Latest revision as of 09:42, 7 June 2011
Syslog-ng
Syslog-ng is a syslogd replacement with additional functionality.
The standard Sun syslogd cannot separate incoming messages from remote servers into their own files, which is what we need here. We will use syslog-ng to filter incoming syslog messages from third-party servers into their own per-host log files.
This is a guide to installing syslog-ng on Solaris 10.
We will be installing the application from standard packages. All the required packages are in the Sun Freeware repos.
Installing the Dependencies
Use pkgadd to install the required dependencies, all of which are in the Sun Freeware repository:
- eventlog
- libiconv
- libintl (which itself needs libiconv)
- zlib
- pcre
- openssl-1.0.0d
- glib
- libgcc
syslog-ng also needs charset.alias under /usr/local, so link the system copy in:
# ln -s /usr/lib/charset.alias /usr/local/lib/charset.alias
The Sun Freeware libraries live in /usr/local/lib, so that directory must come first in LD_LIBRARY_PATH. Check the current value with:
# echo $LD_LIBRARY_PATH
and if /usr/local/lib is not at the front, prepend it (assign first, then export the variable name, not its value):
# LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
This only affects the shell you set it in. A daemon started by SMF gets its environment from the manifest, not from your login shell, so if syslog-ng later fails to come online with a "library not found" error from the runtime linker (svcs -x syslog-ng names the log file to read), either give the service its own LD_LIBRARY_PATH through a method_environment block inside the manifest's method_context, or add the directory to the system-wide linker search path with crle -u -l /usr/local/lib. The crle change applies to every dynamically linked program on the host, so the per-service setting is the tighter option.
Install syslog-ng
Use pkgadd to install the syslogng package from Sun Freeware.
Configure the syslog-ng config file
Place it in /etc/syslog-ng.conf. Here is the one I used. A few things worth knowing before copying it:
- udp() with no ip() binds port 514 on every interface, and UDP syslog is unauthenticated and trivially spoofed, so restrict it with ipfilter to the client networks that should be sending logs, and keep the TCP source on 127.0.0.1 behind stunnel as shown.
- With keep_hostname(yes), $HOST, and therefore the directory created under /var/log/clients, is whatever hostname the sending host wrote into the message. check_hostname(yes) is what stops a forged hostname carrying non-hostname characters from being accepted as $HOST, so do not turn it off. If clients send directly (no relay in between), keep_hostname(no) with use_dns(yes) names the directory after the resolved sender address instead, which the client cannot choose.
- dir_perm(0755) and perm(0644) leave the client logs, authlog included, world-readable; tighten them (0750/0640) on a host with non-administrative users.
- r_fallback and several of the l_* destinations are defined but not referenced by any log statement; they are harmless and can be wired up or removed.
@version: 3.0

# Options
options {
    flush_lines (100);
    flush_timeout(1000);
    time_reopen (10);
    log_fifo_size (1000);
    normalize_hostnames(yes);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (yes);
    chain_hostnames(no);
    use_dns (yes);
    dns_cache(yes);
    dns_cache_expire(43800);
    check_hostname(yes);
    dir_perm(0755);
    perm(0644);
};

# Sources of syslog messages (both local and remote messages on the server)
source s_local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); };
source s_stunnel { tcp(ip("127.0.0.1") port(514) max-connections(1)); };
source s_udp { udp(); };

# Level Filters
## Inclusive ones
filter f_emerg { level (emerg); };
filter f_alert { level (alert .. emerg); };
filter f_crit { level (crit .. emerg); };
filter f_err { level (err .. emerg); };
filter f_warning { level (warning .. emerg); };
filter f_notice { level (notice .. emerg); };
filter f_info { level (info .. emerg); };
filter f_debug { level (debug .. emerg); };
## Exclusive ones
filter f_emerg_e { level (emerg); };
filter f_alert_e { level (alert); };
filter f_crit_e { level (crit); };
filter f_err_e { level (err); };
filter f_warning_e { level (warning); };
filter f_notice_e { level (notice); };
filter f_info_e { level (info); };
filter f_debug_e { level (debug); };

# Facility Filters
filter f_kern { facility (kern); };
filter f_user { facility (user); };
filter f_mail { facility (mail); };
filter f_daemon { facility (daemon); };
filter f_auth { facility (auth); };
filter f_auth_not { not facility (auth); };
filter f_syslog { facility (syslog); };
filter f_lpr { facility (lpr); };
filter f_news { facility (news); };
filter f_uucp { facility (uucp); };
filter f_cron { facility (cron); };
filter f_local0 { facility (local0); };
filter f_local1 { facility (local1); };
filter f_local2 { facility (local2); };
filter f_local3 { facility (local3); };
filter f_local4 { facility (local4); };
filter f_local5 { facility (local5); };
filter f_local6 { facility (local6); };
filter f_local7 { facility (local7); };

# Custom Filters
filter f_user_none { not facility (user); };
filter f_kern_debug { filter (f_kern) and filter (f_debug); };
filter f_daemon_notice { filter (f_daemon) and filter (f_notice); };
filter f_mail_crit { filter (f_mail) and filter (f_crit); };
filter f_mesg { filter (f_kern_debug) or filter (f_daemon_notice) or filter (f_mail_crit); };
filter f_authinfo { filter (f_auth) or program (sudo); };
filter f_crond_not { not program(CROND); };

# Destinations
## Local files, the console, and the client files
destination l_authlog { file ("/var/log/authlog"); };
destination l_messages { file ("/var/adm/messages"); };
destination l_maillog { file ("/var/log/maillog"); };
destination l_ipflog { file ("/var/log/ipflog"); };
destination l_imaplog { file ("/var/log/imaplog"); };
destination l_syslog { file ("/var/log/syslog"); };
destination l_console { file ("/dev/console"); };
## For "remote files"
destination r_authlog { file ("/var/log/clients/$HOST/authlog"); };
destination r_messages { file ("/var/log/clients/$HOST/messages"); };
destination r_maillog { file ("/var/log/clients/$HOST/maillog"); };
destination r_ipflog { file ("/var/log/clients/$HOST/ipflog"); };
destination r_imaplog { file ("/var/log/clients/$HOST/imaplog"); };
destination r_console { file ("/var/log/clients/$HOST/consolelog"); };
destination r_syslog { file ("/var/log/clients/$HOST/syslog"); };
destination r_fallback { file ("/var/log/clients/$HOST/$FACILITY-$LEVEL"); };

# Log statements
## Local sources
#log { source (s_local); filter (f_emerg); filter (f_user_none); destination (l_console); };
log { source (s_local); filter (f_emerg); destination (l_console); };
log { source (s_local); filter (f_err_e); destination (l_console); };
log { source (s_local); filter (f_kern); filter (f_notice); destination (l_console); };
log { source (s_local); filter (f_auth); filter (f_notice); destination (l_console); };
log { source (s_local); filter (f_authinfo); filter (f_notice); destination (l_authlog); };
log { source (s_local); filter (f_notice); filter (f_auth_not); destination (l_messages); };
log { source (s_local); filter (f_mail); destination (l_maillog); };

## Remote sources
### Some specific hosts - we want info level for these hosts too
filter r_host_hsm { host('my-host-web.*'); };
log { source (s_udp); filter (f_info_e); filter (r_host_hsm); filter (f_crond_not); destination (r_messages); };

### Standard hosts
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_notice); destination (r_messages); };
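To see what those filters actually do to traffic, here is an added example (not code from the page or from the syslog-ng project) that models the two remote-source log statements above in Python: it builds RFC 3164 datagrams with the PRI arithmetic the level and facility filters act on, parses them back, and decides which file under /var/log/clients a datagram would land in. The routing table is this script's reading of the config, the hostname character set is an assumed approximation of what check_hostname(yes) enforces, and the model simply refuses to route a message whose hostname fails that check rather than reproducing syslog-ng's own handling of it. The send_test_message helper fires the same constructed datagrams at a real collector from a client; the sample traffic at the bottom is constructed, not captured.

```python
"""Model of the remote-source routing in the syslog-ng.conf above.

Added illustration only: the routing is this script's reading of the
config, and HOSTNAME_RE is an assumed approximation of check_hostname(yes).
"""
import re
import socket

# RFC 3164 facility and severity codes: PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG   (BSD syslog format)
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
    r"([^:\[ ]+)(?:\[\d+\])?: ?(.*)$")
# Assumed approximation of check_hostname(yes): letters, digits, '.', '-', '_'.
# No '/' means a client-chosen $HOST cannot escape /var/log/clients.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def build_datagram(facility, level, host, tag, msg, ts="Jun  7 09:42:00"):
    """Assemble one BSD syslog line with the PRI the filters will decode."""
    pri = FACILITIES.index(facility) * 8 + LEVELS.index(level)
    return "<%d>%s %s %s: %s" % (pri, ts, host, tag, msg)


def parse(line):
    """Split a datagram into the fields the filters act on; None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        return None
    return {"facility": FACILITIES[pri >> 3], "level": LEVELS[pri & 7],
            "host": m.group(3), "program": m.group(4), "msg": m.group(5)}


def level_at_least(level, floor):
    """syslog-ng 'level(floor .. emerg)': a lower index is more severe."""
    return LEVELS.index(level) <= LEVELS.index(floor)


def route_remote(line, peer_name=None, keep_hostname=True):
    """Return the file a datagram arriving on s_udp would be written to,
    or None when no log statement matches (syslog-ng then discards it).

    peer_name stands in for what use_dns(yes) resolved the sender IP to;
    with keep_hostname(no) it replaces the hostname the client wrote.
    """
    rec = parse(line)
    if rec is None:
        return None
    host = rec["host"] if keep_hostname else peer_name
    # check_hostname(yes): a hostname outside the allowed set is not used as
    # $HOST. Simplified here to refusing the message outright.
    if not host or not HOSTNAME_RE.match(host):
        return None
    dest = "/var/log/clients/%s/messages" % host
    # log { source(s_udp); filter(f_info_e); filter(r_host_hsm);
    #       filter(f_crond_not); destination(r_messages); };
    if (rec["level"] == "info" and re.search(r"my-host-web.*", host)
            and rec["program"] != "CROND"):
        return dest
    # log { source(s_local); source(s_stunnel); source(s_udp);
    #       filter(f_notice); destination(r_messages); };
    if level_at_least(rec["level"], "notice"):
        return dest
    return None


def send_test_message(collector, line, port=514):
    """Fire one constructed datagram at the collector over UDP (like s_udp)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("ascii"), (collector, port))


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    samples = [
        build_datagram("auth", "notice", "db01", "sshd", "Accepted publickey"),
        build_datagram("daemon", "info", "db01", "httpd", "GET /"),
        build_datagram("daemon", "info", "my-host-web1", "httpd", "GET /"),
        build_datagram("cron", "info", "my-host-web1", "CROND", "run-parts"),
        build_datagram("auth", "crit", "../../tmp/evil", "sshd", "forged host"),
    ]
    for line in samples:
        print("%-48s -> %s" % (line[:48], route_remote(line)))
```

Run it and the five samples show the intent of the config: notice and above from any host is kept, info is kept only from the my-host-web hosts and never for CROND, and the forged hostname never becomes a directory name. Swap the keep_hostname argument to False and pass the resolved peer name to see the safer naming scheme for directly connected clients.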
Create service
Create the manifest file shown in the next section as /var/svc/manifest/system/syslog-ng.xml, then validate and import it:
# svccfg validate /var/svc/manifest/system/syslog-ng.xml
# svccfg import /var/svc/manifest/system/syslog-ng.xml
Before starting the new service we need to disable the standard one, since both want /dev/log and port 514:
# svcadm disable system-log
Enable the new service:
# svcadm enable syslog-ng
svcs syslog-ng should now report it online; if it lands in maintenance instead, svcs -x syslog-ng points at the log to read.
Manifest file
/var/svc/manifest/system/syslog-ng.xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='syslog-ng'>
  <service name='system/syslog-ng' type='service' version='1'>
    <create_default_instance enabled='false' />
    <single_instance/>

    <!-- what must be up before syslog-ng starts -->
    <dependency name='milestone' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/milestone/sysconfig' />
    </dependency>
    <dependency name='filesystem' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local' />
    </dependency>
    <dependency name='autofs' grouping='optional_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/autofs' />
    </dependency>
    <dependency name='name-services' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/milestone/name-services' />
    </dependency>

    <!-- the multi-user milestone waits for syslog-ng, so logging is up before the rest of the system -->
    <dependent name='syslog-ng_multi-user' grouping='optional_all' restart_on='none'>
      <service_fmri value='svc:/milestone/multi-user' />
    </dependent>

    <exec_method type='method' name='start' exec='/usr/local/sbin/syslog-ng --cfgfile=/etc/syslog-ng.conf' timeout_seconds='60' />
    <exec_method type='method' name='stop' exec=':kill' timeout_seconds='60' />
    <!-- SIGHUP makes syslog-ng re-read its config and reopen its files -->
    <exec_method type='method' name='refresh' exec=':kill -HUP' timeout_seconds='60' />

    <stability value='Unstable' />

    <template>
      <common_name>
        <loctext xml:lang='C'>syslog-ng</loctext>
      </common_name>
      <documentation>
        <manpage title='syslog-ng' section='1M' manpath='/usr/local/man' />
      </documentation>
    </template>
  </service>
</service_bundle>