LinuxQuestions.org


sir-lancealot 01-23-2009 11:58 AM

syslog-ng -> syslog-ng logging, how to troubleshoot
 
Well, now both the client and server are running syslog-ng. I don't see anything on the server side, which is going to collect from a few servers, but I'm not sure how to debug or just test/watch the connection, etc. to try and see why there is no file creation/update.

The server config looks like:
options {
sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};

source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
udp(ip(0.0.0.0) port(514));
};

destination send_http_logs { file("/var/log/web.log"); };

filter send_http_logs {
program("httpd.*");
};

log {
source(s_sys);
filter(send_http_logs);
destination(send_http_logs);
};


The client looks like:
options {
sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};

source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
# udp(ip(0.0.0.0) port(514));
};

destination send_http_logs { udp("192.168.2.54" port(514)); };

filter send_http_logs {
program("httpd.*");
};

log {
source(s_sys);
filter(send_http_logs);
destination(send_http_logs);
};

Both servers are running syslog-ng (I assume syslog can still run as well). I would figure the server would have a file /var/log/web.log, but nothing. I did create one and added perms, but still nothing, and I don't see anything jumping out in messages either.

Thanks.

acid_kewpie 01-24-2009 06:07 AM

You certainly *CAN'T* run them both at the same time. Stop and uninstall sysklogd / syslogd & klogd and restart syslog-ng. If there are no obvious problems in general, use wireshark / tcpdump to watch for the actual network traffic to find out if it's a client or server issue. I wouldn't rely on program details in a filter on a remote server, only the local client. You should really use basic string matching or syslog prio / facility fields once you're going across a network.
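As an added illustration of the reply's point about what the server side can filter on (this is not code from the thread or from syslog-ng): a small parser for the datagrams a tcpdump capture on UDP 514 would show, which decodes the <PRI> value into facility and severity and then applies both the thread's program("httpd.*") filter and a facility/priority filter to constructed sample lines. The sample datagrams, the local0 facility, and the unanchored regex-search semantics of the program filter are assumptions made for the example.

```python
import re
from typing import Callable, Dict, List, Optional
# Names for decoding <PRI> = facility * 8 + severity (facilities 12-15 are rarely used).
FACILITY_NAMES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
                  "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
                  "local6 local7").split()
SEVERITY_NAMES = "emerg alert crit err warning notice info debug".split()
# Constructed sample datagrams (not captured from the poster's hosts), in the
# BSD syslog form a syslog-ng client forwards with udp(... port(514)).
SAMPLE_DATAGRAMS = [
    b'<134>Jan 23 11:58:01 web01 httpd[2231]: 10.0.0.7 - - "GET / HTTP/1.1" 200 512',
    b"<131>Jan 23 11:58:02 web01 httpd-error[2231]: [error] File does not exist",
    b"<86>Jan 23 11:58:03 web01 sshd[4100]: Accepted publickey for admin",
    b"<0>Jan 23 11:58:04 web01 kernel: Oops: constructed kernel line",
]
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

def parse_datagram(data: bytes) -> Optional[Dict[str, str]]:
    """Split one datagram into the fields a syslog-ng filter can test; None if malformed."""
    m = LINE_RE.match(data.decode("utf-8", errors="replace"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(pri, 8)
    fields = m.groupdict()
    fields["facility"] = FACILITY_NAMES[facility]
    fields["severity"] = SEVERITY_NAMES[severity]
    return fields

def program_filter(fields: Dict[str, str], pattern: str = "httpd.*") -> bool:
    """The thread's filter: a regex against the program field (unanchored search assumed)."""
    return re.search(pattern, fields["program"]) is not None

def facility_filter(fields: Dict[str, str], facility: str = "local0",
                    max_severity: str = "info") -> bool:
    """The reply's alternative: select on the facility and priority (severity) fields."""
    return (fields["facility"] == facility and
            SEVERITY_NAMES.index(fields["severity"]) <= SEVERITY_NAMES.index(max_severity))

def select(datagrams: List[bytes], keep: Callable[[Dict[str, str]], bool]) -> List[str]:
    # Program names of the datagrams the given filter lets through, in arrival order.
    return [f["program"] for f in map(parse_datagram, datagrams) if f and keep(f)]

if __name__ == "__main__":  # what the server would match from this capture
    print("program filter:", select(SAMPLE_DATAGRAMS, program_filter))
    print("facility filter:", select(SAMPLE_DATAGRAMS, facility_filter))
```

Feeding real captured datagrams (one per line, from tcpdump -A or a pcap decoder) through parse_datagram shows whether the program field survives the hop intact, which is the check the reply recommends before trusting a program() filter remotely.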

