Difference between revisions of "Talk:Syslog-ng"

From ArchWiki
Revision as of 07:57, 20 August 2013

After the example syslog-ng.conf, and aside from the timestamps and remote loghost tips, most of this article has been adapted from the Gentoo wiki page for syslog-ng.conf. FYI.

So yes, it needs updating for Arch, please.

AskApache 22:19, 14 September 2010 (EDT)

Is match() example right?

The example:

 filter f_failed { match("regex" value("failed")); };

is in my opinion bad.

List of supported values in value() should be: "HOST", "HOST_FROM", "MESSAGE", "PROGRAM", "PID", "MSGID" and "SOURCE".

More info: https://lists.balabit.hu/pipermail/syslog-ng/2009-April/012789.html

Better example could be:

 filter f_grsecurity { match("^grsec" value("MESSAGE")); };

This is a real, working example from my syslog-ng config.

Tojaj 16:39, 8 February 2011 (EST)


I'm confirming what Tojaj said. It's not only bad, it doesn't work. I looked into this documentation (http://www.balabit.com/support/documentation/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin/pdf/syslog-ng-ose-v3.4-guide-admin.pdf) to find a description and a list of supported values.

This is an extract of the documentation:

match()
Description: Match a regular expression to the headers and the message itself (that is, the values returned by the
MSGHDR and MSG macros). Note that in syslog-ng version 2.1 and earlier, the match() filter was applied only to
the text of the message, excluding the headers. This functionality has been moved to the message() filter.

To limit the scope of the match to a specific part of the message (identified with a macro), use the match(regexp
value("MACRO")) syntax. Do not include the $ sign in the parameter of the value() option.

The value() parameter accepts both built-in macros and user-defined ones created with a parser or using a pattern
database. For details on macros and parsers, see Section 11.1.2, Templates and macros (p. 212), Section 12.2, Parsing
messages (p. 234), and Section 13.2.1, Using parser results in filters and templates (p. 244).


So the complete list of supported values is:

 "AMPM", "BSDTAG", "DATE, C_DATE, R_DATE, S_DATE", "DAY, C_DAY, R_DAY, S_DAY", "FACILITY", "FACILITY_NUM", "FULLDATE, C_FULLDATE, R_FULLDATE, S_FULLDATE", "FULLHOST", "FULLHOST_FROM", "HOUR, C_HOUR, R_HOUR, S_HOUR", "HOUR12, C_HOUR12, R_HOUR12, S_HOUR12", "HOST", "HOST_FROM", "ISODATE, C_ISODATE, R_ISODATE, S_ISODATE", "LEVEL_NUM", "LOGHOST", "MIN, C_MIN, R_MIN, S_MIN", "MONTH, C_MONTH, R_MONTH, S_MONTH", "MONTH_ABBREV, C_MONTH_ABBREV, R_MONTH_ABBREV, S_MONTH_ABBREV", "MONTH_NAME, C_MONTH_NAME, R_MONTH_NAME, S_MONTH_NAME", "MONTH_WEEK, C_MONTH_WEEK, R_MONTH_WEEK, S_MONTH_WEEK", "MSEC, C_MSEC, R_MSEC, S_MSEC", "MSG or MESSAGE", "MSGHDR", "MSGID", "MSGONLY", "PID", "PRI", "PRIORITY or LEVEL", "PROGRAM", "SDATA, .SDATA.SDID.SDNAME", "SEC, C_SEC, R_SEC, S_SEC", "SOURCEIP", "SEQNUM", "STAMP, R_STAMP, S_STAMP", "SYSUPTIME", "TAG", "TAGS", "TZ, C_TZ, R_TZ, S_TZ", "TZOFFSET, C_TZOFFSET, R_TZOFFSET, S_TZOFFSET", "UNIXTIME, C_UNIXTIME, R_UNIXTIME, S_UNIXTIME", "USEC, C_USEC, R_USEC, S_USEC", "YEAR, C_YEAR, R_YEAR, S_YEAR", "WEEK, C_WEEK, R_WEEK, S_WEEK", "WEEK_ABBREV, C_WEEK_ABBREV, R_WEEK_ABBREV, S_WEEK_ABBREV", "WEEK_DAY, C_WEEK_DAY, R_WEEK_DAY, S_WEEK_DAY", "WEEKDAY, C_WEEKDAY, R_WEEKDAY, S_WEEKDAY", "WEEK_DAY_NAME, C_WEEK_DAY_NAME, R_WEEK_DAY_NAME, S_WEEK_DAY_NAME".

Nrm (talk) 07:57, 20 August 2013 (UTC)

Reversal typo in Shorewall examples

The example:

 filter f_shorewall { not match("regex" value("Shorewall")); };                  # Filter everything except regex keyword Shorewall
 filter f_noshorewall { match("regex" value("Shorewall")); };                    # Filter regex keyword Shorewall

I believe the identifiers are switched. I have switched them to what I think they are intended to be. nuclearsandwich 14:58, 26 February 2011 (PST)
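The three threads above all turn on the same mistake: the second argument of match() must name a macro, not a keyword to search for. The following check is added here (it is not from this talk page or from syslog-ng itself); it reads match("regex" value("X")) filters and classifies the value() argument against the macro list Nrm quoted, flagging a leading $ as the docs require. The config it scans is a constructed sample built from the page's examples.

```python
import re

# Built-in macro names that value() accepts, taken from the list quoted on this
# talk page. Timestamp macros come in four variants (bare, C_, R_, S_), except
# STAMP, which the list gives only as STAMP, R_STAMP and S_STAMP.
_TIME = ("DATE", "DAY", "FULLDATE", "HOUR", "HOUR12", "ISODATE", "MIN", "MONTH",
         "MONTH_ABBREV", "MONTH_NAME", "MONTH_WEEK", "MSEC", "SEC", "TZ", "TZOFFSET",
         "UNIXTIME", "USEC", "YEAR", "WEEK", "WEEK_ABBREV", "WEEK_DAY", "WEEKDAY",
         "WEEK_DAY_NAME")
_PLAIN = ("AMPM", "BSDTAG", "FACILITY", "FACILITY_NUM", "FULLHOST", "FULLHOST_FROM",
          "HOST", "HOST_FROM", "LEVEL_NUM", "LOGHOST", "MSG", "MESSAGE", "MSGHDR",
          "MSGID", "MSGONLY", "PID", "PRI", "PRIORITY", "LEVEL", "PROGRAM", "SDATA",
          "SOURCEIP", "SEQNUM", "STAMP", "R_STAMP", "S_STAMP", "SYSUPTIME", "TAG", "TAGS")
BUILTIN_MACROS = frozenset(_PLAIN) | {p + t for t in _TIME for p in ("", "C_", "R_", "S_")}

# One filter per line, in the match("regex" value("MACRO")) form used on this page.
_FILTER_RE = re.compile(r'filter\s+(\w+)\s*\{.*?match\(\s*"([^"]*)"\s+value\(\s*"([^"]*)"\s*\)')

def classify_value(name):
    """Return 'builtin', 'user' (dotted parser/pattern-db name), 'dollar' (carries
    the $ the docs say to omit) or 'unknown' (neither built-in nor dotted)."""
    if name.startswith("$"):
        return "dollar"
    if name in BUILTIN_MACROS:
        return "builtin"
    if name.startswith("."):
        return "user"
    return "unknown"

def lint_filters(config_text):
    """Return (filter name, regex, value() argument, verdict) per match() filter."""
    results = []
    for line in config_text.splitlines():
        m = _FILTER_RE.search(line)
        if m:
            results.append((m.group(1), m.group(2), m.group(3), classify_value(m.group(3))))
    return results

# Constructed sample: the examples from this talk page plus two extra cases.
SAMPLE_CONFIG = '''
filter f_failed { match("regex" value("failed")); };
filter f_grsecurity { match("^grsec" value("MESSAGE")); };
filter f_shorewall { not match("regex" value("Shorewall")); };
filter f_dollar { match("^sshd" value("$PROGRAM")); };
filter f_class { match("^violation$" value(".classifier.class")); };
'''

if __name__ == "__main__":
    for name, regex, value, verdict in lint_filters(SAMPLE_CONFIG):
        print(f"{name:14} value({value!r:22}) -> {verdict}")
```

An "unknown" verdict means syslog-ng will look for a macro that does not exist, so the filter silently matches nothing, which is exactly what the f_failed and Shorewall examples do.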

Directly to SQL

I notice that we still aren't running syslog-ng with --enable-sql (should be a trivial change at some point) but thought I would populate some basic options that will work well in the wiki when available.

This config is only valid for 3.2 and up (Current as of this writing in Arch is 3.3.4.5).

Taken directly from http://pzolee.blogs.balabit.com/2010/10/syslog-ng-example-configurations/

@version: 3.2
source s_file{file("/var/log/inputfile*.log" follow-freq(1));};
destination d_sql {
  sql(
    type("mysql")
    host("10.100.20.46")
    username("test_user")
    password("password")
    database("test_db")
    table("testtable-$YEAR-$MONTH-$DAY")
    columns("insert_time int", "date_time varchar(32)", "facility int", "priority int", "host varchar(255)", "program varchar(64)", "pid int", "message varchar(4000)")
    values("${R_UNIXTIME}", "${S_YEAR}-${S_MONTH}-${S_DAY} ${S_HOUR}:${S_MIN}:${S_SEC}", "$FACILITY_NUM", "$LEVEL_NUM", "$HOST", "$PROGRAM", "${PID:-0}", "$MSGONLY")
    indexes("insert_time", "date_time", "facility", "host", "program")
  );
};
log{
  source (s_file);
  destination (d_sql);
};

- Provided by HRabbit (2012-04-26)

Example configuration file is outdated

The /etc/syslog-ng/syslog-ng.conf file used is outdated. It generates these errors when restarting syslog-ng:

$ sudo rc.d restart syslog-ng
:: Stopping Syslog-NG                                                    [DONE] 
:: Starting Syslog-NG                                                    [BUSY] 

WARNING: Configuration file format is too old, please update it to use the 3.3 format as some constructs might operate inefficiently;
WARNING: global: the default value of log_fifo_size() has changed to 10000 in version 3.3 to reflect log_iw_size() changes for tcp()/udp() window size changes;
Error parsing config, syntax error, unexpected KW_LOG in /etc/syslog-ng/syslog-ng.conf at line 30, column 10:

   group(log);
         ^^^

syslog-ng documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng

Foppe (talk) 01:04, 2 July 2012 (UTC)

I'm using syslog-ng 3.3.5-1 and I get no warnings.
For solving such issues, I think forums, IRC or the arch-general mailing list are better than the wiki. - Karol (talk) 08:59, 2 July 2012 (UTC)

Thanks for your response.
I'm not searching for answers to my problems but merely warning that the Wiki article might be out of date. For starters, the @version tag in line 1 should read
@version: major.minor
and reflect the current version of syslog-ng used in Arch. I haven't investigated the error I got but probably the original author of this section could have a look.
Foppe (talk) 19:00, 2 July 2012 (UTC)

I may have misunderstood you. If you're referring to the Example configuration file (https://wiki.archlinux.org/index.php/Syslog-ng#Example_configuration_file) then yes, it is outdated as the current version is 3.3. I think we should replace it with a link to the current one (https://projects.archlinux.org/svntogit/packages.git/plain/trunk/syslog-ng.conf?h=packages/syslog-ng). What do you think? -- Karol (talk) 20:30, 2 July 2012 (UTC)

The author (who uses the description 'my own personal preferences') has a point in providing a more detailed example of the configuration file than the current one, which is already in /etc/syslog-ng/. However, I would like him to update this one so at least it works. Foppe (talk) 23:42, 2 July 2012 (UTC)