Re: [opensuse] Need help creating a syslog -ng config file to perform a Syslog Daemon's Work.
I agree the PC-DOS-Windows industry has bastardised the concept of a syslog daemon. Syslog-ng IS the Linux system log daemon; however, it performs its function in much the same way as a Mainframe Daemon works, and depending on my audience I have to be very specific with the reference 'syslog daemon' due to its multiple meanings.

If I had a big enough business I would always go for a Main Frame and rock solid O/S in lieu of a blade server and clustering, despite the O/S. I still have issues with the insecure comms that we use every day in the form of the collection TCP/IP.

SNA forever

Keep smiling
Scott

Carlos E. R. wrote:
> The Monday 2007-04-23 at 05:17 +1000, Registration Account wrote:
>
>> Dear Carlos,
>>
>> With your already wonderful script I can log the file as received; however, as I am aware of the RFC which defines syslog rules and conventions, found at http://www.faqs.org/rfcs/rfc3164.html, I need to substitute the value in ? for the following before the log is created.
>
> Yes, I understand that, but the linux syslog daemon doesn't record it in the files.
>
>> After I succeed I will be happy to provide the result. There is an enormous requirement for a Linux Syslog. If you wish, you may publish on the web.
>
> There is a linux syslog daemon, you will have to rename it somehow or people will not understand you.
>
> I don't suppose it would be difficult to modify the existing service to record the severity number: but don't look at me, I have never done serious programming in linux.
Re: [opensuse] Need help creating a syslog -ng config file to perform a Syslog Daemon's Work.
The Tuesday 2007-04-24 at 17:58 +1000, Registration Account wrote:

> I agree the PC-DOS-Windows industry has bastardised the concept of a syslog daemon. Syslog-ng IS the Linux system log daemon; however, it performs its function in much the same way as a Mainframe Daemon works, and depending on my audience I have to be very specific with the reference 'syslog daemon' due to its multiple meanings.

I simply meant that the syslog or syslog-ng daemon in linux doesn't do what you want, i.e., record the priority level in the string sent to the file, nor do I know how to write it, short of modifying the source code, which I haven't even inspected to estimate the difficulty of such a simple modification. :-)

--
Cheers,
       Carlos E. R.

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [opensuse] Need help creating a syslog -ng config file to perform a Syslog Daemon's Work.
Dear Carlos,

With your already wonderful script I can log the file as received; however, as I am aware of the RFC which defines syslog rules and conventions, found at http://www.faqs.org/rfcs/rfc3164.html, I need to substitute the value in ? for the following before the log is created. This is where we get the definitions of:

Where the number enclosed by is equal to

0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level message

Within standard syslog information, as I quoted:

[2007-04-21 17:31:55] *6*EFW: ALG: prio=1 algmod=http algsesid=70500 action=close reason=backlisted_url..

In the above this represents an Informational event. If it were to be a 4 this would substitute the word 'warning'.

As ALL syslog messages conform to at least these 2 mandatory fields, can I incorporate your code and see any value enclosed in * * and have it substitute for the correct Event Title?

Normal expectations of messages are about 38,000 mph - again dependent on staff numbers. I am in the process of building a dedicated Linux PC to perform just this function. Under normal usage you would expect up to 38,000 messages per hour during heavy traffic. Hence I have a management model to do all the statistical work and trends. (Linux)

After I succeed I will be happy to provide the result. There is an enormous requirement for a Linux Syslog. If you wish, you may publish on the web.

Kind Regards
Scott :-)

Carlos E. R. wrote:
> The Sunday 2007-04-22 at 07:47 +1000, Registration Account wrote:
>
>> Those few lines of code are just what I need. Yes of course I can use KsystemLog - it's all set up to chase the file as it grows by the millisecond and has a wide application use. An Xterm will not offer as much I feel.
>
> Oh, yes, xterm is much faster than any other gui app. Try, leave an xterm with "tailf logfile".
>
>> With respect to the substitution of the Priority codes below in place of the value contained in the string below as ?, is that also as easy to achieve?
>
> I'm not sure what you want there... syslog has standard priority values, but the priority is not printed, it's just used to filter them out to different destination files if wanted. For instance:
>
>   filter f_mailinfo { level(info) and facility(mail); };
>   filter f_mailwarn { level(warn) and facility(mail); };
>   filter f_mailerr  { level(err, crit) and facility(mail); };
>   filter f_mail     { facility(mail); };
>   filter f_myemail  { level(notice) and facility(mail) and not (program("amavis") and match("Passed CLEAN,")); };  # info or notice
>   ...
>   destination maildebug { file("/var/log/mail.debug"); };
>   log { source(src); filter(f_mail); destination(maildebug); };
>   log { source(src); filter(f_myemail); destination(mail); };
>   log { source(src); filter(f_mail); destination(mail); };
>
> The /var/log/mail.debug file will contain all the mail messages of any level, but the /var/log/mail will only contain those of level notice and higher importance, except those coming from the program amavis with a certain string. But I don't know how to insert an arbitrary string indicating the level; for that I think you will need to hack the syslog-ng code.
>
>> Please let me know where to send chocolate!
>
> Ugh, I have half a kilo downstairs I shouldn't even look at... leave it as virtual ;-)
Re: [opensuse] Need help creating a syslog -ng config file to perform a Syslog Daemon's Work.
The Monday 2007-04-23 at 05:17 +1000, Registration Account wrote:

> Dear Carlos,
>
> With your already wonderful script I can log the file as received; however, as I am aware of the RFC which defines syslog rules and conventions, found at http://www.faqs.org/rfcs/rfc3164.html, I need to substitute the value in ? for the following before the log is created.

Yes, I understand that, but the linux syslog daemon doesn't record it in the files.

> After I succeed I will be happy to provide the result. There is an enormous requirement for a Linux Syslog. If you wish, you may publish on the web.

There is a linux syslog daemon, you will have to rename it somehow or people will not understand you.

I don't suppose it would be difficult to modify the existing service to record the severity number: but don't look at me, I have never done serious programming in linux.

--
Cheers,
       Carlos E. R.
[opensuse] Need help creating a syslog -ng config file to perform a Syslog Daemon's Work.
I want to build a Syslog Server. I have a Linux Log file viewer so most of the work is done.

http://www.kiwisyslog.com/log-viewer-v2-beta-info.htm

I need syslog-ng to listen to UDP/514 and write a continuous file on the information it hears. Fortunately I do not need any log rotation as the file is only text based, and although it has the potential to reach large sizes I can deal with a lot of space.

Syslog-ng appears to have many config files and I am not sure which to modify.

Can anyone assist me with this short line of syntax, given the above Linux Log file viewer's ability to display the file as it changes and the various parameters it uses, some of which I understand but not all. The ability to NOT have to maintain a M$ PC just to be a Syslog Daemon would be a breakthrough for so many sysops who require real time syslog data.

Data from my multiple IDSs is sent to my current M$ Windows Syslog Daemon; however, I do have a large Linux IDS Management Module that does number crunching, provides warnings and reports but cannot display the data in realtime.

Syslog data is sent to UDP/514 to Facilities numbering Local 0-7.

The text stream looks something like:

[2007-04-21 17:31:55] 6EFW: ALG: prio=1 algmod=http algsesid=70500 action=close reason=backlisted_url url=www.download.windowsupdate.com/msdownload/update/v3-19990518/ca peer=client connipproto=TCP connrecvif=LAN connsrcip=192.168.100.40 connsrcport=3767 conndestif=core conndestip=202.158.212.136 conndestport=80 origsent=364 termsent=84

Where the number enclosed by is equal to

0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level message

If anyone is really bored and wants to learn about the convention there is a short war and peace version at http://www.faqs.org/rfcs/rfc3164.html

Don't worry about understanding the text, that's my job. I just offer it as an example for delineation purposes.

I know this is a big ask, but no one but no one currently produces a Linux Syslog Daemon + Log Viewer. In my reading of my 2000 page intro to C++, I have only got to page 95 and I know this is a 3 line entry into a config.

Please tell me if I ask too much.

Many thanks if anyone can assist.

Scott :'(
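One way to get the substitution asked for above (the leading number replaced by its RFC 3164 severity name) is to post-process the file syslog-ng writes rather than change the daemon. The following is an added example for this thread, not code from the thread or from syslog-ng; it assumes the number before "EFW" is the RFC 3164 <PRI> field with its angle brackets (they appear to have been lost from the quoted line), that PRI is facility * 8 + severity as the RFC defines, and that the collector prefixes a bracketed timestamp as shown. It also decodes the facility, so a message sent on local0-7 is labelled as such.

```python
"""Decode the RFC 3164 <PRI> field of collected syslog lines into facility/severity names.
Added example for this thread, not code from the thread or from syslog-ng."""
import re

# Severity table quoted in the thread (RFC 3164 section 4.1.1).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Facility codes 0-23 in RFC 3164 order; 16-23 are the local0-local7 the IDS sends to.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % n for n in range(8)]

# Assumed line shape: optional "[YYYY-MM-DD HH:MM:SS] " collector prefix, <PRI>, message.
LINE_RE = re.compile(r"^(?:\[(?P<ts>[^\]]*)\]\s*)?<(?P<pri>\d{1,3})>(?P<msg>.*)$")

def split_pri(pri):
    """PRI = facility * 8 + severity; anything above 191 is not a valid RFC 3164 PRI."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_line(line):
    """Return the parsed fields, or None when the line carries no <PRI> field."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    facility, severity = split_pri(int(m.group("pri")))
    return {"timestamp": m.group("ts"), "facility": facility,
            "severity": severity, "msg": m.group("msg")}

def rewrite_line(line):
    """Substitute the severity name for the number, as asked; pass other lines through."""
    p = parse_line(line)
    if p is None:
        return line
    prefix = "[%s] " % p["timestamp"] if p["timestamp"] else ""
    return "%s%s: %s" % (prefix, p["severity"], p["msg"])

# Constructed sample lines following the format shown in the original post.
SAMPLE_LINES = [
    "[2007-04-21 17:31:55] <6>EFW: ALG: prio=1 algmod=http action=close reason=backlisted_url",
    "<132>EFW: IDS: signature matched",  # 132 = local0 (16 * 8) + Warning (4)
    "no PRI field on this line",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(rewrite_line(line))
```

Lines without a <PRI> field are passed through unchanged rather than dropped, so a malformed or truncated message from a sender is still visible in the output file.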
Re: [opensuse] Need help creating a syslog -ng config file to perform a Syslog Daemon's Work.
The Saturday 2007-04-21 at 18:05 +1000, Registration Account wrote:

> Syslog-ng appears to have many config files and I am not sure which to modify.

I see only one - where are you looking at?

  /etc/syslog-ng/syslog-ng.conf

> Can anyone assist me with this short line of syntax, given the above Linux Log file viewer's ability to display the file as it changes and the various parameters it uses, some of which I understand but not all. The ability to NOT have to maintain a M$ PC just to be a Syslog Daemon would be a breakthrough for so many sysops who require real time syslog data.

To log external sources, I add:

  source ext { udp(ip("0.0.0.0") port(514)); };

below the existing "source src { ... };" section. Later on, I add, for instance:

  filter f_router { host("router"); };
  ...
  destination router { file("/var/log/router"); };
  log { source(ext); filter(f_router); destination(router); };

> I know this is a big ask, but no one but no one currently produces a Linux Syslog Daemon + Log Viewer.

Viewer? I just use plain "less /var/log/file" in an xterm. Or "tailf ..." for a continuous display with less resources spent. Viewing the log is a completely different task from logging it.

--
Cheers,
       Carlos E. R.
Re: [opensuse] Need help creating a syslog -ng config file to perform a Syslog Daemon's Work.
Thank you Carlos,

Those few lines of code are just what I need. Yes of course I can use KsystemLog - it's all set up to chase the file as it grows by the millisecond and has a wide application use. An Xterm will not offer as much I feel.

With respect to the substitution of the Priority codes below in place of the value contained in the string below as ?, is that also as easy to achieve?

Please let me know where to send chocolate!

With great thanks and appreciation
Scott

[2007-04-21 17:31:55] 6EFW: ALG: prio=1 algmod=http algsesid=70500 action=close reason=backlisted_url url=www.download.windowsupdate.com/msdownload/update/v3-19990518/ca peer=client connipproto=TCP connrecvif=LAN connsrcip=192.168.100.40 connsrcport=3767 conndestif=core conndestip=202.158.212.136 conndestport=80 origsent=364 termsent=84

Where the number enclosed by is equal to

0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level message

Carlos E. R. wrote:
> The Saturday 2007-04-21 at 18:05 +1000, Registration Account wrote:
>
>> Syslog-ng appears to have many config files and I am not sure which to modify.
>
> I see only one - where are you looking at?
>
>   /etc/syslog-ng/syslog-ng.conf
>
>> Can anyone assist me with this short line of syntax, given the above Linux Log file viewer's ability to display the file as it changes and the various parameters it uses, some of which I understand but not all. The ability to NOT have to maintain a M$ PC just to be a Syslog Daemon would be a breakthrough for so many sysops who require real time syslog data.
>
> To log external sources, I add:
>
>   source ext { udp(ip("0.0.0.0") port(514)); };
>
> below the existing "source src { ... };" section. Later on, I add, for instance:
>
>   filter f_router { host("router"); };
>   ...
>   destination router { file("/var/log/router"); };
>   log { source(ext); filter(f_router); destination(router); };
>
>> I know this is a big ask, but no one but no one currently produces a Linux Syslog Daemon + Log Viewer.
>
> Viewer? I just use plain "less /var/log/file" in an xterm. Or "tailf ..." for a continuous display with less resources spent. Viewing the log is a completely different task from logging it.
Re: [opensuse] Need help creating a syslog -ng config file to perform a Syslog Daemon's Work.
The Sunday 2007-04-22 at 07:47 +1000, Registration Account wrote:

> Those few lines of code are just what I need. Yes of course I can use KsystemLog - it's all set up to chase the file as it grows by the millisecond and has a wide application use. An Xterm will not offer as much I feel.

Oh, yes, xterm is much faster than any other gui app. Try, leave an xterm with "tailf logfile".

> With respect to the substitution of the Priority codes below in place of the value contained in the string below as ?, is that also as easy to achieve?

I'm not sure what you want there... syslog has standard priority values, but the priority is not printed, it's just used to filter them out to different destination files if wanted. For instance:

  filter f_mailinfo { level(info) and facility(mail); };
  filter f_mailwarn { level(warn) and facility(mail); };
  filter f_mailerr  { level(err, crit) and facility(mail); };
  filter f_mail     { facility(mail); };
  filter f_myemail  { level(notice) and facility(mail) and not (program("amavis") and match("Passed CLEAN,")); };  # info or notice
  ...
  destination maildebug { file("/var/log/mail.debug"); };
  log { source(src); filter(f_mail); destination(maildebug); };
  log { source(src); filter(f_myemail); destination(mail); };
  log { source(src); filter(f_mail); destination(mail); };

The /var/log/mail.debug file will contain all the mail messages of any level, but the /var/log/mail will only contain those of level notice and higher importance, except those coming from the program amavis with a certain string. But I don't know how to insert an arbitrary string indicating the level; for that I think you will need to hack the syslog-ng code.

> Please let me know where to send chocolate!

Ugh, I have half a kilo downstairs I shouldn't even look at... leave it as virtual ;-)

--
Cheers,
       Carlos E. R.