[syslog-ng]Syslog-ng conf file
Leonard Mills
syslog-ng@lists.balabit.hu
Wed, 13 Oct 2004 20:07:46 +0000
Sp0ng3b0b <sp0ng3b0b@sbcglobal.net> wrote:
>I would like to see some examples.
Attached is one that I use.
Enjoy!
Len
Content-Type: text/plain ; name="syslog-ng.conf"; charset=us-ascii
Content-Description: syslog-ng.conf
Content-Disposition: attachment; filename="syslog-ng.conf"
#
# Syslog-ng example configuration for Debian GNU/Linux
#
# Copyright (c) 1999 anonymous
# Copyright (c) 1999 Balazs Scheidler
# $Id: syslog-ng.conf,v 1.5 2004/05/07 23:19:26 llam Exp llam $
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.
#
# OPTIONS
options {
# sync(0): no write buffering, every message is flushed to its file as it
# arrives.
sync(0);
# Seconds to wait before a failed destination is reopened.
time_reopen (10);
# Output queue length per destination; messages beyond this are dropped.
log_fifo_size (1000);
# Do not accumulate the hostnames of relaying hosts in $HOST.
chain_hostnames(no);
# No reverse DNS on the sender address. This avoids blocking lookups and
# keeps untrusted network input from driving DNS queries; for remote
# senders $HOST is presumably the bare IP address as a result -- confirm.
use_dns (no);
# NOTE(review): use_fqdn(yes) only has something to act on when a name is
# resolved; with use_dns(no) it appears to have no visible effect here.
use_fqdn(yes);
# Garbage-collection thresholds (idle / busy).
gc_idle_threshold(100);
gc_busy_threshold(3000);
};
# SOURCE
# Three inputs: the local log socket (/var/run/log is the BSD-style path;
# a Debian syslogd uses /dev/log -- verify for the target host), syslog-ng's
# own internal() messages, and plain UDP syslog bound to every interface.
# UDP syslog carries no authentication and the sender address is easily
# forged, so reachability of port 514 should be limited by a host/network
# packet filter, and the $HOST / program / message fields used by the
# filters below should be treated as untrusted input.
source src { unix-dgram("/var/run/log"); internal(); udp(ip(0.0.0.0) port(514));};
# DESTINATION
# Most file destinations share one template that records the receive date,
# sender, program and the facility/priority pair in front of the message.
# No owner()/group()/perm() options are given, so files are created with
# syslog-ng's defaults -- confirm the /c1/logs tree is not world-readable,
# since authentication, mail and firewall logs land there.
destination 3dns { file("/c1/logs/3dns.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination auth { file("/c1/logs/authlog" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination authcrit { file("/c1/logs/auth.crit" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination cacheflow { file("/c1/logs/cacheflow.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
# The destinations without a template() use syslog-ng's default line format.
destination ces600 { file("/c1/logs/ces600.log"); };
destination cisco { file("/c1/logs/ciscolog"); };
destination ciscocrit { file("/c1/logs/cisco.crit"); };
# Written to root's terminal when logged in (used for emergencies).
destination console { usertty("root"); };
destination cron { file("/var/log/cron" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination daemon { file("/c1/logs/daemon.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
# Target of the fallback rule: everything no other rule claimed.
destination default { file("/c1/logs/default.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination inetd { file("/c1/logs/inetd.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination kern { file("/c1/logs/kern.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination lpr { file("/var/log/lpd-errs" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination mail { file("/c1/logs/maillog"); };
destination mailcrit { file("/c1/logs/mail.crit" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination messages { file("/c1/logs/messages" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination netscreen { file("/c1/logs/netscreen.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination named { file("/c1/logs/named.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination namedcrit { file("/c1/logs/named.crit" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination news { file("/var/log/news/news.log"); };
destination pix { file("/c1/logs/pixlog"); };
destination pixcrit { file("/c1/logs/pix.crit"); };
destination proxy { file("/var/log/proxynet" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination radiusd { file("/c1/logs/radiusd.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
# Only $MSG is kept here: the receive date and the sender are dropped, so
# entries are attributable only if the device's own text carries them.
destination raptor { file("/c1/logs/raptorlog" template("$MSG\n")); };
destination sshd { file("/c1/logs/sshd.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination syslog-ng { file("/c1/logs/syslog-ng.log" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
destination tacacs { file("/c1/logs/tacacs" template("$DATE $HOST $PROGRAM: [$FACILITY.$PRIORITY] $MSG\n")); };
# NOTE(review): "trash" is a regular file, not /dev/null. Messages routed
# here (the f_pix_ignore rule) are retained and the file grows without
# bound; presumably intended as a record of what was discarded -- confirm.
destination trash { file("/c1/logs/null");};
destination vpn { file("/c1/logs/vpnlog"); };
# FILTER
# host() takes a regular expression and these patterns are neither anchored
# nor dot-escaped: "." matches any character, so host(43.131.5.12) would also
# accept a sender named 43.131.5.120 through 43.131.5.129. Harmless unless
# such neighbouring addresses exist on the network; escape and anchor the
# patterns if they do.
filter f_3dns { host(43.134.1.132) or host(43.134.1.133) or
host(43.144.86.132) or host(43.144.86.133); };
# Not referenced by any log {} statement in this file (f_authpriv is used).
filter f_auth { facility(auth); };
# Authentication problems at err and above (routed before any final rule).
filter f_authcrit { facility(auth,authpriv) and level(err,crit,alert,emerg); };
filter f_authpriv { facility(auth, authpriv); };
# Selected either by the product string in the message text or by sender.
filter f_cacheflow { match( CacheOS) or host(43.134.0.33) or host(43.134.0.35) or
host(43.131.5.12) or host(43.130.1.20) or host(43.191.32.32) or
host(43.146.0.9) or host(43.146.0.6) or host(43.136.15.21) or
host(43.136.15.20) or host(43.155.1.6) or host(43.155.1.5) or
host(43.144.73.28) or host(43.144.73.179); };
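# Cisco (local7) traffic minus the per-packet ACL log lines; the remaining
# device events go to cisco.crit (that log rule is not final, so they are
# also written to ciscolog by the local7 rule).
filter f_ciscocrit { facility(local7) and not match(IPACCESSLOGP) and not match(IPACCESSLOGDP)
and not match(IPACCESSLOGNP); };
# Defined but not referenced by any log {} statement in this file.
filter f_console { level(err) or facility(kern) or (facility(auth) and level(notice))
or facility(mail) ; };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
# Defined but not referenced by any log {} statement in this file.
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_emergency { level(emerg); };
# Catch-all feeding the "messages" file from the "rest" rules.
filter f_glob { level(notice) or facility(auth) or (facility(kern) and level(debug))
or facility(daemon) or facility(news) or facility(local7) ; };
filter f_kern { facility(kern); };
# local0..local7 are mapped to per-device files by the "exact rules";
# local6 is defined here but not used by any log {} statement.
filter f_local0 { facility(local0); };
filter f_local1 { facility(local1); };
filter f_local2 { facility(local2); };
filter f_local3 { facility(local3); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };
# NOTE(review): only level(info) is selected although the destination is
# /var/log/lpd-errs; lpr warnings and errors therefore fall through to the
# messages / fallback files instead. Presumably unintended -- confirm.
filter f_lpr { facility(lpr) and level(info); };
filter f_mail { facility(mail); };
# Parenthesised to make the intended grouping explicit: sendmail problems at
# err and above, plus any message mentioning WorkList. syslog-ng evaluates
# "and" before "or", so the selection itself is unchanged.
filter f_mailcrit { (program(sendmail) and level(err,crit,alert,emerg)) or match(WorkList); };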
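# Defined but not referenced by any log {} statement in this file.
filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_news { facility(news); };
# Select by the syslog program tag instead of a substring of the message:
# match( named) also fired on text such as "renamed"/"unnamed" or on another
# daemon talking about named, and because the log rule using this filter is
# final those lines were diverted to named.log and never reached messages.
filter f_named { program(named); };
filter f_namedcrit { program(named) and level(crit,alert,emerg); };
# PIX 106023 (ACL deny) events for destination ports 135-139, 80 and 445 are
# discarded on purpose as noisy scan/worm traffic -- a deliberate detection
# blind spot for exactly those ports, so keep that in mind when hunting.
# Each port is followed by [^0-9] so that "/80" no longer also swallows
# /800 or /8080, "/445" no longer swallows /4450, and so on; this relies on
# the 106023 text continuing after the port (" by access-group ...").
filter f_pix_ignore { match("%PIX-4-106023:.*/13[5-9][^0-9]") or match("%PIX-4-106023:.*/80[^0-9]") or match("%PIX-4-106023:.*/445[^0-9]"); };
# Everything from the PIX that survived the ignore rule.
filter f_pix { match( %PIX-); };
# PIX severities 0-3 (emergencies, alerts, critical, errors).
filter f_pixcrit { match( %PIX-3-) or match( %PIX-2-) or
match( %PIX-1-) or match( %PIX-0-); };
# program() rather than a substring match, for the same reason as f_named:
# the log rules for these three are final, so a message from any other
# process that merely mentioned radiusd/sshd/syslog-ng was captured here.
filter f_radiusd { facility(daemon) and program(radiusd); };
filter f_sshd { program(sshd); };
# Defined but not referenced by any log {} statement in this file.
filter f_syslog { not facility(authpriv, mail); };
filter f_syslog-ng { program(syslog-ng); };
#filter f_trash { match("connect from hpntbox1.corpnet.sel.sony.com"); };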
# LOG
# for e-Security (don't use final keyword)
# Not final: these copy critical events into dedicated files and then let
# the message continue to the rules below, so it also reaches the normal
# per-device / per-program logs and the messages file.
log { source(src); filter(f_mailcrit); destination(mailcrit); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_authcrit); destination(authcrit); };
log { source(src); filter(f_pixcrit); destination(pixcrit); };
log { source(src); filter(f_namedcrit); destination(namedcrit); };
#
# exact rules (with final)
#log { source(src); filter(f_trash); destination(trash); flags(final); };
# Order matters from here on: each final rule stops further processing of
# the message, so a message claimed here never reaches the "rest" rules or
# the fallback file.
log { source(src); filter(f_3dns); destination(3dns); flags(final); };
log { source(src); filter(f_local0); destination(proxy); flags(final); };
log { source(src); filter(f_local1); destination(netscreen); flags(final); };
log { source(src); filter(f_local2); destination(raptor); flags(final); };
log { source(src); filter(f_local3); destination(ces600); flags(final); };
log { source(src); filter(f_local4); destination(vpn); flags(final); };
log { source(src); filter(f_local5); destination(tacacs); flags(final); };
# Deliberate discard of the noisy PIX deny events selected by f_pix_ignore.
# Final and placed before the f_pix rule, so those events appear in neither
# pixlog nor messages -- only in the "trash" file.
log { source(src); filter(f_pix_ignore); destination(trash); flags(final); };
log { source(src); filter(f_pix); destination(pix); flags(final); };
# Not final on purpose: Cisco device events are written to cisco.crit and
# then fall through to the local7 rule and ciscolog.
log { source(src); filter(f_ciscocrit); destination(ciscocrit); };
log { source(src); filter(f_local7); destination(cisco); flags(final); };
log { source(src); filter(f_named); destination(named); flags(final); };
log { source(src); filter(f_radiusd); destination(radiusd); flags(final); };
log { source(src); filter(f_sshd); destination(sshd); flags(final); };
log { source(src); filter(f_syslog-ng); destination(syslog-ng); flags(final); };
log { source(src); filter(f_cacheflow); destination(cacheflow); flags(final); };
# the rest
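# None of these is final, so one message may be written by several of them
# (e.g. an auth notice goes to authlog and, via f_glob, to messages).
log { source(src); filter(f_authpriv); destination(auth); };
# Emergencies are also shown on root's terminal.
log { source(src); filter(f_emergency); destination(console); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_news); destination(news); };
log { source(src); filter(f_daemon); destination(daemon); };
# This rule was listed twice, which wrote every f_glob message to the
# messages file twice; one copy is enough.
log { source(src); filter(f_glob); destination(messages); };
log { source(src); filter(f_cron); destination(cron); };
# Fallback
# Anything no rule above matched ends up in default.log.
log { source(src); destination(default); flags(fallback); };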
#log { source(src); filter(f_authpriv); destination(authlog); };
#log { source(src); filter(f_syslog); destination(syslog); };
#log { source(src); filter(f_user); destination(user); };
#log { source(src); filter(f_uucp); destination(uucp); };
#log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
#log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
#log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
#log { source(src); filter(f_debug); destination(debug); };
#log { source(src); filter(f_messages); destination(messages); };
#log { source(src); destination(console_all); };