[syslog-ng] log server duplication

Pal, Laszlo vlad at vlad.hu
Thu Nov 14 14:15:15 UTC 2019


In the path, try using something like this:

"/var/log/netlog/app/${HOST}/${PROGRAM}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"

On Wed, Nov 13, 2019 at 7:36 PM <freebsd at tango.lu> wrote:

> Hello,
>
> I have a syslogNG based siem setup with customized rules like:
>
> options {
>          use_dns(no);
>          use_fqdn(no);
>          check_hostname(no);
>          owner(root);
>          group(root);
>          perm(0640);
>          dir_owner(root);
>          dir_group(root);
>          dir_perm(0750);
>          create_dirs(yes);
>          normalize_hostnames(yes);
>          keep_hostname(yes);
>          # disable stats
>          stats_freq(0);
> };
>
>
>
> destination d_net_auth {
>          file("/var/log/corporate/$HOST_FROM/auth.log");
> };
> ...
>
> These settings will not do DNS resolution, with the result that when hosts
> send their logs to this SIEM, the directories where the logs go are created
> by the hosts' IP addresses.
>
> I would like to replicate this server in a second location without using
> brute methods like rsyncing the whole directory structure daily. I have
> configured syslog-ng to keep forwarding the logs to a remote destination,
> which works fine; however, I can't select the messages based on the same
> criteria on the new log server, because if I use the same config
> everything will originate from the IP of logserver 1. I need IP-based
> directories on the second loghost as well, everything to be identical.
>
> I'm using syslogng 3.12.
>
> Is there a workaround for this?
>
> Thanks
>
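The reason the reply's path works is that `${HOST}` travels inside the message header (and `keep_hostname(yes)` stops syslog-ng from overwriting it on arrival), whereas `${HOST_FROM}` is always the last hop, i.e. logserver 1 on the replica. To keep the IP-named directory layout identical on both servers, logserver 1 can copy `${HOST_FROM}` into the HOST field before forwarding. The following is an added example, not configuration from the thread; the hostname `logserver2.example.com` and port 601 are assumptions, and the `options {}` block from the question is assumed to be present on both hosts.

```conf
# --- logserver 1: keep the local layout, forward a copy to logserver 2 ---
source s_clients {
    network(ip("0.0.0.0") port(514) transport("udp"));
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# ${HOST_FROM} is the address of the peer that delivered the message.
# On logserver 2 that would always be logserver 1, so before forwarding we
# copy it into HOST, which is carried in the message header. This keeps the
# original client IP even when the client put its own hostname in the header.
rewrite r_host_from_ip {
    set("${HOST_FROM}", value("HOST"));
};

destination d_local {
    file("/var/log/corporate/${HOST_FROM}/auth.log");
};

# Assumed replica address and port (example values).
destination d_forward {
    network("logserver2.example.com" port(601) transport("tcp"));
};

log { source(s_clients); destination(d_local); };
log { source(s_clients); rewrite(r_host_from_ip); destination(d_forward); };

# --- logserver 2: same directory layout, keyed on ${HOST} instead ---
# keep_hostname(yes) in options {} is what prevents syslog-ng from replacing
# the HOST field with logserver 1's address when the relayed message arrives.
source s_relay {
    network(ip("0.0.0.0") port(601) transport("tcp"));
};

destination d_replica {
    file("/var/log/corporate/${HOST}/auth.log");
};

log { source(s_relay); destination(d_replica); };
```

Because the rewrite runs only in the forwarding log path, the local `d_local` files on logserver 1 are unchanged; any filters used to select messages on logserver 1 can be reused unchanged on logserver 2 as long as they match on `${HOST}` rather than `${HOST_FROM}`.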

