|>
|> For the server. Sorry.
|>

Here is what I use. I have the Solaris 8 syslogd start up with -t so it does not listen to the network on the central log host. Then I have syslog-ng listening for the messages that come in from the network. Messages coming in from the network go to /data/logs/messages.$HOST unless they are su or op (sudo-like), and I have those go into separate files elsewhere for monitoring etc. Pretty generic and works for me. Your mileage may vary. Syslog-ng version is 1.4.14.

options { sync(0); chain_hostnames(no); };

# Starting with this version of syslog-ng we are letting Solaris syslogd handle
# system messages, but start it with a "-t" to tell it not to listen to network
# traffic. We then use syslog-ng to only listen on the network.
source s_remote { udp(ip(0.0.0.0) port(514)); internal(); };

# Filter defs. How to break out the incoming messages.
# f_hosts: what goes into the per-host messages file (everything err and above,
# plus kernel, daemon and mail messages at lower levels).
filter f_hosts {
    level(err..emerg)
    or ( facility(kern) and level(debug..emerg) )
    or ( facility(daemon) and level(notice..emerg) )
    or ( facility(mail) and level(crit..emerg) );
};
# su to root, failed / succeeded / all su messages
filter f_subad      { program(su) and match(root) and match(failed); };
filter f_sugood     { program(su) and match(root) and match(succeeded); };
filter f_sucombined { program(su) and match(su:); };
# op (sudo-like), failed / succeeded / all op messages
filter f_opbad      { program(op) and match(FAILED); };
filter f_opgood     { program(op) and match(SUCCEDED); };
filter f_opcombined { program(op) and match(op:); };
filter f_panic      { match(panic); };
# the Solaris boot banner carries the kernel patch id "Generic_..."
filter f_reboot     { match(Generic_); };

# Destination defs. Where the messages go
destination d_subad      { file("/data/logs/su/bad_su_attempts"); };
destination d_sugood     { file("/data/logs/su/good_su_attempts"); };
destination d_sucombined { file("/data/logs/su/su_attempts"); };
destination d_opbad      { file("/data/logs/op/bad_op_attempts"); };
destination d_opgood     { file("/data/logs/op/good_op_attempts"); };
destination d_opcombined { file("/data/logs/op/op_attempts"); };
destination d_panic      { file("/data/logs/panic.log"); };
destination d_reboot     { file("/data/logs/reboot.log"); };
destination d_hostmsg    { file("/data/logs/hosts/messages.$HOST"); };

# Log actions for messages generated remotely
log { source(s_remote); filter(f_subad);      destination(d_subad); };
log { source(s_remote); filter(f_sugood);     destination(d_sugood); };
log { source(s_remote); filter(f_sucombined); destination(d_sucombined); };
log { source(s_remote); filter(f_opbad);      destination(d_opbad); };
log { source(s_remote); filter(f_opgood);     destination(d_opgood); };
log { source(s_remote); filter(f_opcombined); destination(d_opcombined); };
log { source(s_remote); filter(f_panic);      destination(d_panic); };
log { source(s_remote); filter(f_reboot);     destination(d_reboot); };
log { source(s_remote); filter(f_hosts);      destination(d_hostmsg); };

Jamie
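To see what the filter and log statements in the config above actually do to incoming traffic, here is a small simulation (an added example, not part of Jamie's post or of syslog-ng itself). It parses constructed BSD-syslog lines, transcribes the nine filters into Python and reports which destination files each line would be written to. The sample lines, hostnames, user names and PRI values are made up, and the simulation assumes that match() is evaluated over "program: message" so that match(su:) can see the tag; the real behaviour of syslog-ng 1.4 may differ in that detail.

```python
"""Route constructed BSD-syslog lines through the filters of the syslog-ng
config above (added example; sample lines and PRI values are made up)."""
import re
from collections import defaultdict

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6",
              "local7"]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message -- the RFC 3164 layout that
# arrives on udp/514 from the Solaris clients
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[ ]+)(?:\[\d+\])?: ?(?P<msg>.*)$")


def parse(line):
    """Split one line into facility, level, host, program and message text."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri = int(m.group("pri"))
    return {"facility": FACILITIES[pri >> 3], "level": LEVELS[pri & 7],
            "host": m.group("host"), "program": m.group("prog"),
            "msg": m.group("msg")}


def level_in(m, low, high):
    """syslog-ng level(low..high), inclusive: err..emerg = err, crit, alert, emerg."""
    return LEVELS.index(high) <= LEVELS.index(m["level"]) <= LEVELS.index(low)


def match(m, pattern):
    """syslog-ng match(): a regex over the message. Assumption: the program tag
    is part of the searched text, so match(su:) in the config can see it."""
    return re.search(pattern, "%s: %s" % (m["program"], m["msg"])) is not None


# The filter definitions from the config, transcribed one-to-one.
FILTERS = {
    "f_hosts": lambda m: (level_in(m, "err", "emerg")
                          or (m["facility"] == "kern" and level_in(m, "debug", "emerg"))
                          or (m["facility"] == "daemon" and level_in(m, "notice", "emerg"))
                          or (m["facility"] == "mail" and level_in(m, "crit", "emerg"))),
    "f_subad": lambda m: m["program"] == "su" and match(m, "root") and match(m, "failed"),
    "f_sugood": lambda m: m["program"] == "su" and match(m, "root") and match(m, "succeeded"),
    "f_sucombined": lambda m: m["program"] == "su" and match(m, "su:"),
    "f_opbad": lambda m: m["program"] == "op" and match(m, "FAILED"),
    "f_opgood": lambda m: m["program"] == "op" and match(m, "SUCCEDED"),
    "f_opcombined": lambda m: m["program"] == "op" and match(m, "op:"),
    "f_panic": lambda m: match(m, "panic"),
    "f_reboot": lambda m: match(m, "Generic_"),
}

# The log {} statements: every filter/destination pair is evaluated on its own,
# so one message may be written to several files.
LOG_PATHS = [
    ("f_subad", "/data/logs/su/bad_su_attempts"),
    ("f_sugood", "/data/logs/su/good_su_attempts"),
    ("f_sucombined", "/data/logs/su/su_attempts"),
    ("f_opbad", "/data/logs/op/bad_op_attempts"),
    ("f_opgood", "/data/logs/op/good_op_attempts"),
    ("f_opcombined", "/data/logs/op/op_attempts"),
    ("f_panic", "/data/logs/panic.log"),
    ("f_reboot", "/data/logs/reboot.log"),
    ("f_hosts", "/data/logs/hosts/messages.$HOST"),
]


def destinations_for(line):
    """Sorted list of files one line would be written to (empty = dropped)."""
    m = parse(line)
    return sorted(dest.replace("$HOST", m["host"])
                  for name, dest in LOG_PATHS if FILTERS[name](m))


def route(lines):
    """Map destination file -> message texts, as syslog-ng would append them."""
    files = defaultdict(list)
    for line in lines:
        m = parse(line)
        for dest in destinations_for(line):
            files[dest].append(m["msg"])
    return dict(files)


# Constructed sample traffic (hosts, users, PRI values and patch id are made up).
SAMPLE_LINES = [
    "<34>Nov 15 12:19:01 web1 su: 'su root' failed for jamie on /dev/pts/3",          # auth.crit
    "<37>Nov 15 12:20:30 web1 su: 'su root' succeeded for jamie on /dev/pts/3",       # auth.notice
    "<0>Nov 15 12:21:00 db2 unix: panic: Deadlock detected",                           # kern.emerg
    "<7>Nov 15 12:25:00 db2 unix: SunOS Release 5.8 Version Generic_000000-00 64-bit",  # kern.debug
    "<86>Nov 15 12:30:00 web1 sshd[412]: Accepted publickey for jamie from 10.0.0.5",  # authpriv.info
    "<85>Nov 15 12:31:00 web1 op[500]: jamie FAILED shutdown",                         # authpriv.notice
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(destinations_for(line) or "dropped", "<-", line)
```

Two things the run makes visible that the config alone does not: because each log statement is independent, the failed su to root lands in bad_su_attempts, su_attempts and messages.web1 at once, while the successful su (at notice level, facility auth) is kept only in the su files and never reaches the per-host messages file; and a routine authpriv.info event such as the sshd line matches no filter at all and is silently dropped, so anything you intend to monitor centrally has to be covered by one of the filters.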
Cool. Thanks for the info.

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Jamie McKnight
Sent: Thursday, November 15, 2001 12:19 PM
To: syslog-ng@lists.balabit.hu
Subject: RE: [syslog-ng]Sample Solaris config

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng