[c-nsp] Cisco boxes and Syslog-ng

Andrew Fort afort at choqolat.org
Mon Sep 12 22:32:22 EDT 2005


Joost greene wrote:
> Hello,
> 
> I have different sets of devices, dslams, nas, core routers, customer 
> routers,...
> 
> I want to syslog them all, and I want to make each device log to a file 
> separately to ease it up for NOC. Someone suggested syslog-ng; frankly, I 
> got quickly lost in its docs, the syntax isn't clear. How can I just easily 
> specify to let it log per source into different files?
> 
> Regards,
> Joost

This is a 1.6 config that works for me; these are just the parts for 
listening to udp/514 (and all my options).  Note the non-standard log 
template format used (the advantage of the format chosen is that $ISODATE 
can be sorted easily); software that feeds on the logs will require 
preprocessing to get it back into the BSD 'standard'.

It'll create a file per day, per device, and it looks kinda like this. 
Play with the destination d_file_net file line to change this.

$ ls /var/log/NET/sw1.cor.example.com/2005/09/
20050901_sw1.cor.example.com
20050902_sw1.cor.example.com
20050903_sw1.cor.example.com
20050904_sw1.cor.example.com
20050905_sw1.cor.example.com
20050906_sw1.cor.example.com
20050907_sw1.cor.example.com
20050908_sw1.cor.example.com
20050909_sw1.cor.example.com
20050910_sw1.cor.example.com
20050911_sw1.cor.example.com
20050912_sw1.cor.example.com
20050913_sw1.cor.example.com

There's also some destinations for sending to named pipes (useful for 
mysql to read to populate a database, or for the simple event correlator 
to read to do event correlation/alarming for things you don't get traps 
for).

You'll need RDNS set up for your routers, but the hostnames will then 
appear correctly in the log filenames and the log files themselves.

cheers,
-andrew

---snip---

options {
	group(logs);
	dir_group(logs);
	perm(0640);
	dir_perm(0750);

	use_time_recvd(yes);

	use_fqdn(yes);
	keep_hostname(no);
	chain_hostnames(no);

	stats(3600);
	log_fifo_size(8192);

	time_reopen(5);
	sync(1);
};

source s_514 {
	udp(ip(0.0.0.0) port(514));
	tcp(ip(0.0.0.0) port(514) max-connections(100));
};

destination d_file_net {
	file("/var/log/NET/$HOST/$YEAR/$MONTH/$YEAR$MONTH$DAY\_$HOST"
	template("$ISODATE $HOST <$FACILITY.$PRIORITY> $MSG\n")
	template_escape(no)
	owner(root)
	group(logs)
	perm(0640)
	dir_perm(0750)
	create_dirs(yes));
};

## destination: named pipe for SEC

destination d_pipe_sec {
	pipe("/var/log/sec.pipe"
	template("$ISODATE $HOST <$FACILITY.$PRIORITY> $MSG\n")
	template_escape(no));
};

## local console 11 (alt+f11) for machine room action

destination tty11 {
	file("/dev/tty11");
};

# destination: mysql named pipe

destination d_mysql_net {
	pipe("/var/log/syslog-ng-mysql.pipe"
	template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
	template_escape(yes));
};

log {
	source(s_514);
	destination(d_file_net);
	destination(d_mysql_net);
	destination(tty11);
	destination(d_pipe_sec);
};

---snip---
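Two points in the post above deserve a worked example: the custom "$ISODATE $HOST <$FACILITY.$PRIORITY> $MSG" template has to be preprocessed before BSD-format consumers can read it, and the d_mysql_net pipe builds a raw INSERT string in which only template_escape(yes) stands between a quote character in $MSG and a broken (or attacker-shaped) query. The Python script below is an added example, not part of the original post and not syslog-ng's own code. It parses lines in the custom template, rebuilds the RFC 3164 form (PRI = facility * 8 + severity, space-padded day), and loads the records into an in-memory SQLite table with placeholder parameters, so the escaping is done by the database driver instead of by the template. The sample lines, hostnames, timestamp offset and Cisco message text are constructed for the example.

```python
"""Preprocess syslog-ng lines written with the template
"$ISODATE $HOST <$FACILITY.$PRIORITY> $MSG\n" back into BSD (RFC 3164)
syslog format, and load them into a database with parameterized queries
rather than an interpolated INSERT string."""
import re
import sqlite3
from datetime import datetime

# Numeric facility and severity codes from RFC 3164, keyed by the names
# that syslog-ng expands $FACILITY and $PRIORITY into.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# One line of the custom template: ISO timestamp, host, <facility.severity>, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) <(?P<fac>[a-z0-9]+)\.(?P<sev>[a-z]+)> (?P<msg>.*)$"
)

# Constructed sample lines (assumption: local7 facility, -04:00 offset as in the post's date).
SAMPLE_LINES = [
    "2005-09-12T22:32:22-04:00 sw1.cor.example.com <local7.notice> "
    "%SYS-5-CONFIG_I: Configured from console by o'brien on vty0 (192.0.2.10)",
    "2005-09-12T22:33:01-04:00 sw1.cor.example.com <local7.err> "
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "garbage line that does not match the template",
]


def parse_line(line):
    """Split one line of the custom format into its fields; return None for
    lines that do not match (truncated writes, foreign input)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or m["fac"] not in FACILITIES or m["sev"] not in SEVERITIES:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])  # keeps the UTC offset
    return rec


def to_bsd(rec):
    """Rebuild the RFC 3164 form: <PRI>Mmm dd hh:mm:ss HOST MSG."""
    pri = FACILITIES[rec["fac"]] * 8 + SEVERITIES[rec["sev"]]
    ts = rec["ts"]
    return f"<{pri}>{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {rec['host']} {rec['msg']}"


def load_into_db(lines, conn):
    """Insert parsed lines using placeholders, so a quote or backslash in
    $MSG (a username such as o'brien) is stored as data, never parsed as SQL.
    Returns the number of rows inserted; unparseable lines are skipped."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS logs (host TEXT, facility TEXT, "
        "priority TEXT, date TEXT, time TEXT, msg TEXT)"
    )
    rows = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rows.append((rec["host"], rec["fac"], rec["sev"],
                     rec["ts"].strftime("%Y-%m-%d"),
                     rec["ts"].strftime("%H:%M:%S"), rec["msg"]))
    conn.executemany("INSERT INTO logs VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def load_samples(lines=SAMPLE_LINES):
    """Load the sample lines into an in-memory SQLite database and return
    (rows inserted, messages in time order)."""
    conn = sqlite3.connect(":memory:")
    n = load_into_db(lines, conn)
    msgs = [row[0] for row in conn.execute("SELECT msg FROM logs ORDER BY time")]
    conn.close()
    return n, msgs


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(to_bsd(rec) if rec else f"skipped: {line!r}")
    print(load_samples())
```

The same parser can feed a SEC rule set or a real MySQL client; the point of load_into_db is that the message body never touches the query text, which is what the pipe-based INSERT template relies on template_escape(yes) to guarantee.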
