[opensuse] Still having problems with syslog-ng syntax
My simple aim is to listen to UDP 514 on IP x and create a text file. I really don't need to filter or define the file format, as the input device provides all date and time stamping information. I have read the doc pages on syslog-ng and then the examples currently existing in syslog-ng.conf, and they appear to contradict each other at times. The closest script I can come up with is:

    source s_udp { udp(ip(192.168.100.10) port(514); destination(d_file) };
    destination d_file { file("/var/log/skot" ); };

Could someone assist me in making this work? (Yes, I have opened UDP 514 in the SUSE firewall as required and can see the info in Wireshark.) After I can get this part to work I will later look at logrotate.

Could someone also give the command line syntax to stop and re-start the syslog-ng daemon rather than me re-starting a new session?

Thanks in advance,
Scott :'(
On 2007-05-19 19:27, Registration Account wrote:
> source s_udp { udp(ip(192.168.100.10) port(514); destination(d_file) };
> destination d_file { file("/var/log/skot" ); };

I thought the sample config file was very clear. If not, the documentation seems to be.

    source s_udp { udp(ip(192.168.100.10) port(514) );
    destination d_file { file("/var/log/skot" ); };
    log (source(s_udp); destination(d_file));

Make sure you put that into /etc/syslog-ng/syslog-ng.conf.in and run "SuSEconfig --module syslog-ng". Do *not* simply edit /etc/syslog-ng/syslog-ng.conf or your changes will be lost the next time SuSEconfig is run.

Finally run "rcsyslog reload".

--
Moral indignation is jealousy with a halo. -- HG Wells

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
The Saturday 2007-05-19 at 19:48 -0600, Darryl Gregorash wrote:
> Make sure you put that into /etc/syslog-ng/syslog-ng.conf.in and run "SuSEconfig --module syslog-ng". Do *not* simply edit /etc/syslog-ng/syslog-ng.conf or your changes will be lost the next time SuSEconfig is run.

That's no longer true for 10.2: syslog-ng.conf.in doesn't exist now, we edit syslog-ng.conf directly and don't use SuSEconfig. It seems that both files were so similar that the SuSEconfig step was dropped:

    #
    # /etc/syslog-ng/syslog-ng.conf
    #
    # File format description can be found in syslog-ng.conf(5)
    # and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
    #
    # NOTE: The SuSEconfig script and its syslog-ng.conf.in
    #       configuration template aren't used any more.
    #
    # Feel free to edit this file directly.
    #

--
Cheers,
Carlos E. R.
1. rcsyslog reload = failed
2. I performed rcsyslog stop = OK
3. rcsyslog start =

    multivac-ii:/home/couston # rcsyslog start
    Starting syslog services
    syntax error at 206
    Parse error reading configuration file, exiting. (line 206)
    startproc: exit status of parent of /sbin/syslog-ng: 1
    failed
    multivac-ii:/home/couston #

Line 206 ==

    destination d_file { file("/var/log/skot" ); };

I cannot understand even myself (that's not much) why this line is not correct in syntax. Your ideas?

Scott
On 2007-05-20 19:35, Registration Account wrote:
> 1. rcsyslog reload = failed
> 2. I performed rcsyslog stop = OK
> 3. rcsyslog start =
>     multivac-ii:/home/couston # rcsyslog start
>     Starting syslog services
>     syntax error at 206
>     Parse error reading configuration file, exiting. (line 206)
>     startproc: exit status of parent of /sbin/syslog-ng: 1
>     failed
>     multivac-ii:/home/couston #
>
> Line 206 ==
>     destination d_file { file("/var/log/skot" ); };

Mea culpa -- I put parentheses for the outermost delimiters (at least on the right -- it's hard to tell with the font size I'm using :-) ). In fact they are braces (i.e. capital square brackets).
I was clear to perform a copy and paste. Sorry, the syntax error remains. I can see your equal () and equal {}. I have not a clue why the syntax won't parse.

Scott
On 2007-05-21 16:06, Registration Account wrote:
> I was clear to perform a copy and paste. Sorry the syntax error remains. I can see your equal () and equal {} I have not a clue why the syntax wont parse.

I pasted the line into a console and see I didn't mix up the braces/parentheses after all, as you've noted. All I can think of now is a syntax error in the documentation. The line I quote from there is as follows:

    destination d_file { file("/var/log/skot" ); };

The format in the actual syslog-ng.conf file on my system is instead suggestive of the following:

    destination d_file { file("/var/log/skot"); };

Note the absence of the space following the file name. Yes, I'm really grasping at a rather small straw here.
Darryl, I tested yesterday with the space and there is no difference.

I did however make some progress with the following:

    source src { unix-stream("/var/log/skot"); internal(); udp(ip(0.0.0.0) port(514)); };

This script does parse, it does create a file named "skot" and it does bind with UDP 514; however it writes nothing. I think I now need to specify the "facility" == "Local0" which the sending device defines. With Wireshark I can just listen to UDP 514 and see the truncated data; however syslog-ng seems not to be written that easily.

It appears that in the case where we want syslog-ng to listen to a port, we cannot use regular source syntax and form. It appears from the manual that the moment the source is a "port" the source logic and syntax changes dramatically. Now I think I only need to specify the correct facility. I don't think (rightfully) syslog-ng has a command that globally listens to 'anything' on a port.

Your thoughts if you have time.

Scott
The Wednesday 2007-05-23 at 09:43 +1000, Registration Account wrote:
> Darryl I tested yesterday with the space and there is no difference.
>
> I did however make some progress with the following
>
> source src { unix-stream("/var/log/skot"); internal(); udp(ip(0.0.0.0) port(514)); };
>
> This script does parse and it does create a file names "skot" and it does bind with UDP 514, however it writes nothing.

I don't think it would. The "source" definition is for reading, not writing. See the manual:

    * unix-stream <filename> - reads messages from the given AF_UNIX, SOCK_STREAM socket (Linux style)

Where did you get the idea it would write there from?

> I think I know need to specify the "facility" =="Local0" to which the sending device defines. With Wireshark I can just listen to UDP514 and see the truncated data, however syslog-ng seems not to be written that easy.
>
> It appears that in the case where we want syslog-ng to listen to a port, we cannot use regular source syntax and form. It appears from the manual that the moment the source is a "port" the source logic and syntax changes dramatically.

No, it doesn't.

> Now I think I only need to specify the correct facility. I dont think (rightfully) syslog-ng has a command that globally listens to 'anything' on a port
>
> Your thoughts if you have time.

What I do is this:

    source src {
        ...
        ...
        ...
    };
    source ext { udp(ip("0.0.0.0") port(514)); };
    filter f_router { host("router"); };
    destination router { file("/var/log/router"); };
    log { source(ext); filter(f_router); destination(router); };

This logs everything from the external host "router" to the file "/var/log/router". Everything, all facilities, all levels - in Linux standard format, of course.

--
Cheers,
Carlos E. R.
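Added example, not syslog-ng and not code posted by anyone in this thread: a minimal UDP receiver in Python that does what the source/destination/log trio above does, but writes each datagram to the file exactly as it arrived (the raw output Scott asked for, which syslog-ng reformats) and decodes the RFC 3164 <PRI> prefix so the facility the device actually uses is visible without filtering on it. The sample datagrams are constructed, and the file path and host name are placeholders.

```python
"""Raw UDP syslog receiver with RFC 3164 <PRI> decoding (added example)."""
import re
import socket
from collections import Counter

# RFC 3164 facility codes 0..23 and severity codes 0..7; PRI = facility*8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6",
              "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram: bytes) -> dict:
    """Split one datagram into facility, severity and the text after <PRI>.

    134 decodes to local0.info, the facility Scott expected his device to use.
    A datagram with a missing or out-of-range PRI is kept whole, with
    facility/severity None: a receiver that drops odd input loses exactly the
    messages worth looking at.
    """
    m = PRI_RE.match(datagram)
    pri = int(m.group(1)) if m else -1
    if not 0 <= pri <= 191:
        return {"facility": None, "severity": None,
                "msg": datagram.decode("utf-8", "replace")}
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "msg": datagram[m.end():].decode("utf-8", "replace")}


def facility_counts(datagrams) -> Counter:
    """How many datagrams arrived per facility (None = no usable PRI)."""
    return Counter(decode_pri(d)["facility"] for d in datagrams)


def receive_to_file(path, bind="0.0.0.0", port=514, max_msgs=None):
    """Append every datagram to `path` as received; returns the count.

    `bind` plays the role of ip() in the syslog-ng udp() source: 0.0.0.0
    listens on every interface, a specific address on that one only.
    Binding port 514 needs root (or CAP_NET_BIND_SERVICE). Nothing is
    filtered by facility, just as the log { } statement above filters none.
    """
    received = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, \
            open(path, "ab") as out:
        sock.bind((bind, port))
        while max_msgs is None or received < max_msgs:
            data, (peer, _) = sock.recvfrom(65535)
            out.write(data.rstrip(b"\r\n") + b"\n")  # raw line, no reformatting
            out.flush()
            rec = decode_pri(data)
            print(f"{peer} {rec['facility']}.{rec['severity']}: {rec['msg']}")
            received += 1
    return received


# Constructed sample datagrams standing in for what a router might send.
SAMPLES = [
    b"<134>May 23 09:43:01 router kernel: eth0 link up",   # local0.info
    b"<0>May 23 09:43:02 router kernel: panic",            # kern.emerg
    b"plain text with no PRI header",
    b"<300>out-of-range PRI is kept as text",
]

if __name__ == "__main__":
    print(facility_counts(SAMPLES))
    # receive_to_file("/var/log/skot", max_msgs=10)   # as root, to listen for real
```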
On 2007-05-22 17:43, Registration Account wrote:
> Darryl I tested yesterday with the space and there is no difference.
>
> I did however make some progress with the following
>
> source src { unix-stream("/var/log/skot"); internal(); udp(ip(0.0.0.0) port(514)); };

That is definitely not right. Your source is the UDP port only, and the file /var/log/skot is not a Unix stream. You definitely do not want to include the UDP source in the one that comes in the .conf file, because you wish to have separate output. Make your own source; it is much easier (you don't have to create any filters this way):

1. Remove the udp stuff from "source src ....".
2. Then add the following three into the .conf file:

    source my_src { udp(ip(0.0.0.0) port 514); };

   (Note here that you can bind this to a specific device, if that device will have a fixed IP.)

    destination my_dest { file("/var/log/skot" ); };
    log { source(my_src); destination(my_dest); };

3. Finally, as root, "rcsyslog reload".
Bugger. Every which way I enter it:

1. As is
2. Nominating the IP as either 0.0.0.0 or localhost or (PC to where data is being sent IP) (device IP)

The error is always the same on re-start. Whatever line the source.......etc. is on will not parse and the file will not load.

Please don't spend any more time on this. There are so many others that need your help. I have subscribed to the support community email for syslog-ng developers at http://www.balabit.com/. If ever I work it out I will send you a quick note as to why what appears perfect in my and your logic - and follows the documentation to the letter - does not work as simply as it should, as the doc tells us.

Good luck, I keep you in thought, and thanks for your time.

Scott :-[
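A small checker, added here and not from the thread or from syslog-ng itself, that walks a syslog-ng.conf fragment and reports unbalanced parentheses and braces, plus a ';' that appears while a '(' is still open. The three constants are the configurations posted in this thread, reproduced as test input (the line breaks are mine); the checker flags the original post's missing ')' after port(514) and the log (...) statement written with parentheses instead of braces.

```python
"""Delimiter checker for syslog-ng.conf fragments (added example)."""

OPEN = {"(": ")", "{": "}"}
CLOSE = {")": "(", "}": "{"}


def check_balance(config: str):
    """Return a list of (line_no, description) problems, empty when clean.

    Tracks '(' and '{' nesting across the whole text, skipping "..." strings
    and '#' comments. A ';' while a '(' is still open is reported because
    syslog-ng option lists (udp(...), file(...)) are closed by ')', never
    by ';'; both broken configs from the thread have exactly this shape.
    """
    problems = []
    stack = []  # (delimiter, line_no) of every delimiter still open
    for line_no, line in enumerate(config.splitlines(), start=1):
        in_string = False
        for ch in line:
            if in_string:
                in_string = ch != '"'
            elif ch == '"':
                in_string = True
            elif ch == "#":
                break
            elif ch in OPEN:
                stack.append((ch, line_no))
            elif ch in CLOSE:
                if stack and stack[-1][0] == CLOSE[ch]:
                    stack.pop()
                else:
                    problems.append((line_no, f"unexpected '{ch}'"))
            elif ch == ";" and stack and stack[-1][0] == "(":
                problems.append((line_no, f"';' inside '(' opened on line {stack[-1][1]}"))
                while stack and stack[-1][0] == "(":  # resync to the enclosing block
                    stack.pop()
    for ch, line_no in stack:
        problems.append((line_no, f"'{ch}' never closed"))
    return problems


# The three configurations posted in the thread, reproduced as test input.
OP_CONFIG = """\
source s_udp { udp(ip(192.168.100.10) port(514);
               destination(d_file) };
destination d_file { file("/var/log/skot" ); };
"""

DARRYL_FIRST = """\
source s_udp { udp(ip(192.168.100.10) port(514) );
destination d_file { file("/var/log/skot" ); };
log (source(s_udp); destination(d_file));
"""

CARLOS_CONFIG = """\
source ext { udp(ip("0.0.0.0") port(514)); };
filter f_router { host("router"); };
destination router { file("/var/log/router"); };
log { source(ext); filter(f_router); destination(router); };
"""

if __name__ == "__main__":
    for name, cfg in [("original post", OP_CONFIG), ("first reply", DARRYL_FIRST),
                      ("Carlos", CARLOS_CONFIG)]:
        print(name, check_balance(cfg) or "ok")
```

It only checks delimiters: the `port 514` (no parentheses) in the reply above is balanced and passes, although syslog-ng writes every option as name(value), so `port(514)` is what parses.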
The Sunday 2007-05-20 at 11:27 +1000, Registration Account wrote:
> My simple aim is to listen to UDP 514 on IP x and create a text file. I really don't need to filter or define the file format as the input devise provides all date and time stamping information.

I don't think that's possible. The data is timestamped and formatted locally by the daemon. But I haven't tried, anyway.

> Could someone also give the the command line syntax to stop and re-start the syslog-ng daemon rather than me re-starting a new session.

All services in a SUSE system are managed the same way:

    rcNAME [stop|start|whatever]

Actually, if you type "rc[TAB][TAB]" the shell will produce a list of all available services. If you then complete "rcsyslog" you will be given the exact syntax:

    nimrodel:~ # rcsyslog
    Usage: /sbin/rcsyslog {start|stop|status|try-restart|restart|force-reload|reload|probe}

--
Cheers,
Carlos E. R.
On 2007-05-20 04:31, Carlos E. R. wrote:
> The Sunday 2007-05-20 at 11:27 +1000, Registration Account wrote:
>> My simple aim is to listen to UDP 514 on IP x and create a text file. I really don't need to filter or define the file format as the input devise provides all date and time stamping information.
>
> I don't think that's possible. The data is timestamped and formatted locally by the daemon. But I haven't tried, anyway.

Actually, you can format the log file almost any way you want it; otherwise I suspect you get a default format. See /usr/share/doc/packages/syslog-ng/html/x359.html#AEN362. Here is the example from that file:

    destination d_file {
        file("/var/log/$YEAR.$MONTH.$DAY/messages"
             template("$HOUR:$MIN:$SEC $TZ $HOST [$LEVEL] $MSG $MSG\n")
             template_escape(no)
        );
    };

There is a rather large number of macros that can be used both to name a log file and to format that file. See /usr/share/doc/packages/syslog-ng/html/book1.html for the complete documentation.
The Sunday 2007-05-20 at 09:06 -0600, Darryl Gregorash wrote:
>> I don't think that's possible. The data is timestamped and formatted locally by the daemon. But I haven't tried, anyway.
>
> Actually, you can format the log file almost any way you want it, otherwise I suspect you get a default format. See

I wasn't much aware of that, but I understand he wants it "raw", not formatted; or rather, in the format that the remote machine sends the messages.

--
Cheers,
Carlos E. R.
On 2007-05-20 11:17, Carlos E. R. wrote:
> The Sunday 2007-05-20 at 09:06 -0600, Darryl Gregorash wrote:
>>> I don't think that's possible. The data is timestamped and formatted locally by the daemon. But I haven't tried, anyway.
>>
>> Actually, you can format the log file almost any way you want it, otherwise I suspect you get a default format. See
>
> I wasn't much aware of that, but I understand he wants it "raw", not formatted; or rather, in the format that the remote machine sends the messages.

I am certain Jan Englehardt or someone posted all that stuff some time ago, perhaps in response to the OP's original query on this. He posted the raw format of one of the messages, but I forget what it was, and am not really inclined to go looking. The thing Scott (OP) needs to do now is just let it run, look at the format of the output log file, and start adjusting his syslog-ng.conf until he gets what he wants. Alternatively, he can use the various commands in the documentation to experiment right from the start, without trying the default format to see if it is what he wants.

First things first, though -- he has to get his conf file right.
Many thanks to all. It is a healthy discussion to note how we can alter syslog-ng.conf and apparently not need to run SuSEconfig in 10.2. Yes, the documentation mentions nothing about editing the file's content and the need (prior to 10.2) to make the change permanent.

It is also difficult to apply logic when you go from the documentation to the default syslog-ng.conf file. In essence the current syslog-ng.conf is syntax inverse to that of the docs. Defining the destination line first, before the source, as seen in syslog-ng.conf really screws with your logic when you are trying to learn. Hopefully there will be a review of the syslog-ng docs soon. It's a bit messy in that directory.

With respect to data formatting, yes you are correct. I firstly need raw data and I will learn more one step at a time.

Thanks to all for the commitment of their time - I will let you know how I get on. Once I get this corrected, it will permit me to get rid of my dependence on a MS$ PC just to view that raw data in real time - more on that later.

Cheers and Good Day
11:20 GMT +10
On 2007-05-20 19:20, Registration Account wrote:
> Many thanks to all, It is healthy discussion to not how we can alter syslog-ng.conf and apparently not need to run suseconfig in 10.2. Yes

In previous versions, there was a very prominent warning at the top of /etc/syslog-ng/syslog-ng.conf to edit the .conf.in file instead. Since I am still running 9.3 (think I'll wait until 10.3 reaches beta 1 or 2 before changing that), I wasn't aware of this change.

> syntax inverse to that of the docs. Defining the destination line first before the source as seen in syslog-ng.conf really screws with your logic when you are trying to learn.

If what you say is true, then for 10.2 the order has changed in syslog-ng.conf too -- everything in the 9.3 config file is in a logical order, and I expect that it remained so up until 10.1. When you do have a chance to test this stuff out and get it working the way you want, we expect a /very/ complete summary of your experience, so we can learn too ;-)
* Darryl Gregorash:
> If what you say is true, then for 10.2 the order has changed in syslog-ng.conf too -- everything in the 9.3 config file is in a logical order, and I expect that it remained so up until 10.1.

From /etc/syslog-ng/syslog-ng.conf on openSUSE 10.1:

    # /etc/syslog-ng/syslog-ng.conf
    #
    # Automatically generated by SuSEconfig on Thu Mar 22 08:47:05 EDT 2007.
    #
    # PLEASE DO NOT EDIT THIS FILE!
    #
    # you can modify /etc/syslog-ng/syslog-ng.conf.in instead
    #
    #
    #
    # File format description can be found in syslog-ng.conf(5)
    # and /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
    #

--
Patrick Shanahan
Plainfield, Indiana, USA
http://wahoo.no-ip.org
The Sunday 2007-05-20 at 21:44 -0400, Patrick Shanahan wrote:
> from /etc/syslog-ng/syslog-ng.conf on openSUSE 10.1:
>
> # PLEASE DO NOT EDIT THIS FILE!
> #
> # you can modify /etc/syslog-ng/syslog-ng.conf.in instead

Yes, but this disappeared in 10.2.

--
Cheers,
Carlos E. R.