[syslog-ng] Help settings regarding Syslog NG

jrhendri at roadrunner.com jrhendri at roadrunner.com
Mon Sep 15 16:33:32 CEST 2014


Umm... OK - but that is WAYYY too broad a question for any specific recommendations.

That said:
- log EVERYTHING from the security devices and send it to syslog-ng over the network
  (shun vendors who claim you should use their own log reporting tool or otherwise resist using syslog protocol over the network in real-time)

- For further processing of the logs make syslog-ng forward copies of whatever you deem important on to the destination (like a SIEM or log search tool)

- use UDP wherever possible (although TCP is a "reliable" protocol, I have personally seen many implementations of vendor products that do not correctly close TCP connections, resulting in syslog-ng running out of open connections). UDP over relatively short distances and hopefully stable networks is absolutely fine.

- use filters on the syslog-ng end to control what you log (rather than requiring changes on every endpoint device)
  An example of that from unix / linux would be to have the linux system send all facilities and all priorities
  (e.g. *.debug) to syslog-ng and have syslog-ng use a filter to only keep the messages you want

- I like to store messages by the IP address of the sending server (using $HOST_FROM instead of $HOST) since it does not rely on parsing sometimes very broken syslog formatted messages to obtain the HOST name.

- I also use macros to rotate logs by date, making compressing or deleting older logs pretty straightforward, e.g.:

  destination d_separatedbyhosts {
      file("/data/syslog-ng/$YEAR/$MONTH/$DAY/$HOST_FROM/$HOST_FROM.$FACILITY.$PRIORITY.$YEAR.$MONTH.$DAY");
  };


Hope this helps!
Jim
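Jim's points above pulled together into one syslog-ng configuration. This is an added example for this thread, not a config Jim posted and not sample code from the syslog-ng project. Everything beyond the d_separatedbyhosts destination is an assumption: the @version line, UDP on port 514, the filter thresholds (warnings and above kept locally, errors and above forwarded), the file permissions, and the SIEM hostname, which is a placeholder.

```conf
# Added example: a syslog-ng.conf following the advice in this thread.
# Assumed: syslog-ng 3.5 syntax; adjust the @version line to your release.
@version: 3.5

options {
    # Keep $HOST_FROM as the sender's IP address rather than resolving it,
    # so the storage path never depends on DNS or on the message's own HOST field.
    use_dns(no);
    keep_hostname(yes);
    # Let the date macros in the file path create the directory tree as days roll over.
    create_dirs(yes);
    dir_perm(0750);
    perm(0640);
};

# Receive everything the security devices send, over UDP, in real time.
# Assumed port 514; restrict reachability of this port to the log-sending network at the firewall.
source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Filter on the syslog-ng side (devices send *.debug, we decide what to keep).
# Assumed thresholds: keep warnings and above, plus all authentication messages.
filter f_keep {
    level(warning..emerg) or facility(auth, authpriv);
};

# Assumed threshold for the copy forwarded on to the SIEM: errors and above.
filter f_forward {
    level(err..emerg);
};

# Store by sending IP and by date; one file per host/facility/priority/day,
# so compressing or deleting old days is a matter of picking a directory.
destination d_separatedbyhosts {
    file("/data/syslog-ng/$YEAR/$MONTH/$DAY/$HOST_FROM/$HOST_FROM.$FACILITY.$PRIORITY.$YEAR.$MONTH.$DAY");
};

# Forward a copy of what matters to the SIEM. "siem.example.invalid" is a placeholder hostname.
destination d_siem {
    network("siem.example.invalid" port(514) transport("tcp"));
};

# Local archive: everything that passes f_keep.
log {
    source(s_net);
    filter(f_keep);
    destination(d_separatedbyhosts);
};

# SIEM copy: the same source, a narrower filter, a second destination.
log {
    source(s_net);
    filter(f_forward);
    destination(d_siem);
};
```

Check the file before loading it with `syslog-ng --syntax-only -f /path/to/syslog-ng.conf`. Because the path is built from $HOST_FROM with use_dns(no), a message whose HOST field is malformed or forged still lands under the IP address it actually arrived from, which is the property Jim is relying on; the date macros mean yesterday's directory is closed once the day rolls over, so a scheduled job can compress or remove whole day directories without touching files that are still being written.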




---- Simon OBOUNOU <simon.obounou at hifa.biz> wrote:
> Hi
>
> I need help regarding settings between syslog-ng server and security
> solutions like checkpoint firewall, stormshield IDS and so on.



-- 
Bien cordialement, Kind Regards
HIFA, Chairman

32 rue de la République 92190 MEUDON - FRANCE
Phone: +33 1 46 31 44 25
Mobile: +33 6 11 30 36 57
email: simon.obounou at hifa.biz