[syslog-ng]config file

Smith, James syslog-ng@lists.balabit.hu
Thu, 31 Mar 2005 14:45:47 -0500


This is my server config file:

#
# Syslog-ng configuration file. Originally written by anonymous (I can't
find
# his name) Revised, and rewrited by me (SZALAY Attila <sasa@debian.org>)
# revised again by Nate Campi <nate at campin dot net>

###############################################################
# First, set some global options.

options { 
#	use_fqdn(yes); 
#	use_dns(yes); 
#	dns_cache(yes); 
	create_dirs (yes);
	keep_hostname(yes); 
	long_hostnames(on); 
	sync(1); 
	log_fifo_size(1024); 
	use_dns (yes);
};

###############################################################
#
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
#source src { unix-stream("/dev/log"); internal(); };


source src { 
#	don't read from /proc/kmsg and run klogd also (Linux)
#	pipe("/proc/kmsg"); 
#	file("/proc/kmsg") log_prefix("kernel: "); 
	sun-streams("/dev/log" door("/etc/.syslog_door")); 
#	unix-stream("/dev/log"); 
#	unix-stream("/chroot/named/dev/log"); 
	internal(); 
#	udp();
#	udp(ip("10.0.5.8") port(514)); 
#	tcp(port(5140) keep-alive(yes)); 
#	tcp(ip("10.9.9.3") port(5140) keep-alive(yes)); 
};

source net {
	tcp(port(5140) keep-alive(yes) max_connections(100)); 
};

###############################################################
# After that set destinations.

# First some standard logfile
#
destination authlog { file("/var/log/auth.log"); };
destination bootlog { file("/var/log/boot.log"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination debug { file("/var/log/debug"); };
destination explan { file("/var/log/explanations"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination messages { file("/var/adm/messages"); };
destination routers { file("/var/log/routers.log"); };
destination secure { file("/var/log/secure"); };
destination spooler { file("/var/log/spooler"); };
destination syslog { file("/var/log/syslog"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };

destination mail { file("/var/log/mail.log"); };
destination maillog { file("/var/log/maillog"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };

destination console { usertty("root"); };

destination console_all { file("/dev/tty8"); };

filter f_attack_alert { 
	match("attackalert"); 
};

filter f_ssh_login_attempt { 
	program("sshd.*") 
	and match("(Failed|Accepted)") 
	and not match("Accepted (hostbased|publickey) for (root|zoneaxfr)
from (10.4.3.1)"); 
};

#filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth) and not facility(mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(cron); };
#filter f_general { facility(*); }; 

#filter f_news { facility(news); };

filter f_debug { not facility(auth, mail); };
filter f_messages { level(info .. warn) 
	and not facility(auth, cron, daemon, mail); };
filter f_emergency { level(emerg); };

filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

#filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon,
mail); };

###############################################################
#
# log statements actually send logs somewhere, to a file, across the
network, etc
#

#log { source(src); filter(f_authpriv); destination(authlog); };
#log { source(src); filter(f_authpriv); destination(syslog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_daemon); destination(messages); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_kern); destination(messages); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_user); destination(messages); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); destination(maillog); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
#log { source(src); filter(f_news); filter(f_crit); destination(newscrit);
};
#log { source(src); filter(f_news); filter(f_err); destination(newserr); };
#log { source(src); filter(f_news); filter(f_notice);
destination(newsnotice); };
#log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#log { source(src); filter(f_general); destination(messages); };
log { source(src); filter(f_cother); destination(messages); };

destination net_authlog { file("/uag/HOSTS/$HOST/auth.log"); };
destination net_bootlog { file("/uag/HOSTS/$HOST/boot.log"); };
destination net_cron { file("/uag/HOSTS/$HOST/cron.log"); };
destination net_daemon { file("/uag/HOSTS/$HOST/daemon.log"); };
destination net_debug { file("/uag/HOSTS/$HOST/debug"); };
destination net_explan { file("/uag/HOSTS/$HOST/explanations"); };
destination net_kern { file("/uag/HOSTS/$HOST/kern.log"); };
destination net_lpr { file("/uag/HOSTS/$HOST/lpr.log"); };
destination net_messages { file("/uag/HOSTS/$HOST/messages"); };
destination net_routers { file("/uag/HOSTS/$HOST/routers.log"); };
destination net_secure { file("/uag/HOSTS/$HOST/secure"); };
destination net_spooler { file("/uag/HOSTS/$HOST/spooler"); };
destination net_syslog { file("/uag/HOSTS/$HOST/syslog"); };
destination net_user { file("/uag/HOSTS/$HOST/user.log"); };
destination net_uucp { file("/uag/HOSTS/$HOST/uucp.log"); };

# This files are the log come from the mail subsystem.
#
destination net_mail { file("/uag/HOSTS/$HOST/mail.log"); };
destination net_maillog { file("/uag/HOSTS/$HOST/maillog"); };
destination net_mailinfo { file("/uag/HOSTS/$HOST/mail.info"); };
destination net_mailwarn { file("/uag/HOSTS/$HOST/mail.warn"); };
destination net_mailerr { file("/uag/HOSTS/$HOST/mail.err"); };
destination net_console { usertty("root"); };
destination net_console_all { file("/dev/tty8"); };
destination net_dump { file("/uag/HOSTS/dump2/syslog"); };

filter net_f_attack_alert { 
	match("attackalert"); 
};

filter net_f_ssh_login_attempt { 
	program("sshd.*") 
	and match("(Failed|Accepted)") 
	and not match("Accepted (hostbased|publickey) for (root|zoneaxfr)
from (10.4.3.1)"); 
};

filter net_f_syslog { not facility(auth) and not facility(mail); };
filter net_f_cron { facility(cron); };
filter net_f_daemon { facility(daemon); };
filter net_f_kern { facility(kern); };
filter net_f_lpr { facility(lpr); };
filter net_f_mail { facility(mail); };
filter net_f_user { facility(user); };
filter net_f_uucp { facility(cron); };
#filter net_f_general { facility(*); }; 
filter net_f_debug { not facility(auth, mail); };
filter net_f_messages { level(info .. warn) 
	and not facility(auth, cron, daemon, mail); };
filter net_f_emergency { level(emerg); };
filter net_f_info { level(info); };
filter net_f_notice { level(notice); };
filter net_f_warn { level(warn); };
filter net_f_crit { level(crit); };
filter net_f_err { level(err); };
filter net_f_cother { level(debug, info, notice, warn) or facility(daemon,
mail); };

###############################################################
#
# log statements actually send logs somewhere, to a file, across the
network, etc
#
#log { source(net); filter(net_f_authpriv); destination(net_authlog); };
#log { source(net); filter(net_f_authpriv); destination(net_syslog); };
log { source(net); filter(net_f_syslog); destination(net_syslog); };
log { source(net); filter(net_f_cron); destination(net_cron); };
log { source(net); filter(net_f_daemon); destination(net_daemon); };
log { source(net); filter(net_f_daemon); destination(net_messages); };
log { source(net); filter(net_f_kern); destination(net_kern); };
log { source(net); filter(net_f_kern); destination(net_messages); };
log { source(net); filter(net_f_lpr); destination(net_lpr); };
log { source(net); filter(net_f_mail); destination(net_mail); };
log { source(net); filter(net_f_user); destination(net_user); };
log { source(net); filter(net_f_user); destination(net_messages); };
log { source(net); filter(net_f_uucp); destination(net_uucp); };
log { source(net); filter(net_f_mail); destination(net_maillog); };
log { source(net); filter(net_f_mail); filter(net_f_info);
destination(net_mailinfo); };
log { source(net); filter(net_f_mail); filter(net_f_warn);
destination(net_mailwarn); };
log { source(net); filter(net_f_mail); filter(net_f_err);
destination(net_mailerr); };
#log { source(net); filter(net_f_news); filter(net_f_crit);
destination(net_newscrit); };
#log { source(net); filter(net_f_news); filter(net_f_err);
destination(net_newserr); };
#log { source(net); filter(net_f_news); filter(net_f_notice);
destination(net_newsnotice); };
#log { source(net); filter(net_f_debug); destination(net_debug); };
log { source(net); filter(net_f_messages); destination(net_messages); };
log { source(net); filter(net_f_emergency); destination(net_console); };
log { source(net); filter(net_f_cother); destination(net_messages); };


# send everything to loghost, too
log {
        source(net);
        destination(net_dump);
};