  • Status: Solved
  • Priority: Medium
  • Security: Public

Syslog-ng Remote logging won't work

I've got syslog-ng running on my server. I set the client to log to my server by editing /etc/syslog.conf and adding *.* @ip
Now I'm trying to configure my server where syslog-ng is running, but I can't seem to get it working.

My syslog-ng config file on the server:

source s_sys { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };
source s_test { udp( ip("xxx.xxx.xxx.xxx"); port("514");); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };
destination d_hosts {file("/var/log/$HOST" owner(root) group(root) perm(0755) dir_perm(0755) create_dirs(yes)); };

filter f_filter1     { facility(kern); };
filter f_filter2     { level(info) and
                     not (facility(mail)
                        or facility(authpriv) or facility(cron)); };
filter f_filter3     { facility(authpriv); };
filter f_filter4     { facility(mail); };
filter f_filter5     { level(emerg); };
filter f_filter6     { facility(uucp) or
                     (facility(news) and level(crit)); };
filter f_filter7     { facility(local7); };
filter f_filter8     { facility(cron); };


#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
log { source(s_test); destination(d_hosts); };

end syslog-ng config

So I added these lines to the standard config file:

source s_test { udp( ip("xxx.xxx.xxx.xxx"); port("514");); };
destination d_hosts {file("/var/log/$HOST" owner(root) group(root) perm(0755) dir_perm(0755) create_dirs(yes)); };
log { source(s_test); destination(d_hosts); };

So what I'm trying to achieve is that all syslog messages from the source machine xxx.xxx.xxx.xxx (client side, which is running basic syslog configured to log remotely) are logged in the folder /var/log/$host ($host is going to be the name of the source machine).

After configuring it like this I get an error saying there is an error in line 40, and that would be this line:
source s_test { udp( ip("xxx.xxx.xxx.xxx"); port("514");); };


Can you guys help me out, please?

Asked by: Mr-sark
 
bytta Commented:
No ";" are allowed inside (), try:
source s_test { udp( ip("xxx.xxx.xxx.xxx") port("514")); };

But usually it's like:
source r_src { tcp(ip("192.168.0.2") port(5140)); };
so I'm not sure if "514" is correct
 
Mr-sark (Author) Commented:
I know that is TCP, but on the client side I run SYSLOGD, the basic syslog daemon, and that one uses UDP. Should I also install syslog-ng on the client side to get it to use TCP?

Thanks in advance
 
Mr-sark (Author) Commented:
After applying your line I get this error:

Error finding port for service 514.  Falling back to default
io.c: bind_inet_socket() bind failed 131.211.151.178:514 Cannot assign requested address
Error initializing configuration, exiting.
 
bytta Commented:
The syslog port is
port(5140)
not
port(514)

I thought I had made that clear
 
bytta Commented:
My bad - UDP port 514 is the default.

But according to the error message, port("514") seems to be looking for the service "514", not port number 514 - so changing that would reduce the errors to 2.
But the fallback tries port 514, and fails...

Are you sure that machine 131.211.151.178 is set up correctly?
From man syslogd:
 To have this work correctly the services(5)
       files (typically found in /etc) must have the following entry:

                   syslog          514/udp

       If this entry is missing syslogd neither can  receive  remote  messages
       nor  send  them,  because the UDP port cant be opened.

Otherwise, I'm stumped...
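
An added example, not part of the original thread: a receiving-side syslog-ng configuration in the same syntax as the config above, where ip() in the udp() source is the local address the listener binds to (a "Cannot assign requested address" bind failure means that address is not configured on a local interface) and the sending client is selected with a netmask() filter instead. The client address 192.0.2.10, the names s_net, f_client and d_hosts_example, and the /var/log/hosts path are assumptions made for illustration.

```conf
# Added example (not from the thread). Addresses, names and paths are assumptions.

# Listen for UDP syslog on the server itself. ip() is the LOCAL bind address;
# "0.0.0.0" means all local interfaces. Options inside udp(...) are separated
# by whitespace only (no ';'), and the port is written as a bare number, as in
# the tcp() example earlier in the thread.
source s_net { udp(ip("0.0.0.0") port(514)); };

# Accept messages only from the expected client.
# 192.0.2.10 is a documentation address standing in for the real client.
filter f_client { netmask("192.0.2.10/255.255.255.255"); };

# One directory per sending host. Log files are not world-readable and
# directories are accessible to owner and group only, instead of the
# perm(0755) / dir_perm(0755) used in the question.
destination d_hosts_example {
    file("/var/log/hosts/$HOST/messages"
         owner(root) group(root) perm(0640)
         dir_perm(0750) create_dirs(yes));
};

# Only traffic that arrives on s_net AND matches f_client is written.
log { source(s_net); filter(f_client); destination(d_hosts_example); };
```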
 
joju Commented:
Hi,

In file
/etc/sysconfig/syslog

By default the following option will be there:
SYSLOGD_OPTIONS="-m 0"

Add "-r" to the list so it looks like:

SYSLOGD_OPTIONS="-m 0 -r"

-r will allow remote login

Restart the syslogd service...

That's it.

Thanks
Joju.