Configuring Syslog-ng on Ubuntu
Syslog-ng is a replacement for the default syslog daemon that ships with most Linux distributions. Its advantages are a configuration that is easier to understand and a number of features that help the sysadmin, especially in complex environments.
Let's say we have a RADIUS environment that can send authentication and accounting information via syslog to external devices, and let's assume that a relevant part of this syslog information is needed by one department within a large corporation.
Installing syslog-ng (on Ubuntu) is done by the following command:
# sudo apt-get install syslog-ng
Through syslog-ng we can store and/or forward syslog information based on, among other things:
- source IP address
- destination IP address
- syslog level
- content of the original syslog message, using regular expressions.
All this can be configured in the /etc/syslog-ng/syslog-ng.conf file.
- first, the UDP listener needs to be enabled;
- second, the destinations need to be configured; in this case a local file and a remote syslog server;
- third, a filter that identifies which information needs to be captured/forwarded;
- and fourth, a log rule that ties the first three items together and does the actual work.
The following entries are added to the default configuration file, each in its appropriate section:
Adding the UDP listener, listening on all configured IP addresses and the default syslog port (514):
# Listening to incoming UDP Syslog connections
source s_udp { udp(); };
Add the syslog targets:
destination d_abc { file("/var/log/abc$YEAR$MONTH$R_DAY.log"); };
destination d_splunk { udp("1.2.3.4" port(514)); };
Create the filter that determines what to do with a received syslog message:
filter f_s_xyz { ( host("2.3.4.5") and level(notice) and match("username=.*@domain\.local" value("MESSAGE") flags("utf8" "ignore-case")) ); };
And putting it all together:
log { source(s_udp); filter(f_s_xyz); destination(d_abc); destination(d_splunk); };
This does the following: a syslog message received on the s_udp listener that was sent by host 2.3.4.5, has the syslog level notice, and matches the regular expression username=.*@domain\.local (case insensitive!!!) is forwarded to both destinations (d_abc and d_splunk). All three conditions must hold; a message that fails any one of them is not written to the file or forwarded.
As you might imagine, the variations on this are numerous.
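To see what the filter above actually lets through, here is an added Python emulation (not part of the original post or of syslog-ng itself) that applies the same three conditions to a few constructed RFC 3164 datagrams. The hosts, user names and domain are hypothetical sample values, and the host check assumes syslog-ng's HOST field holds the hostname from the message header.

```python
import re

# Constructed RFC 3164 datagrams, as the s_udp listener would receive them.
# PRI = facility*8 + severity; 85 = authpriv.notice, 86 = authpriv.info.
# Hosts, user names and the domain are hypothetical sample values.
SAMPLES = [
    "<85>Jan 10 12:00:01 2.3.4.5 radiusd[123]: Login OK: username=Alice@Domain.Local",  # all three conditions hold
    "<86>Jan 10 12:00:02 2.3.4.5 radiusd[123]: Login OK: username=bob@domain.local",    # level info, not notice
    "<85>Jan 10 12:00:03 9.9.9.9 radiusd[123]: Login OK: username=carol@domain.local",  # wrong sending host
    "<85>Jan 10 12:00:04 2.3.4.5 radiusd[123]: Login OK: username=dave@other.example",  # regex does not match
    "<85>Jan 10 12:00:05 2.3.4.5 radiusd[123]: Login OK: username=eve@domainXlocal",    # the escaped dot matters
]

HEADER_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
PROGRAM_RE = re.compile(r"^([\w.\-/]+)(?:\[(\d+)\])?: ?(.*)$", re.S)
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}
# match("username=.*@domain\.local" value("MESSAGE") flags("ignore-case"))
USER_RE = re.compile(r"username=.*@domain\.local", re.IGNORECASE)


def parse_rfc3164(datagram):
    """Split a datagram into the fields syslog-ng exposes as HOST, PROGRAM, PID and MESSAGE."""
    m = HEADER_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    p = PROGRAM_RE.match(m.group(4))
    program, pid, message = (p.group(1), p.group(2), p.group(3)) if p else ("", None, m.group(4))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "host": m.group(3), "program": program, "pid": pid, "message": message}


def f_s_xyz(msg):
    """The filter from the post: host("2.3.4.5") and level(notice) and the case-insensitive regex on MESSAGE."""
    return (msg["host"] == "2.3.4.5"
            and msg["severity"] == LEVELS["notice"]
            and USER_RE.search(msg["message"]) is not None)


def route(datagrams):
    """Emulate the log {} statement: the messages that would reach both d_abc and d_splunk."""
    return [msg for msg in map(parse_rfc3164, datagrams) if msg and f_s_xyz(msg)]


if __name__ == "__main__":
    for d in SAMPLES:
        msg = parse_rfc3164(d)
        print("FORWARD" if msg and f_s_xyz(msg) else "drop   ", d)
```

Only the first sample is forwarded; the last one shows why the dot in domain\.local has to be escaped, since an unescaped dot would also accept "domainXlocal".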
More on the subject can be found in the document library of the creators of this syslog-ng daemon.
Reader Comments (1)
What's the difference between a syslog-ng filter and a parser? I am trying to parse something coming to syslog-ng from a different host and use that string in the destination field to create a directory, but it prohibits syslog-ng from starting? I am using it like this:
parser p_service_name { @QSTRING:teststring:{}@ };
This is line 124, and when I start syslog-ng, this is what I get:
Starting system logging: syslog-ngsyntax error in /etc/syslog-ng/syslog-ng.conf at line 124