Pot Of Syslog-NG Tricks Version 2
Correcting bad or duplicate time and date stamps
Trying to accept logs from applications or devices into syslog-ng, but end up seeing two date and time fields in the resulting log coming out of syslog-ng? This happens because syslog-ng is not able to understand the format that the date and time stamp arrive in. Here’s an easy way to fix that problem. Use a template to only use the “message” part of the incoming log:
source s_net { udp(); };
destination d_file{ file(“/var/log/application.log” template(“$MSG\n”)); };
log { source(s_net); destination(d_file); };
Including the facility & priority of a message syslog-ng output
To add the written form of the facility and priority to logs coming out of syslog-ng, such as “local1:info”, use the following template.
destination d_file {
file(“/var/log/messages”
template(“$FACILITY:$PRIORITY $MSG\n”; template_escape(no))); };
Alternatively, to add the numeric severity, use this:
destination d_file {
file(“/var/log/messages”
template(“$PRI $MSG\n”; template_escape(no))); };
Configuring syslog-ng as a relay
Syslog-ng is pretty straight forward to configure as a relay.
source s_net { udp(); };
destination d_net{ udp(“192.168.0.1″ port(514)); };
log { source(s_net); destination(d_net); };
Running Syslog-NG on Windows
This post describes running syslog-ng as a server on Windows. In another post, we describe how to send Windows Event Logs to syslog.
There are many great commercial syslog servers for Windows. There are not many options for those looking for a free alternative. One option is Aonaware. Another option is to install syslog-ng through cygwin. Cygwin is a Linux-like environment run inside a windows command shell. Cygwin runs on all current desktop and server versions of Windows. In this post, we will walk through setting up syslog-ng on a windows host.
- First, visit the Cygwin website to download the setup.exe application. Save, then run setup.exe.
- Choose “Install From Internet”
- Select the directory to install into and the user to install for (leave this as “all users”).
- Enter the directory for local packages. Accepting the default location is fine.
- Choose your Internet connection type (direct or proxy)
- Select a site to download from. Any one should be fine.
- At the “install packages” window, type is “syslog” in the search box. You will see “Admin” below. Expand the admin section, and you will see syslog-ng. Click the word “skip” until you see 3.0.1 (or whatever the latest supported version is).
- Also choose the following packages:
- Admin/cygrunsrv
- Editors/VIM
- Gnome/glib
- Finish the installation. Read more…
Pot Of Syslog-NG Tricks Version 1
Fixing Duplicate Date and/or Hostname Problems
Some devices send syslog messages with improperly formatted headers, which can cause syslog-ng to append a new set of header information, meaning that the host name and/or date appear twice in the logs. A simple way to solve this is using a template:
source s_net { udp();};
destination d_file { file(“/var/log/file.log” template(“$MSG\n”)); };
log {source(s_net); destination(d_file); };
The template function in the destination definition tells syslog-ng to discard the header from the received message and only keep the actual message data, which is contained in the variable $MSG. Syslog-ng inserts the proper header, using the date the log was received and the host the log came from, resulting in a normal syslog message. Read more…
Segregating Logs From Different Log Files On A Centralized Log Server Using Syslog-NG
In this post, I will demonstrate a way to capture logs from a series of log files, and relay those logs to a central log server, where the logs will be separated into log files, as they existed on the original host.
Reading from files
Syslog-ng has the ability to pull log data from files, then treat those logs as any other source, like this:
source s_file_abclog { file(“/var/log/abc.log” follow_freq(1));};
In this way, you can handle log data from applications that do not have native support for syslog.
Then, you can send that data to a central log server, like this:
source s_file_abclog { file(“/var/log/abc.log” follow_freq(1));};
destination d_remote{udp(“192.168.0.3″ port(514)); };
log { source(s_file_abclog); destination(d_remote);}; Read more…
Categories: Log Management, logging Tags: syslog-ng
Configuring The Snare Windows Client And Syslog-NG To Work Together
In a previous post, we looked at installing Snare to log Windows events to a syslog server. Here, we will configure syslog-ng to accept messages from Snare and implement a few simple customizations, including storing the logs in individual files. We will assume that Snare is operational for the purposes of this guide. Please see the post referenced above for help with installing Snare.
For this test, I am running syslog-ng 3.0.1 on FreeBSD 7.1 and Snare 3.14 on Windows XP.
First, we will start with a very basic configuration that logs to /var/log/messages:
source src {
internal();
udp(port(514));
};
destination messages { file(“/var/log/messages”); };
log {source(src); destination(messages);};
Categories: Windows, logging Tags: Snare, syslog-ng, Windows Logging
Native MySQL support in syslog-ng
So, apparently I’ve been living under a rock. One of the biggest criticisms I’ve had about syslog-ng for a long time is the terribly convoluted process to get logs into MySQL. I was looking through the syslog-ng mailing list and saw someone asking for help with getting the script to work for piping logs into MySQL, and the response was something like “why don’t you just use the native support for interfacing with MySQL?”. Now I’ll need to find something else to complain about.
I have yet to play with this interface, but I’m building a system now to test bed it with.