syslog-ng

[genebean]

Any chance of you all extending this for syslog-ng? Below is a slightly redacted version of what our config file on our central log server looks like just for reference.

[genebean@myLogServer ~]$ cat /etc/syslog-ng/syslog-ng.conf
@version:3.2

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#

options {
        perm (0640);
        group (logs);
        dir_group (logs);
        dir_perm (0750);

        flush_lines (1);
        time_reopen (10);
        log_fifo_size (4096);
#       long_hostnames (on);
        keep_hostname(no);
        chain_hostnames(no);
        stats_freq(3600);

        use_dns (yes);
        use_fqdn (yes);
        create_dirs (yes);
#       keep_hostname (yes);
};

source s_sys {
        file ("/proc/kmsg" program_override("kernel: "));
        unix-stream ("/dev/log");
        internal();
        # udp(ip(0.0.0.0) port(514));
};

source udpnet {
        udp();
};

destination smaug {
        udp("smaug.example.edu" template("<166>$DATE $HOST $MSGHDR$MSG\n") template_escape(no));
};

destination audiblemeh {
        udp("160.10.38.9");
};
destination local_sys {
        file("/remotelogs/servers/$HOST/$DAY/syslog.$HOUR");
};

destination remote_sys {
        file("/remotelogs/servers/$HOST/$DAY/syslog.$HOUR");
};

destination d_dhcpd {
        file("/remotelogs/filters/dhcpd/$DAY/dhcpd.$HOUR");
};

destination d_maconport {
        file("/remotelogs/filters/maconport/$DAY/maconport.$HOUR");
};

destination d_EAP_SUCCESS {
        file("/remotelogs/filters/EAP_SUCCESS/$DAY/EAP_SUCCESS.$HOUR");
};

destination d_usg_kdev {
        file("/remotelogs/filters/usg_kdev/$DAY/usg_kdev.$HOUR");
};

destination d_usg_xprod {
        file("/remotelogs/filters/usg_xprod/$DAY/usg_xprod.$HOUR");
};

destination d_fail2ban {
        file("/remotelogs/filters/fail2ban/$DAY/fail2ban.$HOUR");
};

filter f_maconport {
         message("added on port");
};

filter f_EAP_SUCCESS {
        message("DOT11-6-EAP_SUCCESS");
};

filter f_dhcpd {
        program("dhcpd");
};

filter f_usg_kdev {
        message("10.24.136.16[0-3]");
};

filter f_usg_xprod {
        message("10\.24\.96\.([7-9][0-9]|1(0[0-9]|1[0-8]))");
};

filter f_fail2ban.actions {
        program("fail2ban.actions");
};

log {
        source(s_sys);
        destination(local_sys);
};

# hosts
log {
        source(udpnet);
        destination(remote_sys);
};

# filtered logs
#
# filtered dhcpd
log {
        source(udpnet);
        filter(f_dhcpd);
        destination(d_dhcpd);
        destination(smaug);
};

log {
        source(udpnet);
        filter(f_EAP_SUCCESS);
        destination(d_EAP_SUCCESS);
};

log {
        source(udpnet);
        filter(f_EAP_SUCCESS);
        destination(audiblemeh);
};

log {
        source(udpnet);
        filter(f_maconport);
        destination(d_maconport);
};

log {
        source(udpnet);
        filter(f_usg_kdev);
        destination(d_usg_kdev);
};

log {
        source(udpnet);
        filter(f_usg_xprod);
        destination(d_usg_xprod);
};

log {
        source(udpnet);
        filter(f_fail2ban.actions);
        destination(d_fail2ban);
};

[raphink]

Hello,

There is no syslog-ng lens for Augeas yet, so the first step would be to write one.

Once we have a lens for syslog-ng, then we can extend the Augeasprovider to support it (although I'm not really sure, as the logic in syslog-ng is quite different).

[genebean]

Can you point me in the direction of how / where lenses are written?

[raphink]

See https://github.com/hercules-team/augeas/wiki#Lens_Development