[syslog-ng] Can't get basic syslog to work for my firewall logs?
Scheidler, Balázs
balazs.scheidler at balabit.com
Fri Feb 24 20:56:04 UTC 2017
The host filter matches the value in the log message itself.
If you want a network match you would need to use the netmask() filter that
really matches the sender IP with a CIDR.
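As an added illustration of that distinction (not part of Balázs's reply or of the thread's own configuration), here is the thread's setup rewritten with both kinds of match; the hostname is the one visible in Tim's debug output, and the 192.168.30.0/24 range is an assumed placeholder for the firewall's network:

```conf
@version: 3.5

options {
    create_dirs(yes);
    keep_hostname(yes);   # keep the HOSTNAME field exactly as the device sent it
    use_dns(no);          # never resolve the sender address on the hot path
};

source s_udp { udp(port(514)); };

# host() is a regex applied to the HOSTNAME field inside the message.
# That field is whatever the sending device wrote, so an address here
# only matches if the device literally writes its address into that field.
filter f_pa_by_name { host("^PA-3020.its.beloit.edu$"); };

# netmask() is evaluated against the UDP sender address of the packet,
# so this is the way to select a device by IP range (assumed range).
filter f_pa_by_addr { netmask("192.168.30.0/24"); };

destination d_pa {
    file("/var/log/firewalls/PA/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.PA.log");
};

# Two filter() statements in one log path are ANDed: a message must come
# from the expected network AND carry the expected hostname to be written,
# so a forged HOSTNAME field alone does not land in the firewall log.
log {
    source(s_udp);
    filter(f_pa_by_addr);
    filter(f_pa_by_name);
    destination(d_pa);
};
```

With keep_hostname(no) and use_dns(no), as Péter suggests below, the HOSTNAME field would instead be replaced by the sender's address, which is the other way to get an address into the log.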
On Feb 24, 2017 8:47 PM, "Tim Tyler" <tyler at beloit.edu> wrote:
> Thanks everyone. I got it to work leveraging the hostname from the column
> in the log file and setting keep_hostname(yes). I had originally wanted
> to use the ip address, but for some reason, I could never get a match for
> it. The ip address would have to be matched within the packet and not the
> log itself. But every permutation I tried failed to get an ip match. But
> it really doesn’t matter to me because the hostname (which is not DNS’d)
> works fine.
>
> Little tricky to me, but thank you all for your help.
>
> Tim
>
> *From:* syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] *On Behalf
> Of *Czanik, Péter
> *Sent:* Friday, February 24, 2017 11:26 AM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Can't get basic syslog to work for my firewall
> logs?
>
> Hi,
>
> The name of the firewall seems to be "PA-3020.its.beloit.edu" in your
> log: https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.9-guides/en/syslog-ng-ose-v3.9-guide-admin/html-single/index.html#filter-host
> If you want an IP address, use keep-hostname(no) and use-dns(no) options.
>
> Bye,
>
>
> Peter Czanik (CzP) <peter.czanik at balabit.com>
> Balabit / syslog-ng upstream
> https://www.balabit.com/blog/author/peterczanik/
> https://twitter.com/PCzanik
>
> On Fri, Feb 24, 2017 at 6:03 PM, Tim Tyler <tyler at beloit.edu> wrote:
>
> Damien,
>
> Ok, I fired it up in the foreground and I got the following results
> below. I am noticing filter rule “not match” for f_NAMEOFTHEFIREWALL. I
> guess I am misunderstanding this line. I had set this to the ip address
> of the firewall. I believe that variable is using a host ip assignment.
> But I am guessing I might need to change NAMEOFTHEFIREWALL. Do I need to
> change NAMEOFTHEFIREWALL to the actual fqdn name?
>
> -tim
>
> syslog-ng starting up; version='3.5.6'
>
> Incoming log entry; line='<14>Feb 24 10:36:41 PA-3020.its.beloit.edu
> 1,2017/02/24 10:36:41,001801001111,CONFIG,0,0,2017/02/24
> 10:36:41,144.89.x.x,,edit,admin,Web,Succeeded, vsys vsys1 rulebase
> security rules admissions.beloit.edu,867,0x0'
>
> Filter rule evaluation begins; rule='f_NAMEOFTHEFIREWALL',
> location='/etc/syslog-ng/conf.d/firewalls.conf:22:29'
>
> Filter node evaluation result; result='not-match'
>
> Filter rule evaluation result; result='not-match',
> rule='f_NAMEOFTHEFIREWALL', location='/etc/syslog-ng/conf.d/firewalls.conf:22:29'
>
> Incoming log entry; line='<14>Feb 24 10:36:54 PA-3020.its.beloit.edu
> 1,2017/02/24 10:36:54,001801001111,CONFIG,0,0,2017/02/24
> 10:36:54,144.89.41.210,,commit,admin,Web,Submitted,,868,0x0'
>
> Filter rule evaluation begins; rule='f_NAMEOFTHEFIREWALL',
> location='/etc/syslog-ng/conf.d/firewalls.conf:22:29'
>
> Filter node evaluation result; result='not-match'
>
> Filter rule evaluation result; result='not-match',
> rule='f_NAMEOFTHEFIREWALL', location='/etc/syslog-ng/conf.d/firewalls.conf:22:29'
>
> Tim
>
> *From:* syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] *On Behalf
> Of *Damian Bell
> *Sent:* Friday, February 24, 2017 9:36 AM
> *To:* syslog-ng at lists.balabit.hu
> *Subject:* Re: [syslog-ng] Can't get basic syslog to work for my firewall
> logs?
>
> Have you disabled any other syslog servers that might be listening on UDP
> 514? Rsyslog, etc? (ps aux | grep syslog) Try (temporarily) disabling
> SELINUX and keep firewall turned off. See if you can start syslog-ng in the
> foreground and see what you get (syslog-ng -Fed)
>
> *Damian* *Bell*
> Infrastructure Engineer | Support | H Clarkson & Co Ltd
>
>
> Email: Damian.Bell at clarksons.com
>
> *From:* syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu
> <syslog-ng-bounces at lists.balabit.hu>] *On Behalf Of *Tim Tyler
> *Sent:* 24 February 2017 15:07
> *To:* syslog-ng at lists.balabit.hu
> *Subject:* [syslog-ng] Can't get basic syslog to work for my firewall
> logs?
>
> Syslog-ng experts.
>
> I am very new to syslog-ng. I installed syslog-ng on a fresh Redhat 7.3
> server. It defaults working with internal logging. So I configured my
> firewall to send syslog with facility set to log_user. I turned on
> Wireshark on the syslog-ng server and observed the firewall sending traffic
> to the server on udp 514.
>
> But the syslog server never created the directory structure and logs. I
> disabled the redhat firewall just to eliminate it as a possibility. Still
> no logging. So I don’t know what I am doing wrong at this point. I don’t
> know if this is a permission problem or some other configuration issue. I
> found someone that had posted a very basic syslog-ng configuration for
> firewalls. So I copied it into a firewall.conf I put in conf.d. Can
> anyone see what might be wrong with it?
>
> ####################
> options {
>     create_dirs(yes);
>     owner(root);
>     group(root);
>     perm(0640);
>     dir_owner(root);
>     dir_group(root);
>     dir_perm(0750);
> };
>
> ##################################################
> source s_udp {
>     udp(port(514));
> };
>
> #Template for a new firewall in the firewalls.conf file
> #Entries to be changed: NAMEOFTHEFIREWALL and IPOFTHEFIREWALL
>
> ##################################################
> filter f_NAMEOFTHEFIREWALL {
>     host("192.168.30.1");
> };
>
> destination d_NAMEOFTHEFIREWALL {
>     file("/var/log/firewalls/PA/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.PA.log");
> };
>
> log {
>     source(s_udp);
>     filter(f_NAMEOFTHEFIREWALL);
>     destination(d_NAMEOFTHEFIREWALL);
> };
>
> Tim Tyler
>
> Network Engineer
>
> Beloit College
>
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>