[root@localhost syslog-ng]# cat syslog-ng.conf
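@version:3.5
# Straight ASCII quotes: syslog-ng's parser does not accept the typographic
# quotes (“ ”) that the pasted original carried on every quoted argument.
@include "scl.conf"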
# syslog-ng configuration file.
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
# Note: it also sources additional configuration files (*.conf)
# located in /etc/syslog-ng/conf.d/
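options {
    # Output is buffered and written in batches of 2000 lines; a crash or
    # power loss can lose up to that many not-yet-flushed lines per destination.
    # NOTE(review): flush_lines(2000) is larger than log_fifo_size(1000) below —
    # confirm that this combination is intended.
    flush_lines (2000);
    #time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    # No DNS lookups on received messages. With keep_hostname at its default,
    # the HOST field of remote messages is the sender address, so the host()
    # filters further down compare against IPs, not names.
    use_dns (no);
    use_fqdn (no);
    # Files created by syslog-ng are root:adm mode 0640, so only root and
    # members of adm can read them. (Straight quotes — the original's
    # typographic quotes do not parse.)
    owner("root");
    group("adm");
    perm(0640);
    # 0 disables the periodic statistics messages.
    stats_freq(0);
    bad_hostname("^gconfd$");
};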
# Local sources: system() is the platform's own log input and internal()
# carries syslog-ng's own messages.
source s_sys {
    system();
    internal();
    # udp(ip(0.0.0.0) port(514));
};
# Remote source on UDP/514, parsed with RFC 5424 (syslog-protocol) framing.
# UDP provides no authentication and the sender address is not verified, so the
# host()/SOURCEIP-based routing below selects on an unauthenticated address; the
# commented tcp() line is the starting point if transport integrity matters.
# NOTE(review): devices that still send legacy RFC 3164 lines may be parsed into
# the wrong fields under flags(syslog-protocol) — confirm against the firewall
# and Imperva output format.
source s_net {
    #tcp(port(514) flags(syslog-protocol));
    udp(port(514) flags(syslog-protocol));
};
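# Forward to LibreNMS' syslog hook using its "||"-delimited line format.
# The pasted original ended the template with "$PROGRAMn": the backslash of
# "\n" was lost, and syslog-ng reads "$PROGRAMn" as one (unknown) macro name,
# so the program field and the line terminator were both missing.
destination d_librenms {
    program("/opt/librenms/syslog.php"
        template("$HOST||$FACILITY||$PRIORITY||$LEVEL||$TAG||$R_YEAR-$R_MONTH-$R_DAY $R_HOUR:$R_MIN:$R_SEC||$MSG||$PROGRAM\n")
        template-escape(yes));
};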
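# RedHat-style local destinations (straight quotes; the original's typographic
# quotes do not parse).
# NOTE(review): no log {} path in this file references any of these
# destinations, so nothing is written to /var/log/messages, /var/log/secure,
# etc. by this configuration; the f_kernel .. f_cron filters are equally unused.
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };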
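# One file per remote sender. ${SOURCEIP} is the address the datagram arrived
# from; under the UDP source it is not authenticated, so file placement trusts
# the sender address. /var/log/syslog-ng_remote must already exist because
# create_dirs() is not enabled on these destinations. (Straight quotes — the
# original's typographic quotes do not parse.)
destination d_firewall_system { file("/var/log/syslog-ng_remote/IP_${SOURCEIP}_SystemLog"); };
destination d_firewall_traffic { file("/var/log/syslog-ng_remote/IP_${SOURCEIP}_TrafficLog"); };
destination d_imperva_SecurityEvent { file("/var/log/syslog-ng_remote/IP_${SOURCEIP}_SecurityEvent"); };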
# Filters for the RedHat-style local log layout. They are defined but no
# log {} path in this file references them.
filter f_kernel    { facility(kern); };
filter f_default   { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth      { facility(authpriv); };
filter f_mail      { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news      { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_boot      { facility(local7); };
filter f_cron      { facility(cron); };
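# Per-device selectors. With use_dns(no) in options {}, host() compares
# against the sender IP. The IPs are quoted like the other regexp arguments in
# this file, straight quotes replace the original's typographic ones, and the
# "expr;" terminator matches the filters above (syslog-ng expects it inside
# the braces).
# NOTE(review): host() is a regexp and is not anchored here, so "." matches any
# character; "^172\.28\.10\.254$" would be exact.
# NOTE(review): the *_traffic and f_imperva_SecurityEvent filters accept every
# message from their host, including the ones the *_system / SystemEvent
# filters route separately, so those messages land in both files. match()
# without value() searches the whole message and is deprecated in 3.x;
# value("MESSAGE") would pin the field but changes what is searched, so it is
# left as-is.
filter f_firewall_1_traffic    { host("172.28.10.254"); };
filter f_firewall_1_system     { host("172.28.10.254") and not match("traffic"); };
filter f_firewall_2_traffic    { host("172.28.100.38"); };
filter f_firewall_2_system     { host("172.28.100.38") and not match("TRAFFIC"); };
filter f_imperva_SecurityEvent { host("172.28.11.200"); };
filter f_imperva_SystemEvent   { host("172.28.11.200") and match("SystemEvent"); };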
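# Exclusions for the catch-all LibreNMS path below. Several filter()
# statements in one log {} path are ANDed, so each of these must be a
# negation: the original "host(X)" forms required a message to come from all
# three hosts at once, which never holds, and the catch-all path forwarded
# nothing. The dedicated paths above still send the *_system / SystemEvent
# messages of these hosts to LibreNMS.
filter f_noLogToLibrenms1 { not host("172.28.11.200"); };
filter f_noLogToLibrenms2 { not host("172.28.10.254"); };
filter f_noLogToLibrenms3 { not host("172.28.100.38"); };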
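# Device-specific routing. No path carries flags(final), so matching messages
# also continue to the catch-all path below. f_firewall_N_system and
# f_imperva_SystemEvent messages are written both to the per-IP file and to
# LibreNMS. The stray ";;" the original had on the f_firewall_2_system and
# f_imperva_SystemEvent paths is dropped — the parser may reject an empty
# statement.
log { source(s_net); filter(f_firewall_1_traffic);    destination(d_firewall_traffic); };
log { source(s_net); filter(f_firewall_1_system);     destination(d_firewall_system); };
log { source(s_net); filter(f_firewall_2_traffic);    destination(d_firewall_traffic); };
log { source(s_net); filter(f_firewall_2_system);     destination(d_firewall_system); };
log { source(s_net); filter(f_imperva_SecurityEvent); destination(d_imperva_SecurityEvent); };
log { source(s_net); filter(f_imperva_SystemEvent);   destination(d_firewall_system); };
log { source(s_net); filter(f_firewall_1_system);     destination(d_librenms); };
log { source(s_net); filter(f_firewall_2_system);     destination(d_librenms); };
log { source(s_net); filter(f_imperva_SystemEvent);   destination(d_librenms); };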
# Catch-all to LibreNMS: local logs plus every remote sender not excluded.
# The three filter() statements are ANDed — a message must pass all of them —
# so each f_noLogToLibrenms filter has to exclude its own host for anything to
# reach d_librenms.
# NOTE(review): this is the only path that consumes s_sys; the local
# /var/log/* destinations defined above are not wired to it.
log {
    source(s_net); source(s_sys);
    filter(f_noLogToLibrenms1); filter(f_noLogToLibrenms2); filter(f_noLogToLibrenms3);
    destination(d_librenms);
};
# Source additional configuration files (.conf extension only)
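# Straight quotes: the original's typographic quotes do not parse.
@include "/etc/syslog-ng/conf.d/*.conf"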
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et: