Syslog

From YobiWiki

Syslog-ng install

apt-get install syslog-ng

Add to /etc/syslog-ng/syslog-ng.conf a UDP source bound to the collector's own address (port 514 unless port() is given), a filter for the switch at 192.168.2.2, and a destination that writes one file per sending host, readable only by root and the adm group:

   source net {
       udp(ip(192.168.2.1));
       };
   filter f_sw1 { 
       host(192.168.2.2) and level(info,notice,warn,crit,err);
       };
   destination d_net_devices {
       file("/var/log/$HOST.log" owner("root") group("adm") perm(0640));
       };
   log { 
       source(net);
       filter(f_sw1);
       destination(d_net_devices);
       };
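As an added check, not part of the original page or of syslog-ng, the script below emulates f_sw1 on a few constructed RFC 3164 datagrams so the filter's effect is visible without a switch on the wire. It assumes host() is compared with the sender address, which is what $HOST holds when the source runs with keep_hostname(no) and use_dns(no); with the default use_dns(yes) a switch that has a reverse-DNS entry shows up by name instead, and host(192.168.2.2) stops matching. It also shows that the level() list as written omits alert and emerg, so the most urgent messages a switch can send are discarded; level(info..emerg) would keep them. The sample datagrams are made up for this example.

```shell
#!/bin/sh
# Added example: emulate syslog-ng's f_sw1 from the config above on constructed
# RFC 3164 datagrams. This is not syslog-ng code; it only reproduces the
# host()/level() decision so the filter can be reasoned about without a switch.
set -eu

F_SW1_HOST=192.168.2.2

# RFC 3164: PRI = facility * 8 + severity; print the severity name for a PRI
sev_name() {
    case $(( $1 % 8 )) in
        0) echo emerg ;;   1) echo alert ;;  2) echo crit ;; 3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;; 7) echo debug ;;
    esac
}

# Print the numeric PRI of "<PRI>rest"; prints nothing if the header is missing
pri_of() {
    printf '%s\n' "$1" | sed -n 's/^<\([0-9]\{1,3\}\)>.*/\1/p'
}

# f_sw1 SENDER_IP DATAGRAM: exit 0 if the filter would pass the message on.
# host() is compared with the sender address here, which is what $HOST holds
# when syslog-ng runs with keep_hostname(no) and use_dns(no) (assumption of
# this emulation). level(info,notice,warn,crit,err) is copied as written:
# "warn" is syslog-ng's alias for warning, and alert/emerg are not listed.
f_sw1() {
    pri=$(pri_of "$2")
    [ -n "$pri" ] && [ "$pri" -le 191 ] || return 1
    [ "$1" = "$F_SW1_HOST" ] || return 1
    case $(sev_name "$pri") in
        info|notice|warning|crit|err) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples, "sender|datagram", not captured from a real switch.
# PRI 14 = user.info, 190 = local7.info, 8 = user.emerg, 9 = user.alert,
# 15 = user.debug; the last line comes from a host the filter does not want.
SAMPLES='192.168.2.2|<14>port 5: link down
192.168.2.2|<190>port 5: link up
192.168.2.2|<8>power supply 1 failed
192.168.2.2|<9>fan 2 failed
192.168.2.2|<15>stp: topology debug
192.168.2.3|<14>not the switch'

# Datagrams f_sw1 would write to /var/log/$HOST.log, and the ones it discards
kept() {
    printf '%s\n' "$SAMPLES" | while IFS='|' read -r ip msg; do
        if f_sw1 "$ip" "$msg"; then printf '%s\n' "$msg"; fi
    done
}
dropped() {
    printf '%s\n' "$SAMPLES" | while IFS='|' read -r ip msg; do
        if f_sw1 "$ip" "$msg"; then :; else printf '%s\n' "$msg"; fi
    done
}
count_kept()    { kept    | wc -l | tr -d ' '; }
count_dropped() { dropped | wc -l | tr -d ' '; }

echo "kept:";    kept
echo "dropped:"; dropped
```

Running it lists two kept lines (the two info messages) and four dropped ones; the power-supply and fan failures are among the dropped, which is the gap the level() list leaves.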

Comment the kernel source out, since this runs in a vserver guest where /proc/kmsg is not available to syslog-ng:

   source s_all {
       #file("/proc/kmsg" log_prefix("kernel: "));

fwlogwatch

The switch must be allowed to reach the collector on UDP 514 (syslog-ng's default udp() port); with the rule below only 192.168.2.2 can deliver. Keep in mind that UDP syslog carries no authentication: a host on the same segment that spoofs 192.168.2.2 as its source address passes both this rule and the host() filter and can inject lines into the switch's log file, so the address checks are housekeeping, not a trust boundary.

-A INPUT -s 192.168.2.2 -p udp --dport 514 -m state --state NEW -j ACCEPT

Logcheck

apt-get install logcheck logcheck-database

In /etc/logcheck/logcheck.conf:

REPORTLEVEL="paranoid"

Filtering

The vserver guest logs many messages like this one, which logcheck then reports on every run:

pam_limits[863]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0

Limit #6 is RLIMIT_NPROC, so pam_limits is trying to raise the process limit to unlimited when cron opens a session; the likely cause is that the vserver guest's limits are capped below that, so the setrlimit() call is refused. To get rid of the message, comment the pam_limits line out of /etc/pam.d/cron. Note that this also stops cron jobs from getting any limits from /etc/security/limits.conf; a logcheck ignore rule for this exact message is the less invasive option.

#session    required     pam_limits.so

To drop the routine imapd idle timeouts from the reports, put the rule below (one extended regex per line, matched with grep -E against the whole log line; rules in ignore.d.paranoid apply at every REPORTLEVEL) in:

/etc/logcheck/ignore.d.paranoid/local-imapd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT, user=[a-z]+, ip=\[[:.0-9a-f]+\], headers=0, body=0, rcvd=[0-9]+, sent=[0-9]+, time=[0-9]+, starttls=1$
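Added example, not from the page or from logcheck: the script below applies ignore rules the way logcheck does (grep -E -v -f RULES LOG) to a constructed log, so a rule can be checked before it goes into /etc/logcheck/ignore.d.paranoid/. The first rule is the local-imapd rule above; the second is an added rule of my own for the pam_limits message from the vserver, the alternative to disabling pam_limits in /etc/pam.d/cron. The log lines are constructed for this example; the hostnames, user names and addresses in them are made up.

```shell
#!/bin/sh
# Added example, not from the page or from logcheck: apply ignore rules the
# way logcheck does (grep -E -v -f RULES LOG) to constructed log lines, so a
# rule can be checked before it goes into /etc/logcheck/ignore.d.paranoid/.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Rule 1 is the page's local-imapd rule. Rule 2 is an added rule (assumption:
# the pam_limits message arrives with the usual "date host ident[pid]:"
# prefix) for the setrlimit message from the Filtering section.
cat > "$WORK/local-rules" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT, user=[a-z]+, ip=\[[:.0-9a-f]+\], headers=0, body=0, rcvd=[0-9]+, sent=[0-9]+, time=[0-9]+, starttls=1$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pam_limits\[[0-9]+\]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0$
EOF

# Constructed sample log (not captured from a real system). Lines 1, 2 and 5
# should be ignored; line 3 (session without STARTTLS) and line 4 (failed
# login) must still be reported.
cat > "$WORK/syslog" <<'EOF'
Mar  3 10:12:01 mailhost imapd: TIMEOUT, user=alice, ip=[192.168.2.10], headers=0, body=0, rcvd=15, sent=120, time=1800, starttls=1
Mar 12 23:59:58 mail-01 imapd: TIMEOUT, user=bob, ip=[::ffff:10.0.0.7], headers=0, body=0, rcvd=0, sent=99, time=1800, starttls=1
Mar  3 10:13:01 mailhost imapd: TIMEOUT, user=alice, ip=[192.168.2.10], headers=0, body=0, rcvd=15, sent=120, time=1800, starttls=0
Mar  3 10:14:01 mailhost imapd: LOGIN FAILED, user=admin, ip=[203.0.113.5]
Mar  3 10:15:01 vguest pam_limits[863]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
EOF

# What logcheck would put in the report: every line no ignore rule matches
report() {
    grep -E -v -f "$WORK/local-rules" "$WORK/syslog" || true
}

report_count() {
    report | wc -l | tr -d ' '
}

# Lines the rules swallow; read these to be sure nothing important is lost
ignored() {
    grep -E -f "$WORK/local-rules" "$WORK/syslog" || true
}

ignored_count() {
    ignored | wc -l | tr -d ' '
}

echo "reported:"; report
echo "ignored:";  ignored
```

The point of printing the ignored lines as well as the reported ones is that an ignore rule which is too loose fails silently: logcheck only ever shows what survived the rules, so a rule should be tested against lines it must not match (here the starttls=0 timeout and the failed login) before it is installed.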