Sending 3rd party logs to remote syslog server

OlRoy · 12-17-2008, 10:15 AM

Hey guys, I have a couple questions...

1. Is it possible to send 3rd party application logs like webmin.log to a remote logging server using syslog or syslog-ng if that 3rd party software doesn't officially support syslog messages?

2. I have the client using regular syslog and the server using syslog-ng with the following config, which works for sending firewall logs to firewall.log.

Code:

source sf_source { udp (); };
destination df_destination { file("/var/log/$HOST/firewall.log"); };
filter f_firewall { host( "192.168.127.131" ) and match(".*kernel.*(INBOUND|OUTBOUND)"); };
log { source ( sf_source ); filter( f_firewall ); destination ( df_destination ); };

However, firewall logs are the only logs I'm getting from that host. What's the easiest way to also get all other system logs to the same /var/log/$HOST folder with the appropriate log name such as auth.log, messages, mail.log, etc.?

unSpawn · 12-21-2008, 08:45 AM

Quote:

Originally Posted by OlRoy

Is it possible to send 3rd party application logs like webmin.log to a remote logging server using syslog or syslog-ng if that 3rd party software doesn't officially support syslog messages?

With Syslog-ng you should be able to use "source s_file { file("/path/to/logfile"};"

Quote:

Originally Posted by OlRoy

However, firewall logs are the only logs I'm getting from that host.

Maybe because you're using a filter of "match(".*kernel.*(INBOUND|OUTBOUND)")"?

Quote:

Originally Posted by OlRoy

What's the easiest way to also get all other system logs to the same /var/log/$HOST folder with the appropriate log name such as auth.log, messages, mail.log, etc.?

How does syslog determine what messages go where? (facility.priority) What types of corresponding filters do you have in Syslog-ng?

OlRoy · 12-24-2008, 12:35 PM

Unspawn, thanks for the answer for the first question, I'll use syslog-ng on the client as well. As for the second, I've spent some more time messing around with syslog-ng and this config seems to do what I want.

Code:

###IPTable logs go to iptables.log###

# all known message sources
source s_all {
        # message generated by Syslog-NG
        internal();
        # standard Linux log source (this is the default place for the syslog()
        # function to send logs to)
        unix-stream("/dev/log");
        # messages from the kernel
        file("/proc/kmsg" log_prefix("kernel: "));
        # use the following line if you want to receive remote UDP logging messages
        # (this is equivalent to the "-r" syslogd flag)
        udp();
};

destination iptables {
        file("/var/log/HOSTS/$HOST/iptables.log"); };

filter f_iptables { host( "192.168.127.131" ) and match(".*kernel.*(INBOUND|OUTBOUND)"); };

log {
        source(s_all);
        destination(iptables);
        filter(f_iptables);
};


###Everything but IPTable logs goes to $FACILITY.log###
destination dst {
        file ("/var/log/HOSTS/$HOST/$FACILITY.log"); };
filter f_noiptables { not match(".*kernel.*(INBOUND|OUTBOUND)"); };
log {
        source(s_all);
        destination(dst);
        filter(f_noiptables);
};

unSpawn · 12-24-2008, 06:06 PM

Thanks for posting back your config wrt facility usage, much appreciated.