I'm having some funky behavior where my central syslog-ng server is marking all forwarded events as facility kern, level emerg.
The remote hosts are CentOS 5 x86_64. They are using the system install syslog. The ones I started with have the nginx web server, patched to send its log messages under local5.crit for errors, and local5.notice for access logs.
Its syslog.conf looks like so.
Code:
# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# nginx local logs
local5.notice /usr/local/logs/access.log
local5.crit /usr/local/logs/error.log
# Syslog-ng
*.* @remoteIP
They are logging locally as expected, and things are coming into the remote host as expected.
(from a strace)
32443 recvfrom(3, "<173>nginx: ScrubbedIP www.fa"..., 8192, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("ScrubbedIP")}, [16]) = 412
What I can't tell is how they are actually coming in (meaning what level / facility).
My central logging server is running the latest syslog-ng. My configs look like...
Code:
# cat /etc/syslog-ng/syslog-ng.conf
# Syslog-ng config
options {
    use_dns(no);
    keep_hostname(yes);
    long_hostnames(off);
    chain_hostnames(off);
    sync(1);
    log_fifo_size(1024);
    create_dirs(yes);
    perm(0644);
    stats_freq(3600);
    mark_freq(600);
};
#
# Data Sources
#
# External Syslog
source s_external {
    # udp();
    udp(ip("0.0.0.0") port(514) flags(no_parse));
};
#
# Where to put Data
#
# Access Logs
destination d_access_log { file("/syslog-ng/$HOST/access.log"); };
# Error Logs
destination d_error_log { file("/syslog-ng/$HOST/error.log"); };
# Everything else
destination d_log { file("/syslog-ng/$HOST/$FACILITY.$LEVEL"); };
#
# Data Filters
#
# Facility local5
filter f_local5 { facility(local5); };
# Level info
filter f_info { level(info); };
# Level notice
filter f_notice { level(notice); };
# Level warn
filter f_warn { level(warn); };
# Level crit
filter f_crit { level(crit); };
# Level err
filter f_err { level(err); };
#
# Data Logging Locations
#
# Access Log
log { source(s_external); filter(f_local5); filter(f_notice); destination(d_access_log); };
# Error Log
log { source(s_external); filter(f_local5); filter(f_crit); destination(d_error_log); };
log { source(s_external); destination(d_log); };
The only problem here is that I'm not getting any access.log or error.log. I'm only getting a kern.emerg log with EVERYTHING in it (the last log rule).
At this point, I'm pretty sure the config is sane, but maybe I'm missing something.
Any help appreciated.
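To see what facility and level the clients are really sending, the RFC 3164 PRI field at the front of each datagram (the `<173>` visible in the strace) can be decoded offline; with `flags(no_parse)` syslog-ng skips that decoding on the server side, so the facility and level it files messages under come from the source defaults, not from the PRI. The script below is an added example, not from the original post: it decodes the PRI and mirrors the three log statements of the posted syslog-ng.conf to show where each message would be routed once parsing is in effect, using constructed sample lines modelled on the strace output.

```python
"""Decode the RFC 3164 PRI field of forwarded syslog datagrams and show
which log statements in the posted syslog-ng.conf each one would match.
Sample payloads below are constructed, modelled on the strace output."""
import re

# Facility codes 0-23 as syslog-ng names them; severities 0-7 per RFC 3164.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(datagram):
    """Return (facility, severity, had_valid_pri) for one UDP syslog payload.

    PRI = facility * 8 + severity, so facility is pri >> 3 and severity pri & 7.
    RFC 3164 4.3.3: a relay that sees no valid PRI must treat it as <13>,
    i.e. user.notice, which is what the third value flags for the caller."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return "user", "notice", False
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], True


def route(facility, severity):
    """Mirror the three log{} statements of the posted syslog-ng.conf."""
    dests = []
    if facility == "local5" and severity == "notice":
        dests.append("access.log")            # f_local5 + f_notice -> d_access_log
    if facility == "local5" and severity == "crit":
        dests.append("error.log")             # f_local5 + f_crit -> d_error_log
    dests.append("%s.%s" % (facility, severity))  # unfiltered catch-all d_log
    return dests


# Constructed samples: an nginx access line, an nginx error line, and a
# payload with no PRI header at all (what an unparsed line amounts to).
SAMPLES = [
    '<173>nginx: 203.0.113.7 www.example.test "GET / HTTP/1.1" 200',
    "<170>nginx: 2009/01/01 00:00:00 [crit] open() failed",
    "nginx: line with no PRI header",
]

if __name__ == "__main__":
    for line in SAMPLES:
        fac, sev, ok = decode_pri(line)
        print("%-8s %-7s valid_pri=%-5s -> %s" % (fac, sev, ok, route(fac, sev)))
```

Running it against the real traffic is a matter of feeding `tcpdump -A` or strace payloads in place of `SAMPLES`.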