Skip to content

Instantly share code, notes, and snippets.

@anthonygtellez

anthonygtellez/syslog-ng.conf

Last active July 27, 2021 23:00
Show Gist options
  • Star 6 You must be signed in to star a gist
  • Fork 3 You must be signed in to fork a gist
  • Save anthonygtellez/7edd44cf5571609c70b4 to your computer and use it in GitHub Desktop.
Save anthonygtellez/7edd44cf5571609c70b4 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
syslog-ng.conf
@version:3.2
# ===============================================================================================
# Configuration file for syslog-ng, customized for remote logging
# ===============================================================================================
# Options
# Note about $HOST / HOST
# Description: The name of the source host where the message originates from.
# If the message traverses several hosts and the chain_hostnames() option is on, the first host in the chain is used.
# If the keep_hostname() option is disabled (keep_hostname(no)), the value of the $HOST macro will be the DNS hostname of the host that sent the message to syslog-ng OSE (that is, the DNS hostname of the last hop). In this case the $HOST and $HOST_FROM macros will have the same value.
# If the keep_hostname() option is enabled (keep_hostname(yes)), the value of the $HOST macro will be the hostname retrieved from the log message. That way the name of the original sender host can be used, even if there are log relays between the sender and the server.
# -----------------------------------------------------------------------------------------------
options {
# If the log message is forwarded to the logserver via a relay, and the
# chain_hostnames() option is 'yes', the relay adds its own hostname to
# the hostname of the client, separated with a / character.
chain_hostnames(no);
# Check client hostnames for valid DNS characters
check_hostname (yes);
# Specify whether to trust hostname in the log message.
# If "yes", then it is left unchanged, if "no" the server replaces
# it with client's DNS lookup value.
keep_hostname (no);
# Use DNS fully qualified domain names (FQDN)
# for the names of log file folders
use_fqdn (no);
use_dns (no);
# Set permissions on newly created 'messages' files
owner("root");
group("root");
perm(0755);
# Set permissions on newly created directories
dir_owner("root");
dir_group("root");
dir_perm(0755);
create_dirs(yes);
# Maximum length of a message in bytes.
log_msg_size(18192);
};
# ===============================================================================================
# Source
# Template:
# Source: s_<identity> { <source type definition> };
# ANY IP on TCP Port 514: tcp(ip(0.0.0.0) port(514));
# ANY IP on UDP Port 514: udp(ip(0.0.0.0) port(514));
# Syslog Localhost logs: internal();
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#source s_snmptrapd {
# file("/var/log/syslog-ng/snmp/wodc-sec-ws-mgt/raw_messages" default-facility(daemon) follow_freq(1) flags(no-parse));
#};
source s_remote {
tcp(ip(0.0.0.0) port(514));
udp(ip(0.0.0.0) port(514));
};
source s_local {
internal();
};
# ===============================================================================================
# Filters
# Templates:
# Filter: filter f_<identity> { <sourcetype> };
# Source type 'host();': host("^<posix_regex>$");
# Source type 'message();': message("^<posix_regex>$");
# Source type 'netmask(ip/mask);': netmask(192.168.1.0/24);
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
filter f_blue_coat_proxy {
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$");
};
filter f_trip_wire {
host("^XX\.XX\.XX\.XX$");
};
filter f_palo_alto {
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$");
};
filter f_juniper_fw {
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$");
};
filter f_rsa {
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$");
};
filter f_rsa_netscout {
host("^XX\.XX\.XX\.XX$");
};
filter f_web_sense {
host("^XX\.XX\.XX\.XX$");
};
filter f_cisco_asa {
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") ;
};
filter f_avaya_switch {
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") or
host("^XX\.XX\.XX\.XX$") ;
};
filter f_separatedbyhosts {
host("^$");
};
# ===============================================================================================
# Destinations
# Template:
# destination d_<identity> {file("/var/log/syslog-ng/<identity>/$HOST/$YEAR-$MONTH-$DAY/messages");};
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#destination d_source_syslog {file("/var/log/syslog-ng/unknown/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_loghost {udp("XX.XX.XX.XX"port(514)spoof_source(yes));};
destination d_separatedbyhosts {file("/var/log/syslog-ng/unknown/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_blue_coat_proxy {file("/var/log/syslog-ng/blue_coat_proxy/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_trip_wire {file("/var/log/syslog-ng/trip_wire/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_palo_alto {file("/var/log/syslog-ng/palo_alto/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_cisco_asa {file("/var/log/syslog-ng/cisco_asa/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_juniper_fw {file("/var/log/syslog-ng/juniper_fw/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_rsa {file("/var/log/syslog-ng/rsa/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_rsa_netscout {file("/var/log/syslog-ng/rsa_netscout/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_web_sense {file("/var/log/syslog-ng/web_sense/$HOST/$YEAR-$MONTH-$DAY/messages");};
destination d_avaya_switch {file("/var/log/syslog-ng/avaya_switch/$HOST/$YEAR-$MONTH-$DAY/messages");};
# ===============================================================================================
# Log Action
# Template:
# log{ source( s_<identity); filter(f_<identity); destination(d_<identity>); flags();}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#log { source(s_snmptrapd); destination(d_snmp); flags(final); };
#log { source(s_local); destination(d_source_syslog); flags(final); };
log { source(s_remote); destination(d_loghost); flags(catchall); };
log { source(s_remote); filter(f_palo_alto); destination(d_palo_alto); flags(final); };
log { source(s_remote); filter(f_trip_wire); destination(d_trip_wire); flags(final); };
log { source(s_remote); filter(f_juniper_fw); destination(d_juniper_fw); flags(final); };
log { source(s_remote); filter(f_cisco_asa); destination(d_cisco_asa); flags(final); };
log { source(s_remote); filter(f_rsa); destination(d_rsa); flags(final); };
log { source(s_remote); filter(f_rsa_netscout); destination(d_rsa_netscout); flags(final); };
log { source(s_remote); filter(f_web_sense); destination(d_web_sense); flags(final); };
log { source(s_remote); filter(f_blue_coat_proxy); destination(d_blue_coat_proxy); flags(final); };
log { source(s_remote); filter(f_trip_wire); destination(d_trip_wire); flags(final); };
log { source(s_remote); filter(f_avaya_switch); destination(d_avaya_switch); flags(final); };
log { source(s_remote); destination(d_separatedbyhosts); flags(fallback); };
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment