[syslog-ng] Issue regarding the configurations of syslog-ng application on Centos
Tomáš Novosad
tomas.novosad at linuxbox.cz
Fri May 9 06:32:25 CEST 2014
Hello,
I just had a brief look at the config.
In the first case, I guess there is a typo in the destination definition name.
It starts like this:
destination db_mysql{sql(type(mysq....
the name is "db_mysql"
but later in the config you refer to the destination:
destination(d_mysql);
where the name is "d_mysql" - so these two names are different.
In the second case, the pipe destination is IMHO used to send messages to
the STDIN of some program, or something similar.
I guess it will not work for sending messages to the MySQL socket.
So I think the second approach is completely wrong.
The first is the correct way to achieve this (I'm using DB storage as well, it works pretty fine).
I guess the misspelled destination name is the only problem
in the first case.
Hope this helps.
Have a nice day
--
Tomáš Novosad
LinuxBox.cz, s.r.o.
www.linuxbox.cz
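As an added example (not part of this thread and not syslog-ng's own code), the Python script below performs the kind of check syslog-ng does at startup: it reads a configuration, collects every named source/destination/filter definition and every reference to one from a `log { ... };` path, and reports references that have no definition, together with the closest defined name. Run over a reduced copy of the first configuration quoted below (constructed from it, with the password replaced by a placeholder), it reports `destination d_mysql` with `db_mysql` as the closest match, and also `source s_sys`, because that source block is commented out while the first log path still references it. Assumptions: plain top-level log paths without junction/channel nesting, `#` line comments, and the names `check_config`, `strip_comments`, `SAMPLE_CONFIG` and `FIXED_CONFIG`, which are the example's own.

```python
"""Find unresolved object references in a syslog-ng configuration.

syslog-ng refuses to start when a log path names a source, destination
or filter that is never defined ("unresolved destination reference").
This script collects definitions and references and reports mismatches.
Assumption: simple top-level `log { ... };` paths and '#' line comments.
"""
import re
from collections import defaultdict
from difflib import get_close_matches

OBJECT_KINDS = ("source", "destination", "filter", "parser", "rewrite")
KINDS = "|".join(OBJECT_KINDS)
# Definition:  `destination db_mysql {`   (kind, identifier, opening brace)
DEF_RE = re.compile(r"\b(%s)\s+([A-Za-z_][\w-]*)\s*\{" % KINDS)
# Reference inside a log path:  `destination(d_mysql)`
REF_RE = re.compile(r"\b(%s)\s*\(\s*([A-Za-z_][\w-]*)\s*\)" % KINDS)
# A whole top-level log path:  `log { ... };`
LOG_RE = re.compile(r"\blog\s*\{(.*?)\}\s*;", re.S)


def strip_comments(text):
    """Drop '#' comments to end of line, but keep '#' inside quoted strings."""
    out, quote, i = [], None, 0
    while i < len(text):
        ch = text[i]
        if quote:                       # inside a "..." or '...' string
            out.append(ch)
            if ch == "\\" and i + 1 < len(text):
                out.append(text[i + 1])  # keep the escaped character verbatim
                i += 1
            elif ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
            out.append(ch)
        elif ch == "#":                 # comment: skip to the newline
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def check_config(text):
    """Return [(kind, name, closest_defined_name_or_None)] for bad references."""
    code = strip_comments(text)
    defined = defaultdict(set)
    for kind, name in DEF_RE.findall(code):
        defined[kind].add(name)
    problems = []
    for body in LOG_RE.findall(code):
        for kind, name in REF_RE.findall(body):
            if name in defined[kind]:
                continue
            close = get_close_matches(name, sorted(defined[kind]), n=1, cutoff=0.6)
            problems.append((kind, name, close[0] if close else None))
    return problems


# Constructed sample: a reduced copy of the first configuration from the
# thread, with the password replaced by a placeholder.
SAMPLE_CONFIG = r'''
@version:3.2
options { use_dns(no); keep_hostname(yes); };

#source s_sys {
#    unix-stream("/dev/log");
#    internal();
#};

source network { syslog(ip(0.0.0.0) port(514) transport(udp)); };

destination db_mysql { sql(type(mysql) host("localhost") username("cacti") password("EXAMPLE-PASSWORD")
    database("syslog") table("syslog_incoming")
    columns("host", "facility", "priority", "date", "time", "message")
    values("$HOST", "$FACILITY", "$PRIORITY", "$YEAR-$MONTH-$DAY", "$HOUR:$MIN:$SEC", "$MSG")
    indexes("host", "facility", "priority", "date", "time", "message")
); };

destination d_mesg { file("/var/log/messages"); };
filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv)); };

log { source(s_sys); source(network); destination(d_mysql); };
'''

# The same config with the reference corrected and the dead source reference dropped.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("source(s_sys); ", "")
                .replace("destination(d_mysql)", "destination(db_mysql)"))

if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        problems = check_config(cfg)
        print("%s: %d unresolved reference(s)" % (label, len(problems)))
        for kind, name, hint in problems:
            print("  unresolved %s reference %r%s"
                  % (kind, name, " (did you mean %r?)" % hint if hint else ""))
```

This complements rather than replaces `syslog-ng --syntax-only`, which remains the authoritative check. A name-level check also says nothing about a destination that resolves but is the wrong tool, such as the pipe() destination in the second attempt: its template output is a line of text written to a FIFO, not a statement executed by MySQL, which is why that config starts cleanly and the table stays empty.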
On 9. 5. 03:00, Christian Hangi wrote:
> Hello Guys,
>
> I am new to the syslog-ng application and also to Linux, and I need your help regarding the functionality of syslog-ng on Linux. I am building a syslog-ng server capable of receiving syslog messages from syslog-ng clients. In doing so, I would like those syslog messages to be received and stored inside the syslog MySQL database of the server, in the syslog_incoming table, so that I can view those messages. I am using CentOS 6.5 (a Red Hat distribution), and the syslog-ng application running on that PC acts as a syslog-ng server. This is my first attempt to allow the syslog messages to be stored in the database:
> @version:3.2
>
> # syslog-ng configuration file.
> #
> # This should behave pretty much like the original syslog on RedHat. But
> # it could be configured a lot smarter.
> #
> # See syslog-ng(8) and syslog-ng.conf(5) for more information.
> #
>
> options {
> flush_lines (0);
> time_reopen (10);
> log_fifo_size (1000);
> long_hostnames (off);
> use_dns (no);
> use_fqdn (no);
> create_dirs (no);
> keep_hostname (yes);
> };
>
>
> #source s_sys {
> #file ("/proc/kmsg" program_override("kernel: "));
> # unix-stream ("/dev/log");
> # internal();
> # udp(ip(0.0.0.0) port(514));
> #};
>
> #A change was made here!
> source network { syslog(ip(0.0.0.0) port(514) transport(udp));};
>
> destination db_mysql{sql(type(mysql) host("localhost") username("cacti") password("P at ssw0rd") database("syslog")
> table("syslog_incoming")
> columns("host", "facility", "priority", "date", "time", "message")
> values("$HOST","$FACILITY","$PRIORITY","$YEAR-$MONTH-$DAY","$HOUR:$MIN:$SEC","$MSG")
> indexes("host", "facility", "priority", "date", "time", "message")
> );};
>
> destination d_cons { file("/dev/console"); };
> destination d_mesg { file("/var/log/messages"); };
> destination d_auth { file("/var/log/secure"); };
> destination d_mail { file("/var/log/maillog" flush_lines(10)); };
> destination d_spol { file("/var/log/spooler"); };
> destination d_boot { file("/var/log/boot.log"); };
> destination d_cron { file("/var/log/cron"); };
> destination d_kern { file("/var/log/kern"); };
> destination d_mlal { usertty("*"); };
>
> filter f_kernel { facility(kern); };
> filter f_default { level(info..emerg) and
> not (facility(mail)
> or facility(authpriv)
> or facility(cron)); };
> filter f_auth { facility(authpriv); };
> filter f_mail { facility(mail); };
> filter f_emergency { level(emerg); };
> filter f_news { facility(uucp) or
> (facility(news)
> and level(crit..emerg)); };
> filter f_boot { facility(local7); };
> filter f_cron { facility(cron); };
>
> #A change was made here!
>
> log { source(s_sys);source(network); destination(d_mysql);};
> #log { source(network); destination(d_mysql);};
>
>
> #log { source(s_sys); filter(f_kernel); destination(d_cons); };
> #log { source(s_sys); filter(f_kernel); destination(d_kern); };
> #log { source(s_sys); filter(f_default); destination(d_mesg); };
> #log { source(s_sys); filter(f_auth); destination(d_auth); };
> #log { source(s_sys); filter(f_mail); destination(d_mail); };
> #log { source(s_sys); filter(f_emergency); destination(d_mlal); };
> #log { source(s_sys); filter(f_news); destination(d_spol); };
> #log { source(s_sys); filter(f_boot); destination(d_boot); };
> #log { source(s_sys); filter(f_cron); destination(d_cron); };
>
> # vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
>
> destination d_cons { file("/dev/console"); };
> destination d_mesg { file("/var/log/messages"); };
> destination d_auth { file("/var/log/secure"); };
> destination d_mail { file("/var/log/maillog" flush_lines(10)); };
> destination d_spol { file("/var/log/spooler"); };
> destination d_boot { file("/var/log/boot.log"); };
> destination d_cron { file("/var/log/cron"); };
> destination d_kern { file("/var/log/kern"); };
> destination d_mlal { usertty("*"); };
>
> filter f_kernel { facility(kern); };
> filter f_default { level(info..emerg) and
> not (facility(mail)
> or facility(authpriv)
> or facility(cron)); };
> filter f_auth { facility(authpriv); };
> filter f_mail { facility(mail); };
> filter f_emergency { level(emerg); };
> filter f_news { facility(uucp) or
> (facility(news)
> and level(crit..emerg)); };
> filter f_boot { facility(local7); };
> filter f_cron { facility(cron); };
>
> #A change was made here!
>
> log { source(network); destination(d_mysql);};
>
>
>
> #log { source(s_sys); filter(f_kernel); destination(d_cons); };
> #log { source(s_sys); filter(f_kernel); destination(d_kern); };
> #log { source(s_sys); filter(f_default); destination(d_mesg); };
> #log { source(s_sys); filter(f_auth); destination(d_auth); };
> #log { source(s_sys); filter(f_mail); destination(d_mail); };
> #log { source(s_sys); filter(f_emergency); destination(d_mlal); };
> #log { source(s_sys); filter(f_news); destination(d_spol); };
> #log { source(s_sys); filter(f_boot); destination(d_boot); };
> #log { source(s_sys); filter(f_cron); destination(d_cron); };
>
> # vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
>
>
> And this is the message I got when I tried to restart the application:
> Stopping syslog-ng: [FAILED]
> Starting syslog-ng: Error in configuration, unresolved destination reference; destination='d_mysql'
> [FAILED]
> Then I tried to use a named pipe to accept and send those messages to the syslog_incoming table of the syslog MySQL database through a template:
>
> @version:3.2
>
> # syslog-ng configuration file.
> #
> # This should behave pretty much like the original syslog on RedHat. But
> # it could be configured a lot smarter.
> #
> # See syslog-ng(8) and syslog-ng.conf(5) for more information.
> #
>
> options {
> flush_lines (0);
> time_reopen (10);
> log_fifo_size (1000);
> long_hostnames (off);
> use_dns (no);
> use_fqdn (no);
> create_dirs (no);
> keep_hostname (yes);
> };
>
>
> #source s_sys {
> # file ("/proc/kmsg" program_override("kernel: "));
> # unix-stream ("/dev/log");
> # internal();
> # udp(ip(0.0.0.0) port(514));
> #};
> destination d_mysql{ pipe("/var/log/mysql.pipe"
> template("INSERT INTO syslog_incoming(host, facility, priority, date, time, message)
> VALUES('$HOST', '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$MSG');\n")
> template-escape(yes));
> };
> destination d_cons { file("/dev/console"); };
> destination d_mesg { file("/var/log/messages"); };
> destination d_auth { file("/var/log/secure"); };
> destination d_mail { file("/var/log/maillog" flush_lines(10)); };
> destination d_spol { file("/var/log/spooler"); };
> destination d_boot { file("/var/log/boot.log"); };
> destination d_cron { file("/var/log/cron"); };
> destination d_kern { file("/var/log/kern"); };
> destination d_mlal { usertty("*"); };
>
> filter f_kernel { facility(kern); };
> filter f_default { level(info..emerg) and
> not (facility(mail)
> or facility(authpriv)
> or facility(cron)); };
> filter f_auth { facility(authpriv); };
> filter f_mail { facility(mail); };
> filter f_emergency { level(emerg); };
> filter f_news { facility(uucp) or
> (facility(news)
> and level(crit..emerg)); };
> filter f_boot { facility(local7); };
> filter f_cron { facility(cron); };
>
> #A change was made here!
>
> log { source(network); destination(d_mysql);};
> #log { source(network); destination(d_mysql);};
>
>
> #log { source(s_sys); filter(f_kernel); destination(d_cons); };
> #log { source(s_sys); filter(f_kernel); destination(d_kern); };
> #log { source(s_sys); filter(f_default); destination(d_mesg); };
> #log { source(s_sys); filter(f_auth); destination(d_auth); };
> #log { source(s_sys); filter(f_mail); destination(d_mail); };
> #log { source(s_sys); filter(f_emergency); destination(d_mlal); };
> #log { source(s_sys); filter(f_news); destination(d_spol); };
> #log { source(s_sys); filter(f_boot); destination(d_boot); };
> #log { source(s_sys); filter(f_cron); destination(d_cron); };
>
> # vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
> And I got this message, assuming that the syslog-ng server is working:
> Stopping syslog-ng: [ OK ]
> Starting syslog-ng: [ OK ]
>
> But when I checked to the table of the database it was empty.
>
> So, I would like to know: did I miss something on the first attempt to allow the syslog server to work perfectly, or should I just not uncomment the source system (s_sys) to accept the syslog messages from the syslog clients? On the 2nd attempt, what needs to be done to actually see those messages?
>
> Please I need some advice on those two attempts.
>
> Kind regards,
> Chris Hangi