  #1  
Old 03-05-2008
Tornado's Avatar
Registered User
 

Join Date: Nov 2006
Location: Melbourne
Posts: 243
syslog-ng.conf

Has anyone here configured a central syslog server using syslog-ng ?

I have set one up and I'm trying to tune the syslog-ng.conf file, both for the server and the client. I have found lots of linux example files, but not much on Solaris which is slightly different.

So if you have a Solaris syslog-ng.conf or have any links to some I would love to see them.

This is what I have:
Server:
Code:
#
# syslog-ng server configuration:
#

options
  {
    sync (0);
    stats (0);
    chain_hostnames(no);
    create_dirs (yes);
    dir_perm(0755);
    dns_cache(yes);
    keep_hostname(yes);
    log_fifo_size(2048);
    long_hostnames(on);
    perm(0644);
    time_reopen (10);
    use_dns(yes);
  };

source s_local  { sun-streams ("/dev/log" door("/var/run/syslog_door")); internal(); };
source s_remote { tcp(); };

#----------------------------------------------------------------------
#  Standard Log file locations
#----------------------------------------------------------------------
destination d_cons      { file("/dev/console"); };
destination d_mesg      { file("/var/adm/messages"); };
destination d_mail      { file("/var/log/syslog"); };
destination d_auth      { file("/var/log/authlog"); };
destination d_mlop      { usertty("operator"); };
destination d_mlrt      { usertty("root"); };
destination d_mlal      { usertty("*"); };

#----------------------------------------------------------------------
#  Remote logs sorting by host
#----------------------------------------------------------------------
destination d_clients       { file("/var/log/HOSTS/$HOST/$R_YEAR/$R_MONTH/$R_DAY/$FACILITY"); };

#----------------------------------------------------------------------
#  Standard filters for the standard destinations.
#----------------------------------------------------------------------
filter f_filter1   { level(err) or
                     (level(notice) and facility (auth, kern)); };
filter f_filter2   { level(err) or
                     (facility(kern) and level(notice)) or
                     (facility(daemon) and level(notice)) or
                     (facility(mail) and level(crit)); };
filter f_filter3   { level(alert) or
                     (facility(kern) and level(err)) or
                     (facility(daemon) and level(err)); };
filter f_filter4   { level(alert); };
filter f_filter5   { level(emerg); };
filter f_filter6   { facility(kern) and level(notice); };
filter f_filter7   { facility(mail) and level(debug); };
filter f_filter8   { facility(user) and level(err); };
filter f_filter9   { facility(user) and level(alert); };

#----------------------------------------------------------------------
#  Standard logging
#----------------------------------------------------------------------
log { source(s_local); filter(f_filter1); destination(d_cons); };
log { source(s_local); filter(f_filter2); destination(d_mesg); };
log { source(s_local); filter(f_filter3); destination(d_mlop); };
log { source(s_local); filter(f_filter4); destination(d_mlrt); };
log { source(s_local); filter(f_filter5); destination(d_mlal); };
log { source(s_local); filter(f_filter6); destination(d_auth); };
log { source(s_local); filter(f_filter7); destination(d_mail); };
log { source(s_local); filter(f_filter8); destination(d_cons);
                                        destination(d_mesg); };
log { source(s_local); filter(f_filter9); destination(d_mlop);
                                        destination(d_mlrt); };

#----------------------------------------------------------------------
#  Remote logging
#----------------------------------------------------------------------
log { source(s_remote); destination(d_clients); };

##########################################
##        NOT SURE IF I NEED THIS       ##
##########################################
#----------------------------------------------------------------------
#  Special catch all destination sorting by host
#----------------------------------------------------------------------
log { source(s_local); source(s_remote); destination(d_clients); };
Client:
Code:
#
# syslog-ng client configuration: some local logs, in addition to TCP
# logging to central loghost.
#

options
  {
    sync (0);
    stats (0);
    chain_hostnames(no);
    create_dirs (yes);
    dir_perm(0755);
    dns_cache(yes);
    keep_hostname(yes);
    log_fifo_size(2048);
    long_hostnames(on);
    perm(0644);
    time_reopen (10);
    use_dns(yes);
  };

source s_local  { sun-streams ("/dev/log" door("/var/run/syslog_door")); internal(); };

#----------------------------------------------------------------------
#  Standard Log file locations
#----------------------------------------------------------------------
destination d_cons      { file("/dev/console"); };
destination d_mesg      { file("/var/adm/messages"); };
destination d_mail      { file("/var/log/syslog"); };
destination d_auth      { file("/var/log/authlog"); };
destination d_mlop      { usertty("operator"); };
destination d_mlrt      { usertty("root"); };
destination d_mlal      { usertty("*"); };

#----------------------------------------------------------------------
#  Forward to a loghost server
#----------------------------------------------------------------------
destination d_loghostdr   { tcp("loghostdr" port(514)); };

#----------------------------------------------------------------------
#  Standard filters for the standard destinations.
#----------------------------------------------------------------------
filter f_filter1   { level(err) or
                     (level(notice) and facility (auth, kern)); };
filter f_filter2   { level(err) or
                     (facility(kern) and level(notice)) or
                     (facility(daemon) and level(notice)) or
                     (facility(mail) and level(crit)); };
filter f_filter3   { level(alert) or
                     (facility(kern) and level(err)) or
                     (facility(daemon) and level(err)); };
filter f_filter4   { level(alert); };
filter f_filter5   { level(emerg); };
filter f_filter6   { facility(kern) and level(notice); };
filter f_filter7   { facility(mail) and level(debug); };
filter f_filter8   { facility(user) and level(err); };
filter f_filter9   { facility(user) and level(alert); };

#----------------------------------------------------------------------
#  Standard logging
#----------------------------------------------------------------------
log { source(s_local); filter(f_filter1); destination(d_cons); };
log { source(s_local); filter(f_filter2); destination(d_mesg); };
log { source(s_local); filter(f_filter3); destination(d_mlop); };
log { source(s_local); filter(f_filter4); destination(d_mlrt); };
log { source(s_local); filter(f_filter5); destination(d_mlal); };
log { source(s_local); filter(f_filter6); destination(d_auth); };
log { source(s_local); filter(f_filter7); destination(d_mail); };
log { source(s_local); filter(f_filter8); destination(d_cons);
                                        destination(d_mesg); };
log { source(s_local); filter(f_filter9); destination(d_mlop);
                                        destination(d_mlrt); };

#----------------------------------------------------------------------
#  Send to a remote loghost
#----------------------------------------------------------------------
log { source(s_local); destination(d_loghostdr); };
Reply With Quote
  #2  
Old 10-09-2008
Registered User
 

Join Date: May 2008
Location: Dhaka, Bangladesh
Posts: 7
I think the last line of the server conf file is redundant. You don't need this. Another thing: you can add the flag(final); statement to each of the log entries so that no log will be stored more than once if it matches multiple filters.

Thanks
Reply With Quote
  #3  
Old 2 Weeks Ago
Tornado's Avatar
Registered User
 

Join Date: Nov 2006
Location: Melbourne
Posts: 243
I am getting this error now..

On Client:
Quote:
syslog-ng[22409]: Connection broken; time_reopen='10'
syslog-ng[22409]: EOF occurred while idle; fd='10'
On Server:
Quote:
syslog-ng[880]: Number of allowed concurrent connections exceeded; num='10', max='10'
All I can find is this solution.
Quote:
source s_local {
unix-streams ("/dev/log" max-connections(20));
internal();
pipe("/proc/kmsg");
};
The problem is that I am not using unix-streams and max-connections(20) is an option for unix-streams. This is what my source line looks like.
Quote:
source s_local { sun-streams ("/dev/log" door("/var/run/syslog_door")); internal(); };
Anyone know how I can fix this error in my config (using sun-streams)?


Here is the definition from the config file:
Quote:
# unix-stream
# unix-dgram - These two drivers behave similarly:
# they open the given AF_UNIX socket, and start
# listening on them for messages. unix-stream() is
# primarily used on Linux, and uses SOCK_STREAM
# semantics (connection oriented, no messages are
# lost), unix-dgram() is used on BSDs, and uses
# SOCK_DGRAM semantics, this may result in lost
# local messages, if the system is overloaded.
#
# To avoid denial of service attacks when using
# connection-oriented protocols, the number of
# simultaneously accepted connections should be
# limited. This can be achieved using the
# max-connections() parameter. The default value of
# this parameter is quite strict, you might have to
# increase it on a busy system.
#
# Both unix-stream and unix-dgram has a single
# required positional argument, specifying the
# filename of the socket to create, and several
# optional parameters.


# sun-streams
# Solaris uses its STREAMS API to send messages to
# the syslogd process. You'll have to compile
# syslog-ng with this driver compiled in (see
# ./configure --help).
#
# Newer versions of Solaris (2.5.1 and above), uses a
# new IPC in addition to STREAMS, called door to
# confirm delivery of a message. Syslog-ng supports
# this new IPC mechanism with the door() option.
#
# The sun-streams() driver has a single required
# argument, specifying the STREAMS device to open and
# a single option.
Reply With Quote
  #4  
Old 2 Weeks Ago
Tornado's Avatar
Registered User
 

Join Date: Nov 2006
Location: Melbourne
Posts: 243
I have added this line and it has fixed the problem..
Quote:
source s_remote { tcp(max-connections(20)); };
When required I will increase this value..
Reply With Quote
  #5  
Old 2 Weeks Ago
Registered User
 

Join Date: Mar 2002
Posts: 26
Your file and directory perms are way too open.

They shouldn't exceed 0750 for the directory, and 0640 for the files. You might want to explicitly set the owner() and group() for both the file and directories as well.

If you limit access to root, set the group so others can view the file, ie:

destination d_auth { file("/var/log/authlog" owner(root) group(sysadmin)); };

I don't know how large your deployment is, how important you feel the remote logging is or what nanny alerts you have in place... but you could use udp instead of tcp.
Reply With Quote
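An added example, not part of any post in this thread: a small Python check that scans a syslog-ng.conf for the two issues raised in posts #4 and #5, namely a tcp() source with no max-connections() and perm()/dir_perm() values above 0640/0750. The function name `audit` and the embedded sample (lines taken from the configs above plus one constructed commented-out line) are assumptions made for the example.

```python
import re

# Ceilings suggested in post #5: 0640 for files, 0750 for directories.
MAX_PERM = {"perm": 0o640, "dir_perm": 0o750}

# Sample input: lines from the configs posted above, plus a constructed comment line.
SAMPLE_CONF = """\
options {
    create_dirs (yes);
    dir_perm(0755);
    perm(0644);
};
source s_local  { sun-streams ("/dev/log" door("/var/run/syslog_door")); internal(); };
source s_remote { tcp(); };
# source s_old { tcp(); };
destination d_loghostdr { tcp("loghostdr" port(514)); };
"""

PERM_RE = re.compile(r"\b(dir[_-]perm|perm)\s*\(\s*(0[0-7]+)\s*\)")
SOURCE_RE = re.compile(r"\bsource\s+(\w+)\s*\{(.*?)\}\s*;", re.S)
TCP_RE = re.compile(r"\btcp6?\s*\(([^;]*)\)")

def audit(conf_text):
    """Return sorted (line_number, message) findings for a syslog-ng config."""
    # Blank out '#' comments but keep line breaks so line numbers stay correct.
    # Simplification: a '#' inside a quoted string is treated as a comment.
    text = "\n".join(l.split("#", 1)[0] for l in conf_text.splitlines())

    def lineno(pos):
        return text.count("\n", 0, pos) + 1

    findings = []
    for m in PERM_RE.finditer(text):
        name = m.group(1).replace("-", "_")
        # Permission bits that are set but not allowed by the ceiling.
        extra = int(m.group(2), 8) & 0o777 & ~MAX_PERM[name]
        if extra:
            msg = f"{name}({m.group(2)}) grants extra bits {extra:04o}"
            findings.append((lineno(m.start()), msg))
    # Only source statements listen; a tcp() destination is an outbound client.
    for m in SOURCE_RE.finditer(text):
        for tcp in TCP_RE.finditer(m.group(2)):
            if not re.search(r"max[-_]connections\s*\(", tcp.group(1)):
                msg = f"source {m.group(1)}: tcp() has no max-connections()"
                findings.append((lineno(m.start()), msg))
    return sorted(findings)
```

Calling `audit(open(path).read())` on a real file returns the same kind of list; an empty list means neither issue was found.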
  #6  
Old 1 Week Ago
Tornado's Avatar
Registered User
 

Join Date: Nov 2006
Location: Melbourne
Posts: 243
At the moment it is being used in a lab on about 13 systems..
Reply With Quote