Configuring Syslog-ng on Ubuntu

Syslog-ng is a replacement for the default syslog daemon shipped with most Linux distributions. Its advantage is that the configuration is easier to understand, and it gives the sysadmin a lot of flexibility, especially in complex environments.

Let's say we have a RADIUS environment that can send authentication and accounting information through syslog to external devices, and let's assume that a relevant part of this syslog information is needed by a department within a large corporation.

Installing syslog-ng (on Ubuntu) is done by the following command:

# sudo apt-get install syslog-ng

Through the use of syslog-ng we can store and/or forward syslog information based on criteria such as the following (but not limited to):

  • source IP address
  • destination IP address
  • syslog level
  • content in the original syslog message by using regular expressions.

All this can be configured in the /etc/syslog-ng/syslog-ng.conf file.

  • first, the UDP listener needs to be enabled;
  • second, the destinations need to be configured, in this case a local file and a remote syslog server;
  • third, a filter that will be used to identify what information needs to be captured/forwarded;
  • and fourth, a log rule which ties the first three items together and does the actual work.

The following configuration entries are added to the default configuration file and are placed at the appropriate sections:

First you need to modify the options section to allow the creation of directories when needed. This is used to create directories based on host IPs to store the logs in.

options {
  # create_dirs(yes) lets a file destination create /var/log/$HOST on first use
  create_dirs(yes);
  flush_lines(0);
  use_dns(yes);
  use_fqdn(yes);
  owner(root);
  group(adm);
  dir_owner(root);
  dir_group(adm);
  perm(0640);
  dir_perm(0750);
  stats_freq(0);
  bad_hostname("^gconfd$");
  keep_hostname(yes);
};

Adding the udp listener listening on all configured IP addresses and the default syslog port (514):

# Listening for incoming UDP (and TCP) syslog connections on the default port 514.
# Replace <IP_ADDRESS> with the address to bind to; 0.0.0.0 binds to all configured addresses.
# The source is named s_udp because the log rule below refers to it by that name.
source s_udp { udp( ip("<IP_ADDRESS>") port(514) ); tcp( ip("<IP_ADDRESS>") port(514) ); };

Add the syslog targets:

# Local file per sending host and day (requires create_dirs(yes) in options)
destination d_abc { file("/var/log/$HOST/$YEAR$MONTH$DAY.log"); };
# Remote syslog server (here a Splunk receiver) over plain UDP
destination d_splunk { udp("1.2.3.4" port(514)); };

Create the filter that will be used to determine what to do with the received syslog message:

# All three conditions must hold: sending host, exact level notice, and a case-insensitive
# regex match on the message body. The backslash is doubled inside the double-quoted string
# so that the regex syslog-ng actually compiles is username=.*@domain\.local (literal dot).
filter f_s_xyz { ( host("2.3.4.5") and level(notice) and match("username=.*@domain\\.local" value("MESSAGE") flags("utf8" "ignore-case")) ); };

And putting it all together:

log { source(s_udp); filter(f_s_xyz); destination(d_abc); destination(d_splunk); };

This does the following: syslog information received by the s_udp listener that was sent by the host 2.3.4.5, carries the syslog level notice, and matches the regular expression username=.*@domain\.local (case-insensitively) is delivered to both destinations, the local file (d_abc) and the remote server (d_splunk). A message has to satisfy all three conditions of the filter to be handled by this log rule.
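To see which messages the filter and log rule above would actually select, here is an added Python model (not part of the original post and not syslog-ng code) that parses a few constructed RFC 3164 lines, applies the same host, level and case-insensitive regex conditions, and reports the destinations each line would reach; the $HOST/$YEAR$MONTH$DAY.log expansion assumes the post's date, and host is compared literally here although syslog-ng's host() accepts a pattern.

```python
import re
from datetime import date

# Mirror of filter f_s_xyz from the configuration above
FILTER_HOST = "2.3.4.5"
FILTER_LEVEL = "notice"          # level(notice) matches exactly this severity
FILTER_REGEX = re.compile(r"username=.*@domain\.local", re.IGNORECASE)

# RFC 3164 severity names indexed by PRI % 8 (facility is PRI // 8)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Minimal RFC 3164 line: "<PRI>MMM dd HH:MM:SS HOST MESSAGE"
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse(line):
    """Split a syslog line into level, facility, host and message; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"level": SEVERITIES[pri % 8], "facility": pri // 8,
            "host": m.group(3), "message": m.group(4)}


def f_s_xyz(msg):
    """All three conditions of the filter must hold."""
    return (msg["host"] == FILTER_HOST and msg["level"] == FILTER_LEVEL
            and FILTER_REGEX.search(msg["message"]) is not None)


def route(line, today=date(2011, 8, 26)):
    """Return (destination, target) pairs the line reaches under the log rule; [] if dropped."""
    msg = parse(line)
    if msg is None or not f_s_xyz(msg):
        return []
    # d_abc: file("/var/log/$HOST/$YEAR$MONTH$DAY.log"), HOST kept as sent (keep_hostname(yes))
    path = f"/var/log/{msg['host']}/{today:%Y%m%d}.log"
    return [("d_abc", path), ("d_splunk", "udp://1.2.3.4:514")]


# Constructed sample messages (not real RADIUS output). PRI 13 = user.notice, 14 = user.info.
SAMPLES = [
    "<13>Aug 26 10:00:01 2.3.4.5 Auth: username=alice@DOMAIN.LOCAL result=accept",  # matches
    "<14>Aug 26 10:00:02 2.3.4.5 Auth: username=bob@domain.local result=accept",    # info, not notice
    "<13>Aug 26 10:00:03 9.9.9.9 Auth: username=carol@domain.local result=reject",  # wrong host
    "<13>Aug 26 10:00:04 2.3.4.5 Auth: username=eve@domainXlocal result=accept",    # dot is literal
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line.split(" ", 4)[-1], "->", route(line) or "dropped")
```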

As you might imagine, the variations on this are numerous.

More on the subject can be found in the document library of the creators of this syslog-ng daemon.

Posted on August 26, 2011 and filed under Linux, Tips'n Tricks.