<div dir="ltr">Thanks for reply. I am a newbie on syslog-ng and quite confuse aboute the src. I have install it on Freebsd 6.3 and syslog-ng <a href="http://1.6.12.">1.6.12.</a> I really appriciate that you guys can help me. This is my syslog-ng.conf:<br>
<br>#<br># This sample configuration file is essentially equilivent to the stock<br># FreeBSD /etc/syslog.conf file.<br>#<br><br>#<br># options<br>#<br>options { long_hostnames(off); sync(0); };<br><br>#<br># sources<br>#<br>
source src { unix-dgram(&quot;/var/run/log&quot;);<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; unix-dgram(&quot;/var/run/logpriv&quot; perm(0600));<br>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; udp(); internal(); file(&quot;/dev/klog&quot;); };<br><br>#<br># destinations<br>#<br>#destination <a href="http://local0.info">local0.info</a> {<br>
#file(&quot;/var/log/remote/servers/$HOST/$YEAR/$MONTH/$DAY/pflogd/pflogd.log&quot;<br>#owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)<br>#);<br>#};<br><br><br>destination messages { file(&quot;/var/log/remote/messages&quot;); };<br>
destination localhost { file(&quot;/var/log/remote/syslog-ng.all&quot;); };<br>destination security { file(&quot;/var/log/remote/security&quot;); };<br>destination authlog { file(&quot;/var/log/remote/auth.log&quot;); };<br>
destination maillog { file(&quot;/var/log/remote/maillog&quot;); };<br>destination lpd-errs { file(&quot;/var/log/remote/lpd-errs&quot;); };<br>destination xferlog { file(&quot;/var/log/remote/xferlog&quot;); };<br>destination cron { file(&quot;/var/log/remote/cron&quot;); };<br>
destination debuglog { file(&quot;/var/log/remote/debug.log&quot;); };<br>destination consolelog { file(&quot;/var/log/remote/console.log&quot;); };<br>destination all { file(&quot;/var/log/remote/all.log&quot;); };<br>destination newscrit { file(&quot;/var/log/news/news.crit&quot;); };<br>
destination newserr { file(&quot;/var/log/news/news.err&quot;); };<br>destination newsnotice { file(&quot;/var/log/news/news.notice&quot;); };<br>destination slip { file(&quot;/var/log/remote/slip.log&quot;); };<br>destination ppp { file(&quot;/var/log/remote/ppp.log&quot;); };<br>
destination console { file(&quot;/dev/console&quot;); };<br>destination allusers { usertty(&quot;*&quot;); };<br>#destination loghost { udp(&quot;loghost&quot; port(514)); };<br>#destination local0 { file(&quot;/var/log/remote/pflog.txt&quot;); };<br>
destination local0 { file(&quot;/var/log/remote/local0.log&quot;); };<br>#destination local1 { file(&quot;/var/log/remote/alert&quot;); };<br>destination local1 { file(&quot;/var/log/remote/local1.log&quot;); };<br><br>#log {<br>
#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; source(tcp); source(internal); source(udp); source(unix);<br>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; source(s_tcp); source(s_internal); source(s_udp); source(s_unix);<br>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; filter(f_local0); filter(f_local1);<br>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination(df_local1);<br>
# };<br><br><br>#<br># log facility filters<br>#<br>filter f_auth { facility(auth); };<br>filter f_authpriv { facility(authpriv); };<br>filter f_not_authpriv { not facility(authpriv); };<br>filter f_console { facility(console); };<br>
filter f_cron { facility(cron); };<br>filter f_daemon { facility(daemon); };<br>filter f_ftp { facility(ftp); };<br>filter f_kern { facility(kern); };<br>filter f_lpr { facility(lpr); };<br>filter f_mail { facility(mail); };<br>
filter f_news { facility(news); };<br>filter f_security { facility(security); };<br>filter f_user { facility(user); };<br>filter f_uucp { facility(uucp); };<br>#filter f_local0 { facility(local0); };<br>#filter f_local00 { facility(local0); };<br>
#filter f_local1 { facility(local1); };<br>#filter f_local01 { facility(local1) or facility(local1); };<br>filter f_local2 { facility(local2); };<br>filter f_local3 { facility(local3); };<br>filter f_local4 { facility(local4); };<br>
filter f_local5 { facility(local5); };<br>filter f_local6 { facility(local6); };<br>filter f_local7 { facility(local7); };<br><br>#<br># log level filters<br>#<br>filter f_emerg { level(emerg); };<br>filter f_alert { level(alert..emerg); };<br>
filter f_crit { level(crit..emerg); };<br>filter f_err { level(err..emerg); };<br>filter f_warning { level(warning..emerg); };<br>filter f_notice { level(notice..emerg); };<br>filter f_info { level(info..emerg); };<br>filter f_debug { level(debug..emerg); };<br>
filter f_is_debug { level(debug); };<br><br>#<br># program filters<br>#<br>filter f_ppp { program(&quot;ppp&quot;); };<br>filter f_slip { program(&quot;startslip&quot;); };<br><br>#<br># *.err;kern.warning;auth.notice;mail.crit&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /dev/console<br>
#<br>log { source(src); filter(f_err); destination(console); };<br>log { source(src); filter(f_kern); filter(f_warning); destination(console); };<br>log { source(src); filter(f_auth); filter(f_notice); destination(console); };<br>
log { source(src); filter(f_mail); filter(f_crit); destination(console); };<br><br>#<br># *.notice;authpriv.none;kern.debug;<a href="http://lpr.info">lpr.info</a>;mail.crit;news.err&nbsp;&nbsp;&nbsp; /var/log/messages<br>#<br>log { source(src); filter(f_notice); filter(f_not_authpriv); destination(messages); };<br>
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };<br>log { source(src); filter(f_lpr); filter(f_info); destination(messages); };<br>log { source(src); filter(f_mail); filter(f_crit); destination(messages); };<br>
log { source(src); filter(f_news); filter(f_err); destination(messages); };<br><br>#<br># security.*&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /var/log/security<br>#<br>log { source(src); filter(f_security); destination(security); };<br><br>
#<br># <a href="http://auth.info">auth.info</a>;<a href="http://authpriv.info">authpriv.info</a>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /var/log/auth.log<br>log { source(src); filter(f_auth); filter(f_info); destination(authlog); };<br>log { source(src); filter(f_authpriv); filter(f_info); destination(authlog); };<br>
<br>#<br># <a href="http://mail.info">mail.info</a>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /var/log/maillog<br>#<br>log { source(src); filter(f_mail); filter(f_info); destination(maillog); };<br><br>#<br># <a href="http://lpr.info">lpr.info</a>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /var/log/lpd-errs<br>
#<br>log { source(src); filter(f_lpr); filter(f_info); destination(lpd-errs); };<br><br>#<br># <a href="http://ftp.info">ftp.info</a>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /var/log/xferlog<br>#<br>log { source(src); filter(f_ftp); filter(f_info); destination(xferlog); };<br>
<br>#<br># cron.*&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /var/log/cron<br>#<br>log { source(src); filter(f_cron); destination(cron); };<br><br>#<br># *.=debug&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /var/log/debug.log<br>#<br>log { source(src); filter(f_is_debug); destination(debuglog); };<br>
<br>#<br># *.emerg&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; *<br>#<br>log { source(src); filter(f_emerg); destination(allusers); };<br><br>#<br># uncomment this to log all writes to /dev/console to /var/log/console.log<br># <a href="http://console.info">console.info</a>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /var/log/console.log<br>
#<br>#log { source(src); filter(f_console); filter(f_info); destination(consolelog); };<br><br>#<br># uncomment this to enable logging of all log messages to /var/log/all.log<br># touch /var/log/all.log and chmod it to mode 600 before it will work<br>
# *.*&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /var/log/all.log<br>#<br>#log { source(src); destination(all); };<br><br>#<br># uncomment this to enable logging to a remote loghost named loghost<br># *.*&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; @loghost<br>
#<br>#log { source(src); destination(loghost); };<br><br>#<br># uncomment these if you&#39;re running inn<br># news.crit&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /var/log/news/news.crit<br># news.err&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /var/log/news/news.err<br>
# news.notice&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /var/log/news/news.notice<br>#<br>#log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };<br>#log { source(src); filter(f_news); filter(f_err); destination(newserr); };<br>
#log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };<br><br>#<br># !startslip<br># *.*&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /var/log/slip.log<br>#<br>log { source(src); filter(f_slip); destination(slip); };<br>
<br>#<br># !ppp<br># *.*&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; /var/log/ppp.log<br>#<br>log { source(src); filter(f_ppp); destination(ppp); };<br><br><br>Thanks...<br><br><div class="gmail_quote">On Thu, Sep 11, 2008 at 4:16 PM, Geller, Sandor (IT) <span dir="ltr">&lt;<a href="mailto:Sandor.Geller@morganstanley.com">Sandor.Geller@morganstanley.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">Hi,<br>
<br>
&gt; I have install syslog-ng on my remote server. I need to<br>
&gt; centralized my pflog (firewall log) and snort alert to the<br>
&gt; syslog server. For your info i have successfully log all log<br>
&gt; except the pflog and snort alert. I have define the snort<br>
&gt; alert as <a href="http://local0.info" target="_blank">local0.info</a> and pflog as <a href="http://local1.info" target="_blank">local1.info</a>. Can you all<br>
&gt; give me the sample of configuration?<br>
&gt;1.<br>
&gt; I have tcpdump for and grep the <a href="http://local1.info" target="_blank">local1.info</a> and <a href="http://local0.info" target="_blank">local0.info</a><br>
&gt; and its show on console. I&#39;m confuse why the system not write<br>
&gt; to destination that i specify.<br>
&gt;<br>
&gt; Below is some configuration that i do on syslog-ng.conf (destination):<br>
&gt; destination local0 { file(&quot;/var/log/remote/local0.log&quot;); };<br>
&gt; destination local1 { file(&quot;/var/log/remote/local1.log&quot;); };<br>
<br>
</div>Do you have log sections which actually use the destinations above?<br>
Filters, etc.? Without seeing the complete config there is no way to<br>
correct your config.<br>
<br>
Check whether you have something like the following in your config:<br>
<br>
filter f_snort {<br>
 &nbsp; &nbsp; &nbsp; &nbsp;facility(local0) and severity(info);<br>
};<br>
<br>
filter f_pflog {<br>
 &nbsp; &nbsp; &nbsp; &nbsp;facility(local1) and severity(info);<br>
};<br>
<br>
...<br>
<br>
log {<br>
 &nbsp; &nbsp; &nbsp; &nbsp;source(s_something);<br>
 &nbsp; &nbsp; &nbsp; &nbsp;filter(f_snort);<br>
 &nbsp; &nbsp; &nbsp; &nbsp;destination(d_local0);<br>
};<br>
<br>
log {<br>
 &nbsp; &nbsp; &nbsp; &nbsp;source(s_something);<br>
 &nbsp; &nbsp; &nbsp; &nbsp;filter(f_pflog);<br>
 &nbsp; &nbsp; &nbsp; &nbsp;destination(d_local1);<br>
};<br>
<br>
Of course there are many ways to achieve this logging. Refer to<br>
the reference guide and check the sample configs included in the<br>
source tarball, this might help you understanding how syslog-ng<br>
works.<br>
<br>
Regards,<br>
<br>
Sandor<br>
--------------------------------------------------------<br>
<br>
NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br>
</blockquote></div><br><br clear="all"><br>-- <br>MUHAMMAD AZIZUL DARUS<br><a href="http://www.foodmalaysia.net">http://www.foodmalaysia.net</a><br><a href="http://www.myfelis.com">http://www.myfelis.com</a><br><a href="http://yourubuntulinux.blogspot.com">http://yourubuntulinux.blogspot.com</a><br>
<a href="http://opensource-2u.blogspot.com">http://opensource-2u.blogspot.com</a><br><a href="http://photograph2u.blogspot.com">http://photograph2u.blogspot.com</a><br><a href="http://malaysiataste.blogspot.com">http://malaysiataste.blogspot.com</a><br>
<a href="http://jomshopping.blogspot.com">http://jomshopping.blogspot.com</a><br><a href="http://jahitan-manik.blogspot.com">http://jahitan-manik.blogspot.com</a><br><a href="http://nissan-maniac.blogspot.com">http://nissan-maniac.blogspot.com</a><br>
<a href="http://narutoslash.blogspot.com/">http://narutoslash.blogspot.com/</a><br>
</div>