Ddevleeschauwer : Page créée avec « {{ Introduction | Cette page va vous permettre de mettre en place un système de log avec Syslog-ng }} == Installation Syslog-ng == Que ça soit sur votre machine "serve... »

2013-04-08T13:08:47Z

Page créée avec « {{ Introduction | Cette page va vous permettre de mettre en place un système de log avec Syslog-ng }} == Installation Syslog-ng == Que ça soit sur votre machine "serve... »

Nouvelle page

{{ Introduction | Cette page va vous permettre de mettre en place un système de log avec Syslog-ng }}

== Installation Syslog-ng ==

Que ça soit sur votre machine "server" qui va récolter les logs de plusieurs hosts ou sur la machine qui va envoyer ses logs sur un hôte distant, le paquet à installer est identiquement le même

{{ Console root | apt-get install syslog-ng }}
<br />

== Configuration ==
<br />
=== Machine serveur ===
Pour configurer votre serveur afin qu'il puisse stocker les logs qu'on lui envoie, il vous faut éditer le fichier {{ File | /etc/syslog-ng/syslog-ng.conf }} :

<syntaxhighlight lang="bash">
options {
# disable the chained hostname format in logs
# (default is enabled)
chain_hostnames(0);

# the time to wait before a died connection is re-established
# (default is 60)
time_reopen(10);

# the time to wait before an idle destination file is closed
# (default is 60)
time_reap(360);

# the number of lines buffered before written to file
# you might want to increase this if your disk isn't catching with
# all the log messages you get or if you want less disk activity
# (say on a laptop)
# (default is 0)
#sync(0);

# the number of lines fitting in the output queue
log_fifo_size(2048);

# enable or disable directory creation for destination files
create_dirs(yes);

# default owner, group, and permissions for log files
# (defaults are 0, 0, 0600)
owner(root);
#group(adm);
perm(0640);

# default owner, group, and permissions for created directories
# (defaults are 0, 0, 0700)
dir_owner(root);
#dir_group(root);
dir_perm(0755);

# enable or disable DNS usage
# syslog-ng blocks on DNS queries, so enabling DNS may lead to
# a Denial of Service attack
# (default is yes)
use_dns(no);

# maximum length of message in bytes
# this is only limited by the program listening on the /dev/log Unix
# socket, glibc can handle arbitrary length log messages, but -- for
# example -- syslogd accepts only 1024 bytes
# (default is 2048)
#log_msg_size(2048);

};

########################
# Sources
########################
# all known message sources
source local {
# message generated by Syslog-NG
#internal();
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log" max-connections(40));
# messages from the kernel
#file("/proc/kmsg" log_prefix("kernel: "));
# use the following line if you want to receive remote UDP logging messages
# (this is equivalent to the "-r" syslogd flag)
# udp();
tcp(ip(0.0.0.0));
udp(ip(0.0.0.0));
};

########################
# Destinations #
########################
#destination dst-all-messages {
# file("/var/log/archive/$R_YEAR-$R_MONTH-$R_DAY/messages"
# template("$HOUR:$MIN:$SEC $HOST <$FACILITY.$PRIORITY> $MSG\n")
# template_escape(no)
# );
#};

destination all-messages {
file("/var/log/syslog-ng/$HOST/messages.log");
};

destination apache {
file("/var/log/syslog-ng/$HOST/apache.log");
};

########################
# Filters
########################
# Here's come the filter options. With this rules, we can set which
# message go where.

filter apache { program("apache2"); };

########################
# Log paths
########################
# Pour le auth.log du pare-feu
#log {
# source(local);
# destination(dst-all-messages);
#};

log {
source(local);
destination(all-messages);
};

log {
source(local);
filter(apache);
destination(apache);

};
</syntaxhighlight>
<br />
=== Machine Cliente ===

Pour qu'une machine envoie ses logs sur un host distant, le fichier de configuration est toujours {{ File | /etc/syslog-ng/syslog-ng.conf }} :

<syntaxhighlight lang="bash">
######
# options

options {
# disable the chained hostname format in logs
# (default is enabled)
chain_hostnames(0);

# the time to wait before a died connection is re-established
# (default is 60)
time_reopen(10);

# the time to wait before an idle destination file is closed
# (default is 60)
time_reap(360);

# the number of lines buffered before written to file
# you might want to increase this if your disk isn't catching with
# all the log messages you get or if you want less disk activity
# (say on a laptop)
# (default is 0)
#sync(0);

# the number of lines fitting in the output queue
log_fifo_size(2048);

# enable or disable directory creation for destination files
create_dirs(yes);

# default owner, group, and permissions for log files
# (defaults are 0, 0, 0600)
owner(root);
#group(adm);
perm(0640);

# default owner, group, and permissions for created directories
# (defaults are 0, 0, 0700)
dir_owner(root);
#dir_group(root);
dir_perm(0755);

# enable or disable DNS usage
# syslog-ng blocks on DNS queries, so enabling DNS may lead to
# a Denial of Service attack
# (default is yes)
use_dns(no);

# maximum length of message in bytes
# this is only limited by the program listening on the /dev/log Unix
# socket, glibc can handle arbitrary length log messages, but -- for
# example -- syslogd accepts only 1024 bytes
# (default is 2048)
#log_msg_size(2048);

#Disable statistic log messages.
stats_freq(0);

# Some program send log messages through a private implementation.
# and sometimes that implementation is bad. If this happen syslog-ng
# may recognise the program name as hostname. Whit this option
# we tell the syslog-ng that if a hostname match this regexp than that
# is not a real hostname.
bad_hostname("^gconfd$");

flush_lines (0);
};

############################
# Sources
############################
# all known message sources
source s_all {
# message generated by Syslog-NG
#internal();
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
#file("/proc/kmsg" log_prefix("kernel: "));
# use the following line if you want to receive remote UDP logging messages
# (this is equivalent to the "-r" syslogd flag)
# udp();
};

source apache {
file("/var/log/apache2/access.log" follow_freq(1) flags(no-parse));
file("/var/log/apache2/error.log" follow_freq(1) flags(no-parse));
};

###########################
# Destinations
###########################
#Serveur distant
destination srv_dist {
udp ("192.168.100.20" port(514));
};

#Local
destination local_messages {
file("/var/log/syslog-ng/messages");
};

################################
# Filters
################################
# all messages from the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };

# all messages except from the auth and authpriv facilities
filter f_syslog { not facility(auth, authpriv); };

# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
# and uucp facilities
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };

# some filters to select messages of priority greater or equal to info, warn,
# and err
# (equivalents of syslogd's *.info, *.warn, and *.err)
filter f_at_least_info { level(info..emerg); };
filter f_at_least_notice { level(notice..emerg); };
filter f_at_least_warn { level(warn..emerg); };
filter f_at_least_err { level(err..emerg); };
filter f_at_least_crit { level(crit..emerg); };

# all messages of priority debug not coming from the auth, authpriv, news, and
# mail facilities
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };

# all messages of info, notice, or warn priority not coming form the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages {
level(info,notice,warn)
and not facility(auth,authpriv,cron,daemon,mail,news);
};

# messages with priority emerg
filter f_emerg { level(emerg); };

# complex filter for messages usually sent to the xconsole
filter f_xconsole {
facility(daemon,mail)
or level(debug,info,notice,warn)
or (facility(news)
and level(crit,err,notice));
};

###################################################
# Filtre "perso"
##################################################

######
# logs
# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement

# these rules provide the same behavior as the commented original syslogd rules

log {
source(s_all);
destination(srv_dist);
filter(f_auth);
};

log {
source(apache);
destination(srv_dist);
};

log {
source(s_all);
destination(local_messages);
};

</syntaxhighlight>
<br />
=== Astuces ===

==== Filtre selon l'IP ====

Il est possible de filter des logs sur l'adresse IP. Pour ce faire, le filtre ressemble à ceci :
<pre>
filter sogo { netmask(192.168.100.130/255.255.255.255); };
</pre>

Dans ce cas-ci, on filtre les logs arrivant de la machine ayant l'adresse IP : 192.168.100.130

== Splunk ==
Voir la page [[Splunk]]

== Logrotate ==
Pour configurer la rotation des logs, voir la page [[Logrotate]]
[[Catégorie:Système]]

Syslog-ng - Historique des versions

Ddevleeschauwer : Page créée avec « {{ Introduction | Cette page va vous permettre de mettre en place un système de log avec Syslog-ng }} == Installation Syslog-ng == Que ça soit sur votre machine "serve... »