Syslog-ng

Syslog-ng - Linux et OS Alternatifs

Marsh Posté le 05-10-2004 à 10:44:32    

Salut,
 
J'utilise le package syslog-ng au lieu de syslog pour avoir plus de precision dans ma gestion des logs. Par contre j'ai un petit probleme avec, mes logs de firewall se retrouve dans le fichier de destination + dans ma console, ca n'arrete pas de monté dans la console :o avec un dmesg on arrive a voir les logs firewall aussi ^^  
 

Code :
  1. #
  2. # Configuration file for syslog-ng under Debian
  3. #
  4. # attempts at reproducing default syslog behavior
  6. # the standard syslog levels are (in descending order of priority):
  7. # emerg alert crit err warning notice info debug
  8. # the aliases "error", "panic", and "warn" are deprecated
  9. # the "none" priority found in the original syslogd configuration is
  10. # only used in internal messages created by syslogd
  13. ######
  14. # options
  16. options {
  17.         #
  18.         long_hostnames(0);
  20.         # the time to wait before a died connection is re-established
  21.         # (default is 60)
  22.         time_reopen(10);
  24.         # the time to wait before an idle destination file is closed
  25.         # (default is 60)
  26.         time_reap(360);
  28.         # the number of lines buffered before written to file
  29.         # you might want to increase this if your disk isn't catching with
  30.         # all the log messages you get or if you want less disk activity
  31.         # (say on a laptop)
  32.         # (default is 0)
  33.         #sync(0);
  35.         # the number of lines fitting in the output queue
  36.         log_fifo_size(2048);
  38.         # enable or disable directory creation for destination files
  39.         create_dirs(yes);
  41.         # default owner, group, and permissions for log files
  42.         # (defaults are 0, 0, 0600)
  43.         #owner(root);
  44.         group(adm);
  45.         perm(0640);
  47.         # default owner, group, and permissions for created directories
  48.         # (defaults are 0, 0, 0700)
  49.         #dir_owner(root);
  50.         #dir_group(root);
  51.         dir_perm(0755);
  53.         # enable or disable DNS usage
  54.         # syslog-ng blocks on DNS queries, so enabling DNS may lead to
  55.         # a Denial of Service attack
  56.         # (default is yes)
  57.         use_dns(no);
  59.         # maximum length of message in bytes
  60.         # this is only limited by the program listening on the /dev/log Unix
  61.         # socket, glibc can handle arbitrary length log messages, but -- for
  62.         # example -- syslogd accepts only 1024 bytes
  63.         # (default is 2048)
  64.         #log_msg_size(2048);
  65. };
  68. ######
  69. # sources
  71. # all known message sources
  72. source s_all {
  73.         # message generated by Syslog-NG
  74.         internal();
  75.         # standard Linux log source (this is the default place for the syslog()
  76.         # function to send logs to)
  77.         unix-stream("/dev/log" );
  78.         # messages from the kernel
  79.         file("/proc/kmsg" log_prefix("kernel: " ));
  80.         # use the above line if you want to receive remote UDP logging messages
  81.         # (this is equivalent to the "-r" syslogd flag)
  82.         # udp();
  83. };
  86. ######
  87. # destinations
  89. # some standard log files
  90. destination df_auth { file("/var/log/auth.log" ); };
  91. destination df_syslog { file("/var/log/syslog" ); };
  92. destination df_cron { file("/var/log/cron.log" ); };
  93. destination df_daemon { file("/var/log/daemon.log" ); };
  94. destination df_kern { file("/var/log/kern.log" ); };
  95. destination df_lpr { file("/var/log/lpr.log" ); };
  96. destination df_mail { file("/var/log/mail.log" ); };
  97. destination df_user { file("/var/log/user.log" ); };
  98. destination df_uucp { file("/var/log/uucp.log" ); };
  100. destination df_firewall { file("/var/log/firewall/firewall.log" ); };
  101. destination df_pureftpd { file("/var/log/pure-ftpd/ftp.log" ); };
  102. destination df_spamd { file("/var/log/spam/spam.log" ); };
  103. destination df_ssh { file("/var/log/ssh/ssh.log" ); };
  105. # these files are meant for the mail and news systems log files
  106. # and provide re-usable destinations for {mail,news,...}.info,
  107. # {mail,news,...}.notice, etc.
  108. destination df_facility_dot_info { file("/var/log/$FACILITY.info" ); };
  109. destination df_facility_dot_notice { file("/var/log/$FACILITY.notice" ); };
  110. destination df_facility_dot_warn { file("/var/log/$FACILITY.warn" ); };
  111. destination df_facility_dot_err { file("/var/log/$FACILITY.err" ); };
  112. destination df_facility_dot_crit { file("/var/log/$FACILITY.crit" ); };
  114. # some more classical and useful files found in standard syslog configurations
  115. destination df_debug { file("/var/log/debug" ); };
  116. destination df_messages { file("/var/log/messages" ); };
  118. # pipes
  119. # a console to view log messages under X
  120. destination dp_xconsole { pipe("/dev/xconsole" ); };
  122. # consoles
  123. # this will send messages to everyone logged in
  124. destination du_all { usertty("*" ); };
  127. ######
  128. # filters
  130. # all messages from the auth and authpriv facilities
  131. filter f_auth { facility(auth, authpriv); };
  133. # all messages except from the auth and authpriv facilities
  134. filter f_syslog { not facility(auth, authpriv) and not match(" ### Stealth Scan ### " ) and not match(" ### XMAS Scan ### " ) and not match(" ### SYN/RST Scan ### " ) and not match(" ### Stealth FIN Scan ### " ) and not match(" ### SYN/FIN Scan ### " ) and not match(" ### Null Scan ### " ) and not match(" ### Ping Scan ### " ) and not match("## SCAN SYN/ACK ## " ) and not match("## INPUT TCP sans SYN ## " ) and not match("## INVALID INPUT ## " ) and not match("## BAD INPUT ## " ) and not match("## Connexion FTP ## " ) and not match("## Connexion SSH ## " ) and not match("## Identd ## " ) and not match("pure-ftpd" ) and not match("spamd" ); };
  136. # respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
  137. # and uucp facilities
  138. filter f_cron { facility(cron); };
  139. filter f_daemon { facility(daemon); };
  140. filter f_kern { facility(kern) and not match(" ### Stealth Scan ### " ) and not match(" ### XMAS Scan ### " ) and not match(" ### SYN/RST Scan ### " ) and not match(" ### Stealth FIN Scan ### " ) and not match(" ### SYN/FIN Scan ### " ) and not match(" ### Null Scan ### " ) and not match(" ### Ping Scan ### " ) and not match("## SCAN SYN/ACK ## " ) and not match("## INPUT TCP sans SYN ## " ) and not match("## INVALID INPUT ## " ) and not match("## BAD INPUT ## " ) and not match("## Connexion FTP ## " ) and not match("## Connexion SSH ## " )  and not match("## Identd ## " ) and not match("pure-ftpd" ) and not match("spamd" ); };
  141. filter f_lpr { facility(lpr); };
  142. filter f_mail { facility(mail); };
  143. filter f_news { facility(news); };
  144. filter f_user { facility(user); };
  145. filter f_uucp { facility(uucp); };
  147. # some filters to select messages of priority greater or equal to info, warn,
  148. # and err
  149. # (equivalents of syslogd's *.info, *.warn, and *.err)
  150. filter f_at_least_info { level(info..emerg); };
  151. filter f_at_least_notice { level(notice..emerg); };
  152. filter f_at_least_warn { level(warn..emerg); };
  153. filter f_at_least_err { level(err..emerg); };
  154. filter f_at_least_crit { level(crit..emerg); };
  156. # all messages of priority debug not coming from the auth, authpriv, news, and
  157. # mail facilities
  158. filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
  160. # all messages of info, notice, or warn priority not coming form the auth,
  161. # authpriv, cron, daemon, mail, and news facilities
  162. filter f_messages {
  163.         level(info,notice,warn)
  164.             and not facility(auth,authpriv,cron,daemon,mail,news)and not match (".*IN=.*OUT=.*MAC=.*" ) and not match ("pure-ftpd*" ) and not match("spamd*" ) and not match("syslog-ng*:*STATS:*dropped" ); };
  167. # messages with priority emerg
  168. filter f_emerg { level(emerg); };
  170. # complex filter for messages usually sent to the xconsole
  171. filter f_xconsole {
  172.     facility(daemon,mail)
  173.         or level(debug,info,notice,warn)
  174.         or (facility(news)
  175.                 and level(crit,err,notice));
  176. };
  178. filter f_iptables { match("IN=.*OUT=.*MAC=.*" ); };
  179. filter f_pureftpd { match("pure-ftpd*" ); };
  180. filter f_spamd { match("spamd*" ); };
  181. filter f_ssh { match("sshd*" ); };
  183. ######
  184. # logs
  185. # order matters if you use "flags(final);" to mark the end of processing in a
  186. # "log" statement
  188. # these rules provide the same behavior as the commented original syslogd rules
  190. # auth,authpriv.*                 /var/log/auth.log
  191. log {
  192.         source(s_all);
  193.         filter(f_auth);
  194.         destination(df_auth);
  195. };
  197. # *.*;auth,authpriv.none          -/var/log/syslog
  198. log {
  199.         source(s_all);
  200.         filter(f_syslog);
  201.         destination(df_syslog);
  202. };
  204. # this is commented out in the default syslog.conf
  205. # cron.*                         /var/log/cron.log
  206. #log {
  207. #        source(s_all);
  208. #        filter(f_cron);
  209. #        destination(df_cron);
  210. #};
  212. # daemon.*                        -/var/log/daemon.log
  213. log {
  214.         source(s_all);
  215.         filter(f_daemon);
  216.         destination(df_daemon);
  217. };
  219. # kern.*                          -/var/log/kern.log
  220. log {
  221.         source(s_all);
  222.         filter(f_kern);
  223.         destination(df_kern);
  224. };
  226. # lpr.*                           -/var/log/lpr.log
  227. log {
  228.         source(s_all);
  229.         filter(f_lpr);
  230.         destination(df_lpr);
  231. };
  233. # mail.*                          -/var/log/mail.log
  234. log {
  235.         source(s_all);
  236.         filter(f_mail);
  237.         destination(df_mail);
  238. };
  240. # user.*                          -/var/log/user.log
  241. log {
  242.         source(s_all);
  243.         filter(f_user);
  244.         destination(df_user);
  245. };
  247. # uucp.*                          /var/log/uucp.log
  248. log {
  249.         source(s_all);
  250.         filter(f_uucp);
  251.         destination(df_uucp);
  252. };
  254. # mail.info                       -/var/log/mail.info
  255. log {
  256.         source(s_all);
  257.         filter(f_mail);
  258.         filter(f_at_least_info);
  259.         destination(df_facility_dot_info);
  260. };
  262. # mail.warn                       -/var/log/mail.warn
  263. log {
  264.         source(s_all);
  265.         filter(f_mail);
  266.         filter(f_at_least_warn);
  267.         destination(df_facility_dot_warn);
  268. };
  270. # mail.err                        /var/log/mail.err
  271. log {
  272.         source(s_all);
  273.         filter(f_mail);
  274.         filter(f_at_least_err);
  275.         destination(df_facility_dot_err);
  276. };
  278. # news.crit                       /var/log/news/news.crit
  279. log {
  280.         source(s_all);
  281.         filter(f_news);
  282.         filter(f_at_least_crit);
  283.         destination(df_facility_dot_crit);
  284. };
  286. # news.err                        /var/log/news/news.err
  287. log {
  288.         source(s_all);
  289.         filter(f_news);
  290.         filter(f_at_least_err);
  291.         destination(df_facility_dot_err);
  292. };
  294. # news.notice                     /var/log/news/news.notice
  295. log {
  296.         source(s_all);
  297.         filter(f_news);
  298.         filter(f_at_least_notice);
  299.         destination(df_facility_dot_notice);
  300. };
  303. # *.=debug;\
  304. #         auth,authpriv.none;\
  305. #         news.none;mail.none     -/var/log/debug
  306. log {
  307.         source(s_all);
  308.         filter(f_debug);
  309.         destination(df_debug);
  310. };
  313. # *.=info;*.=notice;*.=warn;\
  314. #         auth,authpriv.none;\
  315. #         cron,daemon.none;\
  316. #         mail,news.none          -/var/log/messages
  317. log {
  318.         source(s_all);
  319.         filter(f_messages);
  320.         destination(df_messages);
  321. };
  323. # *.emerg                         *
  324. log {
  325.         source(s_all);
  326.         filter(f_emerg);
  327.         destination(du_all);
  328. };
  331. # daemon.*;mail.*;\
  332. #         news.crit;news.err;news.notice;\
  333. #         *.=debug;*.=info;\
  334. #         *.=notice;*.=warn       |/dev/xconsole
  335. log {
  336.         source(s_all);
  337.         filter(f_xconsole);
  338.         destination(dp_xconsole);
  339. };
  341. # Firewall
  342. log {
  343.    source(s_all);
  344.    filter(f_iptables);
  345.    destination(df_firewall);
  346. };
  348. # FTP
  349. log {
  350.    source(s_all);
  351.    filter(f_pureftpd);
  352.    destination(df_pureftpd);
  353. };
  355. # Spam
  356. log {
  357.    source(s_all);
  358.    filter(f_spamd);
  359.    destination(df_spamd);
  360. };
  362. # SSH
  363. log {
  364.    source(s_all);
  365.    filter(f_ssh);
  366.    destination(df_ssh);
  367. };


 
et voici une des regles iptables pour le log:  
 

Code :
  1. iptables -A INPUT -p TCP --tcp-flags ! ALL SYN -m state --state NEW -m limit --limit 3/s -j LOG --log-tcp-option  --log-ip-options --log-level info --log-prefix "## INPUT TCP sans SYN ## "


 
Comment faire pour plus avoir mes logs firewall dans ma console et qu'il ne s'affiche plus avec la commande dmesg.
 
Merci


---------------
I dont have any solution, but I certainly admire the problem
Reply

Marsh Posté le 05-10-2004 à 10:44:32   

Reply

Marsh Posté le 05-10-2004 à 11:42:01    

installe ULOGD, et tu mets -j ULOG, t'auras tout dans les logs de ulog. (/var/log/ulogd.syslogmenu)

Reply

Marsh Posté le 05-10-2004 à 16:51:18    

Je ne peux pas, avec ulogd j'avais un grand prob, la date des logs était tjrs: Jan  1 01:00:00  

Code :
  1. Jan  1 01:00:00 Jupiter ## Connexion FTP ## IN=eth0 OUT= MAC=***  SRC=*** DST=*** LEN=48 TOS=00 PREC=0x00 TTL=116 ID=12491 DF PROTO=TCP SPT=3242 DPT=21 SEQ=3110156186 ACK=0 WINDOW=16384 SYN URGP=0
  2. Jan  1 01:00:00 Jupiter ## INPUT TCP sans SYN ## IN=eth0 OUT= MAC=***  SRC=*** DST=*** LEN=40 TOS=00 PREC=0x00 TTL=247 ID
  3. =51214 CE PROTO=TCP SPT=3922 DPT=445 SEQ=2627438016 ACK=0 WINDOW=0 RST URGP=0
  4. Jan  1 01:00:00 Jupiter ## BAD INPUT ## IN=eth0 OUT= MAC=***  SRC=*** DST=*** LEN=40 TOS=00 PREC=0x00 TTL=247 ID=51214 CE
  5. PROTO=TCP SPT=3922 DPT=445 SEQ=2627438016 ACK=0 WINDOW=0 RST URGP=0
  6. Jan  1 01:00:00 Jupiter ## INPUT TCP sans SYN ## IN=eth0 OUT= MAC=***  SRC=*** DST=*** LEN=40 TOS=00 PREC=0x00 TTL=247 ID
  7. =51592 CE PROTO=TCP SPT=3922 DPT=445 SEQ=2627438016 ACK=0 WINDOW=0 RST URGP=0
  8. Jan  1 01:00:00 Jupiter ## BAD INPUT ## IN=eth0 OUT= MAC=***  SRC=*** DST=*** LEN=40 TOS=00 PREC=0x00 TTL=247 ID=51592 CE
  9. PROTO=TCP SPT=3922 DPT=445 SEQ=2627438016 ACK=0 WINDOW=0 RST URGP=0
  10. Jan  1 01:00:00 Jupiter ## INPUT TCP sans SYN ## IN=eth0 OUT= MAC=***  SRC=*** DST=*** LEN=40 TOS=00 PREC=0x00 TTL=247 ID
  11. =52113 CE PROTO=TCP SPT=3922 DPT=445 SEQ=2627438016 ACK=0 WINDOW=0 RST URGP=0
  12. Jan  1 01:00:00 Jupiter #### SYN/FIN Scan #### IN=eth0 OUT= MAC=***  SRC=*** DST=*** LEN=40 TOS=00 PREC=0x00 TTL=28 ID=39
  13. 426 CE PROTO=TCP SPT=21 DPT=21 SEQ=707015513 ACK=1005711576 WINDOW=1028 SYN FIN URGP=0
  14. Jan  1 01:00:00 Jupiter ## INPUT TCP sans SYN ## IN=eth0 OUT= MAC=***  SRC=*** DST=*** LEN=40 TOS=00 PREC=0x00 TTL=28 ID=
  15. 39426 CE PROTO=TCP SPT=21 DPT=21 SEQ=707015513 ACK=1005711576 WINDOW=1028 SYN FIN URGP=0


---------------
I dont have any solution, but I certainly admire the problem
Reply

Marsh Posté le 05-10-2004 à 17:55:24    

dmesg -n 1 ?


---------------
Intermittent du GNU
Reply

Marsh Posté le 05-10-2004 à 19:08:04    

Citation :

> > > I tried my logging rules with '--log-prefix "IPTables DROP:"'
> > > and use syslog-ng to filter them. If you google for iptables
> > > and syslog-ng there's some more help.
> > > What _I_ didn't figure out is, how to stop iptables from
> > > logging to standard-out;M syslog-ng seems only to additionally
> > > write it to my specified file.
> >  
> > Right, this is done by klogd.
> >  
> > man klogd
> >  
>  
> I typically add "-c 4" in KLOGD (/etc/init.d/klogd) to avoid the
> iptables logging to console.


Reply

Marsh Posté le 05-10-2004 à 19:47:14    

Ben le paquet klogd s'install avec syslogd. Syslog-ng depend pas de klogd et si jamais j'essaye de l'installé  

Code :
  1. Les paquets supplémentaires suivants seront installés :
  2.   sysklogd
  3. Les paquets suivants seront ENLEVÉS :
  4.   syslog-ng
  5. Les NOUVEAUX paquets suivants seront installés :
  6.   klogd sysklogd


 
Je pense pas que mon probleme a qlq chose avec klogd

Reply

Marsh Posté le 06-10-2004 à 10:56:47    

UP  :jap:


---------------
I dont have any solution, but I certainly admire the problem
Reply

Sujets relatifs:

Leave a Replay

Make sure you enter the(*)required information where indicate.HTML code is not allowed