syslog-ng.conf
# 1  
Old 03-05-2008
syslog-ng.conf

Has anyone here configured a central syslog server using syslog-ng ?

I have set one up and I'm trying to tune the syslog-ng.conf file, both for the server and the client. I have found lots of linux example files, but not much on Solaris which is slightly different.

So if you have a Solaris syslog-ng.conf or have any links to some I would love to see them.

This is what I have:
Server:
Code:
#
# syslog-ng server configuration:
#

options
  {
    sync (0);
    stats (0);
    chain_hostnames(no);
    create_dirs (yes);
    dir_perm(0755);
    dns_cache(yes);
    keep_hostname(yes);
    log_fifo_size(2048);
    long_hostnames(on);
    perm(0644);
    time_reopen (10);
    use_dns(yes);
  };

source s_local  { sun-streams ("/dev/log" door("/var/run/syslog_door")); internal(); };
source s_remote { tcp(); };

#----------------------------------------------------------------------
#  Standard Log file locations
#----------------------------------------------------------------------
destination d_cons      { file("/dev/console"); };
destination d_mesg      { file("/var/adm/messages"); };
destination d_mail      { file("/var/log/syslog"); };
destination d_auth      { file("/var/log/authlog"); };
destination d_mlop      { usertty("operator"); };
destination d_mlrt      { usertty("root"); };
destination d_mlal      { usertty("*"); };

#----------------------------------------------------------------------
#  Remote logs sorting by host
#----------------------------------------------------------------------
destination d_clients       { file("/var/log/HOSTS/$HOST/$R_YEAR/$R_MONTH/$R_DAY/$FACILITY"); };

#----------------------------------------------------------------------
#  Standard filters for the standard destinations.
#----------------------------------------------------------------------
filter f_filter1   { level(err) or
                     (level(notice) and facility (auth, kern)); };
filter f_filter2   { level(err) or
                     (facility(kern) and level(notice)) or
                     (facility(daemon) and level(notice)) or
                     (facility(mail) and level(crit)); };
filter f_filter3   { level(alert) or
                     (facility(kern) and level(err)) or
                     (facility(daemon) and level(err)); };
filter f_filter4   { level(alert); };
filter f_filter5   { level(emerg); };
filter f_filter6   { facility(kern) and level(notice); };
filter f_filter7   { facility(mail) and level(debug); };
filter f_filter8   { facility(user) and level(err); };
filter f_filter9   { facility(user) and level(alert); };

#----------------------------------------------------------------------
#  Standard logging
#----------------------------------------------------------------------
log { source(s_local); filter(f_filter1); destination(d_cons); };
log { source(s_local); filter(f_filter2); destination(d_mesg); };
log { source(s_local); filter(f_filter3); destination(d_mlop); };
log { source(s_local); filter(f_filter4); destination(d_mlrt); };
log { source(s_local); filter(f_filter5); destination(d_mlal); };
log { source(s_local); filter(f_filter6); destination(d_auth); };
log { source(s_local); filter(f_filter7); destination(d_mail); };
log { source(s_local); filter(f_filter8); destination(d_cons);
                                        destination(d_mesg); };
log { source(s_local); filter(f_filter9); destination(d_mlop);
                                        destination(d_mlrt); };

#----------------------------------------------------------------------
#  Remote logging
#----------------------------------------------------------------------
log { source(s_remote); destination(d_clients); };

##########################################
##        NOT SURE IF I NEED THIS       ##
##########################################
#----------------------------------------------------------------------
#  Special catch all destination sorting by host
#----------------------------------------------------------------------
log { source(s_local); source(s_remote); destination(d_clients); };

Client:
Code:
#
# syslog-ng client configuration: some local logs, in addition to TCP
# logging to central loghost.
#

options
  {
    sync (0);
    stats (0);
    chain_hostnames(no);
    create_dirs (yes);
    dir_perm(0755);
    dns_cache(yes);
    keep_hostname(yes);
    log_fifo_size(2048);
    long_hostnames(on);
    perm(0644);
    time_reopen (10);
    use_dns(yes);
  };

source s_local  { sun-streams ("/dev/log" door("/var/run/syslog_door")); internal(); };

#----------------------------------------------------------------------
#  Standard Log file locations
#----------------------------------------------------------------------
destination d_cons      { file("/dev/console"); };
destination d_mesg      { file("/var/adm/messages"); };
destination d_mail      { file("/var/log/syslog"); };
destination d_auth      { file("/var/log/authlog"); };
destination d_mlop      { usertty("operator"); };
destination d_mlrt      { usertty("root"); };
destination d_mlal      { usertty("*"); };

#----------------------------------------------------------------------
#  Forward to a loghost server
#----------------------------------------------------------------------
destination d_loghostdr   { tcp("loghostdr" port(514)); };

#----------------------------------------------------------------------
#  Standard filters for the standard destinations.
#----------------------------------------------------------------------
filter f_filter1   { level(err) or
                     (level(notice) and facility (auth, kern)); };
filter f_filter2   { level(err) or
                     (facility(kern) and level(notice)) or
                     (facility(daemon) and level(notice)) or
                     (facility(mail) and level(crit)); };
filter f_filter3   { level(alert) or
                     (facility(kern) and level(err)) or
                     (facility(daemon) and level(err)); };
filter f_filter4   { level(alert); };
filter f_filter5   { level(emerg); };
filter f_filter6   { facility(kern) and level(notice); };
filter f_filter7   { facility(mail) and level(debug); };
filter f_filter8   { facility(user) and level(err); };
filter f_filter9   { facility(user) and level(alert); };

#----------------------------------------------------------------------
#  Standard logging
#----------------------------------------------------------------------
log { source(s_local); filter(f_filter1); destination(d_cons); };
log { source(s_local); filter(f_filter2); destination(d_mesg); };
log { source(s_local); filter(f_filter3); destination(d_mlop); };
log { source(s_local); filter(f_filter4); destination(d_mlrt); };
log { source(s_local); filter(f_filter5); destination(d_mlal); };
log { source(s_local); filter(f_filter6); destination(d_auth); };
log { source(s_local); filter(f_filter7); destination(d_mail); };
log { source(s_local); filter(f_filter8); destination(d_cons);
                                        destination(d_mesg); };
log { source(s_local); filter(f_filter9); destination(d_mlop);
                                        destination(d_mlrt); };

#----------------------------------------------------------------------
#  Send to a remote loghost
#----------------------------------------------------------------------
log { source(s_local); destination(d_loghostdr); };

Tornado
# 2  
Old 10-09-2008
I think the last line of the server conf file is redundant. You don't need this. Another thing: you can add the flag(final); statement to each of the log entries so that no log will be stored more than once if it matches multiple filters.

Thanks
# 3  
Old 11-16-2008
I am getting this error now..

On Client:
Quote:
syslog-ng[22409]: Connection broken; time_reopen='10'
syslog-ng[22409]: EOF occurred while idle; fd='10'
On Server:
Quote:
syslog-ng[880]: Number of allowed concurrent connections exceeded; num='10', max='10'
All I can find is this solution.
Quote:
source s_local {
unix-streams ("/dev/log" max-connections(20));
internal();
pipe("/proc/kmsg");
};
The problem is that I am not using unix-streams and max-connections(20) is an option for unix-streams. This is what my source line looks like.
Quote:
source s_local { sun-streams ("/dev/log" door("/var/run/syslog_door")); internal(); };
Anyone know how I can fix this error in my config(using sun-streams) ?


Here is the definition from the config file:
Quote:
# unix-stream
# unix-dgram - These two drivers behave similarly:
# they open the given AF_UNIX socket, and start
# listening on them for messages. unix-stream() is
# primarily used on Linux, and uses SOCK_STREAM
# semantics (connection oriented, no messages are
# lost), unix-dgram() is used on BSDs, and uses
# SOCK_DGRAM semantics, this may result in lost
# local messages, if the system is overloaded.
#
# To avoid denial of service attacks when using
# connection-oriented protocols, the number of
# simultaneously accepted connections should be
# limited. This can be achieved using the
# max-connections() parameter. The default value of
# this parameter is quite strict, you might have to
# increase it on a busy system.
#
# Both unix-stream and unix-dgram has a single
# required positional argument, specifying the
# filename of the socket to create, and several
# optional parameters.


# sun-streams
# Solaris uses its STREAMS API to send messages to
# the syslogd process. You'll have to compile
# syslog-ng with this driver compiled in (see
# ./configure --help).
#
# Newer versions of Solaris (2.5.1 and above), uses a
# new IPC in addition to STREAMS, called door to
# confirm delivery of a message. Syslog-ng supports
# this new IPC mechanism with the door() option.
#
# The sun-streams() driver has a single required
# argument, specifying the STREAMS device to open and
# a single option.
Tornado
# 4  
Old 11-16-2008
I have added this line and it has fixed the problem..
Quote:
source s_remote { tcp(max-connections(20)); };
When required I will increase this value..
Tornado
# 5  
Old 11-18-2008
Your file and directory perms are way too open.

They shouldn't exceed 0750 for the directory, and 0640 for the files. You might want to explicitly set the owner() and group() for both the file and directories as well.

If you limit access to root, set the group so others can view the file, ie:

destination d_auth { file("/var/log/authlog") owner(root) group(sysadmin); };

I don't know how large your deployment is, how important you feel the remote logging is or what nanny alerts you have in place... but you could use udp instead of tcp.
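A small audit script for the three points raised in this thread (post 2: add `flags(final)` so a message matching several log paths is not stored more than once; post 4: the tcp() source needs `max-connections()` once the default is exhausted; post 5: `perm()` and `dir_perm()` should not exceed 0640 and 0750). This is an added example, not code from the thread or from syslog-ng; the sample config embedded in it is constructed from the server config posted above, and the 0640/0750 ceilings are the values suggested in post 5.

```python
import re

# Constructed sample: the relevant lines of the server config posted in this
# thread, carrying the weak settings the replies point out.
SAMPLE_CONF = """
options { sync (0); dir_perm(0755); perm(0644); use_dns(yes); };
source s_local  { sun-streams ("/dev/log" door("/var/run/syslog_door")); internal(); };
source s_remote { tcp(); };
destination d_auth { file("/var/log/authlog"); };
log { source(s_local); filter(f_filter1); destination(d_cons); };
log { source(s_remote); destination(d_clients); flags(final); };
"""

MAX_FILE_PERM = 0o640   # ceiling for log files suggested in the thread
MAX_DIR_PERM = 0o750    # ceiling for created directories suggested in the thread

def strip_comments(text):
    """Drop '#' comments so commented-out settings are not audited."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def too_open(mode, ceiling):
    """True if `mode` grants any permission bit that `ceiling` does not."""
    return (mode & ~ceiling) != 0

def audit(conf):
    """Return a list of findings for the syslog-ng config text `conf`."""
    text = strip_comments(conf)
    findings = []
    for name, ceiling in (("perm", MAX_FILE_PERM), ("dir_perm", MAX_DIR_PERM)):
        m = re.search(r"\b%s\s*\(\s*0?([0-7]{3})\s*\)" % name, text)
        if m and too_open(int(m.group(1), 8), ceiling):
            findings.append("%s(0%s) exceeds 0%o" % (name, m.group(1), ceiling))
    # A tcp() listener accepts a small default number of concurrent clients;
    # the "allowed concurrent connections exceeded" error above is that limit.
    for src in re.findall(r"source\s+\w+\s*\{([^}]*)\}", text):
        if re.search(r"\btcp\s*\(", src) and "max-connections" not in src:
            findings.append("tcp() source without max-connections()")
    # Without flags(final) a message that matches several log statements is
    # written to every destination of every one of them.
    for stmt in re.findall(r"log\s*\{([^}]*)\}", text):
        if "flags(final)" not in stmt.replace(" ", ""):
            findings.append("log statement without flags(final): " + " ".join(stmt.split()))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("WARN:", finding)
```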
# 6  
Old 11-18-2008
At the moment it is being used in a lab on about 13 systems..
Tornado