Syslog: Difference between revisions
Jump to navigation
Jump to search
Content deleted Content added
mNo edit summary |
|||
| Line 38: | Line 38: | ||
On satellite hosts: add to /etc/syslog.conf |
On satellite hosts: add to /etc/syslog.conf |
||
*.* @192.168.x.xxx |
*.* @192.168.x.xxx |
||
| ⚫ | |||
* filters host(192.168.1.1) capture 192.168.1.100 also :-( |
|||
* devel on vlan4 |
|||
| ⚫ | |||
| ⚫ | |||
==Resources & Credits== |
==Resources & Credits== |
||
| Line 53: | Line 47: | ||
** http://wiki.egee-see.org/index.php/SyslogNG |
** http://wiki.egee-see.org/index.php/SyslogNG |
||
| ⚫ | |||
==Logcheck== |
==Logcheck== |
||
| Line 60: | Line 53: | ||
REPORTLEVEL="paranoid" |
REPORTLEVEL="paranoid" |
||
=== |
===Tuning logcheck filters=== |
||
I have many such messages in the vserver: |
I have many such messages in the vserver: |
||
pam_limits[863]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0 |
pam_limits[863]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0 |
||
| Line 70: | Line 63: | ||
/etc/logcheck/ignore.d.paranoid/local-imapd |
/etc/logcheck/ignore.d.paranoid/local-imapd |
||
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT, user=[a-z]+, ip=\[[:.0-9a-f]+\], headers=0, body=0, rcvd=[0-9]+, sent=[0-9]+, time=[0-9]+, starttls=1$ |
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT, user=[a-z]+, ip=\[[:.0-9a-f]+\], headers=0, body=0, rcvd=[0-9]+, sent=[0-9]+, time=[0-9]+, starttls=1$ |
||
| ⚫ | |||
* update syslog-ng notes with new filters, flag final etc |
|||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
* http://www.phpwizardry.com/php-syslog-ng.php ? |
|||
* logrotate |
|||
Revision as of 11:28, 4 December 2006
Syslog-ng install
apt-get install syslog-ng
Example of /etc/syslog-ng/syslog-ng.conf:
Comment kernel source out as we are in a vserver:
source s_all {
#file("/proc/kmsg" log_prefix("kernel: "));
I want to keep the original hostnames:
options {
keep_hostname(1);
Enable logging per remote host
source net { udp(ip(192.168.x.xxx)); };
destination df_zeus { file("/var/log/syslog-zeus.log" owner("root") group("adm") perm(0640)); };
destination df_public { file("/var/log/syslog-public.log" owner("root") group("adm") perm(0640)); };
destination df_private { file("/var/log/syslog-private.log" owner("root") group("adm") perm(0640)); };
destination df_ns0 { file("/var/log/syslog-ns0.log" owner("root") group("adm") perm(0640)); };
destination df_sql { file("/var/log/syslog-sql.log" owner("root") group("adm") perm(0640)); };
destination df_others { file("/var/log/syslog-$HOST.log" owner("root") group("adm") perm(0640)); };
filter f_zeus { host(192.168.x.xxx); };
filter f_public { host(192.168.x.xxx); };
filter f_private { host(192.168.x.xxx); };
filter f_ns0 { host(192.168.x.xxx); };
filter f_sql { host(192.168.x.xxx); };
filter f_others { not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) };
log {
source(net);
filter(f_zeus);
destination(df_zeus);
};
log {
...
Allow inbound connections from monitoring subnet
iptables -A INPUT -s xxxx -d xxxx -p udp --dport 514 -m state --state NEW -j ACCEPT
On satellite hosts: add to /etc/syslog.conf
- .* @192.168.x.xxx
Resources & Credits
Logcheck
apt-get install logcheck logcheck-database
In /etc/logcheck/logcheck.conf:
REPORTLEVEL="paranoid"
Tuning logcheck filters
I have many such messages in the vserver:
pam_limits[863]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Not sure why, probably because vserver max limits are reduced.
To get rid of it, comment the line in /etc/pam.d/cron:
#session required pam_limits.so
For common imapd timeouts:
/etc/logcheck/ignore.d.paranoid/local-imapd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT, user=[a-z]+, ip=\[[:.0-9a-f]+\], headers=0, body=0, rcvd=[0-9]+, sent=[0-9]+, time=[0-9]+, starttls=1$
TODO
- update syslog-ng notes with new filters, flag final etc
- logcheck them, ! fw of zeus
- source IP of zeus seems to be 100
- fwlogwatch?
- http://www.phpwizardry.com/php-syslog-ng.php ?
- logrotate