SYSLOG - syslog-NG configuration file

From PedroWiki

Introduction

The syslog-ng configuration file is made up of several sections:

  1. The server's global options.
  2. The log data sources.
  3. The filters that can be applied to those sources.
  4. The description of the logs themselves.

When setting up the syslog-ng server at INSA, we chose to put the udp() directive not in the options but only in the source that concerns us.

Options

options {
        # disable the chained hostname format in logs
        # (default is enabled)
        chain_hostnames(0);

        # the time to wait before a died connection is re-established
        # (default is 60)
        time_reopen(10);

        # the time to wait before an idle destination file is closed
        # (default is 60)
        time_reap(360);

        # the number of lines buffered before written to file
        # you might want to increase this if your disk isn't catching with
        # all the log messages you get or if you want less disk activity
        # (say on a laptop)
        # (default is 0)
        #sync(0);

        # the number of lines fitting in the output queue
        log_fifo_size(2048);

        # enable or disable directory creation for destination files
        create_dirs(yes);

        # default owner, group, and permissions for log files
        # (defaults are 0, 0, 0600)
        #owner(root);
        group(adm);
        perm(0640);

        # default owner, group, and permissions for created directories
        # (defaults are 0, 0, 0700)
        #dir_owner(root);
        #dir_group(root);
        dir_perm(0755);

        # enable or disable DNS usage
        # syslog-ng blocks on DNS queries, so enabling DNS may lead to
        # a Denial of Service attack
        # (default is yes)
        use_dns(no);
        #use_dns(yes);
        #dns_cache(yes);

        # maximum length of message in bytes
        # this is only limited by the program listening on the /dev/log Unix
        # socket, glibc can handle arbitrary length log messages, but -- for
        # example -- syslogd accepts only 1024 bytes
        # (default is 2048)
        #log_msg_size(2048);

        # disable statistic log messages
        stats_freq(0);
};

Sources

# all known message sources
source s_all {
        # messages generated by syslog-ng itself
        internal();
        # standard Linux log source (this is the default place for the syslog()
        # function to send logs to)
        unix-stream("/dev/log");
        # messages from the kernel
        file("/proc/kmsg" log_prefix("kernel: "));
        # use the following line if you want to receive remote UDP logging messages
        # (this is equivalent to the "-r" syslogd flag)
        #udp();
};

source s_ent {
        unix-stream("/dev/log");
        udp();
};

Destinations

The "file" destinations:
destination df_ent_portal { file("/var/log/ent/portal.log"); };
destination df_ent_stats { file("/var/log/ent/stats.log"); };

The "database" destination:
destination d_mysql {
        # each log line is piped to the mysql client as one INSERT statement;
        # the password passed with -p is visible in the process list
        program("/usr/bin/mysql -usyslogadmin -p********* syslog-ng"
                template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg)
                VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
                # backslash-escape ', " and \ in the macro values so a quote
                # inside a message cannot break the statement
                template-escape(yes));
};
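As an added illustration, not taken from this page or from syslog-ng itself, the Python below models how the d_mysql template is expanded and what template-escape(yes) changes. It assumes syslog-ng's documented behaviour of backslash-escaping ', " and \ in each macro value, that $PRIORITY and $LEVEL both hold the level name and $TAG the priority as two hex digits; the sample message is constructed.

```python
import re

# The INSERT template of the d_mysql destination, whitespace collapsed.
SQL_TEMPLATE = (
    "INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) "
    "VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', "
    "'$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );"
)
FACILITIES = {"local4": 20, "local5": 21}     # facility codes used on this page
LEVELS = {"info": 6, "notice": 5, "warning": 4}

def template_escape(value):
    """What template-escape(yes) does to a macro value: prefix ', " and \\
    with a backslash so the mysql client reads it as one string literal."""
    return re.sub(r"([\\'\"])", r"\\\1", value)

def macros(host, facility, level, program, msg, ts):
    """Macro values for one (constructed) message, named as in the template."""
    y, mo, d, h, mi, s = ts
    return {
        "HOST": host, "FACILITY": facility,
        "PRIORITY": level, "LEVEL": level,   # both carry the level name
        "TAG": "%02x" % (FACILITIES[facility] * 8 + LEVELS[level]),
        "YEAR": "%04d" % y, "MONTH": "%02d" % mo, "DAY": "%02d" % d,
        "HOUR": "%02d" % h, "MIN": "%02d" % mi, "SEC": "%02d" % s,
        "PROGRAM": program, "MSG": msg,
    }

def expand(values, escape):
    """Fill every $NAME in the template; escape=True models template-escape(yes)."""
    def sub(m):
        v = values[m.group(1)]
        return template_escape(v) if escape else v
    return re.sub(r"\$([A-Z]+)", sub, SQL_TEMPLATE)

def quotes_balanced(sql):
    """Rough view of what the mysql client sees: is every unescaped ' paired?"""
    return re.sub(r"\\.", "", sql).count("'") % 2 == 0

# Constructed local5 message whose text legitimately contains an apostrophe.
SAMPLE = macros("10.5.1.6", "local5", "info", "portal",
                "can't open session for user bob", (2009, 3, 14, 10, 5, 0))

if __name__ == "__main__":
    for esc in (False, True):
        sql = expand(SAMPLE, esc)
        print("template-escape(%s) balanced=%s" % ("yes" if esc else "no",
                                                    quotes_balanced(sql)))
        print("  " + sql)
```

Without escaping, the apostrophe in the message closes the string literal early and the INSERT no longer parses as one statement; with escaping it is stored as part of the message.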

Filters

The following filter has to be modified so that our logs do not end up in /var/log/syslog.
# all messages except from the auth and authpriv facilities
#filter f_syslog { not facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv, local4, local5); };

The following filter has to be modified so that our logs do not end up in /var/log/messages.
# all messages of info, notice, or warn priority not coming from the auth,
# authpriv, cron, daemon, mail, and news facilities
#filter f_messages {
#        level(info,notice,warn)
#            and not facility(auth,authpriv,cron,daemon,mail,news);
#};
filter f_messages {
        level(info,notice,warn)
            and not facility(auth,authpriv,cron,daemon,mail,news,local4,local5);
};

filter f_chapi { host( "10.5.1.3" ); };
filter f_chapo { host( "10.5.1.6" ); };
filter f_chapu { host( "10.5.1.12" ); };
filter f_ent_stats { facility(local4); };
filter f_ent_portal { facility(local5); };

Logs

File portal.log:
log {
        source(s_ent);
        filter(f_chapo);
        filter(f_ent_portal);
        destination(df_ent_portal);
        destination(d_mysql);
};

File stats.log:
log {
        source(s_ent);
        filter(f_chapo);
        filter(f_ent_stats);
        destination(df_ent_stats);
};