[syslog-ng] Having hostname and sender's IP address in header
Worsham, Michael
mworsham at SCIRES.COM
Tue Oct 26 01:57:08 CEST 2010
Umm... what? Totally lost me there.
---
Attached is the syslog-ng.conf that is currently running on the DCS/Syslog server (the data repository):
@version: 3.0
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
options {
chain_hostnames(no);
time_reopen(10);
time_reap(360);
log_fifo_size(1000);
group(adm);
perm(0644);
dir_perm(0755);
use_dns(yes);
use_fqdn(yes);
create_dirs(yes);
keep_hostname(no);
log_msg_size(32768);
stats_freq(0);
flush_lines(0);
};
#
# Connectivity needs, TLS encryption also available
#
source s_localhost {
file ("/proc/kmsg" program_override("kernel: "));
unix-stream ("/dev/log");
internal();
};
source s_general {
tcp(ip(10.153.29.235) port (514) max-connections(1000) );
};
source s_weblogic {
tcp(ip(10.153.29.235) port (515) max-connections(1000) );
};
source s_apache {
tcp(ip(10.153.29.235) port (516) max-connections(1000) );
};
source s_windows {
tcp(ip(10.153.29.235) port (517) max-connections(1000) );
};
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"
template("$DATE $HOST <$FACILITY.$PRIORITY> $MSG\n")
template_escape(no)
);
};
destination d_auth {
file("/var/log/secure"
template("$DATE $HOST <$FACILITY.$PRIORITY> $MSG\n")
template_escape(no)
);
};
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };
filter notdebug { level(info...emerg); };
filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
not (facility(mail)
or facility(authpriv)
or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
(facility(news)
and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };
#
# Filters needed for RHEL platforms
#
filter M_audit { not message("Audit daemon rotating log files"); };
filter M_repeat { not message("last message repeated"); };
filter M_stats { not message("Log statistics"); };
filter M_cron { not message("CMD"); };
filter M_snmp { not message("SNMP"); };
filter M_snmp2 { not message("UDP"); };
filter windows { program(MSWinEventLog); };
#log { source(s_localhost); filter(f_kernel); destination(d_cons); };
log { source(s_localhost); filter(f_kernel); destination(d_kern); };
log { source(s_localhost); filter(f_default); filter(M_snmp); filter(M_snmp2); destination(d_mesg); };
log { source(s_localhost); filter(f_auth); destination(d_auth); };
log { source(s_localhost); filter(f_mail); destination(d_mail); };
log { source(s_localhost); filter(f_emergency); destination(d_mlal); };
log { source(s_localhost); filter(f_news); destination(d_spol); };
log { source(s_localhost); filter(f_boot); destination(d_boot); };
log { source(s_localhost); filter(f_cron); destination(d_cron); };
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
#
# Destinations for storing data logs
#
destination d_general {
file ("/var/log/syslog/general/$HOST/$FULLHOST-$MONTH.$DAY.$YEAR.log"
template("$DATE $HOST <$FACILITY.$PRIORITY> $MSGHDR $MSG\n")
template_escape(no)
);
};
destination d_weblogic {
file ("/var/log/syslog/weblogic/$HOST/$FULLHOST-$MONTH.$DAY.$YEAR.log");
};
destination d_apache {
file ("/var/log/syslog/apache/$HOST/$FULLHOST-$MONTH.$DAY.$YEAR.log");
};
destination d_windows {
file("/var/log/syslog/windows/$HOST/$FULLHOST-$MONTH.$DAY.$YEAR.log"
template("$DATE <$FACILITY.$PRIORITY> $HOST $MSGHDR $MSG\n")
template_escape(no)
);
};
destination d_tripwire_udp {
udp("10.153.29.249" port (514));
};
#
# How to log and apply filters, if necessary
#
log { source(s_localhost);
filter(M_audit);
filter(M_repeat);
filter(M_stats);
filter(M_cron);
filter(M_snmp);
filter(M_snmp2);
filter(notdebug);
destination(d_general);
};
log { source(s_general);
filter(M_audit);
filter(M_repeat);
filter(M_stats);
filter(M_cron);
filter(M_snmp);
filter(M_snmp2);
destination(d_general);
destination(d_tripwire_udp);
};
log { source(s_weblogic);
destination(d_weblogic);
};
log { source(s_apache);
destination(d_apache);
};
log { source(s_windows);
filter(windows);
destination(d_windows);
flags(final);
};
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Matthew Hall
Sent: Monday, October 25, 2010 7:48 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Having hostname and sender's IP address in header
On Mon, Oct 25, 2010 at 07:31:00PM -0400, Worsham, Michael wrote:
> How do I satisfy each requirement:
> 1) Allow the incoming data stream to be saved in a format based on the
> incoming sender's hostname for the directory structure (ex:
> "/var/log/syslog/general/$HOST/$FULLHOST-$MONTH.$DAY.$YEAR.log")?
> 2) Allow the IP address of the sender to be seen in the actual data
> file once saved to the DCS server (ex: "Oct 25 18:51:12 10.153.13.70
> <syslog.err>...")?
> 3) Is there an option to have the incoming sender's data saved with
> both the hostname and IP address in the same header format (ex: "Oct
> 25 18:51:12 CH33Test-WebCO 10.153.13.70 <syslog.err>...")?
I think your best bet would be something like setting it up to receive
the messages on the port the servers are logging onto using a log source
which has flags(final).
Then you will send the messages back to yourself. Using TCP, UDP, UNIX,
or pipe would work for this part.
To do this you will configure a destination, which is used to relay the
messages as they come in from the servers, and a source which is used to
allow syslog-ng another chance to process the messages.
1) one socket which is set with flags to use DNS for local storage
2) one socket which is set with flags to use IPs for Tripwire
That way you could apply different properties to each socket.
You will probably need to experiment with the template used for relaying
the messages from yourself to yourself to be sure nothing weird gets
added when they are reforwarded back to you. For this part, using a UDP
127.0.0.1 socket might be helpful at first because you can spy on the
traffic using wireshark / tshark / tcpdump along with "udp port XXXX"
filter to be sure everything looks like it should.
> -- Michael
HTH,
Matthew Hall.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
CONFIDENTIALITY NOTICE: This email and any attachments are intended solely for the use of the named recipient(s). This email may contain confidential and/or proprietary information of Scientific Research Corporation. If you are not a named recipient, you are prohibited from reviewing, copying, using, disclosing or distributing to others the information in this email and attachments. If you believe you have received this email in error, please notify the sender immediately and permanently delete the email, any attachments, and all copies thereof from any drives or storage media and destroy any printouts of the email or attachments.
EXPORT COMPLIANCE NOTICE: This email and any attachments may contain technical data subject to U.S export restrictions under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Export or transfer of this technical data and/or related information to any foreign person(s) or entity(ies), either within the U.S. or outside of the U.S., may require advance export authorization by the appropriate U.S. Government agency prior to export or transfer. In addition, technical data may not be exported or transferred to certain countries or specified designated nationals identified by U.S. embargo controls without prior export authorization. By accepting this email and any attachments, all recipients confirm that they understand and will comply with all applicable ITAR, EAR and embargo compliance requirements.
More information about the syslog-ng
mailing list