
syslog-ng.conf disables standard OS logging #488

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 5 comments

@GoogleCodeExporter

commented Mar 24, 2015

PLEASE NOTE!  This Issue Tracker is NOT intended for normal support
requests!  Support requests should go to the mailing list first.  Once
we've confirmed your issue on the mailing list, we may ask you to create a
ticket here.

If you have contacted the mailing list first and we've asked you to create
a ticket here, please answer the following questions:

What steps will reproduce the problem?
1. tail -f /var/log/messages
2. tail -f /var/log/maillog

What is the expected output? What do you see instead?

Expected to see logs from non-SO processes, but found empty files instead.


Are you using the new Security Onion 12.04?

Yes.

Did you install from the ISO image or did you install your own version of
Ubuntu and then add our PPA and packages?

ISO

Please provide any additional information below.

I presume OS logs can be put into ELSA, but failing that (this needs fine tuning), to get logs moving to /var/log I added the following lines to /etc/syslog-ng/syslog-ng.conf:


# First some standard logfiles
#
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };

# These files receive the logs coming from the mail subsystem.
#
destination mail { file("/var/log/mail.log"); };
destination maillog { file("/var/log/maillog"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };

# Some `catch-all' logfiles.
#
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };

# Facility filters
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
# Fixed: the posted config had facility(cron) here, so uucp.log would have
# received cron messages and uucp messages would never have matched.
filter f_uucp { facility(uucp); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn)
        and not facility(auth, authpriv, cron, daemon, mail, news); };
filter f_emergency { level(emerg); };

# Severity filters, combined with f_mail in the log statements below
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

###############################################################
#
# log statements actually send logs somewhere, to a file, across the network, etc
# s_syslog is the source already defined in the default Security Onion syslog-ng.conf
#

# Fixed: auth/authpriv went to destination(syslog) even though f_syslog excludes
# those facilities on purpose and destination(authlog) was defined but never used.
log { source(s_syslog); filter(f_authpriv); destination(authlog); };
log { source(s_syslog); filter(f_syslog); destination(syslog); };
log { source(s_syslog); filter(f_cron); destination(cron); };
log { source(s_syslog); filter(f_daemon); destination(messages); };
log { source(s_syslog); filter(f_kern); destination(messages); };
log { source(s_syslog); filter(f_lpr); destination(lpr); };
log { source(s_syslog); filter(f_mail); destination(mail); };
log { source(s_syslog); filter(f_user); destination(messages); };
log { source(s_syslog); filter(f_uucp); destination(uucp); };
log { source(s_syslog); filter(f_mail); destination(maillog); };
log { source(s_syslog); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(s_syslog); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(s_syslog); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(s_syslog); filter(f_debug); destination(debug); };
log { source(s_syslog); filter(f_messages); destination(messages); };
log { source(s_syslog); filter(f_emergency); destination(messages); };

Original issue reported on code.google.com by rfifa...@gmail.com on 17 Feb 2014 at 11:05

@GoogleCodeExporter
commented Mar 24, 2015

Hi Richard,

Since syslog-ng sends all logs to ELSA, we intentionally avoid logging them to the "standard" filesystem locations since that would be duplication of effort. However, as you've noted, users can certainly add this configuration manually if they choose to do so.

Original comment by doug.bu...@gmail.com on 18 Feb 2014 at 12:21

  • Changed state: WontFix
@GoogleCodeExporter
commented Mar 24, 2015

That's fine, however, near as I can tell, the default syslog-ng.conf file
doesn't send them to ELSA either?

Original comment by rfifa...@gmail.com on 18 Feb 2014 at 1:43

@GoogleCodeExporter
commented Mar 24, 2015

Here's a snippet from the default ELSA syslog-ng.conf:

log { 
    source(s_bro_conn);
    source(s_bro_http);
    source(s_bro_dns);
    source(s_bro_weird);
    source(s_bro_tunnels);
    source(s_bro_syslog);
    source(s_bro_ftp);
    source(s_bro_files);
    source(s_bro_dhcp);
    source(s_bro_notice);
    source(s_bro_smtp);
    source(s_bro_smtp_entities);
    source(s_bro_ssl);
    source(s_bro_irc);
    source(s_bro_software);    
    source(s_bro_ssh); 
    source(s_ossec);
    source(s_network);
    source(s_syslog);
    rewrite(r_host);
    rewrite(r_cisco_program);
    rewrite(r_snare);
    rewrite(r_pipes);
    parser(p_db);
    rewrite(r_extracted_host); 
    destination(d_elsa);
};

so all of the sources (including s_syslog) go to destination(d_elsa).

Original comment by doug.bu...@gmail.com on 18 Feb 2014 at 1:49

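The check the two comments above perform by eye (does s_syslog actually reach d_elsa, and which destinations are defined but never fed?) can be made mechanical. This is an added example, not part of the issue or of Security Onion's own configuration: a small Python audit that parses syslog-ng `log {}` blocks and reports, for a given source, every destination it reaches along with the filter chain, and lists destinations that no log block references (as `authlog` is in the reporter's config). The sample configuration is constructed from the two fragments quoted in this issue; the body of `d_elsa` is a placeholder because the page does not show it.

```python
"""Audit syslog-ng log paths: which destinations does a source reach, and
which defined destinations are never referenced by any log {} block?"""
import re
# Constructed sample, trimmed from the two syslog-ng.conf fragments quoted in
# the issue. d_elsa's body is not shown on the page, so it is a placeholder.
SAMPLE_CONF = """
# Standard logfiles (comment lines are ignored by the parser)
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination d_elsa { file("/PLACEHOLDER/elsa"); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
log { source(s_syslog); filter(f_authpriv); destination(syslog); };
log { source(s_syslog); filter(f_syslog); destination(syslog); };
log {
    source(s_bro_conn);
    source(s_syslog);
    rewrite(r_host);
    parser(p_db);
    destination(d_elsa);
};
"""

_COMMENT = re.compile(r"#.*")
_DEST_DEF = re.compile(r"\bdestination\s+(\w+)\s*\{")
_LOG = re.compile(r"\blog\s*\{(.*?)\};", re.S)
_REF = re.compile(r"\b(source|filter|destination)\((\w+)\)")

def parse_conf(text):
    """Return (set of defined destinations, one {kind: [names]} dict per log block)."""
    text = _COMMENT.sub("", text)
    defined = set(_DEST_DEF.findall(text))
    paths = []
    for body in _LOG.findall(text):
        path = {"source": [], "filter": [], "destination": []}
        for kind, name in _REF.findall(body):  # rewrite()/parser() are ignored
            path[kind].append(name)
        paths.append(path)
    return defined, paths

def destinations_for_source(text, source):
    """Sorted (destination, filter chain) pairs reachable from `source`."""
    _, paths = parse_conf(text)
    return sorted({(d, tuple(p["filter"])) for p in paths
                   if source in p["source"] for d in p["destination"]})

def unused_destinations(text):
    """Destinations defined but never named in a log block: nothing is written there."""
    defined, paths = parse_conf(text)
    used = {d for p in paths for d in p["destination"]}
    return sorted(defined - used)
```

Run against a real /etc/syslog-ng/syslog-ng.conf, `destinations_for_source(conf, "s_syslog")` answers the question raised in this thread directly, and an empty result for a source you expect to be collected is the condition worth alerting on.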
@GoogleCodeExporter
commented Mar 24, 2015

Wow, apologies.  Chalk it up to a Monday I guess.  Not sure how I missed
this.  I even did a search in ELSA for what I expected to show up, but got
no results.

Rich

Original comment by rfifa...@gmail.com on 19 Feb 2014 at 5:33

@GoogleCodeExporter
commented Mar 24, 2015

No problem, Rich. If you'd like to discuss/troubleshoot your ELSA query, please send an email to our mailing list. Thanks!

Original comment by doug.bu...@gmail.com on 19 Feb 2014 at 6:22
