another time help with syslog-ng
# 1  
Old 09-11-2012

Hi all,
there's another problem which I have with syslog-ng; perhaps somebody has a solution:
We've a server which sends its messages log to another server - this worked well with ... destination logserver ... and so on.
In /var/log/messages there's an entry like this every 5 minutes:
Code:
...
Sep 10 16:20:01 Servername sshd[25721]: Accepted publickey for user from 123.12.123.123 port 47936 ssh2
...
Because I want to get rid of these messages, I tried to filter them out with syslog-ng.

What I want:
the messages above should be written to a separate logfile, and the hourly syslog status message from syslog-ng itself
Code:
Sep 11 12:12:26 Servername syslog-ng[18531]: Log statistics; dropped='udp(AF_INET(123.12.123.12:514))=0', processed='center(queued)=71', processed='center(received)=30', processed='destination(messages)=24', processed='destination(mailinfo)=0', processed='destination(mailwarn)=0', processed='destination(logserver)=30', processed='destination(localmessages)=0', processed='destination(mailerr)=0', processed='destination(newserr)=0', processed='destination(netmgm)=0', processed='destination(warn)=0', processed='destination(console)=0', processed='destination(null)=0', processed='destination(mail)=0', processed='destination(xconsole)=0', processed='destination(firewall)=0', processed='destination(f_publickey)=17', processed='destination(acpid)=0', processed='destination(newscrit)=0', processed='destination(newsnotice)=0', processed='source(src)=30'
should still be written to /var/log/messages;
furthermore the server should send its messages to a log server, but of course without the "publickey" messages and with the syslog-ng status messages.
I tried many versions of configuring the syslog-ng.conf, but none of them worked well.
Here are the lines in my syslog-ng.conf:
Code:
...
filter f_messages { not facility(news, mail) and not filter(f_iptables) and not filter("publickey"); };
...
#Filter f_publickey
filter f_publickey { match("publickey"); };
...
# Logfile for publickey-messages
destination publickey { file("/var/log/publickey"); };
log { source(src); filter(f_publickey); destination(publickey); };
but unfortunately it didn't work:
either the "publickey" messages are written together with the syslog status message to my defined file, or the separate file stays empty.

Could anybody tell me where my mistake is, or is there perhaps another solution possible?
Thanks for your answers
# 2  
Old 09-11-2012
Hi!

Quote:
Originally Posted by jackcracker
Code:
Sep 10 16:20:01 Servername sshd[25721]: Accepted publickey for user from 123.12.123.123 port 47936 ssh2

Because I want to get rid of these messages, I tried to filter them out with syslog-ng.
The best way to achieve this, in my opinion, is something along these lines:

Code:
filter f_sshd_accepted { program("sshd") and match("publickey"); };
destination publickey { file("/var/log/publickey"); };

log { 
 source(src); filter(f_sshd_accepted); destination(publickey);
 flags(final);
};

The extra trick is the flags(final) part, which tells syslog-ng that if a message ends up routed to that log path, it will not arrive at others. Without this, a message will end up on all log paths that do not filter it out.

Hope that helps!
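As an added illustration of the routing rule algernone describes (this is not code from the thread or from the syslog-ng project), the Python below models how syslog-ng walks its log statements: they are evaluated in config order, a message that lands in a path carrying flags(final) goes no further, and a message only enters a path whose source() it actually came from, which is the point raised later in the thread about the statistics message being "not in the appropriate log path". The filter names f_publickey and f_messages mirror the thread, but f_messages is reduced to the one clause that matters here. The sample lines are constructed: the sshd and statistics lines are shaped like the ones posted (the statistics line cut after its first field), the cron line and the source name s_remote are invented. Treating match() as inspecting only the message text is an assumption; check which parts of a message match() looks at by default in your syslog-ng version.

```python
"""Toy model of syslog-ng log-path routing.  Added example, not code from the
thread or the syslog-ng project.  Log statements are checked in config order;
a message that passes every filter of a statement is sent to that statement's
destinations, and flags(final) stops it from reaching later statements."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

# "Sep 10 16:20:01 host prog[pid]: message"  (classic BSD syslog layout)
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


@dataclass
class Message:
    source: str      # name of the source{} group the message entered through
    program: str
    msg: str


def parse(line: str, source: str = "src") -> Message:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable syslog line: {line!r}")
    return Message(source, m["program"], m["msg"])


Filter = Callable[[Message], bool]


def program(name: str) -> Filter:            # like program("sshd")
    return lambda m: m.program == name


def match(pattern: str) -> Filter:           # like match("publickey"); assumed to inspect MSG only
    rx = re.compile(pattern)
    return lambda m: rx.search(m.msg) is not None


def all_of(*fs: Filter) -> Filter:           # "A and B"
    return lambda m: all(f(m) for f in fs)


def not_(f: Filter) -> Filter:               # "not filter(f)"
    return lambda m: not f(m)


@dataclass
class LogPath:                               # one log { ... }; statement
    sources: Sequence[str]
    filters: Sequence[Filter]
    destinations: Sequence[str]
    final: bool = False


def route(paths: Sequence[LogPath], msg: Message) -> List[str]:
    """Destinations the message reaches, honouring statement order and flags(final)."""
    delivered: List[str] = []
    for p in paths:
        if msg.source not in p.sources or not all(f(msg) for f in p.filters):
            continue
        delivered.extend(p.destinations)
        if p.final:
            break
    return delivered


# Filters named as in the thread; f_messages keeps only the clause relevant here.
f_publickey = all_of(program("sshd"), match("publickey"))
f_messages = not_(f_publickey)


def config(final: bool = True, final_first: bool = True,
           logserver_src: str = "src") -> List[LogPath]:
    """Three log paths: publickey file, local messages file, remote log server."""
    pk = LogPath(["src"], [f_publickey], ["publickey"], final=final)
    rest = [
        LogPath(["src"], [f_messages], ["messages"]),
        LogPath([logserver_src], [], ["logserver"]),
    ]
    return [pk] + rest if final_first else rest + [pk]


# Constructed sample lines (shaped like the thread's; cron line invented)
SSHD = "Sep 10 16:20:01 Servername sshd[25721]: Accepted publickey for user from 123.12.123.123 port 47936 ssh2"
STATS = "Sep 11 12:12:26 Servername syslog-ng[18531]: Log statistics; dropped='udp(AF_INET(123.12.123.12:514))=0'"
CRON = "Sep 11 12:15:01 Servername /usr/sbin/cron[18600]: (root) CMD (run-parts /etc/cron.hourly)"


def routing_table(paths: Sequence[LogPath]) -> Dict[str, List[str]]:
    """Where each sample message ends up under a given list of log paths."""
    return {name: route(paths, parse(line))
            for name, line in (("sshd", SSHD), ("stats", STATS), ("cron", CRON))}


if __name__ == "__main__":
    for label, paths in [
        ("final, publickey path first", config()),
        ("no final", config(final=False)),
        ("final, publickey path last", config(final_first=False)),
        ("logserver path reads a different source", config(logserver_src="s_remote")),
    ]:
        print(f"{label}: {routing_table(paths)}")
```

Running it prints four routing tables. With flags(final) on the publickey path and that path placed first, the sshd line reaches only the publickey file while the statistics and cron lines reach both messages and logserver. Without final, the sshd line is also forwarded to the log server; with the final path placed last, it has already reached the log server before final takes effect, so statement order matters. The last case, where the logserver path reads from a source the statistics message did not enter through, is one way the symptom described later in the thread (statistics not forwarded) comes about.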
# 3  
Old 09-12-2012
Quote:
Originally Posted by algernone
Code:
filter f_sshd_accepted { program("sshd") and match("publickey"); };
destination publickey { file("/var/log/publickey"); };

log { 
 source(src); filter(f_sshd_accepted); destination(publickey);
 flags(final);
};


Hi,
thanks a lot for this ... it works for the "publickey" messages: they'll be filtered out,
but unfortunately the syslog status messages will not be forwarded to the log server.
Do you have an idea why not?
# 4  
Old 09-12-2012
Quote:
Originally Posted by jackcracker
Hi,
thanks a lot for this ... it works for the "publickey" messages: they'll be filtered out,
but unfortunately the syslog status messages will not be forwarded to the log server.
Do you have an idea why not?
Probably because it's not in the appropriate log path. Can you show the whole config?
# 5  
Old 09-12-2012
Hi,

here's the full conf file