
>>             Subject: Re: [syslog-ng] Problem sending logs to central
>>             log server..
>>>             Hi Patrick, thanks for your reply. Yes, you're right, sorry, I
>>>             did the copy and paste before I uncommented some lines
>>>             since I'm testing here and there..
>>>
>>>             this is how I have it now.. the last part:
>>>
>>>              #syslog-ng2mysql destinations
>>>
>>>             source src_eventdb {
>>>                 unix-stream("/dev/log");
>>>                 udp(ip(0.0.0.0) port(514));
>>>             };
>>>
>>>             destination d_eventdb {
>>>                 pipe(
>>>                     "/usr/local/icinga/var/rw/syslog-ng.pipe",
>>>                     template("$HOST\t$SOURCEIP\t$PRI\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n")
>>>                     template_escape(no)
>>>                 );
>>>             };
>>>
>>>             filter f_at_least_warn {
>>>             #    level(warn..emerg);
>>>             #     level(notice..emerg);
>>>                  level(info, notice, warn, crit, err, debug);
>>>             };
>>>
>>>             log {
>>>             #    source(src_eventdb);
>>>                 filter(f_at_least_warn);
>>>             #     filter(f_syslog);
>>>                 destination(d_eventdb);
>>>             };
>>>
>>>             #log {
>>>             #        source(src_eventdb);
>>>             #        filter(f_auth);
>>>             #        destination(d_eventdb);
>>>             #};
>>>
>>>
>>>             2011/9/19 Patrick H. <syslogng at feystorm.net>
>>>
>>>                 In your server config, the only listener you have on
>>>                 udp port 514 is defined in src_eventdb, and all
>>>                 src_eventdb entries are commented out.
>>>
>>>                 -Patrick
>>>
>>>
>>>                 Sent: Mon Sep 19 2011 11:40:15 GMT-0600 (MST)
>>>                 From: rek2 <rek2gnulinux at gmail.com>
>>>                 To: syslog-ng at lists.balabit.hu
>>>                 Subject: [syslog-ng] Problem sending logs to central
>>>                 log server..
>>>>                 Hello, I'm trying to send all my logs from one
>>>>                 OpenBSD server with syslog-ng to a Linux Ubuntu
>>>>                 central log server, also with syslog-ng of course,
>>>>                 but only the syslog-ng logs are being logged..
>>>>                 Also when I do a "logger test" for example it gets
>>>>                 logged locally but not remotely to the log server...
>>>>                 Here are my configs:
>>>>
>>>>                 For the log server it is basically the default of
>>>>                 Ubuntu with my additions at the end.. You will see
>>>>                 some commented; that is me trying to fix this issue.
>>>>                 <SNIP>
>>>
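
The fixes discussed in this thread, collected into one fragment as an added example (not a config posted by either participant): the UDP listener and the log path that references it are both active, the server filter's lower bound is `notice`, and the client forwards through a single unfiltered log path. The filter name `f_at_least_notice` is made up for this example and the client's `src` source is assumed to be defined in its default config; the other names, the pipe path, the template and the masked address are the ones quoted above.

```conf
# ---- Server side (added example) ----

# The only UDP/514 listener. It is not used unless a log {} statement
# references this source.
source src_eventdb {
    unix-stream("/dev/log");
    udp(ip(0.0.0.0) port(514));
};

# Severity order, lowest to highest:
#   debug < info < notice < warning < err < crit < alert < emerg
# level(warn..emerg) drops notice, the level "logger test" uses by default.
# The list form level(info, notice, warn, crit, err, debug) from the thread
# passes notice too, but leaves out alert and emerg.
filter f_at_least_notice {
    level(notice..emerg);
};

destination d_eventdb {
    pipe(
        "/usr/local/icinga/var/rw/syslog-ng.pipe"
        template("$HOST\t$SOURCEIP\t$PRI\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n")
        template_escape(no)
    );
};

# source() must not be commented out: a log path with no source logs nothing.
log {
    source(src_eventdb);
    filter(f_at_least_notice);
    destination(d_eventdb);
};

# ---- Client side (added example) ----

# Address is masked in the thread; substitute the log server's IP.
destination loghost { udp("192.168.xxx.xxx" port(514)); };

# The client does not need filters matching the server's. One unfiltered
# path forwards everything and leaves the filtering to the server.
log { source(src); destination(loghost); };
```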