[syslog-ng]Ok, I think I've got it now...
Nijs, Daniel
NijsD@telergy.net
Mon, 06 Aug 2001 13:46:56 -0400
What I am interested in is which software package you are using to allow NT
machines to log to a syslog server. I have considered writing the app
myself (since I can not find a good free version), but was hoping there is
such thing as "free lunch" ;)
Best regards,
Dan
-----Original Message-----
From: Michael Hargadon [mailto:MHargadon@ITDepartment.com]
Sent: Friday, August 03, 2001 1:34 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: [syslog-ng]Ok, I think I've got it now...
Good afternoon.
Some time ago I posted a question about matching RegExes and filtering log
messages using Syslog-NG. After some investigation, I've determined the
following:
1) My regexp's are defined properly
2) Messages are being matched and diverted to the appropriate location
3) The matched messages are still showing up in /var/log/syslog anyways.
Since I'm attempting to monitor about fifty Windows NT computers I need some
way by which I can filter out the more useless messages (document x was
printed, some sucker logged off, etc.). My configuration is as follows:
options { long_hostnames(off); sync(0); };
source src { unix-stream("/dev/log"); internal(); udp(); file("/proc/kmsg");
};
destination authlog { file("/var/log/auth.log" owner("root") group("adm")
perm(0640)); };
destination syslog { file("/var/log/syslog" owner("root") group("adm")
perm(0640)); };
destination cron { file("/var/log/cron.log" owner("root") group("adm")
perm(0640)); };
destination daemon { file("/var/log/daemon.log" owner("root") group("adm")
perm(0640)); };
destination kern { file("/var/log/kern.log" owner("root") group("adm")
perm(0640)); };
destination lpr { file("/var/log/lpr.log" owner("root") group("adm")
perm(0640)); };
destination mail { file("/var/log/mail.log" owner("root") group("adm")
perm(0640)); };
destination user { file("/var/log/user.log" owner("root") group("adm")
perm(0640)); };
destination uucp { file("/var/log/uucp.log" owner("root") group("adm")
perm(0640)); };
destination null { file("/var/log/filtered" owner("root") group("root")
perm(0666)); };
destination mailinfo { file("/var/log/mail.info" owner("root") group("adm")
perm(0640)); };
destination mailwarn { file("/var/log/mail.warn" owner("root") group("adm")
perm(0640)); };
destination mailerr { file("/var/log/mail.err" owner("root") group("adm")
perm(0640)); };
destination debug { file("/var/log/debug" owner("root") group("adm")
perm(0640)); };
destination messages { file("/var/log/messages" owner("root") group("adm")
perm(0640)); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty8"); };
destination xconsole { pipe("/dev/xconsole"); };
destination ppp { file("/var/log/ppp.log" owner("root") group("adm")
perm(0640)); };
# Filters here
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn)
and not facility(auth, authpriv, cron, daemon, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon,
mail); };
filter ppp { facility(local2); };
# Begin NT Event Log Filters Here
# Successful Logon
# one sample only please
filter f_nt0014 { match("POP3 connection accepted from"); };
# Log destinations now please
log { source(src); filter(f_nt0014); destination(null); };
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
#log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice);
destination(newsnotice); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#log { source(src); filter(f_cnews); destination(console_all); };
#log { source(src); filter(f_cother); destination(console_all); };
log { source(src); filter(f_cnews); destination(xconsole); };
log { source(src); filter(f_cother); destination(xconsole); };
log { source(src); filter(ppp); destination(ppp); };
Now, if I receive a message as follows:
Aug 3 12:55:40 Mail Application 236515 Fri Aug 03 12:53:55 2001
1073818460 MSExchange Pop3 Interface N/A N/A Information
xxxxxxx POP3 connection accepted from xxx.xxx.xxx.xx
I'll see that message pop up in /var/log/filtered. I'll also see exactly
the same message pop up in /var/log/syslog. I know I've got to be
overlooking something quite obvious here -- can anyone offer any assistance
with this?
Regards,
Michael Hargadon
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng