Old 01-04-2016, 04:38 PM   #1
gwaugh@graceland.edu
LQ Newbie
 
Registered: Jan 2016
Posts: 2

Our syslog-ng was logging and after update it stopped


After an update our syslog-ng quit logging. We also built a new syslog server.
I am trying to get it to log to the firewall and then I will set it to log other items. It has worked intermittently. Below is the code dealing with the firewall.

#
source src {
#
# use system() for local logs
#
system();
#
# syslog-ng's internal messages
#
internal();
# FROM -
# <<unresolved question from version 3.3>>
# read kernel messages directly (12.x) or
# does klogd forward them via /dev/log?
#
file ("/proc/kmsg" program_override("kernel"));

#
# the default log socket for local logging:
#
unix-dgram("/dev/log");
# HERE---
# uncomment to process log messages from network:
#udp(ip("0.0.0.0") port(514));
};

source net { udp(ip("0.0.0.0") port(514)); };
#source net_tcp { tcp(ip("0.0.0.0") port(514)); };
#added var to include
include "/var/run/syslog-ng/additional-log-sockets.conf";

#Network Filters
filter f_firewall { host("^fortress"); };

# Firewall (iptables) messages in one file:
#
#destination firewall { file("/var/log/firewall" suppress(30)); };
#log { source(src); source(chroots); filter(f_iptables); destination(firewall); };
destination firewall { file("/var/log/network/firewall/$HOST-$YEAR-$MONTH-$DAY-$HOUR"); };
log { source(net); filter(f_firewall); destination(firewall); };

Can anyone help?
 
Old 01-04-2016, 05:00 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Please:
- check what the update contained / changed,
- clean up what you post (unnecessary comments also tend to cloud things),
- post full configs plus any includes,
- test local logging with 'logger' (unclear if that's working or not),
- check the firewall for ACLs,
- run debug mode like 'syslog-ng -Fevd' for clues,
- run tcpdump or tshark to ensure you get messages over the network,
- test remotely with 'loggen' which comes with syslog-ng >= 3.
 
Old 01-05-2016, 08:57 AM   #3
gwaugh@graceland.edu
LQ Newbie
 
Registered: Jan 2016
Posts: 2

Original Poster
The syslog server was rebuilt so we do not have that info.
I only posted what dealt with the firewall.
We already tested and it is getting to the syslog server but syslog is not logging it.
The firewall ACLs have not changed.

Below is the full config file:
I have only been working with the firewall at this time. Once I get that working I will set up the rest.
I am new to setting this up!

@version:3.5
@include "scl.conf"

#
# /etc/syslog-ng/syslog-ng.conf
#
# File format description can be found in syslog-ng.conf(5)
# and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
# NOTE: The SuSEconfig script and its syslog-ng.conf.in
# configuration template aren't used any more.
#
# Feel free to edit this file directly.
#

#
# Global options.
#
options { chain_hostnames(off); flush_lines(100); perm(0640); stats_freq(3600); threaded(yes); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
#
# use system() for local logs
#
system();
#
# syslog-ng's internal messages
#
internal();
# FROM -
# <<unresolved question from version 3.3>>
# read kernel messages directly (12.x) or
# does klogd forward them via /dev/log?
#
file ("/proc/kmsg" program_override("kernel"));

#
# the default log socket for local logging:
#
unix-dgram("/dev/log");
# HERE---
# uncomment to process log messages from network:
#udp(ip("0.0.0.0") port(514));
};

source net { udp(ip("0.0.0.0") port(514)); };
#source net_tcp { tcp(ip("0.0.0.0") port(514)); };
#added var to include
include "/var/run/syslog-ng/additional-log-sockets.conf";

#
# Filter definitions
#
filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };

filter f_console { level(warn) and facility(kern) and not filter(f_iptables)
or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit { level(crit) and facility(news); };
filter f_newserr { level(err) and facility(news); };
filter f_news { facility(news); };

filter f_mailinfo { level(info) and facility(mail); };
filter f_mailwarn { level(warn) and facility(mail); };
filter f_mailerr { level(err, crit) and facility(mail); };
filter f_mail { facility(mail); };

filter f_cron { facility(cron); };

filter f_local { facility(local0, local1, local2, local3,
local4, local5, local6, local7); };

#
# acpid messages
#
filter f_acpid_full { program('acpid'); };
filter f_acpid { level(emerg..notice) and program('acpid'); };

# this is for the old acpid < 1.0.6
filter f_acpid_old { program('^\[acpid\]$'); };

filter f_netmgm { program('NetworkManager') or program('nm-dispatcher'); };

filter f_messages { not facility(news, mail) and not filter(f_iptables); };
filter f_warn { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert { level(alert); };

#Network Filters
filter f_firewall { host("^fortress"); };

#
# Enable this and adopt IP to send log messages to a log server.
#
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };

#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console { file("/dev/tty10" suppress(30) owner(-1) group(-1) perm(-1)); };
log { source(src); source(chroots); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" suppress(30) owner(-1) group(-1) perm(-1)); };
log { source(src); source(chroots); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); source(chroots); filter(f_alert); destination(root); };


#
# News-messages in separate files:
#
destination newscrit { file("/var/log/news/news.crit"
suppress(30) owner(news) group(news)); };
log { source(src); source(chroots); filter(f_newscrit); destination(newscrit); };

destination newserr { file("/var/log/news/news.err"
suppress(30) owner(news) group(news)); };
log { source(src); source(chroots); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"
suppress(30) owner(news) group(news)); };
log { source(src); source(chroots); filter(f_newsnotice); destination(newsnotice); };

#
# and optionally also all in one file:
# (don't forget to provide logrotation config)
#
#destination news { file("/var/log/news.all"); };
#log { source(src); source(chroots); filter(f_news); destination(news); };


#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info" suppress(30)); };
log { source(src); source(chroots); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn" suppress(30)); };
log { source(src); source(chroots); filter(f_mailwarn); destination(mailwarn); };

destination mailerr { file("/var/log/mail.err" suppress(30) fsync(yes)); };
log { source(src); source(chroots); filter(f_mailerr); destination(mailerr); };

#
# and also all in one file:
#
destination mail { file("/var/log/mail" suppress(30)); };
log { source(src); source(chroots); filter(f_mail); destination(mail); };


#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid" suppress(30)); };
destination devnull { };
log { source(src); source(chroots); filter(f_acpid); destination(acpid); flags(final); };
#
# if you want more verbose acpid logging, comment the destination(null)
# line and uncomment the destination(acpid) line
#
log { source(src); source(chroots); filter(f_acpid_full); destination(devnull); flags(final); };
# log { source(src); source(chroots); filter(f_acpid_full); destination(acpid); flags(final); };
#
# old acpid < 1.0.6
log { source(src); source(chroots); filter(f_acpid_old); destination(acpid); flags(final); };

#
# NetworkManager messages in one file:
#
destination netmgm { file("/var/log/NetworkManager" suppress(30)); };
log { source(src); source(chroots); filter(f_netmgm); destination(netmgm); flags(final); };


#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
#destination cron { file("/var/log/cron" suppress(30)); };
#log { source(src); source(chroots); filter(f_cron); destination(cron); };


#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages" suppress(30)); };
log { source(src); source(chroots); filter(f_local); destination(localmessages); };


#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages" suppress(30) owner(-1) group(-1) perm(-1)); };
log { source(src); source(chroots); filter(f_messages); destination(messages); };


#
# Firewall (iptables) messages in one file:
#
#destination firewall { file("/var/log/firewall" suppress(30)); };
#log { source(src); source(chroots); filter(f_iptables); destination(firewall); };
destination firewall { file("/var/log/network/firewall/$HOST-$YEAR-$MONTH-$DAY-$HOUR"); };
log { source(net); filter(f_firewall); destination(firewall); };


#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" suppress(30) fsync(yes)); };
log { source(src); source(chroots); filter(f_warn); destination(warn); };


###
# Include all config files in /etc/syslog-ng/conf.d/
###
@include "/etc/syslog-ng/conf.d/"
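As an added example (not from the thread), this Python script mimics what the posted config does with a datagram arriving on the net source: it extracts $HOST from the BSD syslog header, applies filter f_firewall's host("^fortress") regex, and expands the firewall destination's file template, showing which sender hostnames land in a file and which are silently dropped. It assumes syslog-ng keeps the hostname found in the message (keep_hostname(yes)); with the defaults $HOST is instead reverse-resolved from the sender address, so a failed lookup yields an IP that ^fortress never matches, and the target directory must already exist unless create_dirs(yes) is set.

```python
import re

# Constructed sample datagrams in the BSD syslog shape a udp() source receives:
# <PRI>TIMESTAMP HOSTNAME TAG: MSG. The hostnames vary on purpose.
SAMPLES = [
    "<4>Jan  5 08:57:01 fortress kernel: IN=eth0 OUT= SRC=10.0.0.5 PROTO=TCP DPT=22",
    "<4>Jan  5 08:57:02 fortress.example.net kernel: IN=eth0 OUT= SRC=10.0.0.6 PROTO=UDP DPT=53",
    "<4>Jan  5 08:57:03 10.10.10.1 kernel: IN=eth0 OUT= SRC=10.0.0.7 PROTO=TCP DPT=443",
    "<4>Jan  5 08:57:04 Fortress kernel: IN=eth0 OUT= SRC=10.0.0.8 PROTO=TCP DPT=80",
    "<6>Jan  5 08:57:05 fw-fortress sshd[123]: Accepted publickey for admin",
]

BSD_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}) ([ \d]\d) (\d\d):\d\d:\d\d (\S+) (.*)$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
HOST_FILTER = re.compile("^fortress")  # filter f_firewall { host("^fortress"); }; case-sensitive
TEMPLATE = "/var/log/network/firewall/$HOST-$YEAR-$MONTH-$DAY-$HOUR"  # the posted destination

def parse(line, year=2016):
    """Split one datagram into the macros the config uses. BSD timestamps carry no
    year, so YEAR is an assumed constant here (syslog-ng fills in the current year)."""
    m = BSD_RE.match(line)
    if not m:
        return None
    pri, mon, day, hour, host, msg = m.groups()
    return {"PRI": int(pri), "HOST": host, "MSG": msg, "YEAR": str(year),
            "MONTH": "%02d" % MONTHS[mon], "DAY": "%02d" % int(day), "HOUR": hour}

def expand(template, macros):
    """Expand $NAME macros in a syslog-ng file() path template."""
    return re.sub(r"\$([A-Z_]+)", lambda mm: macros.get(mm.group(1), ""), template)

def route(lines):
    """Apply the host() filter; return {output path: [messages]}, with the hosts
    of dropped messages collected under the key None so the loss is visible."""
    out = {}
    for line in lines:
        macros = parse(line)
        if macros is None:
            continue
        if HOST_FILTER.search(macros["HOST"]):
            out.setdefault(expand(TEMPLATE, macros), []).append(macros["MSG"])
        else:
            out.setdefault(None, []).append(macros["HOST"])
    return out

if __name__ == "__main__":
    for path, msgs in route(SAMPLES).items():
        print(path or "DROPPED by host(\"^fortress\")", msgs)
```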