[syslog-ng]Loghost can't see its own syslogs

Doug Hanks syslog-ng@lists.balabit.hu
Sun, 26 Sep 2004 14:20:28 -0700


Hello,

I have an interesting problem.  I have a loghost with the server name
FFLOGSVR.  Everything works wonderfully except that FFLOGSVR is not
logging its own messages: when I run the command "logger FFLOGSVR" on
FFLOGSVR itself, no entry appears in its syslog files.

I have attached my syslog-ng.conf for review.

Thank you in advance,

--
- Doug Hanks = dhanks(at)gmail(dot)com

# Syslog-ng (new generation) configuration file
# syslog.conf by Doug Hanks 9/25/04

# Global options
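options {
       # Retry a failed file/remote connection after 10 seconds.
       time_reopen (10);
       # Messages queued per destination before syslog-ng starts dropping;
       # a busy loghost feeding a slow program() destination may need more.
       log_fifo_size (1000);
       # Chained hostnames are OFF (was on).  With keep_hostname(no) below,
       # chaining would keep the hostname taken from inside the message as a
       # prefix ("original/sender"), which defeats the point of rewriting.
       long_hostnames (off);
       # Resolve sender addresses to names.  Reverse DNS is controlled by
       # whoever controls the sender's PTR record, so $HOST is informational
       # only; dns_cache(yes) keeps lookups from stalling the daemon.
       use_dns (yes);
       use_fqdn (no);
       create_dirs(yes);
       dns_cache(yes);
       # Was keep_hostname(yes).  That trusts the hostname field inside each
       # message, which any unauthenticated UDP sender can set freely, and
       # $HOST is spliced into a filesystem path by the loghost destination.
       # With keep_hostname(no) $HOST is derived from the sending address.
       # Only set it back to yes if you relay through a trusted forwarder
       # whose address must not replace the originating host's name.
       keep_hostname(no);
       # Log files hold authentication data: make the (documented default)
       # ownership and modes explicit so every file() destination gets them.
       owner(root);
       group(root);
       perm(0600);
       dir_perm(0700);
};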

# Define where the logs come from: the local /dev/log socket, syslog-ng's own internal() messages, and UDP port 514 from remote hosts
source gateway {
       # syslog-ng's own messages (startup, errors, statistics).
       internal();
       # Local messages from the syslog(3) socket.  If the loghost is Linux,
       # unix-dgram("/dev/log") is the conventional driver (not every
       # syslog(3)/logger implementation falls back between socket types);
       # on Solaris it is sun-streams("/dev/log").  Also check that the
       # vendor syslogd is stopped and not still holding /dev/log.  A wrong
       # driver here is the usual reason "logger" on the loghost itself
       # produces nothing while remote hosts log fine.
       unix-stream("/dev/log");
       # Remote hosts on UDP 514.  UDP syslog is unauthenticated and
       # trivially spoofed: firewall this port to the known client addresses.
       udp(port(514));
};

# Define some filters so we can break down the logs by facility

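# Authentication traffic.  This used to match facility(auth) only, while
# f_syslog, f_debug and f_messages all exclude authpriv, so authpriv
# messages (where sshd/su/sudo typically log) reached no per-facility file
# at all - only messages.all and the per-host files.  authpriv is included
# here so messages.auth is complete; keep that file's permissions tight.
filter f_auth { facility(auth, authpriv); };
# f_syslog, f_info, f_notice, f_warn, f_crit and f_err are defined but not
# referenced by any log statement below; harmless, kept for completeness.
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
# Not level-based despite the name: everything except the four facilities
# listed, so messages.debug largely duplicates messages.all.
filter f_debug { not facility(auth, authpriv, news, mail); };
# info, notice and warning from the remaining facilities.
filter f_messages { level(info..warn)
       and not facility(auth, authpriv, mail, news); };
# Only emerg reaches the console; alert/crit/err are not routed there.
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };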

# LogWatch
filter f_logwatch {
       # Plain substring matches: "su" also hits "sudo", "issue", "result",
       # "superuser" and so on, so this file is a superset of the su/ssh/sudo
       # files below (and match("sudo") is already implied by match("su")).
       # Acceptable if LogWatch does its own per-service parsing; tighten the
       # patterns if the file grows too fast.
       match("su") or
       match("ssh") or
       match("sudo");
};

# SU
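filter f_su_0 {
       # Successful su.  Account names may contain '.', '_' or '-', which the
       # old [a-zA-Z0-9]+ did not accept and so silently missed; match up to
       # the next space (or closing quote) instead.  The HP-UX pattern uses
       # [+] for a literal plus so it cannot be read as an ERE quantifier
       # regardless of how the config parser treats backslashes.
       match("su: from [^ ]+ to") or # AIX
       match("'su [^']+' succeeded for") or # Solaris
       match(": su : [+]"); # HPUX
};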

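filter f_su_1 {
       # Failed su - this feeds the e-mail alert, so a missed username is a
       # missed alert.  [^']+ accepts names with '.', '_' or '-' that the old
       # [a-zA-Z0-9]+ rejected; [-] is a literal minus, safe from backslash
       # handling in the config parser and unambiguous in ERE.
       match("su: BAD SU from") or # AIX
       match("'su [^']+' failed for") or # Solaris
       match(": su : [-]"); # HPUX
};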

# SSH
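filter f_ssh_0 {
       # Successful logins.  OpenSSH's "Accepted <method> for <user>" method
       # can be e.g. keyboard-interactive/pam, which [a-zA-Z0-9]+ never
       # matched, and usernames may contain '.', '_' or '-'; accept any
       # non-space run for both.  The SAP pattern is kept on ONE line: the
       # original was wrapped mid-string, which the config parser would reject.
       match("Accepted [^ ]+ for") or # AIX, Solaris, and HPUX
       match("[^ ]+ authentication for user [^ ]+ accepted"); # SAP
};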

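filter f_ssh_1 {
       # Failed logins - feeds the e-mail alert.  As with f_ssh_0, the auth
       # method (e.g. keyboard-interactive/pam) and the username may contain
       # characters outside [a-zA-Z0-9], so match any non-space run; the old
       # pattern silently dropped those failures.
       match("Failed [^ ]+ for") or # AIX, Solaris, and HPUX
       match("[^ ]+ authentication for user [^ ]+ failed"); # SAP
};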

# SUDO
# Every sudo message (success and failure).  Relies on match() being applied
# to the message text including the "sudo:" program prefix - true for this
# syslog-ng generation, verify if you upgrade.
filter f_sudo_0 { match("sudo:"); };
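# sudo refusals - feeds the e-mail alert.  Added the wrong-password case
# ("N incorrect password attempt(s)"), which sudo logs when a user gives up
# or exhausts retries and which the original filter did not alert on.
# Wording is that of sudo 1.6-era releases; check against your sudo.
filter f_sudo_1 {
       match("sudo:") and
       (
               match("command not allowed") or
               match("user NOT in sudoers") or
               match("incorrect password attempt")
       );
};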

# Define containers where you want to stuff the logs
# Everything from every source, unfiltered.  No perm() is given here, so the
# file takes the global/default mode - it must stay 0600 root-only, as this
# file contains all authentication traffic.
destination localhost { file("/usr/logs/syslog/messages.all"); };
destination loghost {
       # One directory per sending host, root-only.  $HOST is spliced straight
       # into a filesystem path: it is the name syslog-ng resolved for the
       # sender, or - with keep_hostname(yes) - whatever the sender wrote into
       # the message.  Only accept messages from hosts you trust, prefer
       # keep_hostname(no), and confirm your syslog-ng version sanitises
       # macros used in file() paths.
       file("/usr/logs/HOSTS/$HOST/messages" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

# Program template for alerts
destination fifo_alert {
       # program() starts this command once and writes one line per matching
       # message to its stdin.  That line carries attacker-influenced text
       # from the network, so the script must treat it as data only - never
       # splice it into a shell command line or a mail header.
       # template-escape(yes) only escapes quote characters (SQL-style); it is
       # not shell escaping.  Since forged UDP messages can trigger this at
       # will, rate-limit or batch the e-mails in the script so a flood cannot
       # bury real alerts or the mailbox.
       program("/usr/local/sbin/email-syslog-alert"
               template("$HOST:$PROGRAM:$MSG\n")
               template-escape(yes)
       );
};

# SU log
# Naming: *_0 receives successes (f_*_0), *_1 receives failures (f_*_1).
# No perm() here: these inherit the global/default mode, which must remain
# root-only since they contain authentication events.
destination su_0 { file("/usr/logs/syslog/messages.su0"); };
destination su_1 { file("/usr/logs/syslog/messages.su1"); };

# SSH logs (success / failure)
destination ssh_0 { file("/usr/logs/syslog/messages.ssh0"); };
destination ssh_1 { file("/usr/logs/syslog/messages.ssh1"); };

# SUDO logs (all / refusals)
destination sudo_0 { file("/usr/logs/syslog/messages.sudo0"); };
destination sudo_1 { file("/usr/logs/syslog/messages.sudo1"); };

# LogWatch input: superset of the su/ssh/sudo files (see f_logwatch)
destination logwatch { file("/usr/logs/syslog/logwatch.log"); };

# Regular syslogs
# Per-facility files; each is fed by the matching f_* filter below.
destination authlog { file("/usr/logs/syslog/messages.auth"); };
destination cron { file("/usr/logs/syslog/messages.cron"); };
destination daemon { file("/usr/logs/syslog/messages.daemon"); };
destination kern { file("/usr/logs/syslog/messages.kern"); };
# lpr is defined but nothing routes to it: there is no f_lpr filter and no
# log statement references it.
destination lpr { file("/usr/logs/syslog/messages.lpr"); };
destination user { file("/usr/logs/syslog/messages.user"); };
destination mail { file("/usr/logs/syslog/messages.mail"); };
destination debug { file("/usr/logs/syslog/messages.debug"); };
destination messages { file("/usr/logs/syslog/messages"); };
# Only f_emergency (level emerg) writes here.
destination console { file("/dev/console"); };

# Bring the sources, filters (if any) and destinations together in log statements (the stray "(read destination)" line was an unprefixed comment fragment and would be a syntax error)
# No log statement uses flags(final), so a message is delivered to every
# statement it matches: all of the files below are overlapping copies, not
# a partition.  Both of these take every message unfiltered.
log { source(gateway); destination(localhost); };
log { source(gateway); destination(loghost); };

# E-mail alerts: failed su, failed ssh login, sudo refusal.  Forged UDP
# messages can trigger these - see the note on fifo_alert.
log { source(gateway); filter(f_su_1); destination(fifo_alert); };
log { source(gateway); filter(f_ssh_1); destination(fifo_alert); };
log { source(gateway); filter(f_sudo_1); destination(fifo_alert); };

# su: successes to su_0, failures to su_1
log { source(gateway); filter(f_su_0); destination(su_0); };
log { source(gateway); filter(f_su_1); destination(su_1); };

# ssh: successes to ssh_0, failures to ssh_1
log { source(gateway); filter(f_ssh_0); destination(ssh_0); };
log { source(gateway); filter(f_ssh_1); destination(ssh_1); };

# sudo: everything to sudo_0, refusals additionally to sudo_1
log { source(gateway); filter(f_sudo_0); destination(sudo_0); };
log { source(gateway); filter(f_sudo_1); destination(sudo_1); };

# A master log of SSH, SUDO and SU for LogWatch (substring match, broad)
log { source(gateway); filter(f_logwatch); destination(logwatch); };

# Per-facility breakdown.  Note: destination lpr is never referenced, and
# authpriv reaches none of these unless f_auth includes it.
log { source(gateway); filter(f_auth); destination(authlog); };
log { source(gateway); filter(f_cron); destination(cron); };
log { source(gateway); filter(f_daemon); destination(daemon); };
log { source(gateway); filter(f_kern); destination(kern); };
log { source(gateway); filter(f_mail); destination(mail); };
log { source(gateway); filter(f_user); destination(user); };
log { source(gateway); filter(f_debug); destination(debug); };
log { source(gateway); filter(f_messages); destination(messages); };
# emerg only, straight to the console
log { source(gateway); filter(f_emergency); destination(console); };