Dispersed dokumentation

User Tools

Site Tools

Trace:
linux:syslog-ng

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

linux:syslog-ng [2013-02-12 12:17]
kokkez 		linux:syslog-ng [2013-02-12 12:30] (current)
kokkez
Line 8: Line 8:
 [[http://www.campin.net/syslog-ng/faq.html|FAQ]]. [[http://www.campin.net/syslog-ng/faq.html|FAQ]].
  
-This is not just used to log users but a replacement to your syslog. From +This is not just used to log users but a replacement to your syslog. 
-the syslog-ng information: "The application can operate in server or agent +From the syslog-ng information:
-mode, and - apart from UDP - supports the reliable TCP and the encrypted +
-TLS protocols. That way syslog-ng can be used to create flexible and +
-reliable logging  infrastructure even in heterogeneous environments." +
-"syslog-ng reads and logs messages to the system console, log files, other +
-machines and/or users as specified by its configuration file."+
  
-Note that syslog-ng is a logger only. It does not report. It is up to you +"The application can operate in server or agent mode, and apart from UDP supports the reliable TCP and the encrypted TLS protocolsThat way **syslog-ng** can be used to create flexible and reliable logging infrastructure even in heterogeneous environments. **syslog-ng** reads and logs messages to the system consolelog filesother machines and/or users as specified by its configuration file."
-to use a method to parse/view your logs. Find a list of a variety of log +
-analysis programs to help you do this under my tutorial section 'LOG +
-ANALYZERS-PARSERS'Syslog-ng messages can be piped into a MySQL data +
-base for a beautiful web based graphical interface using LogZilla +
-(formerly php-syslog-ng, tutorial HERE), or using Splunk, (tutorial HERE).+
  
-INSTALL: +Note that syslog-ng is a logger only. It does not report. It is up to you to use a method to parse/view your logs. Find a list of a variety of log analysis programs to help you do this under my tutorial section 'LOG 
-```````` +ANALYZERS-PARSERS'. Syslog-ng messages can be piped into a MySQL database for a beautiful web based graphical interface using LogZilla (formerly php-syslog-ng, tutorial HERE), or using Splunk, (tutorial HERE). 
-View HERE, or HERE if you want to install in chroot jail, otherwise: + 
-su +===== INSTALL: == 
-aptitude update + 
-aptitude install syslog-ng +View [[http://www.campin.net/syslog-ng/chroot-jail.html|HERE]], or [[http://eagain.net/articles/syslog-ng-chroot/|HERE]] if you want to install in chroot jail, otherwise: 
-y+  su 
 +  aptitude update 
 +  aptitude install syslog-ng 
 +  y
  
 Output will be similar to: Output will be similar to:
-[snip] +  [snip] 
-The following NEW packages will be installed: +  The following NEW packages will be installed: 
-libevtlog0{a} syslog-ng +  libevtlog0{a} syslog-ng 
-The following packages will be REMOVED: +  The following packages will be REMOVED: 
-klogd{a} sysklogd{a} +  klogd{a} sysklogd{a} 
-[snip] +  [snip] 
-Removing klogd ... +  Removing klogd ... 
-Stopping kernel log daemon.... +  Stopping kernel log daemon.... 
-Removing sysklogd ... +  Removing sysklogd ... 
-Stopping system log daemon.... +  Stopping system log daemon.... 
-[snip] +  [snip] 
-Setting up libevtlog0 (0.2.8~1-2) ... +  Setting up libevtlog0 (0.2.8~1-2) ... 
-Setting up syslog-ng (2.0.9-4.1) ... +  Setting up syslog-ng (2.0.9-4.1) ... 
-Starting system logging: syslog-ng. +  Starting system logging: syslog-ng. 
-[snip]+  [snip] 
 + 
 +  ps x 
 +  13395 ?        Ss     0:00 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
  
-ps x +Syslog-ng will be installed with the service to run after reboot (2-5), you need not manually set it. 
-13395 ?        Ss     0:00 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid+If you like to view its settings: 
 +  sysv-rc-conf
  
-Syslog-ng will be installed with the service to run after reboot (2-5), 
-you need not manually set it. If you like to view its settings: 
-sysv-rc-conf 
 It will have this: It will have this:
-syslog-ng [ ] [X] [X] [X] [X] [ ] [ ] [ ]+  syslog-ng [ ] [X] [X] [X] [X] [ ] [ ] [ ]
  
-Syslog-ng is highly configurable. Such things as alert you, filters, +Syslog-ng is highly configurable. Such things as alert you, filters, logging sent to multiple destinations such as another server to prevent tampering of the logs, log or not log x programs, log per host, etc. View HERE for all syslog-ng.conf default settings in an easy to view format. There are many other settings you can add to suit your needs. 
-logging sent to multiple destinations such as another server to prevent + 
-tampering of the logs, log or not log x programs, log per host, etc. View +===== FILES: == 
-HERE for all syslog-ng.conf default settings in an easy to view format. + 
-There are many other settings you can add to suit your needs.+Default configuration file is here, read it, make changes to suit your needs: 
 +  cat /etc/syslog-ng/syslog-ng.conf
  
-FILES: 
-`````` 
-Default configuration file is here, read it, make changes to suit your 
-needs: 
-cat /etc/syslog-ng/syslog-ng.conf 
 Can set variables here also: Can set variables here also:
-cat /etc/default/syslog-ng+  cat /etc/default/syslog-ng 
 Process ID: Process ID:
-cat /var/run/syslog-ng.pid+  cat /var/run/syslog-ng.pid 
 Log: Log:
-/var/log/syslog+  /var/log/syslog 
 And of course it will now take over the writing the normal syslog logs: And of course it will now take over the writing the normal syslog logs:
-/var/log/auth.log +  /var/log/auth.log 
-/var/log/daemon.log +  /var/log/daemon.log 
-/var/log/debug +  /var/log/debug 
-/var/log/kern.log +  /var/log/kern.log 
-/var/log/mail.err +  /var/log/mail.err 
-/var/log/mail.log +  /var/log/mail.log 
-/var/log/messages +  /var/log/messages 
-/var/log/user.log +  /var/log/user.log 
-/var/log/uucp.log+  /var/log/uucp.log 
 + 
 +===== COMMANDS: == 
 + 
 +  man syslog-ng
  
-COMMANDS: 
-````````` 
-man syslog-ng 
 To restart syslog-ng: To restart syslog-ng:
-/etc/init.d/syslog-ng restart+  /etc/init.d/syslog-ng restart 
 + 
 +===== CRON LOGS: == 
 + 
 +A feature of syslog-ng is that you can have your cron jobs log to a separate file, instead of mixing with the other logs. 
 +To enable this feature: 
 +  pico /etc/syslog-ng/syslog-ng.conf
  
-CRON LOGS: 
-`````````` 
-A feature of syslog-ng is that you can have your cron jobs log to a 
-separate file, instead of mixing with the other logs. To enable this 
-feature: 
-pico /etc/syslog-ng/syslog-ng.conf 
 Has this: Has this:
-# this is commented out in the default syslog.conf +  # this is commented out in the default syslog.conf 
-# cron.*                         /var/log/cron.log +  # cron.*                         /var/log/cron.log 
-#log { +  #log { 
-       source(s_all); +     source(s_all); 
-       filter(f_cron); +     filter(f_cron); 
-       destination(df_cron); +     destination(df_cron); 
-#};+  #};
  
 Change to: Change to:
-# this is commented out in the default syslog.conf +  # this is commented out in the default syslog.conf 
-# cron.*                         /var/log/cron.log +  # cron.*                         /var/log/cron.log 
-log { +  log { 
-  source(s_all); +      source(s_all); 
-  filter(f_cron); +      filter(f_cron); 
-  destination(df_cron); +      destination(df_cron); 
-};+  };
  
  
-/etc/init.d/syslog-ng restart+  /etc/init.d/syslog-ng restart 
 Wait until a cron job has been run, then you'll have the file 'cron.log': Wait until a cron job has been run, then you'll have the file 'cron.log':
-ls -al /var/log/cron* +  ls -al /var/log/cron* 
-cat /var/log/cron.log+  cat /var/log/cron.log
  
 syslog-ng will rotate cron.log as well, you needn't do anything, it's syslog-ng will rotate cron.log as well, you needn't do anything, it's
Line 125: Line 120:
 cat /etc/logrotate.d/syslog-ng cat /etc/logrotate.d/syslog-ng
  
-LOG ROTATION TROUBLE SHOOTING NOTE: +===== LOG ROTATION TROUBLE SHOOTING NOTE: == 
-``````````````````````````````````` + 
-Syslog-ng will install its own logrotation script. IF you have +Syslog-ng will install its own logrotation script. IF you have previously set up custom settings for any your standard Debian logs, check if syslog-ng has also created a setting for any of these logs here: 
-previously set up custom settings for any your standard Debian logs, check +  cat /etc/logrotate.d/syslog-ng 
-if syslog-ng has also created a setting for any of these logs here: + 
-cat /etc/logrotate.d/syslog-ng +For example I had added my own settings for auth.log and then after installing syslog-ng I noticed root had received e-mails stating: 
-For example I had added my own settings for auth.log and then after +  /etc/cron.daily/logrotate: 
-installing syslog-ng I noticed root had received e-mails stating: +  error: /etc/logrotate.conf:41 duplicate log entry for /var/log/auth.log 
-/etc/cron.daily/logrotate: +  run-parts: /etc/cron.daily/logrotate exited with return code 1
-error: /etc/logrotate.conf:41 duplicate log entry for /var/log/auth.log +
-run-parts: /etc/cron.daily/logrotate exited with return code 1+
  
 To find the culprit of this error I did: To find the culprit of this error I did:
-grep -r auth.log /etc/*+  grep -r auth.log /etc/*
  
-Which then I discoverd syslog-ng had this file listed in its rotation. So +Which then I discoverd syslog-ng had this file listed in its rotation. So then I removed my custom settings (on /etc/logrotate.conf) and added them
-then I removed my custom settings (on /etc/logrotate.conf) and added them+
 to syslog-ng rotation settings like this: to syslog-ng rotation settings like this:
-pico /etc/logrotate.d/syslog-ng+  pico /etc/logrotate.d/syslog-ng 
 Has this: Has this:
-/var/log/auth.log { +  /var/log/auth.log { 
-rotate 4 +      rotate 4 
-missingok +      missingok 
-notifempty +      notifempty 
-weekly +      weekly 
-compress +      compress 
-}+  }
  
 I changed it to: I changed it to:
-/var/log/auth.log { +  /var/log/auth.log { 
-rotate 3 +      rotate 3 
-notifempty +      notifempty 
-daily +      daily 
-delaycompress +      delaycompress 
-compress +      compress 
-create 640 root adm +      create 640 root adm 
-mailfirst +      mailfirst 
-mail my_email@gmail.com +      mail my_email@gmail.com 
-}+  }
  
 Then you'll need to restart syslog-ng: Then you'll need to restart syslog-ng:
-/etc/init.d/syslog-ng restart+  /etc/init.d/syslog-ng restart
  
 If you want to test logrotation without actually rotating: If you want to test logrotation without actually rotating:
-logrotate --debug --force /etc/logrotate.d/syslog-ng+  logrotate --debug --force /etc/logrotate.d/syslog-ng 
 You might see an error stating no such file: You might see an error stating no such file:
-[snip] +  [snip] 
-error: failed to open /var/log/auth.log.1.gz for mailing: No such file or +  error: failed to open /var/log/auth.log.1.gz for mailing: No such file or 
-directory +  directory 
-[snip]+  [snip]
  
 Then to rotate manually: Then to rotate manually:
-logrotate --force -v /etc/logrotate.d/syslog-ng +  logrotate --force -v /etc/logrotate.d/syslog-ng
-Which might also produce an error IF auth.log has grown larger then your +
-e-mail client is set up to send- that is IF you have it set up to be +
-e-mailed out: +
-[snip] +
-Can't send mail: sendmail process failed with error code 1 +
-[snip]+
  
-So then I just ran the manual rotation one more time to make sure all +Which might also produce an error IF auth.log has grown larger then your e-mail client is set up to send- that is IF you have it set up to be e-mailed out: 
-worked now that size was down (rotation made a new file): +  [snip] 
-logrotate --force -v /etc/logrotate.d/syslog-ng +  Can't send mail: sendmail process failed with error code 1 
-Received my e-mail again noticed that with the different settings it had, +  [snip] 
-it left 2 stragglers from 10 days previous (when the error started): + 
-ls -al /var/log +So then I just ran the manual rotation one more time to make sure all worked now that size was down (rotation made a new file): 
-1 root adm     5305 2010-07-28 11:00 auth.log +  logrotate --force -v /etc/logrotate.d/syslog-ng 
-1 root adm    36891 2010-07-18 06:47 auth.log.0 + 
-1 root adm     4561 2010-07-28 10:59 auth.log.1 +Received my e-mail again noticed that with the different settings it had, it left 2 stragglers from 10 days previous (when the error started): 
-1 root adm  1292972 2010-07-18 06:25 auth.log.2 +  ls -al /var/log 
-1 root adm     3775 2010-07-28 10:57 auth.log.2.gz +  1 root adm     5305 2010-07-28 11:00 auth.log 
-1 root adm      508 2010-07-28 10:24 auth.log.3.gz+  1 root adm    36891 2010-07-18 06:47 auth.log.0 
 +  1 root adm     4561 2010-07-28 10:59 auth.log.1 
 +  1 root adm  1292972 2010-07-18 06:25 auth.log.2 
 +  1 root adm     3775 2010-07-28 10:57 auth.log.2.gz 
 +  1 root adm      508 2010-07-28 10:24 auth.log.3.gz
  
 Or you might have received the error: Or you might have received the error:
-old log /var/log/auth.log.0.gz does not exist+  old log /var/log/auth.log.0.gz does not exist 
 So then I did: So then I did:
-gzip /var/log/auth.log.0 +  gzip /var/log/auth.log.0 
-gzip /var/log/auth.log.2 +  gzip /var/log/auth.log.2 
-y+  y 
 + 
 +  logrotate --force -v /etc/logrotate.d/syslog-ng
  
-logrotate --force -v /etc/logrotate.d/syslog-ng 
 And all is fine now: And all is fine now:
-ls -al /var/log/auth.* +  ls -al /var/log/auth.* 
-Then download auth.log.2.gz if you need it for your records before it is + 
-rotated out.+Then download auth.log.2.gz if you need it for your records before it is rotated out.
  
  
linux/syslog-ng.1360667822.txt.gz · Last modified: 2013-02-12 12:17 by kokkez

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain
Public Domain Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki