Old 01-03-2014, 06:13 AM   #1
Iyyappan
Enable Audit logs to send logs to syslog-ng (remote server)


Hi,

I have a working syslog-ng 2.1.4 running on RHEL 6.1. Currently we use it for logging network devices; now we plan to log servers as well.

I have made the required changes to the audit settings on the client side.

cd /etc/audisp/plugins.d/
af_unix.conf syslog.conf
[root@client audit]# cat /etc/audisp/plugins.d/syslog.conf
# This file controls the configuration of the
# syslog plugin. It simply takes events and writes
# them to syslog.
# NOTE(review): only a priority (LOG_INFO) is given here, so the facility the
# plugin stamps on each event is not visible in this file (presumably the
# plugin's default, LOG_USER -- verify on the client's audit version). Newer
# audit releases accept a facility as a second argument, e.g.
# "args = LOG_INFO LOG_LOCAL6"; where available, that is the cleanest way to
# make the server-side facility(...) filter match what the client emits.

active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string

Syslog configuration --- the client has the following in
/etc/syslog.conf

#audit log
# NOTE(review): the $ModLoad / $Input* directives are rsyslog syntax, so this
# block presumably lives in /etc/rsyslog.conf rather than a classic
# syslog.conf -- confirm which daemon is actually running on the client.
$ModLoad imfile
# Tail /var/log/audit/audit.log and re-emit every line as a syslog message with
# facility local6 and severity info; local6 is therefore what the server-side
# filter has to match.
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
# A single '@' forwards over UDP: no acknowledgement and no transport
# integrity, so dropped or spoofed audit records would go unnoticed. '@@'
# selects TCP, which the server's remote_log source already listens on (port
# 514).
local6.* @192.168.1.11

We are able to reach port 514 on the syslog server (192.168.1.11), and the syslog client has been restarted.


I have the following syslog-ng server configuration:




# Network source for client logs: listens on every local address (0.0.0.0) on
# both TCP and UDP 514. Nothing in this source restricts which hosts may send,
# so the network ACL / host firewall is the only sender control.
source remote_log {
# udp();
tcp(ip("0.0.0.0") port(514)); udp(ip("0.0.0.0") port(514));
};

# Local source for the server's own logs: kernel ring buffer, the /dev/log
# socket and syslog-ng's internal messages. The network listeners that used to
# be here are commented out; they now live in remote_log.
source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
# udp(ip(0.0.0.0) port(514));
# tcp(ip(0.0.0.0) port(514));
};

#######################################
# Local server Destination Specification
#######################################
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };
destination d_rootsh { file("/var/log/rootsh/all_sessions.log"); };
######################################
# DESTINATION FOR REMOTE LOG
######################################
# NOTE(review): $HOST becomes a directory component of every file below. The
# directory listing further down shows it resolving to the sender's IP
# (192.168.1.81); if keep_hostname(yes) or DNS resolution is ever enabled in
# the global options, the hostname as supplied by the client would name the
# directory instead -- confirm before relying on these paths as per-client
# evidence.
destination remote_kern { file("/var/Network_Log/$HOST/kern.log"); };
destination remote_messages { file("/var/Network_Log/$HOST/messages.log"); };
destination remote_mail { file("/var/Network_Log/$HOST/maillog"); };
destination remote_cron { file("/var/Network_Log/$HOST/cron.log"); };
destination remote_daemon { file("/var/Network_Log/$HOST/daemon.log"); };
destination remote_squid { file("/var/Network_Log/$HOST/squid.log"); };
destination remote_dhcp { file("/var/Network_Log/$HOST/dhcpd.log"); };
destination remote_samba { file("/var/Network_Log/$HOST/smbd.log"); };
destination remote_dns { file("/var/Network_Log/$HOST/dns.log"); };
destination remote_mysql { file("/var/Network_Log/$HOST/mysql.log"); };
destination remote_oracle { file("/var/Network_Log/$HOST/oracle.log"); };
destination remote_network { file("/var/Network_Log/$HOST/network.log"); };
# remote_audit is commented out in this version of the config, so the f_audit
# log statement below has no file to write to (post #4 shows it un-commented).
#destination remote_audit { file("/var/Network_Log/$HOST/audit.log"); };

# Filters for the server's own (s_sys) logs.
filter f_filter1 { facility(kern); };
filter f_filter2 { level(info..emerg) and not facility(mail,authpriv,cron); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };
#filter f_local_rootsh { facility(local5) and level(info); };
filter f_local_rootsh { program(rootsh); };
######################################
#FILTER FOR REMOTE LOG
######################################

filter f_kern { facility(kern); };
# Catch-all for the remote messages.log: anything info..emerg whose facility is
# not in the exclusion list. local6 is NOT excluded, so audit records the
# client ships as local6.info match here and are written to messages.log.
filter f_messages { level(info..emerg) and
not facility(auth,authpriv,cron,daemon,mail,news,local7); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_squid { program(squid); };
filter f_dhcp { program(dhcp); };
filter f_samba { program(smbd); };
filter f_dns { program(named); };
filter f_mysql { program(mysql); };
filter f_oracle { program(oracle); };
filter f_network { facility(local7); };
# NOTE(review): the client tags audit records local6 ($InputFileFacility local6
# and "local6.* @192.168.1.11" on the client side). Numeric facility 13 is the
# RFC 5424 "log audit" code, not local6 (which is 22), so this filter cannot
# match what the client sends; facility(local6) would. To also keep those
# records out of messages.log, either add local6 to the exclusion list in
# f_messages, or give the audit log statement flags(final) and place it before
# the f_messages statement.
filter f_audit { facility (13);};
#filter f_network {
# priority(debug , info , notice , warning , err , crit , alert , emerg) and facility(local0 , local1 , local2 , local3 , local4 , local5 , local6 , local7);
# };

#####################################
#REMOTE LOG DEFENITION
######################################
# Log statements are evaluated in order and, without flags(final), a message is
# delivered by every statement it matches. The f_messages statement comes
# second, so any local6.info audit record has already been written to
# messages.log before the f_audit statement at the end is reached.

log { source(remote_log); filter(f_kern); destination(remote_kern); };
log { source(remote_log); filter(f_messages); destination(remote_messages); };
log { source(remote_log); filter(f_mail); destination(remote_mail); };
log { source(remote_log); filter(f_cron); destination(remote_cron); };
log { source(remote_log); filter(f_daemon); destination(remote_daemon); };
log { source(remote_log); filter(f_squid); destination(remote_squid); };
log { source(remote_log); filter(f_dhcp); destination(remote_dhcp); };
log { source(remote_log); filter(f_samba); destination(remote_samba); };
log { source(remote_log); filter(f_dns); destination(remote_dns); };
log { source(remote_log); filter(f_mysql); destination(remote_mysql); };
log { source(remote_log); filter(f_oracle); destination(remote_oracle); };
log { source(remote_log); filter(f_network); destination(remote_network); };
#log { source(remote_log); filter(f_audit); destination(remote_audit); };
# No destination() here, so even a message that matched f_audit would be
# written nowhere by this statement.
log { source(remote_log); filter(f_audit); };

######################################
# Local server Log Definition
######################################
# Routes the server's own logs (source s_sys) to the local files; the remote
# clients' logs never pass through these statements.
log { source(s_sys); filter(f_local_rootsh); destination(d_rootsh); };
log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };



Only the following client logs appear on the syslog-ng server:

/var/Network_Log/192.168.1.81
-rw------- 1 root root 101894 Jan 3 17:30 kern.log
-rw------- 1 root root 276 Jan 3 17:30 daemon.log
-rw------- 1 root root 32024 Jan 3 17:35 maillog
-rw------- 1 root root 18689 Jan 3 17:36 cron.log
-rw------- 1 root root 305493 Jan 3 17:37 messages.log

The audit log is also being written into messages.log. I want audit.log to be created separately instead of the audit entries going into messages.log.

Last edited by Iyyappan; 01-03-2014 at 06:17 AM.
 
Old 01-03-2014, 06:28 AM   #2
Iyyappan
I want to know what configuration is needed in syslog-ng to receive audit logs from remote Linux servers and write them to a separate audit log file. The reason I specifically need a separate audit file is that we have to share the details with our clients on request, and audit logs mixed into the messages log create a lot of confusion. I have tried many things, but nothing seems to work; any assistance would be helpful.
 
Old 01-03-2014, 07:43 AM   #3
unSpawn
In /etc/audisp/plugins.d/syslog.conf you have "args = LOG_INFO", in /etc/syslog.conf "local6.* @192.168.1.11", but in the syslog-ng server conf an odd facility "filter f_audit { facility (13);};" and no destination?
 
Old 01-05-2014, 11:34 PM   #4
Iyyappan
I took "filter f_audit { facility (13);};" from a forum because the earlier one did not work. The destination was there; I was trying another name and forgot to uncomment it while posting. Below is what I have:

Let me know what filter I should use for audit logs.


Syslog-NG Server
=================

# Same network source as in post #1: every local address, TCP and UDP 514, with
# no restriction on the sending host.
source remote_log {
# udp();
tcp(ip("0.0.0.0") port(514)); udp(ip("0.0.0.0") port(514));
};


# Per-client audit file; $HOST is a path component, see the note on the other
# remote_* destinations about how it is derived.
destination remote_audit { file("/var/Network_Log/$HOST/audit.log"); };

# NOTE(review): facility 13 is the RFC 5424 "log audit" code; the client sends
# these records as local6 (facility 22), so this filter never matches them.
# facility(local6) is the value that matches the client-side
# "$InputFileFacility local6" / "local6.* @192.168.1.11".
filter f_audit { facility (13);};

# Even once the filter matches, this statement must either precede the
# f_messages statement with flags(final), or local6 must be excluded from
# f_messages, otherwise audit records are still duplicated into messages.log.
log { source(remote_log); filter(f_audit); destination(remote_audit); };
 
Old 01-06-2014, 12:06 AM   #5
Iyyappan
I took the filter from the site below:

http://serverfault.com/questions/406...M507RW47Vk6qfr
 
Old 01-07-2014, 04:15 PM   #6
unSpawn
If you use a facility / priority pair of "local6" on the client side then shouldn't the facility on the server side match? Currently it reads "facility (13)" and 'man 3 syslog' says only LOG_LOCAL0 through LOG_LOCAL7 are available.
 