[syslog-ng] Simple config question

Miguel Alvarez miguellvrz9 at gmail.com
Thu Nov 3 16:59:22 CET 2011


On Thu, Nov 3, 2011 at 9:27 AM, Gergely Nagy <algernon at balabit.hu> wrote:
> Miguel Alvarez <miguellvrz9 at gmail.com> writes:
>
>> After being less than impressed with the stability of rsyslog, I just
>> discovered syslog-ng and it looks really impressive but a bit
>> overwhelming!
>>
>> I have a simple configuration with my existing rsyslog set up where
>> it's performing normal system syslog responsibilities but also tagging
>> other log files and then forwarding them to a centralized log server.
>> The examples I've seen for syslog-ng are making my head swim so I was
>> hoping someone would be able to point me in the right direction on how
>> to do the same with syslog-ng.
>
> I don't quite understand the "tagging other log files" part, I'm afraid
> (but my rsyslog knowledge is... *ahem* lacking). Could you perhaps share
> the rsyslog config with us?
>
> We could then see about how to convert it to a similar syslog-ng.conf.
>
> (By the way, an rsyslog.conf->syslog-ng.conf converter has been
> requested before, and one of these days, I might get around to writing it,
> especially if there's bigger interest in such a tool.)

Thank you for the quick reply, Gergely!

Sorry, I should have elaborated on the tagging other files part.

I have a system that runs Snort as well as Bro.  Snort writes its
alert file to /var/log/snort/alert.  Bro writes to a few files such
as /var/log/bro/conn.log and /var/log/bro/http.log.  Right now, I
have rsyslog tagging each with a description of the given alert file
so they can be filtered on the remote log server side: "[SNORT]" for
Snort, "[BRO-CONN]" and "[BRO-HTTP]" for Bro's conn.log and http.log
respectively.  Here are the rsyslog configuration sections for those
three logs:

# imfile must be loaded once, before any $InputFile* directive (assumed to
# be near the top of the attached rsyslog.conf; shown here so the snippet
# stands on its own)
$ModLoad imfile

$InputFileName /var/log/snort/alert
$InputFileTag [SNORT]
$InputFileStateFile snortalertstate
$InputFilePollInterval 5
$InputFileFacility local7
$InputFileSeverity info
$InputRunFileMonitor

$InputFileName /var/log/bro/conn.log
$InputFileTag [BRO-CONN]
$InputFileStateFile bro-conn
$InputFilePollInterval 5
$InputFileFacility local7
# "local" is not a valid severity; "info" matches the other two blocks
$InputFileSeverity info
$InputRunFileMonitor

$InputFileName /var/log/bro/http.log
$InputFileTag [BRO-HTTP]
$InputFileStateFile bro-http
$InputFilePollInterval 5
$InputFileFacility local7
$InputFileSeverity info
$InputRunFileMonitor

I've attached the entire rsyslog.conf to this email but the
"$InputFileStateFile" file is like barnyard's waldo file where it
keeps track of where it is in the logs so it doesn't resend the
already sent log messages.

I think an rsyslog.conf -> syslog-ng.conf tool would be hugely helpful!
Especially since some Linux distros like Ubuntu, I think, are shipping
with rsyslog as the default log server now, and if the only real
barrier to migrating to syslog-ng is eased to the point where it's a
non-issue, you'd likely have a lot more adoptees!  Just my $0.02
anyway :-)

Thank you again for the help!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rsyslog.conf
Type: application/octet-stream
Size: 2310 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20111103/12172cd3/attachment.obj 
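For the question Miguel asks (the same file tagging and forwarding done in syslog-ng), here is an added example of a syslog-ng.conf equivalent; it is not from the thread or the syslog-ng project, uses 3.2-era syntax, and the central server hostname and port are placeholders.

```conf
@version: 3.2

# Central log server: hostname and port are placeholders, not from the thread.
# No custom template, so the wire format is "<PRI>DATE HOST PROGRAM: MSG" and
# the receiving side can filter with program("SNORT") etc.
destination d_central {
    tcp("logserver.example.com" port(514));
};

# One file() source per monitored file, mirroring each rsyslog imfile block.
# syslog-ng stores the read offset in its persist file automatically, which
# plays the role of $InputFileStateFile, so lines are not resent on restart.
source s_snort {
    file("/var/log/snort/alert"
         follow_freq(5)                 # $InputFilePollInterval 5
         flags(no-parse)                # keep the raw line as ${MESSAGE}
         program_override("SNORT")      # $InputFileTag [SNORT]
         default_facility(local7)       # $InputFileFacility local7
         default_priority(info));       # $InputFileSeverity info
};

source s_bro_conn {
    file("/var/log/bro/conn.log"
         follow_freq(5) flags(no-parse)
         program_override("BRO-CONN")
         default_facility(local7) default_priority(info));
};

source s_bro_http {
    file("/var/log/bro/http.log"
         follow_freq(5) flags(no-parse)
         program_override("BRO-HTTP")
         default_facility(local7) default_priority(info));
};

# Forward all three to the central server.
log {
    source(s_snort); source(s_bro_conn); source(s_bro_http);
    destination(d_central);
};
```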