LinuxQuestions.org


OlRoy 12-17-2008 10:15 AM

Sending 3rd party logs to remote syslog server
 
Hey guys, I have a couple of questions...

1. Is it possible to send 3rd party application logs like webmin.log to a remote logging server using syslog or syslog-ng if that 3rd party software doesn't officially support syslog messages?

2. I have the client using regular syslog and the server using syslog-ng with the following config, which works for sending firewall logs to firewall.log.

Code:

source sf_source { udp (); };
destination df_destination { file("/var/log/$HOST/firewall.log"); };
filter f_firewall { host( "192.168.127.131" ) and match(".*kernel.*(INBOUND|OUTBOUND)"); };
log { source ( sf_source ); filter( f_firewall ); destination ( df_destination ); };

However, firewall logs are the only logs I'm getting from that host. What's the easiest way to also get all other system logs to the same /var/log/$HOST folder with the appropriate log name such as auth.log, messages, mail.log, etc.?

unSpawn 12-21-2008 08:45 AM

Quote:

Originally Posted by OlRoy (Post 3378726)
Is it possible to send 3rd party application logs like webmin.log to a remote logging server using syslog or syslog-ng if that 3rd party software doesn't officially support syslog messages?

With Syslog-ng you should be able to use "source s_file { file("/path/to/logfile"); };"


Quote:

Originally Posted by OlRoy (Post 3378726)
However, firewall logs are the only logs I'm getting from that host.

Maybe because you're using a filter of "match(".*kernel.*(INBOUND|OUTBOUND)")"?


Quote:

Originally Posted by OlRoy (Post 3378726)
What's the easiest way to also get all other system logs to the same /var/log/$HOST folder with the appropriate log name such as auth.log, messages, mail.log, etc.?

How does syslog determine what messages go where? (facility.priority) What types of corresponding filters do you have in Syslog-ng?

OlRoy 12-24-2008 12:35 PM

unSpawn, thanks for the answer for the first question, I'll use syslog-ng on the client as well. As for the second, I've spent some more time messing around with syslog-ng and this config seems to do what I want.

Code:

###IPTable logs go to iptables.log###

# all known message sources
source s_all {
        # messages generated by Syslog-NG itself
        internal();
        # standard Linux log source (this is the default place for the syslog()
        # function to send logs to)
        unix-stream("/dev/log");
        # messages from the kernel
        file("/proc/kmsg" log_prefix("kernel: "));
        # use the following line if you want to receive remote UDP logging messages
        # (this is equivalent to the "-r" syslogd flag)
        udp();
};

# one file per remote host for the firewall messages
destination iptables {
        file("/var/log/HOSTS/$HOST/iptables.log");
};

# only the firewall host's kernel INBOUND/OUTBOUND lines
filter f_iptables { host( "192.168.127.131" ) and match(".*kernel.*(INBOUND|OUTBOUND)"); };

# filter placed before the destination so the log path filters first, then writes
log {
        source(s_all);
        filter(f_iptables);
        destination(iptables);
};


###Everything but IPTable logs goes to $FACILITY.log###

# $FACILITY expands to the syslog facility name (auth, mail, daemon, ...)
destination dst {
        file("/var/log/HOSTS/$HOST/$FACILITY.log");
};

filter f_noiptables { not match(".*kernel.*(INBOUND|OUTBOUND)"); };

log {
        source(s_all);
        filter(f_noiptables);
        destination(dst);
};
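
The two log paths above are easy to reason about on paper, but one practical check is to run sample messages through the same two filters and see where each lands. This is an added example, not part of the thread or of syslog-ng: it models host() and $HOST as the sender address (keep_hostname(no), use_dns(no)), and match() as a regex over the program/message text, which is how the thread's config is using them. The sample lines are constructed.

```python
import re
from typing import Dict, List, Tuple

# Facility names as syslog-ng expands $FACILITY (codes 0-23, RFC 3164 numbering).
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

FW_HOST = "192.168.127.131"                                 # host() argument from the thread
IPTABLES_RE = re.compile(r".*kernel.*(INBOUND|OUTBOUND)")  # match() argument from the thread
# BSD syslog line: <PRI>Mmm dd hh:mm:ss hostname program[pid]: message
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse(line: str) -> Dict[str, str]:
    """Split a BSD syslog line into the facility name and the text match() is tested against."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    # PRI = facility * 8 + severity, so the facility code is the integer quotient.
    return {"facility": FACILITY_NAMES[pri // 8], "text": m.group(4)}

def route(line: str, sender: str) -> List[str]:
    """Return the files the two log paths would write this message to.

    Assumption: $HOST and host() both see the sender address (keep_hostname(no), use_dns(no)).
    """
    msg = parse(line)
    is_fw_line = IPTABLES_RE.search(msg["text"]) is not None
    dests: List[str] = []
    # log path 1: filter f_iptables = host("192.168.127.131") and match(...)
    if sender == FW_HOST and is_fw_line:
        dests.append(f"/var/log/HOSTS/{sender}/iptables.log")
    # log path 2: filter f_noiptables = not match(...); note there is no host() term,
    # so a matching kernel line from any *other* host fits neither path and is dropped.
    if not is_fw_line:
        dests.append(f"/var/log/HOSTS/{sender}/{msg['facility']}.log")
    return dests

# Constructed sample traffic as (sender address, raw line); not captured from a real system.
SAMPLES: List[Tuple[str, str]] = [
    ("192.168.127.131", "<4>Dec 24 12:00:01 fw01 kernel: INBOUND TCP: IN=eth0 SRC=10.0.0.9 DST=10.0.0.1"),
    ("192.168.127.131", "<38>Dec 24 12:00:02 fw01 sshd[2210]: Accepted publickey for admin from 10.0.0.5"),
    ("192.168.127.140", "<22>Dec 24 12:00:03 mx01 postfix/smtpd[870]: connect from unknown[10.0.0.7]"),
    ("192.168.127.140", "<4>Dec 24 12:00:04 web01 kernel: OUTBOUND UDP: IN= OUT=eth0 SRC=10.0.0.2"),
]

if __name__ == "__main__":
    for sender, line in SAMPLES:
        print(f"{sender:>16} -> {route(line, sender) or ['(dropped: matches neither filter)']}")
```

The fourth sample shows the gap between the two filters: f_iptables requires the firewall host, f_noiptables does not exclude it, so kernel INBOUND/OUTBOUND lines from any other host are written nowhere.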


unSpawn 12-24-2008 06:06 PM

Thanks for posting back your config wrt facility usage, much appreciated.

