NSLU2-Linux

Optware.Syslog-ng History


March 30, 2008, at 04:56 PM by tlhackque --
Changed line 164 from:
to:
    ln -sf /var/tmp/log /dev/log
March 30, 2008, at 04:40 PM by tlhackque -- Provide fully automatic startup file; minor updates
Changed lines 5-6 from:

The current Optware package for syslog-ng is based on version 1.6.11, with appropriate setup scripts, a default config file and a startup script to run syslog-ng at every boot. The standard config file creates all log files under /opt/var/log.

to:

The current Optware package for syslog-ng is based on version 2.0.9, with basic setup scripts, a default config file and a startup script to run syslog-ng at every boot. The standard config file creates all log files under /opt/var/log.

Changed lines 40-43 from:

if [ -e /dev/log ]; then
    rm /dev/log
fi
ln -s /var/tmp/log /dev/log

to:

ln -sf /var/tmp/log /dev/log

Changed line 68 from:
to:
# destination netlog { udp("192.0.2.12" localip("192.0.2.77") template(std_msg) log_fifo_size(500)); };
Added lines 84-269:

Unslung syslog-ng won't work properly without glib 2.12.12 or greater. Make sure you install it.

The ipkg's configure script is somewhat limited. Here's a more complete one that I use - it provides all the usual functions, and automagically does the necessary edits to other startup files. The code using IPADDR is useful when your machine has more than one IP address; it's harmless otherwise. /opt/etc/config can be used to set customization variables without editing the startup script.

chmod +x!

/opt/etc/init.d/S010syslog-ng

 
#!/bin/sh
#
# Startup script for syslog-ng
#

if [ -e /opt/etc/config ]; then
    . /opt/etc/config
fi

if [ -z "$IPADDR" ]; then
    . /etc/sysconfig/network-scripts/ifcfg-ixp0
fi

if [ -z "$SYSLOGCFG" ]; then
    SYSLOGCFG=/opt/etc/syslog-ng.conf
fi

PIDFILE=/opt/var/run/syslog-ng.pid

config () {
    #
    # Check for configured
    #
    if [ -n "$IPADDR" ]; then
	if ! grep -q "localip(\"$IPADDR\")" $SYSLOGCFG ; then
	    #
            # Adjust config file so all messages sent to the network hub come from our primary IP address
	    #
	    sed -i -e"/destination /s/localip(\"[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\"/localip(\"$IPADDR\"/" \
	                                 $SYSLOGCFG
	fi
    fi
    return 0
}

start () {
    echo -n "Starting syslog-ng Server: "
    if [ -n "`pidof syslog-ng`" ]; then 
	echo "already running..."
	false
	return
    fi

    # Remove standard syslogd/klogd from inittab

    if [ -n "`sed -n -e'/^.log:unknown:\/sbin\/.*logd/p' /etc/inittab`" ]; then
	sed -i -e '/^.log:unknown:\/sbin\/.*logd/s/^/#/' /etc/inittab
	echo "syslogd/klogd have been removed from /etc/inittab."
    fi

    # If the old loggers are running, try to kill them (but as they run under init, this probably won't work.)

    if [ -n "`pidof syslogd``pidof klogd`" ]; then
	if [ -n "`pidof syslogd`" ]; then
	    /bin/killall -9 syslogd 2>/dev/null
	fi
	if [ -n "`pidof klogd`" ]; then
	    /bin/killall -9 klogd 2>/dev/null
	fi
	sleep 5
	if [ -n "`pidof syslogd``pidof klogd`" ]; then

	    cat <<EOF
syslogd/klogd have been killed, but were magically restarted,
probably by init.  syslog-ng can not be started with them running.
Please reboot.
EOF
	    /bin/false
	    return
	fi
    fi

    config

    #
    #  Supersedes the kit version
    #
    rm -rf /opt/etc/init.d/S01syslog-ng

    /opt/sbin/syslog-ng -f $SYSLOGCFG -p $PIDFILE $SYSLOGFLAGS
    if [ -n "`pidof syslog-ng`" ]; then
	echo "started"
    else
	echo "failed"
	/bin/false
    fi
    return
}

stop () {
    echo -n "Shutting down syslog-ng Server: "
    if [ -n "`pidof syslog-ng`" ]; then 
	/bin/killall -TERM syslog-ng 2>/dev/null
	sleep 5
    fi
    if [ -n "`pidof syslog-ng`" ]; then 
	echo "Failed"
	/bin/false
    else
	echo "OK"
    fi
    return
}

rstatus () {
    pid="`pidof syslog-ng`"
    # Quote both sides and discard cat's error output, so a missing pidfile reports a mismatch instead of a test syntax error
    if [ -n "$pid" ] && [ "$pid" = "`cat $PIDFILE 2>/dev/null`" ]; then
	echo "Server is running (pid $pid)"
    else
	if [ -n "$pid" ]; then
	    echo "Server is running (pid $pid), but $PIDFILE doesn't match"
	else
	    echo "Server is stopped"
	    /bin/false
	fi
    fi
    return
}

restart () {
    stop
    start
}

reload () {
    echo -n "Reloading syslog-ng configuration: "
    config
    /bin/killall -HUP syslog-ng
    sleep 5
    if [ -n "`pidof syslog-ng`" ]; then
	if [ -x /opt/bin/netstat ]; then
	    if /opt/bin/netstat -ax | grep -q /var/tmp/log ; then
		echo "OK"
	    else
		echo "server died - bad version or glib?"
		/bin/false
	    fi
	else
	    echo "OK"
	fi
    else
	echo "server died - bad version or glib?"
	/bin/false
    fi
    return
}

#
# Mainline: command decode and dispatch
#
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        rstatus
        ;;
  reload)
	reload
	;;
  restart)
        restart
        ;;
  condrestart)
        [ -n "`pidof syslog-ng`" ] && restart
        ;;
  *)
        echo "Usage: $0 {start|stop|status|reload|restart|condrestart}"
        exit 1
esac
exit $?

March 07, 2008, at 10:07 PM by tlhackque --
Changed lines 89-90 from:

At BalaBit you can find the Reference Manual in HTML for syslog-ng 1.6. http://www.balabit.com/dl/guides/syslog-ng-v2.0-guide-admin-en.pdf]|Reference Manual in PDF. There is also a FAQ about it.

to:

At BalaBit you can find the Reference Manual in HTML for syslog-ng 1.6. Reference Manual in PDF. There is also a FAQ about it.

March 07, 2008, at 10:07 PM by tlhackque -- Update reference manual link
Changed lines 89-90 from:

At BalaBit you can find the Reference Manual for syslog-ng 1.6. There is also a FAQ about it.

to:

At BalaBit you can find the Reference Manual in HTML for syslog-ng 1.6. http://www.balabit.com/dl/guides/syslog-ng-v2.0-guide-admin-en.pdf]|Reference Manual in PDF. There is also a FAQ about it.

March 07, 2008, at 10:02 PM by tlhackque --
Changed line 39 from:

[=

to:
 [=
Changed line 53 from:

[=

to:
 [=
March 07, 2008, at 09:59 PM by tlhackque -- One more try (preview isn't working)
Changed line 39 from:

@@

to:

[=

Changed line 44 from:

@@

to:

=]

Changed line 53 from:

@@

to:

[=

Changed line 84 from:

@@

to:

=]

March 07, 2008, at 09:56 PM by tlhackque -- Minor formatting
Changed lines 33-34 from:

After changing the config file, restart the syslog-ng daemon using the startup script:

to:

Caveats and advice for Unslung

The default config file may not be ideal for an Unslung user; unslung uses /var/log/messages, which the watchdog process truncates aggressively.

Another thing to be aware of is that the default linksys setup is to use DGRAM (not stream) sockets. If you run the distributed file, things shouldn't get confused - but seem to anyway. To fix this, make sure you don't use unix-stream and restore the DGRAM setup:

Deleted lines 38-44:
 /opt/etc/init.d/S01syslog-ng

The default config file may not be ideal for an Unslung user; unslung uses /var/log/messages, which the watchdog process truncates aggressively.

Another thing to be aware of is that the default linksys setup is to use DGRAM (not stream) sockets. If you run the distributed file, things shouldn't get confused - but seem to anyway. To fix this, make sure you don't use unix-stream and restore the DGRAM setup:

March 07, 2008, at 09:54 PM by tlhackque -- Linksys compatibility info & a sample config file
Changed lines 21-22 from:

After that, kill the running copies of syslogd and klogd:

to:

You won't be able to kill the running copies of syslogd and klogd because init will restart them; you must reboot.

Logging from remote sources

If you want to receive log messages from other machines in your network, such as a router or access point, you should configure them to use your slug as a syslog destination, according to the instructions for each device.

At the slug, edit the /opt/etc/syslog-ng/syslog-ng.conf and add a path to send messages from remote devices to a file. Since the original config file already has a source entry called net that receives messages through the syslog UDP protocol, all you need is a line at the end of the file defining a new message path. For example, if you want to send all messages received from remote device to /opt/var/log/syslog, already defined in the file as a destination called syslog, add this line to the end of the config:

Changed lines 30-31 from:
 killall syslogd
 killall klogd
to:
 log { source(net); destination(syslog); };
Changed lines 33-34 from:

Then start syslog-ng using the startup script:

to:

After changing the config file, restart the syslog-ng daemon using the startup script:

Changed lines 39-46 from:

You just have to follow this procedure once. At the next reboot, the built-in syslogd will be disabled and syslog-ng will be started automatically.

Logging from remote sources

If you want to receive log messages from other machines in your network, such as a router or access point, you should configure them to use your slug as a syslog destination, according to the instructions for each device.

At the slug, edit the /opt/etc/syslog-ng/syslog-ng.conf and add a path to send messages from remote devices to a file. Since the original config file already has a source entry called net that receives messages through the syslog UDP protocol, all you need is a line at the end of the file defining a new message path. For example, if you want to send all messages received from remote device to /opt/var/log/syslog, already defined in the file as a destination called syslog, add this line to the end of the config:

to:

The default config file may not be ideal for an Unslung user; unslung uses /var/log/messages, which the watchdog process truncates aggressively.

Another thing to be aware of is that the default linksys setup is to use DGRAM (not stream) sockets. If you run the distributed file, things shouldn't get confused - but seem to anyway. To fix this, make sure you don't use unix-stream and restore the DGRAM setup:

Changed lines 43-48 from:
 log { source(net); destination(syslog); };
to:

if [ -e /dev/log ]; then
    rm /dev/log
fi
ln -s /var/tmp/log /dev/log

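The DGRAM-versus-stream mismatch described above is easy to reproduce off the slug, so here is an added Python example (not from this wiki page and not from syslog-ng) that stands in for both ends of the socket: it binds a SOCK_DGRAM listener at a constructed temporary path, playing the part of the unix-dgram("/var/tmp/log") source in the sample config further down, sends it one line in the page's std_msg format, parses that line the way a program() filter would see it, and shows that a SOCK_STREAM client, which is what unix-stream() would use, cannot connect to the same socket at all. The sample message, the hostnames and the temporary path are constructed for the example.

```python
import os
import re
import socket
import tempfile

# Mirrors the page's template std_msg: "<$PRI>$STAMP $HOST $MESSAGE\n"
STD_MSG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Constructed sample line in std_msg format; PRI 30 = facility 3 (daemon), severity 6 (info).
SAMPLE_LINE = "<30>Mar 30 16:56:01 slug watchnet[123]: link up on ixp0\n"

def parse_std_msg(raw):
    """Parse one std_msg-format line into its fields, or raise ValueError."""
    m = STD_MSG_RE.match(raw.rstrip("\n"))
    if not m:
        raise ValueError("not a std_msg line: %r" % raw)
    facility, severity = divmod(int(m.group("pri")), 8)  # PRI = facility * 8 + severity
    # The tag before ':' or '[' is what a program() filter such as 'not program(watchnet)' matches.
    program = re.split(r"[:\[]", m.group("msg"), maxsplit=1)[0]
    return {"facility": facility, "severity": severity, "stamp": m.group("stamp"),
            "host": m.group("host"), "program": program, "message": m.group("msg")}

def stream_client_can_connect(path):
    """True if a SOCK_STREAM client (what unix-stream() uses) can connect to path."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(path)
        return True
    except OSError:  # EPROTOTYPE / ECONNREFUSED: the socket at path is DGRAM
        return False
    finally:
        s.close()

def dgram_round_trip(line=SAMPLE_LINE):
    """Bind a SOCK_DGRAM listener in the role of unix-dgram("/var/tmp/log"), send one line to it,
    and report the parsed message plus whether a stream client could have used the same socket."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "log")  # constructed stand-in for /var/tmp/log
    server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        server.bind(path)
        server.settimeout(2)
        stream_ok = stream_client_can_connect(path)
        client.sendto(line.encode(), path)
        parsed = parse_std_msg(server.recv(4096).decode())
    finally:
        client.close()
        server.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)
    return {"stream_client_ok": stream_ok, "parsed": parsed}
```

On a real slug the same stream-connect check pointed at /var/tmp/log tells you whether the socket type still matches what the config expects.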
Changed lines 51-52 from:

After changing the config file, restart the syslog-ng daemon using the startup script:

to:

Here's a simple config file that will write a standard syslog to /opt/var/log/messages, while duplicating the linksys /var/log/messages file.

Also shown is how to monitor another (syslog format) log file, and how to exclude some programs that might confuse the linksys utilities from the traditional file.

Changed lines 57-88 from:
 /opt/etc/init.d/S01syslog-ng
to:

options { long_hostnames(off); sync(0); create_dirs(yes); ts_format(bsd); log_msg_size(1024); };

template std_msg { template("<$PRI>$STAMP $HOST $MESSAGE\n"); template_escape(no); };
template old_msg { template("<$PRI>$STAMP $MESSAGE\n"); template_escape(no); };

# On NSLU2, /dev/log -> /var/tmp/log & is a DGRAM
# Use a file (not a pipe) to read kmsg - pipe is rw
# unix-stream("/dev/log" max-connections(10));
source src { file("/proc/kmsg" log_prefix("kernel: "));
             unix-dgram("/var/tmp/log");
             internal();
             file("/var/log/watchnet.log" follow_freq(1)); };
# source net { udp(); };

destination messages { file("/opt/var/log/messages" template(std_msg) log_fifo_size(200)); };
destination oldmsgs { file("/var/log/messages" template(old_msg) log_fifo_size(200)); };

# Everything to the large logfile
log { source(src); destination(messages); };

# Don't put watchnet clutter in the (small) traditional logfile.
filter nowatch { not program(watchnet); };
log { source(src); filter(nowatch); destination(oldmsgs); };

January 25, 2007, at 03:01 PM by fcarolo -- Additional information about syslog protocol vs. snmp
Changed lines 58-60 from:

Question: All slug related events are logging fine, but I'm having trouble logging events from my Linksys router - RT31P2?. I set the router to send logs to the slug's ip address and then to the subnet's broadcast address to no avail. I captured packets with ethereal on another linux box and identified that the snmp traffic is being sent, just not logged by the slug's syslog-ng instance. Could the Linksys snmp be somewhat proprietary? Grant

to:

Question: All slug related events are logging fine, but I'm having trouble logging events from my Linksys router - RT31P2?. I set the router to send logs to the slug's ip address and then to the subnet's broadcast address to no avail. I captured packets with ethereal on another linux box and identified that the snmp traffic is being sent, just not logged by the slug's syslog-ng instance. Could the Linksys snmp be somewhat proprietary? -- Grant

Syslog-ng can only be used to log remote events from other network devices, such as routers and access points, if they use the syslog protocol. It does not receive SNMP trap messages, so if your device generates log and alarm messages via SNMP, you will need an additional tool, such as the snmptrapd server available in the net-snmp Optware package, to receive SNMP traps and log them to syslog.

January 25, 2007, at 02:52 PM by fcarolo --
January 25, 2007, at 04:06 AM by Grant --
Deleted lines 45-46:

Question: All slug related events are logging fine, but I'm having trouble logging events from my Linksys router - RT31P2?. I set the router to send logs to the slugs ip address and the subnet's broadcast address to no avail. I captured packets on with ethereal on another linux box and identified the snmp traffic is being sent, just not logged by the slug's syslog-ng instance. Could the Linksys snmp be somewhat proprietary? Grant

Added lines 57-58:

Question: All slug related events are logging fine, but I'm having trouble logging events from my Linksys router - RT31P2?. I set the router to send logs to the slug's ip address and then to the subnet's broadcast address to no avail. I captured packets with ethereal on another linux box and identified that the snmp traffic is being sent, just not logged by the slug's syslog-ng instance. Could the Linksys snmp be somewhat proprietary? Grant

January 25, 2007, at 04:02 AM by Grant -- Logging problem
Added lines 46-47:

Question: All slug related events are logging fine, but I'm having trouble logging events from my Linksys router - RT31P2?. I set the router to send logs to the slugs ip address and the subnet's broadcast address to no avail. I captured packets on with ethereal on another linux box and identified the snmp traffic is being sent, just not logged by the slug's syslog-ng instance. Could the Linksys snmp be somewhat proprietary? Grant

January 19, 2007, at 11:45 AM by fcarolo -- added links to logrotate
Added lines 55-56:

You should set up some rotation mechanism to archive your logs and prevent them from becoming too long. You can use logrotate for this, it will let you create a rotation schedule for syslog-ng or any other program that generates logfiles.

January 14, 2007, at 07:16 PM by fcarolo -- fixed wiki link
Changed line 54 from:

At BalaBit? you can find the Reference Manual for syslog-ng 1.6. There is also a FAQ about it.

to:

At BalaBit you can find the Reference Manual for syslog-ng 1.6. There is also a FAQ about it.

January 14, 2007, at 07:16 PM by fcarolo -- Added documentation links
Changed lines 52-54 from:
to:

More information

At BalaBit? you can find the Reference Manual for syslog-ng 1.6. There is also a FAQ about it.

January 14, 2007, at 07:15 PM by fcarolo -- Installation instructions
Added lines 1-52:

Syslog-ng is a replacement for the standard syslog utility for Unix and Linux systems. It is developed and maintained by BalaBit Security.

Syslog-ng can be used as a replacement for the stock syslogd provided by Unslung if you want more control over how messages are logged, or if you need to log messages sent by other systems in your network, such as a router or access point, since these devices do not usually have a hard disk to store log messages and can only keep a limited number of log messages in memory.

The current Optware package for syslog-ng is based on version 1.6.11, with appropriate setup scripts, a default config file and a startup script to run syslog-ng at every boot. The standard config file creates all log files under /opt/var/log.

Installation

If you want to install it, just update the list of packages available for ipkg and then install it:

ipkg update
ipkg install syslog-ng

If you are running Unslung, before starting syslog-ng for the first time you have to disable the built-in syslogd and klogd. To do this, comment out the two lines in /etc/inittab by inserting a '#' at the beginning of each line. The file should then look like this:

 #slog:unknown:/sbin/syslogd -n
 #klog:unknown:/sbin/klogd -n

After that, kill the running copies of syslogd and klogd:

 killall syslogd
 killall klogd

Then start syslog-ng using the startup script:

 /opt/etc/init.d/S01syslog-ng

You just have to follow this procedure once. At the next reboot, the built-in syslogd will be disabled and syslog-ng will be started automatically.

Logging from remote sources

If you want to receive log messages from other machines in your network, such as a router or access point, you should configure them to use your slug as a syslog destination, according to the instructions for each device.

At the slug, edit the /opt/etc/syslog-ng/syslog-ng.conf and add a path to send messages from remote devices to a file. Since the original config file already has a source entry called net that receives messages through the syslog UDP protocol, all you need is a line at the end of the file defining a new message path. For example, if you want to send all messages received from remote device to /opt/var/log/syslog, already defined in the file as a destination called syslog, add this line to the end of the config:

 log { source(net); destination(syslog); };

After changing the config file, restart the syslog-ng daemon using the startup script:

 /opt/etc/init.d/S01syslog-ng
Last edited by tlhackque.
Based on work by tlhackque, fcarolo, and Grant.
Originally by fcarolo.
Page last modified on March 30, 2008, at 04:56 PM