# $Header: /home/wschlich/work/gentoo/autosetup/gentoo-autosetup-current/gentoo-autosetup.d/syslog-ng/RCS/syslog-ng.conf,v 1.2 2007/05/31 10:31:37 wschlich Exp wschlich $
# vim:nowrap:
# syslog-ng config created by
# - Wolfram Schlich
# - Klaus Schleicher
# Distributed under the terms of the GNU General Public License v2
#
# see http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/index.html
#
# Layout of this file: global options, reusable filters, message templates,
# sources, then destinations together with their log paths (local ones
# first, the catch-all /var/log/messages path and the remote section last).
# Object names carry a kind prefix: f_ filter, t_ template, s_ source,
# d_ destination.

##
## global options
##
## see http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch09s06.html
##
options {
	## general settings
	time_reopen(10); # Reopen a dead connection after this many seconds
	time_reap(120); # Close an idle destination file after this many seconds
	time_sleep(5); # Wait these many milliseconds between poll iterations
	ts_format(rfc3164); # Timestamp format: rfc3164|rfc3339|bsd|iso
	log_fifo_size(1000); # Output queue size (messages per destination)
	# NOTE(review): messages that arrive while an output queue is full are
	# lost unless the log path uses flow control -- confirm for this version.
	log_msg_size(8192); # Max size of a single message (longer messages are cut here)
	log_fetch_limit(1000); # The maximum number of messages fetched from a source during a single poll loop.
	# NOTE(review): log_fetch_limit equals log_fifo_size, so a single poll can
	# fill an output queue on its own; check the admin guide's sizing advice
	# before raising either value.
	flush_lines(10); # Buffer this many lines of output (0 to send to disk immediately)
	flush_timeout(1000); # Wait at most this many milliseconds before forcibly flushing the output buffer
	mark_freq(300); # MARK line logging interval (seconds); a missing MARK is a cheap liveness check for the logger
	stats_freq(0); # Stats logging interval (0 = disabled)
	## remote logging
	# These options decide how much of a received message header is trusted.
	# They only take effect once a network source (s_remote, commented out at
	# the end of this file) is enabled.
	normalize_hostnames(yes); # Do normalize hostnames (transform to lower case)
	chain_hostnames(on); # Chain hostnames? (${HOST} then also carries the relaying hosts, see the admin guide)
	keep_hostname(yes); # Keep the hostname the client sent?
	# NOTE(review): with keep_hostname(yes) ${HOST} is whatever the peer wrote
	# into the message header and is not verified; ${SOURCEIP} (recorded by
	# t_remote_r) is the only origin syslog-ng observed itself.
	keep_timestamp(no); # Do not use the timestamp the client sent -- it might be wrong
	# (using the receive time also keeps a peer from back- or post-dating entries)
	use_dns(yes); # Use DNS? Good for log servers.
	# NOTE(review): syslog-ng blocks while resolving, so a reverse lookup per
	# new peer address is a denial-of-service lever on a server reachable from
	# untrusted networks. Keep the endpoint firewalled and dns_cache on, or use
	# use_dns(no) there -- confirm for this deployment.
	use_fqdn(no); # Use FQDNs? Good for log servers.
	dns_cache(yes); # Cache DNS results?
	dns_cache_size(1024); # Number of DNS lookup results to cache
	dns_cache_expire(3600); # Expire cached successful DNS lookup results after this many seconds
	dns_cache_expire_failed(60); # Expire cached failed DNS lookup results after this many seconds
	## log file handling
	# Ownership and mode below apply to files and directories syslog-ng
	# creates itself; check existing log files and directories separately.
	create_dirs(yes); # Create directories for log files if they don't exist
	dir_owner("root"); # Owner of newly created directories
	dir_group("adm"); # Group of newly created directories
	dir_perm(0750); # Permissions of newly created directories
	owner("root"); # Owner of newly created log files
	group("adm"); # Group of newly created log files
	perm(0640); # Permissions of newly created log files (group 'adm' may read, nobody else)
	## misc
	# Some programs send log messages through their own syslog implementation,
	# and sometimes that implementation is broken, so syslog-ng may mistake the
	# program name for a hostname. This option declares that a hostname matching
	# the regexp is not a real hostname.
	bad_hostname("^gconfd$");
};

##
## filters
##
## see http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch03s06.html
##
## Filters are reusable: a log path may combine several of them, and every
## log path that references one of these names depends on it staying defined.

## standard syslog facilities
filter f_kern { facility(kern); };
filter f_auth { facility(auth); }; # -- note: 'security' is a deprecated alias
filter f_authpriv { facility(authpriv); };
filter f_syslog { facility(syslog); };
filter f_daemon { facility(daemon); };
filter f_cron { facility(cron); }; # reused by the cron log path further down
filter f_ftp { facility(ftp); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_uucp { facility(uucp); };
filter f_user { facility(user); };
filter f_local0 { facility(local0); };
filter f_local1 { facility(local1); };
filter f_local2 { facility(local2); };
filter f_local3 { facility(local3); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };

## standard syslog priorities: "exactly"
## (the number in the trailing comment is the numeric priority, 0 = most severe)
filter f_emerg { priority(emerg); }; # 0 -- note: 'panic' is a deprecated alias
filter f_alert { priority(alert); }; # 1
filter f_crit { priority(crit); }; # 2
filter f_err { priority(err); }; # 3 -- note: 'error' is a deprecated alias
filter f_warning { priority(warning); }; # 4 -- note: 'warn' is a deprecated alias
filter f_notice { priority(notice); }; # 5
filter f_info { priority(info); }; # 6
filter f_debug { priority(debug); }; # 7

## standard syslog priorities: "at least"
## (a '+' suffix means "this priority and everything more severe")
filter f_alert+ { priority(alert..emerg); }; # 1-0
filter f_crit+ { priority(crit..emerg); }; # 2-0
filter f_err+ { priority(err..emerg); }; # 3-0
filter f_warning+ { priority(warning..emerg); }; # 4-0
filter f_notice+ { priority(notice..emerg); }; # 5-0
filter f_info+ { priority(info..emerg); }; # 6-0
filter f_debug+ { priority(debug..emerg); }; # 7-0

##
## templates for the log messages
##
## see http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch03s07.html
##
## WARNING: syslog logfile analysis tools might stumble over non-standard
## formats! tools like mailgraph and tenshi just come to mind.
##
## for tenshi, it's easy to circumvent problems by either using the standard
## format for the tenshi fifo or by using the "logprefix" feature in tenshi.conf
## to match the custom format, e.g. when using facility and priority as alerting
## criteria.
##
## mailgraph probably needs to be patched for being able to deal with a
## non-standard log message format.
##
# macro quick-reference:
# - DATE: "Jun 13 15:58:00" (default syslog date)
# - FULLDATE: "2006 Jun 13 15:56:57"
# - ISODATE: "2006-06-13T15:56:51+02:00"
# - PRI: see http://www.faqs.org/rfcs/rfc3164.html, 4.1.1
# - TZOFFSET: "+02:00"
#
# All templates below keep template_escape(no): that escaping only covers
# quote and backslash characters (meant for SQL-style destinations) and is
# not needed for plain files.
# NOTE(review): none of these templates sanitizes ${MSG}; whether syslog-ng
# itself strips control characters from received messages depends on the
# version -- confirm before trusting log output on a terminal (d_logtty) or
# feeding it to a parser.

## default message format (standard syslog message format)
## (kept for reference; no destination in this file currently uses it)
template t_default { template("${DATE} ${HOST} ${MSG}\n"); template_escape(no); };
## log and admin console message formats
## (t_admintty is currently unused: d_admintty writes via usertty() without a template)
template t_logtty { template("${DATE}; ${FACILITY}.${PRIORITY}; ${MSG}\n"); template_escape(no); };
template t_admintty { template("${DATE}; ${FACILITY}.${PRIORITY}; ${MSG}\n"); template_escape(no); };
## custom local message format (used by default throughout this configuration, also see t_remote_r)
## fields are separated by "; " so facility.priority can be parsed without guessing
template t_local { template("${YEAR}-${MONTH}-${DAY} ${HOUR}:${MIN}:${SEC} ${TZOFFSET}; ${HOST}; ${FACILITY}.${PRIORITY}; ${MSG}\n"); template_escape(no); };
## tenshi message format (tenshi.conf needs to be adjusted for this format!)
template t_tenshi { template("${HOST}; ${FACILITY}.${PRIORITY}; ${MSG}\n"); template_escape(no); };
## mailgraph message format
template t_mgraph { template("${DATE} ${HOST} ${MSG}\n"); template_escape(no); };
## remote reception message format (replaces time information of received messages with local system time)
## ${HOST} is the name the peer claimed (keep_hostname(yes)); ${SOURCEIP} next
## to it is the address syslog-ng actually received the message from.
template t_remote_r { template("${R_YEAR}-${R_MONTH}-${R_DAY} ${R_HOUR}:${R_MIN}:${R_SEC} ${R_TZOFFSET}; ${HOST}/${SOURCEIP}; ${FACILITY}.${PRIORITY}; ${MSG}\n"); template_escape(no); };
## remote delivery message format (standard syslog protocol format)
template t_remote_d { template("<${PRI}>${DATE} ${HOST} ${MSG}\n"); template_escape(no); };

##
## local sources
##
## see http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch03s03.html
##
## local syslog messages + syslog-ng internal messages
## max-connections bounds the number of simultaneously connected local clients
source s_local { unix-stream("/dev/log" max-connections(1000)); internal(); };
## kernel messages
## log_prefix is what the kernel-message filters below (f_firewall, f_drbd, ...) anchor on.
## NOTE(review): /proc/kmsg can only be consumed by one reader -- make sure no
## klogd or similar is running alongside syslog-ng.
source s_kernel { file("/proc/kmsg" flags(kernel) log_prefix("kernel: ")); };

##
## local destinations and log paths
##
## see http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch03s04.html
## and http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch03s05.html
##

#
# discard messages
#
## example for discarding certain messages using an empty destination and the final flag
## (flags(final) stops the message from reaching any log path defined after this one)
#destination d_null { };
#filter f_null { match("I am a message that wants to be discarded"); };
#log { source(s_local); filter(f_null); destination(d_null); flags(final); };

#
# system specials
#
## kernel messages
destination d_kernel { file("/var/log/syslog-ng/kernel.log" template(t_local)); };
log { source(s_kernel); destination(d_kernel); };
## log console
## every message from both local sources, unfiltered, is shown on tty10.
## NOTE(review): anyone with access to that console sees the complete log
## stream, and ${MSG} reaches the terminal unescaped (see the template notes).
destination d_logtty { file("/dev/tty10" template(t_logtty)); };
log { source(s_local); source(s_kernel); destination(d_logtty); };
## admin console
## only emerg-priority messages are pushed to root's terminal(s)
destination d_admintty { usertty("root"); };
log { source(s_local); filter(f_emerg); destination(d_admintty); };
## tenshi (log monitoring): log all messages to a fifo -- note: the fifo needs to be created with mkfifo first!
#destination d_tenshi { fifo("/var/log/tenshi.fifo" owner("root") group("tenshi") perm(0640) template(t_tenshi)); };
#log { source(s_local); source(s_kernel); destination(d_tenshi); };
## mailgraph: log all messages for facility 'mail' to a fifo -- note: the fifo needs to be created with mkfifo first!
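#destination d_mgraph { fifo("/var/log/mgraph.fifo" owner("root") group("mgraph") perm(0640) template(t_mgraph)); };
#log { source(s_local); filter(f_mail); destination(d_mgraph); };

#
# application specific
#
# Each application gets a destination, a filter and a log path. Unless the
# log path carries flags(final), the same messages also reach the catch-all
# /var/log/messages path at the end of this file.
#
## firewall (iptables, using custom iptables log prefixes)
## the "kernel: " part comes from log_prefix() on s_kernel; the rest must match
## the --log-prefix values used in the firewall rules.
destination d_firewall { file("/var/log/syslog-ng/firewall.log" template(t_local)); };
filter f_firewall { match("^kernel: ipt_FW ") or match("^kernel: ip4t_FW ") or match("^kernel: ip6t_FW "); };
log { source(s_kernel); filter(f_firewall); destination(d_firewall); };
## sudo
destination d_sudo { file("/var/log/syslog-ng/sudo.log" template(t_local)); };
filter f_sudo { program("^sudo$"); };
log { source(s_local); filter(f_sudo); destination(d_sudo); };
## sshd
destination d_sshd { file("/var/log/syslog-ng/sshd.log" template(t_local)); };
filter f_sshd { program("^sshd$") or program("^sftp-server$"); };
log { source(s_local); filter(f_sshd); destination(d_sshd); };
## cron
## f_cron is the facility filter defined once in the "standard syslog
## facilities" section above; it must not be redefined here (duplicate
## object names are rejected by newer syslog-ng releases at config load).
destination d_cron { file("/var/log/syslog-ng/cron.log" template(t_local)); };
log { source(s_local); filter(f_cron); destination(d_cron); };
## xinetd
destination d_xinetd { file("/var/log/syslog-ng/xinetd.log" template(t_local)); };
filter f_xinetd { program("^xinetd$"); };
log { source(s_local); filter(f_xinetd); destination(d_xinetd); };
## postfix
## prefix matches on purpose: postfix logs as "postfix/<daemon>"
destination d_postfix { file("/var/log/syslog-ng/postfix.log" template(t_local)); };
filter f_postfix { program("^postfix/") or program("^postgrey"); };
log { source(s_local); filter(f_postfix); destination(d_postfix); };
## fetchmail
destination d_fetchmail { file("/var/log/syslog-ng/fetchmail.log" template(t_local)); };
filter f_fetchmail { program("^fetchmail$"); };
log { source(s_local); filter(f_fetchmail); destination(d_fetchmail); };
## dovecot
destination d_dovecot { file("/var/log/syslog-ng/dovecot.log" template(t_local)); };
filter f_dovecot { program("^dovecot$"); };
log { source(s_local); filter(f_dovecot); destination(d_dovecot); };
## courier smtp/imap/pop3
## "^courier" is a prefix match (courieresmtpd, courierpop3d, ...)
destination d_courier { file("/var/log/syslog-ng/courier.log" template(t_local)); };
filter f_courier { program("^courier") or program("^pop3d$") or program("^pop3d-ssl$") or program("^imapd$") or program("^imapd-ssl$"); };
log { source(s_local); filter(f_courier); destination(d_courier); };
## uw-imap
## (disabled: "^imapd$" would overlap with f_courier above -- enable only one of them)
#destination d_uwimap { file("/var/log/syslog-ng/uw-imap.log" template(t_local)); };
#filter f_uwimap { program("^ipop3d$") or program("^imapd$"); };
#log { source(s_local); filter(f_uwimap); destination(d_uwimap); };
## antivir
destination d_antivir { file("/var/log/syslog-ng/antivir.log" template(t_local)); };
filter f_antivir { program("^antivir$"); };
log { source(s_local); filter(f_antivir); destination(d_antivir); };
## antivir mailgate
## (the unescaped '.' in "avmailgate.bin" is a regexp metacharacter; harmless here)
destination d_avmailgate { file("/var/log/syslog-ng/avmailgate.log" template(t_local)); };
filter f_avmailgate { program("^avmailgate.bin$") or program("^avgated$") or program("^avgatefwd$"); };
log { source(s_local); filter(f_avmailgate); destination(d_avmailgate); };
## clamav
destination d_clamav { file("/var/log/syslog-ng/clamav.log" template(t_local)); };
filter f_clamav { program("^clamd$") or program("^freshclam$"); };
log { source(s_local); filter(f_clamav); destination(d_clamav); };
## amavis
## mark debug messages as final so they don't get into any other file
## (the first path catches only debug priority and stops there; the second
## sends everything from amavis to the same file and lets it fall through)
destination d_amavis { file("/var/log/syslog-ng/amavis.log" template(t_local)); };
filter f_amavis { program("^amavis$"); };
log { source(s_local); filter(f_amavis); filter(f_debug); destination(d_amavis); flags(final); };
log { source(s_local); filter(f_amavis); destination(d_amavis); };
## spamassassin
## "^spamc" is a prefix match on purpose
destination d_spamassassin { file("/var/log/syslog-ng/spamassassin.log" template(t_local)); };
filter f_spamassassin { program("^spamd$") or program("^spamc"); };
log { source(s_local); filter(f_spamassassin); destination(d_spamassassin); };
## ntpd
destination d_ntpd { file("/var/log/syslog-ng/ntpd.log" template(t_local)); };
filter f_ntpd { program("^ntpd$"); };
log { source(s_local); filter(f_ntpd); destination(d_ntpd); };
## OpenVPN
## "^openvpn" is a prefix match on purpose (one process name per instance)
destination d_openvpn { file("/var/log/syslog-ng/openvpn.log" template(t_local)); };
filter f_openvpn { program("^openvpn"); };
log { source(s_local); filter(f_openvpn); destination(d_openvpn); };
## pppd
destination d_pppd { file("/var/log/syslog-ng/pppd.log" template(t_local)); };
filter f_pppd { program("^pppd$"); };
log { source(s_local); filter(f_pppd); destination(d_pppd); };
## pmacctd
destination d_pmacctd { file("/var/log/syslog-ng/pmacctd.log" template(t_local)); };
filter f_pmacctd { program("^pmacctd$"); };
log { source(s_local); filter(f_pmacctd); destination(d_pmacctd); };
## nagios
destination d_nagios { file("/var/log/syslog-ng/nagios.log" template(t_local)); };
filter f_nagios { program("^nagios$"); };
log { source(s_local); filter(f_nagios); destination(d_nagios); };
## named
destination d_named { file("/var/log/syslog-ng/named.log" template(t_local)); };
filter f_named { program("^named$"); };
log { source(s_local); filter(f_named); destination(d_named); };
## OpenLDAP SLAPD
## mark debug messages as final so they don't get into any other file
## (same two-path pattern as amavis above)
destination d_slapd { file("/var/log/syslog-ng/slapd.log" template(t_local)); };
filter f_slapd { program("^slapd$"); };
log { source(s_local); filter(f_slapd); filter(f_debug); destination(d_slapd); flags(final); };
log { source(s_local); filter(f_slapd); destination(d_slapd); };
## samba
## matches both nmbd and smbd
destination d_samba { file("/var/log/syslog-ng/samba.log" template(t_local)); };
filter f_samba { program("^[ns]mbd$"); };
log { source(s_local); filter(f_samba); destination(d_samba); };
## jabberd
## prefix match on purpose: jabberd logs as "jabberd/<component>"
destination d_jabberd { file("/var/log/syslog-ng/jabberd.log" template(t_local)); };
filter f_jabberd { program("^jabberd/"); };
log { source(s_local); filter(f_jabberd); destination(d_jabberd); };
## php-cli
destination d_php { file("/var/log/syslog-ng/php.log" template(t_local)); };
filter f_php { program("^php$"); };
log { source(s_local); filter(f_php); destination(d_php); };
## hardened php
destination d_hphp { file("/var/log/syslog-ng/hphp.log" template(t_local)); };
filter f_hphp { program("^hphp$"); };
log { source(s_local); filter(f_hphp); destination(d_hphp); };
## hddtemp
destination d_hddtemp { file("/var/log/syslog-ng/hddtemp.log" template(t_local)); };
filter f_hddtemp { program("^hddtemp$"); };
log { source(s_local); filter(f_hddtemp); destination(d_hddtemp); };
## smartd (smartmontools)
destination d_smartd { file("/var/log/syslog-ng/smartd.log" template(t_local)); };
filter f_smartd { program("^smartd$"); };
log { source(s_local); filter(f_smartd); destination(d_smartd); };
## arpwatch
destination d_arpwatch { file("/var/log/syslog-ng/arpwatch.log" template(t_local)); };
filter f_arpwatch { program("^arpwatch$"); };
log { source(s_local); filter(f_arpwatch); destination(d_arpwatch); };
## DRBD
## kernel messages, so the filter anchors on the s_kernel log_prefix like f_firewall
destination d_drbd { file("/var/log/syslog-ng/drbd.log" template(t_local)); };
filter f_drbd { match("^kernel: drbd([[:digit:]]+)?:"); };
log { source(s_kernel); filter(f_drbd); destination(d_drbd); };
## Linux-HA: attrd
destination d_ha_attrd { file("/var/log/syslog-ng/ha/attrd.log" template(t_local)); };
filter f_ha_attrd { program("^attrd$"); };
log { source(s_local); filter(f_ha_attrd); destination(d_ha_attrd); };
## Linux-HA: ccm
destination d_ha_ccm { file("/var/log/syslog-ng/ha/ccm.log" template(t_local)); };
filter f_ha_ccm { program("^ccm$"); };
log { source(s_local); filter(f_ha_ccm); destination(d_ha_ccm); };
## Linux-HA: cib
destination d_ha_cib { file("/var/log/syslog-ng/ha/cib.log" template(t_local)); };
filter f_ha_cib { program("^cib$"); };
log { source(s_local); filter(f_ha_cib); destination(d_ha_cib); };
## Linux-HA: cibmon
destination d_ha_cibmon { file("/var/log/syslog-ng/ha/cibmon.log" template(t_local)); };
filter f_ha_cibmon { program("^cibmon$"); };
log { source(s_local); filter(f_ha_cibmon); destination(d_ha_cibmon); };
## Linux-HA: crmd
destination d_ha_crmd { file("/var/log/syslog-ng/ha/crmd.log" template(t_local)); };
filter f_ha_crmd { program("^crmd$"); };
log { source(s_local); filter(f_ha_crmd); destination(d_ha_crmd); };
## Linux-HA: heartbeat
destination d_ha_heartbeat { file("/var/log/syslog-ng/ha/heartbeat.log" template(t_local)); };
filter f_ha_heartbeat { program("^heartbeat$"); };
log { source(s_local); filter(f_ha_heartbeat); destination(d_ha_heartbeat); };
## Linux-HA: ipfail
destination d_ha_ipfail { file("/var/log/syslog-ng/ha/ipfail.log" template(t_local)); };
filter f_ha_ipfail { program("^ipfail$"); };
log { source(s_local); filter(f_ha_ipfail); destination(d_ha_ipfail); };
## Linux-HA: logd
destination d_ha_logd { file("/var/log/syslog-ng/ha/logd.log" template(t_local)); };
filter f_ha_logd { program("^logd$"); };
log { source(s_local); filter(f_ha_logd); destination(d_ha_logd); };
## Linux-HA: lrmd
destination d_ha_lrmd { file("/var/log/syslog-ng/ha/lrmd.log" template(t_local)); };
filter f_ha_lrmd { program("^lrmd$"); };
log { source(s_local); filter(f_ha_lrmd); destination(d_ha_lrmd); };
## Linux-HA: pengine
destination d_ha_pengine { file("/var/log/syslog-ng/ha/pengine.log" template(t_local)); };
filter f_ha_pengine { program("^pengine$"); };
log { source(s_local); filter(f_ha_pengine); destination(d_ha_pengine); };
## Linux-HA: pingd
destination d_ha_pingd { file("/var/log/syslog-ng/ha/pingd.log" template(t_local)); };
filter f_ha_pingd { program("^pingd$"); };
log { source(s_local); filter(f_ha_pingd); destination(d_ha_pingd); };
## Linux-HA: stonithd
destination d_ha_stonithd { file("/var/log/syslog-ng/ha/stonithd.log" template(t_local)); };
filter f_ha_stonithd { program("^stonithd$"); };
log { source(s_local); filter(f_ha_stonithd); destination(d_ha_stonithd); };
## Linux-HA: tengine
destination d_ha_tengine { file("/var/log/syslog-ng/ha/tengine.log" template(t_local)); };
filter f_ha_tengine { program("^tengine$"); };
log { source(s_local); filter(f_ha_tengine); destination(d_ha_tengine); };
## Linux-HA: special discarding of debug and XML messages for any default destinations
## (must stay above the catch-all path for flags(final) to have any effect)
#destination d_ha_discard { };
#filter f_ha_debug { facility(local0) and priority(debug); };
#log { source(s_local); filter(f_ha_debug); destination(d_ha_discard); flags(final); };
#filter f_ha_xml { facility(local0) and (match("log_data_element:") or match("log_cib_diff:") or match("retrieveCib:") or match("cibmon_diff:")); };
#log { source(s_local); filter(f_ha_xml); destination(d_ha_discard); flags(final); };
## gentoo hardened stuff
## kernel-side security subsystems; f_audit excludes the SELinux avc lines so
## they only land in avc.log
destination d_avc { file("/var/log/syslog-ng/avc.log" template(t_local)); };
destination d_audit { file("/var/log/syslog-ng/audit.log" template(t_local)); };
destination d_pax { file("/var/log/syslog-ng/pax.log" template(t_local)); };
destination d_grsec { file("/var/log/syslog-ng/grsec.log" template(t_local)); };
filter f_avc { match(".*avc:"); };
filter f_audit { match("^audit") and not match(".*avc:"); };
filter f_pax { match("^PAX:"); };
filter f_grsec { match("^grsec:"); };
log { source(s_kernel); filter(f_pax); destination(d_pax); };
log { source(s_kernel); filter(f_grsec); destination(d_grsec); };
log { source(s_kernel); filter(f_audit); destination(d_audit); };
log { source(s_kernel); filter(f_avc); destination(d_avc); };

#
# default: all messages (local syslog + kernel)
#
# should be at the end so that application specific messages with
# "final" flag are not logged
# (syslog-ng evaluates log paths in file order, so anything marked final
# above never gets here)
#
destination d_messages { file("/var/log/messages" template(t_local)); };
log { source(s_local); source(s_kernel); destination(d_messages); };

##
## remote delivery
##
## Exactly one of the two d_remote variants below may be enabled at a time
## (both use the same object name).
## remote destination: syslog server directly via UDP (standard syslog)
## (plain UDP: no delivery guarantee and no confidentiality on the wire)
#destination d_remote { udp("syslog.example.com" port(514) template(t_remote_d)); };
#log { source(s_local); source(s_kernel); destination(d_remote); };
## remote destination: syslog server via TCP and stunnel (for secured logging)
## (syslog-ng talks to a local stunnel, which carries the stream encrypted)
#destination d_remote { tcp("localhost" port(514) template(t_remote_d)); };
#log { source(s_local); source(s_kernel); destination(d_remote); };

##
## remote reception
##
## remote source
## pick the listeners that match the deployment: 0.0.0.0 accepts from every
## interface, 127.0.0.1 is the stunnel-terminated variant, 192.168.0.1 is an
## example for a single internal interface.
## NOTE(review): UDP datagrams carry no session, so ${SOURCEIP} on UDP
## sources is not authoritative either; prefer the TCP/stunnel path and a
## host firewall in front of port 514 when the server is reachable from
## untrusted networks.
#source s_remote {
#	udp(localip("0.0.0.0") localport(514));
#	udp(localip("127.0.0.1") localport(514));
#	udp(localip("192.168.0.1") localport(514));
#	tcp(localip("0.0.0.0") localport(514) max-connections(5));
#	tcp(localip("127.0.0.1") localport(514) max-connections(50));
#	tcp(localip("192.168.0.1") localport(514) max-connections(50));
#};
## tenshi (log monitoring)
#log { source(s_remote); destination(d_tenshi); };
## all hosts, all messages
## NOTE(review): ${HOST} in the file path is the peer-supplied hostname
## (keep_hostname(yes)); confirm that this syslog-ng version rejects path
## separators and ".." in hostnames, or build the directory from
## ${SOURCEIP} instead -- TODO confirm before enabling.
#destination d_remote_hosts { file("/var/log/syslog-ng.remote/${R_YEAR}/${R_MONTH}/${R_DAY}/${HOST}/messages" template(t_remote_r)); };
#log { source(s_remote); destination(d_remote_hosts); };
## all hosts, kernel messages
#destination d_remote_hosts_kernel { file("/var/log/syslog-ng.remote/${R_YEAR}/${R_MONTH}/${R_DAY}/${HOST}/kernel.log" template(t_remote_r)); };
#log { source(s_remote); filter(f_kern); destination(d_remote_hosts_kernel); };
## all hosts, user messages
#destination d_remote_hosts_user { file("/var/log/syslog-ng.remote/${R_YEAR}/${R_MONTH}/${R_DAY}/${HOST}/user.log" template(t_remote_r)); };
#log { source(s_remote); filter(f_user); destination(d_remote_hosts_user); };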