Skip to content

Instantly share code, notes, and snippets.

@anthonygtellez
Last active September 21, 2023 19:51
Show Gist options
  • Save anthonygtellez/2b40100ed0be1cb236d6 to your computer and use it in GitHub Desktop.
Save anthonygtellez/2b40100ed0be1cb236d6 to your computer and use it in GitHub Desktop.
syslog-ng filter by port, create a folder for daily message
@version:3.2
# ===============================================================================================
# Configuration file for syslog-ng, customized for remote logging
# ===============================================================================================
# Options
# Note about $HOST / HOST
# Description: The name of the source host where the message originates from.
# If the message traverses several hosts and the chain_hostnames() option is on, the first host in the chain is used.
# If the keep_hostname() option is disabled (keep_hostname(no)), the value of the $HOST macro will be the DNS hostname of the host that sent the message to syslog-ng OSE (that is, the DNS hostname of the last hop). In this case the $HOST and $HOST_FROM macros will have the same value.
# If the keep_hostname() option is enabled (keep_hostname(yes)), the value of the $HOST macro will be the hostname retrieved from the log message. That way the name of the original sender host can be used, even if there are log relays between the sender and the server.
# -----------------------------------------------------------------------------------------------
options {
# If the log message is forwarded to the logserver via a relay, and the
# chain_hostnames() option is 'yes', the relay adds its own hostname to
# the hostname of the client, separated with a / character.
chain_hostnames(no);
# Check client hostnames for valid DNS characters
check_hostname (yes);
# Specify whether to trust hostname in the log message.
# If "yes", then it is left unchanged, if "no" the server replaces
# it with client's DNS lookup value.
keep_hostname (no);
# Use DNS fully qualified domain names (FQDN)
# for the names of log file folders
use_fqdn (no);
use_dns (no);
# Set permissions on newly created 'messages' files
owner("root");
group("root");
perm(0755);
# Set permissions on newly created directories
dir_owner("root");
dir_group("root");
dir_perm(0755);
create_dirs(yes);
# Maximum length of a message in bytes.
log_msg_size(18192);
};
# ===============================================================================================
# Source
# Template:
# Source: s_<identity> { <source type definition> };
# ANY IP on TCP Port 514: tcp(ip(0.0.0.0) port(514));
# ANY IP on UDP Port 514: udp(ip(0.0.0.0) port(514));
# Syslog Localhost logs: internal();
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#source s_snmptrapd {
# file("/var/log/syslog-ng/snmp/wodc-sec-ws-mgt/raw_messages" default-facility(daemon) follow_freq(1) flags(no-parse));
#};
source s_remote {
tcp(ip(0.0.0.0) port(514));
udp(ip(0.0.0.0) port(514));
};
source s_blue_coat_proxy {
tcp(ip(0.0.0.0) port(51400));
udp(ip(0.0.0.0) port(51400));
};
source s_trip_wire {
tcp(ip(0.0.0.0) port(51401));
udp(ip(0.0.0.0) port(51401));
};
source s_palo_alto {
tcp(ip(0.0.0.0) port(51402));
udp(ip(0.0.0.0) port(51402));
};
source s_juniper_fw {
tcp(ip(0.0.0.0) port(51403));
udp(ip(0.0.0.0) port(51403));
};
source s_rsa {
tcp(ip(0.0.0.0) port(51404));
udp(ip(0.0.0.0) port(51404));
};
source s_rsa_netscout {
tcp(ip(0.0.0.0) port(51405));
udp(ip(0.0.0.0) port(51405));
};
source s_web_sense {
tcp(ip(0.0.0.0) port(51406));
udp(ip(0.0.0.0) port(51406));
};
source s_cisco_asa {
tcp(ip(0.0.0.0) port(51407));
udp(ip(0.0.0.0) port(51407));
};
source s_avaya_switch {
tcp(ip(0.0.0.0) port(51408));
udp(ip(0.0.0.0) port(51408));
};
source s_local {
internal();
};
# ===============================================================================================
# Filters
# Templates:
# Filter: filter f_<identity> { <sourcetype> };
# Source type 'host();': host("^<posix_regex>$");
# Source type 'message();': message("^<posix_regex>$");
# Source type 'netmask(ip/mask);': netmask(192.168.1.0/24);
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
filter f_separatedbyhosts {
host("^$");
};
# ===============================================================================================
# Destinations
# Template:
# destination d_<identity> {file("/var/log/syslog-ng/<identity>/$HOST/$YEAR-$MONTH-$DAY/message");};
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#destination d_source_syslog {file("/var/log/syslog-ng/unknown/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_loghost {udp("XX.XX.XX.XX"port(514)spoof_source(yes));};
destination d_separatedbyhosts {file("/var/log/syslog-ng/unknown/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_blue_coat_proxy {file("/var/log/syslog-ng/blue_coat_proxy/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_trip_wire {file("/var/log/syslog-ng/trip_wire/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_palo_alto {file("/var/log/syslog-ng/palo_alto/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_cisco_asa {file("/var/log/syslog-ng/cisco_asa/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_juniper_fw {file("/var/log/syslog-ng/juniper_fw/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_rsa {file("/var/log/syslog-ng/rsa/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_rsa_netscout {file("/var/log/syslog-ng/rsa_netscout/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_web_sense {file("/var/log/syslog-ng/web_sense/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_avaya_switch {file("/var/log/syslog-ng/avaya_switch/$HOST/$YEAR-$MONTH-$DAY/messages");};
# ===============================================================================================
# Log Action
# Template:
# log{ source( s_<identity); filter(f_<identity); destination(d_<identity>); flags();}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#log { source(s_snmptrapd); destination(d_snmp); flags(final); };
#log { source(s_local); destination(d_source_syslog); flags(final); };
log { source(s_remote); destination(d_loghost); flags(catchall); };
log { source(s_palo_alto); destination(d_palo_alto); flags(final); };
log { source(s_trip_wire); destination(d_trip_wire); flags(final); };
log { source(s_juniper_fw); destination(d_juniper_fw); flags(final); };
log { source(s_cisco_asa); destination(d_cisco_asa); flags(final); };
log { source(s_rsa); destination(d_rsa); flags(final); };
log { source(s_rsa_netscout); destination(d_rsa_netscout); flags(final); };
log { source(s_web_sense); destination(d_web_sense); flags(final); };
log { source(s_blue_coat_proxy); destination(d_blue_coat_proxy); flags(final); };
log { source(s_trip_wire); destination(d_trip_wire); flags(final); };
log { source(s_ravaya_switch); destination(d_avaya_switch); flags(final); };
log { source(s_remote); destination(d_separatedbyhosts); flags(fallback); };
@matspekkie
Copy link

line 165 contains an typo. source(s_ravaya_switch); should be source(s_avaya_switch);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment