Valdis.Kletnieks | 1 Oct 2005 07:03

Re: syslog-ng 1.6.8 and dns cache issue

On Fri, 30 Sep 2005 15:33:27 EDT, Ketan Vankawala said:
> I have currently installed Syslog-ng ver 1.6.8. Here is a snippet of my
> syslog-ng config file. So accordingly, when a syslog message comes in,
> depending on the IP address, it does a lookup in /etc/hosts, creates an
> appropriate hostname folder and forwards the message there. If the
> hostname does not exist, it creates a folder named with the IP address.

Updating /etc/hosts *should* provide fast response.  I'm wondering if your
/etc/nsswitch.conf specifies 'hosts: NIS files dns', and the NIS query functions
are being too clever about caching.
_______________________________________________
syslog-ng maillist  -  syslog-ng <at> lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

Balazs Scheidler | 1 Oct 2005 23:40

Re: Ver 1.9.5 problems with facility/level filtering

Thanks. Applied a fix.

On Fri, 2005-09-30 at 16:26 -0400, Peter Nahas wrote:
> I too have experienced this problem and decided to investigate the 
> source code.  Unless I'm missing something, it appears that 1.9.5 simply 
> does not set the correct variable internally, regardless of 
> configuration.  The following patch solved the problem for me:

-- 
Bazsi


Ketan Vankawala | 2 Oct 2005 01:27

Re: syslog-ng 1.6.8 and dns cache issue

I appreciate your response. Here is a snippet from /etc/nsswitch.conf.

As I said in my previous email, as soon as I make the change in the
/etc/hosts file and then do a tcpdump, it shows me that the /etc/hosts
change has taken place. I see the IPs getting translated into the new,
corrected hostname, but for some reason syslog-ng keeps logging under
the old hostname. Sometimes I have to wait for almost an hour until it
recognizes the hostname change. If I restart the syslog-ng daemon, it
immediately recognizes the hostname change, but restarting the service
is not always a practical solution.

Any help will be highly appreciated.

Ketan

passwd:     files
shadow:     files
group:      files

#hosts:     db files nisplus nis dns
*hosts:      files dns*

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files    

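The symptom Ketan describes (a fresh /etc/hosts entry ignored for roughly an hour, while a daemon restart picks it up at once) is exactly what a lookup cache with a fixed expiry produces. The Python model below is an added example, not code from the thread or from syslog-ng itself. The 3600 second expiry is an assumption taken from the default of the dns_cache_expire() option of syslog-ng 1.6's own DNS cache, which the thread does not mention; the hosts entries, the address and the timeline are constructed.

```python
# Added example: a positive-answer reverse-lookup cache with fixed expiry,
# replaying the thread's timeline (edit /etc/hosts, keep logging, restart).
import time


class HostsTable:
    """Stand-in for /etc/hosts: IP -> hostname, editable while the daemon runs."""

    def __init__(self, entries):
        self.entries = dict(entries)

    def lookup(self, ip):
        # A logger that cannot resolve an address falls back to the address itself.
        return self.entries.get(ip, ip)


class ReverseLookupCache:
    """Caches successful reverse lookups for `expire` seconds.

    `clock` is injectable so the example can advance time deterministically;
    3600 s is the assumed dns_cache_expire() default of syslog-ng 1.6."""

    def __init__(self, resolver, expire=3600, clock=time.monotonic):
        self.resolver = resolver
        self.expire = expire
        self.clock = clock
        self._entries = {}  # ip -> (hostname, time resolved)

    def hostname_for(self, ip):
        now = self.clock()
        hit = self._entries.get(ip)
        if hit is not None and now - hit[1] < self.expire:
            return hit[0]  # served from cache: edits to the file are invisible here
        name = self.resolver.lookup(ip)
        self._entries[ip] = (name, now)
        return name

    def flush(self):
        """What a daemon restart does to an in-memory cache."""
        self._entries.clear()


def demo(expire=3600):
    """Returns the hostnames the logger would record at each step of the timeline."""
    now = [0.0]
    hosts = HostsTable({"192.0.2.7": "old-name"})  # constructed /etc/hosts entry
    cache = ReverseLookupCache(hosts, expire=expire, clock=lambda: now[0])
    recorded = []
    recorded.append(cache.hostname_for("192.0.2.7"))  # first message: resolved, cached
    hosts.entries["192.0.2.7"] = "new-name"  # the /etc/hosts edit
    now[0] = 600
    recorded.append(cache.hostname_for("192.0.2.7"))  # ten minutes later: still stale
    now[0] = expire + 1
    recorded.append(cache.hostname_for("192.0.2.7"))  # entry expired: fresh lookup
    hosts.entries["192.0.2.7"] = "renamed-again"
    cache.flush()  # restart the daemon
    recorded.append(cache.hostname_for("192.0.2.7"))  # picked up immediately
    return recorded


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `['old-name', 'old-name', 'new-name', 'renamed-again']` with the default expiry; with `demo(expire=60)` the second lookup already sees the new name. The diagnostic value is the contrast: when every other tool on the box sees the new name but syslog-ng does not, the stale answer lives in the daemon's own cache rather than in the libc resolver, and no further /etc/hosts edit can take effect before the cached entry expires.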

Jason Haar | 2 Oct 2005 23:41

Re: How does regex work with HOST definitions?

catenate wrote:

>
>     Has anyone any idea about this? It looks to me that regex don't
>     work on
>     the "host()" options at all. I have mine set to a regex, and it's
>     capturing all sorts of traffic from other syslog clients that don't
>     match :-(
>
>
> Remove the backslashes before the hyphens - you'd only need to do that
> inside a character class, e.g. [a-z\-] to match any of a through z and
> hyphen. Outside a character class it means itself (or if it's the
> first character in a character class and not escaped, like this [-a-z]).

Didn't help I'm afraid. I've got

host ("-ids-")

and it's still picking up data from boxes that don't contain "-ids-" in
their hostname.

One thing I didn't mention is that all the incorrect hosts being picked
up have their syslogs "routed" through another syslog-ng server running
on a host that does match "-ids-", could that be a cause?

i.e.

hostname.my.network -- syslog-ng ---> host-ids-01.my.network --
syslog-ng --> my.central.syslog.server

fico gid | 3 Oct 2005 02:31

Re: syslog-ng not logging

Hi Catenate/All,

My syslog-ng is from the FreeBSD port, version syslog-ng-1.6.6.
Right now the logs are not separated by their hostname - year - month
- day. Instead they are going into one, which is the localhost logs,
/var/log/host/localhost/year/month/date/local7 (local7 is
from the routers).

I wonder why it's not creating the remote hosts directory.

Hope it's clear now.

regards
fico

On 9/30/05, catenate <infosec <at> gmail.com> wrote:
> Forwarding to the list, wish gmail used the reply-to header. :(
>
>
> ---------- Forwarded message ----------
> From: catenate < infosec <at> gmail.com>
> Date: Sep 29, 2005 7:54 PM
> Subject: Re: [syslog-ng] syslog-ng not logging
> To: fico gid <ficohertz <at> gmail.com>
>
>  On 9/29/05, fico gid <ficohertz <at> gmail.com> wrote:
>
> > Hi Again,
> >
> > Below is the whole syslog-ng.conf file . Yes, it is not separating as

Valdis.Kletnieks | 3 Oct 2005 05:14

Re: How does regex work with HOST definitions?

On Mon, 03 Oct 2005 10:41:22 +1300, Jason Haar said:

> One thing I didn't mention is that all the incorrect hosts being picked
> up have their syslogs "routed" through another syslog-ng server running
> on a host that does match "-ids-", could that be a cause?

This is the exact reason that 'options { keep_hostname(yes); }' exists.

Nate Campi | 3 Oct 2005 05:17

Re: How does regex work with HOST definitions?

On Mon, Oct 03, 2005 at 10:41:22AM +1300, Jason Haar wrote:
> catenate wrote:
> 
> >
> >     Has anyone any idea about this? It looks to me that regex don't
> >     work on
> >     the "host()" options at all. I have mine set to a regex, and it's
> >     capturing all sorts of traffic from other syslog clients that don't
> >     match :-(
> >
> >
> > Remove the backslashes before the hyphens - you'd only need to do that
> > inside a character class, e.g. [a-z\-] to match any of a through z and
> > hyphen. Outside a character class it means itself (or if it's the
> > first character in a character class and not escaped, like this [-a-z]).
> 
> Didn't help I'm afraid. I've got

But it was still an incorrect regexp.

> host ("-ids-")
> 
> and it's still picking up data from boxes that don't contain "-ids-" in
> their hostname.
> 
> One thing I didn't mention is that all the incorrect hosts being picked
> up have their syslogs "routed" through another syslog-ng server running
> on a host that does match "-ids-", could that be a cause?

So what do the log entries look like, do you have chained hostnames or

Nate Campi | 3 Oct 2005 05:18

Re: syslog-ng not logging

On Mon, Oct 03, 2005 at 08:31:55AM +0800, fico gid wrote:
> Hi Catenate/All,
> 
> My syslog-ng is from the FreeBSD port, version syslog-ng-1.6.6.
> Right now the logs are not separated by their hostname - year - month
> - day. Instead they are going into one, which is the localhost logs,
> /var/log/host/localhost/year/month/date/local7 (local7 is
> from the routers).
> 
> I wonder why it's not creating the remote hosts directory.

Please paste in a couple log entries that are logged incorrectly.

Thanks.
-- 
Nate

"Don't let school interfere with your education." - Samuel Clemens


fico gid | 3 Oct 2005 08:16

Re: syslog-ng not logging

Hi Cate,

Below are the logs from 3 different routers, but in one local7 file.

%tail -f local7
Oct  3 13:58:34 syslog/syslog 177: Oct  3 14:01:03: %SYS-5-CONFIG_I:
Configured from console by sr_sr on vty0 (157.174.9.4)
Oct  3 14:01:49 syslog/syslog 178: Oct  3 14:04:18: %SYS-5-CONFIG_I:
Configured from console by sr_sr on vty0 (157.174.9.8)
Oct  3 14:07:29 syslog/syslog 11: Oct  3 14:09:50: %SYS-5-CONFIG_I:
Configured from console by sr_sr on vty0 (157.174.9.12)

%pwd
/var/log/hosts/syslog/2005/10/03  ; syslog is the hostname of the syslog server.

regards
fico

On 10/3/05, Nate Campi <nate <at> campin.net> wrote:
> On Mon, Oct 03, 2005 at 08:31:55AM +0800, fico gid wrote:
> > Hi Catenate/All,
> >
> > My syslog-ng is from the FreeBSD port, version syslog-ng-1.6.6.
> > Right now the logs are not separated by their hostname - year - month
> > - day. Instead they are going into one, which is the localhost logs,
> > /var/log/host/localhost/year/month/date/local7 (local7 is
> > from the routers).
> >
> > I wonder why it's not creating the remote hosts directory.
>

Roberto Nibali | 3 Oct 2005 08:44

Re: bugreport for 1.9.5 on solaris

Nate Campi wrote:
> I built 1.9.5 and eventlog-0.2.3+20050116+1856 on Solaris 8. It wouldn't
> start with command line arguments like "--pidfile=/foo/syslog-ng.pid", I
> had to change it to "-p /foo/syslog-ng.pid". The usage message it spits
> out claims that the --long syntax is supported.

Funny, what's the exact error message, if there is any? And do other
long options work? The needed code (unless I'm interpreting it in a
wrong way) is there. It could only be that popt is not linked into your
binary.

Just my 2 cents ...

Have a nice day,
Roberto Nibali, ratz
-- 
-------------------------------------------------------------
addr://Kasinostrasse 30, CH-5001 Aarau tel://++41 62 823 9355
http://www.terreactive.com             fax://++41 62 823 9356
-------------------------------------------------------------
terreActive AG                       Wir sichern Ihren Erfolg
-------------------------------------------------------------

