HOWTO:Installing syslog-ng
From EnGardeWiki
This describes how to install and configure syslog-ng on EnGarde Secure Linux.
Introduction
syslog-ng is a replacement for syslogd with functionality the original lacks. The original syslogd can only sort messages by priority/facility pairs; syslog-ng adds filtering on message contents using regular expressions. The configuration scheme is intuitive and powerful. Forwarding logs over TCP and recording every forwarding hop in the message makes it well suited to firewalled environments. It can filter messages by level and content, log to a remote host like syslog, accept logs from syslogd, write to a TTY, execute programs, and act as a logging server.
To demonstrate syslog-ng, the example below sets up a log server that receives logs from two machines. The two machines sending logs are a router and an Internet-facing server; both are treated as clients in the following setup because both send their logs to the "log server".
The actual setup is a Netgear router and an EnGarde Secure Linux server hosting websites, both sending logs to a second EnGarde Secure Linux server kept for security purposes. Configuring the router is simple: enter the IP address of the log server under "Send to this Syslog server IP address" in the "Content Filtering" - "Logs" area of the router's administration interface.
Setup terminology - Note: the machine referred to below as the server is the log server, with IP address 192.168.0.42. The client machine has IP address 192.168.0.10 and the client router has IP address 192.168.0.1.
Enable SSH Access To The Server
You will need to have SSH access as the "root" user to the EnGarde server that will be running syslog-ng. Refer to the EnGarde Secure Linux 3.0 Quick Start Guide section "6.5. Setting up Remote Access".
Installing syslog-ng
syslog-ng is installed by default.
Firewall Information
syslog-ng uses the following ports: UDP port 514 or TCP port 1468. Listed below are example rules for either Shorewall or iptables allowing syslog-ng to operate using UDP port 514. Keep in mind that UDP syslog is neither authenticated nor encrypted and the source address of a UDP datagram can be forged, so restricting the server rules to the two client addresses limits who can inject messages into your logs but does not prove who sent them. The ACCEPT rules assume the chain's default policy denies everything else; never open port 514 to all sources.
Note : The CLIENT and SERVER "rules" relate to the machines which the rules are to be activated on.
Shorewall
| RULE | ACTION | SOURCE | DEST | PROTO | DEST-PORT |
| CLIENT : Send to Server | ACCEPT | $FW | 192.168.0.42 | udp | 514 |
| SERVER : Receive from Client | ACCEPT | 192.168.0.10 | $FW | udp | 514 |
| SERVER : Receive from Router | ACCEPT | 192.168.0.1 | $FW | udp | 514 |
iptables
Rule for Client ($IPTABLES holds the path to the iptables binary) :
$IPTABLES -t filter -A OUTPUT -p udp -d 192.168.0.42 --dport 514 -j ACCEPT
Rules for Server :
$IPTABLES -t filter -A INPUT -p udp -s 192.168.0.10 --dport 514 -j ACCEPT
$IPTABLES -t filter -A INPUT -p udp -s 192.168.0.1 --dport 514 -j ACCEPT
Configuring syslog-ng to send logs to a remote server from a client
The configuration file for syslog-ng is /etc/syslog-ng.conf
Uncomment the following line and insert the address of the machine the logs are to be sent to :
destination loghost { udp("192.168.0.42" port(514)); };
Uncomment the following line :
log { source(src); filter(f_info); destination(loghost); };
To enable a more comprehensive level of logging you may also want to uncomment two more lines :
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_b-syslog); destination(syslog); };
To start syslog-ng, issue the command /etc/init.d/sysklogd restart :
# /etc/init.d/sysklogd restart
Note : do not run klogd and a syslog-ng that fetches local kernel messages itself (for example from /proc/kmsg) at the same time. Doing so may cause syslog-ng to block, which makes logging unusable for all local daemons.
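The fragments above are edits to EnGarde's stock file. For reference, here is a complete client-side configuration that does the same thing, written as an added example for this page (it is not the EnGarde default file). Only the addresses and ports come from the setup described above; the names src, f_all, d_local, loghost and loghost_tcp are chosen for this example, and the syntax is syslog-ng 1.x as used in the fragments on this page.

```conf
# /etc/syslog-ng.conf - CLIENT side (192.168.0.10). Added example.

options {
    sync(0);             # flush each message to disk immediately
    use_dns(no);         # never stall logging on a DNS lookup
    keep_hostname(yes);  # keep our own hostname in forwarded messages
    stats(43200);        # emit an internal statistics line every 12 hours
};

# Local sources: the syslog socket and syslog-ng's own messages.
# Kernel messages reach /dev/log through klogd; do not add
# pipe("/proc/kmsg") here while klogd is running (see the note above).
source src { unix-stream("/dev/log"); internal(); };

# Everything at priority info or above
filter f_all { level(info..emerg); };

# Keep a local copy, so a down network or log server does not lose evidence
destination d_local { file("/var/log/messages"); };

# Remote copy over UDP, as in the setup above. UDP is fire-and-forget:
# dropped datagrams are silently lost and nothing authenticates the sender.
destination loghost { udp("192.168.0.42" port(514)); };

# Alternative: TCP to the port named in the firewall section. TCP confirms
# delivery to the server process (not just to the wire) but still provides
# neither encryption nor authentication.
destination loghost_tcp { tcp("192.168.0.42" port(1468)); };

log { source(src); filter(f_all); destination(d_local); };
log { source(src); filter(f_all); destination(loghost); };
# log { source(src); filter(f_all); destination(loghost_tcp); };
```

After restarting syslog-ng on the client, run logger -p user.info "syslog-ng test" there and confirm the line appears both in the client's /var/log/messages and in the server's log; if it reaches the first and not the second, check the firewall rules before the configuration.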
Configuring a server running syslog-ng to accept logs from a remote client
The configuration file for syslog-ng is /etc/syslog-ng.conf
Uncomment the following line :
source net { udp(); };
This makes syslog-ng listen for UDP syslog on port 514 on every interface of the server; the firewall rules above are what restrict who may actually send to it.
Uncomment the following line :
log { source(src); source(net); filter(f_messages); destination(messages); };
To start syslog-ng, issue the command /etc/init.d/sysklogd restart :
# /etc/init.d/sysklogd restart
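The two uncommented lines above mix remote and local messages into one /var/log/messages. The following server-side configuration is an added example (not the EnGarde default file) showing the settings a log server should have in addition: it binds only to the internal address, ignores the hostname a client claims in favour of the address the server observed, and keeps one file per sender. The names src, net, f_messages and messages are the page's; f_clients and d_perhost are chosen here, and the definition of f_messages is an assumption. The syntax is syslog-ng 1.x; the netmask() filter needs syslog-ng 1.6 or later.

```conf
# /etc/syslog-ng.conf - SERVER side (192.168.0.42). Added example.

options {
    sync(0);
    use_dns(no);         # no DNS dependency, and a sender cannot shape $HOST
                         # through PTR records it controls
    keep_hostname(no);   # replace the hostname claimed inside the message with
                         # the sender address syslog-ng itself observed
    chain_hostnames(no);
    create_dirs(yes);    # let file() create /var/log/remote/<host>/
    dir_perm(0750);
    perm(0640);
    owner("root");
    group("root");
};

source src { unix-stream("/dev/log"); internal(); };

# Listen on the internal address only, not on every interface
source net { udp(ip("192.168.0.42") port(514)); };

# Second line of defence behind the firewall: only the local LAN may log here
filter f_clients  { netmask(192.168.0.0/255.255.255.0); };
filter f_messages { level(info..emerg); };   # assumed definition

destination messages { file("/var/log/messages"); };

# One file per sender and per day, so a noisy or compromised client cannot
# bury or overwrite another host's records. With use_dns(no) and
# keep_hostname(no), $HOST is the sender's IP address.
destination d_perhost { file("/var/log/remote/$HOST/$YEAR$MONTH$DAY.log"); };

log { source(src); filter(f_messages); destination(messages); };
log { source(net); filter(f_clients); filter(f_messages); destination(d_perhost); };
```

Separating remote from local logs matters during an incident: a client that has been compromised can write anything it likes into its own stream, but it cannot touch /var/log/remote/192.168.0.1/ or the server's own /var/log/messages, so the server copy is the one to trust when the two disagree.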
How to send specific items to a remote server
Logging of SELinux error messages using regexp
SELinux error messages can be identified using the "match(regexp)" filter function: every SELinux AVC message contains the letters "avc", and that is what is used here to capture them.
Define the available log destination for SELinux error message logs as /var/log/avc.log :
destination avc { file("/var/log/avc.log"); };
Set the filter for "avc" :
filter f_avc { match("avc"); };
Define logging :
log { source(src); filter(f_avc); destination(avc); };
Send a copy of the "avc" log to the server as well, so the record survives if this host is compromised :
log { source(src); filter(f_avc); destination(loghost); };
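A bare match("avc") is a substring regular expression, so it also fires on any message that merely contains those three letters (in a hostname, a URL or a filename). The variant below, an added example that is not from the page or from EnGarde, anchors on the real prefix and the kernel facility instead, restricts the file permissions, and feeds both destinations from one log statement. It assumes the client configuration above (source src, destination loghost); the names f_avc_denied and d_avc are chosen here, and the sample AVC line in the comment is constructed.

```conf
# SELinux AVC logging. Added example.

# AVC messages are emitted by the kernel and look like (constructed sample):
#   kernel: audit(1150000000.123:45): avc:  denied  { read } for pid=1234 ...
# "avc:  granted" lines from auditallow rules exist too; this filter keeps
# only the denials.
filter f_avc_denied { facility(kern) and match("avc: +denied"); };

destination d_avc { file("/var/log/avc.log" perm(0600) owner("root") group("root")); };

# One log statement, two destinations: the local file keeps a copy if the
# network is down, the remote copy survives a compromise of this host.
log { source(src); filter(f_avc_denied); destination(d_avc); destination(loghost); };
```

One caveat before relying on either filter: if auditd is running, the kernel hands audit records (AVC messages included) to auditd over its netlink socket instead of printing them to the kernel log, so nothing reaches klogd or syslog-ng at all. In that case look in /var/log/audit/audit.log and forward from there.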
Conclusion
At this point, you should be capable of using a basic installation of syslog-ng. There are many more combinations of both simple and advanced techniques and directives that can be used to log information from and to your server.
