[prev in list] [next in list] [prev in thread] [next in thread]
List: syslog-ng
Subject: RE: [syslog-ng] Newbie Question
From: "Donald Rush" <drush () net-blazer ! com>
Date: 2006-08-21 20:18:53
Message-ID: 2AFB2E23E9794B4BA6A0431607D6458877EC83 () ehost010-7 ! exch010 ! intermedia ! net
[Download RAW message or body]
--===============1295213462==
Content-class: urn:content-classes:message
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C6C55E.D6AA2954"
This is a multi-part message in MIME format.
I have split out the logging with the following.
destination logip {
file("/data/logs/HOSTS/$HOST_FROM/$FACILITY/$YEAR$MONTH/$FACILITY$YEAR$M
ONTH$DAY"
owner(root) group(root) perm(0600) dir_perm(0700)
create_dirs(yes) );
};
log {
source(src);
destination(logip);
};
What I can't figure out is how to keep the messages from show up in the
following.
filter f_messages { not facility(news, mail) and not
filter(f_iptables); };
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };
They look like they are coming in as local4. So would I just add local4
in the "not facility" of the f_messages filter?
________________________________
From: syslog-ng-bounces@lists.balabit.hu
[mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of William Bell
Sent: Monday, August 21, 2006 10:41 AM
To: Syslog-ng users' and developers' mailing list
Subject: RE: [syslog-ng] Newbie Question
You should probably create multiple sources. Like:
source remote { udp(ip("0.0.0.0") port(514)); };
Then send the remote files to a nice archive directive destination ala:
destination remotelogs {
file("/var/REMOTE/$HOST.log"
owner(root) group(root) perm(0755) dir_perm(0755) create_dirs(yes));
};
Finish it up with its own log directive like:
log { source(remote); destination(remotelogs); };
Adding any filters you want to the log directive above. I hope this
helps.
William L. Bell II
CWIE Security Dept.
________________________________
From: syslog-ng-bounces@lists.balabit.hu
[mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Donald Rush
Sent: Monday, August 21, 2006 10:18 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Newbie Question
All,
I am working on creating a logging host for some network hardware.
Being new to lunix and syslog-ng I am a little confused to how to keep
the remote syslog messages from showing up in the system log files. I
had to rem out the messages and and localmessages do to they are filling
to fast. Any advice would be greatly appreciated.
Don R.
rushd-linux:/home/rushd # cat /etc/syslog-ng/syslog-ng.conf
#
# /etc/syslog-ng/syslog-ng.conf
#
# Automatically generated by SuSEconfig on Thu Aug 17 16:58:59 PDT 2006.
#
# PLEASE DO NOT EDIT THIS FILE!
#
# you can modify /etc/syslog-ng/syslog-ng.conf.in instead
#
#
#
# File format description can be found in syslog-ng.conf(5)
# and /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
#
# Global options.
#
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };
#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
#
# include internal syslog-ng messages
# note: the internal() soure is required!
#
internal();
#
# the following line will be replaced by the
# socket list generated by SuSEconfig using
# variables from /etc/sysconfig/syslog:
#
unix-dgram("/dev/log");
#
# uncomment to process log messages from network:
#
udp(ip("0.0.0.0") port(514));
};
#
# Filter definitions
#
filter f_iptables { facility(kern) and match("IN=") and match("OUT=");
};
filter f_console { level(warn) and facility(kern) and not
filter(f_iptables)
or level(err) and not facility(authpriv); };
filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit { level(crit) and facility(news); };
filter f_newserr { level(err) and facility(news); };
filter f_news { facility(news); };
filter f_mailinfo { level(info) and facility(mail); };
filter f_mailwarn { level(warn) and facility(mail); };
filter f_mailerr { level(err, crit) and facility(mail); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_local { facility(local0, local1, local2, local3,
local4, local5, local6, local7); };
filter f_acpid { match('^\[acpid\]:'); };
filter f_netmgm { match('^NetworkManager:'); };
filter f_messages { not facility(news, mail) and not
filter(f_iptables); };
filter f_warn { level(warn, err, crit) and not filter(f_iptables);
};
filter f_alert { level(alert); };
#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console { file("/dev/tty10" group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };
destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };
# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };
#
# News-messages in separate files:
#
destination newscrit { file("/var/log/news/news.crit"
owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };
destination newserr { file("/var/log/news/news.err"
owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };
destination newsnotice { file("/var/log/news/news.notice"
owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };
#
# and optionally also all in one file:
# (don't forget to provide logrotation config)
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };
#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };
destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };
destination mailerr { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };
#
# and also all in one file:
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };
#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid"); };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };
#
# NetworkManager messages in one file:
#
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final);
};
#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };
#
# Some boot scripts use/require local[1-7]:
#
##destination localmessages { file("/var/log/localmessages"); };
##log { source(src); filter(f_local); destination(localmessages); };
#
# All messages except iptables and the facilities news and mail:
#
##destination messages { file("/var/log/messages"); };
##log { source(src); filter(f_messages); destination(messages); };
#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };
#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };
#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };
destination logip {
file("/data/logs/HOSTS/$HOST_FROM/$FACILITY/$YEAR$MONTH/$FACILITY$YEAR$M
ONTH$DAY"
owner(root) group(root) perm(0600) dir_perm(0700)
create_dirs(yes) );
};
log {
source(src);
destination(logip);
};
rushd-linux:/home/rushd #
[Attachment #3 (text/html)]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2963" name=GENERATOR><!--[if !mso]>
<STYLE>v\:* {
BEHAVIOR: url(#default#VML)
}
o\:* {
BEHAVIOR: url(#default#VML)
}
w\:* {
BEHAVIOR: url(#default#VML)
}
.shape {
BEHAVIOR: url(#default#VML)
}
</STYLE>
<![endif]-->
<STYLE>@font-face {
font-family: Tahoma;
}
@page Section1 {size: 612.0pt 792.0pt; margin: 72.0pt 90.0pt 72.0pt 90.0pt; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.EmailStyle17 {
COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal-reply
}
DIV.Section1 {
page: Section1
}
</STYLE>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=EN-US vLink=purple link=blue>
<DIV dir=ltr align=left><SPAN class=869091420-21082006><FONT face=Arial
color=#0000ff size=2>I have split out the logging with the
following.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=869091420-21082006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=869091420-21082006>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">destination logip
{<BR>
file("/data/logs/HOSTS/$HOST_FROM/$FACILITY/$YEAR$MONTH/$FACILITY$YEAR$MONTH$DAY"<BR> \
owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
);<BR>};<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">log
{<BR>
source(src);<BR>
destination(logip);<BR>};<BR></SPAN></FONT></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><SPAN
class=869091420-21082006>What I can't figure out is how to keep the messages
from show up in the following.</SPAN></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><SPAN
class=869091420-21082006></SPAN></SPAN> </P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><SPAN
class=869091420-21082006><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">filter f_messages { not
facility(news, mail) and not filter(f_iptables); };</SPAN></SPAN></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><SPAN
class=869091420-21082006><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"># All
messages except iptables and the facilities news and mail:<BR>#<BR>destination
messages { file("/var/log/messages"); };<BR>log { source(src);
filter(f_messages); destination(messages); };</SPAN></SPAN></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><SPAN
class=869091420-21082006></SPAN></SPAN> </P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><SPAN
class=869091420-21082006><FONT color=#0000ff>They look like they are coming in
as local4. So would I just add local4 in the "not facility" of the
f_messages filter?</FONT></SPAN></P></SPAN></DIV></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> syslog-ng-bounces@lists.balabit.hu
[mailto:syslog-ng-bounces@lists.balabit.hu] <B>On Behalf Of </B>William
Bell<BR><B>Sent:</B> Monday, August 21, 2006 10:41 AM<BR><B>To:</B> Syslog-ng
users' and developers' mailing list<BR><B>Subject:</B> RE: [syslog-ng] Newbie
Question<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=Section1>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">You should probably
create multiple sources. Like:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial"><o:p> </o:p></SPAN></FONT></P> <P class=MsoNormal><FONT face=Arial \
color=navy size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial">source remote { </SPAN></FONT><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">udp(ip("0.0.0.0") port(514));
};<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Then send the remote files to a nice
archive directive destination ala:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">destination remotelogs
{<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">
file("/var/REMOTE/$HOST.log"<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">
owner(root) group(root) perm(0755) dir_perm(0755)
create_dirs(yes));<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial">};<o:p></o:p></SPAN></FONT></P> <P class=MsoNormal><FONT face=Arial color=navy \
size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial"><o:p> </o:p></SPAN></FONT></P> <P class=MsoNormal><FONT face=Arial \
color=navy size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial">Finish it up with its own log directive like:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial"><o:p> </o:p></SPAN></FONT></P> <P class=MsoNormal><FONT face=Arial \
size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">log { source(remote);
destination(remotelogs); };<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Adding any filters you want to the
log directive above. I hope this helps.<FONT color=navy><SPAN
style="COLOR: navy"><o:p></o:p></SPAN></FONT></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial"><o:p> </o:p></SPAN></FONT></P> <DIV>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">William L. Bell
II</SPAN></FONT><FONT color=navy><SPAN
style="COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">CWIE Security
Dept.</SPAN></FONT><FONT color=navy><SPAN
style="COLOR: navy"><o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><FONT
face="Times New Roman" size=3><SPAN style="FONT-SIZE: 12pt">
<HR tabIndex=-1 align=center width="100%" SIZE=2>
</SPAN></FONT></DIV>
<P class=MsoNormal><B><FONT face=Tahoma size=2><SPAN
style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; FONT-FAMILY: \
Tahoma">From:</SPAN></FONT></B><FONT face=Tahoma size=2><SPAN style="FONT-SIZE: \
10pt; FONT-FAMILY: Tahoma"> syslog-ng-bounces@lists.balabit.hu \
[mailto:syslog-ng-bounces@lists.balabit.hu] <B><SPAN style="FONT-WEIGHT: bold">On \
Behalf Of </SPAN></B>Donald Rush<BR><B><SPAN style="FONT-WEIGHT: \
bold">Sent:</SPAN></B> Monday, August 21, 2006 10:18 AM<BR><B><SPAN \
style="FONT-WEIGHT: bold">To:</SPAN></B> syslog-ng@lists.balabit.hu<BR><B><SPAN
style="FONT-WEIGHT: bold">Subject:</SPAN></B> [syslog-ng] Newbie
Question</SPAN></FONT><o:p></o:p></P></DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt"><o:p> </o:p></SPAN></FONT></P>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">All,</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I am working on creating a logging
host for some network hardware. Being new to lunix and syslog-ng I am a
little confused to how to keep the remote syslog messages from showing up in the
system log files. I had to rem out the messages and and localmessages do
to they are filling to fast. Any advice would be greatly
appreciated.</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Don
R.</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">rushd-linux:/home/rushd # cat
/etc/syslog-ng/syslog-ng.conf<BR>#<BR># /etc/syslog-ng/syslog-ng.conf<BR>#<BR>#
Automatically generated by SuSEconfig on Thu Aug 17 16:58:59 PDT 2006.<BR>#<BR>#
PLEASE DO NOT EDIT THIS FILE!<BR>#<BR># you can modify
/etc/syslog-ng/syslog-ng.conf.in instead<BR>#<BR>#<BR>#<BR># File format
description can be found in syslog-ng.conf(5)<BR># and
/usr/share/doc/packages/syslog-ng/syslog-ng.txt.<BR>#</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">#<BR># Global
options.<BR>#<BR>options { long_hostnames(off); sync(0); perm(0640);
stats(3600); };</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">#<BR># 'src' is our main source
definition. you can add<BR># more sources driver definitions to it, or
define<BR># your own sources, i.e.:<BR>#<BR>#source my_src { ....
};<BR>#<BR>source src {<BR>
#<BR> # include internal syslog-ng
messages<BR> # note: the internal()
soure is required!<BR>
#<BR>
internal();</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: \
Arial"> \
#<BR> # the following line will be \
replaced by the<BR> # socket list \
generated by SuSEconfig using<BR> # \
variables from
/etc/sysconfig/syslog:<BR>
#<BR>
unix-dgram("/dev/log");</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: \
Arial"> \
#<BR> # uncomment to process log messages \
from network:<BR> \
#<BR> udp(ip("0.0.0.0") \
port(514));<BR>};</SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><BR>#<BR># Filter
definitions<BR>#<BR>filter f_iptables { facility(kern) and
match("IN=") and match("OUT="); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">filter f_console {
level(warn) and facility(kern) and not
filter(f_iptables)<BR> \
or level(err) and not facility(authpriv); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">filter f_newsnotice { level(notice)
and facility(news); };<BR>filter f_newscrit {
level(crit) and facility(news); };<BR>filter
f_newserr { level(err) and facility(news);
};<BR>filter f_news { facility(news);
};<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">filter f_mailinfo {
level(info) and facility(mail); };<BR>filter
f_mailwarn { level(warn) and
facility(mail); };<BR>filter f_mailerr { level(err, crit) and
facility(mail); };<BR>filter f_mail {
facility(mail); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">filter
f_cron { facility(cron);
};<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">filter
f_local { facility(local0, local1, local2,
local3,<BR> &nb \
sp; \
local4, local5, local6, local7); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">filter
f_acpid { match('^\[acpid\]:'); };<BR>filter
f_netmgm { match('^NetworkManager:');
};<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">filter f_messages { not
facility(news, mail) and not filter(f_iptables); };<BR>filter
f_warn { level(warn, err, crit) and not
filter(f_iptables); };<BR>filter f_alert {
level(alert); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><BR>#<BR># Most warning and errors
on tty10 and on the xconsole pipe:<BR>#<BR>destination console {
file("/dev/tty10" group(tty) perm(0620)); };<BR>log {
source(src); filter(f_console); destination(console);
};<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">destination xconsole {
pipe("/dev/xconsole" group(tty) perm(0400)); };<BR>log { source(src);
filter(f_console); destination(xconsole); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"># Enable this, if you want that root
is informed immediately,<BR># e.g. of logins:<BR>#<BR>#destination root {
usertty("root"); };<BR>#log { source(src); filter(f_alert); destination(root);
};<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><BR>#<BR># News-messages in separate
files:<BR>#<BR>destination newscrit {
file("/var/log/news/news.crit"<BR> &nbs \
p; \
owner(news) group(news)); };<BR>log { source(src); filter(f_newscrit);
destination(newscrit); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">destination
newserr {
file("/var/log/news/news.err"<BR>   \
; \
owner(news) group(news)); };<BR>log { source(src); filter(f_newserr);
destination(newserr); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">destination newsnotice {
file("/var/log/news/news.notice"<BR> &n \
bsp; \
owner(news) group(news)); };<BR>log { source(src); filter(f_newsnotice);
destination(newsnotice); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">#<BR># and optionally also all in
one file:<BR># (don't forget to provide logrotation config)<BR>#<BR>#destination
news { file("/var/log/news.all"); };<BR>#log { source(src); filter(f_news);
destination(news); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><BR>#<BR># Mail-messages in separate
files:<BR>#<BR>destination mailinfo { file("/var/log/mail.info"); };<BR>log {
source(src); filter(f_mailinfo); destination(mailinfo);
};<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">destination mailwarn {
file("/var/log/mail.warn"); };<BR>log { source(src); filter(f_mailwarn);
destination(mailwarn); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">destination mailerr {
file("/var/log/mail.err" fsync(yes)); };<BR>log { source(src);
filter(f_mailerr); destination(mailerr);
};<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">#<BR># and also all in one
file:<BR>#<BR>destination mail { file("/var/log/mail"); };<BR>log { source(src);
filter(f_mail); destination(mail); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><BR>#<BR># acpid messages in one
file:<BR>#<BR>destination acpid { file("/var/log/acpid"); };<BR>log {
source(src); filter(f_acpid); destination(acpid); flags(final);
};<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">#<BR># NetworkManager messages in
one file:<BR>#<BR>destination netmgm { file("/var/log/NetworkManager");
};<BR>log { source(src); filter(f_netmgm); destination(netmgm); flags(final);
};<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><BR>#<BR># Cron-messages in one
file:<BR># (don't forget to provide logrotation config)<BR>#<BR>#destination
cron { file("/var/log/cron"); };<BR>#log { source(src); filter(f_cron);
destination(cron); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><BR>#<BR># Some boot scripts
use/require local[1-7]:<BR>#<BR>##destination localmessages {
file("/var/log/localmessages"); };<BR>##log { source(src); filter(f_local);
destination(localmessages); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><BR>#<BR># All messages except
iptables and the facilities news and mail:<BR>#<BR>##destination messages {
file("/var/log/messages"); };<BR>##log { source(src); filter(f_messages);
destination(messages); };<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><BR>#<BR># Firewall (iptables)
messages in one file:<BR>#<BR>destination firewall { file("/var/log/firewall");
};<BR>log { source(src); filter(f_iptables); destination(firewall);
};<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><BR>#<BR># Warnings (except
iptables) in one file:<BR>#<BR>destination warn { file("/var/log/warn"
fsync(yes)); };<BR>log { source(src); filter(f_warn); destination(warn);
};<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">#<BR># Enable this, if you want to
keep all messages in one file:<BR># (don't forget to provide logrotation
config)<BR>#<BR>#destination allmessages { file("/var/log/allmessages");
};<BR>#log { source(src); destination(allmessages);
};<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">destination logip
{<BR>
file("/data/logs/HOSTS/$HOST_FROM/$FACILITY/$YEAR$MONTH/$FACILITY$YEAR$MONTH$DAY"<BR> \
owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
);<BR>};<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">log
{<BR>
source(src);<BR>
destination(logip);<BR>};<BR>rushd-linux:/home/rushd
#</SPAN></FONT><o:p></o:p></P></DIV></DIV></BODY></HTML>
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
--===============1295213462==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic