Differences

This shows you the differences between two versions of the page.

--- howtos:syslog-ng_on_ubuntu [25/08/2017 14:10] – created domingo
+++ howtos:syslog-ng_on_ubuntu [02/12/2018 21:34] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
+===== Install syslog-ng =====
+Changing from syslog to the more flexible syslog-ng isn't that hard.
+Basically just select the package: apt-get install syslog-ng (this will automatically requirer uninstallation of syslog, klogd, ubuntu-minimal).
+===== Modifications to syslog-ng.conf =====
+The default syslog-ng.conf needs some changes to make syslog-ng behave as I want it to do. More specific I would like to have mail and iptables logs out of the syslog file and written into there own set of files. Those two daemons messes up the syslog file serverly, almost makes it unreadable.
+I've added three lines to create a dedicated firewall log: a "destination", a "filter" and a "log". To clean mail and iptables noise from the syslog I've changed the "syslog filter" from:
+<code>
+filter f_syslog { not facility(auth, authpriv); };
+</code>
+to
+<code>
+filter f_syslog { not facility(auth, authpriv, mail) and not filter(f_iptables); };
+</code>
+As mail by default has the mail.* files set there is no need to make any further changes to the syslog-ng.conf.
+===== /etc/syslog-ng/syslog-ng.conf =====
+<file>
+#
+# Configuration file for syslog-ng under Debian
+#
+# attempts at reproducing default syslog behavior
+# the standard syslog levels are (in descending order of priority):
+# emerg alert crit err warning notice info debug
+# the aliases "error", "panic", and "warn" are deprecated
+# the "none" priority found in the original syslogd configuration is
+# only used in internal messages created by syslogd
+######
+# options
+options {
+        # disable the chained hostname format in logs
+        # (default is enabled)
+        chain_hostnames(0);
+        # the time to wait before a died connection is re-established
+        # (default is 60)
+        time_reopen(10);
+        # the time to wait before an idle destination file is closed
+        # (default is 60)
+        time_reap(360);
+        # the number of lines buffered before written to file
+        # you might want to increase this if your disk isn't catching with
+        # all the log messages you get or if you want less disk activity
+        # (say on a laptop)
+        # (default is 0)
+        #sync(0);
+        # the number of lines fitting in the output queue
+        log_fifo_size(2048);
+        # enable or disable directory creation for destination files
+        create_dirs(yes);
+        # default owner, group, and permissions for log files
+        # (defaults are 0, 0, 0600)
+        #owner(root);
+        group(adm);
+        perm(0640);
+        # default owner, group, and permissions for created directories
+        # (defaults are 0, 0, 0700)
+        #dir_owner(root);
+        #dir_group(root);
+        dir_perm(0755);
+        # enable or disable DNS usage
+        # syslog-ng blocks on DNS queries, so enabling DNS may lead to
+        # a Denial of Service attack
+        # (default is yes)
+        use_dns(no);
+        # maximum length of message in bytes
+        # this is only limited by the program listening on the /dev/log Unix
+        # socket, glibc can handle arbitrary length log messages, but -- for
+        # example -- syslogd accepts only 1024 bytes
+        # (default is 2048)
+        #log_msg_size(2048);
+	#Disable statistic log messages.
+	stats_freq(0);
+	# Some program send log messages through a private implementation.
+	# and sometimes that implementation is bad. If this happen syslog-ng
+	# may recognise the program name as hostname. Whit this option
+	# we tell the syslog-ng that if a hostname match this regexp than that
+	# is not a real hostname.
+	bad_hostname("^gconfd$");
+};
+######
+# sources
+# all known message sources
+source s_all {
+        # message generated by Syslog-NG
+        internal();
+        # standard Linux log source (this is the default place for the syslog()
+        # function to send logs to)
+        unix-stream("/dev/log");
+        # messages from the kernel
+        file("/proc/kmsg" log_prefix("kernel: "));
+        # use the following line if you want to receive remote UDP logging messages
+        # (this is equivalent to the "-r" syslogd flag)
+        # udp();
+};
+######
+# destinations
+# some standard log files
+destination df_auth { file("/var/log/auth.log"); };
+destination df_syslog { file("/var/log/syslog"); };
+destination df_cron { file("/var/log/cron.log"); };
+destination df_daemon { file("/var/log/daemon.log"); };
+destination df_kern { file("/var/log/kern.log"); };
+destination df_lpr { file("/var/log/lpr.log"); };
+destination df_mail { file("/var/log/mail.log"); };
+destination df_user { file("/var/log/user.log"); };
+destination df_uucp { file("/var/log/uucp.log"); };
+# these files are meant for the mail system log files
+# and provide re-usable destinations for {mail,cron,...}.info,
+# {mail,cron,...}.notice, etc.
+destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
+destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
+destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
+destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
+destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };
+# these files are meant for the news system, and are kept separated
+# because they should be owned by "news" instead of "root"
+destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
+destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
+destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };
+# some more classical and useful files found in standard syslog configurations
+destination df_debug { file("/var/log/debug"); };
+destination df_messages { file("/var/log/messages"); };
+# pipes
+# a console to view log messages under X
+destination dp_xconsole { pipe("/dev/xconsole"); };
+# consoles
+# this will send messages to everyone logged in
+destination du_all { usertty("*"); };
+# iptables logfile
+destination firewall { file("/var/log/firewall"); };
+######
+# filters
+# all messages from iptables
+filter f_iptables   { facility(kern) and match("IN=") and match ("OUT="); };
+# all messages from the auth and authpriv facilities
+filter f_auth { facility(auth, authpriv); };
+# all messages except from the auth and authpriv facilities
+filter f_syslog { not facility(auth, authpriv, mail) and not filter(f_iptables); };
+# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
+# and uucp facilities
+filter f_cron { facility(cron); };
+filter f_daemon { facility(daemon); };
+filter f_kern { facility(kern); };
+filter f_lpr { facility(lpr); };
+filter f_mail { facility(mail); };
+filter f_news { facility(news); };
+filter f_user { facility(user); };
+filter f_uucp { facility(uucp); };
+# some filters to select messages of priority greater or equal to info, warn,
+# and err
+# (equivalents of syslogd's *.info, *.warn, and *.err)
+filter f_at_least_info { level(info..emerg); };
+filter f_at_least_notice { level(notice..emerg); };
+filter f_at_least_warn { level(warn..emerg); };
+filter f_at_least_err { level(err..emerg); };
+filter f_at_least_crit { level(crit..emerg); };
+# all messages of priority debug not coming from the auth, authpriv, news, and
+# mail facilities
+filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
+# all messages of info, notice, or warn priority not coming form the auth,
+# authpriv, cron, daemon, mail, and news facilities
+filter f_messages {
+        level(info,notice,warn)
+            and not facility(auth,authpriv,cron,daemon,mail,news);
+};
+# messages with priority emerg
+filter f_emerg { level(emerg); };
+# complex filter for messages usually sent to the xconsole
+filter f_xconsole {
+    facility(daemon,mail)
+        or level(debug,info,notice,warn)
+        or (facility(news)
+                and level(crit,err,notice));
+};
+######
+# logs
+# order matters if you use "flags(final);" to mark the end of processing in a
+# "log" statement
+# these rules provide the same behavior as the commented original syslogd rules
+# auth,authpriv.*                 /var/log/auth.log
+log {
+        source(s_all);
+        filter(f_auth);
+        destination(df_auth);
+};
+# *.*;auth,authpriv.none          -/var/log/syslog
+log {
+        source(s_all);
+        filter(f_syslog);
+        destination(df_syslog);
+};
+# this is commented out in the default syslog.conf
+# cron.*                         /var/log/cron.log
+#log {
+#        source(s_all);
+#        filter(f_cron);
+#        destination(df_cron);
+#};
+# daemon.*                        -/var/log/daemon.log
+log {
+        source(s_all);
+        filter(f_daemon);
+        destination(df_daemon);
+};
+# kern.*                          -/var/log/kern.log
+log {
+        source(s_all);
+        filter(f_kern);
+        destination(df_kern);
+};
+# lpr.*                           -/var/log/lpr.log
+log {
+        source(s_all);
+        filter(f_lpr);
+        destination(df_lpr);
+};
+# mail.*                          -/var/log/mail.log
+log {
+        source(s_all);
+        filter(f_mail);
+        destination(df_mail);
+};
+# user.*                          -/var/log/user.log
+log {
+        source(s_all);
+        filter(f_user);
+        destination(df_user);
+};
+# uucp.*                          /var/log/uucp.log
+log {
+        source(s_all);
+        filter(f_uucp);
+        destination(df_uucp);
+};
+# mail.info                       -/var/log/mail.info
+log {
+        source(s_all);
+        filter(f_mail);
+        filter(f_at_least_info);
+        destination(df_facility_dot_info);
+};
+# mail.warn                       -/var/log/mail.warn
+log {
+        source(s_all);
+        filter(f_mail);
+        filter(f_at_least_warn);
+        destination(df_facility_dot_warn);
+};
+# mail.err                        /var/log/mail.err
+log {
+        source(s_all);
+        filter(f_mail);
+        filter(f_at_least_err);
+        destination(df_facility_dot_err);
+};
+# news.crit                       /var/log/news/news.crit
+log {
+        source(s_all);
+        filter(f_news);
+        filter(f_at_least_crit);
+        destination(df_news_dot_crit);
+};
+# news.err                        /var/log/news/news.err
+log {
+        source(s_all);
+        filter(f_news);
+        filter(f_at_least_err);
+        destination(df_news_dot_err);
+};
+# news.notice                     /var/log/news/news.notice
+log {
+        source(s_all);
+        filter(f_news);
+        filter(f_at_least_notice);
+        destination(df_news_dot_notice);
+};
+# *.=debug;\
+#         auth,authpriv.none;\
+#         news.none;mail.none     -/var/log/debug
+log {
+        source(s_all);
+        filter(f_debug);
+        destination(df_debug);
+};
+# *.=info;*.=notice;*.=warn;\
+#         auth,authpriv.none;\
+#         cron,daemon.none;\
+#         mail,news.none          -/var/log/messages
+log {
+        source(s_all);
+        filter(f_messages);
+        destination(df_messages);
+};
+# *.emerg                         *
+log {
+        source(s_all);
+        filter(f_emerg);
+        destination(du_all);
+};
+# daemon.*;mail.*;\
+#         news.crit;news.err;news.notice;\
+#         *.=debug;*.=info;\
+#         *.=notice;*.=warn       |/dev/xconsole
+log {
+        source(s_all);
+        filter(f_xconsole);
+        destination(dp_xconsole);
+};
+#
+# Firewall (iptables) messages in one file:
+#
+log {
+	source(s_all);
+	filter(f_iptables);
+	destination(firewall);
+};
+</file>
+===== syslog-ng.conf with dhcpd and dhclient files =====
+This version extend the above one by excluding dhcpd and dhclient logs from syslog and output them into two seperat files.
+<file>
+#
+# Configuration file for syslog-ng under Debian
+#
+# attempts at reproducing default syslog behavior
+# the standard syslog levels are (in descending order of priority):
+# emerg alert crit err warning notice info debug
+# the aliases "error", "panic", and "warn" are deprecated
+# the "none" priority found in the original syslogd configuration is
+# only used in internal messages created by syslogd
+######
+# options
+options {
+        # disable the chained hostname format in logs
+        # (default is enabled)
+        chain_hostnames(0);
+        # the time to wait before a died connection is re-established
+        # (default is 60)
+        time_reopen(10);
+        # the time to wait before an idle destination file is closed
+        # (default is 60)
+        time_reap(360);
+        # the number of lines buffered before written to file
+        # you might want to increase this if your disk isn't catching with
+        # all the log messages you get or if you want less disk activity
+        # (say on a laptop)
+        # (default is 0)
+        #sync(0);
+        # the number of lines fitting in the output queue
+        log_fifo_size(2048);
+        # enable or disable directory creation for destination files
+        create_dirs(yes);
+        # default owner, group, and permissions for log files
+        # (defaults are 0, 0, 0600)
+        #owner(root);
+        group(adm);
+        perm(0640);
+        # default owner, group, and permissions for created directories
+        # (defaults are 0, 0, 0700)
+        #dir_owner(root);
+        #dir_group(root);
+        dir_perm(0755);
+        # enable or disable DNS usage
+        # syslog-ng blocks on DNS queries, so enabling DNS may lead to
+        # a Denial of Service attack
+        # (default is yes)
+        use_dns(no);
+        # maximum length of message in bytes
+        # this is only limited by the program listening on the /dev/log Unix
+        # socket, glibc can handle arbitrary length log messages, but -- for
+        # example -- syslogd accepts only 1024 bytes
+        # (default is 2048)
+        #log_msg_size(2048);
+	#Disable statistic log messages.
+	stats_freq(0);
+	# Some program send log messages through a private implementation.
+	# and sometimes that implementation is bad. If this happen syslog-ng
+	# may recognise the program name as hostname. Whit this option
+	# we tell the syslog-ng that if a hostname match this regexp than that
+	# is not a real hostname.
+	bad_hostname("^gconfd$");
+};
+######
+# sources
+# all known message sources
+source s_all {
+        # message generated by Syslog-NG
+        internal();
+        # standard Linux log source (this is the default place for the syslog()
+        # function to send logs to)
+        unix-stream("/dev/log");
+        # messages from the kernel
+        file("/proc/kmsg" log_prefix("kernel: "));
+        # use the following line if you want to receive remote UDP logging messages
+        # (this is equivalent to the "-r" syslogd flag)
+        # udp();
+};
+######
+# destinations
+# some standard log files
+destination df_auth { file("/var/log/auth.log"); };
+destination df_syslog { file("/var/log/syslog"); };
+destination df_cron { file("/var/log/cron.log"); };
+destination df_daemon { file("/var/log/daemon.log"); };
+destination df_kern { file("/var/log/kern.log"); };
+destination df_lpr { file("/var/log/lpr.log"); };
+destination df_mail { file("/var/log/mail.log"); };
+destination df_user { file("/var/log/user.log"); };
+destination df_uucp { file("/var/log/uucp.log"); };
+# these files are meant for the mail system log files
+# and provide re-usable destinations for {mail,cron,...}.info,
+# {mail,cron,...}.notice, etc.
+destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
+destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
+destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
+destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
+destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };
+# these files are meant for the news system, and are kept separated
+# because they should be owned by "news" instead of "root"
+destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
+destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
+destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };
+# some more classical and useful files found in standard syslog configurations
+destination df_debug { file("/var/log/debug"); };
+destination df_messages { file("/var/log/messages"); };
+# pipes
+# a console to view log messages under X
+destination dp_xconsole { pipe("/dev/xconsole"); };
+# consoles
+# this will send messages to everyone logged in
+destination du_all { usertty("*"); };
+# iptables
+destination firewall { file("/var/log/firewall"); };
+# dhcpd
+destination dhcpd { file("/var/log/dhcpd"); };
+# dhclient
+destination dhclient { file("/var/log/dhclient"); };
+######
+# filters
+# iptables logs
+filter f_iptables { facility(kern) and match("IN=") and match ("OUT="); };
+# dhcpd logs
+filter f_dhcpd  { match("dhcpd:"); };
+# dhclient logs
+filter f_dhclient  { match("dhclient:"); };
+# all messages from the auth and authpriv facilities
+filter f_auth { facility(auth, authpriv); };
+# all messages except from the auth and authpriv facilities
+filter f_syslog { not facility(auth, authpriv, mail) and not filter(f_iptables) and not filter(f_dhclient) and not filter(f_dhcpd); };
+# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
+# and uucp facilities
+filter f_cron { facility(cron); };
+filter f_daemon { facility(daemon); };
+filter f_kern { facility(kern); };
+filter f_lpr { facility(lpr); };
+filter f_mail { facility(mail); };
+filter f_news { facility(news); };
+filter f_user { facility(user); };
+filter f_uucp { facility(uucp); };
+# some filters to select messages of priority greater or equal to info, warn,
+# and err
+# (equivalents of syslogd's *.info, *.warn, and *.err)
+filter f_at_least_info { level(info..emerg); };
+filter f_at_least_notice { level(notice..emerg); };
+filter f_at_least_warn { level(warn..emerg); };
+filter f_at_least_err { level(err..emerg); };
+filter f_at_least_crit { level(crit..emerg); };
+# all messages of priority debug not coming from the auth, authpriv, news, and
+# mail facilities
+filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
+# all messages of info, notice, or warn priority not coming form the auth,
+# authpriv, cron, daemon, mail, and news facilities
+filter f_messages {
+        level(info,notice,warn)
+            and not facility(auth,authpriv,cron,daemon,mail,news);
+};
+# messages with priority emerg
+filter f_emerg { level(emerg); };
+# complex filter for messages usually sent to the xconsole
+filter f_xconsole {
+    facility(daemon,mail)
+        or level(debug,info,notice,warn)
+        or (facility(news)
+                and level(crit,err,notice));
+};
+######
+# logs
+# order matters if you use "flags(final);" to mark the end of processing in a
+# "log" statement
+# these rules provide the same behavior as the commented original syslogd rules
+# auth,authpriv.*                 /var/log/auth.log
+log {
+        source(s_all);
+        filter(f_auth);
+        destination(df_auth);
+};
+# *.*;auth,authpriv.none          -/var/log/syslog
+log {
+        source(s_all);
+        filter(f_syslog);
+        destination(df_syslog);
+};
+# this is commented out in the default syslog.conf
+# cron.*                         /var/log/cron.log
+#log {
+#        source(s_all);
+#        filter(f_cron);
+#        destination(df_cron);
+#};
+# daemon.*                        -/var/log/daemon.log
+log {
+        source(s_all);
+        filter(f_daemon);
+        destination(df_daemon);
+};
+# kern.*                          -/var/log/kern.log
+log {
+        source(s_all);
+        filter(f_kern);
+        destination(df_kern);
+};
+# lpr.*                           -/var/log/lpr.log
+log {
+        source(s_all);
+        filter(f_lpr);
+        destination(df_lpr);
+};
+# mail.*                          -/var/log/mail.log
+log {
+        source(s_all);
+        filter(f_mail);
+        destination(df_mail);
+};
+# user.*                          -/var/log/user.log
+log {
+        source(s_all);
+        filter(f_user);
+        destination(df_user);
+};
+# uucp.*                          /var/log/uucp.log
+log {
+        source(s_all);
+        filter(f_uucp);
+        destination(df_uucp);
+};
+# mail.info                       -/var/log/mail.info
+log {
+        source(s_all);
+        filter(f_mail);
+        filter(f_at_least_info);
+        destination(df_facility_dot_info);
+};
+# mail.warn                       -/var/log/mail.warn
+log {
+        source(s_all);
+        filter(f_mail);
+        filter(f_at_least_warn);
+        destination(df_facility_dot_warn);
+};
+# mail.err                        /var/log/mail.err
+log {
+        source(s_all);
+        filter(f_mail);
+        filter(f_at_least_err);
+        destination(df_facility_dot_err);
+};
+# news.crit                       /var/log/news/news.crit
+log {
+        source(s_all);
+        filter(f_news);
+        filter(f_at_least_crit);
+        destination(df_news_dot_crit);
+};
+# news.err                        /var/log/news/news.err
+log {
+        source(s_all);
+        filter(f_news);
+        filter(f_at_least_err);
+        destination(df_news_dot_err);
+};
+# news.notice                     /var/log/news/news.notice
+log {
+        source(s_all);
+        filter(f_news);
+        filter(f_at_least_notice);
+        destination(df_news_dot_notice);
+};
+# *.=debug;\
+#         auth,authpriv.none;\
+#         news.none;mail.none     -/var/log/debug
+log {
+        source(s_all);
+        filter(f_debug);
+        destination(df_debug);
+};
+# *.=info;*.=notice;*.=warn;\
+#         auth,authpriv.none;\
+#         cron,daemon.none;\
+#         mail,news.none          -/var/log/messages
+log {
+        source(s_all);
+        filter(f_messages);
+        destination(df_messages);
+};
+# *.emerg                         *
+log {
+        source(s_all);
+        filter(f_emerg);
+        destination(du_all);
+};
+# daemon.*;mail.*;\
+#         news.crit;news.err;news.notice;\
+#         *.=debug;*.=info;\
+#         *.=notice;*.=warn       |/dev/xconsole
+log {
+        source(s_all);
+        filter(f_xconsole);
+        destination(dp_xconsole);
+};
+#
+# Firewall (iptables) messages in one file:
+#
+log {
+	source(s_all);
+	filter(f_iptables);
+	destination(firewall);
+};
+#
+# DHCPD logs:
+#
+log {
+        source(s_all);
+        filter(f_dhcpd);
+        destination(dhcpd);
+};
+#
+# DHCP client logs:
+#
+log {
+        source(s_all);
+        filter(f_dhclient);
+        destination(dhclient);
+};
+</file>