[syslog-ng] Can't get basic syslog to work for my firewall logs?

Tim Tyler tyler at beloit.edu
Fri Feb 24 19:47:34 UTC 2017


Thanks everyone.  I got it to work leveraging the hostname from the column
in the log file and setting keep_hostname(yes).   I had originally wanted
to use the ip address, but for some reason, I could never get a match for
it.  The ip address would have to be matched within the packet and not the
log itself.  But every permutation I tried failed to get an ip match.  But
it really doesn’t matter to me because the hostname (which is not DNS’d)
works fine.

  A little tricky to me, but thank you all for your help.

Tim



From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Czanik, Péter
Sent: Friday, February 24, 2017 11:26 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Can't get basic syslog to work for my firewall logs?



Hi,

The name of the firewall seems to be "PA-3020.its.beloit.edu" in your log:
https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.9-guides/en/syslog-ng-ose-v3.9-guide-admin/html-single/index.html#filter-host
If you want an IP address, use the keep-hostname(no) and use-dns(no) options.

Bye,


Peter Czanik (CzP) <peter.czanik at balabit.com>
Balabit / syslog-ng upstream
https://www.balabit.com/blog/author/peterczanik/
https://twitter.com/PCzanik
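
To make Péter's point concrete, here is an added Python model (not syslog-ng's own code) of how syslog-ng fills the $HOST macro from a UDP message under keep-hostname() and use-dns(), run over the first log line from Tim's `-Fed` output; the peer address 192.168.30.1 and the reverse-DNS resolver are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first line from the `syslog-ng -Fed` output in this
# thread, plus an assumed UDP source address for the datagram (IPOFTHEFIREWALL).
SAMPLE_LINE = ("<14>Feb 24 10:36:41 PA-3020.its.beloit.edu "
               "1,2017/02/24 10:36:41,001801001111,CONFIG,0,0,2017/02/24 "
               "10:36:41,144.89.x.x,,edit,admin,Web,Succeeded, vsys  vsys1 "
               "rulebase security rules  admissions.beloit.edu,867,0x0")
SAMPLE_PEER_IP = "192.168.30.1"

# BSD-syslog (RFC 3164) header: <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)

@dataclass
class ParsedMessage:
    facility: int
    severity: int
    timestamp: str
    host: str       # what the $HOST macro holds; host() filters test this
    message: str

def parse_syslog(line, peer_ip, keep_hostname=False, use_dns=True, resolver=None):
    """Model of syslog-ng's HOST handling (defaults: keep-hostname(no), use-dns(yes)).

    keep-hostname(yes): $HOST is the hostname field carried inside the message.
    keep-hostname(no):  $HOST comes from the sending peer: its reverse-DNS name
                        when use-dns(yes) resolves it, otherwise its IP address.
    `resolver` stands in for the reverse lookup and is an assumption here.
    """
    m = BSD_HEADER.match(line)
    if not m:
        raise ValueError("not a BSD syslog message")
    pri = int(m.group("pri"))
    if keep_hostname:
        host = m.group("host")
    else:
        host = peer_ip
        if use_dns and resolver is not None:
            host = resolver(peer_ip) or peer_ip
    return ParsedMessage(pri // 8, pri % 8, m.group("ts"), host, m.group("msg"))

def host_filter(pattern, msg):
    """syslog-ng host("..."): a regular-expression match against $HOST
    (the dots in an IP literal are regex wildcards unless escaped)."""
    return re.search(pattern, msg.host) is not None
```

In config terms the by-IP variant is `options { keep-hostname(no); use-dns(no); };`, while Tim's final setup keeps `keep-hostname(yes)` and matches the name the firewall writes into the log line.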



On Fri, Feb 24, 2017 at 6:03 PM, Tim Tyler <tyler at beloit.edu> wrote:

Damien,

Ok, I fired it up in the foreground and I got the following results below.
I am noticing filter rule “not match” for f_NAMEOFTHEFIREWALL.   I guess I
am misunderstanding this line.   I had set this to the ip address of the
firewall.  I believe that variable is using a host ip assignment.  But I am
guessing I might need to change NAMEOFTHEFIREWALL.  Do I need to change
NAMEOFTHEFIREWALL to the actual fqdn name?

 -tim





syslog-ng starting up; version='3.5.6'
Incoming log entry; line='<14>Feb 24 10:36:41 PA-3020.its.beloit.edu 1,2017/02/24 10:36:41,001801001111,CONFIG,0,0,2017/02/24 10:36:41,144.89.x.x,,edit,admin,Web,Succeeded, vsys  vsys1 rulebase security rules  admissions.beloit.edu,867,0x0'
Filter rule evaluation begins; rule='f_NAMEOFTHEFIREWALL', location='/etc/syslog-ng/conf.d/firewalls.conf:22:29'
Filter node evaluation result; result='not-match'
Filter rule evaluation result; result='not-match', rule='f_NAMEOFTHEFIREWALL', location='/etc/syslog-ng/conf.d/firewalls.conf:22:29'
Incoming log entry; line='<14>Feb 24 10:36:54 PA-3020.its.beloit.edu 1,2017/02/24 10:36:54,001801001111,CONFIG,0,0,2017/02/24 10:36:54,144.89.41.210,,commit,admin,Web,Submitted,,868,0x0'
Filter rule evaluation begins; rule='f_NAMEOFTHEFIREWALL', location='/etc/syslog-ng/conf.d/firewalls.conf:22:29'
Filter node evaluation result; result='not-match'
Filter rule evaluation result; result='not-match', rule='f_NAMEOFTHEFIREWALL', location='/etc/syslog-ng/conf.d/firewalls.conf:22:29'



Tim



From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Damian Bell
Sent: Friday, February 24, 2017 9:36 AM
To: syslog-ng at lists.balabit.hu
Subject: Re: [syslog-ng] Can't get basic syslog to work for my firewall logs?





Have you disabled any other syslog servers that might be listening on UDP
514? Rsyslog, etc? (ps aux | grep syslog) Try (temporarily) disabling
SELINUX and keep firewall turned off. See if you can start syslog-ng in the
foreground and see what you get (syslog-ng -Fed)







Damian Bell
Infrastructure Engineer | Support | H Clarkson & Co Ltd


Email: Damian.Bell at clarksons.com



From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Tim Tyler
Sent: 24 February 2017 15:07
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] Can't get basic syslog to work for my firewall logs?



Syslog-ng experts.

  I am very new to syslog-ng.  I installed syslog-ng on a fresh Redhat 7.3
server.   It defaults working with internal logging.  So I configured my
firewall to send syslog with facility set to log_user.  I turned on
Wireshark on the syslog-ng server and observed the firewall sending traffic
to the server on udp 514.



But the syslog server never created the directory structure and logs.  I
disabled the redhat firewall just to eliminate it as a possibility.  Still
no logging.  So I don’t know what I am doing wrong at this point. I don’t
know if this is a permission problem or some other configuration issue.  I
found someone that had posted a very basic syslog-ng configuration for
firewalls.  So I copied it into a firewall.conf I put in conf.d.  Can
anyone see what might be wrong with it?



####################
options {
        create_dirs(yes);
        owner(root);
        group(root);
        perm(0640);
        dir_owner(root);
        dir_group(root);
        dir_perm(0750);
};

##################################################
source s_udp {
        udp(port(514));
};

#Template for a new firewall in the firewalls.conf file
#Entries to be changed: NAMEOFTHEFIREWALL and IPOFTHEFIREWALL

##################################################
filter f_NAMEOFTHEFIREWALL {
        # host() is matched against the $HOST macro of the parsed message,
        # not against the UDP source address of the datagram
        host("192.168.30.1");
};

destination d_NAMEOFTHEFIREWALL {
        file("/var/log/firewalls/PA/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.PA.log");
};

log {
        source(s_udp);
        filter(f_NAMEOFTHEFIREWALL);
        destination(d_NAMEOFTHEFIREWALL);
};





Tim Tyler

Network Engineer

Beloit College



