Pinned topic Redhat Linux syslog-ng configuration

2009-09-16T05:26:17Z

I am facing a problem auditing Red Hat Linux through syslog-ng. I am getting some logs which are not relevant. I want file access, user logins, granting and revoking privileges, changing permissions, creation of users and groups and similar operations to be audited.

I have the syslog-ng.conf file configured, but I am not able to specify the source log file from which the logs should be read. I identified that /var/log/audit/audit.log contains logs for most of the operations I mentioned above.

I am pasting the contents of the syslog-ng.conf file for reference:

Contents of /etc/syslog-ng/syslog-ng.conf

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.

options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (yes);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    # udp(ip(0.0.0.0) port(514));
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
    not (facility(mail)
    or facility(authpriv)
    or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
    (facility(news)
    and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };

log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

# Receive syslog from remote hosts on UDP/514 (listen on all addresses).
source s_udp {
    udp(ip("0.0.0.0") port(514));
};

#filter f_ism_hosts { host("gbredhat"); };

destination d_local {
    # A destination needs a driver (file(), udp(), ...) that this template belongs to;
    # the post shows only the template, so the driver still has to be filled in.
    template("<$PRI>$DATE $HOST $MSG\n")
};

log { source(s_udp); destination(d_local); };

log { source(s_sys); destination(d_local); };
In the above script, if I include the line "file ("/var/log/audit/audit.log");" in the source s_sys section, then I can see some logs, but not the relevant ones.

So please help me in this regard, as I am not able to see the logs for the corresponding operations performed. If you have any documents that have details about these configurations, please mention the link; it will be of great help.

Thanks in Advance!

Thanks & Regards,
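
Added example (not part of the post above, and not syslog-ng's own code): the reason a bare file("/var/log/audit/audit.log") source shows "not relevant" logs is that audit.log is not syslog-formatted. Every line is "type=<RECORD> msg=audit(<ts>:<serial>): <fields>", one syscall produces several lines (SYSCALL, CWD, PATH) sharing a serial, and the lines the poster cares about exist only if auditd rules were loaded to generate them. The script below parses that format, groups lines by serial, keeps only the record types and rule keys that map onto the operations listed in the post, and prints the equivalent line-level syslog-ng filter. The regexes, the category tables, the key names (access, perm_mod, identity, privileged, which only exist if rules such as "-w /etc/shadow -p r -k access" or "-a exit,always -S chmod -k perm_mod" are loaded) and the sample log lines are my assumptions and constructions; the syslog-ng 2.x match("regex") filter form is also assumed.

```python
"""Pick the relevant events out of /var/log/audit/audit.log (added example, not from the post)."""
import re

# Every audit line starts with the record type and the event id (timestamp:serial).
HEADER_RE = re.compile(r'^type=(?P<type>[A-Z_]+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Record types that map directly onto the operations the poster asked for.
TYPE_CATEGORY = {
    "USER_LOGIN": "user login",
    "ADD_USER": "user/group creation",
    "ADD_GROUP": "user/group creation",
}
# SYSCALL records are only relevant when an audit rule tagged them with a key (assumed key names).
KEY_CATEGORY = {
    "access": "file access",
    "perm_mod": "permission change",
    "identity": "user/group creation",
    "privileged": "grant/revoke privileges",
}


def parse_record(line):
    """Split one audit.log line into type, event serial and a flat field dict; None for non-audit lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    # USER_* records nest the interesting fields inside msg='...'; flatten them in as well.
    outer, _, inner = m.group("body").partition("msg='")
    fields = {}
    for part in (outer, inner.rstrip("'")):
        for key, val in FIELD_RE.findall(part):
            fields[key] = val.strip('"')
    return {"type": m.group("type"), "serial": int(m.group("serial")), "fields": fields}


def group_events(lines):
    """Group records by serial: the SYSCALL, CWD and PATH lines of one syscall share an event id."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def classify_event(records):
    """Category of one event, or None when it is noise (CRED_DISP, unkeyed syscalls, ...)."""
    for rec in records:
        if rec["type"] in TYPE_CATEGORY:
            return TYPE_CATEGORY[rec["type"]]
        if rec["type"] == "SYSCALL":
            return KEY_CATEGORY.get(rec["fields"].get("key"))
    return None


def summarize(serial, records, category):
    """Reduce an event to what an auditor reads: who (auid/acct), what (exe, paths), outcome."""
    main = next((r for r in records if r["type"] == "SYSCALL"), records[0])
    f = main["fields"]
    return {
        "serial": serial, "category": category,
        "auid": f.get("auid"), "acct": f.get("acct"), "exe": f.get("exe"),
        "result": f.get("res") or f.get("success"),
        "paths": [r["fields"]["name"] for r in records if r["type"] == "PATH" and "name" in r["fields"]],
    }


def relevant_events(lines):
    """Summaries of the relevant events in audit.log order; everything else is dropped."""
    out = []
    for serial, records in group_events(lines).items():
        category = classify_event(records)
        if category:
            out.append(summarize(serial, records, category))
    return out


def syslog_ng_filter(name):
    """Equivalent line-level syslog-ng filter (2.x match() regex form assumed) for the same types and keys."""
    terms = ['match("^type=%s ")' % t for t in TYPE_CATEGORY]
    terms += ['match("key=\\"%s\\"")' % k for k in KEY_CATEGORY]
    return "filter %s { %s; };" % (name, "\n    or ".join(terms))


# Constructed sample: a login, its PAM noise, a useradd, a keyed chmod, a keyed denied read, an unkeyed write.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1253075177.101:201): user pid=4321 uid=0 auid=500 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=CRED_DISP msg=audit(1253075177.150:202): user pid=4321 uid=0 auid=500 msg='op=PAM:setcred acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=ADD_USER msg=audit(1253075178.102:203): user pid=4400 uid=0 auid=500 msg='op=adding user acct="bob" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=SYSCALL msg=audit(1253075179.103:204): arch=40000003 syscall=15 success=yes exit=0 a0=9a1b2c8 a1=1ed a2=0 a3=0 items=1 ppid=4400 pid=4450 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="chmod" exe="/bin/chmod" key="perm_mod"
type=CWD msg=audit(1253075179.103:204):  cwd="/home/alice"
type=PATH msg=audit(1253075179.103:204): item=0 name="/etc/sudoers" inode=12345 dev=fd:00 mode=0100440 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1253075180.104:205): arch=40000003 syscall=5 success=no exit=-13 a0=bfa1c2d0 a1=0 a2=0 a3=0 items=1 ppid=4400 pid=4460 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1253075180.104:205): item=0 name="/etc/shadow" inode=12346 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1253075181.105:206): arch=40000003 syscall=4 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=1 ppid=4400 pid=4470 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/bin/vi" key=(null)
type=PATH msg=audit(1253075181.105:206): item=0 name="/tmp/scratch" inode=777 dev=fd:00 mode=0100644 ouid=500 ogid=500 rdev=00:00
"""

if __name__ == "__main__":
    for ev in relevant_events(SAMPLE_AUDIT_LOG.splitlines()):
        print("%(serial)d %(category)-20s auid=%(auid)s acct=%(acct)s exe=%(exe)s result=%(result)s paths=%(paths)s" % ev)
    print(syslog_ng_filter("f_audit_relevant"))
```

Two caveats for using the printed filter in syslog-ng: the audit file source should carry flags(no-parse) so the whole line lands in $MSG and "^type=" can match, and a line-level filter keeps the keyed SYSCALL line but drops its PATH companion, which is where the filename lives. That is why the script joins lines by serial; with syslog-ng alone you either forward all audit lines and correlate downstream, or use ausearch -k <key> on the box. Neither helps until auditctl rules for the watched files and syscalls are loaded; without them audit.log only contains the login/PAM records the poster already sees.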