# $Header: /home/wschlich/work/gentoo/autosetup/gentoo-autosetup-current/gentoo-autosetup.d/syslog-ng/RCS/syslog-ng.conf,v 1.2 2007/05/31 10:31:37 wschlich Exp wschlich $
# vim:nowrap:
# syslog-ng config created by
# - Wolfram Schlich <wschlich@gentoo.org>
# - Klaus Schleicher <ks@pegasus-edv.de>
# Distributed under the terms of the GNU General Public License v2
#
# see http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/index.html

##
## global options
##
## see http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch09s06.html
##

options {
	
	## general settings
	time_reopen(10); # Reopen a dead connection after this many seconds
	time_reap(120); # Close an idle destination file after this many seconds
	time_sleep(5); # Wait this many milliseconds between poll iterations
	ts_format(rfc3164); # Timestamp format: rfc3164|rfc3339|bsd|iso
	log_fifo_size(1000); # Output queue size
	log_msg_size(8192); # Max size of a single message
	log_fetch_limit(1000); # Maximum number of messages fetched from a source during a single poll loop
	flush_lines(10); # Buffer this many lines of output (0 to send to disk immediately)
	flush_timeout(1000); # Wait at most this many milliseconds before forcibly flushing the output buffer
	mark_freq(300); # MARK line logging interval
	stats_freq(0); # Stats logging interval (0 = disabled)
	
	## remote logging
	normalize_hostnames(yes); # Do normalize hostnames (transform to lower case)
	chain_hostnames(on); # Chain hostnames?
	# keep_hostname(yes) trusts the hostname field of each received message.
	# NOTE(review): the commented-out d_remote_hosts* destinations at the end of
	# this file use ${HOST} in the file path and create_dirs(yes) is set below,
	# so the sender decides which directory its messages land in -- confirm that
	# all senders are trusted before enabling remote reception with this setting.
	keep_hostname(yes); # Keep the hostname the client sent?
	keep_timestamp(no); # Do not use the timestamp the client sent -- it might be wrong
	# NOTE(review): with use_dns(yes) the logged names depend on the resolver
	# answering correctly and in time -- confirm this is wanted on a log server.
	use_dns(yes); # Use DNS? Good for log servers.
	use_fqdn(no); # Use FQDNs? Good for log servers.
	dns_cache(yes); # Cache DNS results?
	dns_cache_size(1024); # Number of DNS lookup results to cache
	dns_cache_expire(3600); # Expire cached successful DNS lookup results after this many seconds
	dns_cache_expire_failed(60); # Expire cached failed DNS lookup results after this many seconds
	
	## log file handling
	# Directories and files are created for root:adm with no access for other
	# users (0750 / 0640), so reading the logs requires membership in 'adm'.
	create_dirs(yes); # Create directories for log files if they don't exist
	dir_owner("root"); # Owner of newly created directories
	dir_group("adm"); # Group of newly created directories
	dir_perm(0750); # Permissions of newly created directories
	owner("root"); # Owner of newly created log files
	group("adm"); # Group of newly created log files
	perm(0640); # Permissions of newly created log files

	## misc
	# Some programs send log messages through a private implementation,
	# and sometimes that implementation is bad. If this happens, syslog-ng
	# may recognise the program name as the hostname. With this option
	# we tell syslog-ng that a hostname matching this regexp is not
	# a real hostname.
	bad_hostname("^gconfd$");

};

##
## filters
##
## see http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch03s06.html
##

## standard syslog facilities
filter f_kern     { facility(kern);     };
filter f_auth     { facility(auth);     }; # -- note: 'security' is a deprecated alias
filter f_authpriv { facility(authpriv); };
filter f_syslog   { facility(syslog);   };
filter f_daemon   { facility(daemon);   };
filter f_cron     { facility(cron);     };
filter f_ftp      { facility(ftp);      };
filter f_lpr      { facility(lpr);      };
filter f_mail     { facility(mail);     };
filter f_news     { facility(news);     };
filter f_uucp     { facility(uucp);     };
filter f_user     { facility(user);     };
filter f_local0   { facility(local0);   };
filter f_local1   { facility(local1);   };
filter f_local2   { facility(local2);   };
filter f_local3   { facility(local3);   };
filter f_local4   { facility(local4);   };
filter f_local5   { facility(local5);   };
filter f_local6   { facility(local6);   };
filter f_local7   { facility(local7);   };

## standard syslog priorities: "exactly"
filter f_emerg    { priority(emerg);          }; # 0 -- note: 'panic' is a deprecated alias
filter f_alert    { priority(alert);          }; # 1
filter f_crit     { priority(crit);           }; # 2
filter f_err      { priority(err);            }; # 3 -- note: 'error' is a deprecated alias
filter f_warning  { priority(warning);        }; # 4 -- note: 'warn' is a deprecated alias
filter f_notice   { priority(notice);         }; # 5
filter f_info     { priority(info);           }; # 6
filter f_debug    { priority(debug);          }; # 7

## standard syslog priorities: "at least"
filter f_alert+   { priority(alert..emerg);   }; # 1-0
filter f_crit+    { priority(crit..emerg);    }; # 2-0
filter f_err+     { priority(err..emerg);     }; # 3-0
filter f_warning+ { priority(warning..emerg); }; # 4-0
filter f_notice+  { priority(notice..emerg);  }; # 5-0
filter f_info+    { priority(info..emerg);    }; # 6-0
filter f_debug+   { priority(debug..emerg);   }; # 7-0

##
## templates for the log messages
##
## see http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch03s07.html
##
## WARNING: syslog logfile analysis tools might stumble over non-standard
## formats! tools like mailgraph and tenshi just come to mind.
##
## for tenshi, it's easy to circumvent problems by either using the standard
## format for the tenshi fifo or by using the "logprefix" feature in tenshi.conf
## to match the custom format, e.g. when using facility and priority as alerting
## criteria.
##
## mailgraph probably needs to be patched for being able to deal with a
## non-standard log message format.
##

# macro quick-reference:
# - DATE: "Jun 13 15:58:00" (default syslog date)
# - FULLDATE: "2006 Jun 13 15:56:57"
# - ISODATE: "2006-06-13T15:56:51+02:00"
# - PRI: see http://www.faqs.org/rfcs/rfc3164.html, 4.1.1
# - TZOFFSET: "+02:00"

## default message format (standard syslog message format)
template t_default  { template("${DATE} ${HOST} ${MSG}\n"); template_escape(no); };

## log and admin console message formats
template t_logtty   { template("${DATE}; ${FACILITY}.${PRIORITY}; ${MSG}\n"); template_escape(no); };
template t_admintty { template("${DATE}; ${FACILITY}.${PRIORITY}; ${MSG}\n"); template_escape(no); };

## custom local message format (used by default throughout this configuration, also see t_remote_r)
template t_local    { template("${YEAR}-${MONTH}-${DAY} ${HOUR}:${MIN}:${SEC} ${TZOFFSET}; ${HOST}; ${FACILITY}.${PRIORITY}; ${MSG}\n"); template_escape(no); };

## tenshi message format (tenshi.conf needs to be adjusted for this format!)
template t_tenshi   { template("${HOST}; ${FACILITY}.${PRIORITY}; ${MSG}\n"); template_escape(no); };

## mailgraph message format
template t_mgraph   { template("${DATE} ${HOST} ${MSG}\n"); template_escape(no); };

## remote reception message format (replaces time information of received messages with local system time)
template t_remote_r { template("${R_YEAR}-${R_MONTH}-${R_DAY} ${R_HOUR}:${R_MIN}:${R_SEC} ${R_TZOFFSET}; ${HOST}/${SOURCEIP}; ${FACILITY}.${PRIORITY}; ${MSG}\n"); template_escape(no); };

## remote delivery message format (standard syslog protocol format)
template t_remote_d { template("<${PRI}>${DATE} ${HOST} ${MSG}\n"); template_escape(no); };

##
## local sources
##
## see http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch03s03.html
##

## local syslog messages + syslog-ng internal messages
source s_local {
	unix-stream("/dev/log" max-connections(1000));
	internal();
};

## kernel messages
source s_kernel {
	file("/proc/kmsg" flags(kernel) log_prefix("kernel: "));
};

##
## local destinations and log paths
##
## see http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch03s04.html
## and http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch03s05.html
##

#
# discard messages
#

## example for discarding certain messages using an empty destination and the final flag
#destination d_null { };
#filter f_null { match("I am a message that wants to be discarded"); };
#log { source(s_local); filter(f_null); destination(d_null); flags(final); };

#
# system specials
#

## kernel messages
destination d_kernel { file("/var/log/syslog-ng/kernel.log" template(t_local)); };
log { source(s_kernel); destination(d_kernel); };

## log console
destination d_logtty { file("/dev/tty10" template(t_logtty)); };
log { source(s_local); source(s_kernel); destination(d_logtty); };

## admin console
destination d_admintty { usertty("root"); };
log { source(s_local); filter(f_emerg); destination(d_admintty); };

## tenshi (log monitoring): log all messages to a fifo -- note: the fifo needs to be created with mkfifo first!
#destination d_tenshi { fifo("/var/log/tenshi.fifo" owner("root") group("tenshi") perm(0640) template(t_tenshi)); };
#log { source(s_local); source(s_kernel); destination(d_tenshi); };

## mailgraph: log all messages for facility 'mail' to a fifo -- note: the fifo needs to be created with mkfifo first!
#destination d_mgraph { fifo("/var/log/mgraph.fifo" owner("root") group("mgraph") perm(0640) template(t_mgraph)); };
#log { source(s_local); filter(f_mail); destination(d_mgraph); };

#
# application specific
#

## firewall (iptables, using custom iptables log prefixes)
destination d_firewall { file("/var/log/syslog-ng/firewall.log" template(t_local)); };
filter f_firewall { match("^kernel: ipt_FW ") or match("^kernel: ip4t_FW ") or match("^kernel: ip6t_FW "); };
log { source(s_kernel); filter(f_firewall); destination(d_firewall); };

## sudo
destination d_sudo { file("/var/log/syslog-ng/sudo.log" template(t_local)); };
filter f_sudo { program("^sudo$"); };
log { source(s_local); filter(f_sudo); destination(d_sudo); };

## sshd
destination d_sshd { file("/var/log/syslog-ng/sshd.log" template(t_local)); };
filter f_sshd { program("^sshd$") or program("^sftp-server$"); };
log { source(s_local); filter(f_sshd); destination(d_sshd); };

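## cron
## f_cron is the facility(cron) filter already defined with the standard
## syslog facility filters above. It is not defined a second time here:
## the repeated definition was identical, so it added nothing, and a
## syslog-ng release that rejects duplicate object names may refuse to
## load the file because of it.
destination d_cron { file("/var/log/syslog-ng/cron.log" template(t_local)); };
log { source(s_local); filter(f_cron); destination(d_cron); };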

## xinetd
destination d_xinetd { file("/var/log/syslog-ng/xinetd.log" template(t_local)); };
filter f_xinetd { program("^xinetd$"); };
log { source(s_local); filter(f_xinetd); destination(d_xinetd); };

## postfix
destination d_postfix { file("/var/log/syslog-ng/postfix.log" template(t_local)); };
filter f_postfix { program("^postfix/") or program("^postgrey"); };
log { source(s_local); filter(f_postfix); destination(d_postfix); };

## fetchmail
destination d_fetchmail { file("/var/log/syslog-ng/fetchmail.log" template(t_local)); };
filter f_fetchmail { program("^fetchmail$"); };
log { source(s_local); filter(f_fetchmail); destination(d_fetchmail); };

## dovecot
destination d_dovecot { file("/var/log/syslog-ng/dovecot.log" template(t_local)); };
filter f_dovecot { program("^dovecot$"); };
log { source(s_local); filter(f_dovecot); destination(d_dovecot); };

## courier smtp/imap/pop3
destination d_courier { file("/var/log/syslog-ng/courier.log" template(t_local)); };
filter f_courier { program("^courier") or program("^pop3d$") or program("^pop3d-ssl$") or program("^imapd$") or program("^imapd-ssl$"); };
log { source(s_local); filter(f_courier); destination(d_courier); };

## uw-imap
#destination d_uwimap { file("/var/log/syslog-ng/uw-imap.log" template(t_local)); };
#filter f_uwimap { program("^ipop3d$") or program("^imapd$"); };
#log { source(s_local); filter(f_uwimap); destination(d_uwimap); };

## antivir
destination d_antivir { file("/var/log/syslog-ng/antivir.log" template(t_local)); };
filter f_antivir { program("^antivir$"); };
log { source(s_local); filter(f_antivir); destination(d_antivir); };

## antivir mailgate
destination d_avmailgate { file("/var/log/syslog-ng/avmailgate.log" template(t_local)); };
filter f_avmailgate { program("^avmailgate.bin$") or program("^avgated$") or program("^avgatefwd$"); };
log { source(s_local); filter(f_avmailgate); destination(d_avmailgate); };

## clamav
destination d_clamav { file("/var/log/syslog-ng/clamav.log" template(t_local)); };
filter f_clamav { program("^clamd$") or program("^freshclam$"); };
log { source(s_local); filter(f_clamav); destination(d_clamav); };

## amavis
## mark debug messages as final so they don't get into any other file
destination d_amavis { file("/var/log/syslog-ng/amavis.log" template(t_local)); };
filter f_amavis { program("^amavis$"); };
log { source(s_local); filter(f_amavis); filter(f_debug); destination(d_amavis); flags(final); };
log { source(s_local); filter(f_amavis); destination(d_amavis); };

## spamassassin
destination d_spamassassin { file("/var/log/syslog-ng/spamassassin.log" template(t_local)); };
filter f_spamassassin { program("^spamd$") or program("^spamc"); };
log { source(s_local); filter(f_spamassassin); destination(d_spamassassin); };

## ntpd
destination d_ntpd { file("/var/log/syslog-ng/ntpd.log" template(t_local)); };
filter f_ntpd { program("^ntpd$"); };
log { source(s_local); filter(f_ntpd); destination(d_ntpd); };

## OpenVPN
destination d_openvpn { file("/var/log/syslog-ng/openvpn.log" template(t_local)); };
filter f_openvpn { program("^openvpn"); };
log { source(s_local); filter(f_openvpn); destination(d_openvpn); };

## pppd
destination d_pppd { file("/var/log/syslog-ng/pppd.log" template(t_local)); };
filter f_pppd { program("^pppd$"); };
log { source(s_local); filter(f_pppd); destination(d_pppd); };

## pmacctd
destination d_pmacctd { file("/var/log/syslog-ng/pmacctd.log" template(t_local)); };
filter f_pmacctd { program("^pmacctd$"); };
log { source(s_local); filter(f_pmacctd); destination(d_pmacctd); };

## nagios
destination d_nagios { file("/var/log/syslog-ng/nagios.log" template(t_local)); };
filter f_nagios { program("^nagios$"); };
log { source(s_local); filter(f_nagios); destination(d_nagios); };

## named
destination d_named { file("/var/log/syslog-ng/named.log" template(t_local)); };
filter f_named { program("^named$"); };
log { source(s_local); filter(f_named); destination(d_named); };

## OpenLDAP SLAPD
## mark debug messages as final so they don't get into any other file
destination d_slapd { file("/var/log/syslog-ng/slapd.log" template(t_local)); };
filter f_slapd { program("^slapd$"); };
log { source(s_local); filter(f_slapd); filter(f_debug); destination(d_slapd); flags(final); };
log { source(s_local); filter(f_slapd); destination(d_slapd); };

## samba
destination d_samba { file("/var/log/syslog-ng/samba.log" template(t_local)); };
filter f_samba { program("^[ns]mbd$"); };
log { source(s_local); filter(f_samba); destination(d_samba); };

## jabberd
destination d_jabberd { file("/var/log/syslog-ng/jabberd.log" template(t_local)); };
filter f_jabberd { program("^jabberd/"); };
log { source(s_local); filter(f_jabberd); destination(d_jabberd); };

## php-cli
destination d_php { file("/var/log/syslog-ng/php.log" template(t_local)); };
filter f_php { program("^php$"); };
log { source(s_local); filter(f_php); destination(d_php); };

## hardened php
destination d_hphp { file("/var/log/syslog-ng/hphp.log" template(t_local)); };
filter f_hphp { program("^hphp$"); };
log { source(s_local); filter(f_hphp); destination(d_hphp); };

## hddtemp
destination d_hddtemp { file("/var/log/syslog-ng/hddtemp.log" template(t_local)); };
filter f_hddtemp { program("^hddtemp$"); };
log { source(s_local); filter(f_hddtemp); destination(d_hddtemp); };

## smartd (smartmontools)
destination d_smartd { file("/var/log/syslog-ng/smartd.log" template(t_local)); };
filter f_smartd { program("^smartd$"); };
log { source(s_local); filter(f_smartd); destination(d_smartd); };

## arpwatch
destination d_arpwatch { file("/var/log/syslog-ng/arpwatch.log" template(t_local)); };
filter f_arpwatch { program("^arpwatch$"); };
log { source(s_local); filter(f_arpwatch); destination(d_arpwatch); };

## DRBD
destination d_drbd { file("/var/log/syslog-ng/drbd.log" template(t_local)); };
filter f_drbd { match("^kernel: drbd([[:digit:]]+)?:"); };
log { source(s_kernel); filter(f_drbd); destination(d_drbd); };

## Linux-HA: attrd
destination d_ha_attrd { file("/var/log/syslog-ng/ha/attrd.log" template(t_local)); };
filter f_ha_attrd { program("^attrd$"); };
log { source(s_local); filter(f_ha_attrd); destination(d_ha_attrd); };

## Linux-HA: ccm
destination d_ha_ccm { file("/var/log/syslog-ng/ha/ccm.log" template(t_local)); };
filter f_ha_ccm { program("^ccm$"); };
log { source(s_local); filter(f_ha_ccm); destination(d_ha_ccm); };

## Linux-HA: cib
destination d_ha_cib { file("/var/log/syslog-ng/ha/cib.log" template(t_local)); };
filter f_ha_cib { program("^cib$"); };
log { source(s_local); filter(f_ha_cib); destination(d_ha_cib); };

## Linux-HA: cibmon
destination d_ha_cibmon { file("/var/log/syslog-ng/ha/cibmon.log" template(t_local)); };
filter f_ha_cibmon { program("^cibmon$"); };
log { source(s_local); filter(f_ha_cibmon); destination(d_ha_cibmon); };

## Linux-HA: crmd
destination d_ha_crmd { file("/var/log/syslog-ng/ha/crmd.log" template(t_local)); };
filter f_ha_crmd { program("^crmd$"); };
log { source(s_local); filter(f_ha_crmd); destination(d_ha_crmd); };

## Linux-HA: heartbeat
destination d_ha_heartbeat { file("/var/log/syslog-ng/ha/heartbeat.log" template(t_local)); };
filter f_ha_heartbeat { program("^heartbeat$"); };
log { source(s_local); filter(f_ha_heartbeat); destination(d_ha_heartbeat); };

## Linux-HA: ipfail
destination d_ha_ipfail { file("/var/log/syslog-ng/ha/ipfail.log" template(t_local)); };
filter f_ha_ipfail { program("^ipfail$"); };
log { source(s_local); filter(f_ha_ipfail); destination(d_ha_ipfail); };

## Linux-HA: logd
destination d_ha_logd { file("/var/log/syslog-ng/ha/logd.log" template(t_local)); };
filter f_ha_logd { program("^logd$"); };
log { source(s_local); filter(f_ha_logd); destination(d_ha_logd); };

## Linux-HA: lrmd
destination d_ha_lrmd { file("/var/log/syslog-ng/ha/lrmd.log" template(t_local)); };
filter f_ha_lrmd { program("^lrmd$"); };
log { source(s_local); filter(f_ha_lrmd); destination(d_ha_lrmd); };

## Linux-HA: pengine
destination d_ha_pengine { file("/var/log/syslog-ng/ha/pengine.log" template(t_local)); };
filter f_ha_pengine { program("^pengine$"); };
log { source(s_local); filter(f_ha_pengine); destination(d_ha_pengine); };

## Linux-HA: pingd
destination d_ha_pingd { file("/var/log/syslog-ng/ha/pingd.log" template(t_local)); };
filter f_ha_pingd { program("^pingd$"); };
log { source(s_local); filter(f_ha_pingd); destination(d_ha_pingd); };

## Linux-HA: stonithd
destination d_ha_stonithd { file("/var/log/syslog-ng/ha/stonithd.log" template(t_local)); };
filter f_ha_stonithd { program("^stonithd$"); };
log { source(s_local); filter(f_ha_stonithd); destination(d_ha_stonithd); };

## Linux-HA: tengine
destination d_ha_tengine { file("/var/log/syslog-ng/ha/tengine.log" template(t_local)); };
filter f_ha_tengine { program("^tengine$"); };
log { source(s_local); filter(f_ha_tengine); destination(d_ha_tengine); };

## Linux-HA: special discarding of debug and XML messages for any default destinations
#destination d_ha_discard { };
#filter f_ha_debug { facility(local0) and priority(debug); };
#log { source(s_local); filter(f_ha_debug); destination(d_ha_discard); flags(final); };
#filter f_ha_xml { facility(local0) and (match("log_data_element:") or match("log_cib_diff:") or match("retrieveCib:") or match("cibmon_diff:")); };
#log { source(s_local); filter(f_ha_xml); destination(d_ha_discard); flags(final); };

## gentoo hardened stuff
## Splits kernel security messages into their own files: lines containing
## "avc:" (presumably SELinux AVC records), audit records, PaX and grsec
## messages.
## None of the log statements below sets flags(final), so the same messages
## are also written to /var/log/messages by the catch-all log statement at
## the end of this file.
## NOTE(review): f_firewall and f_drbd in this file anchor on "^kernel: "
## (the log_prefix set on s_kernel), while f_audit, f_pax and f_grsec anchor
## directly on "^audit", "^PAX:" and "^grsec:". Confirm which form match()
## sees on the running syslog-ng version; if the prefix is part of the
## matched text, these three filters never match and the files stay empty.
destination d_avc { file("/var/log/syslog-ng/avc.log" template(t_local)); };
destination d_audit { file("/var/log/syslog-ng/audit.log" template(t_local)); };
destination d_pax { file("/var/log/syslog-ng/pax.log" template(t_local)); };
destination d_grsec { file("/var/log/syslog-ng/grsec.log" template(t_local)); };
# matches "avc:" anywhere in the message (the leading ".*" leaves this unanchored)
filter f_avc { match(".*avc:"); };
# audit records, except those containing "avc:", which go to avc.log only
filter f_audit { match("^audit") and not match(".*avc:"); };
filter f_pax { match("^PAX:"); };
filter f_grsec { match("^grsec:"); };
log { source(s_kernel); filter(f_pax); destination(d_pax); };
log { source(s_kernel); filter(f_grsec); destination(d_grsec); };
log { source(s_kernel); filter(f_audit); destination(d_audit); };
log { source(s_kernel); filter(f_avc); destination(d_avc); };

#
# default: all messages (local syslog + kernel)
#
# should be at the end so that application specific messages with
# "final" flag are not logged
#

destination d_messages { file("/var/log/messages" template(t_local)); };
log { source(s_local); source(s_kernel); destination(d_messages); };

##
## remote delivery
##

## remote destination: syslog server directly via UDP (standard syslog)
#destination d_remote { udp("syslog.example.com" port(514) template(t_remote_d)); };
#log { source(s_local); source(s_kernel); destination(d_remote); };

## remote destination: syslog server via TCP and stunnel (for secured logging)
#destination d_remote { tcp("localhost" port(514) template(t_remote_d)); };
#log { source(s_local); source(s_kernel); destination(d_remote); };

##
## remote reception
##

## remote source
#source s_remote {
#	udp(localip("0.0.0.0") localport(514));
#	udp(localip("127.0.0.1") localport(514));
#	udp(localip("192.168.0.1") localport(514));
#	tcp(localip("0.0.0.0") localport(514) max-connections(5));
#	tcp(localip("127.0.0.1") localport(514) max-connections(50));
#	tcp(localip("192.168.0.1") localport(514) max-connections(50));
#};

## tenshi (log monitoring)
#log { source(s_remote); destination(d_tenshi); };

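## all hosts, all messages
## note: the ${HOST} path component is the hostname taken from the received
## message while keep_hostname(yes) is set in the global options, so a sender
## chooses the directory it logs into; t_remote_r also records ${SOURCEIP}
## in each line, which identifies the actual sending address.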
#destination d_remote_hosts { file("/var/log/syslog-ng.remote/${R_YEAR}/${R_MONTH}/${R_DAY}/${HOST}/messages" template(t_remote_r)); };
#log { source(s_remote); destination(d_remote_hosts); };

## all hosts, kernel messages
#destination d_remote_hosts_kernel { file("/var/log/syslog-ng.remote/${R_YEAR}/${R_MONTH}/${R_DAY}/${HOST}/kernel.log" template(t_remote_r)); };
#log { source(s_remote); filter(f_kern); destination(d_remote_hosts_kernel); };

## all hosts, user messages
#destination d_remote_hosts_user { file("/var/log/syslog-ng.remote/${R_YEAR}/${R_MONTH}/${R_DAY}/${HOST}/user.log" template(t_remote_r)); };
#log { source(s_remote); filter(f_user); destination(d_remote_hosts_user); };