Friday, September 14, 2007

Easy Syslog-ng configuration

Syslog-ng have been the successor of the well-known Syslog which have many enhacements in features and easiness to configure. Here I will show you the basic configuration of the Syslog-ng with some examples in filter.
Although Syslog-ng is supported in Linux, Solaris, All BSD variants, AIX, HP-UX, Tru64 Unix, Irix, etc, I will only give the example in Linux only.
I assume that you already have syslog-ng installed in your machine, otherwise you can consult the vendor or distro of your Linux website or documentation.

Setting the Router, Firewall and Switches:

CISCO Router & Switch (IOS):
service timestamps log datetime localtime
no logging console
no logging monitor
logging 10.16.1.100 facility local4

HUAWEI:
info-center enable
info-center loghost 10.16.1.100 facility local4 language english

The configuration file of syslog-ng located at /etc/syslog-ng/syslog-ng.conf:

# /etc/syslog-ng/syslog-ng.conf options { long_hostnames(off); sync(0); perm(0640); stats(3600); };

source src { internal(); udp(ip("0.0.0.0") port(514)); };

## Filter for facility type or device
filter f_router { facility(local4);};
filter f_firewall { facility(local5);};
filter f_switch { facility(local6);};

## Filter for IP address
filter f_ROUTER01 { host("10.10.5.1"); };
filter f_FIREWALL01 { host("10.10.5.2"); };
filter f_FIREWALL02 { host("10.10.5.3"); }; filter f_SWITCH01 { host("10.10.5.4"); };


#Destination files
destination ROUTER01 { file("/var/log/ROUTER01.log"); };
log { source(src); filter(f_router); filter(f_
ROUTER01); destination(ROUTER01); };

destination FIREWALL01 { file("/var/log/FIREWALL01.log"); };
log { source(src); filter(f_firewall); filter(f_
FIREWALL01); destination(FIREWALL01); };

destination FIREWALL02 { file("/var/log/FIREWALL02.log"); };
log { source(src); filter(f_firewall); filter(f_
FIREWALL02); destination(FIREWALL02); };
destination
SWITCH01 { file("/var/log/SWITCH01.log"); };
log { source(src); filter(f_switch); filter(f_
SWITCH01); destination(SWITCH01); };

save it, then execute these command to make the log files.

touch /var/log/ROUTER01.log
touch /var/log/FIREWALL01.log
touch /var/log/FIREWALL02.log
touch /var/log/SWITCH01.log


To START/STOP the Syslog-ng service:

service syslog start and service syslog stop or service syslog reload

try to log in to the router, and do some command like to show the cpu, then on the linux excute this command:


tail -f
/var/log/ROUTER01.log

You will see some log will write to the log file.

3 comments:

Patrich said...

Thanks for this! I was stuck figuring out to log my router (D-Link DIR-655).

Augusto Yamazaki said...

I've got the following error in ubuntu 12.04.2 with syslog-ng:


WARNING: Configuration file has no version number, assuming syslog-ng 2.1 format. Please add @version: maj.min to the beginning of the file;
WARNING: Configuration file format is too old, please update it to use the 3.3 format as some constructs might operate inefficiently;
WARNING: global: the default value of chain_hostnames is changing to 'no' in version 3.0, please update your configuration accordingly;
WARNING: global: the default value of log_fifo_size() has changed to 10000 in version 3.3 to reflect log_iw_size() changes for tcp()/udp() window size changes;
Error parsing config, syntax error, unexpected LL_IDENTIFIER, expecting $end in /etc/syslog-ng/syslog-ng.conf at line 1, column 1:

 /etc/syslog-ng/syslog-ng.conf options { long_hostnames(off); sync(0); perm(0640); stats(3600); };
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

syslog-ng documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng

Augusto Yamazaki said...

I've got the following error in ubuntu 12.04.2 with syslog-ng:

WARNING: Configuration file has no version number, assuming syslog-ng 2.1 format. Please add @version: maj.min to the beginning of the file;
WARNING: Configuration file format is too old, please update it to use the 3.3 format as some constructs might operate inefficiently;
WARNING: global: the default value of chain_hostnames is changing to 'no' in version 3.0, please update your configuration accordingly;
WARNING: global: the default value of log_fifo_size() has changed to 10000 in version 3.3 to reflect log_iw_size() changes for tcp()/udp() window size changes;
Error parsing config, syntax error, unexpected LL_IDENTIFIER, expecting $end in /etc/syslog-ng/syslog-ng.conf at line 1, column 1:

 /etc/syslog-ng/syslog-ng.conf options { long_hostnames(off); sync(0); perm(0640); stats(3600); };
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

syslog-ng documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng