Difference between revisions of "Syslog"

From YobiWiki
Jump to navigation Jump to search
Line 3: Line 3:
 
apt-get install syslog-ng
  
apt-get install syslog-ng
   
/etc/syslog-ng/syslog-ng.conf:
 +
Example of /etc/syslog-ng/syslog-ng.conf:
   
source net {
  
udp(ip(192.168.2.1));
  
};
  
filter f_sw1 {
 
host(192.168.2.2) and level(info,notice,warn,crit,err);
  
};
  
destination d_net_devices {
  
file("/var/log/$HOST.log" owner("root") group("adm") perm(0640));
  
};
  
log {
 
source(net);
  
filter(f_sw1);
  
destination(d_net_devices);
  
};
  
 
Comment kernel source out as we are in a vserver:
  
Comment kernel source out as we are in a vserver:
 
source s_all {
  
source s_all {
 
#file("/proc/kmsg" log_prefix("kernel: "));
  
#file("/proc/kmsg" log_prefix("kernel: "));
  +
  +
Enable logging per remote host
 
source net { udp(ip(192.168.x.xxx)); };
  +
destination df_zeus { file("/var/log/remote-zeus.log" owner("root") group("adm") perm(0640)); };
  +
destination df_public { file("/var/log/remote-public.log" owner("root") group("adm") perm(0640)); };
  +
destination df_private { file("/var/log/remote-private.log" owner("root") group("adm") perm(0640)); };
  +
destination df_ns0 { file("/var/log/remote-ns0.log" owner("root") group("adm") perm(0640)); };
  +
destination df_sql { file("/var/log/remote-sql.log" owner("root") group("adm") perm(0640)); };
 
destination df_others { file("/var/log/remote-$HOST.log" owner("root") group("adm") perm(0640)); };
  +
filter f_zeus { host(192.168.x.xxx) };
  +
filter f_public { host(192.168.x.xxx) };
  +
filter f_private { host(192.168.x.xxx) };
  +
filter f_ns0 { host(192.168.x.xxx) };
  +
filter f_sql { host(192.168.x.xxx) };
  +
filter f_others { not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) };
 
log {
 
source(net);
 
filter(f_zeus);
 
destination(df_zeus);
 
};
  +
log {
 
...
 
Manual
  
Manual
 
* http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.txt
  
* http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.txt

Revision as of 02:33, 4 December 2006

Syslog-ng install

apt-get install syslog-ng

Example of /etc/syslog-ng/syslog-ng.conf:

Comment kernel source out as we are in a vserver: 

   source s_all {
       #file("/proc/kmsg" log_prefix("kernel: "));

Enable logging per remote host 

   source net { udp(ip(192.168.x.xxx)); };
   destination df_zeus    {   file("/var/log/remote-zeus.log"    owner("root") group("adm") perm(0640)); };
   destination df_public  {   file("/var/log/remote-public.log"  owner("root") group("adm") perm(0640)); };
   destination df_private {   file("/var/log/remote-private.log" owner("root") group("adm") perm(0640)); };
   destination df_ns0     {   file("/var/log/remote-ns0.log"     owner("root") group("adm") perm(0640)); };
   destination df_sql     {   file("/var/log/remote-sql.log"     owner("root") group("adm") perm(0640)); };
   destination df_others  {   file("/var/log/remote-$HOST.log"   owner("root") group("adm") perm(0640)); };
   filter f_zeus    { host(192.168.x.xxx) };
   filter f_public  { host(192.168.x.xxx) };
   filter f_private { host(192.168.x.xxx) };
   filter f_ns0     { host(192.168.x.xxx) };
   filter f_sql     { host(192.168.x.xxx) };
   filter f_others  { not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) };
   log { 
       source(net);
       filter(f_zeus);
       destination(df_zeus);
   };
   log {
       ...

Manual

Resources & Credits


   source net {
       udp(ip(192.168.2.1));
       };
   filter f_sw1 { 
       host(192.168.2.2) and level(info,notice,warn,crit,err);
       };
   destination d_net_devices {
       file("/var/log/$HOST.log" owner("root") group("adm") perm(0640));
       };
   log { 
       source(net);
       filter(f_sw1);
       destination(d_net_devices);
       };

Resources & Credits


fwlogwatch 

-A INPUT -s 192.168.2.2 -p udp --dport 514 -m state --state NEW -j ACCEPT

Logcheck

apt-get install logcheck logcheck-database

In /etc/logcheck/logcheck.conf: 

REPORTLEVEL="paranoid"

Filtering

I have many such messages in the vserver: 

pam_limits[863]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0

Not sure why, probably because vserver max limits are reduced.
To get rid of it, comment the line in /etc/pam.d/cron: 

#session    required     pam_limits.so

For common imapd timeouts: 

/etc/logcheck/ignore.d.paranoid/local-imapd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT, user=[a-z]+, ip=\[[:.0-9a-f]+\], headers=0, body=0, rcvd=[0-9]+, sent=[0-9]+, time=[0-9]+, starttls=1$
Retrieved from "https://wiki.yobi.be/index.php?title=Syslog&oldid=1569"