LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Closed Thread
 
Search this Thread
Old 12-25-2007, 07:50 AM   #1
sakthi.s
Member
 
Registered: Nov 2006
Posts: 42

Rep: Reputation: 15
Central Log Server using syslog-ng


Dear All

As per our company policy , we need to have centralised logging server, we have choosen syslog-ng. Configured everything, but the logs are not capturing in syslog-ng from other hosts like win2k3 server , linux clients, cisco routers etc.

But the local logs are getting captured, I am clueless. Enclosed syslog-ng.conf file,

* Already disabled the default syslog service.
* syslog-ng service is running

Pls. help me.

Regards
Sakthi

#
# Syslog-ng example configuration for for Debian GNU/Linux
#
# Copyright (c) 1999 anonymous
# Copyright (c) 1999 Balazs Scheidler
# $Id: syslog-ng.conf.sample,v 1.3 2003/05/20 08:57:27 asd Exp $
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.
#

options {
long_hostnames(off);
sync(0);
time_reopen(10);
log_fifo_size(1000);
use_dns(no);
use_fqdn(no);
create_dirs(no)
keep_hostnames(yes);
stats(3600);
};

source src { unix-stream("/dev/log"); internal(); };
source net { udp(); };

destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };
destination ppp { file("/var/log/ppp.log"); };
destination mail { file("/var/log/mail.log"); };

destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };

destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };

destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
#destination loghost { udp("loghost" port(999)); };
destination xconsole { pipe("/dev/xconsole"); };

destination remote_logs {
file ("/var/log/syslog-ng/$FULLHOST/$YEAR/$MONTH/$DAY/$FULLHOST-$YEAR-$MONTH-$DAY.log"
owner(root) group(root) perm(0777) dir_perm(0777) create_dirs(yes)
template("$DATE $FULLHOST $PROGRAM $STAG [$FACILITY.$LEVEL] $MESSAGE\n"));
};

filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(cron); };
filter f_ppp { facility(local2); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };

filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); filter(f_ppp); destination(ppp); };
log { source(src); destination(console_all); };

log { source (src); destination (remote_logs);};
log { source (net); destination (remote_logs};};
 
Old 12-26-2007, 08:44 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
what do your log files say?
do you see network traffic hitting the box?
does the user have permissions to create directories and flies on the fly?
is SELinux moaning about something, if you're using it?
 
Old 12-26-2007, 09:28 AM   #3
rshaw
Senior Member
 
Registered: Apr 2001
Location: Perry, Iowa
Distribution: Mepis , Debian
Posts: 2,692

Rep: Reputation: 45
his dup. thread is getting more action , this one could be closed.

other is here:

http://www.linuxquestions.org/questi...log-ng-609024/
 
Old 12-26-2007, 06:04 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. This thread is being closed because it is a duplicate.
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
central server log / databased . . syslog-ng maybe? sir-lancealot Linux - Server 2 08-28-2007 12:55 PM
Syslog-ng central logserver is dropping logs humbletech99 Linux - Networking 2 06-22-2006 04:09 AM
central syslog binary_0011 Linux - Newbie 1 06-13-2006 05:05 AM
Syslog server can't open log files >500mb mikeyt_333 Linux - General 2 01-11-2005 12:32 PM
Configure SLES9 Server as a central log host gcw123 Linux - Software 4 12-29-2004 07:31 AM


All times are GMT -5. The time now is 03:32 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration