Difference between revisions of "Syslog"
Jump to navigation
Jump to search
Line 35: | Line 35: | ||
==Resources & Credits== |
==Resources & Credits== |
||
* http://www.linux-france.org/prj/inetdoc/articles/devmgmt/devmgmt.log.html (FR) |
* http://www.linux-france.org/prj/inetdoc/articles/devmgmt/devmgmt.log.html (FR) |
||
− | |||
− | |||
− | source net { |
||
− | udp(ip(192.168.2.1)); |
||
− | }; |
||
− | filter f_sw1 { |
||
− | host(192.168.2.2) and level(info,notice,warn,crit,err); |
||
− | }; |
||
− | destination d_net_devices { |
||
− | file("/var/log/$HOST.log" owner("root") group("adm") perm(0640)); |
||
− | }; |
||
− | log { |
||
− | source(net); |
||
− | filter(f_sw1); |
||
− | destination(d_net_devices); |
||
− | }; |
||
==Resources & Credits== |
==Resources & Credits== |
Revision as of 02:35, 4 December 2006
Syslog-ng install
apt-get install syslog-ng
Example of /etc/syslog-ng/syslog-ng.conf:
Comment kernel source out as we are in a vserver:
source s_all { #file("/proc/kmsg" log_prefix("kernel: "));
Enable logging per remote host
source net { udp(ip(192.168.x.xxx)); }; destination df_zeus { file("/var/log/remote-zeus.log" owner("root") group("adm") perm(0640)); }; destination df_public { file("/var/log/remote-public.log" owner("root") group("adm") perm(0640)); }; destination df_private { file("/var/log/remote-private.log" owner("root") group("adm") perm(0640)); }; destination df_ns0 { file("/var/log/remote-ns0.log" owner("root") group("adm") perm(0640)); }; destination df_sql { file("/var/log/remote-sql.log" owner("root") group("adm") perm(0640)); }; destination df_others { file("/var/log/remote-$HOST.log" owner("root") group("adm") perm(0640)); }; filter f_zeus { host(192.168.x.xxx); }; filter f_public { host(192.168.x.xxx); }; filter f_private { host(192.168.x.xxx); }; filter f_ns0 { host(192.168.x.xxx); }; filter f_sql { host(192.168.x.xxx); }; filter f_others { not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) }; log { source(net); filter(f_zeus); destination(df_zeus); }; log { ...
Manual
Resources & Credits
Resources & Credits
fwlogwatch
-A INPUT -s 192.168.2.2 -p udp --dport 514 -m state --state NEW -j ACCEPT
Logcheck
apt-get install logcheck logcheck-database
In /etc/logcheck/logcheck.conf:
REPORTLEVEL="paranoid"
Filtering
I have many such messages in the vserver:
pam_limits[863]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Not sure why, probably because vserver max limits are reduced.
To get rid of it, comment the line in /etc/pam.d/cron:
#session required pam_limits.so
For common imapd timeouts:
/etc/logcheck/ignore.d.paranoid/local-imapd ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT, user=[a-z]+, ip=\[[:.0-9a-f]+\], headers=0, body=0, rcvd=[0-9]+, sent=[0-9]+, time=[0-9]+, starttls=1$