[syslog-ng] Stats on destinations with macro's ?

Scot Needy scotrn at gmail.com
Tue Feb 18 20:50:17 CET 2014


Ok I must have something wrong with my conf then. 

options { long_hostnames (off);
        flush_lines (0);
        use_dns(no);
        dns_cache(no);
        use_fqdn(no);
#       dns_cache_size(2014);
        check_hostname(no);
        chain_hostnames(no);
        keep_hostname(no);
};

######
# sources
source src {
        unix-dgram("/var/run/log");
        unix-dgram("/var/run/logpriv" perm(0600));
        internal();
        file("/dev/klog");
};
### Local sources
source s_local {
        internal();
        unix-stream("/dev/log" max-connections(20));
        file("/proc/kmsg" program_override("kernel")); };
### External Network sources
source s_net { udp(); tcp(max-connections(50)); };
# Relay external sources
log { source(s_net);
          destination (d_mysql); destination (d_fifo); destination (d_file);
};

#######################################################################
destination d_file { file("/data/syslog-ng/$R_YEAR/$R_MONTH/$R_DAY/$R_HOUR/$HOST.log"
                        owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
…. 


# /opt/syslog-ng/sbin/syslog-ng-ctl stats 

SourceName;SourceId;SourceInstance;State;Type;Number
global;payload_reallocs;;a;processed;1441
source;s_net;;a;processed;44079304
source;s_local;;a;processed;1035
global;msg_clones;;a;processed;0
destination;d_mysql;;a;processed;44079304
src.internal;s_local#0;;a;processed;737
src.internal;s_local#0;;a;stamp;1392752561
global;sdata_updates;;a;processed;0
center;;received;a;processed;0
destination;d_fifo;;a;processed;44079304
destination;d_file;;a;processed;44080339
center;;queued;a;processed;0

On Feb 18, 2014, at 1:33 PM, Evan Rempel <erempel at uvic.ca> wrote:

> That certainly is not the way it works on 3.4
> 
> I have a file destinations that contain date stamps etc and when I run the
> 
> sudo syslog-ng-ctl stats
> 
> I get each destination as a separate statistic.
> 
> dst.file;d_authorized_unknown#0;/var/syslog/unknown/Windows_Server_Update_Services.unknown.20140218.000000;o;dropped;0
> dst.file;d_authorized_unknown#0;/var/syslog/unknown/Windows_Server_Update_Services.unknown.20140218.000000;o;processed;5
> dst.file;d_authorized_unknown#0;/var/syslog/unknown/Windows_Server_Update_Services.unknown.20140218.000000;o;stored;0
> dst.file;d_authorized_unknown#0;/var/syslog/unknown/flare-event.unknown.20140218.000000;o;dropped;0
> dst.file;d_authorized_unknown#0;/var/syslog/unknown/flare-event.unknown.20140218.000000;o;processed;200
> dst.file;d_authorized_unknown#0;/var/syslog/unknown/flare-event.unknown.20140218.000000;o;stored;0
> ...
> dst.file;d_authorized_unknown#0;/var/syslog/unknown/runaway.unknown.20140217.000000;o;dropped;0
> dst.file;d_authorized_unknown#0;/var/syslog/unknown/runaway.unknown.20140217.000000;o;processed;156
> dst.file;d_authorized_unknown#0;/var/syslog/unknown/runaway.unknown.20140217.000000;o;stored;0
> ...
> 
> 
> so that should be what you are looking for.
> 
> the "o" in the last three lines indicates that the destination is old (closed due to idle timeout)
> 
> 
> 
> On 02/18/2014 04:33 AM, Scot wrote:
>> 
>> I realized my problem, if a destination contains a macro it’s still defined as one destination.
>> 
>> Looking for direction here….
>> 
>> My intention is to get syslog-ng-ctl to report stats on each VLAN in our environment while logging to a destination such as /var/log//$YYYY/$MM/$DD/$VLAN-Name-$SEVERITY.log . VLANs in our environment are defined in an IPAM database with a name and subnet.
>> 
>> I can drive an include file for syslog-ng.conf with a script, I just need guidance on the format of the config file.
>> 
>> I would like to define a unique destination per subnet+severity so syslog-ng-ctl will give me counters if a subnet starts sending large numbers of critical messages for example.
>> 
>> I also feel I need a catch all for any message that does not match a defined destination. These would be malformed messages from hosts which would need to be corrected so they get to the proper destination.
>> 
>> I think the subnet destinations would be driven by matching subnet filters something like so…. but how would one create a filter that defines everything NOT matched by another filter?
>> 
>> if VLAN...
>> or VLAN…
>> or VLAN…
>> else everything_else..
>> 
>> 
>> NOTE: Syntax may be off, this is just from memory.
>> 
>> destination VLAN_NAME_HIGH_des { file("/var/log/$YYYY/$MM/$DD/$VLAN_NAME.log"); };
>> filter VLAN_NAME_HIGH_des { netmask("192.168.1.0/255.255.255.0") and level(warn..emerg); };
>> 
>> destination VLAN_NAME_LOW_des { file("/var/log/$YYYY/$MM/$DD/$VLAN_NAME.info"); };
>> filter VLAN_NAME_LOW_des { netmask("192.168.1.0/255.255.255.0") and level(info..notice); };
>> 
>> Sent from my iPad
>> 
>>> On Feb 14, 2014, at 8:40 AM, Jakub Jankowski <shasta at toxcorp.com> wrote:
>>> 
>>>> On 14.02.2014 02:55, Scot wrote:
>>>> Is there a trick to get stats on destinations with macros ?
>>>> 
>>>> I get stats on my FIFO, local, network destinations but not on the destinations with macros.
>>> 
>>> What do you mean by 'destinations with macros'? Does local file()
>>> destination (with macros) count? Then it works for me (on 3.5.3):
>>> 
>>> # syslog-ng-ctl stats | grep d_net_test
>>> destination;d_net_test;;a;processed;888891
>>> # grep 'destination d_net_test' /etc/syslog-ng/syslog-ng.conf
>>> destination d_net_test { file("/var/log/$HOST/$R_YEAR-$R_MONTH.log"); };
>>> #
>>> 
>>> 
>>> Regards,
>>> 
>>> --
>>> Jakub Jankowski|shasta at toxcorp.com|http://toxcorp.com/
>>> GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>> 
>> 
> 
> 
> -- 
> Evan Rempel                                      erempel at uvic.ca
> Senior Systems Administrator                        250.721.7691
> Data Centre Services, University Systems, University of Victoria
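
An added example (not written by the thread participants or the syslog-ng project): a generator for the include file described in the quoted question, with one named destination per VLAN and severity band, so each shows up as its own "destination;<name>;;a;processed" counter in syslog-ng-ctl stats, and a catch-all built by negating the union of the subnet filters. The VLAN inventory, the f_/d_ names and the /var/log/vlan root are assumptions.

```python
import ipaddress
import re

# Constructed sample inventory (hypothetical names/subnets) standing in for
# an export from the IPAM database mentioned in the thread.
VLANS = {"office": "192.168.1.0/24", "dmz": "10.20.0.0/16"}
# Severity bands; the thread's draft used info..notice for the low band, it is
# widened to debug here so a known subnet never lands in the catch-all.
BANDS = {"high": "warning..emerg", "low": "debug..notice"}
BASE = "/var/log/vlan"  # assumed log root

def dest(ident):
    """One named destination, so syslog-ng-ctl stats gets one counter for it."""
    return (f'destination d_{ident} {{ file("{BASE}/$R_YEAR/$R_MONTH/$R_DAY/'
            f'{ident}.log" create_dirs(yes) perm(0600) dir_perm(0700)); }};')

def render(vlans, source="s_net"):
    """Return include-file text: per-VLAN+band log paths plus a catch-all."""
    if not vlans:
        raise ValueError("no VLANs given; the catch-all filter would be empty")
    out, masks = [], []
    for name, cidr in sorted(vlans.items()):
        # Names end up in identifiers and file paths: allow a safe subset only.
        if not re.fullmatch(r"[A-Za-z0-9_]+", name):
            raise ValueError(f"unsafe VLAN name: {name!r}")
        net = ipaddress.IPv4Network(cidr)  # ValueError on a malformed subnet
        masks.append(f"{net.network_address}/{net.netmask}")
        for band, levels in BANDS.items():
            ident = f"{name}_{band}"
            out += [
                f'filter f_{ident} {{ netmask("{masks[-1]}") and level({levels}); }};',
                dest(ident),
                f"log {{ source({source}); filter(f_{ident}); "
                f"destination(d_{ident}); }};",
            ]
    # "Everything not matched by another filter": negate the union of subnets.
    known = " or ".join(f'netmask("{m}")' for m in masks)
    out += [
        f"filter f_known_vlan {{ {known}; }};",
        "filter f_unmatched { not filter(f_known_vlan); };",
        dest("unmatched"),
        f"log {{ source({source}); filter(f_unmatched); destination(d_unmatched); }};",
    ]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render(VLANS), end="")
```

Check the generated file with syslog-ng --syntax-only before reloading the daemon.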


