Hi,
I’m running openSUSE 11 and I am setting up a Cisco ASA to log to syslog-ng on this machine. The messages keep writing to /var/log/messages and not the file I set.
nmon:/var/log #
nmon:/var/log # cd /etc/syslog-ng/
nmon:/etc/syslog-ng # cat syslog-ng.conf/etc/syslog-ng/syslog-ng.conf
File format description can be found in syslog-ng.conf(5)
and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
NOTE: The SuSEconfig script and its syslog-ng.conf.in
configuration template aren’t used any more.
Feel free to edit this file directly.
Additional log sockets for chroot environments can
be declared in the /etc/sysconfig/syslog file using
SYSLOGD_ADDITIONAL_SOCKET<NAME>
variables. This way allows to define a socket from
RPM scripts and is used by several services, e.g.
bind and dhcpd.
The sockets defined in /etc/sysconfig/syslog file
are added by the /etc/ini.d/syslog init-script using
“-a path” command line options while syslog-ng is
started.
This syslog-ng contains an extension and appends the
sockets added by “-a” option to the same source group
and using the same socket type (unix-dgram) as the
“/dev/log” socket.
If one of the sockets added by “-a” option already
exists in any (other) source group in the config file,
then the socket added by “-a” option is ignored.
Global options.
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };
‘src’ is our main source definition. you can add
more sources driver definitions to it, or define
your own sources, i.e.:
#source my_src { … };
source src {
include internal syslog-ng messages
note: the internal() soure is required!
internal();
the default log socket for local logging:
unix-dgram("/dev/log");
uncomment to process log messages from network:
udp(ip(“0.0.0.0”) port(514));
};Filter definitions
filter f_iptables { facility(kern) and match(“IN=”) and match(“OUT=”); };
filter f_console { level(warn) and facility(kern) and not filter(f_iptables)
or level(err) and not facility(authpriv); };filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit { level(crit) and facility(news); };
filter f_newserr { level(err) and facility(news); };
filter f_news { facility(news); };filter f_mailinfo { level(info) and facility(mail); };
filter f_mailwarn { level(warn) and facility(mail); };
filter f_mailerr { level(err, crit) and facility(mail); };
filter f_mail { facility(mail); };filter f_cron { facility(cron); };
filter f_local { facility(local0, local1, local2, local3,
local4, local5, local6, local7); };acpid messages
filter f_acpid_full { match(’^acpid:’); };
filter f_acpid { level(emerg…notice) and match(’^acpid:’); };this is for the old acpid < 1.0.6
filter f_acpid_old { match(’^[acpid]:’); };
filter f_netmgm { match(’^NetworkManager:’); };
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
filter f_warn { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert { level(alert); };Enable this and adopt IP to send log messages to a log server.
#destination logserver { udp(“10.10.10.10” port(514)); };
#log { source(src); destination(logserver); };Enable this, if you want to keep all messages in one file:
(don’t forget to provide logrotation config)
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };Most warning and errors on tty10 and on the xconsole pipe:
destination console { pipe("/dev/tty10" owner(-1) group(-1) perm(-1)); };
log { source(src); filter(f_console); destination(console); };destination xconsole { pipe("/dev/xconsole" owner(-1) group(-1) perm(-1)); };
log { source(src); filter(f_console); destination(xconsole); };Enable this, if you want that root is informed immediately,
e.g. of logins:
#destination root { usertty(“root”); };
#log { source(src); filter(f_alert); destination(root); };News-messages in separate files:
destination newscrit { file("/var/log/news/news.crit"
owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };destination newserr { file("/var/log/news/news.err"
owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };destination newsnotice { file("/var/log/news/news.notice"
owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };and optionally also all in one file:
(don’t forget to provide logrotation config)
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };Mail-messages in separate files:
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };destination mailerr { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };and also all in one file:
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };acpid messages in one file:
destination acpid { file("/var/log/acpid"); };
destination null { };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };if you want more verbose acpid logging, comment the destination(null)
line and uncomment the destination(acpid) line
log { source(src); filter(f_acpid_full); destination(null); flags(final); };
log { source(src); filter(f_acpid_full); destination(acpid); flags(final); };
old acpid < 1.0.6
log { source(src); filter(f_acpid_old); destination(acpid); flags(final); };
NetworkManager messages in one file:
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };Cron-messages in one file:
(don’t forget to provide logrotation config)
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };Some boot scripts use/require local[1-7]:
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };use FQDN and long names
options {
long_hostnames(on);
keep_hostname(on);
use_fqdn(on);
sync(0);
};lets things log from the network, might need to allow udp/514 on your firewall
source net { udp(); };
Does a lookup on the IP the message came from and uses that as the file name
remember to set a logging interface preferably the loopback
destination d_cisco_devices { file("/var/log/cisco/$HOST.log"); };
you can probably do fancier stuff with this
filter f_cisco_info { level(info); };
filter f_cisco_notice { level(notice); };
filter f_cisco_warn { level(warn); };
filter f_cisco_crit { level(crit); };
filter f_cisco_err { level(err); };Ditto for here, too
log { source(net); filter(f_cisco_info); destination(d_cisco_devices); };
log { source(net); filter(f_cisco_notice); destination(d_cisco_devices); };
log { source(net); filter(f_cisco_warn); destination(d_cisco_devices); };
log { source(net); filter(f_cisco_crit); destination(d_cisco_devices); };
log { source(net); filter(f_cisco_err); destination(d_cisco_devices); };All messages except iptables and the facilities news and mail:
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };Firewall (iptables) messages in one file:
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };Warnings (except iptables) in one file:
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };Logging for the Cisco ASA 5505
destination d_asa5505 { file("/var/log/asa5505.log");};
source s_asa5505{udp();};
filter f_asa5505{host(“192.168.0.1”);};
log {source(s_asa5505); filter(f_asa5505); destination(d_asa5505);};
source network { udp(ip(192.168.0.243)); };
destination asa5505 { file("/var/log/cisco-asa.log"); };
destination d_asa5505 { file("/var/log/cisco-asa.log"); };
filter f_local6 { facility(local6); };
log { source(network); filter(f_local6); destination(d_asa5505); };
nmon:/etc/syslog-ng #