TITLE: Setting up syslog-ng LFS VERSION: any AUTHOR: Jim Gifford SYNOPSIS: How to setup syslog-ng, a replacement for sysklogd. HINT: $Revision: 1.1 $ Introduction to syslog-ng Download location http://www.balabit.hu/en/downloads/syslog-ng Version used 1.5.21 libol library used 0.3.3 syslog-ng is a a syslogd replacement, but with new functionality. The original syslogd allows messages only to be sorted based on prioiry/facility pairs. Syslog-ng adds the posibility to filter based on message contents using regular expressions. The new configuration shceme is intuitive and powerful. Forwarding logs over TCP and remembering all forwarding hops makes it ideal for firewall environments. --- Installation of syslog-ng Install syslog-ng's libol by running the following commands: ./configure --prefix=/usr --enable-shared && make && make install --- Install syslog-ng by running the following commmands| ./configure --prefix=/usr --sysconfigdir=/etc && make && make install ---- Configuring syslog-ng Config files /etc/syslog-ng/syslog-ng.conf Create the syslog-ng.conf file by running: cat > /etc/syslog-ng/syslog-ng.conf << "EOF" # Begin /etc/syslog-ng/syslog-ng.conf # # Syslog-ng configuration for Linux from Scratch # options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames(off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); }; source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); }; destination authlog { file("/var/log/authorize.log"); }; destination syslog { file("/var/log/syslog.log"); }; destination cron { file("/var/log/cron.log"); }; destination daemon { file("/var/log/daemon.log"); }; destination kernel { file("/var/log/kernel.log"); }; destination lpr { file("/var/log/lpr.log"); }; destination user { file("/var/log/user.log"); }; destination uucp { file("/var/log/uucp.log"); }; destination mail { file("/var/log/mail.log"); }; destination news { file("/var/log/news.log"); }; destination debug { file("/var/log/debug.log"); }; destination messages { file("/var/log/messages.log"); }; destination everything { file("/var/log/everything.log"); }; destination console { usertty("root"); }; destination console_all { file("/dev/tty12"); }; filter f_auth { facility(auth); }; filter f_authpriv { facility(auth, authpriv); }; filter f_syslog { not facility(authpriv, mail); }; filter f_cron { facility(cron); }; filter f_daemon { facility(daemon); }; filter f_kernel { facility(kern); }; filter f_lpr { facility(lpr); }; filter f_mail { facility(mail); }; filter f_news { facility(news); }; filter f_user { facility(user); }; filter f_uucp { facility(cron); }; filter f_news { facility(news); }; filter f_debug { not facility(auth, authpriv, news, mail); }; filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); }; filter f_everything { level(debug..emerg) and not facility(auth, authpriv); }; filter f_emergency { level(emerg); }; filter f_info { level(info); }; filter f_notice { level(notice); }; filter f_warn { level(warn); }; filter f_crit { level(crit); }; filter f_err { level(err); }; log { source(src); filter(f_authpriv); destination(authlog); }; log { source(src); filter(f_syslog); destination(syslog); }; log { source(src); filter(f_cron); destination(fcron); }; log { source(src); filter(f_daemon); destination(daemon); }; log { source(src); filter(f_kernel); destination(kernel); }; log { source(src); filter(f_lpr); destination(lpr); }; log { source(src); filter(f_mail); destination(mail); }; log { source(src); filter(f_news); destination(news); }; log { source(src); filter(f_user); destination(user); }; log { source(src); filter(f_uucp); destination(uucp); }; log { source(src); filter(f_debug); destination(debug); }; log { source(src); filter(f_messages); destination(messages); }; log { source(src); filter(f_emergency); destination(console); }; log { source(src); filter(f_everything); destination(everything); }; log { source(src); destination(console_all); }; # END /etc/syslog-ng/syslog-ng.conf --- Configuration information Please note that this only is a sample configuration and you will MOST CERTAINLY have to edit this to suite your needs. This should work with most configuration. For more configuration information check man syslog-ng or go to the syslog-ng web site at http://www.balabit.hu/static/syslog-ng/reference/book1.html for the basic docuemenation --- Make syslog-ng start on bootup Create the /etc/rc.d/init.d/syslog-ng by running: cat > /etc/rc.d/init.d/syslog-ng << "EOF" #!/bin/sh # Begin $rc_base/init.d/syslog-ng - Syslog-ng loader # Based on sysklogd script from LFS-3.1 and earlier. # Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org source /etc/sysconfig/rc source $rc_functions case "$1" in start) echo "Starting System Log..." loadproc syslog-ng ;; stop) echo "Stopping System Log..." killproc syslog-ng ;; restart) $0 stop sleep 1 $0 start ;; status) statusproc syslog-ng ;; *) echo "Usage: $0 {start|stop|restart|status}" exit 1 ;; esac # End $rc_base/init.d/syslog-ng EOF --- Make the script executable and create the appropriate symlinks by running: chmod 755 /etc/rc.d/init.d/syslog-ng && ln -s /etc/rc.d/init.d/syslog-ng /etc/rc.d/rc0.d/K40syslog-ng && ln -s /etc/rc.d/init.d/syslog-ng /etc/rc.d/rc1.d/K80syslog-ng && ln -s /etc/rc.d/init.d/syslog-ng /etc/rc.d/rc2.d/S10syslog-ng && ln -s /etc/rc.d/init.d/syslog-ng /etc/rc.d/rc3.d/S10syslog-ng && ln -s /etc/rc.d/init.d/syslog-ng /etc/rc.d/rc4.d/S10syslog-ng && ln -s /etc/rc.d/init.d/syslog-ng /etc/rc.d/rc5.d/S10syslog-ng && ln -s /etc/rc.d/init.d/syslog-ng /etc/rc.d/rc6.d/K40syslog-ng --- Last step You will need to prevent sysklogd from starting rm /etc/rc.d/rc0.d/K40sysklogd && rm /etc/rc.d/rc1.d/K80sysklogd && rm /etc/rc.d/rc2.d/S10sysklogd && rm /etc/rc.d/rc3.d/S10sysklogd && rm /etc/rc.d/rc4.d/S10sysklogd && rm /etc/rc.d/rc5.d/S10sysklogd && rm /etc/rc.d/rc6.d/K40sysklogd --- Extra: Logging of Iptables Information Add the following information to log all iptables information into it's own file called /var/log/iptables.log destination iptables { file("/var/log/iptables.log"); }; filter f_iptables { match("IN="); }; log { source(src); filter(f_iptables); destination(iptables); }; Mail suggestions to giffordj@linkline.com New Version of this document can be viewed from http://www.jg555.com/cvs