Logging, Syslog and Log Analysis Forums
Topic: Custom remote log files (Read 3845 times)
mrbranden
Newbie
« on: May 18, 2009, 11:44:25 am »

Hi. I've searched and I can't find an answer to this question...

I am using syslog-ng 3.0.2 on an AIX 5.3 system. I'd like to take a plain text log file from an app (abc.log) and send that to a central logging server. On the logging server, I'd like to preserve the original log name.

I tried something like this:

Client:

source  s_file_abclog { file("/tmp/abc.log" follow_freq(1));};
source  s_local { unix-stream("/dev/log"); udp(ip(127.0.0.1) port(514)); internal(); };

destination d_abc { udp("1.2.3.4" port(514)); file("/server/$HOST/$YEAR/$MONTH/$DAY/abc.log"); };

log { source(s_file_abclog); destination(d_abc); };


On the server, I have (this is abbreviated):
        source s_net    { udp(); };

# Destination
        destination d_syslog { file("/server/$HOST/$YEAR/$MONTH/$DAY/syslog.log"); };
        destination d_daemonlog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/daemon.log"); };
        destination d_maillog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/mail.log"); };
        destination d_authlog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/auth.log"); };
        destination d_abclog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/abc.log"); };

log { source ( s_net); filter (f_syslog); destination ( d_syslog ); };
log { source ( s_net); filter (f_daemon); destination ( d_daemonlog ); };
log { source ( s_net); filter (f_mail); destination ( d_maillog ); };
log { source ( s_net); filter (f_auth); destination ( d_authlog ); };


I'm at a loss for how to tell the server to put abc.log into /server/$HOST/$YEAR/$MONTH/$DAY/abc.log. It just wants to put it into syslog.log, but that's not what we're after.

How can I take a plain text file from a client and send it to a custom log on a central log server via syslog-ng?

Thank you in advance!

mutex
Administrator
« Reply #1 on: May 18, 2009, 12:28:04 pm »

If the logs from /tmp/abc.log are ending up in /server/$HOST/$YEAR/$MONTH/$DAY/syslog.log, something is not working as you expect.

Try this.  Set your syslog-ng.conf file to this:
Code:
source  s_file_abclog { file("/tmp/abc.log" follow_freq(1));};
destination d_abc { udp("1.2.3.4" port(514)); file("/server/$HOST/$YEAR/$MONTH/$DAY/abc.log"); };
log { source(s_file_abclog); destination(d_abc); };
then restart syslog-ng and see what happens.  If the logs are still going to syslog.log, we'll know it's not syslog-ng sending them there.


mutex
Administrator
« Reply #2 on: May 18, 2009, 12:30:29 pm »

I just thought of something - are you expecting this line:
destination d_abc { udp("1.2.3.4" port(514)); file("/server/$HOST/$YEAR/$MONTH/$DAY/abc.log"); };
to put it in the file /server/$HOST/$YEAR/$MONTH/$DAY/abc.log on the host 1.2.3.4?  If so, that's not what the line says.
The first part says "send the log message to 1.2.3.4".
The second part says "store the log in the file /server/$HOST/$YEAR/$MONTH/$DAY/abc.log" - on the local server, not on the remote server

mrbranden
Newbie
« Reply #3 on: May 18, 2009, 12:35:53 pm »

Yes, I was expecting it to store the file in that path on the REMOTE server (1.2.3.4). How do I get syslog-ng to put abc.log into /server/$HOST/$YEAR/$MONTH/$DAY/abc.log on the remote/central log server?

I made the modification you suggested above but nothing changed.

Thanks!

mutex
Administrator
« Reply #4 on: May 18, 2009, 12:41:00 pm »

You will have to run syslog-ng on the remote server - 1.2.3.4 first.

Then, you will have to configure syslog-ng on the remote server like this:

options{ keep_hostname(); };
source s_net    { udp(); };
destination d_abc {file("/server/$HOST/$YEAR/$MONTH/$DAY/abc.log"); };
log { source(s_net); destination(d_abc); };

On the original host, you can shorten this line:
destination d_abc { udp("1.2.3.4" port(514)); file("/server/$HOST/$YEAR/$MONTH/$DAY/abc.log"); };
to
destination d_abc { udp("1.2.3.4" port(514)); };

mrbranden
Newbie
« Reply #5 on: May 18, 2009, 12:49:06 pm »

Thank you for your fast responses. Unfortunately, that hasn't fixed the problem. I already had the remote server configured the way you suggested. Here's what it looks like:


options {
        keep_hostname(yes);
        use_dns(yes);
        dns_cache(yes);
        create_dirs(yes);
        time_reopen(10);
        log_fifo_size(100);
        use_fqdn(no);
        perm(0644);
        dir_perm(0755);
        chain_hostnames(no);
};

# Source definitions
        source s_net    { udp(); };

# Destination
        destination d_syslog { file("/server/$HOST/$YEAR/$MONTH/$DAY/syslog.log"); };
        destination d_daemonlog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/daemon.log"); };
        destination d_maillog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/mail.log"); };
        destination d_authlog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/auth.log"); };
        destination d_abclog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/abc.log"); };

# Filter definitions
        filter f_syslog { facility (syslog); };
        filter f_daemon { facility (daemon); };
        filter f_auth   { facility (auth); };
        filter f_mail   { facility (mail); };
        filter f_debug  { level (debug .. emerg);       };

log { source ( s_net); filter (f_syslog); destination ( d_syslog ); };
log { source ( s_net); filter (f_daemon); destination ( d_daemonlog ); };
log { source ( s_net); filter (f_mail); destination ( d_maillog ); };
log { source ( s_net); filter (f_auth); destination ( d_authlog ); };
log { source ( s_net); destination (d_abclog); };

I'm really at a loss as to why it's not working...
How does it know that the abc.log in the client conf is the abc.log I'm referring to in the remote conf?

Thanks again!

mutex
Administrator
« Reply #6 on: May 18, 2009, 01:17:17 pm »

I understand the problem.  We're going to have to send the logs from /tmp/abc.log to the log host with a different priority, then filter out that priority on the 1.2.3.4 side into the /server/$HOST/$YEAR/$MONTH/$DAY/abc.log.


Try this (server with the /tmp/abc.log):
Code:
source  s_file_abclog { file("/tmp/abc.log" follow_freq(1));};
destination d_abc { udp("1.2.3.4" port(514) facility(local7)); };
log { source(s_file_abclog); destination(d_abc); };
Server 1.2.3.4
Code:
options {
        keep_hostname(yes);
        use_dns(yes);
        dns_cache(yes);
        create_dirs(yes);
        time_reopen(10);
        log_fifo_size(100);
        use_fqdn(no);
        perm(0644);
        dir_perm(0755);
        chain_hostnames(no);
};

# Source definitions
        source s_net    { udp(); };

# Destination
        destination d_syslog { file("/server/$HOST/$YEAR/$MONTH/$DAY/syslog.log"); };
        destination d_daemonlog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/daemon.log"); };
        destination d_maillog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/mail.log"); };
        destination d_authlog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/auth.log"); };
        destination d_abclog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/abc.log"); };

# Filter definitions
        filter f_syslog { facility (syslog); };
        filter f_daemon { facility (daemon); };
        filter f_auth   { facility (auth); };
        filter f_mail   { facility (mail); };
        filter f_debug  { level (debug .. emerg);       };
        filter f_local7{facility(local7);};

log { source ( s_net); filter (f_syslog); destination ( d_syslog ); };
log { source ( s_net); filter (f_daemon); destination ( d_daemonlog ); };
log { source ( s_net); filter (f_mail); destination ( d_maillog ); };
log { source ( s_net); filter (f_auth); destination ( d_authlog ); };
log { source ( s_net); filter (f_local7); destination (d_abclog); };

mrbranden
Newbie
« Reply #7 on: May 18, 2009, 01:36:45 pm »

Unfortunately, those changes didn't seem to make a difference. It's still posting syslog.log on the remote server.
And in case someone asks, yes, I'm stopping/starting the syslog-ng service on both client and server after each change. :)
I've done a lot of searching on this subject. I wonder if what I'm trying to do is even possible with syslog-ng. Sounds like something pretty simple, but I can't find others who are doing it...

mutex
Administrator
« Reply #8 on: May 18, 2009, 01:59:48 pm »

It is possible.  Here's what's happening:

the logs are being sent over the network as defined by this command:
destination d_abc { udp("1.2.3.4" port(514) facility(local7)); };

the receiving syslog-ng server is catching it with this source:
source s_net    { udp(); };

We know that the logs are going to syslog.log, which means that it's hitting this command:
log { source ( s_net); filter (f_syslog); destination ( d_syslog ); };
which tells us the logs are tripping this filter:
filter f_syslog { facility (syslog); };

It might be a good idea to start basic on the 1.2.3.4 server with something like this:
Code:
options {
        keep_hostname(yes);
        use_dns(yes);
        dns_cache(yes);
        create_dirs(yes);
        time_reopen(10);
        log_fifo_size(100);
        use_fqdn(no);
        perm(0644);
        dir_perm(0755);
        chain_hostnames(no);
};

# Source definitions
        source s_net    { udp(); };

# Destination

        destination d_abclog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/abc.log"); };

# Filter definitions

        filter f_local7{facility(local7);};

log { source ( s_net); filter (f_local7); destination (d_abclog); };

See if you can get that to work.  If it does work, we can add back the other pieces one at a time until we see where it is breaking.
If it doesn't work, then we can try something even more basic:
Code:
options {
        keep_hostname(yes);
        use_dns(yes);
        dns_cache(yes);
        create_dirs(yes);
        time_reopen(10);
        log_fifo_size(100);
        use_fqdn(no);
        perm(0644);
        dir_perm(0755);
        chain_hostnames(no);
};

# Source definitions
        source s_net    { udp(); };

# Destination

        destination d_abclog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/abc.log"); };

# Filter definitions

log { source ( s_net); destination (d_abclog); };

I would be shocked if that did not work.
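The facility-based routing described above, as an added Python illustration that is not from the thread or from syslog-ng itself: it parses the PRI field of constructed BSD-syslog lines and maps each facility to the file the server's filter/log pairs would select under the $HOST/$YEAR/$MONTH/$DAY layout. The sample lines, host name "aixhost" and receive date are constructed assumptions.

```python
import re
from datetime import datetime

# RFC 3164 facility codes; the PRI field in <N> is facility * 8 + severity.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

# Mirrors the server-side filter/log pairs in the thread: facility -> file.
# A facility with no matching log {} statement is dropped (None).
ROUTES = {"syslog": "syslog.log", "daemon": "daemon.log", "mail": "mail.log",
          "auth": "auth.log", "local7": "abc.log"}

BSD_RE = re.compile(r"^<(\d{1,3})>(\w{3}) {1,2}(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")

# Constructed sample lines (not from the thread). <190> is local7.info,
# <46> syslog.info, <38> auth.info and <14> user.info.
SAMPLES = [
    "<190>May 18 12:41:00 aixhost abc.log: app started",
    "<46>May 18 12:41:01 aixhost syslog-ng[123]: syslog-ng starting up",
    "<38>May 18 12:41:02 aixhost sshd[456]: Accepted publickey for ops",
    "<14>May 18 12:41:03 aixhost app: user facility, no matching filter",
]
RECEIVED = datetime(2009, 5, 18)  # assumed arrival time; BSD syslog carries no year

def parse_bsd_syslog(line):
    """Split a BSD-format syslog line into facility, severity, host and message."""
    m = BSD_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    return {"facility": FACILITIES.get(pri // 8, f"facility{pri // 8}"),
            "severity": pri % 8, "host": m.group(5), "message": m.group(6)}

def route(msg, received=RECEIVED, base="/server"):
    """Path under $HOST/$YEAR/$MONTH/$DAY that the server config would pick,
    or None when no filter matches the message's facility."""
    name = ROUTES.get(msg["facility"])
    if name is None:
        return None
    return f"{base}/{msg['host']}/{received:%Y/%m/%d}/{name}"
```

Running route(parse_bsd_syslog(line)) over SAMPLES shows the local7 line landing in abc.log while the user-facility line is dropped, which is the separation the thread's f_local7 filter is meant to give.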

mrbranden
Newbie
« Reply #9 on: May 18, 2009, 02:24:43 pm »

Fortunately, you do not have to go into shock. :-)  The very last barebones thing worked. The only thing it logged was abc.log and it put it in the correct place.

I think the culprit was this line on the client:

source  s_local { unix-stream("/dev/log"); udp(ip(127.0.0.1) port(514)); internal(); };

As soon as that was removed, it worked.

So presumably I can slowly turn on other logging services and see where it breaks, like you suggested. I will play around and post here again if I still have trouble. Feel free to let me know if you have any tips. :)

Thank you SO much for your time and patience with this issue. It is very much appreciated.

mutex
Administrator
« Reply #10 on: May 18, 2009, 02:27:59 pm »

Ah, yes.  If you have more than one source defined that listens to the network, only the first one will receive the messages, and the second one will be ignored. Take the "udp(ip(127.0.0.1) port(514));" out of s_local and you should be able to start adding things back.

mrbranden
Newbie
« Reply #11 on: May 19, 2009, 09:18:33 am »

Hmm... I'm still having trouble. I thought I had it working but I was mistaken. Unless the file has a standard facility (such as syslog), I can't filter it to its own custom file.
Adding "facility(local7)" to the destination parameter results in a syntax error.

I can log syslog (or any facility) entries to /server/$HOST/$YEAR/$MONTH/$DAY/syslog.log
OR
I can log abc.log entries to /server/$HOST/$YEAR/$MONTH/$DAY/abc.log
OR
I can have abc.log show up in syslog.log, which isn't good.

If I could filter by facility (such as a custom facility or a local7 or something) from the source or destination on the client, that might work. But I can't figure out how to do that without getting a syntax error.

Am I making any sense?

Thank you again.

mutex
Administrator
« Reply #12 on: May 19, 2009, 09:24:16 am »

Yes, makes sense.  I'll try it on my syslog-ng test box this evening.  Allegedly the facility() in the destination is valid but undocumented, but I've never tried it.

mrbranden
Newbie
« Reply #13 on: May 19, 2009, 09:39:30 am »

Hmmm... maybe I mis-typed something, but the syntax error with facility in the destination has gone away. It's still not filtering correctly, but there's no longer a syntax error.

I have this right now on the client:

source  s_file_abclog { file("/home/rootdir/abc.log" follow_freq(1));};
source s_local { unix-dgram("/dev/log"); internal();};

destination d_remote{ udp("1.2.3.4" port(514)); };
destination d_remote_abc { udp("1.2.3.4" port(514) facility(local7)); };

log { source(s_local); destination(d_remote); };
log { source(s_file_abclog); destination(d_remote_abc);};

And on the server:

# Source definitions
        source s_net    { udp(); };
#       source s_tcp    { tcp(ip("130.64.7.105") port(5140)); };


# Destination
        destination d_syslog { file("/server/$HOST/$YEAR/$MONTH/$DAY/syslog.log"); };
        destination d_abclog { file ("/server/$HOST/$YEAR/$MONTH/$DAY/abc.log"); };

# Filter definitions
        filter f_syslog { facility (syslog); };
        filter f_local7 { facility (local7);};

log { source ( s_net); filter (f_syslog); destination ( d_syslog ); };
log { source ( s_net); filter (f_local7); destination ( d_abclog); };


It all LOOKS okay.. it logs to syslog fine, but it won't log the abclog stuff.

You've been very patient and helpful. Thank you again!

mutex
Administrator
« Reply #14 on: June 10, 2009, 12:18:38 pm »

My apologies for the delay in getting back.  I had a trip that lasted longer than I expected.

On the destination server, try running tcpdump to look at the log messages.  I am curious now if the problem is on the sending side or the receiving side.