Syslog-ng

De DiouxX's Wiki
Aller à : navigation, rechercher
Cette page va vous permettre de mettre en place un système de log avec Syslog-ng

Installation Syslog-ng

Que ça soit sur votre machine "server" qui va récolter les logs de plusieurs hosts ou sur la machine qui va envoyer ses logs sur un hôte distant, le paquet à installer est identiquement le même

Konsole.png
[root@ordi ~]# apt-get install syslog-ng


Configuration


Machine serveur

Pour configurer votre serveur afin qu'il puisse stocker les logs qu'on lui envoie, il vous faut éditer le fichier /etc/syslog-ng/syslog-ng.conf  : 

options {
	# disable the chained hostname format in logs
        # (default is enabled)
        chain_hostnames(0);

        # the time to wait before a died connection is re-established
        # (default is 60)
        time_reopen(10);

        # the time to wait before an idle destination file is closed
        # (default is 60)
        time_reap(360);

        # the number of lines buffered before written to file
        # you might want to increase this if your disk isn't catching with
        # all the log messages you get or if you want less disk activity
        # (say on a laptop)
        # (default is 0)
        #sync(0);

        # the number of lines fitting in the output queue
        log_fifo_size(2048);

        # enable or disable directory creation for destination files
        create_dirs(yes);

        # default owner, group, and permissions for log files
        # (defaults are 0, 0, 0600)
        owner(root);
        #group(adm);
        perm(0640);

        # default owner, group, and permissions for created directories
        # (defaults are 0, 0, 0700)
        dir_owner(root);
        #dir_group(root);
        dir_perm(0755);

        # enable or disable DNS usage
        # syslog-ng blocks on DNS queries, so enabling DNS may lead to
        # a Denial of Service attack
        # (default is yes)
        use_dns(no);

        # maximum length of message in bytes
        # this is only limited by the program listening on the /dev/log Unix
        # socket, glibc can handle arbitrary length log messages, but -- for
        # example -- syslogd accepts only 1024 bytes
        # (default is 2048)
        #log_msg_size(2048);

	
};

########################
# Sources
########################
# all known message sources
source local {
        # message generated by Syslog-NG
        #internal();
        # standard Linux log source (this is the default place for the syslog()
        # function to send logs to)
        unix-stream("/dev/log" max-connections(40));
        # messages from the kernel
        #file("/proc/kmsg" log_prefix("kernel: "));
        # use the following line if you want to receive remote UDP logging messages
        # (this is equivalent to the "-r" syslogd flag)
        # udp();
        tcp(ip(0.0.0.0));
        udp(ip(0.0.0.0));
};

########################
# Destinations         #
########################
#destination dst-all-messages {
#	file("/var/log/archive/$R_YEAR-$R_MONTH-$R_DAY/messages"
#	template("$HOUR:$MIN:$SEC $HOST <$FACILITY.$PRIORITY> $MSG\n")
#	template_escape(no)
#	);
#};

destination all-messages {
	file("/var/log/syslog-ng/$HOST/messages.log");
};

destination apache {
	file("/var/log/syslog-ng/$HOST/apache.log");
};


########################
# Filters
########################
# Here's come the filter options. With this rules, we can set which 
# message go where.

filter apache { program("apache2"); };

########################
# Log paths
########################
# Pour le auth.log du pare-feu
#log {
#        source(local);
#        destination(dst-all-messages);
#};

log {
	source(local);
	destination(all-messages);
};

log {
	source(local);
	filter(apache);
	destination(apache);

};


Machine Cliente

Pour qu'une machine envoie ses logs sur un host distant, le fichier de configuration est toujours /etc/syslog-ng/syslog-ng.conf  : 

######
# options

options {
        # disable the chained hostname format in logs
        # (default is enabled)
        chain_hostnames(0);

        # the time to wait before a died connection is re-established
        # (default is 60)
        time_reopen(10);

        # the time to wait before an idle destination file is closed
        # (default is 60)
        time_reap(360);

        # the number of lines buffered before written to file
        # you might want to increase this if your disk isn't catching with
        # all the log messages you get or if you want less disk activity
        # (say on a laptop)
        # (default is 0)
        #sync(0);

        # the number of lines fitting in the output queue
        log_fifo_size(2048);

        # enable or disable directory creation for destination files
        create_dirs(yes);

        # default owner, group, and permissions for log files
        # (defaults are 0, 0, 0600)
        owner(root);
        #group(adm);
        perm(0640);

        # default owner, group, and permissions for created directories
        # (defaults are 0, 0, 0700)
        dir_owner(root);
        #dir_group(root);
        dir_perm(0755);

        # enable or disable DNS usage
        # syslog-ng blocks on DNS queries, so enabling DNS may lead to
        # a Denial of Service attack
        # (default is yes)
        use_dns(no);

        # maximum length of message in bytes
        # this is only limited by the program listening on the /dev/log Unix
        # socket, glibc can handle arbitrary length log messages, but -- for
        # example -- syslogd accepts only 1024 bytes
        # (default is 2048)
        #log_msg_size(2048);

	#Disable statistic log messages.
	stats_freq(0);

	# Some program send log messages through a private implementation.
	# and sometimes that implementation is bad. If this happen syslog-ng
	# may recognise the program name as hostname. Whit this option
	# we tell the syslog-ng that if a hostname match this regexp than that
	# is not a real hostname.
	bad_hostname("^gconfd$");

	flush_lines (0);
};


############################
# Sources
############################
# all known message sources
source s_all {
        # message generated by Syslog-NG
        #internal();
        # standard Linux log source (this is the default place for the syslog()
        # function to send logs to)
        unix-stream("/dev/log");
        # messages from the kernel
        #file("/proc/kmsg" log_prefix("kernel: "));
        # use the following line if you want to receive remote UDP logging messages
        # (this is equivalent to the "-r" syslogd flag)
        # udp();
};

source apache {
	file("/var/log/apache2/access.log" follow_freq(1) flags(no-parse));
	file("/var/log/apache2/error.log" follow_freq(1) flags(no-parse));
};


###########################
# Destinations
###########################
#Serveur distant
destination srv_dist {
	udp ("192.168.100.20" port(514));
};

#Local
destination local_messages {
	file("/var/log/syslog-ng/messages");
};




################################
# Filters
################################
# all messages from the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };

# all messages except from the auth and authpriv facilities
filter f_syslog { not facility(auth, authpriv); };

# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
# and uucp facilities
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };

# some filters to select messages of priority greater or equal to info, warn,
# and err
# (equivalents of syslogd's *.info, *.warn, and *.err)
filter f_at_least_info { level(info..emerg); };
filter f_at_least_notice { level(notice..emerg); };
filter f_at_least_warn { level(warn..emerg); };
filter f_at_least_err { level(err..emerg); };
filter f_at_least_crit { level(crit..emerg); };

# all messages of priority debug not coming from the auth, authpriv, news, and
# mail facilities
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };

# all messages of info, notice, or warn priority not coming form the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages {
        level(info,notice,warn)
            and not facility(auth,authpriv,cron,daemon,mail,news);
};

# messages with priority emerg
filter f_emerg { level(emerg); };

# complex filter for messages usually sent to the xconsole
filter f_xconsole {
    facility(daemon,mail)
        or level(debug,info,notice,warn)
        or (facility(news)
                and level(crit,err,notice));
};

###################################################
# Filtre "perso"
##################################################


######
# logs
# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement

# these rules provide the same behavior as the commented original syslogd rules

log {
        source(s_all);
	destination(srv_dist);
	filter(f_auth);
};

log {
	source(apache);
	destination(srv_dist);
};

log {
	source(s_all);
	destination(local_messages);
};


Astuces

Filtre selon l'IP

Il est possible de filter des logs sur l'adresse IP. Pour ce faire, le filtre ressemble à ceci : 

filter sogo { netmask(192.168.100.130/255.255.255.255); };

Dans ce cas-ci, on filtre les logs arrivant de la machine ayant l'adresse IP : 192.168.100.130

Splunk

Voir la page Splunk

Logrotate

Pour configurer la rotation des logs, voir la page Logrotate

Récupérée de « http://wiki.diouxx.be/index.php?title=Syslog-ng&oldid=43 »