Chinaunix首页 | 论坛 | 博客
  • 博客访问: 383939
  • 博文数量: 87
  • 博客积分: 2810
  • 博客等级: 少校
  • 技术积分: 825
  • 用 户 组: 普通用户
  • 注册时间: 2008-10-28 22:34
文章分类

全部博文(87)

文章存档

2010年(25)

2009年(43)

2008年(19)

分类: 系统运维

2008-12-17 22:04:06

#
# Syslog-ng configuration file. Originally written by anonymous (I can't find
# his name) Revised, and rewrited by me (SZALAY Attila )
# revised again by Nate Campi 

###############################################################
# First, set some global options.

options { 
#	use_fqdn(yes); 
#	use_dns(yes); 
#	dns_cache(yes); 
	keep_hostname(yes); 
	long_hostnames(off); 
	sync(1); 
	log_fifo_size(1024); 
};

###############################################################
#
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
#source src { unix-stream("/dev/log"); internal(); };


source src { 
#	don't read from /proc/kmsg and run klogd also (Linux)
	pipe("/proc/kmsg"); 
#	file("/proc/kmsg") log_prefix("kernel: "); 
	unix-stream("/dev/log"); 
#	unix-stream("/chroot/named/dev/log"); 
	internal(); 
	udp();
#	udp(ip("10.0.5.8") port(514)); 
	tcp(port(5140) keep-alive(yes)); 
#	tcp(ip("10.9.9.3") port(5140) keep-alive(yes)); 
};


###############################################################
# After that set destinations.

# First some standard logfile
#
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };


# This files are the log come from the mail subsystem.
#
destination mail { file("/var/log/mail.log"); };
destination maillog { file("/var/log/maillog"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };

# Logging for INN news system
#
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };

# Some `catch-all' logfiles.
#
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };

# The root's console.
#
destination console { usertty("root"); };

# Virtual console.
#
destination console_all { file("/dev/tty8"); };

# The named pipe /dev/xconsole is for the nsole' utility.  To use it,
# you must invoke nsole' with the -file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
destination xconsole { pipe("/dev/xconsole"); };

#
# scripts that accept syslog messages and mail them out
#
destination mail-alert { program("/usr/local/bin/syslog-mail"); };
destination mail-alert-perl { program("/usr/local/bin/syslog-mail-perl"); };

#
# hack to get swatch to read from stdin
#
destination swatch { program("/usr/bin/swatch --read-pipe=\"cat /dev/fd/0\""); };

#
# destination database
#
destination sqlsyslogd { 
	program("/usr/local/sbin/sqlsyslogd -u sqlsyslogd -t logs sqlsyslogd -p"); 
};

##########################################

# Here's the filter options. With this rules, we can set which 
# message go where.

filter f_attack_alert { 
	match("attackalert"); 
};

filter f_ssh_login_attempt { 
	program("sshd.*") 
	and match("(Failed|Accepted)") 
	and not match("Accepted (hostbased|publickey) for (root|zoneaxfr) from (10.4.3.1)"); 
};

filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(cron); };

filter f_news { facility(news); };

filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn) 
	and not facility(auth, authpriv, cron, daemon, mail, news); };
filter f_emergency { level(emerg); };

filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };

###############################################################
#
# log statements actually send logs somewhere, to a file, across the network, etc
#

#log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_authpriv); destination(syslog); };
log { source(src); filter(f_syslog); destination(syslog); };
#log { source(src); filter(f_cron); destination(cron); };
#log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_daemon); destination(messages); };
#log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_kern); destination(messages); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
#log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_user); destination(messages); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); destination(maillog); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
#log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };

#log { source(src); filter(f_cnews); destination(console_all); };
#log { source(src); filter(f_cother); destination(console_all); };

log { source(src); filter(f_cnews); destination(xconsole); };
log { source(src); filter(f_cother); destination(xconsole); };


# slap it into a MySQL database
log { 
	source(src); 
	destination(sqlsyslogd); 
};

# find messages with "attackalert" in them, and send to the mail-alert script
log { 
	source(src); 
	filter(f_attack_alert); 
	destination(mail-alert-perl); 
};

# find messages reporting attempted ssh logins, and send to the mail-alert script
log { 
	source(src); 
	filter(f_ssh_login_attempt); 
	destination(mail-alert-perl); 
};

# send all logs to swatch for (near) real-time alerts
log { 
	source(src); 
	destination(swatch); 
};


## set up logging to loghost
#destination loghost {
#	tcp("10.0.0.1" port(514));
#};

# send everything to loghost, too
#log { 
#	source(src); 
#	destination(loghost); 
#};

#
# automatic host sorting (usually used on a loghost)
#

# set it up
destination std { 
	file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$HOST_$YEAR_$MONTH_$DAY" 
		owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
	); 
};

# log it
log { 
	source(src); 
	destination(std); 
};

###############################################################
阅读(1073) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~