@version: 3.3
@include "scl.conf"
#
# see http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/index.html
#
##
## global options
##
## see http://www.balabit.com/dl/html/syslog-ng-v3.3-guide-admin-en.html/ch08s09.html
##
options {
## general settings
time_reopen(10); # Reopen a dead connection after this many seconds
time_reap(120); # Close an idle destination file after this many seconds
ts_format(rfc3164); # Timestamp format: rfc3164|rfc3339|bsd|iso
log_fifo_size(1000000); # Output queue size in messages -- NOTE(review): with log_msg_size(8192) a full queue is roughly 8 GB worst case; confirm the host can afford that
log_msg_size(8192); # Max size of a single message (bytes); longer messages are truncated/split by syslog-ng
flush_lines(10); # Buffer this many lines of output (0 to send to disk immediately)
flush_timeout(1000); # Wait at most this many milliseconds before forcibly flushing the output buffer
mark_freq(300); # MARK line logging interval (seconds)
stats_freq(0); # Stats logging interval (0 = disabled)
## remote logging
## NOTE(review): this file defines only local sources (/dev/log and /proc/kmsg),
## so the options below only matter once a network source is added
normalize_hostnames(yes); # Do normalize hostnames (transform to lower case)
chain_hostnames(on); # Chain hostnames? (record every relay hostname, not only the last one)
keep_hostname(yes); # Keep the hostname the client sent? -- this field is written by the sender and is not verified by syslog-ng
keep_timestamp(no); # Do not use the timestamp the client sent -- it might be wrong
use_dns(yes); # Use DNS? Good for log servers. -- NOTE(review): reverse lookups happen inline, so a slow or unreachable resolver can stall message processing; keep dns_cache on and confirm the resolver is reliable
use_fqdn(no); # Use FQDNs? Good for log servers.
dns_cache(yes); # Cache DNS results?
dns_cache_size(1024); # Number of DNS lookup results to cache
dns_cache_expire(3600); # Expire cached successful DNS lookup results after this many seconds
dns_cache_expire_failed(60); # Expire cached failed DNS lookup results after this many seconds
## log file handling
create_dirs(yes); # Create directories for log files if they don't exist
dir_owner("root"); # Owner of newly created directories
dir_group("adm"); # Group of newly created directories
dir_perm(0750); # Permissions of newly created directories (group adm may list, others may not)
owner("root"); # Owner of newly created log files
group("adm"); # Group of newly created log files
perm(0640); # Permissions of newly created log files (group adm may read, others may not)
## misc
# Some programs send log messages through a private syslog implementation,
# and sometimes that implementation is broken. When that happens syslog-ng
# may mistake the program name for the hostname. With this option we tell
# syslog-ng that a hostname matching this regexp is not a real hostname.
bad_hostname("^gconfd$");
};
##
## filters
##
## see http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s06.html
##
## standard syslog facilities
## one filter per syslog(3) facility. The facility is chosen by the sending
## program and is not verified by syslog-ng, so it is a routing hint rather
## than a trust boundary (any local process can log with facility auth, say).
filter f_kern { facility(kern); };
filter f_auth { facility(auth); }; # -- note: 'security' is a deprecated alias
filter f_authpriv { facility(authpriv); };
filter f_syslog { facility(syslog); };
filter f_daemon { facility(daemon); };
filter f_cron { facility(cron); }; # also used by the cron log path below
filter f_ftp { facility(ftp); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_uucp { facility(uucp); };
filter f_user { facility(user); };
filter f_local0 { facility(local0); };
filter f_local1 { facility(local1); };
filter f_local2 { facility(local2); };
filter f_local3 { facility(local3); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };
## standard syslog priorities: "exactly"
## the number after each filter is the RFC 3164 severity code (0 = most severe)
filter f_emerg { priority(emerg); }; # 0 -- note: 'panic' is a deprecated alias
filter f_alert { priority(alert); }; # 1
filter f_crit { priority(crit); }; # 2
filter f_err { priority(err); }; # 3 -- note: 'error' is a deprecated alias
filter f_warning { priority(warning); }; # 4 -- note: 'warn' is a deprecated alias
filter f_notice { priority(notice); }; # 5
filter f_info { priority(info); }; # 6
filter f_debug { priority(debug); }; # 7
## standard syslog priorities: "at least"
## a priority range low..high is inclusive at both ends, so e.g. f_err+
## matches err, crit, alert and emerg
filter f_alert+ { priority(alert..emerg); }; # 1-0
filter f_crit+ { priority(crit..emerg); }; # 2-0
filter f_err+ { priority(err..emerg); }; # 3-0
filter f_warning+ { priority(warning..emerg); }; # 4-0
filter f_notice+ { priority(notice..emerg); }; # 5-0
filter f_info+ { priority(info..emerg); }; # 6-0
filter f_debug+ { priority(debug..emerg); }; # 7-0
##
## templates for the log messages
##
## see http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s07.html
##
## WARNING: syslog logfile analysis tools might stumble over non-standard
## formats! Tools like mailgraph and tenshi come to mind.
##
## for tenshi, it's easy to circumvent problems by either using the standard
## format for the tenshi fifo or by using the "logprefix" feature in tenshi.conf
## to match the custom format, e.g. when using facility and priority as alerting
## criteria.
##
## mailgraph probably needs to be patched for being able to deal with a
## non-standard log message format.
##
# macro quick-reference:
# - DATE: "Jun 13 15:58:00" (default syslog date)
# - FULLDATE: "2006 Jun 13 15:56:57"
# - ISODATE: "2006-06-13T15:56:51+02:00"
# - PRI: see http://www.faqs.org/rfcs/rfc3164.html, 4.1.1
# - TZOFFSET: "+02:00"
## default message format (standard syslog message format)
#template t_default { template("${DATE} ${HOST} ${MSGHDR}${MSG}\n"); template_escape(no); };
## default message format (standard syslog-ng-3.0 message format)
## template_escape(no): quotes and backslashes in ${MSG} are written as-is (escaping is only meant for SQL output)
template t_default { template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"); template_escape(no); };
## log and admin console message formats
## both templates are identical; t_admintty is not referenced by any destination
## in this file (d_admintty uses usertty() without a template())
template t_logtty { template("${DATE}; ${FACILITY}.${PRIORITY}; ${MSGHDR}${MSG}\n"); template_escape(no); };
template t_admintty { template("${DATE}; ${FACILITY}.${PRIORITY}; ${MSGHDR}${MSG}\n"); template_escape(no); };
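## custom local message format (used by default throughout this configuration, also see t_remote_r)
## fields are separated by "; " so the host, facility.priority and message columns can be split reliably;
## the statement must stay on one line -- a line break inside "template_escape" does not parse
template t_local { template("${YEAR}-${MONTH}-${DAY} ${HOUR}:${MIN}:${SEC} ${TZOFFSET}; ${HOST}; ${FACILITY}.${PRIORITY}; ${MSGHDR}${MSG}\n"); template_escape(no); };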
## tenshi message format (tenshi.conf needs to be adjusted for this format!)
## no timestamp: tenshi adds its own, so only host, facility.priority and the message are emitted
template t_tenshi { template("${HOST}; ${FACILITY}.${PRIORITY}; ${MSGHDR}${MSG}\n"); template_escape(no); };
## mailgraph message format (plain syslog layout, same as the commented-out t_default above)
template t_mgraph { template("${DATE} ${HOST} ${MSGHDR}${MSG}\n"); template_escape(no); };
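## remote reception message format (replaces time information of received messages with local system time)
## the R_* macros hold the time the message was received here, and ${SOURCEIP} records the peer
## address next to the (sender-supplied, unverifiable) ${HOST}; the statement must stay on one
## line -- a line break inside the quoted template string does not parse
template t_remote_r { template("${R_YEAR}-${R_MONTH}-${R_DAY} ${R_HOUR}:${R_MIN}:${R_SEC} ${R_TZOFFSET}; ${HOST}/${SOURCEIP}; ${FACILITY}.${PRIORITY}; ${MSGHDR}${MSG}\n"); template_escape(no); };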
## remote delivery message format (standard syslog protocol format)
## <${PRI}> is the RFC 3164 priority header a remote receiver expects; not used by any destination in this file
template t_remote_d { template("<${PRI}>${DATE} ${HOST} ${MSGHDR}${MSG}\n"); template_escape(no); };
##
## local sources
##
## see http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s03.html
## and http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s01.html
##
## local syslog messages + syslog-ng internal messages
source s_local {
unix-stream("/dev/log"); # the syslog(3) socket local programs write to
#unix-stream("/dev/log" max-connections(1000)); # variant with an explicit client connection cap
internal(); # messages generated by syslog-ng itself
};
## kernel messages
## NOTE(review): reads from /proc/kmsg are consumed, so only one reader may use it;
## confirm that klogd or another syslog daemon is not running alongside syslog-ng
source s_kernel {
file("/proc/kmsg" flags(kernel) program_override("kernel")); # flags(kernel): treat lines as kernel messages; program_override: tag every line with program name "kernel"
};
##
## local destinations and log paths
##
## see http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s04.html
## and http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s05.html
## and http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s02.html
## and http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s03.html
##
#
# discard messages
#
## example for discarding certain messages using an empty destination and the final flag
#destination d_null { };
#filter f_null { message("I am a message that wants to be discarded"); };
#log { source(s_local); filter(f_null); destination(d_null); flags(final); };
#
# system specials
#
## kernel messages
## not flagged final, so kernel lines are also delivered to the console (d_logtty) and to /var/log/messages
destination d_kernel { file("/var/log/syslog-ng/kernel.log" template(t_local)); }; # created root:adm 0640 per the global owner/group/perm options
log { source(s_kernel); destination(d_kernel); };
## log console
## no filter(): every message, including auth/authpriv and sudo records, is echoed
## to virtual console 3, where anyone who can see that console can read it.
## Add a filter (e.g. f_notice+) if the console is not physically protected.
destination d_logtty { file("/dev/tty3" template(t_logtty)); };
log { source(s_local); source(s_kernel); destination(d_logtty); };
## admin console
## only emerg (priority 0) messages, written to the terminals root is logged in on
destination d_admintty { usertty("root"); }; # no template() given, so t_admintty defined above is not applied here
log { source(s_local); filter(f_emerg); destination(d_admintty); };
#
# application specific
#
## firewall (iptables, using custom iptables log prefixes)
## message() is matched against the message text, so the iptables/ip6tables LOG rules
## must set --log-prefix to one of the three prefixes below or nothing lands in firewall.log.
## NOTE(review): "^ip4t_FW " / "^ip6t_FW " have no trailing colon, unlike "^FW: " -- confirm against the rules in use
## not flagged final, so firewall lines also go to kernel.log, the console and /var/log/messages
destination d_firewall { file("/var/log/syslog-ng/firewall.log" template(t_local)); };
filter f_firewall { message("^FW: ") or message("^ip4t_FW ") or message("^ip6t_FW "); };
log { source(s_kernel); filter(f_firewall); destination(d_firewall); };
## sudo
## not flagged final: sudo records are also kept in /var/log/messages by the catch-all path at the end
destination d_sudo { file("/var/log/syslog-ng/sudo.log" template(t_local)); };
filter f_sudo { program("^sudo$"); }; # anchored so only the exact program name matches; the name is taken from the syslog header the sender wrote
log { source(s_local); filter(f_sudo); destination(d_sudo); };
## sshd
## not flagged final: sshd records are also kept in /var/log/messages by the catch-all path at the end
destination d_sshd { file("/var/log/syslog-ng/sshd.log" template(t_local)); };
filter f_sshd { program("^sshd$") or program("^sftp-server$"); }; # the sftp subsystem logs under its own program name
log { source(s_local); filter(f_sshd); destination(d_sshd); };
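## cron
## f_cron is already defined in the standard facility filter list above with the same
## content (facility(cron)); repeating the definition here was a duplicate filter
## definition, which syslog-ng reports as a configuration error (check with syslog-ng -s).
## not flagged final: cron records are also kept in /var/log/messages by the catch-all path at the end
destination d_cron { file("/var/log/syslog-ng/cron.log" template(t_local)); };
log { source(s_local); filter(f_cron); destination(d_cron); };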
## ntpd
## not flagged final: ntpd records are also kept in /var/log/messages by the catch-all path at the end
destination d_ntpd { file("/var/log/syslog-ng/ntpd.log" template(t_local)); };
filter f_ntpd { program("^ntpd$"); }; # anchored so only the exact program name matches
log { source(s_local); filter(f_ntpd); destination(d_ntpd); };
## named
## not flagged final: named records are also kept in /var/log/messages by the catch-all path at the end
destination d_named { file("/var/log/syslog-ng/named.log" template(t_local)); };
filter f_named { program("^named$"); }; # anchored so only the exact program name matches
log { source(s_local); filter(f_named); destination(d_named); };
## OpenLDAP SLAPD
## mark debug messages as final so they don't get into any other file
## path order matters: the debug path is evaluated first and its final flag stops
## debug lines from reaching the second path, the console and /var/log/messages;
## non-debug slapd messages still land in both slapd.log and /var/log/messages
destination d_slapd { file("/var/log/syslog-ng/slapd.log" template(t_local)); };
filter f_slapd { program("^slapd$"); }; # anchored so only the exact program name matches
log { source(s_local); filter(f_slapd); filter(f_debug); destination(d_slapd); flags(final); };
log { source(s_local); filter(f_slapd); destination(d_slapd); };
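## PSAD
## kernel messages enter this configuration through s_kernel (/proc/kmsg), not /dev/log --
## the kernel and firewall paths above already read s_kernel for that reason. The original
## path only read s_local, so psad saw kern-facility lines only if a program wrote them to
## /dev/log; s_kernel is now included so iptables LOG output reaches the psad fifo.
## NOTE(review): psad must keep the fifo open for reading; confirm it is running before relying on this path
destination psadpipe { pipe("/var/lib/psad/psadfifo"); };
filter f_kerninfo { facility(kern); }; # same content as f_kern above, kept under the name psad's documentation uses
log { source(s_local); source(s_kernel); filter(f_kerninfo); destination(psadpipe); };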
#
# default: all messages (local syslog + kernel)
#
# should be at the end so that messages already consumed by an application
# specific log path carrying the "final" flag are not logged here a second time
#
destination d_messages { file("/var/log/messages" template(t_local)); }; # unfiltered catch-all (auth/authpriv included); created root:adm 0640 per the global options
log { source(s_local); source(s_kernel); destination(d_messages); };