Hi,

syslog-ng can deliver messages to another host easily, using the generic network() or the more specific udp()/tcp() drivers. The fw can consume them with similar source drivers. syslog-ng supports various protocols and formats for this transport (namely the newer RFC5424 or the legacy BSD format RFC3164).

This is a very simple config on the clients to send off the messages to fw:

```
@version 3.30
log {
    source { system(); };
    destination { network("fw.lan" transport(tcp)); };
};
```

On the server (fw):
```
@version: 3.30
log {
    source { network(transport(tcp)); };
    destination { file("/var/log/network-messages"); };
};
```

The examples above use the "inline" syntax, where the drivers are specified right within the log statement that processes their message flow. You can also declare a source and then reference them in a log statement.
```
@version 3.30

source s_local {
    system();
};

log {
    source(s_local);
    destination { network("fw.lan" transport(tcp)); };
};
```

See the curly vs. simple brackets around the source reference, that's the indication if you want to use in-line statements. The separate declaration of a source allows it to be used from multiple log statements, whereas the inline would only allow a single log statement to be used.

The network() driver would use RFC3164 format on plain TCP, but you can customize this (the syslog() driver would use RFC5424, and the transport() option for either of these specifies which transport protocol is used: simple UDP, TCP or TLS).

That should get you started. If you try to google for syslog-ng, I am sure you would find tutorials. Some books even include chapters on its configuration format. And there's the official documentation on syslog-ng.com.

Hope this helps,
Bazsi

On Sat, Jan 23, 2021 at 7:16 AM Dan Egli <dan@newideatest.site> wrote:
I have an interesting setup that was proposed to me, and while I _THINK_
syslog-ng can handle it I don't know for sure, let alone HOW.

There are multiple service-specific machines in the network, behind the
firewall. I'll just use the services they provide as their hostnames in
this example. So firewall fw is a small linux machine running syslog-ng
and fail2ban. Now fail2ban works off of the log files, but it also wants
to apply changes to the firewall rules locally. So either www has its
firewall rules while smtp has its rules and imap has a third set (ugly)
or fail2ban can run on fw and modify the rules there. Trick is, in order
to do that, all the logs have to be accessible in real time so that
fail2ban can see them. My thought was to have syslog-ng on each sub
machine somehow report to the syslog-ng on fw. Then fw's syslog-ng can
write the files that fail2ban wants to read from.

What would be the best way to go about this? I am still learning
syslog-ng so if this is something simple, I'm sorry.


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq



--
Bazsi