[syslog-ng] Polling additional machines

Balazs Scheidler bazsi77 at gmail.com
Sat Jan 23 10:20:48 UTC 2021


Hi,

syslog-ng can deliver messages to another host easily, using the generic
network() or the more specific udp()/tcp() drivers. The fw can consume them
with similar source drivers. syslog-ng supports various protocols and
formats for this transport (namely the newer RFC5424 or the legacy BSD
format RFC3164).

This is a very simple config on the clients to send off the messages to fw:

```
@version: 3.30
log {
    source { system(); };
    destination { network("fw.lan" transport(tcp)); };
};
```

On the server (fw):
```
@version: 3.30
log {
    source { network(transport(tcp)); };
    destination { file("/var/log/network-messages"); };
};
```

The examples above use the "inline" syntax, where the drivers are specified
right within the log statement that processes their message flow. You can
also declare a source and then reference it in a log statement.
```
@version: 3.30

source s_local {
    system();
};

log {
    source(s_local);
    destination { network("fw.lan" transport(tcp)); };
};
```

See the curly vs. simple brackets around the source reference; that's what
indicates whether you want to use in-line statements. The separate declaration
of a source allows it to be used from multiple log statements, whereas the
inline form would only allow it to be used in a single log statement.

The network() driver would use RFC3164 format on plain TCP, but you can
customize this (the syslog() driver would use RFC5424, and the transport()
option for either of these specifies which transport protocol is used:
simple UDP, TCP or TLS).

That should get you started. If you try to google for syslog-ng, I am sure
you would find tutorials. Some books even include chapters on its
configuration format. And there's the official documentation on
syslog-ng.com.

Hope this helps,
Bazsi

On Sat, Jan 23, 2021 at 7:16 AM Dan Egli <dan at newideatest.site> wrote:

> I have an interesting setup that was proposed to me, and while I _THINK_
> syslog-ng can handle it I don't know for sure, let alone HOW.
>
> There are multiple service-specific machines in the network, behind the
> firewall. I'll just use the services they provide as their hostnames in
> this example. So firewall fw is a small linux machine running syslog-ng
> and fail2ban. Now fail2ban works off of the log files, but it also wants
> to apply changes to the firewall rules locally. So either www has its
> firewall rules while smtp has its rules and imap has a third set (ugly)
> or fail2ban can run on fw and modify the rules there. Trick is, in order
> to do that, all the logs have to be accessible in real time so that
> fail2ban can see them. My thought was to have syslog-ng on each sub
> machine somehow report to the syslog-ng on fw. Then fw's syslog-ng can
> write the files that fail2ban wants to read from.
>
> What would be the best way to go about this? I am still learning
> syslog-ng so if this is something simple, I'm sorry.
>

-- 
Bazsi
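As an added example (not part of the original message), the same client/server pair using declared sources and the transport(tls) option mentioned above, so that log traffic crossing the network to fw is encrypted and mutually authenticated. The certificate paths, the port 6514 and the per-host file layout under /var/log/remote are assumptions; the two files are shown in one block but live on different hosts.

```conf
# ---- on fw (server side) ----
@version: 3.30

# Accept syslog over TLS; require a client certificate signed by a CA in ca-dir().
source s_remote_tls {
    network(
        ip("0.0.0.0") port(6514)
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/cert.d/fw-key.pem")      # assumed path
            cert-file("/etc/syslog-ng/cert.d/fw-cert.pem")    # assumed path
            ca-dir("/etc/syslog-ng/ca.d")                     # assumed path
            peer-verify(required-trusted)
        )
    );
};

# One file per sending host and program, readable by fail2ban but not world-readable.
destination d_per_host {
    file("/var/log/remote/${HOST}/${PROGRAM}.log"
        create-dirs(yes) dir-perm(0750)
        owner("root") group("adm") perm(0640)
        template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"));
};

# A single combined file, as in the original example.
destination d_all { file("/var/log/network-messages"); };

# The declared source is referenced from two log statements.
log { source(s_remote_tls); destination(d_per_host); };
log { source(s_remote_tls); destination(d_all); };

# ---- on each client (www, smtp, imap) ----
@version: 3.30

source s_local { system(); };

destination d_fw {
    network("fw.lan" port(6514) transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/ca.d")                     # assumed path
            key-file("/etc/syslog-ng/cert.d/client-key.pem")  # assumed path
            cert-file("/etc/syslog-ng/cert.d/client-cert.pem") # assumed path
            peer-verify(required-trusted)
        ));
};

log { source(s_local); destination(d_fw); };
```

With peer-verify(required-trusted) on both ends, a host without a CA-signed certificate can neither inject log lines that fail2ban would act on nor impersonate fw to collect them.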