syslog-ng.conf

Has anyone here configured a central syslog server using syslog-ng?

I have set one up and I'm trying to tune the syslog-ng.conf file, both for the server and the client. I have found lots of Linux example files, but not much on Solaris, which is slightly different.

So if you have a Solaris syslog-ng.conf or have any links to some I would love to see them.

This is what I have:
Server:

#
# syslog-ng server configuration:
#

options
  {
    sync (0);
    stats (0);
    chain_hostnames(no);
    create_dirs (yes);
    dir_perm(0755);
    dns_cache(yes);
    keep_hostname(yes);
    log_fifo_size(2048);
    long_hostnames(on);
    perm(0644);
    time_reopen (10);
    use_dns(yes);
  };

source s_local  { sun-streams ("/dev/log" door("/var/run/syslog_door")); internal(); };
source s_remote { tcp(); };

#----------------------------------------------------------------------
#  Standard Log file locations
#----------------------------------------------------------------------
destination d_cons      { file("/dev/console"); };
destination d_mesg      { file("/var/adm/messages"); };
destination d_mail      { file("/var/log/syslog"); };
destination d_auth      { file("/var/log/authlog"); };
destination d_mlop      { usertty("operator"); };
destination d_mlrt      { usertty("root"); };
destination d_mlal      { usertty("*"); };

#----------------------------------------------------------------------
#  Remote logs sorting by host
#----------------------------------------------------------------------
destination d_clients       { file("/var/log/HOSTS/$HOST/$R_YEAR/$R_MONTH/$R_DAY/$FACILITY"); };

#----------------------------------------------------------------------
#  Standard filters for the standard destinations.
#----------------------------------------------------------------------
filter f_filter1   { level(err) or
                     (level(notice) and facility (auth, kern)); };
filter f_filter2   { level(err) or
                     (facility(kern) and level(notice)) or
                     (facility(daemon) and level(notice)) or
                     (facility(mail) and level(crit)); };
filter f_filter3   { level(alert) or
                     (facility(kern) and level(err)) or
                     (facility(daemon) and level(err)); };
filter f_filter4   { level(alert); };
filter f_filter5   { level(emerg); };
filter f_filter6   { facility(kern) and level(notice); };
filter f_filter7   { facility(mail) and level(debug); };
filter f_filter8   { facility(user) and level(err); };
filter f_filter9   { facility(user) and level(alert); };

#----------------------------------------------------------------------
#  Standard logging
#----------------------------------------------------------------------
log { source(s_local); filter(f_filter1); destination(d_cons); };
log { source(s_local); filter(f_filter2); destination(d_mesg); };
log { source(s_local); filter(f_filter3); destination(d_mlop); };
log { source(s_local); filter(f_filter4); destination(d_mlrt); };
log { source(s_local); filter(f_filter5); destination(d_mlal); };
log { source(s_local); filter(f_filter6); destination(d_auth); };
log { source(s_local); filter(f_filter7); destination(d_mail); };
log { source(s_local); filter(f_filter8); destination(d_cons);
                                        destination(d_mesg); };
log { source(s_local); filter(f_filter9); destination(d_mlop);
                                        destination(d_mlrt); };

#----------------------------------------------------------------------
#  Remote logging
#----------------------------------------------------------------------
log { source(s_remote); destination(d_clients); };

##########################################
##        NOT SURE IF I NEED THIS       ##
##########################################
#----------------------------------------------------------------------
#  Special catch all destination sorting by host
#----------------------------------------------------------------------
log { source(s_local); source(s_remote); destination(d_clients); };

Client:

#
# syslog-ng client configuration: some local logs, in addition to TCP
# logging to central loghost.
#

options
  {
    sync (0);
    stats (0);
    chain_hostnames(no);
    create_dirs (yes);
    dir_perm(0755);
    dns_cache(yes);
    keep_hostname(yes);
    log_fifo_size(2048);
    long_hostnames(on);
    perm(0644);
    time_reopen (10);
    use_dns(yes);
  };

source s_local  { sun-streams ("/dev/log" door("/var/run/syslog_door")); internal(); };

#----------------------------------------------------------------------
#  Standard Log file locations
#----------------------------------------------------------------------
destination d_cons      { file("/dev/console"); };
destination d_mesg      { file("/var/adm/messages"); };
destination d_mail      { file("/var/log/syslog"); };
destination d_auth      { file("/var/log/authlog"); };
destination d_mlop      { usertty("operator"); };
destination d_mlrt      { usertty("root"); };
destination d_mlal      { usertty("*"); };

#----------------------------------------------------------------------
#  Forward to a loghost server
#----------------------------------------------------------------------
destination d_loghostdr   { tcp("loghostdr" port(514)); };

#----------------------------------------------------------------------
#  Standard filters for the standard destinations.
#----------------------------------------------------------------------
filter f_filter1   { level(err) or
                     (level(notice) and facility (auth, kern)); };
filter f_filter2   { level(err) or
                     (facility(kern) and level(notice)) or
                     (facility(daemon) and level(notice)) or
                     (facility(mail) and level(crit)); };
filter f_filter3   { level(alert) or
                     (facility(kern) and level(err)) or
                     (facility(daemon) and level(err)); };
filter f_filter4   { level(alert); };
filter f_filter5   { level(emerg); };
filter f_filter6   { facility(kern) and level(notice); };
filter f_filter7   { facility(mail) and level(debug); };
filter f_filter8   { facility(user) and level(err); };
filter f_filter9   { facility(user) and level(alert); };

#----------------------------------------------------------------------
#  Standard logging
#----------------------------------------------------------------------
log { source(s_local); filter(f_filter1); destination(d_cons); };
log { source(s_local); filter(f_filter2); destination(d_mesg); };
log { source(s_local); filter(f_filter3); destination(d_mlop); };
log { source(s_local); filter(f_filter4); destination(d_mlrt); };
log { source(s_local); filter(f_filter5); destination(d_mlal); };
log { source(s_local); filter(f_filter6); destination(d_auth); };
log { source(s_local); filter(f_filter7); destination(d_mail); };
log { source(s_local); filter(f_filter8); destination(d_cons);
                                        destination(d_mesg); };
log { source(s_local); filter(f_filter9); destination(d_mlop);
                                        destination(d_mlrt); };

#----------------------------------------------------------------------
#  Send to a remote loghost
#----------------------------------------------------------------------
log { source(s_local); destination(d_loghostdr); };

I think the last line of the server conf file is redundant. You don't need this. Another thing: you can add the flags(final); statement to each of the log entries so that no log will be stored more than once if it matches multiple filters.
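As an added illustration (not part of the thread), here is how a single message is written twice under the server configuration above, and two ways to stop it using only the filters and destinations already defined there:

```conf
# Added example, not from the original post: duplicate delivery in the
# server's "Standard logging" block and two ways to remove it.
#
# A user.err message matches f_filter1 (level(err)) -> d_cons,
# f_filter2 (level(err)) -> d_mesg, and f_filter8 (facility(user) and
# level(err)) -> d_cons, d_mesg. Every matching log statement delivers on
# its own, so /dev/console and /var/adm/messages each get the line twice.

# Option 1: flags(final). The first matching statement wins, so the
# specific user.* paths must be listed before the broad level(err) ones.
# Caveat: a message now reaches only one statement's destinations, so the
# fan-out the original relies on (kern.alert to console, messages, operator
# and root) is lost unless all of those are named in the one statement.
log { source(s_local); filter(f_filter9);
      destination(d_mlop); destination(d_mlrt); flags(final); };
log { source(s_local); filter(f_filter8);
      destination(d_cons); destination(d_mesg); flags(final); };
log { source(s_local); filter(f_filter1); destination(d_cons); flags(final); };
log { source(s_local); filter(f_filter2); destination(d_mesg); flags(final); };

# Option 2: keep the fan-out and remove the overlap instead. f_filter8 is a
# subset of f_filter1 (d_cons) and f_filter2 (d_mesg), and f_filter9 is a
# subset of f_filter3 (d_mlop) and f_filter4 (d_mlrt), so dropping the
# f_filter8 and f_filter9 statements leaves every message in the same
# destinations, once each, with no ordering dependency.
log { source(s_local); filter(f_filter1); destination(d_cons); };
log { source(s_local); filter(f_filter2); destination(d_mesg); };
log { source(s_local); filter(f_filter3); destination(d_mlop); };
log { source(s_local); filter(f_filter4); destination(d_mlrt); };
log { source(s_local); filter(f_filter5); destination(d_mlal); };
log { source(s_local); filter(f_filter6); destination(d_auth); };
log { source(s_local); filter(f_filter7); destination(d_mail); };
# (no f_filter8 / f_filter9 statements needed)
```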

Thanks

I am getting this error now.

On Client:

On Server:

All I can find is this solution.

The problem is that I am not using unix-streams and max-connections(20) is an option for unix-streams. This is what my source line looks like.

Anyone know how I can fix this error in my config (using sun-streams)?

Here is the definition from the config file:

I have added this line and it has fixed the problem.

When required I will increase this value.

Your file and directory perms are way too open.

They shouldn't exceed 0750 for the directory, and 0640 for the files. You might want to explicitly set the owner() and group() for both the files and directories as well.

If you limit access to root, set the group so others can view the file, i.e.:

destination d_auth { file("/var/log/authlog") owner(root) group(sysadmin); };
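As an added example (not from the thread), the server's options block and the per-host destination with the permissions tightened along these lines. The group name sysadmin is assumed; substitute whichever group should be able to read logs.

```conf
# Added example, not from the original post: the global options and the
# d_clients destination from the server configuration above, hardened.
# "sysadmin" is an assumed group name.

options
  {
    sync (0);
    stats (0);
    chain_hostnames(no);
    create_dirs (yes);
    dir_perm(0750);        # was 0755: any local user could list every host's tree
    dir_owner(root);
    dir_group(sysadmin);
    dns_cache(yes);
    keep_hostname(yes);
    log_fifo_size(2048);
    long_hostnames(on);
    perm(0640);            # was 0644: any local user could read every log file
    owner(root);
    group(sysadmin);
    time_reopen (10);
    use_dns(yes);
  };

# Per-destination settings override the global ones. The per-host tree is
# created by syslog-ng itself (create_dirs), so the dir_* values here decide
# who can browse /var/log/HOSTS/<host>/... once it exists.
destination d_clients { file("/var/log/HOSTS/$HOST/$R_YEAR/$R_MONTH/$R_DAY/$FACILITY")
                        owner(root) group(sysadmin) perm(0640)
                        dir_owner(root) dir_group(sysadmin) dir_perm(0750); };

# Same treatment for the local files; authlog records logins and su attempts.
destination d_mesg    { file("/var/adm/messages") owner(root) group(sysadmin) perm(0640); };
destination d_auth    { file("/var/log/authlog")  owner(root) group(sysadmin) perm(0640); };
```

Files and directories that already exist keep their current mode; these settings apply to what syslog-ng creates, so existing ones need a one-time chmod/chgrp.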

I don't know how large your deployment is, how important you feel the remote logging is or what nanny alerts you have in place... but you could use udp instead of tcp.

At the moment it is being used in a lab on about 13 systems.