Difference between revisions of "Syslog"

Revision as of 13:28, 4 December 2006

Syslog-ng install

apt-get install syslog-ng

Example of /etc/syslog-ng/syslog-ng.conf:

Comment kernel source out as we are in a vserver:

   source s_all {
       #file("/proc/kmsg" log_prefix("kernel: "));

I want to keep the original hostnames:

   options {
       keep_hostname(1);

Enable logging per remote host

   source net { udp(ip(192.168.x.xxx)); };
   destination df_zeus    {   file("/var/log/syslog-zeus.log"    owner("root") group("adm") perm(0640)); };
   destination df_public  {   file("/var/log/syslog-public.log"  owner("root") group("adm") perm(0640)); };
   destination df_private {   file("/var/log/syslog-private.log" owner("root") group("adm") perm(0640)); };
   destination df_ns0     {   file("/var/log/syslog-ns0.log"     owner("root") group("adm") perm(0640)); };
   destination df_sql     {   file("/var/log/syslog-sql.log"     owner("root") group("adm") perm(0640)); };
   destination df_others  {   file("/var/log/syslog-$HOST.log"   owner("root") group("adm") perm(0640)); };
   filter f_zeus    { host(192.168.x.xxx); };
   filter f_public  { host(192.168.x.xxx); };
   filter f_private { host(192.168.x.xxx); };
   filter f_ns0     { host(192.168.x.xxx); };
   filter f_sql     { host(192.168.x.xxx); };
   filter f_others  { not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) };
   log { 
       source(net);
       filter(f_zeus);
       destination(df_zeus);
   };
   log {
       ...

Allow inbound connections from monitoring subnet

iptables -A INPUT -s xxxx -d xxxx -p udp --dport 514 -m state --state NEW -j ACCEPT

On satellite hosts: add to /etc/syslog.conf

.* @192.168.x.xxx

Resources & Credits

Main page
Manual in html or txt
FAQ
Misc
- http://www.linux-france.org/prj/inetdoc/articles/devmgmt/devmgmt.log.html (FR)
- http://wiki.egee-see.org/index.php/SyslogNG

Logcheck

apt-get install logcheck logcheck-database

In /etc/logcheck/logcheck.conf:

REPORTLEVEL="paranoid"

Tuning logcheck filters

I have many such messages in the vserver:

pam_limits[863]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0

Not sure why, probably because vserver max limits are reduced.
To get rid of it, comment the line in /etc/pam.d/cron:

#session    required     pam_limits.so

For common imapd timeouts:

/etc/logcheck/ignore.d.paranoid/local-imapd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT, user=[a-z]+, ip=\[[:.0-9a-f]+\], headers=0, body=0, rcvd=[0-9]+, sent=[0-9]+, time=[0-9]+, starttls=1$

TODO

update syslog-ng notes with new filters, flag final etc
logcheck them, ! fw of zeus
source IP of zeus seems to be 100
fwlogwatch?
http://www.phpwizardry.com/php-syslog-ng.php ?
logrotate

@@ Line 38: / Line 38: @@
 On satellite hosts: add to /etc/syslog.conf
 *.*               @192.168.x.xxx
-==TODO==
-* filters host(192.168.1.1) capture 192.168.1.100 also :-(
-* devel on vlan4
-* logcheck them, ! fw of zeus
-* source IP of zeus seems to be 100
 ==Resources & Credits==
@@ Line 53: / Line 47: @@
 ** http://wiki.egee-see.org/index.php/SyslogNG
-fwlogwatch
 ==Logcheck==
@@ Line 60: / Line 53: @@
  REPORTLEVEL="paranoid"
-===Filtering===
+===Tuning logcheck filters===
 I have many such messages in the vserver:
  pam_limits[863]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
@@ Line 70: / Line 63: @@
  /etc/logcheck/ignore.d.paranoid/local-imapd
  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT, user=[a-z]+, ip=\[[:.0-9a-f]+\], headers=0, body=0, rcvd=[0-9]+, sent=[0-9]+, time=[0-9]+, starttls=1$
+==TODO==
+* update syslog-ng notes with new filters, flag final etc
+* logcheck them, ! fw of zeus
+* source IP of zeus seems to be 100
+* fwlogwatch?
+* http://www.phpwizardry.com/php-syslog-ng.php ?
+* logrotate