Thursday, April 10, 2008

Configuring syslog server on debian

If, like me, you want a single log server that gathers the logs from your firewall, router, servers and so on, this is how I set one up.

I am running Debian (lenny; this should work fine in etch too) with syslog-ng installed in place of the older sysklogd package. syslog-ng is the next-generation log daemon with added features, most noticeably in log filtering. But all I wanted was to start collecting the logs from my Netscreen firewall, so this is what I did.

Installed the necessary packages using apt:
apt-get install syslog-ng syslog-summary

(I have yet to try out syslog-summary.)

Added the following to the syslog-ng configuration file (/etc/syslog-ng/syslog-ng.conf).

In the source s_all { }, uncommented "udp();". Be aware that this makes syslog-ng accept UDP syslog on port 514 from any address, and UDP syslog is neither authenticated nor hard to spoof, so port 514/udp should be reachable only from the firewall (an iptables rule on the log server, or a separate udp() source with ip() bound to the address the firewall talks to).

Under the default destinations, added "destination df_netscreen { file("/var/log/netscreen.log"); };"

Under the default filters, added "filter f_netscreen { facility(LOCAL0); };"

Added to the end of the configuration file the meat of the new log entry:

log { source(s_all); filter(f_netscreen); destination(df_netscreen); };

And then restarted the syslog-ng service.
sudo /etc/init.d/syslog-ng restart

That much did the main work of setting up the log server. Two quick checks: "netstat -ulnp | grep 514" should show syslog-ng listening, and since s_all also reads /dev/log, "logger -p local0.info test" run on the server itself should show up in /var/log/netscreen.log.

"f_netscreen" & "df_netscreen"

These are mere identifiers; since I am setting this up to collect my Juniper Netscreen25 logs, I named them "*netscreen*".

"LOCAL0"

This is the log facility I configured on the Juniper Netscreen25 for sending its logs to the newly set up log server; hence "LOCAL0" appears in the facility() filter. syslog has eight local-use facilities (local0 to local7), so giving each remote device its own facility lets each one get its own filter and its own file.
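As an added example, not from the original post, here is a tightened version of the same netscreen log path for /etc/syslog-ng/syslog-ng.conf. It assumes, as placeholders to be adjusted, that the log server's firewall-facing address is 192.0.2.10 and that the Netscreen sends from 192.0.2.1. Instead of uncommenting udp() in s_all it binds a dedicated UDP source to that one address, restricts the filter to the firewall's subnet, makes the log file readable only by root and the adm group, and uses flags(final) so the remote lines do not also land in /var/log/syslog and /var/log/messages through the default catch-all statements.

```conf
# Added example (not from the original post). Placeholder addresses:
# 192.0.2.10 is the log server's firewall-facing interface,
# 192.0.2.0/24 is the subnet the Netscreen (192.0.2.1) sends from.

# Dedicated network source: bind only to the firewall-facing address,
# not to 0.0.0.0 as a bare udp() in s_all would.
source s_net {
    udp(ip(192.0.2.10) port(514));
};

# Accept local0 only from the firewall's subnet. netmask() checks the
# address the datagram actually came from, not the HOST field in the
# message. UDP syslog is unauthenticated and the source address can be
# spoofed, so this is a sanity filter, not a security boundary; still
# block 514/udp from everywhere else with iptables.
filter f_netscreen {
    facility(local0) and netmask(192.0.2.0/255.255.255.0);
};

# Firewall logs reveal the network layout: not world-readable.
destination df_netscreen {
    file("/var/log/netscreen.log" owner(root) group(adm) perm(0640));
};

# flags(final) stops a matched message from being processed by the log
# statements that follow, so this block must come before the default
# df_syslog / df_messages statements in the file.
log {
    source(s_net);
    filter(f_netscreen);
    destination(df_netscreen);
    flags(final);
};
```

Because the source here is s_net rather than s_all, a local "logger -p local0.info test" will not appear in this file; test from a host on that subnet instead, for example printf '<134>test message\n' | nc -u 192.0.2.10 514, where <134> is the syslog priority for local0.info (facility 16 times 8, plus severity 6). After editing, "syslog-ng -s" checks the configuration syntax before you restart.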

Since my firewall log grows madly, I had to set up logrotate to save my computer from running out of space. Adding a file called "netscreen" in the "/etc/logrotate.d" folder with the contents below did the magic for me.
/var/log/netscreen.log {
  rotate 6
  weekly
  compress
  delaycompress
  missingok
  notifempty
  # syslog-ng keeps the file open, so make it reopen after the rename
  postrotate
    /etc/init.d/syslog-ng reload >/dev/null
  endscript
}

This rotates my firewall log weekly and keeps six old copies before the oldest is deleted. The postrotate reload matters: syslog-ng holds the file open and does not notice the rename, so without it the daemon keeps writing into netscreen.log.1, and once compress has gzipped and removed that file everything written afterwards goes into a deleted inode and is lost. delaycompress leaves the newest copy uncompressed until the next rotation as a further safety net. Read "man logrotate" for more detail. There is no need to restart cron for this; logrotate is run from /etc/cron.daily. To check a new configuration without rotating anything, run "logrotate -d /etc/logrotate.d/netscreen".

update (2008-04-11): Adding the remote log facility "LOCAL0" to the "not" list of the "f_messages" filter stops the remote logs from also accumulating in "/var/log/messages" (the addition is the LOCAL0 entry below).
filter f_messages {
        level(info,notice,warn)
            and not facility(LOCAL0,auth,authpriv,cron,daemon,mail,news);
};

The same lines still match the other catch-all statements in the Debian default configuration, in particular f_syslog for "/var/log/syslog", which excludes only auth and authpriv; either exclude LOCAL0 there as well, or give the netscreen log statement flags(final) and place it before the other log statements.

Most importantly, by default syslog-ng does not seem to enable the cron log. I only found this out when I wanted to check why logrotate had not worked. I had to uncomment the line below in "/etc/syslog-ng/syslog-ng.conf".
#log { source(s_all); filter(f_cron); destination(df_cron); };

3 comments:

braincrapped said...

If you are running Lenny, you'd want to check out rsyslog:

http://packages.debian.org/lenny/rsyslog

Edi Stojicevic said...

There is a discussion also between DD about integration of rsyslog for Lenny ;)

kryptoz said...

Braincrapped, Edi,
I will definitely give rsyslog a try. A first read of the package home page shows it has all the features of syslog-ng; I have yet to go deeper and find out what additional features rsyslog offers.

Thank you so much for the link !