Thread: Syslog setup questions

  1. #1
    sc123 NNTP User

    Syslog setup questions

    So I have 10.3 and I'm just trying to set up syslog-ng to listen for and log any messages sent from my firewall, but I can't figure it out. I used the guide here, but it is dated and seems to be missing steps and/or referencing older versions of the conf file. Can anyone point me to a newer/better guide or assist? Thanks!

  2. #2

    Re: Syslog setup questions

    That guide isn't too far off. First you have to tell syslog-ng to listen to messages from other computers. As the comments in /etc/syslog-ng/syslog-ng.conf indicate, uncomment this line in the src section:

    Code:
            udp(ip("0.0.0.0") port(514));
    Also open your firewall to 514/udp to your LAN machines.

    Since the remote log messages will be mixed with local log messages, you might want to write some matching rules so that remote log messages go to some other file.

  3. #3
    sc123 NNTP User

    Re: Syslog setup questions

    Thanks for your help - uncommenting that line was the only thing missing to get syslog logging.

    I would like to add the code to tell syslog to create a log file for just the data coming from my firewall at 192.168.0.1, but I'm unfamiliar with the syntax. Would you happen to know what that would be? Right now everything is just going to /var/log/allmessages.

  4. #4

    Re: Syslog setup questions

    Have a look at man syslog-ng.conf.

    What you probably want to do is to create another source, another destination and then connect them up using a log statement so that this chain is separate from the existing chain.

  5. #5
    sc123 NNTP User

    Re: Syslog setup questions

    Thanks for your motivation, I gave it a whirl and got it to work. To save others from learning, here is what I added (first I re-commented out the following in the source "src"):

    Code:
    #udp(ip("0.0.0.0") port(514));
    Then I added the following code to create a new source, destination and log entry:

    Code:
    source checkpoint {
        #
        # uncomment to process log messages from network:
        #
        udp(ip("0.0.0.0") port(514));
    };

    destination checkpoint { file("/var/log/checkpoint"); };
    log { source(checkpoint); destination(checkpoint); };
    Works like a charm!
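The configuration in #5 sends everything that arrives on 514/udp to /var/log/checkpoint, not only what the firewall at 192.168.0.1 sends as asked in #3. The fragment below is an added example, not from anyone in this thread: it keeps the stock local "src" source untouched and restricts the remote chain to the firewall's sender address. It assumes the syslog-ng 1.6-era syntax shipped with 10.3 (netmask() filter, flags(final)) and reuses the file path and IP from the thread.

```conf
# Added example (not from the thread). Assumes syslog-ng 1.6-era syntax.
# The stock "src" source stays local-only (its udp() line left commented).

# Listener for remote hosts only.
source s_remote {
    udp(ip("0.0.0.0") port(514));
};

# Match on the sender's IP address. host() would instead match the
# hostname the firewall writes into the message header, which is
# easier for a sender to choose freely and may not be an IP at all.
filter f_firewall {
    netmask("192.168.0.1/32");
};

destination d_checkpoint {
    file("/var/log/checkpoint");
};

# Firewall messages go to /var/log/checkpoint. flags(final) stops a
# message that matched here from also reaching the later log statement
# below, so the firewall's lines are not duplicated.
log {
    source(s_remote);
    filter(f_firewall);
    destination(d_checkpoint);
    flags(final);
};

# Anything else arriving on 514/udp came from a host that was not
# expected to log here; keep it in its own file for review instead
# of silently dropping it or mixing it into /var/log/allmessages.
destination d_remote_other {
    file("/var/log/remote-unexpected");
};
log {
    source(s_remote);
    destination(d_remote_other);
};
```

Because UDP syslog carries no sender authentication, the netmask() match only tells you which address the packet claimed to come from; the firewall rule from #2 (514/udp open to LAN machines only) is what keeps that claim meaningful.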
