Jan Schaumann | 1 Jun 2009 04:20

intentionally dropping messages

Hello,

I'm trying to drop a certain set of messages.  Following
http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch07s08.html
I notice that if I do *not* include a 'destination' in the 'log'
statement, then a very large number of messages that should *not* be
dropped are in fact dropped.  As soon as I add a 'destination' to the
log statement, it filters the correct messages.

That is:

destination d_dev_null {
        file("/dev/null" perm(0666) );
};

filter demo_debugfilter { level(debug..notice) and facility(local0); };
log { source(s_udp); filter(demo_debugfilter); flags(final); };

Appears to falsely drop a number of messages that were of local1.info.
As soon as I change the 'log' directive to be:

log { source(s_udp); filter(demo_debugfilter); destination(d_dev_null); flags(final); };

it correctly filters only local0.{debug,info,notice}.

This happens on a host with a large number of messages per second, but
not on a host that receives very little traffic.

I can't make much sense of this and was hoping somebody on this list
could...

Reaky Rok | 1 Jun 2009 10:14

rotate logs in recursive directories

Hi friends
I have a problem with syslog-ng on my server. I set it up successfully on RHEL5 and it is working without any problems; I made it a central log server for all servers in my company. The problem is that I organized it for each server by date and facility, like $HOST/$YEAR.$MONTH.$DAY/$FACILITY.log, which makes a lot of recursive directories for each server. Now I'm facing a problem rotating it, as I don't know how to make logrotate rotate all these files in the recursive directories. Could you help me please?
This is my /etc/logrotate.d/syslog-ng

/var/log/syslog-ng {

   daily
   rotate 30
   compress
   missingok
   notifempty
   create 0600 root root
}

Thanks & Best Regards
Bassam Muhammad

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
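One way to handle retention for the $HOST/$YEAR.$MONTH.$DAY/$FACILITY.log layout above, as an added example rather than anything from the thread: because each day gets a fresh directory, nothing needs renaming, so a small script can compress closed days and delete those past the retention window instead of logrotate. The base path, the 30-day window, the gzip step and the mode-preserving copy are assumptions.

```python
import gzip
import shutil
from datetime import date
from pathlib import Path

def parse_day(name):
    """Parse a $YEAR.$MONTH.$DAY directory name; None if it is not one."""
    try:
        y, m, d = name.split(".")
        return date(int(y), int(m), int(d))
    except ValueError:
        return None

def classify(day, today, keep_days=30):
    """'keep' for today's directory (syslog-ng is still writing into it),
    'compress' for closed days inside the window, 'remove' beyond it."""
    age = (today - day).days
    if age <= 0:
        return "keep"
    return "compress" if age <= keep_days else "remove"

def rotate(base, today=None, keep_days=30, dry_run=False):
    """Walk base/$HOST/$YEAR.$MONTH.$DAY/ and apply classify() to each day.
    Returns {directory: action} so the outcome can be inspected or tested."""
    today = today or date.today()
    actions = {}
    for host in sorted(Path(base).iterdir()):
        if not host.is_dir():
            continue
        for daydir in sorted(host.iterdir()):
            day = parse_day(daydir.name)
            if day is None or not daydir.is_dir():
                continue
            action = classify(day, today, keep_days)
            actions[str(daydir)] = action
            if dry_run or action == "keep":
                continue
            if action == "remove":
                shutil.rmtree(daydir)
                continue
            for log in list(daydir.glob("*.log")):  # compress each $FACILITY.log
                gz = log.parent / (log.name + ".gz")
                with open(log, "rb") as src, gzip.open(gz, "wb") as dst:
                    shutil.copyfileobj(src, dst)
                shutil.copymode(log, gz)  # keep the 0600 mode of the original
                log.unlink()
    return actions
```

Run it from cron once a day with `rotate("/var/log/syslog-ng", dry_run=True)` first to review the planned actions before letting it delete anything.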

Joe Wood | 1 Jun 2009 10:28

Help on trying to build syslog-ng 3.0.2 on RHEL AS 4

Hello.

I'm having troubles getting syslog-ng to compile on RHEL AS 4, with
all appropriate libs installed.

The configure script errors out with:

checking pkg-config is at least version 0.14... yes
checking for GLIB - version >= 2.10.1... no
*** Could not run GLIB test program, checking why...
*** The test program failed to compile or link. See the file config.log for the
*** exact error that occured. This usually means GLIB is incorrectly installed.
configure: error: Cannot find GLIB version >= 2.10.1: is pkg-config in path?

When I examine config.log, I see the following:

configure:8496: gcc -o conftest -g -O2 -Wall    conftest.c   >&5
conftest.c:42:18: glib.h: No such file or directory
conftest.c: In function `main':
conftest.c:48: error: `glib_major_version' undeclared (first use in
this function)
conftest.c:48: error: (Each undeclared identifier is reported only once
conftest.c:48: error: for each function it appears in.)
conftest.c:48: error: `glib_minor_version' undeclared (first use in
this function)
conftest.c:48: error: `glib_micro_version' undeclared (first use in
this function)
configure:8502: $? = 1
configure: failed program was:

However, glib.h and all appropriate glib headers are installed in
/usr/local/include, which configure doesn't seem to pick up on even when
I specify it (through --includedir)....

Anyone encountered this before?

Joe

Jan Schaumann | 1 Jun 2009 20:52

Re: intentionally dropping messages

Jan Schaumann <jschauma <at> netmeister.org> wrote:

> I'm trying to drop a certain set of messages.  Following
> http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch07s08.html
> I notice that if I do *not* include a 'destination' in the 'log'
> statement, then a very large number of messages that should *not* be
> dropped are in fact dropped.  As soon as I add a 'destination' to the
> log statement, it filters the correct messages.

I opened a bug for this:
https://bugzilla.balabit.com/show_bug.cgi?id=49

-Jan

Ralf Heidenreich | 2 Jun 2009 08:40

Re: iptables logging in a separate logfile works not properly

Hello,

if I use the final flag, postfix logs to /var/log/messages, not to
/var/log/maillog.
What am I doing wrong?

regards ralf
Here is my config:
options {
         sync (0);
         time_reopen (10);
         log_fifo_size (1000);
         long_hostnames (off);
         use_dns (no);
         use_fqdn (no);
         create_dirs (no);
         keep_hostname (yes);
};

source s_sys {
         file ("/proc/kmsg" log_prefix("kernel: "));
         unix-stream ("/dev/log");
         internal();
         # udp(ip(0.0.0.0) port(514));
};
destination iptables { file("/var/log/firewall.log"); };
filter iptables { match("INPUT:"); };
log { source(s_sys); filter(iptables); destination(iptables); flags(final); };
#log { source(s_sys); filter(iptables); destination(iptables); };
filter noiptables { not match("INPUT:"); };
log { source(s_sys); filter(noiptables); destination(d_kern); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/messages"); };
destination d_mlal { usertty("*"); };
# direct iptables logs into /var/log/firewall.log

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                         not (facility(mail)
                         or facility(authpriv)
                         or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                         (facility(news)
                         and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

Ralf Heidenreich schrieb:
> Hello,
> 
> can you give me an example, how to use the final flag?
> thanks in advance.
> 
> regards
> Ralf
> 
> Szalay Attila schrieb:
>> Hi,
>>
>> On Fri, 2009-05-29 at 14:15 +0200, Ralf Heidenreich wrote:
>>> Hello,
>>>
>>> I have the following line in iptables:
>>> iptables -A INPUT -j LOG --log-prefix "INPUT: "
>>> In syslog-ng (/etc/syslog-ng/syslog-ng.conf) I have the following config:
>> [...]
>>> filter iptables { match("INPUT:"); };
>>> log { source(s_sys); filter(iptables); destination(iptables); };
>> [...]
>>> filter f_default    { level(info..emerg) and
>>>                          not (facility(mail)
>>>                          or facility(authpriv)
>>>                          or facility(cron)); };
>> [...]
>>> log { source(s_sys); filter(f_default); destination(d_mesg); };
>> syslog-ng does not stop the evaluation when a destination is found. And
>> because of this, and because the second log statement also matches the
>> line, syslog-ng stores it in messages too.
>>
>> If you want to order syslog-ng to stop, you can use the final
>> directive.
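
Ralf's config above and Jan's drop rule earlier on this page both turn on how syslog-ng walks its log statements in configuration order and what flags(final) stops. The following is an added Python model of that documented behaviour (not syslog-ng code and not from the list): filters, paths and messages are constructed, and /var/log/all.log in the second path set is an assumed catch-all. It shows why a final path with no destination drops the messages it matches, and why the 'noiptables' path in Ralf's config sends postfix to /var/log/messages (d_kern) before f_mail ever runs.

```python
# Model of syslog-ng log path evaluation (constructed for illustration).
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def level(lo, hi):
    """Filter for level(lo..hi): inclusive severity range."""
    i, j = LEVELS.index(lo), LEVELS.index(hi)
    return lambda m: i <= LEVELS.index(m["level"]) <= j

def facility(*names):
    return lambda m: m["facility"] in names

def match(sub):  # match("INPUT:") against the message text
    return lambda m: sub in m["msg"]

def not_(f):
    return lambda m: not f(m)

def and_(a, b):
    return lambda m: a(m) and b(m)

def route(paths, msg):
    """Return the destinations a message reaches. Each path is (filter,
    destinations, final). Paths run in config order; a matching path with
    final=True ends evaluation even if it lists no destination, so the
    message is simply dropped."""
    hit = []
    for flt, dests, final in paths:
        if flt(msg):
            hit.extend(dests)
            if final:
                break
    return hit

# Ralf's ordering: the final iptables path works, but the 'noiptables' path
# ships everything else to /var/log/messages (d_kern) before f_mail runs.
RALF = [
    (match("INPUT:"), ["/var/log/firewall.log"], True),
    (not_(match("INPUT:")), ["/var/log/messages"], False),
    (and_(level("info", "emerg"), not_(facility("mail"))), ["/var/log/messages"], False),
    (facility("mail"), ["/var/log/maillog"], False),
]
# Same paths without the catch-all: f_default already excludes mail.
FIXED = RALF[:1] + RALF[2:]

# Jan's drop rule: a final path with no destination, then an assumed
# catch-all path (file name constructed, not from the thread).
JAN = [
    (and_(level("debug", "notice"), facility("local0")), [], True),
    (level("debug", "emerg"), ["/var/log/all.log"], False),
]
```

Note that this models the intended semantics only; the high-volume behaviour Jan reports is the subject of his bug report and is not reproduced here.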

dreamywoman | 2 Jun 2009 09:17

plz help

Hi All
Last week I installed php-syslog-ng-2.5.1 and it worked; I could see all logs in my web interface. But after a week I decided to change the version of php-syslog-ng to php-syslog-ng-2.9.8j.tgz, and after the web installation I decided to change back to the previous version (php-syslog-ng-2.5.1). After that I have problems: I can get logs in other files like /var/log/catchall, but I can't get anything in my php-syslog-ng web interface.
Using tcpdump I can see the logs arriving, but I can't see anything in my web interface.
What should I do?
source s_remote {
unix-stream("/dev/log"); internal(); udp();
};

destination d_mysql { pipe("/tmp/mysql.pipe " template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) VALUES ('$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n") template-escape(yes)); };

log { source(s_remote); destination(d_mysql); };

What is my problem in the installation?



Jakub Jankowski | 2 Jun 2009 12:42

Re: db-parser issues

On 2009-06-02, Robert Fekete wrote:

> I think the problem is that you define a pattern in your xml for the program 
> as well:
>>  <program name='logger'>
>>   <pattern>param</pattern>
> The <pattern> tag overrides the <program name>, so instead of logger, 
> syslog-ng thinks this rule applies to messages that have "param" in their 
> PROGRAM field.

In addition to what you've quoted above, I also tried:

1. <program name='logger'>
     <pattern>logger</pattern>

2. <program name='somethingirrelevant'>
     <pattern>logger</pattern>

and even without <pattern>:

3. <program name='logger'>

All of these give me the same result - no match. Any other suggestions?

Cheers,
  Jakub.

-- 
Jakub Jankowski|shasta <at> toxcorp.com|http://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D

Shashank Vinchurkar | 3 Jun 2009 00:27

Re: Stripping the original hostname /ip from the syslog message

Any ideas on this? Is there any way I can use the filters to solve this problem?

 

-Thanks

 

From: syslog-ng-bounces <at> lists.balabit.hu [mailto:syslog-ng-bounces <at> lists.balabit.hu] On Behalf Of Shashank Vinchurkar
Sent: Friday, May 29, 2009 2:54 PM
To: syslog-ng <at> lists.balabit.hu
Subject: [syslog-ng] Stripping the original hostname /ip from the syslogmessage

 

Hi,

 

We have a setup where multiple syslog-ng servers send logs to a central syslog-ng server. Finally this central syslog-ng server sends the consolidated logs to an outside server. The outside server can be any server accepting standard syslog messages. The first group of servers are running in the internal network and don't have any hostname associated with them. Also the ip address is internal and does not make sense to the outside world. My requirement is that the outside server should only see the ip address of the syslog-ng server which consolidates the messages from these syslog-ng servers. But I always see the ip address of the syslog-ng server which originated the message. Is there any way to get rid of this? I tried playing with the keep_hostname, long_hostname, chain_hostname and bad_hostname options but I still see the ip address of the originating server.

 

Thanks in advance for the help.

-Shashank


Robert Fekete | 3 Jun 2009 10:21

Re: Stripping the original hostname /ip from the syslog message

Hi,
I am sure that there are other ways to do it, but if you are using syslog-ng 
3.0, you can use a rewrite rule to change the HOST field of the messages.
See the second example at 
http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s07.html
to create a rewrite rule, then use it in the logpath where your central server 
forwards the messages.

Regards,

Robert Fekete

Shashank Vinchurkar wrote:

> Any ideas on this? Is there any way I can use the filters to solve this
> problem?
> 
>  
> 
> -Thanks
> 


Balazs Scheidler | 3 Jun 2009 10:44

Roadmap for syslog-ng OSE 4.0

Dear syslog-ng users,

The roadmap for syslog-ng OSE has been updated and published at:

http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/roadmap/

The same page also describes important release policy changes, thus it
is recommended reading for all syslog-ng users. A related blog post can
be found here:

http://bazsi.blogs.balabit.com/2009/05/syslog-ng-40-roadmap-plus-release.html

-- 
Bazsi
