LinuxQuestions.org


cpgeorge 04-09-2004 09:48 AM

Customizing syslog
 
I am running iMail 8.02 for a mail server. iMail is set up to send the mail log to *.info when logging to an external syslog host. I would like to set it up to log the mail information to another log facility to make the logs more manageable. I have searched Google and message boards for a way to configure syslog to filter out specific hosts from one log and enter them into another log file, but I have not found a solution. If someone can help me out with this I would greatly appreciate it. I am running RH 7 if that helps.

Thanks for any help you can provide on this.
George

hw-tph 04-11-2004 06:14 AM

I suppose it all comes down to what syslog you use. I use syslog-ng and it provides ample resources for customizing. Here is a good primer from LinuxJournal's security expert Mick Bauer.


Håkan

cpgeorge 04-12-2004 10:29 AM

Thanks Håkan for your reply. It does not quite answer what I need to do, though. What I need to do is log different hosts to different log files—even if the hosts all send on the same facility.

As for what syslog we are using, it is just the one that is standard with RH7.

I hope this helps out more on what I am looking to do.

Thanks again George

hw-tph 04-12-2004 06:47 PM

I assume the syslog in Redhat 7 is syslog-ng as this is the most widely used syslog nowadays. Host-based differentiation is pretty common with syslog servers (that keep logs for several different systems). Have a look at the example below.

Code:

# Same syntax as the other syslog-ng config in this thread: every source,
# filter and destination driver takes its arguments in parentheses.
options { long_hostnames(on); sync(0); };

# udp() listens for remote hosts on 514/udp; unix-stream() is the local
# /dev/log socket; internal() carries syslog-ng's own messages.
source src { udp(ip("0.0.0.0") port(514)); unix-stream("/dev/log"); internal(); };

filter f_sendmail { program("sendmail"); };
# host() matches the hostname field of the message (a regular expression).
filter f_host1 { host("host1"); };
filter f_host2 { host("host2"); };

destination sendmail { file("/var/log/sendmail"); };
destination host1 { file("/var/log/host1"); };
destination host2 { file("/var/log/host2"); };

# A message can match several log statements: a sendmail line from host1
# lands in both /var/log/sendmail and /var/log/host1.
log { source(src); filter(f_sendmail); destination(sendmail); };
log { source(src); filter(f_host1); destination(host1); };
log { source(src); filter(f_host2); destination(host2); };

(Gleefully pirated from an article in the LinuxGazette)


Håkan

wedgeworth 04-13-2004 04:08 PM

I'm also trying to get my syslog to redirect logs to different files. What was the final outcome here? Was anyone able to edit configurations to redirect certain entries to places other than, say, messages?

hw-tph 04-13-2004 05:24 PM

Yes, but it's not really easy before you get used to it. Here is the syslog-ng.conf I use on my laptop:
Code:

options {
        long_hostnames(on);
        sync(0);

        # The default action of syslog-ng 1.6.0 is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); destination(messages); };
log { source(src); destination(console_all); };

# --- ADDED BY HW ----------------------------------------------------------
# --- FILTERS ----
filter f_bootlog { facility(local7); };
filter f_authlog { facility(auth,authpriv); };
filter f_cronlog { facility(cron); };
filter f_kernlog { facility(kern); };

# --- DESTINATIONS ---
destination authlog {
  file("/var/log/auth.log"
        sync(0) log_fifo_size(10) create_dirs(yes)
        owner(root) group(adm) perm(0660) dir_perm(0770));
};

destination kernlog {
  file("/var/log/kernel.log"
        sync(0) log_fifo_size(10) create_dirs(yes)
        owner(root) group(adm) perm(0660) dir_perm(0770));
};
destination cronlog {
  file("/var/log/cron.log"
        sync(0) log_fifo_size(10) create_dirs(yes)
        owner(root) group(adm) perm(0660) dir_perm(0770));
};

destination bootlog {
  file("/var/log/boot.log"
        sync(0) log_fifo_size(10) create_dirs(yes)
        owner(root) group(system) perm(0660) dir_perm(0770));
};

# --- LOGS ---
log { source(src);
      filter(f_bootlog);
      destination(bootlog);
};

log { source(src);
      filter(f_authlog);
      destination(authlog);
};

log { source(src);
      filter(f_cronlog);
      destination(cronlog);
};

log { source(src);
      filter(f_kernlog);
      destination(kernlog);
};


Håkan

wedgeworth 04-14-2004 10:02 AM

Thanks for the help. I'm also running RH 7. However, I have no syslog-ng.conf file. I just have a regular syslog.conf file. It looks like this:

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* /var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log



Will your config file example "work" at all like mine would? Or am I to start looking for other examples with other syntax, or that work and redirect logs completely differently? Sorry, I don't know enough about this. I haven't really ever gotten into watching and/or tweaking any system logs before.
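To show how the sysklogd rules above carry over, here is the same RH 7 syslog.conf rewritten as syslog-ng filters, destinations and log statements. This is an added example, not from the thread or the syslog-ng project, and it assumes the syslog-ng 1.6-era syntax used in Håkan's laptop config.

```conf
# Added example: the RH 7 syslog.conf above, expressed for syslog-ng.
# sysklogd "facility.level" means that level AND higher, so each selector
# becomes level(LEVEL..emerg); "facility.none" becomes "and not facility(x)".
options { long_hostnames(off); sync(0); };

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

# #kern.*  /dev/console  -- commented out in the original, left out here too.

# *.info;mail.none;authpriv.none;cron.none   /var/log/messages
filter f_messages { level(info..emerg) and not facility(mail,authpriv,cron); };
destination d_messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(d_messages); };

# authpriv.*   /var/log/secure   (restricted access: keep the file root-only)
filter f_secure { facility(authpriv); };
destination d_secure { file("/var/log/secure" owner(root) group(root) perm(0600)); };
log { source(src); filter(f_secure); destination(d_secure); };

# mail.*   /var/log/maillog
filter f_mail { facility(mail); };
destination d_maillog { file("/var/log/maillog"); };
log { source(src); filter(f_mail); destination(d_maillog); };

# cron.*   /var/log/cron
filter f_cron { facility(cron); };
destination d_cron { file("/var/log/cron"); };
log { source(src); filter(f_cron); destination(d_cron); };

# *.emerg   *   (sysklogd's "*" target writes to every logged-in user)
filter f_emerg { level(emerg); };
destination d_wall { usertty("*"); };
log { source(src); filter(f_emerg); destination(d_wall); };

# uucp,news.crit   /var/log/spooler
filter f_spooler { facility(uucp,news) and level(crit..emerg); };
destination d_spooler { file("/var/log/spooler"); };
log { source(src); filter(f_spooler); destination(d_spooler); };

# local7.*   /var/log/boot.log
filter f_boot { facility(local7); };
destination d_boot { file("/var/log/boot.log"); };
log { source(src); filter(f_boot); destination(d_boot); };
```

Unlike sysklogd, each log statement is evaluated independently, so a message can be written by more than one of them; that is why the messages filter excludes mail, authpriv and cron explicitly, exactly as the original selector does.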

cpgeorge 04-15-2004 09:08 AM

We have syslog-ng up and running locally. But we need to be able to receive logs from remote equipment that does not have the capability of sending the logs securely—such as routers. I have found a lot on how to set syslog-ng to receive remote logs securely, but can anyone help me on how to receive unsecured remote logs? Thank you for all your help.

cpgeorge 04-28-2004 01:29 PM

Quote:

Originally posted by cpgeorge
We have syslog-ng up and running locally. But we need to be able to receive logs from remote equipment that does not have the capability of sending the logs securely—such as routers. I have found a lot on how to set syslog-ng to receive remote logs securely, but can anyone help me on how to receive unsecured remote logs? Thank you for all your help.
Can anyone point me in the right direction to learn how to do this? I really like syslog-ng but cannot use it unless I can remotely log some things unsecured.

Thanks for any help anyone can provide on this.
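The question left open in the thread, receiving plain UDP syslog from routers that cannot send securely, is what the following added config illustrates. It is not from the thread or the syslog-ng project; it assumes syslog-ng 1.6-era syntax, and the addresses (192.0.2.10 for the collector's management interface, 192.0.2.0/24 for the router subnet, 192.0.2.25 for the mail server) are placeholders.

```conf
# Added example: accept unencrypted UDP/514 syslog from routers and keep one
# file per sending device.  All addresses below are placeholders.
options {
    long_hostnames(off);
    sync(0);
    # Name files after the sender's IP address, not the hostname written inside
    # the message, so an untrusted device cannot pick another host's file.
    keep_hostname(no);
    use_dns(no);
};

# Local messages, same source as the laptop config earlier in the thread.
source s_local { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

# Remote messages: bind only to the management LAN address, not to 0.0.0.0,
# so the unauthenticated listener is not reachable from other interfaces.
source s_routers { udp(ip("192.0.2.10") port(514)); };

# UDP syslog has no sender authentication and source addresses can be forged;
# at least drop anything from outside the router subnet (and mirror this rule
# in the host firewall so the datagrams never reach syslog-ng at all).
filter f_router_net { netmask("192.0.2.0/255.255.255.0"); };

# One file per device: $HOST is the sender IP because of the options above.
destination d_per_host {
    file("/var/log/remote/$HOST/messages"
         create_dirs(yes) owner(root) group(adm) perm(0640) dir_perm(0750));
};

# The original request at the top of the thread: the mail server's *.info
# traffic in its own file, selected by sending host rather than by facility.
# netmask() with a /32 matches the exact address (host() would be a regex).
filter f_mailhost { netmask("192.0.2.25/255.255.255.255"); };
destination d_mailhost { file("/var/log/remote/imail.log" perm(0640)); };

destination d_messages { file("/var/log/messages"); };

log { source(s_local); destination(d_messages); };
log { source(s_routers); filter(f_router_net); destination(d_per_host); };
log { source(s_routers); filter(f_mailhost); destination(d_mailhost); };
```

Because anyone who can reach 514/udp can write into these files, treat their contents as untrusted input and rotate them so a flood from a forged source cannot fill the log partition.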

