[syslog-ng] Configure syslog-ng to act as a central logging server
Ryan McCain
syslog-ng@lists.balabit.hu
Thu, 31 Mar 2005 10:27:13 -0600
I will be logging from 10 firewalls, 20 linux boxes, 2 routers and a
handful of workstations. Will this configuration file do the trick?
source s_sys {
    file("/proc/kmsg" log_prefix("kernel: "));
    unix_stream("/dev/log");
    internal();
};

destination hosts {
    file("/var/syslog/HOSTS/$HOST/$YEAR/$MONTH/$HOST-$FACILITY-$YEAR$MONTH$DAY"
         owner(root) group(root) perm(0755) dir_perm(0755) create_dirs(yes));
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and
                   not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };

#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
log { source(s_sys); destination(hosts); };
Thanks,
Ryan
>>>Bill Nash <billn@billn.net> 03/31 10:26 am >>>
You'll need a log() directive that includes the destination.
The basic path is:
Log Source -> Optional Filter -> Destination.
- billn
On Thu, 31 Mar 2005, Ryan McCain wrote:
>Bill,
>
>So I can simply add this to my conf. file (modifying owner, group, perm,
>dir_perm of course) and it will start accepting logs from remote
>servers?
>
>
>Where do I specify which hosts to accept logs from (I'd prefer not to
>use tcp wrappers)?
>
>Thanks again,
>Ryan
>
>>>>Bill Nash <billn@billn.net> 03/31 10:15 am >>>
>On Thu, 31 Mar 2005, Ryan McCain wrote:
>
>>I'm starting to understand the syntax. However, what part of this
>>statement tells syslog-ng to create a file for each host it's receiving
>>logs from?
>
>>destination hosts {
>>file("/var/syslog/HOSTS/$HOST/$YEAR/$MONTH/$HOST-$FACILITY-$YEAR$MONTH$DAY"
>>owner(bob) group(llamafood) perm(0755) dir_perm(0755) create_dirs(yes));
>
>
>If the file doesn't exist, it will be created. If the directory doesn't
>exist, you need the create_dirs directive.
>
>- billn
>
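The configuration posted above declares only local sources (/proc/kmsg, /dev/log, internal()), so on its own it receives nothing from the firewalls and routers. The fragment below is an added example, not part of this thread, showing the three pieces a central syslog-ng collector of that era needs: a network source, a netmask() filter that restricts senders by subnet without tcp wrappers, and the per-host destination; the listener address 192.0.2.10, the two subnets, and the connection count are placeholders.

```conf
# Added example: central syslog-ng collector (syslog-ng 1.6-era syntax).
# Placeholders: 192.0.2.10 is the collector's own address; the two
# netmask() subnets are where the firewalls, routers and Linux boxes live.
options {
    keep_hostname(no);    # $HOST comes from the sending address, not from the
    use_dns(no);          # hostname field inside the message, and no DNS lookups
    chain_hostnames(no);  # do not prepend relay names to $HOST
    create_dirs(yes);
    dir_perm(0750);
    perm(0640);           # log files need not be world-readable or executable
};

# Messages from the collector itself.
source s_local {
    file("/proc/kmsg" log_prefix("kernel: "));
    unix_stream("/dev/log");
    internal();
};

# Remote messages. Bind to one interface only: UDP for routers and firewalls
# that can send nothing else, TCP for the Linux boxes.
source s_remote {
    udp(ip(192.0.2.10) port(514));
    tcp(ip(192.0.2.10) port(514) max_connections(40));
};

# Accept remote messages only from the listed subnets. netmask() matches on
# the sender's IP address, so it does the job tcp wrappers would; it runs
# after the packet has been received, so a host firewall rule still belongs
# in front of it.
filter f_trusted {
    netmask(192.0.2.0/24) or netmask(198.51.100.0/24);
};

# One file per host, facility and day; with use_dns(no) $HOST is the sender IP.
destination d_hosts {
    file("/var/syslog/HOSTS/$HOST/$YEAR/$MONTH/$HOST-$FACILITY-$YEAR$MONTH$DAY"
         owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes));
};

log { source(s_remote); filter(f_trusted); destination(d_hosts); };
log { source(s_local);  destination(d_hosts); };
```

Setting use_dns(yes) together with dns_cache(yes) would name the per-host directories after the resolved hostname instead of the address, at the cost of a lookup per new sender.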