[SOLVED] Problem with Syslog-ng
Post by DrekAlots » Thu Jan 21, 2010 6:38 pm

I emerged syslog-ng and was following the page here http://www.gentoo.org/doc/en/security/s ... #doc_chap4 on how to set it up to save into different files. After copying and pasting the text out I attempted to restart syslog-ng and got this error:

derek@tuxserver ~ $ sudo /etc/init.d/syslog-ng restart
Password:
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
* Starting syslog-ng ...
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
Error in configuration, unresolved source reference; source='kernsrc'
* Failed to start syslog-ng [ !! ]

Any ideas? I'm new to syslog but have a need for my log files to be separated.

EDIT TO ADD CONFIG:

Code:

# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.3.0,v 1.1 2009/05/25 20:07:21 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux

options {
        chain_hostnames(no);

        # The default action of syslog-ng is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats_freq(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); destination(messages); };
log { source(src); destination(console_all); };

#define destinations
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
destination xconsole { pipe("/dev/xconsole"); };

#create filters
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
        and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };

filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };

#connect filter and destination
log { source(src); filter(f_authpriv); destination(authlog); };
#log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };

log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };

#default log
log { source(src); destination(console_all); };

Last edited by DrekAlots on Fri Jan 22, 2010 11:44 pm, edited 1 time in total.
Post by massimo » Thu Jan 21, 2010 7:17 pm

The following line is wrong since there is no such source defined:

Code:

log { source(kernsrc); filter(f_kern); destination(kern); };

Instead of kernsrc put src. Now you can restart syslog-ng.

Take a look at the man page and/or the online manual regarding the other warnings.
Hello 911? How are you?
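The checker below is an added example (my code, not from the thread and not part of syslog-ng). It does statically what syslog-ng's own loader did at start-up: it finds log statements that reference an object nobody defined, and additionally flags objects defined twice and filters that are defined but never used, both of which the pasted config above also has (destination messages and console_all are declared twice, f_failed and friends are never referenced). The embedded sample is a trimmed copy of that config. The authoritative check remains `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf`, which parses the file without starting the daemon; this script is only a quick way to read a large config by machine.

```python
"""Added example, not code from the thread: a small static checker for
syslog-ng configs that reports what the original post's config has wrong,
a log statement referencing a source that is never defined, plus objects
defined twice and filters defined but never used.  The sample below is a
trimmed copy of that posted config.  The authoritative check remains
`syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` (syntax check, no start)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

Obj = Tuple[str, str]                      # (kind, name)
KINDS = "source|destination|filter|parser|rewrite"
DEF_RE = re.compile(rf"^\s*({KINDS})\s+(\S+)\s*\{{", re.M)   # "source src {"
REF_RE = re.compile(rf"\b({KINDS})\(\s*(\w+)\s*\)")         # "source(src)"


def strip_comments(text: str) -> str:
    """Drop '#' comments so commented-out log statements are not counted.
    Simplistic on purpose: a '#' inside a quoted string would also be cut."""
    return re.sub(r"#[^\n]*", "", text)


def check(config_text: str) -> Dict[str, List[Obj]]:
    """Return unresolved references, duplicate definitions and unused objects."""
    text = strip_comments(config_text)
    defs = Counter(DEF_RE.findall(text))   # (kind, name) -> times defined
    refs = set(REF_RE.findall(text))       # (kind, name) referenced anywhere
    return {
        "unresolved": sorted(r for r in refs if r not in defs),
        "duplicates": sorted(d for d, n in defs.items() if n > 1),
        "unused": sorted(d for d in defs if d not in refs),
    }


# Trimmed copy of the config from the first post (same mistakes, fewer lines).
SAMPLE = r'''
@version: 3.0
source src { unix-stream("/dev/log" max-connections(256)); internal(); file("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };
destination console_all { file("/dev/tty12"); };
log { source(src); destination(messages); };
log { source(src); destination(console_all); };

#define destinations
destination authlog { file("/var/log/auth.log"); };
destination kern { file("/var/log/kern.log"); };
destination mail { file("/var/log/mail.log"); };#
destination messages { file("/var/log/messages"); };
destination console_all { file("/dev/tty12"); };

#create filters
filter f_authpriv { facility(auth, authpriv); };
filter f_kern { facility(kern); };
filter f_mail { facility(mail); };
filter f_failed { match("failed"); };

#connect filter and destination
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_mail); destination(mail); };
'''

if __name__ == "__main__":
    for problem, objs in check(SAMPLE).items():
        for kind, name in objs:
            print(f"{problem}: {kind} {name}")
```

Run against the sample it reports `unresolved: source kernsrc`, the two duplicate destinations and the unused f_failed filter; replacing `source(kernsrc)` with `source(src)` clears the unresolved entry, which is exactly the fix given above. Redefinitions were tolerated by syslog-ng 3.0 (the daemon only died on the unresolved reference), but they are a sign that the Gentoo default section and the pasted-in section overlap: the log statements for messages and console_all also appear twice, so every message would be written twice to those files.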
Post by DrekAlots » Fri Jan 22, 2010 1:55 am

Ok. I nuked the old config file and wrote a new one. The new one works, meaning it starts with no errors. But I'm not sure if it's correct. Here's the config:

Code:

@version: 3.0
#
# Syslog NG Config File
# Created 1/21/10
#

options
{
	create_dirs(yes);
	dir_perm(0700);
	perm(0600);
	owner(root);
	group("syslog");
	keep_hostname(yes);
	long_hostnames(on);
};

# Sources
source s_local { unix-stream("/dev/log" max-connections(256)); internal(); };
source s_rtr    { udp(ip(192.168.1.3) port(514)); };

# Destinations
destination d_rtr 	{ file("/var/log/rtr-$YEAR$MONTH$DAY.log"); };
destination d_auth	{ file("/var/log/auth.log"); };

# Filters
filter f_rtr	        { host("TheDarkSide"); };
filter f_auth	{ program(sshd); };

# Logs
log { source(s_rtr); filter(f_rtr); destination(d_rtr); };
log { source(s_local); filter(f_auth); destination(d_auth); };

My questions are these:

1. I logged into the router (Cisco 871w) and forced an entry in the log; the log on the gentoo box running syslog-ng doesn't exist.
2. The auth.log file is also empty after logging in and out with ssh.
3. Do I need anything else to log all other info to the default file "messages" in the /var/log directory?
Post by massimo » Fri Jan 22, 2010 6:50 am

Did you restart syslog-ng after the final change to your syslog-ng?
DrekAlots wrote: 1. I logged into the router (Cisco 871w) and forced an entry in the log; the log on the gentoo box running syslog-ng doesn't exist.
Whose IP address is 192.168.1.3? You could do a tcpdump or use wireshark to check if this message does arrive at your syslog server (gentoo box). Maybe you are missing something in the Cisco configuration too. Is your gentoo system able to resolve TheDarkSide?
DrekAlots wrote: 2. The auth.log file is also empty after logging in and out with ssh.
Should work as far as I can tell from your configuration.
DrekAlots wrote: 3. Do I need anything else to log all other info to the default file "messages" in the /var/log directory?
Yes, you need a log directive which writes everything else into messages. You have no rule which covers that. When you really want "everything else" in messages, then you have to make sure that the other two log directives are the final ones for the given filters.
Post by DrekAlots » Fri Jan 22, 2010 5:17 pm

I made some changes from the previous configuration and am now receiving logs from my Cisco router. Also, the auth.log is populating correctly. I am unsure how to specify a log rule for "everything else" though.

Code:

@version: 3.0
#
# Syslog NG Config File
# Created 1/21/10
#

options
{
	create_dirs(yes);
	dir_perm(0700);
	perm(0600);
	owner(root);
	group("syslog");
	keep_hostname(yes);
	long_hostnames(on);
};

# Sources
source s_local { unix-stream("/dev/log" max-connections(256)); internal(); };
source s_rtr    { udp(ip(192.168.1.3) port(514)); };

# Destinations
destination d_rtr	        { file("/var/log/rtr.log"); };
destination d_auth	{ file("/var/log/auth.log"); };
destination d_sftp	{ file("/var/log/sftp.log"); };

# Filters
filter f_rtr	        { facility(23); };
filter f_auth	{ program(sshd); };
filter f_sftp	        { program(vsftpd); };

# Logs
log { source(s_rtr); filter(f_rtr); destination(d_rtr); };
log { source(s_local); filter(f_auth); destination(d_auth); };
log { source(s_local); filter(f_sftp); destination(d_sftp); };
Post by massimo » Fri Jan 22, 2010 8:52 pm

Everything else (everything but the log entries that have already been written to another log file):

Code:

# added
destination d_messages { file("/var/log/messages"); }; 

# modified
log { source(s_rtr); filter(f_rtr); destination(d_rtr); flags(final); };
log { source(s_local); filter(f_auth); destination(d_auth); flags(final); };
log { source(s_local); filter(f_sftp); destination(d_sftp); flags(final); }; 

# added
log { source(s_local); destination(d_messages); }; 
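The script below is an added example (my code, not from the thread and not syslog-ng's parser) that illustrates two points raised in massimo's replies: why the first config's `host("TheDarkSide")` filter could silently match nothing while `facility(23)` works, and what `flags(final)` changes in the last config. It parses raw syslog lines into the fields that syslog-ng filters operate on, then walks the four log statements from the final config top to bottom. Two facts it relies on: Cisco IOS logs to facility local7 (number 23) unless told otherwise, and an IOS message carries no hostname field by default, so a receiver falls back to the sender's address for $HOST, which is why a host() filter on the router's name only matches if reverse DNS resolves that address to it. All sample lines, hostnames and addresses are constructed, and the parser is a simplification of what syslog-ng really does (its own hostname heuristics and the use_dns()/keep_hostname() options decide the real $HOST value).

```python
"""Added example, not code from the thread.  A minimal BSD-syslog parser
and a model of syslog-ng log-path evaluation, used to show (a) what $HOST,
$FACILITY and $PROGRAM a receiver derives from a Cisco IOS message versus a
local sshd/cron message, and (b) what flags(final) changes in the final
config.  All sample lines, hostnames and addresses below are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# PRI = facility * 8 + severity; index 23 is local7, the IOS default facility.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
TAG_RE = re.compile(r"^([^ :\[]+)(?:\[\d+\])?: ?(.*)$", re.S)


@dataclass
class Msg:
    facility: int
    level: int
    host: str
    program: str
    message: str


def parse(datagram: str, peer: str) -> Msg:
    """Split a raw syslog line into the fields that filters operate on.
    `peer` is the sender (address or local hostname); it becomes $HOST
    whenever the line itself carries no hostname field, which is the case
    for IOS messages unless the router is configured to include its name."""
    m = PRI_RE.match(datagram)
    pri, rest = (int(m.group(1)), m.group(2)) if m else (13, datagram)
    facility, level = pri >> 3, pri & 7
    host, body = peer, rest
    ts = TS_RE.match(rest)
    if ts:                              # "Jan 22 17:06:40 [host] tag: msg"
        body = rest[ts.end():]
        first, _, remainder = body.partition(" ")
        # A hostname token has no ':' or '['; "sshd[4321]:" is a program tag.
        if remainder and ":" not in first and "[" not in first:
            host, body = first, remainder
    tag = TAG_RE.match(body)
    program, message = (tag.group(1), tag.group(2)) if tag else ("", body)
    return Msg(facility, level, host, program, message)


# Filter constructors mirroring facility(), program() and host() (a regexp).
def facility(n: int) -> Callable[[Msg], bool]:
    return lambda m: m.facility == n

def program(name: str) -> Callable[[Msg], bool]:
    return lambda m: m.program == name

def host(pattern: str) -> Callable[[Msg], bool]:
    return lambda m: re.search(pattern, m.host) is not None


# The log statements from the last config: (source, filter, destination, final)
LogPath = Tuple[str, Optional[Callable[[Msg], bool]], str, bool]
LOG_PATHS: List[LogPath] = [
    ("s_rtr",   facility(23),      "d_rtr",      True),
    ("s_local", program("sshd"),   "d_auth",     True),
    ("s_local", program("vsftpd"), "d_sftp",     True),
    ("s_local", None,              "d_messages", False),
]

def without_final(paths: List[LogPath]) -> List[LogPath]:
    """The same statements with flags(final) removed, for comparison."""
    return [(s, f, d, False) for s, f, d, _ in paths]

def route(msg: Msg, source: str, paths: List[LogPath] = LOG_PATHS) -> List[str]:
    """Walk the statements top to bottom: every one whose source matches and
    whose filter passes writes to its destination; a final statement stops
    the walk so later catch-all statements never see the message."""
    dests = []
    for src, flt, dst, final in paths:
        if src != source or (flt is not None and not flt(msg)):
            continue
        dests.append(dst)
        if final:
            break
    return dests


# Constructed traffic: an IOS message via udp() from the router, and
# glibc-style lines (no hostname field) arriving via /dev/log on the log host.
CISCO = ("<189>42: *Jan 22 17:05:11.203: %SYS-5-CONFIG_I: Configured from "
         "console by vty0 (192.168.1.10)", "192.168.1.1")
SSHD = ("<38>Jan 22 17:06:40 sshd[4321]: Accepted publickey for derek from "
        "192.168.1.10 port 51234 ssh2", "tuxserver")
CRON = ("<78>Jan 22 17:10:01 CRON[4400]: (root) CMD (run-parts /etc/cron.hourly)",
        "tuxserver")

def describe(datagram: str, peer: str, source: str) -> dict:
    m = parse(datagram, peer)
    return {"facility": FACILITIES[m.facility], "level": LEVELS[m.level],
            "host": m.host, "program": m.program,
            "host_is_TheDarkSide": host("TheDarkSide")(m),
            "with_final": route(m, source),
            "without_final": route(m, source, without_final(LOG_PATHS))}

if __name__ == "__main__":
    for name, (line, peer, src) in {"router": (*CISCO, "s_rtr"),
                                    "sshd": (*SSHD, "s_local"),
                                    "cron": (*CRON, "s_local")}.items():
        print(name, describe(line, peer, src))
```

The router line decodes to local7.notice with $HOST equal to the sender address, so `host("TheDarkSide")` is false and `facility(23)` is what actually selects it; the sshd line lands only in d_auth when the statement is final but in both d_auth and d_messages without the flag, while the cron line falls through to the catch-all either way. If router messages still do not show up with the facility filter in place, the check is the one suggested above: capture on the log host with tcpdump for UDP port 514 and confirm the datagrams arrive at the address the udp() source is bound to.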
Post by DrekAlots » Fri Jan 22, 2010 11:44 pm

Thanks!! It's working well now!