  1. #1

    syslog-ng --- Centralised logging Server


    Dear All

    As per our company policy, we need to have a centralised logging server, and we have chosen syslog-ng. I have configured everything, but the logs from other hosts (Win2k3 servers, Linux clients, Cisco routers, etc.) are not being captured by syslog-ng.

    The local logs, however, are being captured, so I am clueless. The syslog-ng.conf file is enclosed below:

    * Already disabled the default syslog service.
    * syslog-ng service is running

    Please help me.

    Regards
    Sakthi

    #
    # Syslog-ng example configuration for for Debian GNU/Linux
    #
    # Copyright (c) 1999 anonymous
    # Copyright (c) 1999 Balazs Scheidler
    # $Id: syslog-ng.conf.sample,v 1.3 2003/05/20 08:57:27 asd Exp $
    #
    # Syslog-ng configuration file, compatible with default Debian syslogd
    # installation.
    #

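    options {
        long_hostnames(off);
        sync(0);
        time_reopen(10);
        log_fifo_size(1000);
        use_dns(no);            # senders are not resolved; unresolved hosts show up by IP
        use_fqdn(no);
        create_dirs(no);        # the posted copy lacked this ';', which is a parse error
        keep_hostnames(yes);
        stats(3600);
    };

    # Local input: the /dev/log socket plus syslog-ng's own messages.
    source src { unix-stream("/dev/log"); internal(); };
    # Network input: udp() with no ip()/port() binds UDP/514 on every interface
    # (0.0.0.0:514). Any host that can reach the port can inject messages, so
    # prefer udp(ip("<log-server-address>")) plus a host firewall rule that
    # admits only the known clients.
    source net { udp(); };

    destination authlog { file("/var/log/auth.log"); };
    destination syslog { file("/var/log/syslog"); };
    destination cron { file("/var/log/cron.log"); };
    destination daemon { file("/var/log/daemon.log"); };
    destination kern { file("/var/log/kern.log"); };
    destination lpr { file("/var/log/lpr.log"); };
    destination user { file("/var/log/user.log"); };
    destination uucp { file("/var/log/uucp.log"); };
    destination ppp { file("/var/log/ppp.log"); };
    destination mail { file("/var/log/mail.log"); };

    destination mailinfo { file("/var/log/mail.info"); };
    destination mailwarn { file("/var/log/mail.warn"); };
    destination mailerr { file("/var/log/mail.err"); };

    destination newscrit { file("/var/log/news/news.crit"); };
    destination newserr { file("/var/log/news/news.err"); };
    destination newsnotice { file("/var/log/news/news.notice"); };

    destination debug { file("/var/log/debug"); };
    destination messages { file("/var/log/messages"); };
    destination console { usertty("root"); };
    destination console_all { file("/dev/tty12"); };
    #destination loghost { udp("loghost" port(999)); };
    destination xconsole { pipe("/dev/xconsole"); };

    # One file per sending host and day, created on demand (create_dirs(yes)
    # here overrides the global create_dirs(no)). The posted copy used
    # perm(0777) dir_perm(0777): world-writable log files let any local user
    # read or alter the audit trail. 0640/0750 keeps them root-owned and
    # readable only by root and the root group.
    destination remote_logs {
        file("/var/log/syslog-ng/$FULLHOST/$YEAR/$MONTH/$DAY/$FULLHOST-$YEAR-$MONTH-$DAY.log"
             owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes)
             template("$DATE $FULLHOST $PROGRAM $STAG [$FACILITY.$LEVEL] $MESSAGE\n"));
    };

    filter f_auth { facility(auth); };
    filter f_authpriv { facility(auth, authpriv); };
    filter f_syslog { not facility(authpriv, mail); };
    filter f_cron { facility(cron); };
    filter f_daemon { facility(daemon); };
    filter f_kern { facility(kern); };
    filter f_lpr { facility(lpr); };
    filter f_mail { facility(mail); };
    filter f_user { facility(user); };
    filter f_uucp { facility(uucp); };   # was facility(cron), which just duplicated f_cron
    filter f_ppp { facility(local2); };
    filter f_news { facility(news); };
    filter f_debug { not facility(auth, authpriv, news, mail); };
    filter f_messages { level(info..warn)
        and not facility(auth, authpriv, mail, news); };
    filter f_emergency { level(emerg); };

    filter f_info { level(info); };
    filter f_notice { level(notice); };
    filter f_warn { level(warn); };
    filter f_crit { level(crit); };
    filter f_err { level(err); };

    # Every per-facility file below is fed from source(src) only, i.e. local
    # messages. Nothing received on the network reaches them.
    log { source(src); filter(f_authpriv); destination(authlog); };
    log { source(src); filter(f_syslog); destination(syslog); };
    log { source(src); filter(f_cron); destination(cron); };
    log { source(src); filter(f_daemon); destination(daemon); };
    log { source(src); filter(f_kern); destination(kern); };
    log { source(src); filter(f_lpr); destination(lpr); };
    log { source(src); filter(f_mail); destination(mail); };
    log { source(src); filter(f_user); destination(user); };
    log { source(src); filter(f_uucp); destination(uucp); };
    log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
    log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
    log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
    log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
    log { source(src); filter(f_news); filter(f_err); destination(newserr); };
    log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
    log { source(src); filter(f_debug); destination(debug); };
    log { source(src); filter(f_messages); destination(messages); };
    log { source(src); filter(f_emergency); destination(console); };
    log { source(src); filter(f_ppp); destination(ppp); };
    log { source(src); destination(console_all); };

    # Network messages go ONLY to the remote_logs tree, so remote hosts will
    # never appear in /var/log/messages; look under /var/log/syslog-ng/ instead.
    # The posted copy had "destination (remote_logs};};" on the last line --
    # an unbalanced parenthesis that syslog-ng cannot parse.
    log { source(src); destination(remote_logs); };
    log { source(net); destination(remote_logs); };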

  2. #2
    Can anyone help me solve this? I have to complete it at any cost. Enclosed is the netstat output from my central syslog-ng server:

    [root@Logserver log]# netstat -an |grep 514
    udp 0 0 0.0.0.0:514 0.0.0.0:*
    unix 3 [ ] STREAM CONNECTED 9514

    Content of /var/log/messages

    cat messages
    Dec 30 12:38:12 Logserver syslog-ng[8885]: syslog-ng starting up; version='2.0.6'
    Dec 30 12:38:12 Logserver syslog-ng: syslog-ng startup succeeded
    Dec 30 12:39:57 Logserver syslog-ng[8885]: Termination requested via signal, terminating;
    Dec 30 12:39:57 Logserver syslog-ng[8885]: syslog-ng shutting down; version='2.0.6'
    Dec 30 12:39:57 Logserver syslog-ng[8950]: syslog-ng starting up; version='2.0.6'
    Dec 30 12:39:57 Logserver syslog-ng: syslog-ng startup succeeded
    Dec 30 12:49:57 Logserver syslog-ng[8950]: Log statistics; processed='center(queued)=8', processed='center(received)=4', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=2', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=2', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=2', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=2', processed='source(net)=2', processed='source(src)=2'

  3. #3
    My tcpdump output shows the lines below. 172.16.0.2 is my syslog client; 172.16.0.7 is the syslog-ng server.


    13:27:15.157041 IP (tos 0x0, ttl 64, id 19716, offset 0, flags [DF], proto 6, length: 62) syslog-nghost.32887 > 172.16.0.2.5901: P [bad tcp cksum 585a (->ef4f)!] 30:40(10) ack 1 win 16022 <nop,nop,timestamp 419319163 419238498>
    13:27:15.157151 IP (tos 0x0, ttl 64, id 40564, offset 0, flags [DF], proto 6, length: 52) 172.16.0.2.5901 > syslog-nghost.32887: . [tcp sum ok] ack 40 win 1448 <nop,nop,timestamp 419246500 419319163>


    Kindly help me

  5. #4
    Not to change the subject, but have you looked at Splunk? Splunk > The IT Search Engine

    It's a very nice product and free up to a certain point.

  6. #5
    Is there anybody in the world who can help me with this?
