My department has several Linux computers, and auditing the logs is tiresome when each machine keeps its own. Vanilla syslog does offer remote logging, but it sends over UDP, so congestion, a busy receiver or a single lost datagram silently drops messages. syslog-ng transmits over TCP, which makes drops far less common — though plain TCP syslog is still not fully reliable (see the second reference at the end), so keep the local copies as well.

Compiling syslog-ng was required because the only prebuilt binaries available to us were the vendor's licensed ones, which require a support contract. Under RHEL/CentOS the eventlog build goes as planned, but things go wrong when configuring syslog-ng itself: it complains `configure: error: Cannot find eventlog version >= 0.2: is pkg-config in path?`. This is an easy problem, fixed by pointing pkg-config at the eventlog installation when running configure:

PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure --sysconfdir=/etc

(Note the two plain ASCII hyphens before sysconfdir; the en dash that web pages often substitute is rejected by configure.)

This puts syslog-ng.conf in /etc/syslog-ng.conf, matching the RHEL/CentOS layout. Since eventlog was installed under /usr/local, if syslog-ng later fails to start because libevtlog cannot be found, add /usr/local/lib to /etc/ld.so.conf and run ldconfig.

To get the init script working, copy the sample that ships with syslog-ng into /etc/init.d and make it executable (chmod 755):

cp contrib/init.d.RedHat-7.3 /etc/init.d/syslog-ng

After that it is time to configure syslog-ng on the log host.

my syslog-ng.conf file looks something like this:

# this syslog-ng.conf is for the log server

#everything is logged into /var/log
#and the remote hosts in /var/log/HOSTS/….

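options {
    # Flush every message to disk immediately (no write batching).
    sync (0);
    # Seconds to wait before retrying a failed connection/open.
    time_reopen (10);
    # Messages queued per destination while it is busy; anything beyond is dropped.
    log_fifo_size (1000);
    long_hostnames (off);
    # Reverse-resolves client addresses; a slow or unreachable resolver stalls
    # reception, so consider use_dns(no) if this host is exposed.
    use_dns (yes);
    use_fqdn (no);
    # Let syslog-ng create /var/log/HOSTS/<host>/ itself instead of by hand.
    create_dirs (yes);
    # Trust the hostname inside the message rather than the sending address.
    # That value also selects the per-host directory below, so tokens that are
    # not valid hostnames (e.g. containing '/' or '..') must not be used as one.
    keep_hostname (yes);
    check_hostname (yes);
    stats(86400);
    # Logs hold usernames and login activity: keep them unreadable to other users.
    dir_perm(0750);
    perm(0640);
};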

#
# At around 1999 some distributions have changed from using SOCK_STREAM
# to SOCK_DGRAM sockets, see these posts about the issue:
#
# http://www.security-express.com/archives/bugtraq/1999-q4/0071.html
# http://marc.theaimsgroup.com/?l=sysklogd&m=96989685607952&w=2
#
# libc and syslog clients generally automatically detect the socket type,
# so you are free to decide which of unix-stream or unix-dgram you want to use.
#

#——————-
# source
#——————-
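# Local sources: kernel ring buffer, the /dev/log socket and syslog-ng's own messages.
source int { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };
# Unauthenticated UDP/514 listener on all interfaces, used only for the router
# (see the f_local4 path); restrict it at the firewall to the router's address.
source ext { udp(); };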

#——————-
# destination
#——————-
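# Local log files. The $YEAR$MONTH suffix starts a new file each month; old
# months are never removed by syslog-ng and must be pruned separately.
destination alluser { usertty("*"); };
destination auth { file("/var/log/auth.log.$YEAR$MONTH"); };
destination authpriv { file("/var/log/authpriv.log.$YEAR$MONTH"); };
destination lpr { file("/var/log/lpr.log.$YEAR$MONTH"); };
destination boot { file("/var/log/boot.log.$YEAR$MONTH"); };
destination console { file("/dev/console"); };
destination cron { file("/var/log/cron.log.$YEAR$MONTH"); };
destination daemon { file("/var/log/daemon.log.$YEAR$MONTH"); };
destination kern { file("/var/log/kernel.log.$YEAR$MONTH"); };
destination local0 { file("/var/log/local0.log.$YEAR$MONTH"); };
destination local1 { file("/var/log/local1.log.$YEAR$MONTH"); };
destination local2 { file("/var/log/local2.log.$YEAR$MONTH"); };
destination local3 { file("/var/log/local3.log.$YEAR$MONTH"); };
destination local4 { file("/var/log/local4.log.$YEAR$MONTH"); };
destination local5 { file("/var/log/local5.log.$YEAR$MONTH"); };
destination local6 { file("/var/log/local6.log.$YEAR$MONTH"); };
destination local7 { file("/var/log/local7.log.$YEAR$MONTH"); };
destination mail { file("/var/log/mail.log.$YEAR$MONTH"); };
destination messages { file("/var/log/messages.$YEAR$MONTH"); };
destination named { file("/var/log/named.log.$YEAR$MONTH"); };
destination news { file("/var/log/news.log.$YEAR$MONTH"); };
destination router { file("/var/log/router.log.$YEAR$MONTH"); };
destination secure { file("/var/log/secure.$YEAR$MONTH"); };
destination snmp { file("/var/log/snmp.log.$YEAR$MONTH"); };
destination sshd { file("/var/log/ssh.log.$YEAR$MONTH"); };
destination syslog { file("/var/log/syslog.log.$YEAR$MONTH"); };
destination user { file("/var/log/user.log.$YEAR$MONTH"); };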

#——————-
# filter
#——————-
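# Filters are mostly per facility; f_named/f_sshd/f_syslog match on the program
# name the sender put in the message, so a message can match several filters.
filter f_auth { facility(auth); };
filter f_authpriv { facility(authpriv); };
filter f_lpr { facility(lpr); };
filter f_console { level(warn..emerg) and facility(kern); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_emergency { level(emerg); };
filter f_kern { facility(kern); };
filter f_local0 { facility(local0); };
filter f_local1 { facility(local1); };
filter f_local2 { facility(local2); };
filter f_local3 { facility(local3); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };
filter f_mail { facility(mail); };
# Catch-all for info..warn only; debug and err..emerg of unlisted facilities are not covered here.
filter f_messages { level(info..warn) and not facility(auth,authpriv,cron,lpr,mail,news,local1,local2); };
filter f_named { program("named"); };
filter f_news { facility(news); };
filter f_secure { facility(auth,authpriv); };
filter f_sshd { program("sshd"); };
filter f_syslog { program("syslog-ng"); };
filter f_user { facility(user); };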

#——————-
# log
#——————-
# Local routing: one file per facility. A message may match several filters and
# is then written to each matching destination (no flags(final) is used).
# -- authentication --
log { source(int); filter(f_auth);      destination(auth);      };
log { source(int); filter(f_authpriv);  destination(authpriv);  };
log { source(int); filter(f_secure);    destination(secure);    };
log { source(int); filter(f_sshd);      destination(sshd);      };
# -- kernel / console / emergencies --
log { source(int); filter(f_kern);      destination(kern);      };
log { source(int); filter(f_console);   destination(console);   };
log { source(int); filter(f_emergency); destination(alluser);   };
# -- standard facilities --
log { source(int); filter(f_cron);      destination(cron);      };
log { source(int); filter(f_daemon);    destination(daemon);    };
log { source(int); filter(f_lpr);       destination(lpr);       };
log { source(int); filter(f_mail);      destination(mail);      };
log { source(int); filter(f_news);      destination(news);      };
log { source(int); filter(f_user);      destination(user);      };
log { source(int); filter(f_messages);  destination(messages);  };
# -- program-based --
log { source(int); filter(f_named);     destination(named);     };
log { source(int); filter(f_syslog);    destination(syslog);    };
# -- local0..local7; local1 carries snmp and local7 boot messages --
log { source(int); filter(f_local0);    destination(local0);    };
log { source(int); filter(f_local1);    destination(snmp);      };
log { source(int); filter(f_local2);    destination(local2);    };
log { source(int); filter(f_local3);    destination(local3);    };
log { source(int); filter(f_local4);    destination(local4);    };
log { source(int); filter(f_local5);    destination(local5);    };
log { source(int); filter(f_local6);    destination(local6);    };
log { source(int); filter(f_local7);    destination(boot);      };

# The router sends at facility local4 over UDP (source ext).
log { source(ext); filter(f_local4);    destination(router);    };

#remote logging type stuff - pauls june 7th 2008
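# Listener for the clients. It binds 0.0.0.0:514 with no authentication or
# encryption, so restrict it at the firewall to the client hosts. tcp() refuses
# connections beyond max_connections(), which defaults to 10 -- size it for the
# number of clients.
source s_remote {
    tcp(port(514) max_connections(50));
};
# Unfiltered per-host copy, only used if the commented-out log path below is
# enabled. It lives inside the per-host directory: a plain /var/log/HOSTS/$HOST
# file would collide with the directory the r_* destinations need.
destination d_clients { file("/var/log/HOSTS/$HOST/all.log.$YEAR$MONTH"); };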

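# Per-client files under /var/log/HOSTS/<host>/. $HOST is taken from the message
# itself (keep_hostname(yes)), i.e. it is whatever the client reports.
destination r_auth { file("/var/log/HOSTS/$HOST/auth.log.$YEAR$MONTH"); };
destination r_authpriv { file("/var/log/HOSTS/$HOST/authpriv.log.$YEAR$MONTH"); };
destination r_lpr { file("/var/log/HOSTS/$HOST/lpr.log.$YEAR$MONTH"); };
destination r_boot { file("/var/log/HOSTS/$HOST/boot.log.$YEAR$MONTH"); };
destination r_cron { file("/var/log/HOSTS/$HOST/cron.log.$YEAR$MONTH"); };
destination r_daemon { file("/var/log/HOSTS/$HOST/daemon.log.$YEAR$MONTH"); };
destination r_kern { file("/var/log/HOSTS/$HOST/kernel.log.$YEAR$MONTH"); };
destination r_local0 { file("/var/log/HOSTS/$HOST/local0.log.$YEAR$MONTH"); };
destination r_local1 { file("/var/log/HOSTS/$HOST/local1.log.$YEAR$MONTH"); };
destination r_local2 { file("/var/log/HOSTS/$HOST/local2.log.$YEAR$MONTH"); };
destination r_local3 { file("/var/log/HOSTS/$HOST/local3.log.$YEAR$MONTH"); };
destination r_local4 { file("/var/log/HOSTS/$HOST/local4.log.$YEAR$MONTH"); };
destination r_local5 { file("/var/log/HOSTS/$HOST/local5.log.$YEAR$MONTH"); };
destination r_local6 { file("/var/log/HOSTS/$HOST/local6.log.$YEAR$MONTH"); };
destination r_local7 { file("/var/log/HOSTS/$HOST/local7.log.$YEAR$MONTH"); };
destination r_mail { file("/var/log/HOSTS/$HOST/mail.log.$YEAR$MONTH"); };
destination r_messages { file("/var/log/HOSTS/$HOST/messages.$YEAR$MONTH"); };
destination r_named { file("/var/log/HOSTS/$HOST/named.log.$YEAR$MONTH"); };
destination r_news { file("/var/log/HOSTS/$HOST/news.log.$YEAR$MONTH"); };
destination r_secure { file("/var/log/HOSTS/$HOST/secure.$YEAR$MONTH"); };
destination r_snmp { file("/var/log/HOSTS/$HOST/snmp.log.$YEAR$MONTH"); };
destination r_sshd { file("/var/log/HOSTS/$HOST/ssh.log.$YEAR$MONTH"); };
destination r_syslog { file("/var/log/HOSTS/$HOST/syslog.log.$YEAR$MONTH"); };
destination r_user { file("/var/log/HOSTS/$HOST/user.log.$YEAR$MONTH"); };
destination r_other { file("/var/log/HOSTS/$HOST/other.log.$YEAR$MONTH"); };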

#log { source(s_remote); destination(d_clients); };
# Remote routing: same filters as the local paths, one tree per client. Messages
# that match none of the filters below (for example facility uucp/ftp/syslog at
# levels outside info..warn, or anything at debug) are discarded on the server;
# enable the d_clients path above to keep a complete copy.
# -- authentication --
log { source(s_remote); filter(f_auth);      destination(r_auth);      };
log { source(s_remote); filter(f_authpriv);  destination(r_authpriv);  };
log { source(s_remote); filter(f_secure);    destination(r_secure);    };
log { source(s_remote); filter(f_sshd);      destination(r_sshd);      };
# -- kernel / emergencies (remote hosts get a file, not the console or usertty) --
log { source(s_remote); filter(f_kern);      destination(r_kern);      };
log { source(s_remote); filter(f_console);   destination(r_other);     };
log { source(s_remote); filter(f_emergency); destination(r_other);     };
# -- standard facilities --
log { source(s_remote); filter(f_cron);      destination(r_cron);      };
log { source(s_remote); filter(f_daemon);    destination(r_daemon);    };
log { source(s_remote); filter(f_lpr);       destination(r_lpr);       };
log { source(s_remote); filter(f_mail);      destination(r_mail);      };
log { source(s_remote); filter(f_news);      destination(r_news);      };
log { source(s_remote); filter(f_user);      destination(r_user);      };
log { source(s_remote); filter(f_messages);  destination(r_messages);  };
# -- program-based --
log { source(s_remote); filter(f_named);     destination(r_named);     };
log { source(s_remote); filter(f_syslog);    destination(r_syslog);    };
# -- local0..local7; local1 carries snmp and local7 boot messages --
log { source(s_remote); filter(f_local0);    destination(r_local0);    };
log { source(s_remote); filter(f_local1);    destination(r_snmp);      };
log { source(s_remote); filter(f_local2);    destination(r_local2);    };
log { source(s_remote); filter(f_local3);    destination(r_local3);    };
log { source(s_remote); filter(f_local4);    destination(r_local4);    };
log { source(s_remote); filter(f_local5);    destination(r_local5);    };
log { source(s_remote); filter(f_local6);    destination(r_local6);    };
log { source(s_remote); filter(f_local7);    destination(r_boot);      };

and on the logging clients like this:

#use this file on any linux hosts to have it upload its logs to the log server logger.
#this will also keep a local copy of the logs
#created june 8th 2008 pauls
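options {
    # Flush every message to disk immediately (no write batching).
    sync (0);
    # Seconds to wait before reconnecting to the log host after a failure.
    time_reopen (10);
    # Messages queued for d_loghost while the log host is unreachable; beyond
    # this they are dropped (the local files are unaffected). Raise it if
    # outages longer than a burst of 1000 messages must be survived.
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (yes);
    use_fqdn (no);
    # No subdirectories are used on the client, so nothing needs creating.
    create_dirs (no);
    keep_hostname (yes);
    stats(86400);
    # The local copies also contain auth/ssh activity: not world-readable.
    dir_perm(0750);
    perm(0640);
};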

#
# At around 1999 some distributions have changed from using SOCK_STREAM
# to SOCK_DGRAM sockets, see these posts about the issue:
#
# http://www.security-express.com/archives/bugtraq/1999-q4/0071.html
# http://marc.theaimsgroup.com/?l=sysklogd&m=96989685607952&w=2
#
# libc and syslog clients generally automatically detect the socket type,
# so you are free to decide which of unix-stream or unix-dgram you want to use.
#

#——————-
# source
#——————-
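# Local sources: kernel ring buffer, the /dev/log socket and syslog-ng's own messages.
source int { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };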

#——————-
# destination
#——————-
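# Local copies kept on the client. The $YEAR$MONTH suffix starts a new file each
# month; old months are never removed by syslog-ng and must be pruned separately.
destination alluser { usertty("*"); };
destination auth { file("/var/log/auth.log.$YEAR$MONTH"); };
destination authpriv { file("/var/log/authpriv.log.$YEAR$MONTH"); };
destination lpr { file("/var/log/lpr.log.$YEAR$MONTH"); };
destination boot { file("/var/log/boot.log.$YEAR$MONTH"); };
destination console { file("/dev/console"); };
destination cron { file("/var/log/cron.log.$YEAR$MONTH"); };
destination daemon { file("/var/log/daemon.log.$YEAR$MONTH"); };
destination kern { file("/var/log/kernel.log.$YEAR$MONTH"); };
destination local0 { file("/var/log/local0.log.$YEAR$MONTH"); };
destination local1 { file("/var/log/local1.log.$YEAR$MONTH"); };
destination local2 { file("/var/log/local2.log.$YEAR$MONTH"); };
destination local3 { file("/var/log/local3.log.$YEAR$MONTH"); };
destination local4 { file("/var/log/local4.log.$YEAR$MONTH"); };
destination local5 { file("/var/log/local5.log.$YEAR$MONTH"); };
destination local6 { file("/var/log/local6.log.$YEAR$MONTH"); };
destination local7 { file("/var/log/local7.log.$YEAR$MONTH"); };
destination mail { file("/var/log/mail.log.$YEAR$MONTH"); };
destination messages { file("/var/log/messages.$YEAR$MONTH"); };
destination named { file("/var/log/named.log.$YEAR$MONTH"); };
destination news { file("/var/log/news.log.$YEAR$MONTH"); };
destination secure { file("/var/log/secure.$YEAR$MONTH"); };
destination snmp { file("/var/log/snmp.log.$YEAR$MONTH"); };
destination sshd { file("/var/log/ssh.log.$YEAR$MONTH"); };
destination syslog { file("/var/log/syslog.log.$YEAR$MONTH"); };
destination user { file("/var/log/user.log.$YEAR$MONTH"); };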

#——————-
# filter
#——————-
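# Filters are mostly per facility; f_named/f_sshd/f_syslog match on the program
# name in the message, so a message can match several filters.
filter f_auth { facility(auth); };
filter f_authpriv { facility(authpriv); };
filter f_lpr { facility(lpr); };
filter f_console { level(warn..emerg) and facility(kern); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_emergency { level(emerg); };
filter f_kern { facility(kern); };
filter f_local0 { facility(local0); };
filter f_local1 { facility(local1); };
filter f_local2 { facility(local2); };
filter f_local3 { facility(local3); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };
filter f_mail { facility(mail); };
# Catch-all for info..warn only; debug and err..emerg of unlisted facilities are not covered here.
filter f_messages { level(info..warn) and not facility(auth,authpriv,cron,lpr,mail,news,local1,local2); };
filter f_named { program("named"); };
filter f_news { facility(news); };
filter f_secure { facility(auth,authpriv); };
filter f_sshd { program("sshd"); };
filter f_syslog { program("syslog-ng"); };
filter f_user { facility(user); };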

#——————-
# log
#——————-
# Local routing: one file per facility. A message may match several filters and
# is then written to each matching destination (no flags(final) is used).
# -- authentication --
log { source(int); filter(f_auth);      destination(auth);      };
log { source(int); filter(f_authpriv);  destination(authpriv);  };
log { source(int); filter(f_secure);    destination(secure);    };
log { source(int); filter(f_sshd);      destination(sshd);      };
# -- kernel / console / emergencies --
log { source(int); filter(f_kern);      destination(kern);      };
log { source(int); filter(f_console);   destination(console);   };
log { source(int); filter(f_emergency); destination(alluser);   };
# -- standard facilities --
log { source(int); filter(f_cron);      destination(cron);      };
log { source(int); filter(f_daemon);    destination(daemon);    };
log { source(int); filter(f_lpr);       destination(lpr);       };
log { source(int); filter(f_mail);      destination(mail);      };
log { source(int); filter(f_news);      destination(news);      };
log { source(int); filter(f_user);      destination(user);      };
log { source(int); filter(f_messages);  destination(messages);  };
# -- program-based --
log { source(int); filter(f_named);     destination(named);     };
log { source(int); filter(f_syslog);    destination(syslog);    };
# -- local0..local7; local1 carries snmp and local7 boot messages --
log { source(int); filter(f_local0);    destination(local0);    };
log { source(int); filter(f_local1);    destination(snmp);      };
log { source(int); filter(f_local2);    destination(local2);    };
log { source(int); filter(f_local3);    destination(local3);    };
log { source(int); filter(f_local4);    destination(local4);    };
log { source(int); filter(f_local5);    destination(local5);    };
log { source(int); filter(f_local6);    destination(local6);    };
log { source(int); filter(f_local7);    destination(boot);      };

#remote logging type stuff - pauls june 7th 2008
#
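# Forward a copy of every local message to the central log host over plain
# TCP/514. The stream is neither encrypted nor authenticated, so keep it on a
# trusted network segment. While the log host is unreachable syslog-ng queues
# up to log_fifo_size() messages and drops the rest; the local files above
# are written regardless.
destination d_loghost { tcp("logger.cs.lamar.edu" port(514)); };
log { source(int); destination(d_loghost); };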

After the config files are set up, make the init script executable, start syslog-ng, and then disable the stock syslog (e.g. with chkconfig) so the two do not both try to own /dev/log. On the log host, also restrict TCP/514 (and UDP/514 for the router source) at the firewall to the client addresses: the tcp() source accepts connections from any host, and plain TCP syslog is neither authenticated nor encrypted, so anyone who can reach the port can inject fake entries.

Remember that, as written, the options set perm(0644) and dir_perm(0755), so every new log file — including the auth, secure and ssh logs full of usernames and login activity — is world-readable. Tighten perm()/dir_perm() (e.g. 0640/0750) or fix the permissions after the files appear, to prevent unauthorized access to the information.

Also, because the server options set create_dirs(no), a directory must be created under /var/log/HOSTS for each machine uploading logs — named exactly as that client reports its hostname — or syslog-ng cannot open the per-host files; setting create_dirs(yes) lets it create them itself.

ref: http://www.kajukaju.net/centos/syslogng.php - note: linux transcends language

http://blog.gerhards.net/2008/04/on-unreliability-of-plain-tcp-syslog.html