
Log Server using Syslog-NG

Server - RHEL 5
Stop Syslog and turn it off through Run Levels

# service syslog stop
# chkconfig syslog off

Download and build eventlog, libol and syslog-ng from source
# cd /usr/local/src
# wget http://www.balabit.com/downloads/files/eventlog/0.2/eventlog-0.2.5.tar.gz

# tar xzf eventlog-0.2.5.tar.gz
# cd eventlog-0.2.5
# ./configure --prefix=/usr/local/eventlog
# make
# make install

# cd /usr/local/src
# wget http://www.balabit.com/downloads/files/libol/0.3/libol-0.3.18.tar.gz
# tar xzf libol-0.3.18.tar.gz
# cd libol-0.3.18
# ./configure --prefix=/usr/local/libol
# make
# make install

# cd /usr/local/src
# wget http://www.balabit.com/downloads/files/syslog-ng/sources/2.0/src/syslog-ng-2.0.6.tar.gz
# tar xzf syslog-ng-2.0.6.tar.gz
# cd syslog-ng-2.0.6

# export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig
# ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol/
# make
# make install

# cd /usr/local/syslog-ng
# mkdir etc
# cd etc
# vi syslog-ng.conf

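### Refer http://www.campin.net/syslog-ng.conf
#
# Central log server (syslog-ng 2.0): collects syslog from the local host and
# from clients on UDP/514 and TCP/5140, writes per-facility files under
# /var/log/syslog-ng/ and a per-host, per-day copy under HOSTBASED/.
options {
  # $HOST is taken from the message exactly as the client sent it and is used
  # below to build filesystem paths, so a client decides which HOSTBASED/
  # directory its messages land in. check_hostname() rejects hostnames that
  # contain characters outside the syslog hostname alphabet before they can
  # reach a path.
  keep_hostname(yes);
  check_hostname(yes);
  long_hostnames(off);
  sync(1);               # flush after every message: safe, but slow under load
  log_fifo_size(1024);
};

source src {
  pipe("/proc/kmsg");
  unix-stream("/dev/log");
  internal();
  # Both listeners bind to every interface. Restrict them to the collector's
  # address with ip("<listen-address>") and firewall them to the log clients;
  # UDP syslog carries no sender authentication at all.
  udp();
  tcp(port(5140) keep-alive(yes));
};

destination authlog { file("/var/log/syslog-ng/auth.log"); };
destination syslog { file("/var/log/syslog-ng/syslog"); };
destination cron { file("/var/log/syslog-ng/cron.log"); };
destination daemon { file("/var/log/syslog-ng/daemon.log"); };
destination kern { file("/var/log/syslog-ng/kern.log"); };
destination lpr { file("/var/log/syslog-ng/lpr.log"); };
destination user { file("/var/log/syslog-ng/user.log"); };
destination uucp { file("/var/log/syslog-ng/uucp.log"); };

destination mail { file("/var/log/syslog-ng/mail.log"); };
destination maillog { file("/var/log/syslog-ng/maillog"); };
destination mailinfo { file("/var/log/syslog-ng/mail.info"); };
destination mailwarn { file("/var/log/syslog-ng/mail.warn"); };
destination mailerr { file("/var/log/syslog-ng/mail.err"); };

destination debug { file("/var/log/syslog-ng/debug"); };
destination messages { file("/var/log/syslog-ng/messages"); };

destination console { usertty("root"); };

destination console_all { file("/dev/tty8"); };

# Kept from the reference file; not used by any log path below.
filter f_attack_alert {
  match("attackalert");
};

# Kept from the reference file; not used by any log path below.
filter f_ssh_login_attempt {
  program("sshd.*")
  and match("(Failed|Accepted)")
  and not match("Accepted (hostbased|publickey) for (root|zoneaxfr) from (10.4.3.1)");
};

filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
# Was facility(cron), which copied cron traffic into uucp.log and left uucp
# messages out of it.
filter f_uucp { facility(uucp); };

filter f_news { facility(news); };

filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn)
  and not facility(auth, authpriv, cron, daemon, mail, news); };
filter f_emergency { level(emerg); };

# Each level filter is defined exactly once; the pasted copy of f_notice,
# f_warn, f_crit, f_err, f_cnews and f_cother has been dropped.
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_daemon); destination(messages); };
log { source(src); filter(f_kern); destination(messages); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_user); destination(messages); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); destination(maillog); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };

destination HOSTBASED {
  # Braces delimit each macro name: '_' is a legal macro-name character, so
  # "$FACILITY_$HOST_..." is likely parsed as the (nonexistent) macros
  # FACILITY_, HOST_, ... rather than FACILITY followed by a literal '_'.
  file("/var/log/syslog-ng/HOSTBASED/${HOST}/${YEAR}/${MONTH}/${DAY}/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}"
    owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
  );
};

# Unfiltered per-host copy of everything the server receives.
log {
  source(src);
  destination(HOSTBASED);
};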


# mkdir /var/log/syslog-ng

Start the syslog-ng daemon
# /usr/local/syslog-ng/sbin/syslog-ng

Client - RHEL 5

Stop Syslog and turn it off through Run Levels

# service syslog stop
# chkconfig syslog off

Download and build eventlog, libol and syslog-ng from source
# cd /usr/local/src
# wget http://www.balabit.com/downloads/files/eventlog/0.2/eventlog-0.2.5.tar.gz
# tar xzf eventlog-0.2.5.tar.gz
# cd eventlog-0.2.5
# ./configure --prefix=/usr/local/eventlog
# make
# make install

# cd /usr/local/src
# wget http://www.balabit.com/downloads/files/libol/0.3/libol-0.3.18.tar.gz
# tar xzf libol-0.3.18.tar.gz
# cd libol-0.3.18
# ./configure --prefix=/usr/local/libol
# make
# make install

# cd /usr/local/src
# wget http://www.balabit.com/downloads/files/syslog-ng/sources/2.0/src/syslog-ng-2.0.6.tar.gz
# tar xzf syslog-ng-2.0.6.tar.gz
# cd syslog-ng-2.0.6

# export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig
# ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol/
# make
# make install

# cd /usr/local/syslog-ng
# mkdir etc
# cd etc
# vi syslog-ng.conf

Reference - http://www.campin.net/syslog-ng.conf

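# Log client (syslog-ng 2.0): forwards every local message to the central
# collector at 192.168.0.111 over TCP/5140 and keeps a local per-day copy
# under /var/log/HOSTS/.
options {
  keep_hostname(yes);
  long_hostnames(off);
  sync(1);               # flush after every message: safe, but slow under load
  log_fifo_size(1024);
};

source src {
  pipe("/proc/kmsg");
  unix-stream("/dev/log");
  internal();
  # The original client configuration also listened on udp() and
  # tcp(port(5140)). A host that only forwards its own logs has no reason to
  # accept syslog from the network, so those listeners are not configured.
};

destination loghost { tcp("192.168.0.111" port(5140)); };

# Kept from the reference file; not used by any log path below.
filter f_attack_alert {
  match("attackalert");
};

# Kept from the reference file; not used by any log path below.
filter f_ssh_login_attempt {
  program("sshd.*")
  and match("(Failed|Accepted)")
  and not match("Accepted (hostbased|publickey) for (root|zoneaxfr) from (10.4.3.1)");
};

filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
# Was facility(cron); the filter is named for, and meant to select, uucp.
filter f_uucp { facility(uucp); };

filter f_news { facility(news); };

filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn)
  and not facility(auth, authpriv, cron, daemon, mail, news); };
filter f_emergency { level(emerg); };

# Each level filter is defined exactly once; the original file repeated
# f_emergency through f_cother three times.
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };

# f_authpriv, f_syslog and f_mail partition the message stream (auth/authpriv,
# everything else but mail, mail), so every message reaches loghost exactly
# once. The original log block forwarded the same message several times:
# f_syslog already covers f_daemon, f_kern, f_lpr, f_user, f_uucp and
# f_messages, f_mail covers its f_info/f_warn/f_err variants, and the whole
# block was pasted twice.
log { source(src); filter(f_authpriv); destination(loghost); };
log { source(src); filter(f_syslog); destination(loghost); };
log { source(src); filter(f_mail); destination(loghost); };

destination std {
  # Braces delimit each macro name: '_' is a legal macro-name character, so
  # "$FACILITY_$HOST_..." is likely parsed as the (nonexistent) macros
  # FACILITY_, HOST_, ... rather than FACILITY followed by a literal '_'.
  file("/var/log/HOSTS/${HOST}/${YEAR}/${MONTH}/${DAY}/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}"
    owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
  );
};

# Local unfiltered copy, kept even when loghost is unreachable.
log {
  source(src);
  destination(std);
};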


# mkdir /var/log/syslog-ng

Start the syslog-ng daemon
# /usr/local/syslog-ng/sbin/syslog-ng



Check remote UDP connectivity from Linux

Hi there, You all know how to check TCP port connectivity from a Linux or UNIX machine to a remote machine using telnet as per the example below $ telnet 127.0.0.1 25 but we can't adopt TELNET to check UDP connectivity. Linux and most of the UNIXes come with a network layer utility called nc (abbreviation for netcat) which is very useful to check UDP connectivity and to explore a lot with both TCP and UDP. An example is shown below # nc -v -u -z -w 3 172.24.16.131 123 Connection to 172.24.16.131 123 port [udp/ntp] succeeded!

The best putty package available

Bored of Black screened Task bar filling putty? Issues with porting Saved sessions from machine to machine? Do you like tabbed SSH sessions? Start using portaputty instead of normal putty and link it with puttycm . Puttycm supports sessions to be saved in its own Database files. You can use the Putty sessions you have saved already right inside putty. You can have any number of databases which allow you to arrange Remote servers in folders and convenient namings. I personally recommend creating Database with puttycm rather than using the sessions saved in putty which doesn't offer any option to create folders and saving sessions under that directory tree. You can even save username/password to get it logged automatically and there is an option to pass commands to be run soon after login. I can't recommend this since some bug was found with these options. Portaputty is a variant of putty which stores all the Configuration data in text files instead of MS Window

PING.sh

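#!/usr/bin/env bash
## Ping all machines in a Network
#
# Interactive liveness check for one /24: asks for the first three octets of
# the network (e.g. 192.168.0), then pings either .1 through .254 or a
# user-supplied inclusive range of last octets, one host at a time, and
# prints every address that answered a single ICMP echo request.
#
# Fixes over the original: the range sweep now includes the "Last IP" the
# user typed (the loop used '<' and skipped it), user input is validated
# before it is placed on ping's command line, an empty or unexpected choice
# no longer makes '[' fail, and 'echo -e' / '$(which ping)' are gone.
set -u

# One echo request, one-second reply timeout (-W as understood by iputils ping).
readonly -a PING_OPTS=(-c 1 -W 1)

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# True when $1 is a decimal number in 0..255.
#######################################
is_octet() {
  [[ $1 =~ ^[0-9]{1,3}$ ]] && (( 10#$1 <= 255 ))
}

#######################################
# True when $1 is three dotted octets, i.e. the prefix of an IPv4 /24.
# Validating here keeps arbitrary input from reaching ping's argv.
#######################################
is_subnet() {
  local part
  [[ $1 =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || return 1
  for part in ${1//./ }; do
    is_octet "$part" || return 1
  done
}

#######################################
# Ping $1.$2 through $1.$3 (inclusive), one host at a time, and print the
# addresses that reply.
# Arguments: $1 - subnet prefix, $2 - first last-octet, $3 - last last-octet
#######################################
sweep() {
  local subnet=$1 first=$2 last=$3 i
  printf '%s\n' "Pinging....."
  for (( i = 10#$first; i <= 10#$last; i++ )); do
    if ping "${PING_OPTS[@]}" "${subnet}.${i}" >/dev/null 2>&1; then
      printf '%s.%s is up\n' "$subnet" "$i"
    fi
  done
}

main() {
  local subnet choice first last
  command -v ping >/dev/null 2>&1 || die "ping not found in PATH"

  printf '%s\n' "Enter Subnet(eg:192.168.0)"
  read -r subnet || die "no input"
  is_subnet "$subnet" || die "invalid subnet: '$subnet' (expected e.g. 192.168.0)"

  printf '%s\n' "Do you want to PING the entire network or a RANGE of IPs ? Enter your choice"
  printf '%s\n' "1. Ping Entire Network" "2. Ping a RANGE"
  read -r choice || die "no input"

  case "$choice" in
    1)
      sweep "$subnet" 1 254
      ;;
    2)
      printf '%s\n' "Enter the Starting IP of Range"
      read -r first || die "no input"
      printf '%s\n' "Enter the Last IP of Range"
      read -r last || die "no input"
      if ! is_octet "$first" || ! is_octet "$last"; then
        die "range bounds must be numbers between 0 and 255"
      fi
      (( 10#$first <= 10#$last )) || die "starting IP must not exceed last IP"
      sweep "$subnet" "$first" "$last"
      ;;
    *)
      die "unknown choice: '$choice' (enter 1 or 2)"
      ;;
  esac
}

main "$@"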