Have you checked to see if the SYSLOG traffic is hitting the server? A
tcpdump should show the traffic.

Other than the MySQL logging, I'm not doing that much different with my
config - I've used remote logging in the past.

Try running syslog-ng in debug mode (syslog -d) to see if the traffic
comes through and gets filtered.

Jamie

On Tue, February 21, 2006 3:42 pm, Ben Ruset wrote:
> I am trying to get my firewall to log to a Syslog-NG box I have set up. I
> have local services logging to the appropriate files, and also have them
> going to a MySQL database.
>
> I have configured TCP and UDP sources and verified that Syslog-NG is
> listening on those ports.
>
> For some reason I am not seeing any entries from my Firewall on my
> syslog box. Here's my config. Any help is much appreciated!
>
> options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off);
>           use_dns (no); use_fqdn (no); create_dirs (yes); keep_hostname (yes); };
>
> source s_sys { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };
>
> source s_tcp { tcp(ip(10.100.3.121) port(5140) max-connections(100)); };
> source s_udp { udp(ip(10.100.3.121) port(514)); };
>
> destination d_cons   { file("/dev/console"); };
> destination d_mesg   { file("/var/log/messages"); };
> destination d_auth   { file("/var/log/secure"); };
> destination d_mail   { file("/var/log/maillog"); };
> destination d_spol   { file("/var/log/spooler"); };
> destination d_boot   { file("/var/log/boot.log"); };
> destination d_cron   { file("/var/log/cron"); };
> destination d_mlal   { usertty("*"); };
> destination d_kernel { file("/var/log/kern"); };
>
> destination d_tcp { file("/var/log/remote/$HOST/$YEAR.$MONTH.$DAY/$FACILITY"); };
> destination d_udp { file("/var/log/remote/$HOST/$YEAR.$MONTH.$DAY/$FACILITY"); };
>
> destination d_mysql {
>     pipe("/var/log/mysql.pipe"
>          template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
>          template-escape(yes));
> };
>
> filter f_filter1 { facility(kern); };
> filter f_filter2 { level(info) and not (facility(mail) or facility(authpriv) or facility(cron) or program("kernel")); };
> filter f_filter3 { facility(authpriv); };
> filter f_filter4 { facility(mail); };
> filter f_filter5 { level(emerg); };
> filter f_filter6 { facility(uucp) or (facility(news) and level(crit)); };
> filter f_filter7 { facility(local7); };
> filter f_filter8 { facility(cron); };
> filter f_kernel  { level(info) and program("kernel"); };
>
> log { source(s_sys); filter(f_filter1); destination(d_cons); };
> log { source(s_sys); filter(f_filter2); destination(d_mesg); };
> log { source(s_sys); filter(f_filter3); destination(d_auth); };
> log { source(s_sys); filter(f_filter4); destination(d_mail); };
> log { source(s_sys); filter(f_filter5); destination(d_mlal); };
> log { source(s_sys); filter(f_filter6); destination(d_spol); };
> log { source(s_sys); filter(f_filter7); destination(d_boot); };
> log { source(s_sys); filter(f_filter8); destination(d_cron); };
> log { source(s_sys); filter(f_kernel); destination(d_kernel); };
>
> log { source(s_tcp); destination(d_tcp); };
> log { source(s_tcp); destination(d_mysql); };
>
> log { source(s_udp); destination(d_udp); };
> log { source(s_udp); destination(d_mysql); };
>
> log { source(s_sys); destination(d_mysql); };
>
>
>
> Jamie Furtner wrote:
>
>> What are you trying to do?
>>
>>
>> Jamie
>>
>>
>> On Tue, February 21, 2006 3:11 pm, Ben Ruset wrote:
>>
>>> Any syslog-NG gurus on the list?
>>>
>>>
>>>
>>>
>>
>>
>
>


-- 
Jamie Furtner [EMAIL PROTECTED]
"I aim to misbehave"
    - Malcolm Reynolds (Serenity movie)
"It's not safe...
"For them."
    - River Tam (Serenity movie)
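
A probe for the check suggested in the reply, added here as an example and not part of either poster's message: it sends one known BSD-syslog (RFC 3164) line to the UDP and TCP listeners from the quoted config and prints the file the `d_udp`/`d_tcp` template should then create. If the probe shows up in tcpdump and in that file but the firewall's messages do not, the problem is on the sending side. The host name `probe-host` and the program name `probe` are made up, and the path assumes `$HOST` is taken from the message header (`keep_hostname (yes)`) and the date macros from the message timestamp.

```python
import socket
from datetime import datetime

# Standard syslog facility codes, named the way $FACILITY prints them.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
            "authpriv": 10, "ftp": 11,
            **{f"local{i}": 16 + i for i in range(8)}}
LEVEL = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
         "warning": 4, "notice": 5, "info": 6, "debug": 7}
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def build_message(facility, level, host, program, text, when):
    """Return an RFC 3164 line: <PRI>Mmm dd HH:MM:SS host program: text."""
    pri = FACILITY[facility] * 8 + LEVEL[level]
    # RFC 3164 pads a single-digit day with a space, not a zero.
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {host} {program}: {text}".encode("ascii")


def expected_path(facility, host, when):
    """File the quoted d_udp/d_tcp template should create for this message."""
    return f"/var/log/remote/{host}/{when:%Y.%m.%d}/{facility}"


def send_probe(msg, addr, proto="udp"):
    """Send one message: a single datagram for UDP, a newline-ended line for TCP."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(msg, addr)
    else:
        with socket.create_connection(addr, timeout=5) as s:
            s.sendall(msg + b"\n")


if __name__ == "__main__":
    now = datetime.now()
    # Listener addresses and ports are the ones in the quoted s_udp/s_tcp sources.
    for proto, addr in (("udp", ("10.100.3.121", 514)),
                        ("tcp", ("10.100.3.121", 5140))):
        msg = build_message("local7", "info", "probe-host", "probe",
                            f"test via {proto}", now)
        try:
            send_probe(msg, addr, proto)
            print(proto, "sent; look in", expected_path("local7", "probe-host", now))
        except OSError as exc:
            print(proto, "failed:", exc)
```

A UDP send succeeds even when nothing is listening, so only the TCP result says anything about reachability; for UDP, rely on tcpdump on the server and on the expected file.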

