====== Syslog-ng (ng = next generation) ======

[[http://mewbies.com/how_to_log_users_using_syslog-ng_tutorial.htm|mewbies.com]] Last update on 06 Aug '10

[[http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/|site]], [[http://linux.die.net/man/8/syslog-ng|man page]], [[http://www.campin.net/syslog-ng/faq.html|FAQ]].

This is not just used to log users; it is a replacement for your syslog. From the syslog-ng information: "The application can operate in server or agent mode, and - apart from UDP - supports the reliable TCP and the encrypted TLS protocols. That way **syslog-ng** can be used to create flexible and reliable logging infrastructure even in heterogeneous environments. **syslog-ng** reads and logs messages to the system console, log files, other machines and/or users as specified by its configuration file."

Note that syslog-ng is a logger only. It does not report. It is up to you to use a method to parse/view your logs. Find a list of a variety of log analysis programs to help you do this under my tutorial section 'LOG ANALYZERS-PARSERS'. Syslog-ng messages can be piped into a MySQL database for a beautiful web based graphical interface using LogZilla (formerly php-syslog-ng, tutorial HERE), or using Splunk (tutorial HERE).

===== INSTALL: =====

View [[http://www.campin.net/syslog-ng/chroot-jail.html|HERE]], or [[http://eagain.net/articles/syslog-ng-chroot/|HERE]] if you want to install in a chroot jail, otherwise:

<code>
su
aptitude update
aptitude install syslog-ng
y
</code>

Output will be similar to:

<code>
[snip]
The following NEW packages will be installed:
  libevtlog0{a} syslog-ng
The following packages will be REMOVED:
  klogd{a} sysklogd{a}
[snip]
Removing klogd ...
Stopping kernel log daemon....
Removing sysklogd ...
Stopping system log daemon....
[snip]
Setting up libevtlog0 (0.2.8~1-2) ...
Setting up syslog-ng (2.0.9-4.1) ...
Starting system logging: syslog-ng.
[snip]
</code>

Note that both sysklogd and klogd are removed: syslog-ng takes over the kernel log as well as the system log (the Debian default configuration reads /proc/kmsg itself). Confirm the daemon is running:

<code>
ps x
13395 ?        Ss     0:00 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
</code>

Syslog-ng is installed with its init script enabled for runlevels 2-5, so it starts again after a reboot; you need not set that manually. If you like to view its settings:

<code>
sysv-rc-conf
</code>

It will have this:

<code>
syslog-ng    [ ]  [X]  [X]  [X]  [X]  [ ]  [ ]  [ ]
</code>

Syslog-ng is highly configurable. It can alert you, apply filters, send the same message to multiple destinations (for example a second server, so that an intruder who gets root on this host cannot quietly edit or delete the only copy of the logs; that only helps if the copy travels over TCP or TLS rather than UDP and the second server is secured separately), log or not log particular programs, log per host, and so on. View HERE for all syslog-ng.conf default settings in an easy to view format. There are many other settings you can add to suit your needs.

===== FILES: =====

Default configuration file is here; read it and make changes to suit your needs:

<code>
cat /etc/syslog-ng/syslog-ng.conf
</code>

Variables for the init script (such as extra command-line options for the daemon) can also be set here:

<code>
cat /etc/default/syslog-ng
</code>

Process ID:

<code>
cat /var/run/syslog-ng.pid
</code>

Log:

<code>
/var/log/syslog
</code>

And of course it now takes over writing the normal syslog logs:

<code>
/var/log/auth.log
/var/log/daemon.log
/var/log/debug
/var/log/kern.log
/var/log/mail.err
/var/log/mail.log
/var/log/messages
/var/log/user.log
/var/log/uucp.log
</code>

===== COMMANDS: =====

<code>
man syslog-ng
</code>

To restart syslog-ng:

<code>
/etc/init.d/syslog-ng restart
</code>

===== CRON LOGS: =====

A feature of syslog-ng is that you can have your cron jobs log to a separate file, instead of mixing with the other logs.
To enable this feature:

<code>
pico /etc/syslog-ng/syslog-ng.conf
</code>

Has this:

<code>
# this is commented out in the default syslog.conf
# cron.*                          /var/log/cron.log
#log {
#        source(s_all);
#        filter(f_cron);
#        destination(df_cron);
#};
</code>

Change to:

<code>
# this is commented out in the default syslog.conf
# cron.*                          /var/log/cron.log
log {
        source(s_all);
        filter(f_cron);
        destination(df_cron);
};
</code>

(f_cron and df_cron are already defined further up in the default file: a filter matching the cron facility and a file destination for /var/log/cron.log. The default log statement that feeds /var/log/syslog still matches cron messages, so each cron line will appear in both files.)

<code>
/etc/init.d/syslog-ng restart
</code>

Wait until a cron job has run, then you'll have the file 'cron.log':

<code>
ls -al /var/log/cron*
cat /var/log/cron.log
</code>

syslog-ng will rotate cron.log as well; you needn't do anything, it's already listed in its rotation script:

<code>
cat /etc/logrotate.d/syslog-ng
</code>

===== LOG ROTATION TROUBLESHOOTING NOTE: =====

Syslog-ng installs its own logrotate script. IF you have previously set up custom settings for any of your standard Debian logs, check whether syslog-ng has also created a stanza for any of these logs here:

<code>
cat /etc/logrotate.d/syslog-ng
</code>

For example, I had added my own settings for auth.log and then, after installing syslog-ng, I noticed root had received e-mails stating:

<code>
/etc/cron.daily/logrotate:
error: /etc/logrotate.conf:41 duplicate log entry for /var/log/auth.log
run-parts: /etc/cron.daily/logrotate exited with return code 1
</code>

logrotate treats a log path that appears in two stanzas as a configuration error and exits non-zero, so don't just ignore the mail: until the duplicate is removed, check which logs are actually still being rotated. To find the culprit of this error I did:

<code>
grep -r auth.log /etc/*
</code>

which showed that syslog-ng had this file listed in its rotation.

So then I removed my custom settings (from /etc/logrotate.conf) and added them to the syslog-ng rotation settings instead:

<code>
pico /etc/logrotate.d/syslog-ng
</code>

Has this:

<code>
/var/log/auth.log {
        rotate 4
        missingok
        notifempty
        weekly
        compress
}
</code>

I changed it to:

<code>
/var/log/auth.log {
        rotate 3
        notifempty
        daily
        delaycompress
        compress
        create 640 root adm
        mailfirst
        mail my_email@gmail.com
}
</code>

''create 640 root adm'' recreates auth.log after each rotation readable only by root and the adm group (it records every login attempt, so keep it unreadable by ordinary users), ''delaycompress'' leaves the most recent rotated file uncompressed, and ''mailfirst'' mails the freshly rotated file rather than the one about to be deleted. Bear in mind that this sends your authentication log, usernames and source addresses included, in plain text to an external mailbox through whatever mail path sendmail uses; if that is not acceptable, drop the two mail lines and copy the logs off the host by other means.

Then restart syslog-ng:

<code>
/etc/init.d/syslog-ng restart
</code>

If you want to test log rotation without actually rotating anything (with --debug logrotate only prints what it would do):

<code>
logrotate --debug --force /etc/logrotate.d/syslog-ng
</code>

You might see an error stating no such file; nothing was rotated in debug mode, so there is no auth.log.1.gz to mail yet:

<code>
[snip]
error: failed to open /var/log/auth.log.1.gz for mailing: No such file or directory
[snip]
</code>

Then to rotate manually:

<code>
logrotate --force -v /etc/logrotate.d/syslog-ng
</code>

This might also produce an error IF auth.log has grown larger than your e-mail client is set up to send (that is, IF you have set it up to be e-mailed out):

<code>
[snip]
Can't send mail: sendmail process failed with error code 1
[snip]
</code>

So I just ran the manual rotation one more time to make sure all worked now that the size was down (the rotation had created a new, empty file):

<code>
logrotate --force -v /etc/logrotate.d/syslog-ng
</code>

I received my e-mail again, and noticed that because the earlier rotation had used different settings it had left two stragglers from 10 days previous (when the error started). The ''.0'' name is what the old sysklogd cron job produced (it used savelog, not logrotate), and the syslog-ng stanza does not know about files it did not create, so they sit there until you deal with them by hand:

<code>
ls -al /var/log
1 root adm    5305 2010-07-28 11:00 auth.log
1 root adm   36891 2010-07-18 06:47 auth.log.0
1 root adm    4561 2010-07-28 10:59 auth.log.1
1 root adm 1292972 2010-07-18 06:25 auth.log.2
1 root adm    3775 2010-07-28 10:57 auth.log.2.gz
1 root adm     508 2010-07-28 10:24 auth.log.3.gz
</code>

Or you might have received the error:

<code>
old log /var/log/auth.log.0.gz does not exist
</code>

So then I did (the ''y'' answers gzip's prompt about overwriting the auth.log.2.gz that already existed):

<code>
gzip /var/log/auth.log.0
gzip /var/log/auth.log.2
y
logrotate --force -v /etc/logrotate.d/syslog-ng
</code>

And all is fine now:

<code>
ls -al /var/log/auth.*
</code>

Then download auth.log.2.gz if you need it for your records before it is rotated out.
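Pulling together two points made above, the remark in the configuration overview that logs can be sent to a second server so they cannot be tampered with, and the CRON LOGS section, here is an added example of the syslog-ng.conf statements involved. It is not taken from this tutorial or from the syslog-ng project. It assumes the source ''s_all'' that the Debian default file already defines; the collector name ''logs.example.internal'', port 6514 and the certificate paths are made-up values for the example. The ''tls()'' block needs syslog-ng 3.0 or later; the 2.0.9 package installed above understands ''tcp()'' but not ''tls()'', so on that version use the ''tcp()'' destination without the ''tls()'' part.

```conf
# ---- client side: the host you just installed syslog-ng on ----
# (added example; s_all comes from the Debian default syslog-ng.conf)

# CRON LOGS: the Debian default already defines these two. Shown here so
# the log{} statements below read on their own.
filter      f_cron  { facility(cron); };
destination df_cron { file("/var/log/cron.log"); };

# Weak setting, kept only for contrast: plain UDP. Nothing is
# retransmitted, nothing is encrypted, and anyone on the path can drop
# real lines or inject forged ones.
# destination d_remote { udp("logs.example.internal" port(514)); };

# Better: TCP inside TLS, verifying the collector's certificate against
# our own CA. ca_dir() must contain the CA certificates under their hash
# names (run c_rehash in that directory). Hostname, port and paths are
# assumptions for this example.
destination d_remote {
    tcp("logs.example.internal" port(6514)
        tls(
            ca_dir("/etc/syslog-ng/ca.d")
            key_file("/etc/syslog-ng/client.key")
            cert_file("/etc/syslog-ng/client.crt")
            peer_verify(required-trusted)
        )
    );
};

# log{} statements are evaluated in the order they appear, so:
# 1. copy everything off-box first...
log { source(s_all); destination(d_remote); };
# 2. ...then give cron its own local file. flags(final) marks the message
#    as handled, so the Debian default statement that feeds /var/log/syslog
#    (further down the file) no longer sees it and cron.log becomes the
#    only local copy. Swap the order of 1 and 2 and cron lines never reach
#    the collector; drop flags(final) to keep them in /var/log/syslog too.
log { source(s_all); filter(f_cron); destination(df_cron); flags(final); };

# ---- collector side: logs.example.internal ----
# Accept TLS only, require a client certificate signed by our CA, and keep
# one file per sending host and day; create_dirs(yes) lets syslog-ng make
# the per-host directories itself.
source s_tls_clients {
    tcp(ip(0.0.0.0) port(6514)
        tls(
            ca_dir("/etc/syslog-ng/ca.d")
            key_file("/etc/syslog-ng/server.key")
            cert_file("/etc/syslog-ng/server.crt")
            peer_verify(required-trusted)
        )
    );
};
destination d_per_host {
    file("/var/log/remote/$HOST/$YEAR$MONTH$DAY.log" create_dirs(yes));
};
log { source(s_tls_clients); destination(d_per_host); };
```

Check the syntax with ''syslog-ng -s'' before restarting on either side, then from the client run ''logger -p cron.info "cron test"'' and confirm the line turns up in /var/log/cron.log locally and in the collector's per-host file; if it is in cron.log but not on the collector, the two log{} statements are in the wrong order.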