From 07bedee34d9ded6f86904c7e4b4e02464ff8cb14 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Thu, 15 Sep 2016 00:47:34 +0100
Subject: added tools
---
tools/syslog-ng.html | 261 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 261 insertions(+)
create mode 100644 tools/syslog-ng.html
(limited to 'tools/syslog-ng.html')
diff --git a/tools/syslog-ng.html b/tools/syslog-ng.html
new file mode 100644
index 0000000..20bb1b1
--- /dev/null
+++ b/tools/syslog-ng.html
@@ -0,0 +1,261 @@
+ + + + + 1. Syslog-ng + + +

1. Syslog-ng

+ +

Syslog-ng offers more than sysklogd, for example, we + can log messages to different files based on pattern. It + is possible to have both syslog-ng and sysklog, I will + only configure syslog-ng and remove sysklog.

+ +

A simple way to "watch" log files is to use tail, with + exception of faillog, see man faillog for more information.

+ +
+        $ cd /var/log
+        $ sudo tail -f messages kernel cron auth
+        
+ +

1.1. Install event log

+ +
+        $ mkdir eventlog
+        $ vim Pkgfile
+        
+ +
+        # Description: replacement of the simple syslog() API
+        # URL:         http://www.balabit.com/network-security/syslog-ng/opensource-logging-system
+        # Maintainer:  Thomas Penteker, tek at serverop dot de
+        #
+        # Depends on:
+
+        name=eventlog
+        version=0.2.12
+        release=1
+        source=(http://ftp.uni-erlangen.de/pub/mirrors/gentoo/distfiles/${name}_${version}.tar.gz)
+
+        build() {
+        cd $name-$version
+
+        ./configure \
+        --prefix=/usr \
+        --disable-nls \
+        --mandir=/usr/man
+
+        make && make DESTDIR=$PKG install
+        rm -rf $PKG/usr/doc
+        }
+        
+ +
+        $ fakeroot pkgmk -d
+        $ sudo pkgadd /usr/ports/packages/eventlog#0.2.12-1.pkg.tar.gz
+        
+ +

1.2. Install syslog-ng

+ +
+        $ cd ..
+        $ mkdir syslog-ng
+        $ vim Pkgfile
+        
+ +
+        # Description: alternate syslogging daemon
+        # URL:         http://www.balabit.com/network-security/syslog-ng/opensource-logging-system
+        # Packager:    Silvino Silva, silvino at bk dot ru
+        # Depends on:  eventlog, glib, libwrap
+
+        name=syslog-ng
+        version=3.5.6
+        release=1
+        source=(http://balabit.com/downloads/files/syslog-ng/sources/$version/source/${name}_${version}.tar.gz
+        syslog-ng.rc syslog-ng.conf)
+
+        build() {
+           cd $name-$version
+
+           ./configure \
+              --prefix=/usr \
+              --sysconfdir=/etc \
+              --libexecdir=/var/libexec \
+              --localstatedir=/var \
+              --mandir=/usr/man \
+              --enable-dynamic-linking \
+              --sbindir=/sbin \
+              --enable-tcp-wraper
+
+
+           make && make DESTDIR=$PKG install
+           rm -rf $PKG/usr/doc
+           rm -rf $PKG/usr/share/include/scl/syslogconf/README
+           install -D -m 644 ../syslog-ng.conf $PKG/etc/syslog-ng.conf
+           install -D -m 755 ../syslog-ng.rc $PKG/etc/rc.d/syslog-ng
+        }
+        
+ +
+        $ sudo prt-get depinst glib
+        $ pkgmk -um
+        $ pkgmk -uf
+        $ fakeroot pkgmk -d
+        $ sudo pkgadd /usr/ports/packages/syslog-ng#3.5.6-1.pkg.tar.gz
+        
+ +

Change /etc/rc.conf, replace sysklog with syslog-ng;

+ +
+        #
+        # /etc/rc.conf: system configuration
+        #
+
+        FONT=default
+        KEYMAP=dvorak
+        TIMEZONE="Europe/Lisbon"
+        HOSTNAME=box
+        SYSLOG=syslog-ng
+        SERVICES=(syslog-ng lo net crond)
+
+        # End of file
+        
+ +

1.3. Syslog-ng RC

+ +
+        $ vim syslog-ng.rc
+        
+ +
+        #!/bin/sh
+        #
+        # /etc/rc.d/syslog-ng: start/stop syslog-ng logging daemon
+        #
+
+        case $1 in
+        start)
+          /sbin/syslog-ng -f /etc/syslog-ng.conf -p /var/run/syslog-ng.pid
+          ;;
+        stop)
+          killall -q /sbin/syslog-ng
+          rm -f /var/run/syslog-ng.pid
+          ;;
+        restart)
+          $0 stop
+          sleep 2
+          $0 start
+          ;;
+        *)
+          echo "usage: $0 [start|stop|restart]"
+          ;;
+        esac
+        
+ +

1.4. Syslog-ng configuration

+ +

Example of /etc/syslog-ng.conf + that configures syslog-ng matching tools already installed in the system + and some that are part of tools.

+ +

Description off global options used;

+ +
+
chain-hostnames()
+ +
Accepted values: yes | no
+
Default: no
+ +
Description: Enable or disable the chained hostname format. + If the log message is forwarded to the log server via a relay, + and the chain-hostnames() option is enabled, the relay adds its + own hostname to the hostname of the client, separated with + a / character.
+ +
create-dirs()
+ +
Accepted values: yes | no
+
Default: no
+ +
Description: Enable or disable directory creation for + destination files.
+ +
use-dns()
+ +
Type: yes, no, persist_only
+
Default: yes
+ +
Description: Enable or disable DNS usage. The persist_only + option attempts to resolve hostnames locally from file (for example + from /etc/hosts). The syslog-ng OSE application blocks on DNS + queries, so enabling DNS may lead to a Denial of Service attack.
+ +
stats_freq()
+ +
Accepted values: number
+
Default: 600
+ +
Description: The period between two STATS messages in seconds. + STATS are log messages sent by syslog-ng, containing statistics + about dropped log messages. Set to 0 to disable the STATS + messages.
+ +
perm()
+ +
Accepted values: permission value
+
Default: 0600
+ +
Description: The default permission for output files. + By default, syslog-ng changes the privileges of accessed files + (for example /dev/null) to root.root 0600. To disable modifying + privileges, use this option with the -1 value.
+ +
log-fifo-size()
+ +
Accepted values: number
+
Default: 10000
+ +
Description: The number of messages that the output queue + can store.
+ +
log-msg-size()
+ +
Accepted values: number
+
Default: 8192
+ +
Description: Maximum length of a message in bytes. This + length includes the entire message (the data structure and + individual fields). The maximal value that can be set is 268435456 + bytes (256MB). For messages using the IETF-syslog message format + (RFC5424), the maximal size of the value of an SDATA field is + 64kB.
+ +
flush-lines()
+ +
Type: number
+
Default: Use global setting.
+ +
Description: Specifies how many lines are flushed to a + destination at a time. The syslog-ng OSE application waits for + this number of lines to accumulate and sends them off in a single + batch. Increasing this number increases throughput as more + messages are sent in a single batch, but also increases message + latency.
+
+ +
+        $ sudo sh /etc/rc.d/syslog-ng start
+        $ sudo sh /etc/rc.d/sysklogd stop
+        
+ +

This is part of the c9-doc Manual. +Copyright (C) 2016 +Silvino Silva. +See the file Gnu Free Documentation License +for copying conditions.

+ + + -- cgit 1.4.1-2-gfad0
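Review bot: The configure flag `--enable-tcp-wraper` in the syslog-ng Pkgfile is misspelled (the option is `--enable-tcp-wrapper`); autoconf only warns about an unrecognized option and continues, so the package silently builds without libwrap support even though the Pkgfile declares `Depends on: eventlog, glib, libwrap` and a reader will assume hosts.allow/hosts.deny access control is in effect. Correct it to `--enable-tcp-wrapper` and consider adding a one-line check after the build, e.g. `ldd /sbin/syslog-ng | grep libwrap`. Separately, both Pkgfiles fetch their tarballs over plain http and the walkthrough runs `pkgmk -um`, which (as I read pkgmk's update-md5sum option) regenerates the checksum from whatever was just downloaded rather than verifying it against a known-good value, so a sentence advising the reader to compare the upstream checksum or signature by hand first would close that gap. The rc script's `start` action also does not check for an already-running instance or a stale pid file before launching, which deserves a brief caveat in the text.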