Logging, Syslog and Log Analysis Forums
Pages: [1]
Author Topic: Syslog logging question  (Read 763 times)
remy06
Newbie
« on: January 17, 2010, 01:11:30 pm »

Hi all,

Currently I have a syslog server that consolidates firewall logs on port 514 UDP.

I also have an IDS device whose logs I wish to push to this particular syslog server, so that I can retrieve my IDS logs on this server as well.

Is it possible to do so? Having syslog listening on port 514 for both firewall and IDS logs?

If it is possible, will the logs be recorded in a single log file? Or will they be recorded in separate log files, i.e. firewall.log, IDS.log etc.?

I wish to have them in separate individual log files, or else it will be hard to segregate the log entries in a single file.

Can anyone advise on how to achieve this?

Thanks in advance.
remy06
« Reply #1 on: January 20, 2010, 08:52:09 am »

No one knows?
Admin
Administrator
« Reply #2 on: January 20, 2010, 10:41:49 am »

Yes, this can be done.

You can do it in one of two ways. Using the standard syslog that comes with most operating systems, you would need to set the facility used to send the syslog messages to something different between the IDS and firewall systems. Then, you can filter on the facility in syslog.conf to send the IDS logs to one file and the firewall logs to another file.

Alternatively, if you are using rsyslog or syslog-ng, this is much easier, and you can filter to different files based on the source IP address.
remy06
« Reply #3 on: January 21, 2010, 07:12:41 am »

I see, thanks for the info.

Will try setting the facility to use local0-local7 for the firewall and IDS logs then.
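To make the two routing schemes from the Admin's reply concrete (split by facility in classic syslog.conf, or split by sender address in rsyslog/syslog-ng), and the local0-local7 plan in the last reply, here is an added Python model of what the syslog daemon does with each UDP datagram. It is not code from this thread or from any syslog implementation. The file names (ids.log, firewall.log, messages), the choice of local4 for the IDS and local5 for the firewall, the 192.0.2.x sender addresses and the sample log lines are all constructed for the example. The facility arithmetic (PRI = facility * 8 + severity) is the standard syslog encoding.

```python
import re
from collections import defaultdict

# Syslog facility numbers (RFC 5424 section 6.2.1). local0..local7 are 16..23,
# which is what the thread proposes using to tell the two devices apart.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(msg):
    """Split the <PRI> prefix of a syslog datagram into (facility, severity).

    PRI = facility * 8 + severity, so facility = PRI // 8 and severity = PRI % 8.
    Returns None for datagrams with no valid PRI (the largest legal value is 191).
    """
    m = PRI_RE.match(msg)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8


# Hypothetical destination files. FACILITY_ROUTES mirrors a classic syslog.conf
# rule such as "local4.*  /var/log/ids.log"; SOURCE_ROUTES mirrors an
# rsyslog/syslog-ng filter on the sender address. Addresses are constructed
# documentation addresses (RFC 5737), not real hosts.
FACILITY_ROUTES = {"local4": "ids.log", "local5": "firewall.log"}
SOURCE_ROUTES = {"192.0.2.10": "ids.log", "192.0.2.20": "firewall.log"}
CATCH_ALL = "messages"


def route(src_ip, msg, by="facility"):
    """Return the destination file for one datagram under the chosen scheme."""
    if by == "source":
        return SOURCE_ROUTES.get(src_ip, CATCH_ALL)
    decoded = decode_pri(msg)
    if decoded is None:
        # No usable PRI: nothing to filter on, so it falls through to the catch-all.
        return CATCH_ALL
    facility, _severity = decoded
    return FACILITY_ROUTES.get(FACILITY_NAMES.get(facility, "unknown"), CATCH_ALL)


def route_all(datagrams, by="facility"):
    """Group (src_ip, message) pairs by destination file; returns {file: [messages]}."""
    out = defaultdict(list)
    for src_ip, msg in datagrams:
        out[route(src_ip, msg, by)].append(msg)
    return dict(out)


# Constructed sample traffic: an IDS sending local4 (PRI 164 = 20*8+4), a firewall
# sending local5 (PRI 174 = 21*8+6), a third host left at the default user
# facility (PRI 13 = 1*8+5), and one malformed datagram with no PRI at all.
SAMPLE = [
    ("192.0.2.10", "<164>Jan 20 10:41:49 ids01 snort[1234]: [1:2000:1] test alert"),
    ("192.0.2.20", "<174>Jan 20 10:41:50 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7"),
    ("192.0.2.30", "<13>Jan 20 10:41:51 host03 cron[77]: job finished"),
    ("192.0.2.20", "no PRI header at all"),
]

if __name__ == "__main__":
    for scheme in ("facility", "source"):
        print(f"--- routing by {scheme} ---")
        for fname, msgs in sorted(route_all(SAMPLE, by=scheme).items()):
            print(f"{fname}: {len(msgs)} message(s)")
```

The two runs show the practical difference between the schemes. Routing by facility only works if both devices can be configured to send distinct facilities and the chosen ones do not collide with anything else on the server (many appliances default to local0 or user, so check each device's setting rather than assuming), and a datagram without a valid PRI cannot be classified that way at all. Routing by sender address does not depend on any setting on the device, which is why the reply calls it easier, and in the example it still files the malformed firewall line correctly; its limit is that it only knows what the UDP source address claims, so it is a sorting aid, not an authentication of who sent the log.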