[syslog-ng] [Bug 218] To include local*.* facility.level in the source of syslog-ng

bugzilla at bugzilla.balabit.com
Sun Feb 3 06:49:56 CET 2013


https://bugzilla.balabit.com/show_bug.cgi?id=218





--- Comment #4 from Balazs Scheidler <bazsi at balabit.hu>  2013-02-03 06:49:55 ---
(In reply to comment #3)
> Sorry if I omitted the entire syslog-ng.conf in my earlier mail; the log statement is there.
> The issue is syslog-ng is not capturing the local6.info facility messages. So even if I give the filter it is of no use.
>
> This is my syslog-ng conf
> 
> source s_local { system(); sun-streams("/dev/log" door("/etc/.syslog_door")); };
> destination d_messages { file("/var/adm/messages"); };
> log { source(s_local); destination(d_messages); };
> 
> Same issue in another system where the WebSphere logs are written using local0.info, syslog-ng is not able to capture that.
> 
> I was of the view that system() in the source line should capture all the messages including local6, but it is not so.
> Is there any other keyword to be included in the source section that can capture local*.* as well?
>

Your impression is correct, everything including local* should be 
included, assuming the applications are indeed using the 
local /dev/log interface (e.g. the syslog API) to submit messages.

It may happen that they use some kind of network transport 
instead and send messages to localhost, port 514.

To validate either, you can use tcpdump to check for
network packets, or truss on the application as they 
submit new messages.

In any case you shouldn't need the sun-streams() part 
in your source as system() should be expanded to exactly that.

To confirm that, you should run syslog-ng with the --preprocess-into=/tmp/foo.conf
argument and check what the preprocessed config looks like 
(there system() is already expanded).

hth
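
An added example, not part of the original message or of syslog-ng itself: once datagram payloads have been captured on port 514 as the reply suggests, this Python script decodes each `<PRI>` header into facility.level and counts the local* ones, which shows whether the missing local6.info or local0.info messages are travelling over the network instead of /dev/log. The function names and the sample payloads are constructed for illustration; the names used for facilities 12 to 15 vary by platform.

```python
import re

# Facility and severity names in numeric order (RFC 3164 / RFC 5424).
FACILITIES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
    "ntp security console solaris-cron "  # 12-15: naming varies by platform
    "local0 local1 local2 local3 local4 local5 local6 local7"
).split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(payload: bytes):
    """Return 'facility.level' for a syslog datagram payload, or None when
    there is no valid <PRI> header (PRI = facility * 8 + severity)."""
    m = PRI_RE.match(payload)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest defined value
        return None
    facility, severity = divmod(pri, 8)
    return f"{FACILITIES[facility]}.{SEVERITIES[severity]}"


def local_facility_hits(payloads):
    """Count datagrams per local*.level selector; other payloads are skipped."""
    hits = {}
    for payload in payloads:
        selector = decode_pri(payload)
        if selector and selector.startswith("local"):
            hits[selector] = hits.get(selector, 0) + 1
    return hits


# Constructed sample payloads (not taken from the bug report), in the form
# they would appear in a capture of UDP port 514 traffic.
SAMPLE = [
    b"<182>Feb  3 06:40:01 host1 app[411]: request served",  # local6.info
    b"<134>Feb  3 06:40:02 host1 was[977]: server started",  # local0.info
    b"<13>Feb  3 06:40:03 host1 root: manual test",          # user.notice
    b"<999>out-of-range priority",                            # invalid PRI
    b"no pri header at all",                                  # not syslog
    b"<182>Feb  3 06:40:05 host1 app[411]: request served",  # local6.info
]

if __name__ == "__main__":
    for selector, count in sorted(local_facility_hits(SAMPLE).items()):
        print(f"{selector}: {count} datagram(s) seen on the network path")
```
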

