User Tools
linux:syslog-ng
Differences
This shows you the differences between two versions of the page.
|
linux:syslog-ng [2013-02-12 12:13] kokkez created |
linux:syslog-ng [2013-02-12 12:30] (current) kokkez |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Syslog-ng (ng=next generation) == | ====== Syslog-ng (ng=next generation) == | ||
| - | site is HERE, man page HERE, FAQ is HERE. | + | [[http://mewbies.com/how_to_log_users_using_syslog-ng_tutorial.htm|mewbies.com]] |
| - | This is not just used to log users but a replacement to your syslog. From | + | Last update on 06 Aug '10 |
| - | the syslog-ng information: "The application can operate in server or agent | + | |
| - | mode, and - apart from UDP - supports the reliable TCP and the encrypted | + | |
| - | TLS protocols. That way syslog-ng can be used to create flexible and | + | |
| - | reliable logging infrastructure even in heterogeneous environments." | + | |
| - | "syslog-ng reads and logs messages to the system console, log files, other | + | |
| - | machines and/or users as specified by its configuration file." | + | |
| - | Note that syslog-ng is a logger only. It does not report. It is up to you | + | [[http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/|site]], |
| - | to use a method to parse/view your logs. Find a list of a variety of log | + | [[http://linux.die.net/man/8/syslog-ng|man page]], |
| - | analysis programs to help you do this under my tutorial section 'LOG | + | [[http://www.campin.net/syslog-ng/faq.html|FAQ]]. |
| - | ANALYZERS-PARSERS'. Syslog-ng messages can be piped into a MySQL data | + | |
| - | base for a beautiful web based graphical interface using LogZilla | + | |
| - | (formerly php-syslog-ng, tutorial HERE), or using Splunk, (tutorial HERE). | + | |
| - | INSTALL: | + | This is not just used to log users but a replacement to your syslog. |
| - | ```````` | + | From the syslog-ng information: |
| - | View HERE, or HERE if you want to install in chroot jail, otherwise: | + | |
| - | su | + | "The application can operate in server or agent mode, and - apart from UDP - supports the reliable TCP and the encrypted TLS protocols. That way **syslog-ng** can be used to create flexible and reliable logging infrastructure even in heterogeneous environments. **syslog-ng** reads and logs messages to the system console, log files, other machines and/or users as specified by its configuration file." |
| - | aptitude update | + | |
| - | aptitude install syslog-ng | + | Note that syslog-ng is a logger only. It does not report. It is up to you to use a method to parse/view your logs. Find a list of a variety of log analysis programs to help you do this under my tutorial section 'LOG |
| - | y | + | ANALYZERS-PARSERS'. Syslog-ng messages can be piped into a MySQL database for a beautiful web based graphical interface using LogZilla (formerly php-syslog-ng, tutorial HERE), or using Splunk, (tutorial HERE). |
| + | |||
| + | ===== INSTALL: == | ||
| + | |||
| + | View [[http://www.campin.net/syslog-ng/chroot-jail.html|HERE]], or [[http://eagain.net/articles/syslog-ng-chroot/|HERE]] if you want to install in chroot jail, otherwise: | ||
| + | su | ||
| + | aptitude update | ||
| + | aptitude install syslog-ng | ||
| + | y | ||
| Output will be similar to: | Output will be similar to: | ||
| - | [snip] | + | [snip] |
| - | The following NEW packages will be installed: | + | The following NEW packages will be installed: |
| - | libevtlog0{a} syslog-ng | + | libevtlog0{a} syslog-ng |
| - | The following packages will be REMOVED: | + | The following packages will be REMOVED: |
| - | klogd{a} sysklogd{a} | + | klogd{a} sysklogd{a} |
| - | [snip] | + | [snip] |
| - | Removing klogd ... | + | Removing klogd ... |
| - | Stopping kernel log daemon.... | + | Stopping kernel log daemon.... |
| - | Removing sysklogd ... | + | Removing sysklogd ... |
| - | Stopping system log daemon.... | + | Stopping system log daemon.... |
| - | [snip] | + | [snip] |
| - | Setting up libevtlog0 (0.2.8~1-2) ... | + | Setting up libevtlog0 (0.2.8~1-2) ... |
| - | Setting up syslog-ng (2.0.9-4.1) ... | + | Setting up syslog-ng (2.0.9-4.1) ... |
| - | Starting system logging: syslog-ng. | + | Starting system logging: syslog-ng. |
| - | [snip] | + | [snip] |
| + | |||
| + | ps x | ||
| + | 13395 ? Ss 0:00 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid | ||
| - | ps x | + | Syslog-ng will be installed with the service to run after reboot (2-5), you need not manually set it. |
| - | 13395 ? Ss 0:00 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid | + | If you like to view its settings: |
| + | sysv-rc-conf | ||
| - | Syslog-ng will be installed with the service to run after reboot (2-5), | ||
| - | you need not manually set it. If you like to view its settings: | ||
| - | sysv-rc-conf | ||
| It will have this: | It will have this: | ||
| - | syslog-ng [ ] [X] [X] [X] [X] [ ] [ ] [ ] | + | syslog-ng [ ] [X] [X] [X] [X] [ ] [ ] [ ] |
| - | Syslog-ng is highly configurable. Such things as alert you, filters, | + | Syslog-ng is highly configurable. Such things as alert you, filters, logging sent to multiple destinations such as another server to prevent tampering of the logs, log or not log x programs, log per host, etc. View HERE for all syslog-ng.conf default settings in an easy to view format. There are many other settings you can add to suit your needs. |
| - | logging sent to multiple destinations such as another server to prevent | + | |
| - | tampering of the logs, log or not log x programs, log per host, etc. View | + | ===== FILES: == |
| - | HERE for all syslog-ng.conf default settings in an easy to view format. | + | |
| - | There are many other settings you can add to suit your needs. | + | Default configuration file is here, read it, make changes to suit your needs: |
| + | cat /etc/syslog-ng/syslog-ng.conf | ||
| - | FILES: | ||
| - | `````` | ||
| - | Default configuration file is here, read it, make changes to suit your | ||
| - | needs: | ||
| - | cat /etc/syslog-ng/syslog-ng.conf | ||
| Can set variables here also: | Can set variables here also: | ||
| - | cat /etc/default/syslog-ng | + | cat /etc/default/syslog-ng |
| Process ID: | Process ID: | ||
| - | cat /var/run/syslog-ng.pid | + | cat /var/run/syslog-ng.pid |
| Log: | Log: | ||
| - | /var/log/syslog | + | /var/log/syslog |
| And of course it will now take over the writing the normal syslog logs: | And of course it will now take over the writing the normal syslog logs: | ||
| - | /var/log/auth.log | + | /var/log/auth.log |
| - | /var/log/daemon.log | + | /var/log/daemon.log |
| - | /var/log/debug | + | /var/log/debug |
| - | /var/log/kern.log | + | /var/log/kern.log |
| - | /var/log/mail.err | + | /var/log/mail.err |
| - | /var/log/mail.log | + | /var/log/mail.log |
| - | /var/log/messages | + | /var/log/messages |
| - | /var/log/user.log | + | /var/log/user.log |
| - | /var/log/uucp.log | + | /var/log/uucp.log |
| + | |||
| + | ===== COMMANDS: == | ||
| + | |||
| + | man syslog-ng | ||
| - | COMMANDS: | ||
| - | ````````` | ||
| - | man syslog-ng | ||
| To restart syslog-ng: | To restart syslog-ng: | ||
| - | /etc/init.d/syslog-ng restart | + | /etc/init.d/syslog-ng restart |
| + | |||
| + | ===== CRON LOGS: == | ||
| + | |||
| + | A feature of syslog-ng is that you can have your cron jobs log to a separate file, instead of mixing with the other logs. | ||
| + | To enable this feature: | ||
| + | pico /etc/syslog-ng/syslog-ng.conf | ||
| - | CRON LOGS: | ||
| - | `````````` | ||
| - | A feature of syslog-ng is that you can have your cron jobs log to a | ||
| - | separate file, instead of mixing with the other logs. To enable this | ||
| - | feature: | ||
| - | pico /etc/syslog-ng/syslog-ng.conf | ||
| Has this: | Has this: | ||
| - | # this is commented out in the default syslog.conf | + | # this is commented out in the default syslog.conf |
| - | # cron.* /var/log/cron.log | + | # cron.* /var/log/cron.log |
| - | #log { | + | #log { |
| - | # source(s_all); | + | # source(s_all); |
| - | # filter(f_cron); | + | # filter(f_cron); |
| - | # destination(df_cron); | + | # destination(df_cron); |
| - | #}; | + | #}; |
| Change to: | Change to: | ||
| - | # this is commented out in the default syslog.conf | + | # this is commented out in the default syslog.conf |
| - | # cron.* /var/log/cron.log | + | # cron.* /var/log/cron.log |
| - | log { | + | log { |
| - | source(s_all); | + | source(s_all); |
| - | filter(f_cron); | + | filter(f_cron); |
| - | destination(df_cron); | + | destination(df_cron); |
| - | }; | + | }; |
| - | /etc/init.d/syslog-ng restart | + | /etc/init.d/syslog-ng restart |
| Wait until a cron job has been run, then you'll have the file 'cron.log': | Wait until a cron job has been run, then you'll have the file 'cron.log': | ||
| - | ls -al /var/log/cron* | + | ls -al /var/log/cron* |
| - | cat /var/log/cron.log | + | cat /var/log/cron.log |
| syslog-ng will rotate cron.log as well, you needn't do anything, it's | syslog-ng will rotate cron.log as well, you needn't do anything, it's | ||
| Line 119: | Line 120: | ||
| cat /etc/logrotate.d/syslog-ng | cat /etc/logrotate.d/syslog-ng | ||
| - | LOG ROTATION TROUBLE SHOOTING NOTE: | + | ===== LOG ROTATION TROUBLE SHOOTING NOTE: == |
| - | ``````````````````````````````````` | + | |
| - | Syslog-ng will install its own logrotation script. IF you have | + | Syslog-ng will install its own logrotation script. IF you have previously set up custom settings for any your standard Debian logs, check if syslog-ng has also created a setting for any of these logs here: |
| - | previously set up custom settings for any your standard Debian logs, check | + | cat /etc/logrotate.d/syslog-ng |
| - | if syslog-ng has also created a setting for any of these logs here: | + | |
| - | cat /etc/logrotate.d/syslog-ng | + | For example I had added my own settings for auth.log and then after installing syslog-ng I noticed root had received e-mails stating: |
| - | For example I had added my own settings for auth.log and then after | + | /etc/cron.daily/logrotate: |
| - | installing syslog-ng I noticed root had received e-mails stating: | + | error: /etc/logrotate.conf:41 duplicate log entry for /var/log/auth.log |
| - | /etc/cron.daily/logrotate: | + | run-parts: /etc/cron.daily/logrotate exited with return code 1 |
| - | error: /etc/logrotate.conf:41 duplicate log entry for /var/log/auth.log | + | |
| - | run-parts: /etc/cron.daily/logrotate exited with return code 1 | + | |
| To find the culprit of this error I did: | To find the culprit of this error I did: | ||
| - | grep -r auth.log /etc/* | + | grep -r auth.log /etc/* |
| - | Which then I discoverd syslog-ng had this file listed in its rotation. So | + | Which then I discoverd syslog-ng had this file listed in its rotation. So then I removed my custom settings (on /etc/logrotate.conf) and added them |
| - | then I removed my custom settings (on /etc/logrotate.conf) and added them | + | |
| to syslog-ng rotation settings like this: | to syslog-ng rotation settings like this: | ||
| - | pico /etc/logrotate.d/syslog-ng | + | pico /etc/logrotate.d/syslog-ng |
| Has this: | Has this: | ||
| - | /var/log/auth.log { | + | /var/log/auth.log { |
| - | rotate 4 | + | rotate 4 |
| - | missingok | + | missingok |
| - | notifempty | + | notifempty |
| - | weekly | + | weekly |
| - | compress | + | compress |
| - | } | + | } |
| I changed it to: | I changed it to: | ||
| - | /var/log/auth.log { | + | /var/log/auth.log { |
| - | rotate 3 | + | rotate 3 |
| - | notifempty | + | notifempty |
| - | daily | + | daily |
| - | delaycompress | + | delaycompress |
| - | compress | + | compress |
| - | create 640 root adm | + | create 640 root adm |
| - | mailfirst | + | mailfirst |
| - | mail my_email@gmail.com | + | mail my_email@gmail.com |
| - | } | + | } |
| Then you'll need to restart syslog-ng: | Then you'll need to restart syslog-ng: | ||
| - | /etc/init.d/syslog-ng restart | + | /etc/init.d/syslog-ng restart |
| If you want to test logrotation without actually rotating: | If you want to test logrotation without actually rotating: | ||
| - | logrotate --debug --force /etc/logrotate.d/syslog-ng | + | logrotate --debug --force /etc/logrotate.d/syslog-ng |
| You might see an error stating no such file: | You might see an error stating no such file: | ||
| - | [snip] | + | [snip] |
| - | error: failed to open /var/log/auth.log.1.gz for mailing: No such file or | + | error: failed to open /var/log/auth.log.1.gz for mailing: No such file or |
| - | directory | + | directory |
| - | [snip] | + | [snip] |
| Then to rotate manually: | Then to rotate manually: | ||
| - | logrotate --force -v /etc/logrotate.d/syslog-ng | + | logrotate --force -v /etc/logrotate.d/syslog-ng |
| - | Which might also produce an error IF auth.log has grown larger then your | + | |
| - | e-mail client is set up to send- that is IF you have it set up to be | + | |
| - | e-mailed out: | + | |
| - | [snip] | + | |
| - | Can't send mail: sendmail process failed with error code 1 | + | |
| - | [snip] | + | |
| - | So then I just ran the manual rotation one more time to make sure all | + | Which might also produce an error IF auth.log has grown larger then your e-mail client is set up to send- that is IF you have it set up to be e-mailed out: |
| - | worked now that size was down (rotation made a new file): | + | [snip] |
| - | logrotate --force -v /etc/logrotate.d/syslog-ng | + | Can't send mail: sendmail process failed with error code 1 |
| - | Received my e-mail again noticed that with the different settings it had, | + | [snip] |
| - | it left 2 stragglers from 10 days previous (when the error started): | + | |
| - | ls -al /var/log | + | So then I just ran the manual rotation one more time to make sure all worked now that size was down (rotation made a new file): |
| - | 1 root adm 5305 2010-07-28 11:00 auth.log | + | logrotate --force -v /etc/logrotate.d/syslog-ng |
| - | 1 root adm 36891 2010-07-18 06:47 auth.log.0 | + | |
| - | 1 root adm 4561 2010-07-28 10:59 auth.log.1 | + | Received my e-mail again noticed that with the different settings it had, it left 2 stragglers from 10 days previous (when the error started): |
| - | 1 root adm 1292972 2010-07-18 06:25 auth.log.2 | + | ls -al /var/log |
| - | 1 root adm 3775 2010-07-28 10:57 auth.log.2.gz | + | 1 root adm 5305 2010-07-28 11:00 auth.log |
| - | 1 root adm 508 2010-07-28 10:24 auth.log.3.gz | + | 1 root adm 36891 2010-07-18 06:47 auth.log.0 |
| + | 1 root adm 4561 2010-07-28 10:59 auth.log.1 | ||
| + | 1 root adm 1292972 2010-07-18 06:25 auth.log.2 | ||
| + | 1 root adm 3775 2010-07-28 10:57 auth.log.2.gz | ||
| + | 1 root adm 508 2010-07-28 10:24 auth.log.3.gz | ||
| Or you might have received the error: | Or you might have received the error: | ||
| - | old log /var/log/auth.log.0.gz does not exist | + | old log /var/log/auth.log.0.gz does not exist |
| So then I did: | So then I did: | ||
| - | gzip /var/log/auth.log.0 | + | gzip /var/log/auth.log.0 |
| - | gzip /var/log/auth.log.2 | + | gzip /var/log/auth.log.2 |
| - | y | + | y |
| + | |||
| + | logrotate --force -v /etc/logrotate.d/syslog-ng | ||
| - | logrotate --force -v /etc/logrotate.d/syslog-ng | ||
| And all is fine now: | And all is fine now: | ||
| - | ls -al /var/log/auth.* | + | ls -al /var/log/auth.* |
| - | Then download auth.log.2.gz if you need it for your records before it is | + | |
| - | rotated out. | + | |
| - | //---------------------------------------------------------------------- | + | Then download auth.log.2.gz if you need it for your records before it is rotated out. |
| - | If you find mistakes, have suggestions, and or questions please post at | ||
| - | mewbies forum HERE - thank you. | ||
| - | Last update on 06 Aug '10 | ||
linux/syslog-ng.1360667615.txt.gz · Last modified: 2013-02-12 12:13 by kokkez
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain
