# [SOLVED] Problem with Syslog-ng

## DrekAlots

I emerged syslog-ng and was following the page here http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=3#doc_chap4 on how to set it up to save into different files. After copying and pasting the text out I attempted to restart syslog-ng and got this error:

```
derek@tuxserver ~ $ sudo /etc/init.d/syslog-ng restart
Password:
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
 * Starting syslog-ng ...
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
Error in configuration, unresolved source reference; source='kernsrc'
 * Failed to start syslog-ng                                                                                           [ !! ]
```

Any ideas? I'm new to syslog but have a need for my log files to be separated.

EDIT TO ADD CONFIG:

```
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.3.0,v 1.1 2009/05/25 20:07:21 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux

options {
        chain_hostnames(no);
        # The default action of syslog-ng is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats_freq(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); destination(messages); };
log { source(src); destination(console_all); };

#define destinations
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
destination xconsole { pipe("/dev/xconsole"); };

#create filters
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
        and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };

#connect filter and destination
log { source(src); filter(f_authpriv); destination(authlog); };
#log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };

#default log
log { source(src); destination(console_all); };
```

Last edited by DrekAlots on Fri Jan 22, 2010 11:44 pm; edited 1 time in total

----------

## massimo

The following line is wrong since there is no such source defined:

```
log { source(kernsrc); filter(f_kern); destination(kern); };
```

Instead of kernsrc put src. Now you can restart syslog-ng.

Take a look at the man page and/or the online manual regarding the other warnings.

----------

## DrekAlots

Ok. I nuked the old config file and wrote a new one. The new one works, meaning it starts with no errors. But I'm not sure if it's correct. Here's the config:

```
@version: 3.0
#
# Syslog NG Config File
# Created 1/21/10
#

options
{
   create_dirs(yes);
   dir_perm(0700);
   perm(0600);
   owner(root);
   group("syslog");
   keep_hostname(yes);
   long_hostnames(on);
};

# Sources
source s_local { unix-stream("/dev/log" max-connections(256)); internal(); };
source s_rtr    { udp(ip(192.168.1.3) port(514)); };

# Destinations
destination d_rtr    { file("/var/log/rtr-$YEAR$MONTH$DAY.log"); };
destination d_auth   { file("/var/log/auth.log"); };

# Filters
filter f_rtr    { host("TheDarkSide"); };
filter f_auth   { program(sshd); };

# Logs
log { source(s_rtr); filter(f_rtr); destination(d_rtr); };
log { source(s_local); filter(f_auth); destination(d_auth); };
```

My questions are these:

1. I logged into the router (Cisco 871w) and forced an entry in the log; the log on the gentoo box running syslog-ng doesn't exist.

2. The auth.log file is also empty after logging in and out with ssh.

3. Do I need anything else to log all other info to the default file "messages" in the /var/log directory?

----------

## massimo

Did you restart syslog-ng after the final change to your syslog-ng?

*DrekAlots wrote:*

> 1. I logged into the router (Cisco 871w) and forced an entry in the log; the log on the gentoo box running syslog-ng doesn't exist.


Whose IP address is 192.168.1.3? You could do a tcpdump or use wireshark to check if this message does arrive at your syslog server (gentoo box). Maybe you are missing something in the Cisco configuration too. Is your gentoo system able to resolve TheDarkSide?

*DrekAlots wrote:*

> 2. The auth.log file is also empty after logging in and out with ssh.


Should work as far as I can tell from your configuration.

*DrekAlots wrote:*

> 3. Do I need anything else to log all other info to the default file "messages" in the /var/log directory?


Yes, you need a log directive which writes everything else into messages. You have no rule which covers that. When you really want "everything else" in messages, then you have to make sure that the other two log directives are the final ones for the given filters.

----------

## DrekAlots

I made some changes from the previous configuration and am now receiving logs from my Cisco router. Also, the auth.log is populating correctly. I am unsure how to specify a log rule for "everything else" though.

```
@version: 3.0
#
# Syslog NG Config File
# Created 1/21/10
#

options
{
   create_dirs(yes);
   dir_perm(0700);
   perm(0600);
   owner(root);
   group("syslog");
   keep_hostname(yes);
   long_hostnames(on);
};

# Sources
source s_local { unix-stream("/dev/log" max-connections(256)); internal(); };
source s_rtr    { udp(ip(192.168.1.3) port(514)); };

# Destinations
destination d_rtr    { file("/var/log/rtr.log"); };
destination d_auth   { file("/var/log/auth.log"); };
destination d_sftp   { file("/var/log/sftp.log"); };

# Filters
filter f_rtr    { facility(23); };
filter f_auth   { program(sshd); };
filter f_sftp   { program(vsftpd); };

# Logs
log { source(s_rtr); filter(f_rtr); destination(d_rtr); };
log { source(s_local); filter(f_auth); destination(d_auth); };
log { source(s_local); filter(f_sftp); destination(d_sftp); };
```

----------

## massimo

Everything else (everything but the log entries that have already been written to another log file):

```
# added
destination d_messages { file("/var/log/messages"); };

# modified
log { source(s_rtr); filter(f_rtr); destination(d_rtr); flags(final); };
log { source(s_local); filter(f_auth); destination(d_auth); flags(final); };
log { source(s_local); filter(f_sftp); destination(d_sftp); flags(final); };

# added
log { source(s_local); destination(d_messages); };
```
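To make the effect of `flags(final)` in the configuration above concrete, here is an added example (not syslog-ng's own code and not from the thread) that models how syslog-ng walks its log statements in order: `Msg`, `LogPath`, `route` and the sample messages are constructed for illustration, and `facility(23)` is mapped to its RFC 3164 name local7.

```python
# Added example, not syslog-ng's own code: a small model of how syslog-ng walks
# its log statements, to show what flags(final) changes in the config above.
from dataclasses import dataclass
from typing import Callable, List

# RFC 3164 facility codes; facility(23) in the f_rtr filter is local7,
# the facility Cisco IOS uses for remote syslog by default.
FACILITY = {"authpriv": 10, "cron": 9, "local7": 23}

@dataclass
class Msg:
    source: str       # the syslog-ng source the message arrived on
    facility: int
    program: str
    text: str

@dataclass
class LogPath:
    source: str
    destination: str
    match: Callable[[Msg], bool] = lambda m: True  # no filter() => match all
    final: bool = False                             # flags(final)

def route(paths: List[LogPath], msg: Msg) -> List[str]:
    """Destinations the message is written to, in config order.
    A matching path with flags(final) stops evaluation of later paths,
    which is what lets an unfiltered last path catch 'everything else'."""
    written = []
    for p in paths:
        if p.source != msg.source or not p.match(msg):
            continue
        written.append(p.destination)
        if p.final:
            break
    return written

def thread_paths(final: bool) -> List[LogPath]:
    """The three filtered paths from the thread plus the d_messages catch-all."""
    return [
        LogPath("s_rtr", "d_rtr", lambda m: m.facility == FACILITY["local7"], final),
        LogPath("s_local", "d_auth", lambda m: m.program == "sshd", final),
        LogPath("s_local", "d_sftp", lambda m: m.program == "vsftpd", final),
        LogPath("s_local", "d_messages"),
    ]

# Constructed sample messages (not real log lines from the thread)
SSHD = Msg("s_local", FACILITY["authpriv"], "sshd", "Accepted publickey for derek")
CRON = Msg("s_local", FACILITY["cron"], "CRON", "(root) CMD (run-parts /etc/cron.hourly)")
RTR = Msg("s_rtr", FACILITY["local7"], "", "%SYS-5-CONFIG_I: Configured from console")
```

Without `flags(final)` an sshd line is written to both d_auth and d_messages; with it, only to d_auth, while a cron line still falls through to d_messages.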

----------

## DrekAlots

Thanks!! It's working well now!

----------

