NSLU2-Linux
- FAQ: Frequently Asked Questions
- Donations
- Downloads
- Trac Bug Tracker
- Package Search Engine
- All Recent Wiki Changes
General
- HowTo Recipes
- Cool Peripherals
- Cool Applications
- Information Pages
- Ideas and Wish List
- Slug Success Stories
- Slug-Related Articles
- Project Mailing Lists
- Project IRC Channels
- Donations and Sponsors
- NSLU2-Linux Photo Gallery
OS/Firmware Projects
- NSLU2-Linux Development
- How Do I Get Involved?
- Unslung Firmware
- Debian Installation
- SlugOS Firmware
- OpenSlug Firmware
- SlugOS/LE Firmware
- OpenWrt Firmware
- Angstrom Firmware
- UcSlugC Firmware
- GentooSlug Firmware
- UpSlug Upload Tool
- Puppy Topfield Access
Firmware Targets
Optware
Optware Targets
Other Hardware
Wiki Resources
Sponsored Links
hosting by:
Syslog-ng is a replacement for the standard syslog utility for Unix and Linux systems. It is developed and maintained by BalaBit Security.
Syslog-ng can be used as a replacement for the stock syslogd provided by Unslung, if you want more control about how messages are logged or if you need to log messages sent by other systems in your network, such as a router or access point, since these devices do not usually have a hard disk to store log messages and can only store a bunch of log messages in memory.
The current Optware package for syslog-ng is based on version 2.0.9, with basic setup scripts, a default config file and a startup script to run syslog-ng at every boot. The standard config file creates all log files under /opt/var/log.
Installation
If you want to install it, just update the list of packages available for ipkg and then install it:
ipkg update
ipkg install syslog-ng
If you are running Unslung, before starting syslog-ng for the first time you have to disable the built-in syslogd and klogd. To do this, comment the two lines at /etc/inittab by inserting a '#' at the beginning of each line. The file should like like this:
#slog:unknown:/sbin/syslogd -n #klog:unknown:/sbin/klogd -n
You won't be able to kill the running copies of syslogd and klogd because init will restart them; you must reboot.
Logging from remote sources
If you want to receive log messages from other machines in your network, such as a router or access point, you should configure them to use your slug as a syslog destination, according to the instructions for each device.
At the slug, edit the /opt/etc/syslog-ng/syslog-ng.conf and add a path to send messages from remote devices to a file. Since the original config file already has a source entry called net that receives messages through the syslog UDP protocol, all you need is a line at the end of the file defining a new message path. For example, if you want to send all messages received from remote device to /opt/var/log/syslog, already defined in the file as a destination called syslog, add this line to the end of the config:
log { source(net); destination(syslog); };
Caveats and advice for Unslung
The default config file may not be ideal for an Unslung user; unslung uses /var/log/messages, which the watchdog process truncates aggressively.
Another thing to be aware of is that the default linksys setup is to use DGRAM (not stream) sockets. If you run the distributed file, things shouldn't get confused - but seem to anyway. To fix this, make sure you don't use unix-stream and restore the DGRAM setup:
ln -sf /var/tmp/log /dev/log
Here's a simple config file that will write a standard syslog to /opt/var/log/messages, while duplicating the linksys /var/log/messages file.
Also shown is how to monitor another (syslog format) log file, and how to exclude some programs that might confuse the linksys utilities from the traditional file.
options { long_hostnames(off); sync(0); create_dirs(yes); ts_format(bsd); log_msg_size(1024); };
template std_msg { template("<$PRI>$STAMP $HOST $MESSAGE\n"); template_escape(no); };
template old_msg { template("<$PRI>$STAMP $MESSAGE\n"); template_escape(no); };
#On NSLU2, /dev/log -> /var/tmp/log & is a DGRAM
#Use a file (not a pipe) to read kmsg - pipe is rw
#unix-stream("/dev/log" max-connections(10));
source src { file("/proc/kmsg" log_prefix("kernel: "));
unix-dgram("/var/tmp/log");
internal();
file("/var/log/watchnet.log" follow_freq(1)); };
#source net { udp(); };
destination messages { file("/opt/var/log/messages" template(std_msg) log_fifo_size(200)); };
#destination netlog { udp("192.0.2.12" localip("192.0.2.77") template(std_msg) log_fifo_size(500)); };
destination oldmsgs { file("/var/log/messages" template(old_msg) log_fifo_size(200)); };
#Everything to the large logfile
#
log { source(src); destination(messages); };
# Don't put watchnet clutter in the (small) traditional logfile.
filter nowatch { not program(watchnet); };
log { source(src); filter(nowatch); destination(oldmsgs); };
Unslung syslog-ng won't work properly without glib 2.12.12 or greater. Make sure you install it.
The ipkg's configure script is somewhat limited. Here's a more complete one that I use - it provides all the usual functions, and automagically does the necessary edits to other startup files. The code using IPADDR is useful when your machine has more than one IP address; it's harmless otherwise. /opt/etc/config can be used to set customization variables without editing the startup script.
chmod +x!
/opt/etc/init.d/S010syslog-ng
#!/bin/sh
#
# Startup script for syslog-ng
#
if [ -e /opt/etc/config ]; then
. /opt/etc/config
fi
if [ -z "$IPADDR" ]; then
. /etc/sysconfig/network-scripts/ifcfg-ixp0
fi
if [ -z "$SYSLOGCFG" ]; then
SYSLOGCFG=/opt/etc/syslog-ng.conf
fi
PIDFILE=/opt/var/run/syslog-ng.pid
config () {
#
# Check for configured
#
if [ -n "$IPADDR" ]; then
if ! grep -q "localip(\"$IPADDR\")" $SYSLOGCFG ; then
#
# Adjust config file so all messages sent to the network hub come from our primary IP address
#
sed -i -e"/destination /s/localip(\"[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\"/localip(\"$IPADDR\"/" \
$SYSLOGCFG
fi
fi
return 0
}
start () {
echo -n "Starting syslog-ng Server: "
if [ -n "`pidof syslog-ng`" ]; then
echo "already running..."
false
return
fi
# Remove standard syslogd/klogd from inittab
if [ -n "`sed -n -e'/^.log:unknown:\/sbin\/.*logd/p' /etc/inittab`" ]; then
sed -i -e '/^.log:unknown:\/sbin\/.*logd/s/^/#/' /etc/inittab
echo "syslogd/klogd have been removed from /etc/inittab."
fi
# If old loggers are runing, try to kill them (but as they run under init, probably won't work.)
if [ -n "`pidof syslogd``pidof klogd`" ]; then
if [ -n "`pidof syslogd`" ]; then
/bin/killall -9 syslogd 2>/dev/null
fi
if [ -n "`pidof klogd`" ]; then
/bin/killall -9 klogd 2>/dev/null
fi
sleep 5
if [ -n "`pidof syslogd``pidof klogd`" ]; then
cat <<EOF
syslogd/klogd have been killed, but were magically restarted,
probably by init. syslog-ng can not be started with them running.
Please reboot.
EOF
/bin/false
return
fi
fi
ln -sf /var/tmp/log /dev/log
config
#
# Supersedes the kit version
#
rm -rf /opt/etc/init.d/S01syslog-ng
/opt/sbin/syslog-ng -f $SYSLOGCFG -p $PIDFILE $SYSLOGFLAGS
if [ -n "`pidof syslog-ng`" ]; then
echo "started"
else
echo "failed"
/bin/false
fi
return
}
stop () {
echo -n "Shutting down syslog-ng Server: "
if [ -n "`pidof syslog-ng`" ]; then
/bin/killall -TERM syslog-ng 2>/dev/null
sleep 5
fi
if [ -n "`pidof syslog-ng`" ]; then
echo "Failed"
/bin/false
else
echo "OK"
fi
return
}
rstatus () {
pid="`pidof syslog-ng`"
if [ -n "$pid" ] && [ $pid = `cat $PIDFILE 2>&1` ]; then
echo "Server is running (pid $pid)"
else
if [ -n "$pid" ]; then
echo "Server is running (pid $pid), but $PIDFILE doesn't match"
else
echo "Server is stopped"
/bin/false
fi
fi
return
}
restart () {
stop
start
}
reload () {
echo -n "Reloading syslog-ng configuration: "
config
/bin/killall -HUP syslog-ng
sleep 5
if [ -n "`pidof syslog-ng`" ]; then
if [ -x /opt/bin/netstat ]; then
if /opt/bin/netstat -ax | grep -q /var/tmp/log ; then
echo "OK"
else
echo "server died - bad version or glib?"
/bin/false
fi
else
echo "OK"
fi
else
echo "server died - bad version or glib?"
/bin/false
fi
return
}
#
# Mainline: command decode and dispatch
#
case "$1" in
start)
start
;;
stop)
stop
;;
status)
rstatus
;;
reload)
reload
;;
restart)
restart
;;
condrestart)
[ -n "`pidof syslog-ng`" ] && restart
;;
*)
echo "Usage: $0 {start|stop|status|reload|restart|condrestart}"
exit 1
esac
exit $?
More information
At BalaBit you can find the Reference Manual in HTML for syslog-ng 1.6. Reference Manual in PDF. There is also a FAQ about it.
You should set up some rotation mechanism to archive your logs and prevent them from becoming too long. You can use logrotate for this, it will let you create a rotation schedule for syslog-ng or any other program that generates logfiles.
Question: All slug related events are logging fine, but I'm having trouble logging events from my Linksys router - RT31P2?. I set the router to send logs to the slug's ip address and then to the subnet's broadcast address to no avail. I captured packets with ethereal on another linux box and identified that the snmp traffic is being sent, just not logged by the slug's syslog-ng instance. Could the Linksys snmp be somewhat proprietary? -- Grant
Syslog-ng can only be used to log remote events from other network devices, such as routers and access points, if they use the syslog protocol. It does not receive SNMP trap messages, so if your device generates log and alarm messages via SNMP, you will need an additional tool, such as the snamptrapd server available in the net-snmp Optware package, to receive SNMP traps and log them to syslog.