Re: Better Syslog server

From: Ian G Batten (I.G.Batten@ftel.co.uk)
Date: 03/20/03

    Date: Thu, 20 Mar 2003 16:47:57 +0000
    From: Ian G Batten <I.G.Batten@ftel.co.uk>
    To: Matt Harris <mdh@unix.si.edu>
    
    

    On Mon, 17 Mar 2003, Matt Harris wrote:

    > I've been looking a bit on google/sourceforge/etc to try and find a more
    > configurable and extensible syslog server, to no avail. Does anyone
    > know of such a thing? If nothing is out there already, I'll probably
    > embark on a project to do it myself. I'm thinking of a config format
    > somewhat like this:
    >
    > # commands for syslog facility "XXX"
    > Facility XXX {
    > # Send message to stdin of a script which can send alerts, etc
    > Severity emerg ACTION /usr/local/libexec/parse-emerg.sh
    > # 192.168.47.9 - sample dhcp server
    > Host "192.168.47.9" {
    > # log stuff from the dhcp server to a separate file
    > Severity warn FILE /var/adm/dhcp.log
    > }
    > # send other stuff to a default file
    > Severity DEFAULT FILE /var/adm/xxx.log
    > }
    >
    > Of course, this is just an example off the top of my head of some of the
    > functionality I'd like - for example, piping out to a smart script,
    > sending to different files based on host that sent the message, etc
    > etc. I look forward to your input. Thanks, Matt.

    The code is a shambolic mess, but you might like to pick up
    http://www.batten.eu.org/~igb/syslogd.tar.gz at some point. On Linux it
    runs fine on its own, on Solaris you need /usr/sbin/syslogd -t running
    to pick up the stuff on the syslog door. I don't feed that back around
    into my code, I just take it out to a file, as the log of the logging
    machine isn't wildly interesting. You put the code in /var/syslogd/bin.

    /var/syslogd/syslogd.conf is something like:

    ignore imapd|pop3d|lpd/INFO
    ignore eric.ftel.co.uk/sendmail/*

    You get a tree built below /var/syslogd/messages broken down by date,
    host and facility. Each line is time-stamped to the microsecond to make
    sorting easier. You need hosts, protocols and services in
    /var/syslogd/etc as it all runs chroot'd to /var/syslogd, setuid syslog
    setgid syslog.

    I've hacked it up over the years, but it's been running in production
    here taking the logs from about a hundred machines, including big
    production mail systems, for eighteen months.

    ian
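    An added illustration, not Ian's code and not taken from the tarball he links, of the two behaviours his reply describes: the "ignore" rules in /var/syslogd/syslogd.conf and the date/host/facility tree with microsecond-stamped lines. The meaning of the rule fields (program/severity, or host/program/severity, with "|" for alternatives and "*" as a wildcard) is an assumption read off the two sample lines, as is the path and timestamp layout.

```python
from datetime import datetime
from pathlib import PurePosixPath

# Constructed copy of the two ignore rules quoted in the mail.
SAMPLE_CONF = """
ignore imapd|pop3d|lpd/INFO
ignore eric.ftel.co.uk/sendmail/*
"""

# Constructed timestamp used by the usage call below.
SAMPLE_TIME = datetime(2003, 3, 20, 16, 47, 57, 123456)


def parse_ignore_rules(text):
    """Parse 'ignore' lines into (hosts, programs, severities) sets.

    Assumed semantics: a two-field rule is program/severity and applies to
    every host; a three-field rule is host/program/severity. '|' separates
    alternatives and '*' matches anything. Anything else is rejected rather
    than silently dropping log lines.
    """
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "ignore":
            continue
        if len(parts) != 2:
            raise ValueError(f"bad ignore rule: {line!r}")
        fields = parts[1].split("/")
        if len(fields) == 2:
            fields = ["*"] + fields          # no host: applies to all hosts
        if len(fields) != 3:
            raise ValueError(f"bad ignore rule: {line!r}")
        host, prog, sev = fields
        rules.append((set(host.split("|")), set(prog.split("|")),
                      {s.upper() for s in sev.split("|")}))
    return rules


def _match(alternatives, value):
    return "*" in alternatives or value in alternatives


def is_ignored(rules, host, program, severity):
    """True when any rule covers this host/program/severity combination."""
    return any(_match(h, host) and _match(p, program) and _match(s, severity.upper())
               for h, p, s in rules)


def route(root, host, facility, now):
    """Directory for a message in the <root>/messages/<date>/<host>/<facility> tree."""
    return PurePosixPath(root, "messages", now.strftime("%Y-%m-%d"), host, facility)


def format_line(now, host, program, msg):
    """Timestamp to the microsecond first, so a plain sort interleaves many hosts."""
    return f"{now.strftime('%Y-%m-%dT%H:%M:%S.%f')} {host} {program}: {msg}"
```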

