[syslog-ng] Host Separation

Balazs Scheidler bazsi@balabit.hu
Thu, 9 Dec 1999 11:27:31 +0100


> We run a rather large network, and are looking at running a secured
> machine for syslog, running syslog-ng hopefully.
> 
> Obviously, we want to separate out the log files for each host. Due to the
> number of hosts, this looks most easily done with the latest beta having
> the $HOST variable. So it's syslog-ng 1.3.6 on debian running 2.2.12 .
> 
> I made a rough fast configuration (see below). The idea is that the files
> end up in /syslog/hostname/file. Now, I've turned long_hostnames(on) which
> I guessed (docs are rather vague on most things) would make it use long
> host names for comparisons.

long_hostnames() means that each hop the message traverses gets
added to the host field:

Message on host1, from source src: src@host1
As this message is forwarded to host2, the _source_ hostname is appended:
src@host1/host1, then if it is again forwarded to host3:
src@host1/host1/host2 and so on.

This is needed if the message passes several firewalls. The $HOST macro
always uses the first hostname.

> To test, I didn't create the /syslog/name directories, and ran syslog-ng
> -d -v and it came up with "unable to open /syslog/max1/debug". Obviously
> this is incorrect as I wanted it to have a long host name. 
> 
> I thought the obvious method here, is to just remove hostnames all
> together, and use ip addresses (we use ip's for all radius related stuff,
> to stop dns dependency). So I remove resolv.conf and restart it with
> syslog-ng -d -v, this time it comes up with "unable to open
> /syslog/1.1.1.1/debug" which is fine.
> 
> So I create the directory 1.1.1.1 and restart the daemon, now it comes up
> with "unable to write to /syslog/1.1.1.1/debug, its a directory". I switch
> the names back on and try, and it writes the file fine under
> /syslog/max1/debug. Turn names off again, and once again it will not write
> the file.
> 
> Any ideas? Or is this a bug that may be fixed soon =) The program looks
> great from where I am standing, if I could sort out this problem.

If I understand the above correctly, if names can be resolved, everything
works well. If they cannot, syslog-ng gives you "unable to write to file,
because it's a directory".

> My other annoyance, is that it does partial name matches, unless there is
> some way to turn this off that I haven't come across. Even with ip
> addresses, using host(1.1.1.1) matches 1.1.1.1 and
> 1.1.1.10, 100, 101 etc.

You should use regular expressions here, host("^1\.1\.1\.1$") should match
only 1.1.1.1.

I would disable DNS, and add all logging hosts to the /etc/hosts file,
because otherwise syslog-ng may block on DNS lookups. Maybe I'll have to add
an option to disable DNS lookups completely, because it may easily lead to
DoS attacks. 

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt
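The partial-match problem and the anchored-regex fix discussed in this message, as an added example that is not part of the original mail or of syslog-ng itself. The script emulates how a host() filter argument is treated as a regular expression searched anywhere in the host field, shows what the unanchored pattern host(1.1.1.1) also matches (including hosts where the unescaped dots match arbitrary characters), and builds the anchored, escaped form from a plain host string. The host list is constructed for the example; host_filter_matches, exact_host_pattern, select_hosts and host_log_path are names chosen here, not syslog-ng functions.

```python
import re

# Constructed sample of values a syslog server might see in $HOST with DNS
# disabled (addresses) or enabled (names); chosen to expose partial matches.
SAMPLE_HOSTS = [
    "1.1.1.1",
    "1.1.1.10",
    "1.1.1.100",
    "11.1.1.1",
    "1x1y1z1",   # unescaped '.' in a pattern matches any character
    "max1",
    "max10",
]


def host_filter_matches(pattern, host):
    """Emulate syslog-ng's host() filter: the argument is a regular
    expression searched anywhere in the host field, so an unanchored
    pattern behaves like a substring match (the behaviour the poster hit).
    """
    return re.search(pattern, host) is not None


def exact_host_pattern(host):
    """Build the anchored, escaped pattern the reply recommends, e.g.
    '1.1.1.1' -> '^1\\.1\\.1\\.1$', so only that one host matches."""
    return "^" + re.escape(host) + "$"


def select_hosts(pattern, hosts=SAMPLE_HOSTS):
    """Return the hosts a filter with the given pattern would let through."""
    return [h for h in hosts if host_filter_matches(pattern, h)]


def host_log_path(root, host, logfile):
    """Emulate a destination like file("/syslog/$HOST/debug") by
    substituting the host field into the per-host directory layout."""
    return f"{root}/{host}/{logfile}"


if __name__ == "__main__":
    # Unanchored, unescaped: over-matches, so logs from 1.1.1.10 etc. would
    # be routed by a filter meant for 1.1.1.1 alone.
    print("host(1.1.1.1) matches:", select_hosts("1.1.1.1"))
    # Anchored and escaped: exactly one host.
    print("host(^1\\.1\\.1\\.1$) matches:", select_hosts(exact_host_pattern("1.1.1.1")))
    print("per-host path:", host_log_path("/syslog", "1.1.1.1", "debug"))
```

The same anchoring applies to names: host("max1") would also pass max10, while exact_host_pattern("max1") passes only max1. When a filter selects a host by a literal string, generate the filter text from exact_host_pattern() rather than writing the regex by hand, so the dots are always escaped.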