LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 12-12-2006, 05:07 AM   #1
man_linux
Syslog


How do I configure the syslog daemon to store logs in different files depending on the application? I want to store Snort logs in a separate file, away from the normal system logs.

Thanks
 
Old 12-12-2006, 01:34 PM   #2
chort
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
You can specify that certain programs get logged to different locations with !program.

example:
Code:
*.err;kern.debug;auth.notice;authpriv.none;mail.crit    /dev/console
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;user.info;syslog.info                        /var/log/messages
auth.info                                               /var/log/authlog
authpriv.debug                                          /var/log/secure
cron.info                                               /var/cron/log
daemon.info                                             /var/log/daemon
ftp.info                                                /var/log/xferlog
lpr.debug                                               /var/log/lpd-errs
mail.info                                               /var/log/maillog
#uucp.info                                              /var/log/uucp

*.err                                                   root
*.notice;auth.debug                                     root
*.alert                                                 root
*.emerg                                                 *
!snort
*.*                                                    /var/log/snort
 
Old 12-12-2006, 02:34 PM   #3
unSpawn
IIRC, at compile time you can choose to tell Snort to log to syslog.
If you do you will use one of the "local.*" facility slots.
Then set that facility in syslog.
 
Old 03-06-2007, 07:23 AM   #4
lostjohnny
Distribution: Fedora Core 6
Quote:
Originally Posted by chort
You can specify that certain programs get logged to different locations with !program.

example:
Code:
*.err;kern.debug;auth.notice;authpriv.none;mail.crit    /dev/console
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;user.info;syslog.info                        /var/log/messages
auth.info                                               /var/log/authlog
authpriv.debug                                          /var/log/secure
cron.info                                               /var/cron/log
daemon.info                                             /var/log/daemon
ftp.info                                                /var/log/xferlog
lpr.debug                                               /var/log/lpd-errs
mail.info                                               /var/log/maillog
#uucp.info                                              /var/log/uucp

*.err                                                   root
*.notice;auth.debug                                     root
*.alert                                                 root
*.emerg                                                 *
!snort
*.*                                                    /var/log/snort
I tried this - customised to my requirements.

In my program I call openlog thus:
openlog("gse", LOG_NDELAY, LOG_USER);

then make calls to syslog such as:
syslog(LOG_INFO, "gse started");

I appended to the end of syslog.conf:
Code:
!gse
*.info        /var/log/gse.log
*.=debug      /var/log/gse.debug
and created the two log files with
cp /dev/null /var/log/gse.log
cp /dev/null /var/log/gse.debug

The result is as if the !gse line isn't there. All the messages from my program appear in both /var/log/messages and gse.log. And all messages from everything (it seems - I don't know if it's literally everything) appear in gse.log.

My executable is called "gse" as well as being identified as "gse" in the call to openlog.

Is there something I've missed?

TIA
Lost Johnny
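The program-block semantics chort describes, together with the `*.info` and `*.=debug` selectors lostjohnny appended, as an added example (my own illustration, not code from this thread or from any syslogd): a small Python simulator of BSD-style syslog.conf routing. It assumes BSD syslogd semantics, where `!name` restricts the rules that follow it to messages from that program and every matching rule writes its own copy of the message; CONF is a constructed subset of the two configurations quoted above.

```python
"""Simulator of BSD-style syslog.conf routing with '!program' blocks (added illustration,
not code from this thread; CONF below is a constructed subset of the configs quoted above)."""
import re
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]  # index 0 = most severe
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "cron", "authpriv", "ftp", "local0"]

def parse_conf(text):
    """Return [(program, {facility: (op, priority)}, target)] in file order; program is None outside a '!name' block."""
    rules, program = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("!"):                 # program selector line; '!*' ends the current block
            name = line[1:].strip()
            program = None if name == "*" else name
            continue
        selector, target = re.split(r"\s+", line, maxsplit=1)
        spec = {}
        for part in selector.split(";"):         # later parts override earlier ones (e.g. user.none)
            facs, pri = part.rsplit(".", 1)
            op = "exact" if pri.startswith("=") else "atleast"
            for fac in (FACILITIES if facs == "*" else facs.split(",")):
                spec[fac] = (op, pri.lstrip("="))
        rules.append((program, spec, target))
    return rules

def matches(spec, facility, level):
    op, pri = spec.get(facility, ("atleast", "none"))
    if pri in ("none", "*"):
        return pri == "*"
    if op == "exact":                            # "*.=debug" matches only debug
        return level == pri
    return PRIORITIES.index(level) <= PRIORITIES.index(pri)   # "fac.info" = info and more severe

def route(rules, program, facility, level):
    return [target for prog, spec, target in rules   # every matching rule fires, not just the first
            if prog in (None, program) and matches(spec, facility, level)]

CONF = """
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;user.info;syslog.info                        /var/log/messages
cron.info                                               /var/cron/log
!gse
*.info        /var/log/gse.log
*.=debug      /var/log/gse.debug
!snort
*.*           /var/log/snort
"""
RULES = parse_conf(CONF)
```

Under these semantics `route(RULES, "gse", "user", "info")` yields both /var/log/messages and /var/log/gse.log, while a cron or snort message never reaches gse.log; that is the behaviour to compare against when a `!program` line appears to be ignored.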