分类: 系统运维
2008-12-17 22:04:06
# # Syslog-ng configuration file. Originally written by anonymous (I can't find # his name) Revised, and rewrited by me (SZALAY Attila) # revised again by Nate Campi ############################################################### # First, set some global options. options { # use_fqdn(yes); # use_dns(yes); # dns_cache(yes); keep_hostname(yes); long_hostnames(off); sync(1); log_fifo_size(1024); }; ############################################################### # # This is the default behavior of sysklogd package # Logs may come from unix stream, but not from another machine. # #source src { unix-stream("/dev/log"); internal(); }; source src { # don't read from /proc/kmsg and run klogd also (Linux) pipe("/proc/kmsg"); # file("/proc/kmsg") log_prefix("kernel: "); unix-stream("/dev/log"); # unix-stream("/chroot/named/dev/log"); internal(); udp(); # udp(ip("10.0.5.8") port(514)); tcp(port(5140) keep-alive(yes)); # tcp(ip("10.9.9.3") port(5140) keep-alive(yes)); }; ############################################################### # After that set destinations. # First some standard logfile # destination authlog { file("/var/log/auth.log"); }; destination syslog { file("/var/log/syslog"); }; destination cron { file("/var/log/cron.log"); }; destination daemon { file("/var/log/daemon.log"); }; destination kern { file("/var/log/kern.log"); }; destination lpr { file("/var/log/lpr.log"); }; destination user { file("/var/log/user.log"); }; destination uucp { file("/var/log/uucp.log"); }; # This files are the log come from the mail subsystem. # destination mail { file("/var/log/mail.log"); }; destination maillog { file("/var/log/maillog"); }; destination mailinfo { file("/var/log/mail.info"); }; destination mailwarn { file("/var/log/mail.warn"); }; destination mailerr { file("/var/log/mail.err"); }; # Logging for INN news system # destination newscrit { file("/var/log/news/news.crit"); }; destination newserr { file("/var/log/news/news.err"); }; destination newsnotice { file("/var/log/news/news.notice"); }; # Some `catch-all' logfiles. # destination debug { file("/var/log/debug"); }; destination messages { file("/var/log/messages"); }; # The root's console. # destination console { usertty("root"); }; # Virtual console. # destination console_all { file("/dev/tty8"); }; # The named pipe /dev/xconsole is for the nsole' utility. To use it, # you must invoke nsole' with the -file' option: # # $ xconsole -file /dev/xconsole [...] # destination xconsole { pipe("/dev/xconsole"); }; # # scripts that accept syslog messages and mail them out # destination mail-alert { program("/usr/local/bin/syslog-mail"); }; destination mail-alert-perl { program("/usr/local/bin/syslog-mail-perl"); }; # # hack to get swatch to read from stdin # destination swatch { program("/usr/bin/swatch --read-pipe=\"cat /dev/fd/0\""); }; # # destination database # destination sqlsyslogd { program("/usr/local/sbin/sqlsyslogd -u sqlsyslogd -t logs sqlsyslogd -p"); }; ########################################## # Here's the filter options. With this rules, we can set which # message go where. filter f_attack_alert { match("attackalert"); }; filter f_ssh_login_attempt { program("sshd.*") and match("(Failed|Accepted)") and not match("Accepted (hostbased|publickey) for (root|zoneaxfr) from (10.4.3.1)"); }; filter f_authpriv { facility(auth, authpriv); }; filter f_syslog { not facility(auth, authpriv) and not facility(mail); }; filter f_cron { facility(cron); }; filter f_daemon { facility(daemon); }; filter f_kern { facility(kern); }; filter f_lpr { facility(lpr); }; filter f_mail { facility(mail); }; filter f_user { facility(user); }; filter f_uucp { facility(cron); }; filter f_news { facility(news); }; filter f_debug { not facility(auth, authpriv, news, mail); }; filter f_messages { level(info .. warn) and not facility(auth, authpriv, cron, daemon, mail, news); }; filter f_emergency { level(emerg); }; filter f_info { level(info); }; filter f_notice { level(notice); }; filter f_warn { level(warn); }; filter f_crit { level(crit); }; filter f_err { level(err); }; filter f_cnews { level(notice, err, crit) and facility(news); }; filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); }; ############################################################### # # log statements actually send logs somewhere, to a file, across the network, etc # #log { source(src); filter(f_authpriv); destination(authlog); }; log { source(src); filter(f_authpriv); destination(syslog); }; log { source(src); filter(f_syslog); destination(syslog); }; #log { source(src); filter(f_cron); destination(cron); }; #log { source(src); filter(f_daemon); destination(daemon); }; log { source(src); filter(f_daemon); destination(messages); }; #log { source(src); filter(f_kern); destination(kern); }; log { source(src); filter(f_kern); destination(messages); }; log { source(src); filter(f_lpr); destination(lpr); }; log { source(src); filter(f_mail); destination(mail); }; #log { source(src); filter(f_user); destination(user); }; log { source(src); filter(f_user); destination(messages); }; log { source(src); filter(f_uucp); destination(uucp); }; log { source(src); filter(f_mail); destination(maillog); }; log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); }; log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); }; log { source(src); filter(f_mail); filter(f_err); destination(mailerr); }; log { source(src); filter(f_news); filter(f_crit); destination(newscrit); }; log { source(src); filter(f_news); filter(f_err); destination(newserr); }; log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); }; #log { source(src); filter(f_debug); destination(debug); }; log { source(src); filter(f_messages); destination(messages); }; log { source(src); filter(f_emergency); destination(console); }; #log { source(src); filter(f_cnews); destination(console_all); }; #log { source(src); filter(f_cother); destination(console_all); }; log { source(src); filter(f_cnews); destination(xconsole); }; log { source(src); filter(f_cother); destination(xconsole); }; # slap it into a MySQL database log { source(src); destination(sqlsyslogd); }; # find messages with "attackalert" in them, and send to the mail-alert script log { source(src); filter(f_attack_alert); destination(mail-alert-perl); }; # find messages reporting attempted ssh logins, and send to the mail-alert script log { source(src); filter(f_ssh_login_attempt); destination(mail-alert-perl); }; # send all logs to swatch for (near) real-time alerts log { source(src); destination(swatch); }; ## set up logging to loghost #destination loghost { # tcp("10.0.0.1" port(514)); #}; # send everything to loghost, too #log { # source(src); # destination(loghost); #}; # # automatic host sorting (usually used on a loghost) # # set it up destination std { file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$HOST_$YEAR_$MONTH_$DAY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes) ); }; # log it log { source(src); destination(std); }; ###############################################################