I want to set up a syslog-ng server to do syslogging for my network. So far it's easy; the part I'm having trouble with, and I'm not even sure if it's possible, is I want to log by device to its own individual syslog file. Hence the reason for using syslog-ng vice sysklogd. I think the syntax would be something as follows, but I could be way off base.

device1 /var/log/network/device1

log { source(device1) filter (?????) destination (?????) };

I also don't understand where to define the facilities as I did in standard syslog. Any help would be greatly appreciated.

One other quick question: when I do a default install of syslog-ng (on Debian Etch), it automatically logs to the tty. Is this correct for all versions, and whether it is or it's not, how do I stop it?

Thanks again,
Mark
On Thu, May 11, 2006 at 06:54:16PM -0400, Mark R. White wrote:
I want to set up a syslog-ng server to do syslogging for my network. So far it's easy; the part I'm having trouble with, and I'm not even sure if it's possible, is I want to log by device to its own individual syslog file. Hence the reason for using syslog-ng vice sysklogd. I think the syntax would be something as follows, but I could be way off base.
Use something like this: http://www.campin.net/newlogcheck.html#syslog-ng
I also don't understand where to define the facilities as I did in standard syslog. Any help would be greatly appreciated. One other quick question, when I do a default install of syslog-ng (on Debian Etch), it automatically logs to the tty. Is this correct for all versions, and whether it is or it's not, how do I stop it?
Comment out the sources and destinations that mention console or tty (names like xconsole and du_all, I think). I get dropped-messages stats lines when I keep that default Debian console/tty stuff enabled. Not logging to consoles or ttys speeds things up, see: http://www.campin.net/syslog-ng/faq.html#perf

--
Nate

"Get your facts first, and then you can distort them as much as you please." - Samuel Clemens
Nate,

Will this syntax work?

Mark

#Destinations
destination corppix { file ("/var/log/network/corppix/" owner (root) group (root) perm (0655) dir_perm (0755)); };

#Netmask Section - To log by device IP.
log { netmask("10.10.10.2"); src (src); destination(corppix); };

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Nate Campi
Sent: Thursday, May 11, 2006 8:13 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Newbie Looking for Help
On Nate Campi's site, he has this syntax:

destination hosts { file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
log { source(src); destination(hosts); };

How does this identify which host is which?

Thanks,
Mark
On Sun, 14 May 2006 12:56:44 EDT, "Mark R. White" said:
On nate campin site, he has this syntax:
destination hosts { file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY"
How does this identify which host is which?
Let's grab a random line from my syslog:

May 14 04:55:33 turing-police ntpd[7200]: synchronized to 198.82.1.202, stratum 2
                ^^^^^^^^^^^^^

So this would go with $HOST set to 'turing-police' and get logged in /var/log/turing-police/2006/05/14/yaddayadda...
Okay, I've got my syslog-ng semi-working. Thanks to all of you for your help. I have one more question. I'm logging using this:

destination hosts { file("/var/log/network/$HOST/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY" owner(root) group(root) perm(0644) dir_perm(0744) create_dirs(yes)); };
log { source(s_all); destination(hosts); };

It's logging all local activity the way it's supposed to be. I have it set up to accept log messages from external sources:

source s_all {
        # message generated by Syslog-NG
        internal();
        # standard Linux log source (this is the default place for the syslog()
        # function to send logs to)
        unix-stream("/dev/log");
        # messages from the kernel
        file("/proc/kmsg" log_prefix("kernel: "));
        # use the following line if you want to receive remote UDP logging messages
        # (this is equivalent to the "-r" syslogd flag)
        udp();
};

My network engineer says he has our corporate PIX box pointed to this server, yet I'm not getting any logs. Do I need to specify the facility that it's logging to? And if so, where do I specify that in this set up? I assumed once I had it set up to log, and I was accepting external connections, it would log it into the file system as stated above and I wouldn't have to specify logging for each facility, local4 in this specific case. Is it not correct to assume that since I have uncommented udp, all UDP logging traffic would be defined by the s_all variable and forced to log the same as all other syslog data?

Thanks again for all of your help.

Mark

"It's days like this I think I should give up my job as a UNIX systems admin and go work at Best Buy!"
Mark R. White wrote:
My network engineer says he has our corporate pix box pointed to this server, yet I'm not getting any logs. Do I need to specify the facility that it's logging to? And if so, where do I specify that in this set up? I assumed once I had it setup to log, and I was accepting external connections, it would log it into the file system as stated above and I wouldn't have to specify logging for each facility, local4 in this specific case. Is it not correct to assume that since I have uncommented udp, all udp logging traffic would be defined by the s_all variable and forced to log the same as all other syslog data? Thanks again for all of your help.
You don't have to know which facility the PIX is logging with. However, as the first debugging step I recommend using tcpdump to be sure whether the PIX sends the log to the host properly or not. If the network packets seem to be OK, then see whether the hostname is correct in the packets or not. Maybe the PIX log ends up somewhere in the wrong system's log.

--
Sandor Geller
wildy@balabit.hu
Sandor,

Good suggestion, but I don't think it will work since syslog is UDP traffic. Also, it appears to be a very specific problem with our PIX firewall. This morning, our network engineer and I set up a half dozen other devices, routers and switches, and they are all logging without any issue. So for now, I'm going to chalk this up as an issue with the PIX IOS, and consider this issue closed.

Thanks again for everyone's help. This list is a true credit to the FOSS community.

Mark
-- "Knowledge is power and I like power." Cobra Bubbles, Lilo & Stitch
On Mon, May 15, 2006 at 10:25:41AM -0400, Mark R. White wrote:
Sandor, Good suggestion but I don't think it will work since syslog is UDP traffic.
Packets are packets. Run this on your syslog server:

    # tcpdump -i eth0 -n -s1500 -v udp port 514

Then send logs from your PIX. Then see what appears. No packets arriving at all is one problem; packets arriving with an unexpected source address is another.
Also, it appears to be a very specific problem with our PIX firewall. This morning, our network engineer and I, set up a half dozen other devices, routers and switches, and they are all logging without any issue. So for now, I'm going to chalk this up as an issue with the PIX IOS, and consider this issue closed.
That's not an obvious conclusion at all. Here we have several PIXes, running PIXOS 7.0 and 7.1, and we have no problems with syslog at all. The obvious other problems might be:

(1) The PIX is sending syslog packets, but the source IP address is not what you expected it to be. tcpdump will show you this.

(2) If tcpdump shows no packets arriving at all, then perhaps the PIX is sending them but they are being lost in transit (e.g. some other firewall in between, or the PIX is missing a static route which it would need to reach the syslog server).

However, it could also be PIX misconfiguration.

Regards,
Brian.
On Thu, May 11, 2006 at 06:54:16PM -0400, Mark R. White wrote:
I want to set up a syslog-ng server to do syslogging for my network. So far it's easy; the part I'm having trouble with, and I'm not even sure if it's possible, is I want to log by device to its own individual syslog file.
If "by device" you mean "by source IP address of the syslog packet", then you need the netmask() filter.

    netmask("10.1.2.3");                 -- match from this IP only
    netmask("10.1.0.0/255.255.0.0");     -- match from this netblock

Note that the current released syslog-ng has a bug where conditions like "not netmask(...)" are broken; they are treated as "netmask(...)".

HTH,
Brian.
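An added example, not from any of the posts above and not syslog-ng's own code: a small Python model of what the receiving daemon does with one datagram, to make concrete Valdis's answer about where $HOST comes from, Sandor's and Brian's advice to look at the hostname and source address actually in the packets, and Brian's netmask() filter. It assumes a simplified hostname heuristic (syslog-ng's real one is more elaborate), names facility codes 12 to 15 by their RFC 3164 role, uses Mark's file() template from his last post plus one per-device rule for 10.10.10.2 that I made up to mirror his corppix destination, and runs over constructed datagrams; the syslog-ng.conf fragment in the docstring is my rendering of that rule, not text from the thread.

```python
"""Added example, not code from the thread or from syslog-ng: a small model of
what the receiving daemon does with one UDP datagram, showing where $HOST and
$FACILITY come from, which file Mark's template produces, and how a netmask()
filter (keyed on the packet's source address) differs from $HOST (keyed on what
the sender put in the header). Datagrams are constructed. The per-device rule
modelled below is my rendering of Mark's corppix destination as syslog-ng.conf,
not text from the thread:
    filter f_corppix { netmask("10.10.10.2"); };
    destination d_corppix { file("/var/log/network/corppix/$FACILITY$YEAR$MONTH$DAY" create_dirs(yes)); };
    log { source(s_all); filter(f_corppix); destination(d_corppix); };
"""
import ipaddress
import re
from datetime import datetime

# RFC 3164 facility codes 0..23: 0..11 and 16..23 are the syslog(3) names used for
# $FACILITY; 12..15 are rarely seen and named by their RFC 3164 role (assumption).
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7")
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# <PRI>, an optional BSD timestamp ("May 14 04:55:33", day may be space padded), rest.
_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>"
                     r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) )?"
                     r"(?P<rest>.*)$", re.S)

TEMPLATE = "/var/log/network/$HOST/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY"  # Mark's template
DEVICE_RULES = [("10.10.10.2", "/var/log/network/corppix/$FACILITY$YEAR$MONTH$DAY")]  # assumed rule
RECV_TIME = datetime(2006, 5, 15, 10, 30, 0)  # the server's clock when the packet arrives


def parse_datagram(data, src_addr, recv_time):
    """Split one RFC 3164 datagram into PRI, timestamp, hostname and message.
    src_addr is the packet's source IP (what tcpdump shows); it becomes $HOST
    only when the header carries no hostname."""
    m = _HEADER.match(data.decode("utf-8", "replace"))
    if m is None or int(m["pri"]) > 191:
        raise ValueError("not a syslog datagram: %r" % data[:40])
    pri, rest = int(m["pri"]), m["rest"]
    # The token after the timestamp is HOSTNAME unless it already looks like the
    # message: a "tag[pid]:" or "tag:" program field, or a Cisco-style "%..." marker.
    # syslog-ng's real heuristic is more elaborate; this simplification is an assumption.
    token, _, msg = rest.partition(" ")
    if token and not token.startswith("%") and ":" not in token and "[" not in token:
        host, host_from = token, "header"
    else:
        host, host_from, msg = src_addr, "source-address", rest
    # A BSD timestamp carries no year; the receiver's clock supplies it.
    if m["ts"]:
        stamp = datetime.strptime("%d %s" % (recv_time.year, m["ts"]), "%Y %b %d %H:%M:%S")
    else:
        stamp = recv_time
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "host": host, "host_from": host_from, "stamp": stamp, "msg": msg, "src_addr": src_addr}


def destination_path(parsed, template):
    """Expand the $HOST, $FACILITY, $YEAR, $MONTH and $DAY macros of a file() path."""
    s = parsed["stamp"]
    for name, value in (("$HOST", parsed["host"]), ("$FACILITY", parsed["facility"]),
                        ("$YEAR", "%04d" % s.year), ("$MONTH", "%02d" % s.month), ("$DAY", "%02d" % s.day)):
        template = template.replace(name, value)
    return template


def netmask_matches(spec, src_addr):
    """netmask("10.1.2.3") matches one host, netmask("10.1.0.0/255.255.0.0") a
    netblock; both test the packet's source address, never the header hostname."""
    return ipaddress.ip_address(src_addr) in ipaddress.ip_network(spec, strict=False)


def route(data, src_addr, recv_time=RECV_TIME):
    """Paths by the $HOST template and by the first matching netmask() rule (or None)."""
    parsed = parse_datagram(data, src_addr, recv_time)
    by_device = None
    for spec, dev_template in DEVICE_RULES:
        if netmask_matches(spec, src_addr):
            by_device = destination_path(parsed, dev_template)
            break
    return {"by_host": destination_path(parsed, TEMPLATE), "by_device": by_device, "parsed": parsed}


# Constructed sample traffic: (datagram, source address it arrived from).
SAMPLES = [
    # Valdis's ntpd line: daemon.info, hostname present in the header
    (b"<30>May 14 04:55:33 turing-police ntpd[7200]: synchronized to 198.82.1.202, stratum 2", "192.0.2.10"),
    # local4.info (PRI 166 = 20*8 + 6) with timestamp and hostname; no facility had to be declared
    (b"<166>May 15 10:25:41 corppix %FW-6-1: constructed firewall line", "10.10.10.2"),
    # local4.info with neither timestamp nor hostname: $HOST falls back to the source address
    (b"<166>%FW-6-1: constructed line without timestamp or hostname", "10.10.10.2"),
    # header names a host you did not expect (Sandor's "ends up in the wrong system's log")
    (b"<166>May 15 10:26:02 fw-dmz %FW-6-1: constructed line with a surprising hostname", "10.10.10.2"),
]

if __name__ == "__main__":
    for data, src in SAMPLES:
        r = route(data, src)
        p = r["parsed"]
        print("%s  %s.%s  host=%s (from %s)" % (src, p["facility"], p["severity"], p["host"], p["host_from"]))
        print("    by $HOST:    %s\n    by netmask:  %s" % (r["by_host"], r["by_device"]))
```

Run it and compare the two paths for the last sample: by $HOST the line lands under fw-dmz, whatever box it came from, while the netmask() rule keys on the 10.10.10.2 source address that tcpdump would show you. The second and third samples also show why Mark never had to declare local4 anywhere: the facility is decoded from the PRI field of each packet and only decides the file name.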
participants (5)
- Brian Candler
- Mark R. White
- Nate Campi
- Sandor Geller
- Valdis.Kletnieks@vt.edu