08-29-2006
Many thanks for the help (apologies for the delayed response). I think I will go with the syslogd option. I have drafted a syslog-ng.conf file but I am not getting the logs I would expect.
At present I have approx 10 clients which are using syslogd. I have a centralised syslog server which is now using syslog-ng. In each client I have a line in the syslog.conf file which sends everything to the central server, like this:
*.* @loghost
loghost is defined in /etc/hosts, and prior to switching to syslog-ng logs were sent as expected to loghost. Now I don't see any evidence of remote logs on the syslog server. I even configured 1 client with syslog-ng and switched to tcp, but still nothing.
On the server the syslog-ng.conf looks like this:
options { sync (0);             # write every message out immediately, no output buffering
          time_reopen (10);     # seconds to wait before retrying a failed destination
          log_fifo_size (1000);
          long_hostnames (off);
          use_dns (no);         # do not resolve sender addresses; $HOST comes from the message
          use_fqdn (no);
          create_dirs (yes);    # let syslog-ng create /var/log/HOSTS/$HOST on first use
          keep_hostname (yes);  # keep the hostname the client wrote into the message
};
# Remote syslogd clients ("*.* @loghost") send plain UDP to port 514, the udp() default.
source s_remote { udp(); };
# Local messages: syslog-ng's own, the /dev/log socket, and the kernel ring buffer.
source s_sys { internal(); unix-stream("/dev/log"); file("/proc/kmsg" log_prefix("kernel: ")); };
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };
destination d_kernel { file("/var/log/kern.log"); };
# One file per sending host; file() needs a file name, a bare directory path cannot be opened.
destination d_clients { file("/var/log/HOSTS/$HOST/messages"); };
filter f_filter1 { facility(kern); };
# level(info) on its own matches only the info level; info..emerg is what "*.info" in
# syslog.conf means (info and everything more severe).
filter f_filter2 { level(info..emerg) and
                   not (facility(mail)
                   or facility(authpriv)
                   or facility(cron)
                   or program("kernel")); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or
                   (facility(news) and level(crit..emerg)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };
filter f_kernel { level(info..emerg) and program("kernel"); };
# Local log paths: only s_sys feeds the per-facility files below.
log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
log { source(s_sys); filter(f_kernel); destination(d_kernel); };
# Everything received from the network goes unfiltered into the per-host file.
log { source(s_remote); destination(d_clients); };
# vim: syntax=syslog-ng
The client config looks like this:
options { sync (0);
          time_reopen (10);
          log_fifo_size (1000);
          long_hostnames (off);
          use_dns (no);
          use_fqdn (no);
          create_dirs (no);
          keep_hostname (yes);
};
# Local sources on the client; /proc/kmsg is read as a pipe here.
source s_sys { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };
destination d_kernel { file("/var/log/kern.log"); };
# Forward to the central server over UDP 514, matching the server's udp() source.
destination d_loghost { udp("loghost" port(514)); };
filter f_filter1 { facility(kern); };
# info..emerg: info and everything more severe, as "*.info" means in syslog.conf.
filter f_filter2 { level(info..emerg) and
                   not (facility(mail)
                   or facility(authpriv)
                   or facility(cron)
                   or program("kernel")); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or
                   (facility(news) and level(crit..emerg)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };
filter f_kernel { level(info..emerg) and program("kernel"); };
#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
log { source(s_sys); filter(f_kernel); destination(d_kernel); };
# Unfiltered copy of every local message to the central server.
log { source(s_sys); destination(d_loghost); };
So far I am not seeing any remote or local logs. Any pointers?
Cheers
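To make the forwarding path concrete, here is an added Python example (not from the poster and not part of syslog-ng) that builds and decodes the <PRI> datagram a "*.* @loghost" client puts on the wire, and replays the server's log {} statements above to show which destination a given message reaches. It assumes the level() filters are meant as ranges (level(info..emerg), the syslog.conf "*.info" meaning), a constructed minimal message layout without a timestamp, and the source and destination names from the server config.

```python
import re

# RFC 3164: PRI = facility * 8 + severity. This is what "*.* @loghost" in syslog.conf
# and udp("loghost" port(514)) in syslog-ng prepend to every forwarded line.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LINE_RE = re.compile(rb"^<(\d{1,3})>(\S+) ([^:\s]+): (.*)$")   # <PRI>host program: text

def build_datagram(facility, severity, host, program, text):
    # Constructed minimal BSD syslog line (timestamp omitted; syslog-ng stamps it on receipt).
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return f"<{pri}>{host} {program}: {text}".encode()

def parse_datagram(data):
    """Decode a datagram into (facility, severity, host, program, text); reject a bad PRI."""
    m = LINE_RE.match(data)
    if not m or int(m.group(1)) > 191:          # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("not a valid BSD syslog datagram")
    fac, sev = divmod(int(m.group(1)), 8)
    return (FACILITIES[fac], SEVERITIES[sev]) + tuple(g.decode() for g in m.groups()[1:])

def at_least(severity, floor):
    """True if severity is floor or worse, i.e. what level(floor..emerg) selects."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(floor)

# (destination, filter) pairs in the order of the server's log {} statements for s_sys
FILTERS = [
    ("d_cons", lambda f, s, p: f == "kern"),
    ("d_mesg", lambda f, s, p: at_least(s, "info")
               and f not in ("mail", "authpriv", "cron") and p != "kernel"),
    ("d_auth", lambda f, s, p: f == "authpriv"),
    ("d_mail", lambda f, s, p: f == "mail"),
    ("d_mlal", lambda f, s, p: s == "emerg"),
    ("d_spol", lambda f, s, p: f == "uucp" or (f == "news" and at_least(s, "crit"))),
    ("d_boot", lambda f, s, p: f == "local7"),
    ("d_cron", lambda f, s, p: f == "cron"),
    ("d_kernel", lambda f, s, p: at_least(s, "info") and p == "kernel"),
]

def route(source, facility, severity, program):
    """Replay the server's log paths: a message from s_remote only ever reaches d_clients."""
    if source == "s_remote":
        return ["d_clients"]
    return [d for d, ok in FILTERS if ok(facility, severity, program)]
```

Note that nothing arriving via s_remote is ever split into /var/log/secure or the other local files; only the per-host file under /var/log/HOSTS receives it.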