
Hmm -- from 9.1 to 9.3 syslog has morphed into syslog-ng. I have my gateway/router set to send syslog info to my SuSE system. This worked fine on 9.1 but I can't figure out how to do it on 9.3. There are two levels of configuration one can deal with -- the individual package's config file (syslog-ng.conf) or the /etc/sysconfig/syslog file. All the documentation addresses the first, but comments in that file say to leave it alone and use the second. But there is nothing in that file that seems appropriate for enabling external connections. Anyone have experience with this?

On Wednesday 25 May 2005 01:02, Robert Paulsen wrote:
> Hmm -- from 9.1 to 9.3 syslog has morphed into syslog-ng.
> I have my gateway/router set to send syslog info to my SuSE system. This worked fine on 9.1 but I can't figure out how to do it on 9.3.
> There are two levels of configuration one can deal with -- the individual package's config file (syslog-ng.conf) or the /etc/sysconfig/syslog file. All the documentation addresses the first, but comments in that file say to leave it alone and use the second. But there is nothing in that file that seems appropriate for enabling external connections.
> Anyone have experience with this?

What is it you want to configure? To enable syslog to listen to the network you need to add "-r" to the syslogd parameters. This is mentioned in the docs, and in sysconfig/syslog you have SYSLOGD_PARAMS

On Tuesday 24 May 2005 18:16, Anders Johansson wrote:
> On Wednesday 25 May 2005 01:02, Robert Paulsen wrote:
> > Hmm -- from 9.1 to 9.3 syslog has morphed into syslog-ng.
> > I have my gateway/router set to send syslog info to my SuSE system. This worked fine on 9.1 but I can't figure out how to do it on 9.3.
> > There are two levels of configuration one can deal with -- the individual package's config file (syslog-ng.conf) or the /etc/sysconfig/syslog file. All the documentation addresses the first, but comments in that file say to leave it alone and use the second. But there is nothing in that file that seems appropriate for enabling external connections.
> > Anyone have experience with this?
>
> What is it you want to configure? To enable syslog to listen to the network you need to add "-r" to the syslogd parameters. This is mentioned in the docs, and in sysconfig/syslog you have SYSLOGD_PARAMS

Well, I don't think that works:

    # /sbin/syslog-ng -r
    /sbin/syslog-ng: invalid option -- r
    Usage: syslog-ng [options]
    Accept and manage system log messages

    Options:
      -s, --syntax-only                Only read and parse config file
      -d, --debug                      Turn on debugging messages
      -v, --verbose                    Be a bit more verbose
      -F, --foreground                 Don't fork into background
      -f <fname>, --cfgfile=<fname>    Set config file name, default=/etc/syslog-ng/syslog-ng.conf
      -V, --version                    Display version number (syslog-ng 1.6.5)
      -p <fname>, --pidfile=<fname>    Set pid file name, default=/var/run/syslog-ng.pid
      -C <dir>, --chroot=<dir>         Chroot to directory
      -u <user>, --user=<user>         Switch to user
      -g <group>, --group=<group>      Switch to group

On Wednesday 25 May 2005 01:31, Robert Paulsen wrote:
> Well, I don't think that works:

You're right, I got confused. It's all so new :)

To get syslog-ng to listen to the network, edit /etc/syslog-ng/syslog-ng.conf.in and uncomment the line

    #udp(ip("0.0.0.0") port(514));

by removing the # mark. Then save and run

    SuSEconfig --module syslog-ng

Then tell syslog-ng to reload the config with

    killall -HUP syslog-ng

On Tuesday 24 May 2005 18:35, Anders Johansson wrote:
> On Wednesday 25 May 2005 01:31, Robert Paulsen wrote:
> > Well, I don't think that works:
>
> You're right, I got confused. It's all so new :)
> To get syslog-ng to listen to the network, edit /etc/syslog-ng/syslog-ng.conf.in and uncomment the line
>     #udp(ip("0.0.0.0") port(514));
> by removing the # mark. Then save and run
>     SuSEconfig --module syslog-ng
> Then tell syslog-ng to reload the config with
>     killall -HUP syslog-ng

Thanks! I didn't think to look at the ".in" version of the file. I did what you suggested and also opened UDP port 514 in the firewall.

On Tue, 2005-05-24 at 18:02 -0500, Robert Paulsen wrote:
> Hmm -- from 9.1 to 9.3 syslog has morphed into syslog-ng.
> I have my gateway/router set to send syslog info to my SuSE system. This worked fine on 9.1 but I can't figure out how to do it on 9.3.
> There are two levels of configuration one can deal with -- the individual package's config file (syslog-ng.conf) or the /etc/sysconfig/syslog file. All the documentation addresses the first, but comments in that file say to leave it alone and use the second. But there is nothing in that file that seems appropriate for enabling external connections.
> Anyone have experience with this?

You can unload syslog-ng and go back to syslog (on the DVD) or try using /etc/syslog-ng/syslog-ng.conf.in to configure network logs.

<RANT> Another one of those "better" updates to a program (syslog) that used to be fairly easy to configure and now requires six programming classes to understand the conf syntax. This is sure to win over a whole slew of windows converts isn't it. What the f**k does this provide that is any better than plain old syslog?

syslog-ng is supposed to allow you to create/write your own filters (if you know "c" programming that is). But whether or not it does depends on whether or not you can define your own facility/level which I cannot see how. And if you can't why change something that just plain works? </RANT>

--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge

On Tuesday 24 May 2005 18:21, Ken Schneider wrote:
> <RANT> Another one of those "better" updates to a program (syslog) that used to be fairly easy to configure and now requires six programming classes to understand the conf syntax. This is sure to win over a whole slew of windows converts isn't it. What the f**k does this provide that is any better than plain old syslog?
> syslog-ng is supposed to allow you to create/write your own filters (if you know "c" programming that is). But whether or not it does depends on whether or not you can define your own facility/level which I cannot see how. And if you can't why change something that just plain works? </RANT>

I'm with you on that one! The documentation looks pretty detailed and is probably quite complete, but using it is like learning to speak English by reading a dictionary -- lots of disconnected facts.

On Tue, 2005-05-24 at 18:33 -0500, Robert Paulsen wrote:
> On Tuesday 24 May 2005 18:21, Ken Schneider wrote:
> > <RANT> Another one of those "better" updates to a program (syslog) that used to be fairly easy to configure and now requires six programming classes to understand the conf syntax. This is sure to win over a whole slew of windows converts isn't it. What the f**k does this provide that is any better than plain old syslog?
> > syslog-ng is supposed to allow you to create/write your own filters (if you know "c" programming that is). But whether or not it does depends on whether or not you can define your own facility/level which I cannot see how. And if you can't why change something that just plain works? </RANT>
>
> I'm with you on that one! The documentation looks pretty detailed and is probably quite complete, but using it is like learning to speak English by reading a dictionary -- lots of disconnected facts.

As Anders suggested, vi /etc/sysconfig/syslog and change the appropriate line to allow network logging. Look at line 18 (example) and apply to line 20.

--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge

The Tuesday 2005-05-24 at 19:21 -0400, Ken Schneider wrote:
> Another one of those "better" updates to a program (syslog) that used to be fairly easy to configure and now requires six programming classes to understand the conf syntax. This is sure to win over a whole slew of windows converts isn't it. What the f**k does this provide that is any better than plain old syslog?

For example, firewall log entries used to fill up the /var/log/warn file. By using the new daemon it is possible to filter them out and send them to a new separate file of their own.

For example, my mail.info file was being filled with stupid debug messages from amavis-new. No longer, I filtered them out. I learned how to do that in less than two hours on my own.

If you don't like the new daemon, you can easily enough revert to the old one.

--
Cheers,
Carlos Robinson

On Tue, 24 May, 2005 at 19:21:24 -0400, Ken Schneider wrote:
<snip>
> <RANT> Another one of those "better" updates to a program (syslog) that used to be fairly easy to configure and now requires six programming classes to understand the conf syntax.

Granted, it's different, takes some getting used to, and maybe not worth it for single hosts.

> This is sure to win over a whole slew of windows converts isn't it.

I fail to see what windows converts have to do with this. By the time they get around to being interested in alternative syslogging daemons... well...

> What the f**k does this provide that is any better than plain old syslog?

Free text matching/redirection?
Lets you specify different destinations for (un)interesting stuff. Saves a lot of grepping.

> syslog-ng is supposed to allow you to create/write your own filters (if you know "c" programming that is). But whether or not it does depends on whether or not you can define your own facility/level which I cannot see how.

No.
The point is that the whole facility/level concept is very limited.
Sure you can have syslog-ng match/filter using facility/level, but its ability to match/filter on free text is so much more flexible.
That's how I get Shorewall messages from remote routers into
/remote-log/$host-ip.d/shorewall.log
And besides, not all devices that you might want to remote log are equipped with practical facilities/levels.

> And if you can't why change something that just plain works?

If you like it, use it. If you don't, don't.

> </RANT>

Yeah. I just felt like countering. :)
Cheers, Jon
--
YMMV
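
Added example (not part of any message in this thread): a syslog-ng 1.6-style configuration that combines the network listener Anders describes with the free-text routing Jon describes, with UDP 514 bound to one LAN address and only the router's datagrams accepted. The addresses 192.168.1.10 (log host) and 192.168.1.1 (router), the s_/f_/d_ names, the "Shorewall" match string and the use of the $HOST macro in the path are assumptions; on SuSE 9.3 the statements would go in /etc/syslog-ng/syslog-ng.conf.in, followed by the SuSEconfig and HUP steps given earlier in the thread.

```conf
# Added example, not from the thread. All addresses and statement names are
# constructed placeholders; syntax targets syslog-ng 1.6.

# Merge these into the existing options { ... } statement rather than
# adding a second one.
options {
    use_dns(no);        # no DNS lookups on attacker-influenced input
    keep_hostname(no);  # $HOST is taken from the sender's address,
                        # not from the hostname claimed inside the message
};

# Dedicated network source, bound to the LAN address of the log host
# instead of 0.0.0.0, so the listener is not exposed on other interfaces.
source s_net { udp(ip("192.168.1.10") port(514)); };

# Accept only datagrams whose source address is the router.
# UDP source addresses can be forged, so this complements the firewall
# rule for port 514; it does not replace it.
filter f_router    { netmask("192.168.1.1/255.255.255.255"); };

# Free-text match of the kind Jon describes (assumed log prefix).
filter f_shorewall { match("Shorewall"); };

# One directory per sender; $HOST expands to the sender's address here.
destination d_shorewall {
    file("/remote-log/$HOST.d/shorewall.log" create_dirs(yes) perm(0640));
};
destination d_remote {
    file("/remote-log/$HOST.d/messages" create_dirs(yes) perm(0640));
};

# Shorewall lines from the router go to their own file and stop there.
log { source(s_net); filter(f_router); filter(f_shorewall);
      destination(d_shorewall); flags(final); };

# Everything else from the router lands in a general per-host file.
# Datagrams from any other sender match no log statement and are dropped.
log { source(s_net); filter(f_router); destination(d_remote); };
```

Because the network source is separate from the local "src" source, remote messages never reach the local /var/log files unless a log statement explicitly sends them there.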

On Wed, 2005-05-25 at 07:09 +0200, Jon Clausen wrote:
> On Tue, 24 May, 2005 at 19:21:24 -0400, Ken Schneider wrote:
> <snip>
> > <RANT> Another one of those "better" updates to a program (syslog) that used to be fairly easy to configure and now requires six programming classes to understand the conf syntax.
>
> Granted, it's different, takes some getting used to, and maybe not worth it for single hosts.

The programmers should supply docs for the layman to understand and use.

> > This is sure to win over a whole slew of windows converts isn't it.
>
> I fail to see what windows converts have to do with this. By the time they get around to being interested in alternative syslogging daemons... well...

It's called ease of use. If it isn't easy to use they won't use it (they won't leave the darkside). This applies to every package used with linux, not just syslog-ng. How many server packages are there that require editing the conf file by hand? A few are easier this way but not for the un-informed.

> > What the f**k does this provide that is any better than plain old syslog?
>
> Free text matching/redirection?

Great, this is a good thing, just supply some docs for the non-programmer to understand so they can use it. Remember a picture is worth a thousand words, provide a working sample.

> Lets you specify different destinations for (un)interesting stuff. Saves a lot of grepping.
>
> > syslog-ng is supposed to allow you to create/write your own filters (if you know "c" programming that is). But whether or not it does depends on whether or not you can define your own facility/level which I cannot see how.
>
> No.
> The point is that the whole facility/level concept is very limited.

Agreed.

> Sure you can have syslog-ng match/filter using facility/level, but its ability to match/filter on free text is so much more flexible.
> That's how I get Shorewall messages from remote routers into
> /remote-log/$host-ip.d/shorewall.log
> And besides, not all devices that you might want to remote log are equipped with practical facilities/levels.
>
> > And if you can't why change something that just plain works?
>
> If you like it, use it. If you don't, don't.
>
> > </RANT>
>
> Yeah. I just felt like countering. :)
> Cheers, Jon

Thanks.

--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge

On Wednesday 25 May 2005 13:59, Ken Schneider wrote:
> Great, this is a good thing, just supply some docs for the non-programmer to understand so they can use it.

Why do you keep saying that? The format has nothing to do with programming. It's not even close to C

On Wed, 2005-05-25 at 14:40 +0200, Anders Johansson wrote:
> On Wednesday 25 May 2005 13:59, Ken Schneider wrote:
> > Great, this is a good thing, just supply some docs for the non-programmer to understand so they can use it.
>
> Why do you keep saying that? The format has nothing to do with programming. It's not even close to C

I meant layman. This is not documentation meant for the layman:

You can declare source statements using the "source" keyword:

    source <sourcename> { sourcedriver params; sourcedriver params; ... };

and...

    destination newsnotice { file("/var/log/news/news.notice"); };
    log { source(src); filter(f_newsnotice); destination(newserr); };

My whole point is that it isn't easy even for someone -wanting- to learn it. And yes this isn't close to C but then I never mentioned any particular language. Many conf files are starting to take on the appearance of html syntax.

--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge

The Wednesday 2005-05-25 at 07:59 -0400, Ken Schneider wrote:
> The programmers should supply docs for the layman to understand and use.

You have them:

file:///usr/share/doc/packages/syslog-ng/html/book1.html

But a layman does not need to touch any of it.

> Great, this is a good thing, just supply some docs for the non-programmer to understand so they can use it. Remember a picture is worth a thousand words, provide a working sample.

There are 14 examples in that documentation. And some more in "/usr/share/doc/packages/syslog-ng/", not forgetting that yast sets a working configuration.

Granted, that documentation is not perfect, it could be made more readable; but as far as documentations go in Linux, it is not bad.

--
Cheers,
Carlos Robinson