We can think of syslog-ng as a Linux application that takes the logs generated by the system and sends them to a destination we choose. Syslog-ng can be used to follow the logs on systems, which makes problem identification easier and, through continuous monitoring, lets us take precautions against problems that may arise.
Syslog-ng configuration:
The configuration file is syslog-ng.conf, located in /etc/syslog-ng/. Here we specify a source and a destination; logs from the source are collected and written to the destination we specified.
For the source of syslog messages, you can use the templates below:
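# Local sources: kernel messages, the local log socket and syslog-ng's own internal messages.
source s_sys {
    file("/proc/kmsg" log_prefix("kernel: "));
    unix-stream("/dev/log2" max-connections(500));
    internal();
};
# Network source: UDP syslog on port 514 on all interfaces, with an enlarged receive buffer.
source s_net {
    udp(ip(0.0.0.0) port(514) so_rcvbuf(2203648));
};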
For filtering syslog messages, you can use the templates below:
filter f_traplog { facility(local6) and level(crit); };
filter f_patchlg { facility(local6) and level(info); };
filter f_statlog { facility(local7) and level(debug); };
filter f_histlog { facility(local7) and level(alert); };
filter f_authlog { facility(auth,authpriv) ; };
filter f_daemonl { facility(daemon) ; };
filter f_kernlog { facility(kern) ; };
filter f_userlog { facility(user) ; };
filter f_syslog { facility(syslog) ; };
For the destination of syslog messages, you can use the templates below:
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
#destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
#destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron.log"); };
# Sending logs to all logged users is intentionally disabled.
#destination d_mlal { usertty("*"); };
VSE Destinations:
destination d_desl { file("/var/log/designlog"); };
destination d_auth { file("/var/log/auth.log" group("secadm") perm(0640)); };
destination d_daem { file("/var/log/daemon.log"); };
destination d_kern { file("/var/log/kern.log"); };
destination d_user { file("/var/log/user.log"); };
destination d_sysl { file("/var/log/syslog"); };
destination d_trap { file("/var/log/traplog"); };
destination d_patc { file("/var/log/patchlog"); };
destination d_stat { file("/var/log/statlog"); };
destination d_hist { file("/var/log/hist.log"); };
destination d_cust { file("/var/log/custlog" perm(0644)); };
destination d_audi { file("/var/log/auditlog" group("secadm") perm(0640)); };
destination d_seca { file("/var/log/securityalertlog" group("secadm") perm(0640)); };
destination d_remo { udp("typhoon-base-mate" port(514)); };
I used this syslog-ng config to send syslog messages from a Genband C20 to a syslog server:
source source_syslog { file("/var/applog/gvm/logs/alert_audit.txt"); };
# We named the source and specified the file to retrieve the logs from. (We can give the name we want instead of 'source_syslog'.)
destination destination_syslog { udp("x.x.x.x" port(***)); };
# We specified where to write our logs (server IP and port) and named the destination. (We can give the name we want instead of 'destination_syslog'.)
log { source(source_syslog); destination(destination_syslog); };
# In this section we link the source to the destination.
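Every name used inside a log { } statement must match a source, filter or destination defined elsewhere in the file. The Python check below is an added example, not part of the original post; the sample configuration, its names (s_app, d_remo, d_remote) and the 192.0.2.10 address are constructed, and it only handles flat log statements that reference named objects.

```python
import re

# Constructed sample config: the log path refers to a destination name
# (d_remote) that was never defined; the defined one is d_remo.
SAMPLE_CONF = '''
source s_app { file("/var/applog/gvm/logs/alert_audit.txt"); };
filter f_authlog { facility(auth,authpriv); };
destination d_remo { udp("192.0.2.10" port(514)); };
# destination d_old { file("/var/log/old.log"); };
log { source(s_app); filter(f_authlog); destination(d_remote); };
'''

DEF_RE = re.compile(r'^\s*(source|filter|destination)\s+([\w.-]+)\s*\{', re.M)
LOG_RE = re.compile(r'^\s*log\s*\{(.*?)\}\s*;', re.M | re.S)
REF_RE = re.compile(r'\b(source|filter|destination)\s*\(\s*([\w.-]+)\s*\)')


def strip_comments(conf):
    """Drop '#' comments, leaving '#' inside double-quoted strings alone."""
    out = []
    for line in conf.splitlines():
        in_str = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str
            elif ch == '#' and not in_str:
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)


def check_log_paths(conf):
    """Return (undefined, unused) sets of (kind, name) pairs."""
    conf = strip_comments(conf)
    defined = set(DEF_RE.findall(conf))
    used = set()
    for body in LOG_RE.findall(conf):
        used.update(REF_RE.findall(body))
    return used - defined, defined - used


if __name__ == "__main__":
    undefined, unused = check_log_paths(SAMPLE_CONF)
    for kind, name in sorted(undefined):
        print(f"undefined {kind}: {name}")
    for kind, name in sorted(unused):
        print(f"defined but never used {kind}: {name}")
```

A destination that is defined but never used in a log path receives nothing, so both result sets are worth reviewing before the service is restarted.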
Attention!
The syslog-ng service needs to be restarted for changes in syslog-ng.conf to take effect.
On Ubuntu you can restart it as follows:
Please do not hesitate to e-mail me with any questions about syslog-ng.