[syslog-ng] Can't get basic syslog to work for my firewall logs?

Jim Hendrick james.r.hendrick at gmail.com
Fri Feb 24 15:41:35 UTC 2017


Perfect - you know the packets are getting there - so that's done.

Now take a look at what creates the logging - as a test, try taking out the
filter.

It is a bit confusing, but HOST, HOST_FROM and FULLHOST_FROM are very
different (you can read the details here)
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-macros.html

You might find that HOST_FROM works better if the logs come directly from
the FWs to the syslog server.

But if you take out the filter and it creates the files - you will know
where to work.

Best,
Jim


On Fri, Feb 24, 2017 at 10:06 AM, Tim Tyler <tyler at beloit.edu> wrote:

> Syslog-ng experts.
>
>   I am very new to syslog-ng. I installed syslog-ng on a fresh Redhat 7.3
> server. It works by default with internal logging. So I configured my
> firewall to send syslog with facility set to log_user. I turned on
> Wireshark on the syslog-ng server and observed the firewall sending traffic
> to the server on udp 514.
>
> But the syslog server never created the directory structure and logs. I
> disabled the redhat firewall just to eliminate it as a possibility. Still
> no logging. So I don’t know what I am doing wrong at this point. I don’t
> know if this is a permission problem or some other configuration issue. I
> found someone that had posted a very basic syslog-ng configuration for
> firewalls. So I copied it into a firewall.conf I put in conf.d. Can
> anyone see what might be wrong with it?
>
> ####################
> options {
>         create_dirs(yes);
>         owner(root);
>         group(root);
>         perm(0640);
>         dir_owner(root);
>         dir_group(root);
>         dir_perm(0750);
> };
>
> ##################################################
> source s_udp {
>         udp(port(514));
> };
>
> #Template for a new firewall in the firewalls.conf file
> #Entries to be changed: NAMEOFTHEFIREWALL and IPOFTHEFIREWALL
>
> ##################################################
> filter f_NAMEOFTHEFIREWALL {
>         host("192.168.30.1");
> };
>
> destination d_NAMEOFTHEFIREWALL {
>         file("/var/log/firewalls/PA/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.PA.log");
> };
>
> log {
>         source(s_udp);
>         filter(f_NAMEOFTHEFIREWALL);
>         destination(d_NAMEOFTHEFIREWALL);
> };
>
> Tim Tyler
> Network Engineer
> Beloit College
>
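As an added illustration, not from the thread or from syslog-ng itself: a small Python model of the documented $HOST / $HOST_FROM semantics, showing why a host() filter written as an IP literal can match nothing under the default keep_hostname(no) and use_dns(yes) settings, while a netmask() filter, keyed on the sender address, still does. The sample datagram, the reverse-DNS name pa-fw.example.edu and the receive/route_check helpers are constructed for the example; netmask() is a real syslog-ng filter but is not mentioned in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed reverse-DNS table standing in for what use_dns(yes) would look up.
REVERSE_DNS = {"192.168.30.1": "pa-fw.example.edu"}

# Constructed sample: facility 1 (user) / severity 6 (info), so PRI = 8*1 + 6 = 14.
SAMPLE = "<14>Feb 24 10:06:00 PA-FW 1,2017/02/24 10:06:00,001234,TRAFFIC,end,..."

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$")

@dataclass
class LogMessage:
    host: str       # $HOST      - what filter { host("..."); } is matched against
    host_from: str  # $HOST_FROM - the last hop, as syslog-ng resolves it
    source_ip: str  # $SOURCEIP  - the last hop's raw address
    facility: int
    severity: int
    message: str

def receive(raw, sender_ip, keep_hostname=False, use_dns=True):
    """What syslog-ng stores for a datagram from sender_ip (defaults mirror
    syslog-ng's own: keep_hostname(no), use_dns(yes))."""
    m = _RFC3164.match(raw)
    if m is None:
        raise ValueError("not an RFC 3164 message: %r" % raw)
    pri = int(m.group("pri"))
    # HOST_FROM always comes from the transport sender; DNS only changes its spelling.
    last_hop = REVERSE_DNS.get(sender_ip, sender_ip) if use_dns else sender_ip
    # keep_hostname(no) rewrites HOST to the last hop as well; keep_hostname(yes)
    # keeps whatever the sender wrote in the header, so HOST is then sender-controlled.
    host = m.group("host") if keep_hostname else last_hop
    return LogMessage(host, last_hop, sender_ip, pri >> 3, pri & 7, m.group("msg"))

def host_filter(msg, pattern):
    """filter { host("pattern"); }: an unanchored regex match against $HOST, so an
    unescaped '.' in an IP literal is a wildcard and a reverse-DNS name never matches."""
    return re.search(pattern, msg.host) is not None

def netmask_filter(msg, cidr):
    """filter { netmask("cidr"); }: keyed on the sender address, independent of $HOST."""
    return ipaddress.ip_address(msg.source_ip) in ipaddress.ip_network(cidr, strict=False)

def route_check(sender_ip, keep_hostname=False, use_dns=True):
    """($HOST, host() verdict, netmask() verdict) for the sample message from sender_ip."""
    msg = receive(SAMPLE, sender_ip, keep_hostname, use_dns)
    return msg.host, host_filter(msg, "192.168.30.1"), netmask_filter(msg, "192.168.30.1/32")
```

With the defaults route_check("192.168.30.1") yields ("pa-fw.example.edu", False, True): the datagram arrives, the log path is valid, and nothing is written, which is exactly the silent no-match that removing the filter as a test would expose.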