Hi,
I’m running openSUSE 11 and I am setting up a Cisco ASA to log to
syslog-ng on this machine. The messages keep writing to
/var/log/messages and not the file I set.
> nmon:/var/log #
> nmon:/var/log # cd /etc/syslog-ng/
> nmon:/etc/syslog-ng # cat syslog-ng.conf
> #
> # /etc/syslog-ng/syslog-ng.conf
> #
> # File format description can be found in syslog-ng.conf(5)
> # and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
> #
> # NOTE: The SuSEconfig script and its syslog-ng.conf.in
> # configuration template aren’t used any more.
> #
> # Feel free to edit this file directly.
> #
> # Additional log sockets for chroot environments can
> # be declared in the /etc/sysconfig/syslog file using
> # SYSLOGD_ADDITIONAL_SOCKET<NAME>
> # variables. This way allows to define a socket from
> # RPM scripts and is used by several services, e.g.
> # bind and dhcpd.
> #
> # The sockets defined in /etc/sysconfig/syslog file
> # are added by the /etc/ini.d/syslog init-script using
> # “-a path” command line options while syslog-ng is
> # started.
> #
> # This syslog-ng contains an extension and appends the
> # sockets added by “-a” option to the same source group
> # and using the same socket type (unix-dgram) as the
> # “/dev/log” socket.
> # If one of the sockets added by “-a” option already
> # exists in any (other) source group in the config file,
> # then the socket added by “-a” option is ignored.
> #
>
> #
> # Global options.
> #
> options { long_hostnames(off); sync(0); perm(0640); stats(3600); };
>
> #
> # ‘src’ is our main source definition. you can add
> # more sources driver definitions to it, or define
> # your own sources, i.e.:
> #
> #source my_src { … };
> #
> source src {
> #
> # include internal syslog-ng messages
> # note: the internal() soure is required!
> #
> internal();
>
> #
> # the default log socket for local logging:
> #
> unix-dgram("/dev/log");
>
> #
> # uncomment to process log messages from network:
> #
> udp(ip(“0.0.0.0”) port(514));
> };
>
>
> #
> # Filter definitions
> #
> filter f_iptables { facility(kern) and match(“IN=”) and
> match(“OUT=”); };
>
> filter f_console { level(warn) and facility(kern) and not
> filter(f_iptables)
> or level(err) and not facility(authpriv); };
>
> filter f_newsnotice { level(notice) and facility(news); };
> filter f_newscrit { level(crit) and facility(news); };
> filter f_newserr { level(err) and facility(news); };
> filter f_news { facility(news); };
>
> filter f_mailinfo { level(info) and facility(mail); };
> filter f_mailwarn { level(warn) and facility(mail); };
> filter f_mailerr { level(err, crit) and facility(mail); };
> filter f_mail { facility(mail); };
>
> filter f_cron { facility(cron); };
>
> filter f_local { facility(local0, local1, local2, local3,
> local4, local5, local6, local7); };
>
> #
> # acpid messages
> #
> filter f_acpid_full { match(’^acpid:’); };
> filter f_acpid { level(emerg…notice) and match(’^acpid:’); };
>
> # this is for the old acpid < 1.0.6
> filter f_acpid_old { match(’^[acpid]:’); };
>
> filter f_netmgm { match(’^NetworkManager:’); };
>
> filter f_messages { not facility(news, mail) and not
> filter(f_iptables); };
> filter f_warn { level(warn, err, crit) and not
> filter(f_iptables); };
> filter f_alert { level(alert); };
>
>
> #
> # Enable this and adopt IP to send log messages to a log server.
> #
> #destination logserver { udp(“10.10.10.10” port(514)); };
> #log { source(src); destination(logserver); };
>
> #
> # Enable this, if you want to keep all messages in one file:
> # (don’t forget to provide logrotation config)
> #
> #destination allmessages { file("/var/log/allmessages"); };
> #log { source(src); destination(allmessages); };
>
> #
> # Most warning and errors on tty10 and on the xconsole pipe:
> #
> destination console { pipe("/dev/tty10" owner(-1) group(-1)
> perm(-1)); };
> log { source(src); filter(f_console); destination(console); };
>
> destination xconsole { pipe("/dev/xconsole" owner(-1) group(-1)
> perm(-1)); };
> log { source(src); filter(f_console); destination(xconsole); };
>
> # Enable this, if you want that root is informed immediately,
> # e.g. of logins:
> #
> #destination root { usertty(“root”); };
> #log { source(src); filter(f_alert); destination(root); };
>
>
> #
> # News-messages in separate files:
> #
> destination newscrit { file("/var/log/news/news.crit"
> owner(news) group(news)); };
> log { source(src); filter(f_newscrit); destination(newscrit); };
>
> destination newserr { file("/var/log/news/news.err"
> owner(news) group(news)); };
> log { source(src); filter(f_newserr); destination(newserr); };
>
> destination newsnotice { file("/var/log/news/news.notice"
> owner(news) group(news)); };
> log { source(src); filter(f_newsnotice); destination(newsnotice); };
>
> #
> # and optionally also all in one file:
> # (don’t forget to provide logrotation config)
> #
> #destination news { file("/var/log/news.all"); };
> #log { source(src); filter(f_news); destination(news); };
>
>
> #
> # Mail-messages in separate files:
> #
> destination mailinfo { file("/var/log/mail.info"); };
> log { source(src); filter(f_mailinfo); destination(mailinfo); };
>
> destination mailwarn { file("/var/log/mail.warn"); };
> log { source(src); filter(f_mailwarn); destination(mailwarn); };
>
> destination mailerr { file("/var/log/mail.err" fsync(yes)); };
> log { source(src); filter(f_mailerr); destination(mailerr); };
>
> #
> # and also all in one file:
> #
> destination mail { file("/var/log/mail"); };
> log { source(src); filter(f_mail); destination(mail); };
>
>
> #
> # acpid messages in one file:
> #
> destination acpid { file("/var/log/acpid"); };
> destination null { };
> log { source(src); filter(f_acpid); destination(acpid); flags(final);
> };
> #
> # if you want more verbose acpid logging, comment the
> destination(null)
> # line and uncomment the destination(acpid) line
> #
> log { source(src); filter(f_acpid_full); destination(null);
> flags(final); };
> # log { source(src); filter(f_acpid_full); destination(acpid);
> flags(final); };
> #
> # old acpid < 1.0.6
> log { source(src); filter(f_acpid_old); destination(acpid);
> flags(final); };
>
> #
> # NetworkManager messages in one file:
> #
> destination netmgm { file("/var/log/NetworkManager"); };
> log { source(src); filter(f_netmgm); destination(netmgm); flags(final);
> };
>
>
> #
> # Cron-messages in one file:
> # (don’t forget to provide logrotation config)
> #
> #destination cron { file("/var/log/cron"); };
> #log { source(src); filter(f_cron); destination(cron); };
>
>
> #
> # Some boot scripts use/require local[1-7]:
> #
> destination localmessages { file("/var/log/localmessages"); };
> log { source(src); filter(f_local); destination(localmessages); };
>
> #####
> #####
> # use FQDN and long names
> options {
> long_hostnames(on);
> keep_hostname(on);
> use_fqdn(on);
> sync(0);
> };
>
> # lets things log from the network, might need to allow udp/514 on your
> firewall
> source net { udp(); };
>
> # Does a lookup on the IP the message came from and uses that as the
> file name
> # remember to set a logging interface preferably the loopback
> destination d_cisco_devices { file("/var/log/cisco/$HOST.log"); };
>
> # you can probably do fancier stuff with this
> filter f_cisco_info { level(info); };
> filter f_cisco_notice { level(notice); };
> filter f_cisco_warn { level(warn); };
> filter f_cisco_crit { level(crit); };
> filter f_cisco_err { level(err); };
>
> # Ditto for here, too
> log { source(net); filter(f_cisco_info); destination(d_cisco_devices);
> };
> log { source(net); filter(f_cisco_notice);
> destination(d_cisco_devices); };
> log { source(net); filter(f_cisco_warn); destination(d_cisco_devices);
> };
> log { source(net); filter(f_cisco_crit); destination(d_cisco_devices);
> };
> log { source(net); filter(f_cisco_err); destination(d_cisco_devices);
> };
> #####
> #####
> #
> # All messages except iptables and the facilities news and mail:
> #
> destination messages { file("/var/log/messages"); };
> log { source(src); filter(f_messages); destination(messages); };
>
>
> #
> # Firewall (iptables) messages in one file:
> #
> destination firewall { file("/var/log/firewall"); };
> log { source(src); filter(f_iptables); destination(firewall); };
>
>
> #
> # Warnings (except iptables) in one file:
> #
> destination warn { file("/var/log/warn" fsync(yes)); };
> log { source(src); filter(f_warn); destination(warn); };
>
> #
> # Logging for the Cisco ASA 5505
> #
>
> ####
> # destination d_asa5505 { file("/var/log/asa5505.log");};
> # source s_asa5505{udp();};
> # filter f_asa5505{host(“192.168.0.1”);};
> # log {source(s_asa5505); filter(f_asa5505); destination(d_asa5505);};
>
> ####
>
>
> # source network { udp(ip(192.168.0.243)); };
> # destination asa5505 { file("/var/log/cisco-asa.log"); };
>
>
> # destination d_asa5505 { file("/var/log/cisco-asa.log"); };
> # filter f_local6 { facility(local6); };
> # log { source(network); filter(f_local6); destination(d_asa5505); };
> nmon:/etc/syslog-ng #
>