- 12-25-2007 #1Just Joined!
syslog-ng --- Centralised logging Server
Dear All
As per our company policy, we need a centralised logging server, and we have chosen syslog-ng. I have configured everything, but logs from other hosts (a Win2k3 server, Linux clients, Cisco routers, etc.) are not being captured by syslog-ng.
The local logs are being captured, though, and I am clueless. The syslog-ng.conf file is enclosed below:
* Already disabled the default syslog service.
* syslog-ng service is running
Pls. help me.
Regards
Sakthi
#
# Syslog-ng example configuration for Debian GNU/Linux
#
# Copyright (c) 1999 anonymous
# Copyright (c) 1999 Balazs Scheidler
# $Id: syslog-ng.conf.sample,v 1.3 2003/05/20 08:57:27 asd Exp $
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.
#
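# Global options (Debian-compatible defaults from the sample file).
options {
  long_hostnames(off);
  sync(0);                # no output buffering: every message is written at once
  time_reopen(10);        # seconds to wait before reopening a failed destination
  log_fifo_size(1000);    # per-destination output queue, in messages
  use_dns(no);            # peer addresses are not resolved; remote peers show as IPs
  use_fqdn(no);
  create_dirs(no);        # the posted file lacked the ';' here, which is a parse
                          # error; the remote_logs destination enables it per-file
  # With keep_hostnames(yes) the HOST field is the one the sender put in the
  # message, not the peer's address, so a remote sender controls what $FULLHOST
  # expands to (and any path built from it).
  # NOTE(review): consider keep_hostnames(no) and, if this release supports it,
  # check_hostname(yes) -- confirm against the syslog-ng 2.0.6 documentation.
  keep_hostnames(yes);
  stats(3600);            # "Log statistics" interval in seconds.
                          # NOTE(review): the stats line in the posted
                          # /var/log/messages arrived 10 minutes after startup
                          # and lists no destination(remote_logs); that does not
                          # match this file, so confirm which config the running
                          # daemon actually loaded (e.g. restart it and re-check).
};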
# Local sources: the /dev/log syslog socket plus syslog-ng's own internal messages.
source src { unix-stream("/dev/log"); internal(); };
# Network source: plain UDP syslog with no ip()/port() given, so it binds the
# default port on every interface (matches the 0.0.0.0:514 listener in the
# netstat output) and accepts datagrams from any sender. UDP cannot verify the
# sender, so restrict peers with a host firewall. The stats line reports
# source(net)=2, i.e. this source did receive messages from the network.
source net { udp(); };
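# Per-facility local log files (Debian syslogd-compatible layout).
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };
destination ppp { file("/var/log/ppp.log"); };
destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
# Console outputs: emergencies to root's tty, everything to tty12.
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
#destination loghost { udp("loghost" port(999)); };
destination xconsole { pipe("/dev/xconsole"); };
# One file per sending host per day. With keep_hostnames(yes) in options,
# $FULLHOST is taken from the message itself, so this path is built from
# sender-supplied data; NOTE(review): confirm how syslog-ng 2.0.6 validates
# hostnames before relying on it in a path. The posted file used
# perm(0777)/dir_perm(0777), i.e. world-writable log files and directories,
# which lets any local user alter or delete collected logs; tightened so only
# root can write and only root/group root can read.
destination remote_logs {
  file("/var/log/syslog-ng/$FULLHOST/$YEAR/$MONTH/$DAY/$FULLHOST-$YEAR-$MONTH-$DAY.log"
    owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes)
    template("$DATE $FULLHOST $PROGRAM $STAG [$FACILITY.$LEVEL] $MESSAGE\n"));
};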
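# Facility filters; each is named after the destination it feeds.
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
# The posted file had facility(cron) here, so /var/log/uucp.log would have
# received a second copy of the cron messages and no uucp messages at all.
filter f_uucp { facility(uucp); };
filter f_ppp { facility(local2); };   # ppp is logged via local2 in this layout
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };
# Level filters, combined with the facility filters in the log statements.
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };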
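# Local log paths: one statement per facility file.
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
# Chained filters: a message must match every filter listed.
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); filter(f_ppp); destination(ppp); };
log { source(src); destination(console_all); };   # unfiltered: everything local
# Both local and network messages go to the per-host files. The posted file
# had "destination (remote_logs};" on the net line -- a mismatched paren, which
# is a parse error -- so the config as posted could not have been the one the
# daemon loaded; fixed here.
log { source(src); destination(remote_logs); };
log { source(net); destination(remote_logs); };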
- 12-30-2007 #2Just Joined!
Can anyone help me solve this? I have to complete it at any cost. Enclosed is the netstat output from my central syslog-ng server:
[root@Logserver log]# netstat -an |grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:*
unix 3 [ ] STREAM CONNECTED 9514
Contents of /var/log/messages:
cat messages
Dec 30 12:38:12 Logserver syslog-ng[8885]: syslog-ng starting up; version='2.0.6'
Dec 30 12:38:12 Logserver syslog-ng: syslog-ng startup succeeded
Dec 30 12:39:57 Logserver syslog-ng[8885]: Termination requested via signal, terminating;
Dec 30 12:39:57 Logserver syslog-ng[8885]: syslog-ng shutting down; version='2.0.6'
Dec 30 12:39:57 Logserver syslog-ng[8950]: syslog-ng starting up; version='2.0.6'
Dec 30 12:39:57 Logserver syslog-ng: syslog-ng startup succeeded
Dec 30 12:49:57 Logserver syslog-ng[8950]: Log statistics; processed='center(queued)=8', processed='center(received)=4', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=2', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=2', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=2', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=2', processed='source(net)=2', processed='source(src)=2'
- 12-30-2007 #3Just Joined!
My tcpdump output shows the lines below; 172.16.0.2 is my syslog client and 172.16.0.7 is the syslog-ng server.
13:27:15.157041 IP (tos 0x0, ttl 64, id 19716, offset 0, flags [DF], proto 6, length: 62) syslog-nghost.32887 > 172.16.0.2.5901: P [bad tcp cksum 585a (->ef4f)!] 30:40(10) ack 1 win 16022 <nop,nop,timestamp 419319163 419238498>
13:27:15.157151 IP (tos 0x0, ttl 64, id 40564, offset 0, flags [DF], proto 6, length: 52) 172.16.0.2.5901 > syslog-nghost.32887: . [tcp sum ok] ack 40 win 1448 <nop,nop,timestamp 419246500 419319163>
Kindly help me
- 12-30-2007 #4
Not to change the subject, but have you looked at Splunk (Splunk > The IT Search Engine)?
It's a very nice product, and free up to a certain point.
- 12-31-2007 #5Just Joined!
Is there anybody in the world who can help me with this...?


