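#
# Syslog-ng example configuration for Debian GNU/Linux
#
# Copyright (c) 1999 anonymous
# Copyright (c) 1999 Balazs Scheidler
# $Id: syslog-ng.conf,v 1.5 2004/05/07 23:19:26 llam Exp llam $
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.
#
# Layout: OPTIONS, SOURCE, DESTINATION, FILTER, LOG.  Log statements are
# evaluated in the order written; once a message matches a statement that
# carries flags(final) it is not considered by later statements, so the
# ordering of the LOG section is significant.
#

# OPTIONS
options {
    sync(0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames(no);
    # No reverse lookups: no blocking DNS from the log path, and the host()
    # filters below are written against IP addresses, which relies on this.
    use_dns (no);
    use_fqdn(yes);
    gc_idle_threshold(100);
    gc_busy_threshold(3000);
};

# SOURCE
# udp(ip(0.0.0.0)) accepts syslog on every interface.  UDP syslog carries no
# authentication and the sender address can be forged, so the host()-based
# routing below is only as trustworthy as the network path; restrict 514/udp
# to the known log sources at the firewall where possible.
source src {
    unix-dgram("/var/run/log");
    internal();
    udp(ip(0.0.0.0) port(514));
};

# DESTINATION
# Most files share one template; the ones without a template use the
# syslog-ng default format.  raptor keeps only $MSG (raw device output).
destination 3dns      { file("/c1/logs/3dns.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination auth      { file("/c1/logs/authlog" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination authcrit  { file("/c1/logs/auth.crit" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination cacheflow { file("/c1/logs/cacheflow.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination ces600    { file("/c1/logs/ces600.log"); };
destination cisco     { file("/c1/logs/ciscolog"); };
destination ciscocrit { file("/c1/logs/cisco.crit"); };
destination console   { usertty("root"); };
destination cron      { file("/var/log/cron" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination daemon    { file("/c1/logs/daemon.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination default   { file("/c1/logs/default.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination inetd     { file("/c1/logs/inetd.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination kern      { file("/c1/logs/kern.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination lpr       { file("/var/log/lpd-errs" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination mail      { file("/c1/logs/maillog"); };
destination mailcrit  { file("/c1/logs/mail.crit" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination messages  { file("/c1/logs/messages" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination netscreen { file("/c1/logs/netscreen.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination named     { file("/c1/logs/named.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination namedcrit { file("/c1/logs/named.crit" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination news      { file("/var/log/news/news.log"); };
destination pix       { file("/c1/logs/pixlog"); };
destination pixcrit   { file("/c1/logs/pix.crit"); };
destination proxy     { file("/var/log/proxynet" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination radiusd   { file("/c1/logs/radiusd.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination raptor    { file("/c1/logs/raptorlog" template("$MSG\n")); };
destination sshd      { file("/c1/logs/sshd.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination syslog-ng { file("/c1/logs/syslog-ng.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination tacacs    { file("/c1/logs/tacacs" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
# "trash" is an ordinary file, not /dev/null: everything routed here
# (f_pix_ignore) is written to disk and grows without bound unless rotated.
destination trash     { file("/c1/logs/null"); };
destination vpn       { file("/c1/logs/vpnlog"); };

# FILTER
# match() is an unanchored regexp over the message text, so e.g. match( named)
# also hits "unnamed"/"renamed" and match( sshd) hits any line mentioning sshd.
# f_auth, f_console, f_debug, f_local6, f_messages and f_syslog are defined
# but not referenced by any active log statement below.
filter f_3dns { host(43.134.1.132) or host(43.134.1.133) or host(43.144.86.132) or host(43.144.86.133); };
filter f_auth { facility(auth); };
filter f_authcrit { facility(auth,authpriv) and level(err,crit,alert,emerg); };
filter f_authpriv { facility(auth, authpriv); };
filter f_cacheflow {
    match( CacheOS) or host(43.134.0.33) or host(43.134.0.35) or host(43.131.5.12) or
    host(43.130.1.20) or host(43.191.32.32) or host(43.146.0.9) or host(43.146.0.6) or
    host(43.136.15.21) or host(43.136.15.20) or host(43.155.1.6) or host(43.155.1.5) or
    host(43.144.73.28) or host(43.144.73.179);
};
# Despite the name this is "all local7 except IP access-list log lines", not a
# severity filter; everything it passes is also copied to cisco by f_local7.
filter f_ciscocrit { facility(local7) and not match(IPACCESSLOGP) and not match(IPACCESSLOGDP) and not match(IPACCESSLOGNP); };
filter f_console { level(err) or facility(kern) or (facility(auth) and level(notice)) or facility(mail) ; };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_emergency { level(emerg); };
filter f_glob { level(notice) or facility(auth) or (facility(kern) and level(debug)) or facility(daemon) or facility(news) or facility(local7) ; };
filter f_kern { facility(kern); };
filter f_local0 { facility(local0); };
filter f_local1 { facility(local1); };
filter f_local2 { facility(local2); };
filter f_local3 { facility(local3); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };
filter f_lpr { facility(lpr) and level(info); };
filter f_mail { facility(mail); };
# "and" binds tighter than "or"; the parentheses make the grouping the parser
# already applied explicit: serious sendmail errors, plus any WorkList line.
filter f_mailcrit { (program(sendmail) and level(err,crit,alert,emerg)) or match(WorkList); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };
filter f_news { facility(news); };
filter f_named { match( named); };
filter f_namedcrit { program(named) and level(crit,alert,emerg); };
# PIX 106023 deny messages for ports 135-139, 80 and 445 are discarded before
# f_pix runs.  The patterns are unanchored: "/80" also matches "/800", "/8080"
# etc., so check the expected message format before relying on this.
filter f_pix_ignore { match( %PIX-4-106023:.*/13[5-9]) or match( %PIX-4-106023:.*/80) or match( %PIX-4-106023:.*/445); };
filter f_pix { match( %PIX-); };
filter f_pixcrit { match( %PIX-3-) or match( %PIX-2-) or match( %PIX-1-) or match( %PIX-0-); };
filter f_radiusd { facility(daemon) and match( radiusd); };
filter f_sshd { match( sshd); };
filter f_syslog { not facility(authpriv, mail); };
filter f_syslog-ng { match( syslog-ng); };
#filter f_trash { match("connect from hpntbox1.corpnet.sel.sony.com"); };

# LOG
# for e-Security (don't use final keyword)
# These run first and deliberately have no flags(final), so the critical
# copies are written in addition to whatever the rules below do.
log { source(src); filter(f_mailcrit); destination(mailcrit); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_authcrit); destination(authcrit); };
log { source(src); filter(f_pixcrit); destination(pixcrit); };
log { source(src); filter(f_namedcrit); destination(namedcrit); };

#
# exact rules (with final)
# Order matters here: f_pix_ignore must precede f_pix, and f_ciscocrit (no
# final) must precede f_local7 so cisco.crit still receives its copy.
#log { source(src); filter(f_trash); destination(trash); flags(final); };
log { source(src); filter(f_3dns); destination(3dns); flags(final); };
log { source(src); filter(f_local0); destination(proxy); flags(final); };
log { source(src); filter(f_local1); destination(netscreen); flags(final); };
log { source(src); filter(f_local2); destination(raptor); flags(final); };
log { source(src); filter(f_local3); destination(ces600); flags(final); };
log { source(src); filter(f_local4); destination(vpn); flags(final); };
log { source(src); filter(f_local5); destination(tacacs); flags(final); };
log { source(src); filter(f_pix_ignore); destination(trash); flags(final); };
log { source(src); filter(f_pix); destination(pix); flags(final); };
log { source(src); filter(f_ciscocrit); destination(ciscocrit); };
log { source(src); filter(f_local7); destination(cisco); flags(final); };
log { source(src); filter(f_named); destination(named); flags(final); };
log { source(src); filter(f_radiusd); destination(radiusd); flags(final); };
log { source(src); filter(f_sshd); destination(sshd); flags(final); };
log { source(src); filter(f_syslog-ng); destination(syslog-ng); flags(final); };
log { source(src); filter(f_cacheflow); destination(cacheflow); flags(final); };

# the rest
log { source(src); filter(f_authpriv); destination(auth); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_news); destination(news); };
log { source(src); filter(f_daemon); destination(daemon); };
# This statement appeared twice in the original, which wrote every f_glob
# message to /c1/logs/messages two times; the duplicate has been removed.
log { source(src); filter(f_glob); destination(messages); };
log { source(src); filter(f_cron); destination(cron); };

# Fallback
# Catches anything no earlier statement matched (messages that hit a
# flags(final) rule never get here).
log { source(src); destination(default); flags(fallback); };

#log { source(src); filter(f_authpriv); destination(authlog); };
#log { source(src); filter(f_syslog); destination(syslog); };
#log { source(src); filter(f_user); destination(user); };
#log { source(src); filter(f_uucp); destination(uucp); };
#log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
#log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
#log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
#log { source(src); filter(f_debug); destination(debug); };
#log { source(src); filter(f_messages); destination(messages); };
#log { source(src); destination(console_all); };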