[syslog-ng] Re: logging to another machine

Balazs Scheidler bazsi@balabit.hu
Thu, 19 Aug 1999 22:46:32 +0200


Hi,

On Mon, Aug 16, 1999 at 11:35:06AM -0400, Jamie Orzechowski wrote:
> Hi There ... I have your AWESOME syslog-ng installed and just have a few
> questions
> 
> 1) does it log TCP/UDP ?? .. so I can log port scans and attacks on my
> machine ...

syslog-ng listens on a UDP or TCP socket to get log messages from the
network. It's not a portscan detection tool. For portscan detection you
could use tcplogd or ippl.

> 2) I need a config line to send all the logs to another host (I have a backup
> logging host)

It's not a problem, but the needed source declaration depends on the
platform you are trying to run syslog-ng on. On a Linux box all local messages
are sent to a UNIX SOCK_STREAM socket named /dev/log. On other operating
systems, this can be something else. So to send all messages to another host
from a Linux system use:

source src { unix-stream("/dev/log"); internal(); };
destination all { udp("xxx.xxx.xxx.xxx"); };

log { source(src); destination(all); };

Substitute the IP address of your loghost for xxx.xxx.xxx.xxx. You could use
a hostname as well, but syslog-ng has to be able to resolve this name upon
startup (e.g. you have to include it in your /etc/hosts file).

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt
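The configuration below is an added example extending the answer above; it is not part of the original message. It shows both ends of the setup: the sending machine forwards everything to the backup loghost while still keeping a local copy (UDP forwarding gives no delivery feedback, so the local file is what you have if the loghost is unreachable), and the loghost accepts the messages from the network and files them per sending host. The two halves belong in the syslog-ng.conf of two different machines. The loghost address 192.0.2.10, the file paths and the use of the $HOST macro in the destination filename are assumptions, not values from the message.

```conf
# --- Sender: the Linux machine generating the logs -------------------------
# Local messages arrive on the /dev/log stream socket; internal() adds
# syslog-ng's own status messages.
source src { unix-stream("/dev/log"); internal(); };

# Keep a local copy in addition to forwarding: a UDP send is fire-and-forget,
# so if the loghost is down or the network drops packets, this file is the
# only record. (Path is an assumption.)
destination localfile { file("/var/log/messages"); };

# Forward to the backup loghost. 192.0.2.10 is a placeholder address; use the
# IP of your loghost, or a name syslog-ng can resolve at startup.
destination loghost { udp("192.0.2.10"); };

log { source(src); destination(localfile); };
log { source(src); destination(loghost); };

# --- Receiver: the backup loghost -----------------------------------------
# Listen for syslog messages arriving over UDP from the network.
source net { udp(); };

# Write each sender's messages to its own directory, using the $HOST macro
# (assumed available in this syslog-ng version) so hosts do not get mixed up.
destination remote { file("/var/log/remote/$HOST/messages"); };

log { source(net); destination(remote); };
```

After restarting syslog-ng on both machines, a quick check is to generate a message on the sender (for example with the logger command) and confirm it shows up both in the sender's local file and under the sender's hostname directory on the loghost; if only the local copy appears, name resolution or the network path to UDP port 514 is the first thing to look at.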