Logging, Syslog and Log Analysis Forums
Author Topic: individual files  (Read 5721 times)
jt
« Reply #15 on: August 11, 2008, 12:09:45 pm »

spider and mutex, the problem is the _ character.  Syslog-ng is trying to expand the macro $FACILITY.  So, you want the destination section to look like this:

destination std {
   file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY"
      owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
   );
};
spider
« Reply #16 on: August 11, 2008, 09:26:35 pm »

Hey guys, got it figured out with the help of the mailing list; used some well-placed braces. Ex.:
Code:
destination std {
    file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}.log"
        owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
    );
};

Now I just need to sort my logs out. After running for over 12 hrs I've only ended up with 2 logs per host, an authpriv and a kern. I guess I was expecting the following:
messages
syslog
debug
secure
cron
maillog
auth

For your consideration...

Code:
###############################################################
# First, set some global options.

options {
    use_fqdn(yes);
    use_dns(yes);
    dns_cache(yes);
    keep_hostname(yes);
    long_hostnames(off);
    sync(1);
    log_fifo_size(1024);
};

###############################################################
#
# Logs may come from unix stream, and UDP:514
#
source src {
    pipe("/proc/kmsg");
    unix-stream("/dev/log");
    # internal();
    udp(ip("192.168.2.3") port(514));
    tcp(ip("192.168.2.3") port(514) keep-alive(yes));
};


###############################################################
# First some standard logfiles
#
#destination authlog { file("/var/log/auth.log"); };
#destination syslog { file("/var/log/syslog"); };
#destination cron { file("/var/log/cron.log"); };
#destination daemon { file("/var/log/daemon.log"); };
#destination user { file("/var/log/user.log"); };
#destination debug { file("/var/log/debug"); };
#destination messages { file("/var/log/messages"); };

##########################################
# Here are the filter options. With these rules, we can set which
# message goes where.

filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn)
    and not facility(auth, authpriv, cron, daemon, mail, news); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

###############################################################
#
# log statements actually send logs somewhere, to a file, across the network, etc.
#

#log { source(src); filter(f_authpriv); destination(authlog); };
#log { source(src); filter(f_authpriv); destination(syslog); };
#log { source(src); filter(f_syslog); destination(syslog); };
#log { source(src); filter(f_cron); destination(cron); };
#log { source(src); filter(f_daemon); destination(daemon); };
#log { source(src); filter(f_daemon); destination(messages); };
#log { source(src); filter(f_kern); destination(messages); };
#log { source(src); filter(f_user); destination(messages); };
#log { source(src); filter(f_debug); destination(debug); };

#
# automatic host sorting (usually used on a loghost)
#
destination std {
    file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/${FACILITY}_${YEAR}_${MONTH}_${DAY}.log"
        owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

log {
    source(src);
    destination(std);
};

I love the thought of this auto host system; it reduces work every time a new host is added to my network, but I have to wonder if it isn't simpler at this point to hard code them. Some copy and paste and replaces could resolve this quickly; at the same time I don't wish to admit defeat lol.
« Last Edit: August 12, 2008, 09:06:51 am by spider »
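An added example, not from this thread and not syslog-ng's own code: a small Python simulation of how a `$NAME` versus `${NAME}` macro reads the destination template in the two posts above, showing why the unbraced `$FACILITY_$HOST_...` form stops at a macro called `FACILITY_` and why the braced form expands. The regexes, the `expand`/`destination_path` functions, the error types and the sample message values are all assumptions made for this illustration; syslog-ng's real parser and its handling of unknown macros are not reproduced here.

```python
import re

# Constructed sample of the fields syslog-ng would hold for one incoming message.
# With keep_hostname(yes) the HOST value is whatever the sending system put in
# the message header, so on a loghost it is data from the remote host.
SAMPLE_MSG = {
    "HOST": "web1.example.net",
    "FACILITY": "authpriv",
    "YEAR": "2008",
    "MONTH": "08",
    "DAY": "11",
}

# Matches ${NAME} or $NAME. An unbraced name runs until the first character that
# is not a letter, digit or underscore, so "$FACILITY_" is read as one macro
# named "FACILITY_" rather than "$FACILITY" followed by a literal "_".
MACRO_RE = re.compile(r"\$\{([A-Za-z0-9_]+)\}|\$([A-Za-z0-9_]+)")

# A substituted value must be a single ordinary path component: no "/", not "."
# or "..", no leading "-" or ".", so a spoofed hostname cannot leave the per-host
# directory or create hidden files. (Assumed policy for this example.)
COMPONENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class UnknownMacro(KeyError):
    """Raised when a template names a macro the message does not carry."""


def expand(template, msg):
    """Expand macros in a syslog-ng style template against one message."""
    def repl(m):
        name = m.group(1) or m.group(2)
        if name not in msg:
            raise UnknownMacro(name)
        return msg[name]
    return MACRO_RE.sub(repl, template)


def destination_path(template, msg):
    """Expand a file() destination template, refusing any value that would not
    stay inside the directory layout the template describes."""
    def repl(m):
        name = m.group(1) or m.group(2)
        if name not in msg:
            raise UnknownMacro(name)
        value = msg[name]
        if value in (".", "..") or not COMPONENT_RE.match(value):
            raise ValueError(f"unsafe value for ${name}: {value!r}")
        return value
    return MACRO_RE.sub(repl, template)


def failing_macro(template, msg):
    """Return the macro name that stops expansion, or None if it expands."""
    try:
        expand(template, msg)
    except UnknownMacro as e:
        return e.args[0]
    return None


# The unbraced form from earlier in the thread and the braced form that fixed it.
BROKEN = "/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$HOST_$YEAR_$MONTH_$DAY.log"
FIXED = "/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}.log"

if __name__ == "__main__":
    print("broken template stops at macro:", failing_macro(BROKEN, SAMPLE_MSG))
    print("fixed template expands to:", destination_path(FIXED, SAMPLE_MSG))
```

The `destination_path` check exists because, with `keep_hostname(yes)`, the `$HOST` that ends up in the file name is taken from the message the remote host sent; a loghost that builds paths from it should accept only a plain single path component and drop or rename anything else.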
mutex (Administrator)
« Reply #17 on: August 12, 2008, 09:23:09 am »

Quote from: spider on August 11, 2008, 09:26:35 pm
I love the thought of this auto host system; it reduces work every time a new host is added to my network, but I have to wonder if it isn't simpler at this point to hard code them. Some copy and paste and replaces could resolve this quickly; at the same time I don't wish to admit defeat lol.

I am not sure I understand what you mean by "hard coding them"...  Do you mean creating a config section for each host with a filter, log and destination command? 
spider
« Reply #18 on: August 12, 2008, 10:05:29 am »

Exactly, the thought of scaling it scares me. I think I might be able to live with how I have it running right now. Spent the last hour generating different kinds of events and it appears to work. I guess my only issue left would be catching Apache access logs, which I understand can be done with Snare Apache. The one concern I have is that I have three internet-facing Slackware servers; they all run DenyHosts to block the nasties from services like SSH, mail, etc. DenyHosts generates a log at /var/log/denyhosts and I'd love to collect those. Any suggestions?