Difference between revisions of "Syslog"

From YobiWiki
Jump to navigation Jump to search
m (Reverted edits by Etegohy (Talk) to last revision by PhilippeTeuwen)
 
(24 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Syslog-ng install==
+
==Syslog-ng==
  +
===Install===
   
 
apt-get install syslog-ng
 
apt-get install syslog-ng
Line 14: Line 15:
   
 
Enable logging per remote host
 
Enable logging per remote host
source net { udp(ip(192.168.x.xxx)); };
+
source net { udp(ip(<local_ip_or_hostname>)); };
destination df_zeus { file("/var/log/syslog-zeus.log" owner("root") group("adm") perm(0640)); };
+
Add specific destination files to collect auth.log and syslog.log of every remote (and local) node:
  +
<br>Note that for some we add a template to replace the IP by the hostname in the msgs
destination df_public { file("/var/log/syslog-public.log" owner("root") group("adm") perm(0640)); };
 
destination df_private { file("/var/log/syslog-private.log" owner("root") group("adm") perm(0640)); };
+
destination df_zeus_auth { file("/var/log/remote/MAIN/auth.log" owner("root") group("adm") perm(0640) template("$DATE MAIN $MESSAGE\n")); };
destination df_ns0 { file("/var/log/syslog-ns0.log" owner("root") group("adm") perm(0640)); };
+
destination df_zeus_syslog { file("/var/log/remote/MAIN/syslog.log" owner("root") group("adm") perm(0640) template("$DATE MAIN $MESSAGE\n")); };
destination df_sql { file("/var/log/syslog-sql.log" owner("root") group("adm") perm(0640)); };
+
destination df_zeus_kern { file("/var/log/remote/MAIN/kern.log" owner("root") group("adm") perm(0640) template("$DATE MAIN $MESSAGE\n")); };
destination df_others { file("/var/log/syslog-$HOST.log" owner("root") group("adm") perm(0640)); };
+
destination df_mx_auth { file("/var/log/remote/mx/auth.log" owner("root") group("adm") perm(0640)); };
  +
destination df_mx_syslog { file("/var/log/remote/mx/syslog.log" owner("root") group("adm") perm(0640)); };
filter f_zeus { host(192.168.x.xxx); };
 
  +
destination df_public_auth { file("/var/log/remote/public/auth.log" owner("root") group("adm") perm(0640) template("$DATE public $MESSAGE\n")); };
filter f_public { host(192.168.x.xxx); };
 
  +
destination df_public_syslog { file("/var/log/remote/public/syslog.log" owner("root") group("adm") perm(0640) template("$DATE public $MESSAGE\n")); };
filter f_private { host(192.168.x.xxx); };
 
  +
destination df_private_auth { file("/var/log/remote/private/auth.log" owner("root") group("adm") perm(0640) template("$DATE private $MESSAGE\n")); };
filter f_ns0 { host(192.168.x.xxx); };
 
  +
destination df_private_syslog { file("/var/log/remote/private/syslog.log" owner("root") group("adm") perm(0640) template("$DATE private $MESSAGE\n")); };
filter f_sql { host(192.168.x.xxx); };
 
  +
destination df_ns0_auth { file("/var/log/remote/ns0/auth.log" owner("root") group("adm") perm(0640) template("$DATE ns0 $MESSAGE\n")); };
filter f_others { not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) };
 
  +
destination df_ns0_syslog { file("/var/log/remote/ns0/syslog.log" owner("root") group("adm") perm(0640) template("$DATE ns0 $MESSAGE\n")); };
log {
 
  +
destination df_sql_auth { file("/var/log/remote/sql/auth.log" owner("root") group("adm") perm(0640) template("$DATE sql $MESSAGE\n")); };
  +
destination df_sql_syslog { file("/var/log/remote/sql/syslog.log" owner("root") group("adm") perm(0640) template("$DATE sql $MESSAGE\n")); };
  +
destination df_devel_auth { file("/var/log/remote/devel/auth.log" owner("root") group("adm") perm(0640) template("$DATE devel $MESSAGE\n")); };
  +
destination df_devel_syslog { file("/var/log/remote/devel/syslog.log" owner("root") group("adm") perm(0640) template("$DATE devel $MESSAGE\n")); };
  +
destination df_others_auth { file("/var/log/remote/$HOST/auth.log" owner("root") group("adm") perm(0640)); };
  +
destination df_others_syslog { file("/var/log/remote/$HOST/syslog.log" owner("root") group("adm") perm(0640)); };
  +
destination df_nf_ethr_in { file("/var/log/remote/MAIN/NF/ethr_in.log" owner("root") group("adm") perm(0640) template("$DATE MAIN $MESSAGE\n")); };
  +
destination df_nf_ethr_out { file("/var/log/remote/MAIN/NF/ethr_out.log" owner("root") group("adm") perm(0640) template("$DATE MAIN $MESSAGE\n")); };
  +
destination df_nf_others { file("/var/log/remote/MAIN/NF/others.log" owner("root") group("adm") perm(0640) template("$DATE MAIN $MESSAGE\n")); };
  +
Add filters for remote nodes:
  +
<br>This is quite strange but msgs from the host are seen as coming from the IP of the collecting node
  +
<br>As the source will be net instead of s_all, we can still distinguish both from each other
  +
<br>Filters are sub-string regexps so we have to pay attention that IP x.x.x.1 can catch IP x.x.x.100 if not ended with a $
  +
filter f_zeus { host(192.168.x.x$); };
  +
filter f_public { host(192.168.x.x$); };
  +
filter f_private { host(192.168.x.x$); };
  +
filter f_ns0 { host(192.168.x.x$); };
  +
filter f_devel { host(192.168.x.x$); };
  +
filter f_sql { host(192.168.x.x$); };
  +
For the host which gets the kernel logs, we add filters for the netfilter logs:
  +
filter f_nf { match("NF Dropped "); };
  +
filter f_ethr_in { match("ETH_R IN "); };
  +
filter f_ethr_out { match("ETH_R OUT "); };
  +
Then combine all those in log statements
  +
<br>They all contain the flag final so each entry will be captured only once, this avoids us to write negated filters and this should accelerate a bit the processing
  +
<pre>
  +
log {
 
source(net);
 
source(net);
 
filter(f_zeus);
 
filter(f_zeus);
destination(df_zeus);
+
filter(f_auth);
  +
destination(df_zeus_auth);
};
 
log {
+
flags(final);
  +
};
...
 
  +
log {
  +
source(net);
  +
filter(f_zeus);
  +
filter(f_kern);
  +
filter(f_nf);
  +
filter(f_ethr_in);
  +
destination(df_nf_ethr_in);
  +
flags(final);
  +
};
  +
log {
  +
source(net);
  +
filter(f_zeus);
  +
filter(f_kern);
  +
filter(f_nf);
  +
filter(f_ethr_out);
  +
destination(df_nf_ethr_out);
  +
flags(final);
  +
};
  +
log {
  +
source(net);
  +
filter(f_zeus);
  +
filter(f_kern);
  +
filter(f_nf);
  +
destination(df_nf_others);
  +
flags(final);
  +
};
  +
log {
  +
source(net);
  +
filter(f_zeus);
  +
filter(f_kern);
  +
destination(df_zeus_kern);
  +
flags(final);
  +
};
  +
log {
  +
source(net);
  +
filter(f_zeus);
  +
filter(f_syslog);
  +
destination(df_zeus_syslog);
  +
flags(final);
  +
};
  +
# Don't forget ourselves:
  +
log {
  +
source(s_all);
  +
filter(f_auth);
  +
destination(df_mx_auth);
  +
};
  +
log {
  +
source(s_all);
  +
filter(f_syslog);
  +
destination(df_mx_syslog);
  +
};
  +
# Other vservers:
  +
log {
  +
source(net);
  +
filter(f_public);
  +
filter(f_auth);
  +
destination(df_public_auth);
  +
flags(final);
  +
};
  +
log {
  +
source(net);
  +
filter(f_public);
  +
filter(f_syslog);
  +
destination(df_public_syslog);
  +
flags(final);
  +
};
  +
log {
  +
source(net);
  +
filter(f_private);
  +
filter(f_auth);
  +
destination(df_private_auth);
  +
flags(final);
  +
};
  +
log {
  +
source(net);
  +
filter(f_private);
  +
filter(f_syslog);
  +
destination(df_private_syslog);
  +
flags(final);
  +
};
  +
log {
  +
source(net);
  +
filter(f_ns0);
  +
filter(f_auth);
  +
destination(df_ns0_auth);
  +
flags(final);
  +
};
  +
log {
  +
source(net);
  +
filter(f_ns0);
  +
filter(f_syslog);
  +
destination(df_ns0_syslog);
  +
flags(final);
  +
};
  +
log {
  +
source(net);
  +
filter(f_sql);
  +
filter(f_auth);
  +
destination(df_sql_auth);
  +
flags(final);
  +
};
  +
log {
  +
source(net);
  +
filter(f_sql);
  +
filter(f_syslog);
  +
destination(df_sql_syslog);
  +
flags(final);
  +
};
  +
log {
  +
source(net);
  +
filter(f_devel);
  +
filter(f_auth);
  +
destination(df_devel_auth);
  +
flags(final);
  +
};
  +
log {
  +
source(net);
  +
filter(f_devel);
  +
filter(f_syslog);
  +
destination(df_devel_syslog);
  +
flags(final);
  +
};
  +
# Catch other remote hosts:
  +
log {
  +
source(net);
  +
filter(f_auth);
  +
destination(df_others_auth);
  +
flags(final);
  +
};
  +
log {
  +
source(net);
  +
filter(f_syslog);
  +
destination(df_others_syslog);
  +
flags(final);
  +
};
  +
</pre>
  +
 
Allow inbound connections from monitoring subnet
 
Allow inbound connections from monitoring subnet
 
iptables -A INPUT -s xxxx -d xxxx -p udp --dport 514 -m state --state NEW -j ACCEPT
 
iptables -A INPUT -s xxxx -d xxxx -p udp --dport 514 -m state --state NEW -j ACCEPT
 
On satellite hosts: add to /etc/syslog.conf
 
On satellite hosts: add to /etc/syslog.conf
*.* @192.168.x.xxx
+
*.* @192.168.x.xxx
   
==Resources & Credits==
+
===Resources & Credits===
 
* [http://www.balabit.com/products/syslog_ng/ Main page]
 
* [http://www.balabit.com/products/syslog_ng/ Main page]
 
* Manual in [http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.html/index.html html] or [http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.txt txt]
 
* Manual in [http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.html/index.html html] or [http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.txt txt]
Line 48: Line 213:
   
   
==Logcheck==
+
==Logrotate==
  +
We add a file to rotate our new log files:
apt-get install logcheck logcheck-database
 
  +
/etc/logrotate.d/local-syslog-ng:
In /etc/logcheck/logcheck.conf:
 
  +
/var/log/remote/*/*.log {
REPORTLEVEL="paranoid"
 
  +
rotate 28
 
  +
missingok
===Tuning logcheck filters===
 
  +
notifempty
I have many such messages in the vserver:
 
  +
daily
pam_limits[863]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
 
  +
compress
Not sure why, probably because vserver max limits are reduced.
 
  +
}
<br>To get rid of it, comment the line in /etc/pam.d/cron and /etc/pam.d/ssh:
 
  +
The call to syslog-ng reload will be done by the native /etc/logrotate.d/syslog-ng so we don't need to do it ourselves
#session required pam_limits.so
 
  +
==Others==
 
  +
Check [[Logcheck]] and [[Php-Syslog-ng]].
To test logcheck filtering rules:
 
sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep '<regexp>'
 
 
For common imapd timeouts:
 
/etc/logcheck/ignore.d.paranoid/local-imap:
 
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT, user=[a-z]+, ip=\[[:.0-9a-f]+\], headers=0, body=0, rcvd=[0-9]+, sent=[0-9]+, time=[0-9]+, starttls=1$
 
 
 
==TODO==
 
==TODO==
  +
* source IP of zeus seems to be 100, why?
* update syslog-ng notes with new filters, flag final etc
 
* logcheck them, ! fw of zeus
 
* source IP of zeus seems to be 100
 
 
* fwlogwatch?
 
* fwlogwatch?
* http://www.phpwizardry.com/php-syslog-ng.php ?
 
* logrotate
 

Latest revision as of 21:38, 24 November 2010

Syslog-ng

Install

apt-get install syslog-ng

Example of /etc/syslog-ng/syslog-ng.conf:

Comment kernel source out as we are in a vserver:

   source s_all {
       #file("/proc/kmsg" log_prefix("kernel: "));

I want to keep the original hostnames:

   options {
       keep_hostname(1);

Enable logging per remote host

source net { udp(ip(<local_ip_or_hostname>)); };

Add specific destination files to collect auth.log and syslog.log of every remote (and local) node:
Note that for some we add a template to replace the IP by the hostname in the msgs

destination df_zeus_auth      {   file("/var/log/remote/MAIN/auth.log"        owner("root") group("adm") perm(0640) template("$DATE MAIN $MESSAGE\n")); };
destination df_zeus_syslog    {   file("/var/log/remote/MAIN/syslog.log"      owner("root") group("adm") perm(0640) template("$DATE MAIN $MESSAGE\n")); };
destination df_zeus_kern      {   file("/var/log/remote/MAIN/kern.log"        owner("root") group("adm") perm(0640) template("$DATE MAIN $MESSAGE\n")); };
destination df_mx_auth        {   file("/var/log/remote/mx/auth.log"          owner("root") group("adm") perm(0640)); };
destination df_mx_syslog      {   file("/var/log/remote/mx/syslog.log"        owner("root") group("adm") perm(0640)); };
destination df_public_auth    {   file("/var/log/remote/public/auth.log"      owner("root") group("adm") perm(0640) template("$DATE public $MESSAGE\n")); };
destination df_public_syslog  {   file("/var/log/remote/public/syslog.log"    owner("root") group("adm") perm(0640) template("$DATE public $MESSAGE\n")); };
destination df_private_auth   {   file("/var/log/remote/private/auth.log"     owner("root") group("adm") perm(0640) template("$DATE private $MESSAGE\n")); };
destination df_private_syslog {   file("/var/log/remote/private/syslog.log"   owner("root") group("adm") perm(0640) template("$DATE private $MESSAGE\n")); };
destination df_ns0_auth       {   file("/var/log/remote/ns0/auth.log"         owner("root") group("adm") perm(0640) template("$DATE ns0 $MESSAGE\n")); };
destination df_ns0_syslog     {   file("/var/log/remote/ns0/syslog.log"       owner("root") group("adm") perm(0640) template("$DATE ns0 $MESSAGE\n")); };
destination df_sql_auth       {   file("/var/log/remote/sql/auth.log"         owner("root") group("adm") perm(0640) template("$DATE sql $MESSAGE\n")); };
destination df_sql_syslog     {   file("/var/log/remote/sql/syslog.log"       owner("root") group("adm") perm(0640) template("$DATE sql $MESSAGE\n")); };
destination df_devel_auth     {   file("/var/log/remote/devel/auth.log"       owner("root") group("adm") perm(0640) template("$DATE devel $MESSAGE\n")); };
destination df_devel_syslog   {   file("/var/log/remote/devel/syslog.log"     owner("root") group("adm") perm(0640) template("$DATE devel $MESSAGE\n")); };
destination df_others_auth    {   file("/var/log/remote/$HOST/auth.log"       owner("root") group("adm") perm(0640)); };
destination df_others_syslog  {   file("/var/log/remote/$HOST/syslog.log"     owner("root") group("adm") perm(0640)); };
destination df_nf_ethr_in     {   file("/var/log/remote/MAIN/NF/ethr_in.log"  owner("root") group("adm") perm(0640) template("$DATE MAIN $MESSAGE\n")); };
destination df_nf_ethr_out    {   file("/var/log/remote/MAIN/NF/ethr_out.log" owner("root") group("adm") perm(0640) template("$DATE MAIN $MESSAGE\n")); };
destination df_nf_others      {   file("/var/log/remote/MAIN/NF/others.log"   owner("root") group("adm") perm(0640) template("$DATE MAIN $MESSAGE\n")); };

Add filters for remote nodes:
This is quite strange but msgs from the host are seen as coming from the IP of the collecting node
As the source will be net instead of s_all, we can still distinguish both from each other
Filters are sub-string regexps so we have to pay attention that IP x.x.x.1 can catch IP x.x.x.100 if not ended with a $

filter f_zeus    { host(192.168.x.x$); };
filter f_public  { host(192.168.x.x$); };
filter f_private { host(192.168.x.x$); };
filter f_ns0     { host(192.168.x.x$); };
filter f_devel   { host(192.168.x.x$); };
filter f_sql     { host(192.168.x.x$); };

For the host which gets the kernel logs, we add filters for the netfilter logs:

filter f_nf       { match("NF Dropped "); };
filter f_ethr_in  { match("ETH_R IN "); };
filter f_ethr_out { match("ETH_R OUT "); };

Then combine all those in log statements
They all contain the flag final so each entry will be captured only once, this avoids us to write negated filters and this should accelerate a bit the processing

log {
        source(net);
        filter(f_zeus);
        filter(f_auth);
        destination(df_zeus_auth);
        flags(final);
};
log {
        source(net);
        filter(f_zeus);
        filter(f_kern);
        filter(f_nf);
        filter(f_ethr_in);
        destination(df_nf_ethr_in);
        flags(final);
};
log {
        source(net);
        filter(f_zeus);
        filter(f_kern);
        filter(f_nf);
        filter(f_ethr_out);
        destination(df_nf_ethr_out);
        flags(final);
};
log {
        source(net);
        filter(f_zeus);
        filter(f_kern);
        filter(f_nf);
        destination(df_nf_others);
        flags(final);
};
log {
        source(net);
        filter(f_zeus);
        filter(f_kern);
        destination(df_zeus_kern);
        flags(final);
};
log {
        source(net);
        filter(f_zeus);
        filter(f_syslog);
        destination(df_zeus_syslog);
        flags(final);
};
# Don't forget ourselves:
log {
        source(s_all);
        filter(f_auth);
        destination(df_mx_auth);
};
log {
        source(s_all);
        filter(f_syslog);
        destination(df_mx_syslog);
};
# Other vservers:
log {
        source(net);
        filter(f_public);
        filter(f_auth);
        destination(df_public_auth);
        flags(final);
};
log {
        source(net);
        filter(f_public);
        filter(f_syslog);
        destination(df_public_syslog);
        flags(final);
};
log {
        source(net);
        filter(f_private);
        filter(f_auth);
        destination(df_private_auth);
        flags(final);
};
log {
        source(net);
        filter(f_private);
        filter(f_syslog);
        destination(df_private_syslog);
        flags(final);
};
log {
        source(net);
        filter(f_ns0);
        filter(f_auth);
        destination(df_ns0_auth);
        flags(final);
};
log {
        source(net);
        filter(f_ns0);
        filter(f_syslog);
        destination(df_ns0_syslog);
        flags(final);
};
log {
        source(net);
        filter(f_sql);
        filter(f_auth);
        destination(df_sql_auth);
        flags(final);
};
log {
        source(net);
        filter(f_sql);
        filter(f_syslog);
        destination(df_sql_syslog);
        flags(final);
};
log {
        source(net);
        filter(f_devel);
        filter(f_auth);
        destination(df_devel_auth);
        flags(final);
};
log {
        source(net);
        filter(f_devel);
        filter(f_syslog);
        destination(df_devel_syslog);
        flags(final);
};
# Catch other remote hosts:
log {
        source(net);
        filter(f_auth);
        destination(df_others_auth);
        flags(final);
};
log {
        source(net);
        filter(f_syslog);
        destination(df_others_syslog);
        flags(final);
};

Allow inbound connections from monitoring subnet

iptables -A INPUT -s xxxx -d xxxx -p udp --dport 514 -m state --state NEW -j ACCEPT

On satellite hosts: add to /etc/syslog.conf

*.*               @192.168.x.xxx

Resources & Credits


Logrotate

We add a file to rotate our new log files:

/etc/logrotate.d/local-syslog-ng:
/var/log/remote/*/*.log {
  rotate 28
  missingok
  notifempty
  daily
  compress
}

The call to syslog-ng reload will be done by the native /etc/logrotate.d/syslog-ng so we don't need to do it ourselves

Others

Check Logcheck and Php-Syslog-ng.

TODO

  • source IP of zeus seems to be 100, why?
  • fwlogwatch?