Bienvenue invité
Le Forum
Vous n'êtes pas identifié.
#1 08 Oct 2004 11:13:04
[LOG] Syslog-ng (Non Résolu)
J'utilise le package syslog-ng au lieu de syslog pour avoir plus de precision dans ma gestion des logs. Par contre j'ai un petit probleme avec, mes logs de firewall se retrouve dans le fichier de destination + dans ma console, ca n'arrete pas de monté dans la console 
avec un dmesg on arrive a voir les logs firewall aussi ^^
Code:
#
# Configuration file for syslog-ng under Debian
#
# attempts at reproducing default syslog behavior
# the standard syslog levels are (in descending order of priority):
# emerg alert crit err warning notice info debug
# the aliases "error", "panic", and "warn" are deprecated
# the "none" priority found in the original syslogd configuration is
# only used in internal messages created by syslogd
######
# options
options {
#
long_hostnames(0);
# the time to wait before a died connection is re-established
# (default is 60)
time_reopen(10);
# the time to wait before an idle destination file is closed
# (default is 60)
time_reap(360);
# the number of lines buffered before written to file
# you might want to increase this if your disk isn't catching with
# all the log messages you get or if you want less disk activity
# (say on a laptop)
# (default is 0)
#sync(0);
# the number of lines fitting in the output queue
log_fifo_size(2048);
# enable or disable directory creation for destination files
create_dirs(yes);
# default owner, group, and permissions for log files
# (defaults are 0, 0, 0600)
#owner(root);
group(adm);
perm(0640);
# default owner, group, and permissions for created directories
# (defaults are 0, 0, 0700)
#dir_owner(root);
#dir_group(root);
dir_perm(0755);
# enable or disable DNS usage
# syslog-ng blocks on DNS queries, so enabling DNS may lead to
# a Denial of Service attack
# (default is yes)
use_dns(no);
# maximum length of message in bytes
# this is only limited by the program listening on the /dev/log Unix
# socket, glibc can handle arbitrary length log messages, but -- for
# example -- syslogd accepts only 1024 bytes
# (default is 2048)
#log_msg_size(2048);
};
######
# sources
# all known message sources
source s_all {
# message generated by Syslog-NG
internal();
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" log_prefix("kernel: "));
# use the above line if you want to receive remote UDP logging messages
# (this is equivalent to the "-r" syslogd flag)
# udp();
};
######
# destinations
# some standard log files
destination df_auth { file("/var/log/auth.log"); };
destination df_syslog { file("/var/log/syslog"); };
destination df_cron { file("/var/log/cron.log"); };
destination df_daemon { file("/var/log/daemon.log"); };
destination df_kern { file("/var/log/kern.log"); };
destination df_lpr { file("/var/log/lpr.log"); };
destination df_mail { file("/var/log/mail.log"); };
destination df_user { file("/var/log/user.log"); };
destination df_uucp { file("/var/log/uucp.log"); };
destination df_firewall { file("/var/log/firewall/firewall.log"); };
destination df_pureftpd { file("/var/log/pure-ftpd/ftp.log"); };
destination df_spamd { file("/var/log/spam/spam.log"); };
destination df_ssh { file("/var/log/ssh/ssh.log"); };
# these files are meant for the mail and news systems log files
# and provide re-usable destinations for {mail,news,...}.info,
# {mail,news,...}.notice, etc.
destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };
# some more classical and useful files found in standard syslog configurations
destination df_debug { file("/var/log/debug"); };
destination df_messages { file("/var/log/messages"); };
# pipes
# a console to view log messages under X
destination dp_xconsole { pipe("/dev/xconsole"); };
# consoles
# this will send messages to everyone logged in
destination du_all { usertty("*"); };
######
# filters
# all messages from the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };
# all messages except from the auth and authpriv facilities
filter f_syslog { not facility(auth, authpriv) and not match(" ### Stealth Scan ### ") and not match(" ### XMAS Scan ### ") and not match(" ### SYN/RST Scan ### ") and not match(" ### Stealth FIN Scan ### ") and not match(" ### SYN/FIN Scan ### ") and not match(" ### Null Scan ### ") and not match(" ### Ping Scan ### ") and not match("## SCAN SYN/ACK ## ") and not match("## INPUT TCP sans SYN ## ") and not match("## INVALID INPUT ## ") and not match("## BAD INPUT ## ") and not match("## Connexion FTP ## ") and not match("## Connexion SSH ## ") and not match("## Identd ## ") and not match("pure-ftpd") and not match("spamd"); };
# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
# and uucp facilities
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern) and not match(" ### Stealth Scan ### ") and not match(" ### XMAS Scan ### ") and not match(" ### SYN/RST Scan ### ") and not match(" ### Stealth FIN Scan ### ") and not match(" ### SYN/FIN Scan ### ") and not match(" ### Null Scan ### ") and not match(" ### Ping Scan ### ") and not match("## SCAN SYN/ACK ## ") and not match("## INPUT TCP sans SYN ## ") and not match("## INVALID INPUT ## ") and not match("## BAD INPUT ## ") and not match("## Connexion FTP ## ") and not match("## Connexion SSH ## ") and not match("## Identd ## ") and not match("pure-ftpd") and not match("spamd"); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
# some filters to select messages of priority greater or equal to info, warn,
# and err
# (equivalents of syslogd's *.info, *.warn, and *.err)
filter f_at_least_info { level(info..emerg); };
filter f_at_least_notice { level(notice..emerg); };
filter f_at_least_warn { level(warn..emerg); };
filter f_at_least_err { level(err..emerg); };
filter f_at_least_crit { level(crit..emerg); };
# all messages of priority debug not coming from the auth, authpriv, news, and
# mail facilities
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
# all messages of info, notice, or warn priority not coming form the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages {
level(info,notice,warn)
and not facility(auth,authpriv,cron,daemon,mail,news)and not match (".*IN=.*OUT=.*MAC=.*") and not match ("pure-ftpd*") and not match("spamd*") and not match("syslog-ng*:*STATS:*dropped"); };
# messages with priority emerg
filter f_emerg { level(emerg); };
# complex filter for messages usually sent to the xconsole
filter f_xconsole {
facility(daemon,mail)
or level(debug,info,notice,warn)
or (facility(news)
and level(crit,err,notice));
};
filter f_iptables { match("IN=.*OUT=.*MAC=.*"); };
filter f_pureftpd { match("pure-ftpd*"); };
filter f_spamd { match("spamd*"); };
filter f_ssh { match("sshd*"); };
######
# logs
# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement
# these rules provide the same behavior as the commented original syslogd rules
# auth,authpriv.* /var/log/auth.log
log {
source(s_all);
filter(f_auth);
destination(df_auth);
};
# *.*;auth,authpriv.none -/var/log/syslog
log {
source(s_all);
filter(f_syslog);
destination(df_syslog);
};
# this is commented out in the default syslog.conf
# cron.* /var/log/cron.log
#log {
# source(s_all);
# filter(f_cron);
# destination(df_cron);
#};
# daemon.* -/var/log/daemon.log
log {
source(s_all);
filter(f_daemon);
destination(df_daemon);
};
# kern.* -/var/log/kern.log
log {
source(s_all);
filter(f_kern);
destination(df_kern);
};
# lpr.* -/var/log/lpr.log
log {
source(s_all);
filter(f_lpr);
destination(df_lpr);
};
# mail.* -/var/log/mail.log
log {
source(s_all);
filter(f_mail);
destination(df_mail);
};
# user.* -/var/log/user.log
log {
source(s_all);
filter(f_user);
destination(df_user);
};
# uucp.* /var/log/uucp.log
log {
source(s_all);
filter(f_uucp);
destination(df_uucp);
};
# mail.info -/var/log/mail.info
log {
source(s_all);
filter(f_mail);
filter(f_at_least_info);
destination(df_facility_dot_info);
};
# mail.warn -/var/log/mail.warn
log {
source(s_all);
filter(f_mail);
filter(f_at_least_warn);
destination(df_facility_dot_warn);
};
# mail.err /var/log/mail.err
log {
source(s_all);
filter(f_mail);
filter(f_at_least_err);
destination(df_facility_dot_err);
};
# news.crit /var/log/news/news.crit
log {
source(s_all);
filter(f_news);
filter(f_at_least_crit);
destination(df_facility_dot_crit);
};
# news.err /var/log/news/news.err
log {
source(s_all);
filter(f_news);
filter(f_at_least_err);
destination(df_facility_dot_err);
};
# news.notice /var/log/news/news.notice
log {
source(s_all);
filter(f_news);
filter(f_at_least_notice);
destination(df_facility_dot_notice);
};
# *.=debug;
# auth,authpriv.none;
# news.none;mail.none -/var/log/debug
log {
source(s_all);
filter(f_debug);
destination(df_debug);
};
# *.=info;*.=notice;*.=warn;
# auth,authpriv.none;
# cron,daemon.none;
# mail,news.none -/var/log/messages
log {
source(s_all);
filter(f_messages);
destination(df_messages);
};
# *.emerg *
log {
source(s_all);
filter(f_emerg);
destination(du_all);
};
# daemon.*;mail.*;
# news.crit;news.err;news.notice;
# *.=debug;*.=info;
# *.=notice;*.=warn |/dev/xconsole
log {
source(s_all);
filter(f_xconsole);
destination(dp_xconsole);
};
# Firewall
log {
source(s_all);
filter(f_iptables);
destination(df_firewall);
};
# FTP
log {
source(s_all);
filter(f_pureftpd);
destination(df_pureftpd);
};
# Spam
log {
source(s_all);
filter(f_spamd);
destination(df_spamd);
};
# SSH
log {
source(s_all);
filter(f_ssh);
destination(df_ssh);
};et voici une des regles iptables pour le log:
Code:
iptables -A INPUT -p TCP --tcp-flags ! ALL SYN -m state --state NEW -m limit --limit 3/s -j LOG --log-tcp-option --log-ip-options --log-level info --log-prefix "## INPUT TCP sans SYN ## "
Comment faire pour plus avoir mes logs firewall dans ma console et qu'il ne s'affiche plus avec la commande dmesg.
Merci 
There's no place like 127.0.0.1
Hors ligne
#2 09 Oct 2004 08:29:19
- Swebian
- Invité
Re: [LOG] Syslog-ng (Non Résolu)
Ha, le fameux thread du syslog, j'ai franchement pas réussi à t'aider la dernière fois, mais je vais quand même essayer de me renseigner.
Donc en fait, tu voudrais "trier" tes log avant la sortie avec dmesg ?
#4 10 Oct 2004 11:00:07
- Swebian
- Invité
Re: [LOG] Syslog-ng (Non Résolu)
Ben je veux surtout que ma console et la commande "dmesg" ne m'affiche plus les logs du firewall.
Salut,
Un mec m'a filé une info, comme quoi il fallait peut-être régler le LogLevel en moindre. Je sais vraiment pas si ça te sera utile, et comme j'ai pas ma Debian sous les mains, essaye toujours:
Under Debian, you can set KLOGD=“-c 5” in /etc/init.d/klogd to suppress info (log level 6) messages on the console.
#5 10 Oct 2004 13:58:37
Re: [LOG] Syslog-ng (Non Résolu)
Merci Swebian pour ta réponse sauf que j'ai plus le paquet klogd. Syslog-ng est en conflit avec "klogd et sysklogd" la preuve.
Code:
apt-get install klogd Lecture des listes de paquets... Fait Construction de l'arbre des dépendances... Fait Les paquets supplémentaires suivants seront installés : sysklogd Les paquets suivants seront ENLEVÉS : syslog-ng Les NOUVEAUX paquets suivants seront installés : klogd sysklogd 0 mis à jour, 2 nouvellement installés, 1 à enlever et 0 non mis à jour. Il est nécessaire de prendre 94,6ko dans les archives. Après dépaquetage, 246ko d'espace disque seront libérés. Souhaitez-vous continuer ? [O/n]
Alors je ne pense pas que c d'ici d'ou vient le prob.
There's no place like 127.0.0.1
Hors ligne