[syslog-ng]New to the List.

Nicholas Bernstein syslog-ng@lists.balabit.hu
25 Mar 2003 12:13:07 -0800


First off, I wanted to say hello and introduce myself to everyone. I'm
new to using syslog-ng, but from the reading I've been doing over the
last day or two, it seems very nice. :) It's probably going to take me a
little while to get used to it though. 

I do have a few questions: 

1. Does anyone know of a syslog-ng rpm package that works with RedHat
7.3? I try to automate the setup of my servers, and installing from an
rpm only takes one line in the script per package as opposed to building
it from scratch, which is messier.

2. I want to set up two custom filters; one for ftpd* -> separate log
file and a second where all kernel messages about iptables logged
packets go. Does this look right?

** example of ftp log entry:
----------
Mar 25 11:39:33 da ftpd[6035]: FTP session closed
Mar 25 11:39:35 da ftpd[6231]: FTP LOGIN FROM www2.docmagic.com [192.168.210.22], webftp
---------

** example of kernel packet log entry:
---------
Mar 23 23:23:34 da2 kernel: IN=eth0 OUT= MAC=00:08:02:b0:67:c1:00:50:54:ff:12:6a:08:00 SRC=68.69.59.21 DST=192.168.210.13 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=43080 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=23547

Mar 23 23:23:34 da2 kernel: IN= OUT=eth0 SRC=192.168.210.13 DST=68.69.59.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55063 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=23547
---------

is this correct: 

destination ftpd { file("/var/log/ftpd.log"); };
destination firewall { file("/var/log/firewall.log"); };

# program() is a regular expression matched against the program name
# only (the part before the "[pid]:"), not against "program:message".
filter f_ftpd {
	program("^ftpd");
};

# Kernel messages arrive with program "kernel" because of the
# log_prefix("kernel: ") on the /proc/kmsg source; match() is then
# applied to the message text to keep only iptables packet logs.
filter f_firewall {
	program("^kernel")
		and match("(IN=eth0|IN= )");
};

log { source(src); filter(f_ftpd); destination(ftpd); };
log { source(src); filter(f_firewall); destination(firewall); };

-------------------
Also, I'm using the /syslog-ng-1.6.0rc1/contrib/syslog-ng.conf.RedHat to
get started. What are some of the general recommended additions to it?

-----
[nick@da2 syslog-ng]$ more syslog-ng.conf

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# 20000925 gb@sysfive.com
#
# Updated by Frank Crawford (<Frank.Crawford@ac3.com.au>) - 10 Aug 2002
#       - for Red Hat 7.3
#       - totally do away with klogd
#       - add message "kernel:" as is done with klogd.
#
# Updated by Frank Crawford (<Frank.Crawford@ac3.com.au>) - 22 Aug 2002
#       - use the log_prefix option as per Balazs Scheidler's email
#

options { sync (0);
          time_reopen (10);
          log_fifo_size (1000);
          long_hostnames (off);
          use_dns (no);
          use_fqdn (no);
          create_dirs (no);
          keep_hostname (yes);
        };

source s_sys { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };

filter f_filter1     { facility(kern); };
filter f_filter2     { level(info) and
                     not (facility(mail)
                        or facility(authpriv) or facility(cron)); };
filter f_filter3     { facility(authpriv); };
filter f_filter4     { facility(mail); };
filter f_filter5     { level(emerg); };
filter f_filter6     { facility(uucp) or
                     (facility(news) and level(crit)); };
filter f_filter7     { facility(local7); };
filter f_filter8     { facility(cron); };

#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };

-------

Thanks, look forward to hearing from you all,
Nick

-- 
+---------------------------------------------------------------+
| Nicholas Bernstein            | nick@docmagic.com             |
| UNIX Systems Administrator    | http://www.docmagic.com       |
| Document Systems Inc.         |                               |
+---------------------------------------------------------------+
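The two filters above can be checked offline against the quoted log lines before touching the running syslog-ng. The following is an added example, not code from the post or from the syslog-ng project; it assumes the 1.6 semantics that program() is a regex on the program name and match() a regex on the message text, and it uses constructed sample lines modelled on the ones quoted above.

```python
import re

# Constructed sample entries modelled on the lines quoted in the post,
# plus two that should reach neither destination.
SAMPLE_LINES = [
    "Mar 25 11:39:33 da ftpd[6035]: FTP session closed",
    "Mar 25 11:39:35 da ftpd[6231]: FTP LOGIN FROM www2.docmagic.com [192.168.210.22], webftp",
    "Mar 23 23:23:34 da2 kernel: IN=eth0 OUT= SRC=68.69.59.21 DST=192.168.210.13 PROTO=ICMP TYPE=8",
    "Mar 23 23:23:34 da2 kernel: IN= OUT=eth0 SRC=192.168.210.13 DST=68.69.59.21 PROTO=ICMP TYPE=0",
    "Mar 25 12:00:00 da2 kernel: usb 1-1: new device found",   # kernel, but not iptables
    "Mar 25 12:00:01 da2 sshd[1234]: Accepted password for nick",
]

# BSD syslog line: "timestamp host program[pid]: message" (pid optional).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def parse(line):
    """Split one line into its fields; None if it is not a syslog line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def program(pattern):          # syslog-ng program(): regex on program name
    rx = re.compile(pattern)
    return lambda rec: rx.search(rec["prog"]) is not None

def match(pattern):            # syslog-ng match(): regex on message text
    rx = re.compile(pattern)
    return lambda rec: rx.search(rec["msg"]) is not None

def both(*preds):              # the "and" between filter expressions
    return lambda rec: all(p(rec) for p in preds)

FILTERS = {
    "f_ftpd": program("^ftpd"),
    "f_firewall": both(program("^kernel"), match("(IN=eth0|IN= )")),
}
# log {} statements: (filter, destination); a message may hit several.
ROUTES = [("f_ftpd", "/var/log/ftpd.log"), ("f_firewall", "/var/log/firewall.log")]

def route(lines, filters=FILTERS, routes=ROUTES):
    """Return {destination: [lines that the filter let through]}."""
    out = {dest: [] for _, dest in routes}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                       # not parseable, skip
        for fname, dest in routes:
            if filters[fname](rec):
                out[dest].append(line)
    return out

if __name__ == "__main__":
    for dest, hits in route(SAMPLE_LINES).items():
        print(dest, len(hits))
```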