Sandor Geller | 2 Nov 11:41 2010

Re: Statistics -- how do I turn them off?

I'm filtering statistical messages based on the internal source and
the following regexp:

filter f_internal_statistics {
    match("^syslog-ng\[[[:digit:]]+\]: STATS")
    or match("^syslog-ng\[[[:digit:]]+\]: Log statistics");
};

(for 3.x only the latter match is needed)

600 seconds is the default setting, the timer gets activated only when
stats_freq > 0 so stats_freq(0) should turn off the generation of
statistical messages completely. Are the logs generated on the same
host or are you processing remote logs as well?

On Sat, Oct 30, 2010 at 10:17 PM, Liam Kirsher <liamk <at> numenet.com> wrote:
> My log file is filling up with statistics messages from syslog-ng (v.
> 3.1.2) , one message every 10 minutes.
> I tried turning it off by putting stats_freq(0) in the options clause,
> and restarted the syslog-ng daemon but that seems to have no effect.
> There must be something obvious I'm missing.
>
> --
> Liam Kirsher
> PGP: http://liam.numenet.com/pgp/
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html

sasanka.sahu | 2 Nov 11:54 2010

Re: Statistics -- how do I turn them off?

Hi 

Can anybody tell me: I am using Solaris OS v10 and would like to install
the php-syslog-ng GUI tools. Where should I get them, and could you provide
me with some documentation for them?

Sasanka  

-----Original Message-----
From: syslog-ng-bounces <at> lists.balabit.hu
[mailto:syslog-ng-bounces <at> lists.balabit.hu] On Behalf Of Sandor Geller
Sent: Tuesday, November 02, 2010 4:12 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Statistics -- how do I turn them off?


Fekete Robert | 2 Nov 13:15 2010

syslog-ng OSE 3.2 Administrator Guide - beta

Hi,
I have released a beta version of the new administrator guide. I have updated it 
to cover (hopefully) every important change and feature in 3.2beta, but it still 
needs a review. So if something isn't working as written, is missing, or 
contains errors, please let me know.

You can find a summary of new sections here:
http://robert.blogs.balabit.com/2010/11/syslog-ng-open-source-edition-3-2-administrator-guide-draft/

Regards,

Robert

sasanka.sahu | 2 Nov 13:15 2010

Re: Statistics -- how do I turn them off?

Hi Anis,

Thanks for giving me the info.

Actually I want to deploy on the Solaris 10 OS.

This is the release version:

bash-3.00# cat /etc/release

                      Solaris 10 10/09 s10s_u8wos_08a SPARC
           Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                           Assembled 16 September 2009 

I am not able to find the "syslog-ng" package for the Solaris OS.

Regards,

Sasanka 

-----Original Message-----
From: Anisur Rehman(IT) [mailto:Rehman <at> bankmuscat.com] 
Sent: Tuesday, November 02, 2010 4:39 PM
To: Sasanka Sekhar Sahu (WI01 - Enterprise Services)
Subject: RE: [syslog-ng] Statistics -- how do I turn them off?

Dear sasanka

I will recommend to use RHEL 5 .5 with MYSQL database with frontend

Peter Czanik | 2 Nov 17:07 2010

Re: login.pdb reworked

On 10/30/2010 12:05 AM, Matthew Hall wrote:
> On Fri, Oct 29, 2010 at 09:46:29PM +0200, Peter Czanik wrote:
>> On 10/29/2010 04:32 PM, Martin Holste wrote:
>>> Won't the user login pattern only catch root logins because of uid=0?
>>>
>>> <pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>
>>>
>>> Couldn't it be changed to
>>>
>>> <pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>
>> No, check my log samples I used to create the patterns. User "czanik"
>> has uid=1000, still all the logs end with (uid=0):
>>
>> Oct  7 09:28:17 ubuntu login[4454]: pam_unix(login:session): session
>> opened for user czanik by (uid=0)
> The reason for this is because the (uid=0) is indicating the uid of the
> user who opened the session. Meaning that the login was created by
> something running as the root user uid 0. So in reality the pattern
> should capture this other variable somewhere, for people who have
> daemons which are non-root.
OK. For now I leave it as is, and I'm very interested to see, if it
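The point Matthew makes above, that "(uid=0)" names the process that opened the session rather than the user logging in, is easy to get wrong when writing a pattern. The following is an added example (not code from the thread or from the syslog-ng pattern database) that parses pam_unix session lines in Python and keeps both identities separately, so sessions opened by a non-root process are not silently missed. The regexp, the sample lines other than the one quoted from Peter's mail, and the "user(uid=N)" form that some pam_unix versions log are assumptions labelled in the code.

```python
import re

# Added example, not from the thread. pam_unix "session opened" lines carry
# two identities: the user the session is for, and, after "by", the uid of
# the process that opened it. The "(uid=0)" in the thread's login samples is
# therefore the opener (login running as root), not the user logging in.
PAM_SESSION_RE = re.compile(
    r"pam_unix\((?P<service>[^:()]+):session\): "
    r"session (?P<action>opened|closed) for user (?P<user>[^\s(]+)"
    r"(?:\(uid=(?P<user_uid>\d+)\))?"              # newer pam logs "user(uid=N)"
    r"(?: by (?P<by_user>[^\s(]*)\(uid=(?P<by_uid>\d+)\))?"  # "by (uid=0)" or "by name(uid=N)"
)


def parse_pam_session(line):
    """Return the session fields of one syslog line as a dict, or None."""
    m = PAM_SESSION_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("user_uid", "by_uid"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    if rec["by_user"] == "":
        rec["by_user"] = None  # "by (uid=0)" names no user, only a uid
    return rec


def sessions_opened_by_non_root(lines):
    """Opened sessions whose opener is not uid 0, i.e. exactly the lines a
    pattern hard-wired to 'uid=0' would never match."""
    found = []
    for line in lines:
        rec = parse_pam_session(line)
        if rec and rec["action"] == "opened" and rec["by_uid"] not in (None, 0):
            found.append((rec["service"], rec["user"], rec["by_uid"]))
    return found


# First line is Peter Czanik's sample from the thread; the rest are constructed.
SAMPLE = [
    "Oct  7 09:28:17 ubuntu login[4454]: pam_unix(login:session): session opened for user czanik by (uid=0)",
    "Oct  7 09:30:02 ubuntu sshd[4500]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Oct  7 09:31:00 ubuntu sudo[4600]: pam_unix(sudo:session): session opened for user root by czanik(uid=1000)",
    "Oct  7 09:35:00 ubuntu sudo[4650]: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1001)",
    "Oct  7 09:40:00 ubuntu cron[4700]: pam_unix(cron:session): session closed for user czanik",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_pam_session(line))
    print("opened by non-root:", sessions_opened_by_non_root(SAMPLE))
```

The two `sudo` lines are the case to watch for: the session is for root, but the actor is the uid after "by", and that is the value worth keeping in a separate field (the `usracct.uid` capture Martin suggested) for any later correlation.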

bugzilla | 2 Nov 23:51 2010

[Bug 96] New: pdbtool misleading error message

https://bugzilla.balabit.com/show_bug.cgi?id=96

           Summary: pdbtool misleading error message
           Product: syslog-ng
           Version: 3.2.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi <at> balabit.hu
        ReportedBy: czanik <at> balabit.hu
Type of the Report: ---
   Estimated Hours: 0.0

When trying to test a non-existent file with pdbtool it gives misleading error messages and even calls an
external application before failing.

czanik <at> linux-6y8u:~/patterndb> pdbtool test --validate uw-imapd.ceee
uw-imapd.ceee: Unable to detect patterndb version, please write the <patterndb> tag on a single line
warning: failed to load external entity "/usr/share/syslog-ng/xsd/patterndb-0.xsd"
Schemas parser error : Failed to locate the main schema resource at '/usr/share/syslog-ng/xsd/patterndb-0.xsd'.
WXS schema /usr/share/syslog-ng/xsd/patterndb-0.xsd failed to compile
warning: failed to load external entity "uw-imapd.ceee"
uw-imapd.ceee: xmllint returned an error, the executed command was:
xmllint --noout --nonet --schema /usr/share/syslog-ng/xsd/patterndb-0.xsd uw-imapd.ceeeError
opening classifier configuration file; filename='uw-imapd.ceee',
error='No such file or directory (2)'


Liam Kirsher | 3 Nov 06:10 2010

Re: Statistics -- how do I turn them off?

Sandor,

Thanks for your response.

The logs are generated on the same host.  (Originally there were separate hosts logging to this host, but we consolidated them onto the single server.)

Hmm.  Just noticed that there seem to be two processes running!
On further inspection one of them was reading the /etc/syslog-ng/syslog-ng.conf file and the other must have been reading the one in
/opt/syslog-ng/etc/syslog-ng.conf

I put
SYSLOGNG_OPTIONS="$SYSLOGNG_OPTIONS --cfgfile /etc/syslog-ng/syslog-ng.conf"

in /etc/default/syslog-ng and it seems to be working now. 

Well, actually, every 20 minutes I'm now getting messages saying
Nov  2 21:21:01 domU-12-31-39-07-3D-F1 -- MARK --

And am able to turn it off with mark_freq(0).

Okay, everything's good.

Thanks.

Liam



--
Liam Kirsher
PGP: http://liam.numenet.com/pgp/
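Sandor's filter above and the "-- MARK --" lines Liam ran into afterwards are two different kinds of self-generated noise, and it helps to see what each regexp does and does not catch before relying on it. The following is an added example (not code from the thread) that applies Sandor's two regexps, rewritten in Python syntax, to constructed sample lines in the "$PROGRAM[$PID]: $MSG" form the anchored patterns are written against, and separates the mark_freq() message from the stats_freq() ones. The sample lines and the prefix-stripping regexp are assumptions.

```python
import re

# Added example, not from the thread. The two statistics regexps are Sandor
# Geller's, translated to Python syntax (POSIX [[:digit:]] becomes \d).
# "STATS" is the 2.x wording of the internal statistics message, "Log
# statistics" the 3.x wording; "-- MARK --" is the separate message that
# mark_freq() produces and that stats_freq(0) does not touch.
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ ")
STATS_RES = (
    re.compile(r"^syslog-ng\[\d+\]: STATS"),
    re.compile(r"^syslog-ng\[\d+\]: Log statistics"),
)
MARK_RE = re.compile(r"^-- MARK --$")


def message_body(line):
    """Strip 'Mon dd hh:mm:ss host ' so that what remains is
    '$PROGRAM[$PID]: $MSG', the form the anchored regexps expect."""
    m = SYSLOG_PREFIX.match(line)
    return line[m.end():] if m else line


def classify(line):
    """'stats' for a statistics message, 'mark' for a MARK line, else 'other'."""
    body = message_body(line)
    if any(r.search(body) for r in STATS_RES):
        return "stats"
    if MARK_RE.search(body):
        return "mark"
    return "other"


def drop_noise(lines):
    """What a log path that excludes both kinds of internal message lets through."""
    return [line for line in lines if classify(line) == "other"]


# Constructed sample: a 3.x statistics line, a 2.x-style STATS line, a MARK
# line as Liam reported it, and one ordinary message that must survive.
SAMPLE = [
    "Nov  2 21:11:01 host1 syslog-ng[2260]: Log statistics; processed='center(queued)=42', dropped='tcp(AF_INET(127.0.0.1:514))=0'",
    "Nov  2 21:11:01 host1 syslog-ng[2260]: STATS: dropped 0, processed 42",
    "Nov  2 21:21:01 domU-12-31-39-07-3D-F1 -- MARK --",
    "Nov  2 21:22:13 host1 sshd[4711]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "|", line)
    print("kept:", drop_noise(SAMPLE))
```

Note that the MARK line has no program name at all, so a filter built only from the two `syslog-ng[...]` regexps would never match it; that is why Liam needed `mark_freq(0)` in addition to `stats_freq(0)` rather than a wider regexp.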

Yann Forum | 3 Nov 16:50 2010

patterndb and syslog from cisco

Hello,

I'm writing patterndb.xml files to filter syslog messages from servers and Cisco routers. Currently, Cisco sends syslog with that format:

Nov  3 15:36:02 srv01.dom.test 36779: .Nov  3 14:50:30.403: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:50:30 CET Wed Nov 3 2010
Nov  3 15:39:02 srv01.dom.test 36780: .Nov  3 14:53:30.255: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:53:30 CET Wed Nov 3 2010
Nov  3 15:42:01 srv01.dom.test 36781: .Nov  3 14:56:30.378: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:56:30 CET Wed Nov 3 2010

The problem comes from the program name, which changes for each message: 36779, 36780, 36781, etc. For this reason, I can't use the patterndb mechanism.

How may I solve my problem? I think it's not allowed to change the program name with the "rewrite" rule.

I have the same problem with switches from Alcatel...

Regards,

Yann I.


Matthew Hall | 3 Nov 17:40 2010

Re: patterndb and syslog from cisco

There are ways to enable and disable the message sequence numbering 
and other special components of the messages on the Cisco devices 
themselves. The numbers can be useful for finding out if your devices are 
dropping messages somewhere.

But the more general solution is to send these to a source which has the 
flags(no-parse) set. Then you can parse out the interesting stuff using 
patterndb. Maybe Peter Czanik from Balabit can suggest where to find the 
latest patterns for Cisco devices.

See this for details:

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/index.html-single.html#reference_source_tcpudp

Good Luck,
Matthew.

On Wednesday, November 03, 2010 08:50:59 Yann Forum wrote:
-- 
Matthew Hall
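Matthew's answer has two parts: take the line in with flags(no-parse) so the Cisco sequence number is not mistaken for the program name, and then note that the sequence numbers are themselves useful for spotting dropped messages. The following is an added example (not code from the thread or from syslog-ng) that does the second step in Python on the raw line as a no-parse source would deliver it: it splits out the sequence number, the device timestamp, the %FACILITY-SEVERITY-MNEMONIC tag and the bracketed key/value fields, and reports every gap in the per-device sequence. The regexps, the fourth sample line and the gap report format are assumptions; the first three sample lines are Yann's.

```python
import re

# Added example, not from the thread. Parses Cisco IOS syslog lines of the
# shape Yann posted, where the sequence number ("36779:") sits where a
# normal syslog parser expects the program name. With flags(no-parse) the
# whole line lands in $MSG and can be taken apart here instead.
CISCO_RE = re.compile(
    r"^(?P<rcvd>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<seq>\d+): "
    # device timestamp; a leading '.' or '*' is Cisco's clock-status marker
    r"(?P<dev_ts>[.*]?[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
# "[key: value]" pairs inside the free text part
FIELD_RE = re.compile(r"\[(?P<key>[^\]:]+): (?P<value>[^\]]*)\]")


def parse_cisco(line):
    """Return the structured parts of one line as a dict, or None if the
    line is not in the sequence-numbered Cisco format."""
    m = CISCO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    rec["severity"] = int(rec["severity"])
    rec["fields"] = {k: v for k, v in FIELD_RE.findall(rec["text"])}
    return rec


def find_sequence_gaps(lines):
    """Per sending host, report every jump in the device sequence number as
    (host, expected_seq, seen_seq). An empty list means nothing was lost
    between the messages that arrived (assumes lines are in arrival order)."""
    last_seen = {}
    gaps = []
    for line in lines:
        rec = parse_cisco(line)
        if rec is None:
            continue
        host, seq = rec["host"], rec["seq"]
        if host in last_seen and seq != last_seen[host] + 1:
            gaps.append((host, last_seen[host] + 1, seq))
        last_seen[host] = seq
    return gaps


# First three lines are from Yann's mail; the fourth is constructed and
# deliberately skips 36782 so that the gap detector has something to find.
SAMPLE = [
    "Nov  3 15:36:02 srv01.dom.test 36779: .Nov  3 14:50:30.403: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:50:30 CET Wed Nov 3 2010",
    "Nov  3 15:39:02 srv01.dom.test 36780: .Nov  3 14:53:30.255: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:53:30 CET Wed Nov 3 2010",
    "Nov  3 15:42:01 srv01.dom.test 36781: .Nov  3 14:56:30.378: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:56:30 CET Wed Nov 3 2010",
    "Nov  3 15:45:01 srv01.dom.test 36783: .Nov  3 14:59:30.100: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: user02] [Source: 10.0.0.2] [localport: 22] [Reason: Login Authentication Failed] at 15:59:30 CET Wed Nov 3 2010",
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_cisco(line)
        print(rec["seq"], rec["mnemonic"], rec["fields"])
    print("gaps:", find_sequence_gaps(SAMPLE))
```

If the sequence numbering is switched off on the devices instead, as Matthew's first option suggests, the "36779:" token disappears and the default syslog parser again sees a sane program name, but the drop check above is lost with it; keeping the numbers and parsing the raw line is the option that preserves both.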

Fekete Róbert | 3 Nov 20:28 2010

Re: patterndb and syslog from cisco

Hi,

AFAIK, syslog-ng Premium Edition 3.2 can recognize and properly handle this message format. I am not sure
if this was already ported to OSE 3.2, I'll try to get some info on it if Bazsi does not reply sooner.

Regards, 
Robert

On Wednesday, November 03, 2010 17:40 CET, Matthew Hall <mhall <at> mhcomputing.net> wrote: 