#1 2009-02-03 21:54:25

o1da
Member
From: Czech Republic
Registered: 2008-09-28
Posts: 6

[SOLVED]logs from network

Hi,
I am trying to configure syslog-ng on the server to read logs from various network devices. I don't know how I should make the syslog-ng daemon listen on a network interface on port 514. I can't find anything appropriate in syslog-ng.conf. There is something about sources and destinations, but I think that it is for making rules for logging.

Can anybody help me?

Thanks O1da

Last edited by o1da (2009-02-04 21:11:00)


#2 2009-02-03 22:14:16

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497

Re: [SOLVED]logs from network

I'm interested in this topic, nice question. (bump)

Last edited by quarkup (2009-02-03 22:14:34)


If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.


#3 2009-02-03 22:58:14

PinkFloydYoshi
Member
From: United Kingdom
Registered: 2008-11-20
Posts: 29

Re: [SOLVED]logs from network

I've recently been studying remote logging (or more specifically, getting syslog-ng to store its nonsense in MySQL so I can generate reports) so you're in luck.

We have a Barracuda Web Filter at work, and needed the syslog daemon on it to output all web usage to the Arch box I have running. Using a rule called "bwf", I did it using:

source bwf {
  udp();
  tcp(max_connections(100));
};

This is useless without a destination and log rule, so, you'll also want to add...

# destination <destination name> { options };
destination bwflog { file("/var/log/bwf.log"); };

...to log to a file, to a console...

destination bwfconsole { file("/dev/vc/12"); };

... or, like I needed, to MySQL ...

destination d_mysql {
pipe("/var/log/mysql.pipe"
template("INSERT INTO logs
(host, facility, priority, level, tag, datetime, program, msg)
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
'$PROGRAM', '$MSG' );\n ") template-escape(yes));
};

... then making a little script which created the pipe.

This is absolutely needed though, so include a log rule similar to this...

log { source(bwf); destination(d_mysql); };

This will direct anything received by the source "bwf" to the destination defined using "d_mysql". If you're going down the syslog to MySQL route, and get a copy of php-syslog-ng, then the table structure for the above query is installed during php-syslog-ng's install.

Hope this helps.
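
The "little script which created the pipe" is not shown in the post. The following is an added example, not PinkFloydYoshi's script, of one way to write it: the FIFO is created owner-only, because whatever can write to it has its text run as SQL by the consumer. The consumer command, the credentials file path and the database name `syslog` in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: feeder for the pipe("/var/log/mysql.pipe") destination.
# Assumed usage (consumer command, path and database name are placeholders):
#   feed_forever /var/log/mysql.pipe mysql --defaults-file=/root/.syslog-my.cnf syslog
# The database account should hold INSERT on the logs table and nothing else,
# since the statements it runs are built from messages sent over the network.

# Create the FIFO if it is missing, readable and writable by the owner only.
# Refuse to continue if the path exists but is not a FIFO (for example a
# regular file that would silently collect SQL text instead of feeding it).
make_pipe() {
    pipe=$1
    if [ ! -e "$pipe" ]; then
        ( umask 077; mkfifo "$pipe" ) || return 1
    fi
    [ -p "$pipe" ] || { echo "$pipe exists and is not a FIFO" >&2; return 1; }
    chmod 600 "$pipe"
}

# Run the consumer once with the FIFO as its stdin.
# Returns when the writer (syslog-ng) closes its end of the pipe.
drain_once() {
    pipe=$1; shift
    "$@" < "$pipe"
}

# Keep a consumer attached across syslog-ng restarts and consumer failures.
feed_forever() {
    pipe=$1; shift
    make_pipe "$pipe" || return 1
    while :; do
        drain_once "$pipe" "$@" || sleep 1   # back off if the consumer fails
    done
}
```

Start the feeder before syslog-ng so the pipe exists as a FIFO when the destination opens it.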


#4 2009-02-04 00:23:58

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,222

Re: [SOLVED]logs from network

AFAIK, syslog-ng will listen on all interfaces when told to accept remote connections... If you want to restrict it to a specific interface and/or address, you'll need to firewall it (i.e., iptables)

Edit: Yes it does listen to 0.0.0.0

# lsof -i|grep sysl
syslog-ng  5685     root    4u  IPv4 678532      0t0  UDP *:syslog 
syslog-ng  5685     root    5r  IPv4 681244      0t0  TCP *:shell (LISTEN)

Last edited by fukawi2 (2009-02-04 00:26:25)


#5 2009-02-04 21:10:02

o1da
Member
From: Czech Republic
Registered: 2008-09-28
Posts: 6

Re: [SOLVED]logs from network

It works! Thanks to all, especially to PinkFloydYoshi
