How To Install Syslog Ng On Ubuntu
This post shows a guideline for a basic installation of the open source syslog-ng daemon in order to store syslog messages from various devices in a separate file for each device.
I am using such an installation for my firewalls, routers, etc., to have an archive with all of their messages. Later on, I can grep through these logfiles and search for specific events. Of course it does not provide any built-in filter or correlation features – it is obviously not a SIEM. However, as a first step it's better than nothing. ;)
Prerequisites
This tutorial relies on a blank Linux (server) installation such as shown here. I am using an Ubuntu server. I furthermore presume that the reader is aware of their devices that are capable of sending syslog messages. That is: I am only showing the syslog-ng installation and no further details on how to send syslog messages from various devices to the server.
Installation
The first step is to install the syslog-ng package. I am using an Ubuntu server:
sudo apt-get install syslog-ng
[UPDATE] On a fresh 64-bit Ubuntu 14.04.2 LTS, I got an error while trying to install syslog-ng. The following answer found on the Internet works:
apt-get install syslog-ng syslog-ng-core
[/UPDATE]
The default configuration file is /etc/syslog-ng/syslog-ng.conf. On Ubuntu, it already has a few lines that generate logfiles at /var/log/, e.g., the basic logfile "syslog", which can be tailed with tail -f /var/log/syslog to see incoming messages from the system itself.
Configuration
I will now show the basic configuration of syslog-ng in order to:
- have an own folder for each device with
- a new file every day, nested in folders for year and month.
This requires a "source", "filter" and "destination" which are then bound together. For more detailed configuration commands, this wiki from archlinux gives many good examples.
1) Source
Since the last line in the "syslog-ng.conf" config file (/etc/syslog-ng/syslog-ng.conf) is @include "/etc/syslog-ng/conf.d/", all configuration files in the folder "conf.d" will be processed, as well. Therefore, I generated a new configuration file called "firewalls.conf" in that subfolder: sudo nano /etc/syslog-ng/conf.d/firewalls.conf. It has the following lines in it:
(Note: Replace USERNAME and USERGROUP with the name and group of the account from which the logfiles should be written to the disk, such as "root" and "root".)
##################################################
options {
  create_dirs(yes);
  owner(USERNAME);
  group(USERGROUP);
  perm(0644);
  dir_owner(USERNAME);
  dir_group(USERGROUP);
  dir_perm(0755);
};
##################################################
source s_udp {
  network(ip-protocol(6) transport("udp") port(514));
  network(transport("udp") port(514));
};
This "source s_udp" object is quite generic and simply listens on UDP port 514 on both Internet Protocols (IPv6 and legacy IP) for incoming syslog messages. It must appear only once in the config file.
2a) Generic Destination
The simplest way to generate a different folder for every device is to use the following destination (without a specific filter). This adds a folder with the "$HOST" attribute, which is most commonly the IP address of the logging device. With these few lines, no more filters/destinations are required to log from many devices. (Thanks to the comment from "T", who triggered me to search for this solution):
##################################################
destination d_host-specific {
  file("/var/log/firewalls/$HOST/$YEAR/$MONTH/$HOST-$YEAR-$MONTH-$DAY.log");
};
log {
  source(s_udp);
  destination(d_host-specific);
};
or 2b) Specific Filter & Destination
Another way is to write a filter for incoming log messages in order to save them in a specific destination folder. Following is the template. The only lines to modify are the two UPPER CASE variables without the $ sign (i.e., NAMEOFTHEFIREWALL and IPOFTHEFIREWALL):
#Template for a new firewall in the firewalls.conf file
#Entries to be changed: NAMEOFTHEFIREWALL and IPOFTHEFIREWALL
##################################################
filter f_NAMEOFTHEFIREWALL {
  host("IPOFTHEFIREWALL");
};
destination d_NAMEOFTHEFIREWALL {
  file("/var/log/firewalls/NAMEOFTHEFIREWALL/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.NAMEOFTHEFIREWALL.log");
};
log {
  source(s_udp);
  filter(f_NAMEOFTHEFIREWALL);
  destination(d_NAMEOFTHEFIREWALL);
};
That is:
- the filter "f_NAMEOFTHEFIREWALL" filters upon the source IP address of the sending device,
- the destination "d_NAMEOFTHEFIREWALL" is set to the hierarchical path,
- and finally the "log" sequence takes any messages from the source and uses the filter to store them into the destination path.
These few lines in the template can appear many times in the config file. (Remember: the source s_udp must appear only once.) So you can copy & paste it for every syslog device.
Final Restart
A restart of the syslog-ng daemon is required to make the newly added configuration active:
sudo service syslog-ng restart
After that, netstat -tulpen shows a few lines which reveal that port 514 is listening on IPv6 and legacy IP:
weberjoh@jw-nb10-syslog-mirror:~$ sudo netstat -tulpen | grep syslog
udp        0      0 0.0.0.0:514             0.0.0.0:*                           0          6083099    5050/syslog-ng
udp6       0      0 :::514                  :::*                                0          6083098    5050/syslog-ng
That is, all devices are now logging into the syslog-ng server, in my example the /var/log/firewalls directory:
weberjoh@jw-nb10-syslog-mirror:~$ ls -ahl /var/log/firewalls/
total 100K
drwxr-xr-x 25 root root   4.0K May  9 10:50 .
drwxrwxr-x 17 root syslog 4.0K May  9 06:39 ..
drwxr-xr-x  4 root root   4.0K Jan  1 00:00 192.168.110.15
drwxr-xr-x  4 root root   4.0K Jan  1 00:00 192.168.110.20
drwxr-xr-x  4 root root   4.0K Jan 19 12:24 192.168.120.20
drwxr-xr-x  4 root root   4.0K Jan  4 10:05 192.168.120.7
drwxr-xr-x  4 root root   4.0K Jan 16 10:08 192.168.121.10
drwxr-xr-x  3 root root   4.0K Jan 13 12:18 192.168.121.20
drwxr-xr-x  4 root root   4.0K May  5 05:25 192.168.121.30
drwxr-xr-x  3 root root   4.0K May  9 10:42 2003:51:6012:120::2
drwxr-xr-x  3 root root   4.0K May  9 10:33 2003:51:6012:120::24
drwxr-xr-x  3 root root   4.0K May  9 10:35 2003:51:6012:120::25
drwxr-xr-x  3 root root   4.0K May  9 10:33 2003:51:6012:121::1
drwxr-xr-x  3 root root   4.0K May  9 10:48 2003:51:6012:121::10
drwxr-xr-x  3 root root   4.0K May  9 10:50 2003:51:6012:121::40
The paths are quite long but structured, e.g.:
/var/log/firewalls/fd-wv-fw02/2014/07/2014-07-21.fd-wv-fw02.log
Examples
This is how syslog messages from a Palo Alto firewall look like when changing some policy rules:
Jul 21 16:14:01 192.168.120.2 1,2014/07/21 16:14:01,001234567891,CONFIG,0,0,2014/07/21 16:14:01,192.168.125.41,,edit,weberjoh,Web,Succeeded,vsys vsys1 rulebase security rules Ping Untrust Trust Deny,2429,0x0
Jul 21 16:14:58 192.168.120.2 1,2014/07/21 16:14:58,001234567891,CONFIG,0,0,2014/07/21 16:14:58,192.168.125.41,,edit,weberjoh,Web,Succeeded,vsys vsys1 rulebase security rules GlobalProtect an Untrust,2430,0x0
Jul 21 16:16:22 192.168.120.2 1,2014/07/21 16:16:22,001234567891,CONFIG,0,0,2014/07/21 16:16:22,192.168.125.41,,edit,weberjoh,Web,Succeeded,vsys vsys1 rulebase security rules SMTP ESA to Postfix,2431,0x0
Jul 21 16:18:06 192.168.120.2 1,2014/07/21 16:18:06,001234567891,CONFIG,0,0,2014/07/21 16:18:06,192.168.125.41,,edit,weberjoh,Web,Succeeded,vsys vsys1 log-settings profiles lfp-standard,2432,0x0
Jul 21 16:19:35 192.168.120.2 1,2014/07/21 16:19:35,001234567891,SYSTEM,general,0,2014/07/21 16:19:35,,general,,0,0,general,informational,"Commit job started, user=weberjoh, command=commit, client type=2, .",240518390879,0x0
Jul 21 16:19:35 192.168.120.2 1,2014/07/21 16:19:35,001234567891,CONFIG,0,0,2014/07/21 16:19:35,192.168.125.41,,commit,weberjoh,Web,Submitted,,2433,0x0
These are some Juniper ScreenOS logs during active Internet connections:
Jul 21 16:37:45 172.16.1.1 fd-wv-fw01: NetScreen device_id=fd-wv-fw01 [Root]system-notification-00257(traffic): start_time="2014-07-21 16:37:42" duration=3 policy_id=2 service=http proto=6 src zone=DMZ dst zone=Untrust action=Permit sent=304 rcvd=148 src=192.168.110.17 dst=62.138.108.130 src_port=53709 dst_port=80 src-xlated ip=192.168.110.17 port=53709 dst-xlated ip=62.138.108.130 port=80 session_id=6290 reason=Close - TCP FIN
Jul 21 16:37:45 172.16.1.1 fd-wv-fw01: NetScreen device_id=fd-wv-fw01 [Root]system-notification-00257(traffic): start_time="2014-07-21 16:37:12" duration=33 policy_id=1 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=5699 rcvd=7283 src=192.168.125.41 dst=193.24.224.29 src_port=10221 dst_port=443 src-xlated ip=192.168.125.41 port=10221 dst-xlated ip=193.24.224.29 port=443 session_id=6023 reason=Close - TCP RST
Jul 21 16:37:45 172.16.1.1 fd-wv-fw01: NetScreen device_id=fd-wv-fw01 [Root]system-notification-00257(traffic): start_time="2014-07-21 16:37:12" duration=33 policy_id=1 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=4947 rcvd=6531 src=192.168.125.41 dst=193.24.224.29 src_port=10219 dst_port=443 src-xlated ip=192.168.125.41 port=10219 dst-xlated ip=193.24.224.29 port=443 session_id=7902 reason=Close - TCP RST
Jul 21 16:37:45 172.16.1.1 fd-wv-fw01: NetScreen device_id=fd-wv-fw01 [Root]system-notification-00257(traffic): start_time="2014-07-21 16:37:12" duration=33 policy_id=1 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=4707 rcvd=6297 src=192.168.125.41 dst=193.24.224.29 src_port=10220 dst_port=443 src-xlated ip=192.168.125.41 port=10220 dst-xlated ip=193.24.224.29 port=443 session_id=7667 reason=Close - TCP RST
And these are some Cisco router log messages:
May 9 08:30:49 2003:51:6012:121::2: %SYS-5-CONFIG_I: Configured from console by weberjoh on vty0 (2003:51:6012:110::B15:22)
May 9 08:30:50 2003:51:6012:121::2: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 2003:51:6012:120::10 port 514 started - CLI initiated
May 9 08:31:01 2003:51:6012:121::2: %IPV6_ACL-6-ACCESSLOGNP: list snmp-access-v6/10 permitted 41 2003:51:6012:120::13 -> ::, 10 packets
May 9 08:32:25 2003:51:6012:121::2: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.120.10 port 514 stopped - CLI initiated
May 9 08:32:44 2003:51:6012:121::2: %SYS-5-CONFIG_I: Configured from console by weberjoh on vty0 (2003:51:6012:110::B15:22)
May 9 08:36:01 2003:51:6012:121::2: %IPV6_ACL-6-ACCESSLOGNP: list snmp-access-v6/10 permitted 41 2003:51:6012:120::13 -> ::, 10 packets
May 9 08:41:01 2003:51:6012:121::2: %IPV6_ACL-6-ACCESSLOGNP: list snmp-access-v6/10 permitted 41 2003:51:6012:120::13 -> ::, 10 packets
May 9 08:46:01 2003:51:6012:121::2: %IPV6_ACL-6-ACCESSLOGNP: list snmp-access-v6/10 permitted 41 2003:51:6012:120::13 -> ::, 10 packets
May 9 08:46:51 2003:51:6012:121::2: %IPV6_ACL-6-ACCESSLOGP: list vty-access-v6/10 permitted tcp 2003:51:6012:110::B15:22(56418) -> ::(22), 1 packet
May 9 08:46:51 2003:51:6012:121::2: %IPV6_ACL-6-ACCESSLOGP: list vty-access-v6/10 permitted tcp 2003:51:6012:110::B15:22(56418) -> 2003:51:6012:121::2(22), 1 packet
May 9 09:16:27 2003:51:6012:121::2: %IPV6_ACL-6-ACCESSLOGP: list vty-access-v6/10 permitted tcp 2003:51:6012:110::B15:22(56428) -> ::(22), 1 packet
May 9 09:16:27 2003:51:6012:121::2: %IPV6_ACL-6-ACCESSLOGP: list vty-access-v6/10 permitted tcp 2003:51:6012:110::B15:22(56428) -> 2003:51:6012:121::2(22), 1 packet
May 9 09:16:33 2003:51:6012:121::2: %RADIUS-4-RADIUS_DEAD: RADIUS server 2001:DB8::1812:1812,1813 is not responding.
May 9 09:16:33 2003:51:6012:121::2: %RADIUS-4-RADIUS_ALIVE: RADIUS server 2001:DB8::1812:1812,1813 is being marked alive.
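As an added example (not part of the original post), here is the kind of "grep for specific events" the post mentions, done in Python over the stored lines: it picks the Palo Alto CONFIG entries and the Cisco CONFIG_I / RADIUS_DEAD messages out of lines in the two formats shown above and reports who changed what on which device. The sample lines are constructed from the quoted formats; the field positions are assumptions taken from those samples.

```python
import csv
import re

# Constructed sample lines (not taken from a live server) in the two formats
# quoted above, as syslog-ng stores them: "$DATE $HOST" followed by the body.
SAMPLE_LINES = [
    "Jul 21 16:14:01 192.168.120.2 1,2014/07/21 16:14:01,001234567891,CONFIG,0,0,"
    "2014/07/21 16:14:01,192.168.125.41,,edit,weberjoh,Web,Succeeded,"
    "vsys vsys1 rulebase security rules Ping Untrust Trust Deny,2429,0x0",
    "Jul 21 16:19:35 192.168.120.2 1,2014/07/21 16:19:35,001234567891,SYSTEM,general,0,"
    '2014/07/21 16:19:35,,general,,0,0,general,informational,"Commit job started, '
    'user=weberjoh, command=commit, client type=2, .",240518390879,0x0',
    "Jul 21 16:19:35 192.168.120.2 1,2014/07/21 16:19:35,001234567891,CONFIG,0,0,"
    "2014/07/21 16:19:35,192.168.125.41,,commit,weberjoh,Web,Submitted,,2433,0x0",
    "May 9 08:30:49 2003:51:6012:121::2: %SYS-5-CONFIG_I: Configured from console "
    "by weberjoh on vty0 (2003:51:6012:110::B15:22)",
    "May 9 09:16:33 2003:51:6012:121::2: %RADIUS-4-RADIUS_DEAD: RADIUS server "
    "2001:DB8::1812:1812,1813 is not responding.",
]

# Header written by syslog-ng; the Cisco lines carry a trailing ':' after $HOST.
HEADER = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+?):? (.*)$")
CISCO_CONFIG = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on (\S+) \((\S+)\)")
CISCO_RADIUS = re.compile(r"%RADIUS-4-RADIUS_DEAD: RADIUS server (\S+) is not responding")

def parse_line(line):
    """Split a stored line into (timestamp, $HOST, body); None if the header is missing."""
    m = HEADER.match(line)
    return m.groups() if m else None

def audit_events(lines):
    """Collect configuration changes and RADIUS outages from stored syslog lines."""
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, body = parsed
        if body.startswith("1,"):
            # Palo Alto CSV body (quoted fields may contain commas, hence the csv module):
            # field 3 = log type, 9 = command, 10 = admin, 13 = changed path.
            fields = next(csv.reader([body]))
            if len(fields) > 13 and fields[3] == "CONFIG":
                events.append({"time": ts, "device": host, "event": "config " + fields[9],
                               "admin": fields[10], "detail": fields[13]})
        elif m := CISCO_CONFIG.search(body):
            events.append({"time": ts, "device": host, "event": "config edit", "admin": m.group(1), "detail": f"{m.group(2)} from {m.group(3)}"})
        elif m := CISCO_RADIUS.search(body):
            events.append({"time": ts, "device": host, "event": "radius dead", "admin": "", "detail": m.group(1)})
    return events
```

Feeding it the concatenated files under /var/log/firewalls/ gives a per-device list of who edited and committed what, which is easier to review than the raw lines.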
That's it. ;)
Featured image: "Erika 9 typewriter" by dr. shordzi is licensed under CC BY-SA 2.0.
Source: https://weberblog.net/basic-syslog-ng-installation/