[root@Kevin syslog-ng]# vim syslog-ng.conf --- this file was already covered separately in a previous article
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# 20090105
filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and not (facility(mail) or facility(authpriv) or facility(cron) or program("kernel")); };
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
local7.* @172.16.16.18
The lines marked with @ are the ones that send logs to the log server, for example:
cron.* @172.16.16.18
This line sends the cron logs to the log server at 172.16.16.18.
I did not change the original configuration, so the logs are still written locally as before, which makes them easy to check.
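As an added example (not code from the original post), a small Python parser for the syslog.conf-style selector lines shown above, so the forwarding rules can be audited offline: it reports which remote hosts (the `@host` actions) would receive a message of a given facility and level. The sample configuration is constructed from the lines quoted above; the `=` and `!` level prefixes of sysklogd are not handled.

```python
import re

# syslog(3) priority levels, lowest number = most severe
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_NUM = {name: i for i, name in enumerate(LEVELS)}
LEVEL_NUM.update({"panic": 0, "error": 3, "warn": 4})  # legacy aliases

def parse_syslog_conf(text):
    """Return a list of (selectors, action) tuples from syslog.conf text.

    selectors is a list of (facility, level) pairs, where facility may be "*"
    and level may be "*" or "none"; action is the right-hand column, e.g.
    "/var/log/spooler" or "@172.16.16.18".
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        selector_field, action = re.split(r"\s+", line, maxsplit=1)
        selectors = []
        for sel in selector_field.split(";"):
            facilities, level = sel.rsplit(".", 1)  # "uucp,news.crit"
            for fac in facilities.split(","):
                selectors.append((fac, level))
        rules.append((selectors, action))
    return rules

def matches(selectors, facility, level):
    """True if a message with this facility/level is selected (".crit" = crit and higher)."""
    selected = False
    for fac, lvl in selectors:
        if fac != "*" and fac != facility:
            continue
        if lvl == "none":
            selected = False  # explicit exclusion overrides earlier selectors
        elif lvl == "*" or LEVEL_NUM[level] <= LEVEL_NUM[lvl]:
            selected = True
    return selected

def remote_destinations(text, facility, level):
    """Hosts (the '@host' actions) that would receive a message of this facility/level."""
    return sorted({action[1:] for selectors, action in parse_syslog_conf(text)
                   if action.startswith("@") and matches(selectors, facility, level)})

# Constructed sample, based on the lines quoted in the post.
SAMPLE_CONF = """
uucp,news.crit   /var/log/spooler
local7.*         /var/log/boot.log
local7.*         @172.16.16.18
cron.*           @172.16.16.18
"""
```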
After finishing the configuration, restart the syslog service:
[root@Kevin syslog-ng]# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
The following network configuration parameters of the SNARE unit is set to the following values:
Override detected DNS Name with:
Destination Snare Server address
Destination Port
Perform a scan of ALL objectives, and display the maximum criticality?
Allow SNARE to automatically set audit configuration?
Allow SNARE to automatically set file audit configuration?
Export Snare Log data to a file?
Enable active USB auditing? (This option requires the service to be fully restarted)
Enable SYSLOG Header?
SYSLOG Facility
SYSLOG Priority
Destination Snare Server address --- this is the IP address of the log server. Normally an IP is used rather than a domain name, in case the name cannot be resolved.
Destination Port --- this is the port of the log server; the default is usually 514.
Allow SNARE to automatically set audit configuration?
Allow SNARE to automatically set file audit configuration?
These two are checked by default.
Enable SYSLOG Header?
SYSLOG Facility
SYSLOG Priority
Enable Syslog Header is usually checked. The two settings below it are set according to your needs.
After the settings are done, click Change Configuration below to apply the configuration.
There is one more important setting: deciding which kinds of logs get sent to the log server.
Then click on the left: , as shown below:
SNARE Filtering Objectives Configuration
The following filtering objectives of the SNARE unit are active:
| Criticality | Event ID Include/Exclude | Event ID Match | User Include/Exclude | User Match | General Match | Return | Event Src |
|---|---|---|---|---|---|---|---|
| Information | Include | Logon_Logoff | Include | * | * | Success Failure Error Information Warning | Security |
| Clear | Include | Process_Events | Include | * | cmd.exe | Success Failure Error Information Warning | Security |
| Warning | Include | User_Group_Management_Events | Include | * | * | Success Failure Error Information Warning | Security |
| Information | Include | Reboot_Events | Include | * | | Success Failure | Security |
| Priority | Include | Security_Policy_Events | Include | * | | Success Failure Error Information Warning | Security |
| Information | Include | * | Include | * | | Success Failure Error Information Warning | System Application |
How you change these depends on your own requirements, so I will not go into it here.
After everything is done, remember to click on the left: to apply all the configuration!
Of course Snare has other features, such as remote control of the agent software; explore them yourself, haha.
3. Firewall configuration
On the log server, iptables must allow port 514 through; otherwise the server cannot receive the log messages from the clients.
Add two rules, as follows:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state -m udp --dport 514 --state NEW -j ACCEPT