SOLVED! Thanks to all who participated, especially Darryl. The answer was staring me in the face all the time. The very top of the file gives the clue. All that is required is simply:

source src { internal(); udp(ip(0.0.0.0) port(514)); };

This line is present in the PC IP that receives the data, and without a destination it will default to the system log "messages". Open KSystemLog; the default log is the system or messages file. The data is all present and changes before my eyes. We all did it, and personally I would like to know if anyone has success in creating an additional source. I really don't believe it's possible. Good night all.

00:27 Scott Registration Account wrote:
I want to build a Syslog Server. I have a Linux log file viewer, so most of the work is done: http://www.kiwisyslog.com/log-viewer-v2-beta-info.htm

I need syslog-ng to listen on UDP/514 and write a continuous file of the information it hears. Fortunately I do not need any log rotation, as the file is only text-based, and although it has the potential to reach large sizes I can deal with a lot of space. Syslog-ng appears to have many config files and I am not sure which to modify. Can anyone assist me with this short line of syntax, given the above Linux log file viewer's ability to display the file as it changes and the various parameters it uses, some of which I understand but not all?

The ability to NOT have to maintain a M$ PC just to be a Syslog+Daemon would be a breakthrough for so many sysops who require real-time syslog data. Data from my multiple IDSs is sent to my current M$ Windows Syslog+Daemon; however, I do have a large Linux IDS Management Module that does number crunching and provides warnings and reports, but cannot display the data in real time.

Syslog data is sent to UDP/514 with facility numbering Local 0-7. The text stream looks something like:
[2007-04-21 17:31:55] <6>EFW: ALG: prio=1 algmod=http algsesid=70500 action=close reason=backlisted_url url="www.download.windowsupdate.com/msdownload/update/v3-19990518/ca" peer=client connipproto=TCP connrecvif=LAN connsrcip=192.168.100.40 connsrcport=3767 conndestif=core conndestip=202.158.212.136 conndestport=80 origsent=364 termsent=84
Where the number enclosed by < > is equal to:

0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level message
If anyone is really bored and wants to learn about the convention, there is a short War and Peace version at http://www.faqs.org/rfcs/rfc3164.html

Don't worry about understanding the text, that's my job. I just offer it as an example for delineation purposes.

I know this is a big ask, but no one, but no one, currently produces a Linux Syslog Daemon + Log Viewer. In my reading of my 2000-page intro to C++ I have only got to page 95, and I know this is a 3-line entry into a config. Please tell me if I ask too much.
Many thanks if anyone can assist.
Scott :'(
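The quoted line and the severity table above describe the wire format the syslog-ng source line in the reply receives. As an added example (not code from this thread, nor from syslog-ng or Kiwi), the following Python decoder reads the bracketed number as an RFC 3164 PRI value: the low three bits are the severity from the table (so <6> is Informational) and the high bits are the facility, so the same message from local0 would arrive as <134>. It also splits the message body into its key=value fields. The sample line is the one quoted in the post; the field names come from that line alone and are not taken from any IDS documentation.

```python
"""Decode syslog PRI values and key=value bodies from lines like the one
quoted in the post. Added example, not part of the original thread."""
import re
import shlex
from datetime import datetime

# Severity codes as listed in the post (RFC 3164 section 4.1.1); a lower
# code is more urgent.
SEVERITY = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

# Facility codes from RFC 3164; the post's Local 0-7 are codes 16-23.
FACILITY = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}

# Constructed sample: the line quoted in the post, verbatim.
SAMPLE_LINE = (
    '[2007-04-21 17:31:55] <6>EFW: ALG: prio=1 algmod=http algsesid=70500 '
    'action=close reason=backlisted_url '
    'url="www.download.windowsupdate.com/msdownload/update/v3-19990518/ca" '
    'peer=client connipproto=TCP connrecvif=LAN connsrcip=192.168.100.40 '
    'connsrcport=3767 conndestif=core conndestip=202.158.212.136 '
    'conndestport=80 origsent=364 termsent=84'
)

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*<(?P<pri>\d{1,3})>(?P<msg>.*)$")


def decode_pri(pri: int) -> tuple:
    """Split an RFC 3164 PRI into (facility, severity) names.

    PRI = facility * 8 + severity, so <134> is local0 / Informational.
    """
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITY.get(pri >> 3, f"facility{pri >> 3}"), SEVERITY[pri & 7]


def parse_line(line: str) -> dict:
    """Parse one '[timestamp] <PRI>message' line into a record."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a bracketed-timestamp syslog line")
    pri = int(m.group("pri"))
    facility, severity = decode_pri(pri)
    # shlex keeps url="..." together even if the quoted value contains spaces
    # and strips the quotes for us.
    prefix, fields = [], {}
    for tok in shlex.split(m.group("msg")):
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif not fields:          # words before the first key=value pair
            prefix.append(tok)
    return {
        "timestamp": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "prefix": " ".join(prefix),
        "fields": fields,
    }


def is_at_least(record: dict, threshold: str) -> bool:
    """True if the record is at least as urgent as `threshold`."""
    code_of = {name: code for code, name in SEVERITY.items()}
    return code_of[record["severity"]] <= code_of[threshold]


if __name__ == "__main__":
    rec = parse_line(SAMPLE_LINE)
    print(rec["facility"], rec["severity"], rec["prefix"])
    print(rec["fields"]["connsrcip"], "->", rec["fields"]["conndestip"],
          "port", rec["fields"]["conndestport"])
```

To have syslog-ng write these lines to a dedicated file instead of the default messages log, the source line from the reply only needs a matching destination and log statement, for example `destination d_remote { file("/var/log/remote.log"); }; log { source(src); destination(d_remote); };` (the path is a placeholder); the viewer can then follow that file while this decoder is used for any offline filtering by severity.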