syslog-ng and stunnel part 1
OK... let's now connect machines 1, 2 and 3
1=main server
2=secondary server
3=log server
on machine 1 we have a syslog sending data through UDP to machine 2, and since they are VM guest to VM host the packets don't touch the wire, so we are kinda OK... on the 2 to 3 path though we are going to use syslog-ng and stunnel, since our logs DO touch the wire.
after installing syslog-ng on both machines (2 and 3) we change the configuration files to:
machine 2 syslog-ng.conf:
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (4096);
    create_dirs (yes);
    perm (0640);
    dir_perm (0750);
    long_hostnames (off);
    use_dns (yes);
    dns_cache_hosts(/etc/hosts);
    use_fqdn (yes);
    keep_hostname (yes);
    stats_freq(86400);
};
source s_sys {
    unix-stream ("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
    udp();          # receives machine 1's plaintext syslog (guest to host, never on the wire)
    internal();
};
filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth { facility(auth); };
filter f_mail { facility(mail); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };
filter f_emerg { level(emerg); };
destination d_default { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_cons { file("/dev/console"); };
destination d_user { usertty("*"); };
# forward to the local stunnel client on loopback; stunnel carries it encrypted to machine 3
destination d_loghost {tcp("127.0.0.1" port(514));};
log { source(s_sys); filter(f_default); destination(d_default); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
log { source(s_sys); filter(f_emerg); destination(d_cons); destination(d_user); };
log { source(s_sys); destination(d_loghost); };
this is pretty much it, and ready to roll
before we roll we need to set up machine 3 and, most of all, stunnel on machines 2 and 3
machine 3 syslog-ng.conf:
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (4096);
    create_dirs (yes);
    perm (0640);
    dir_perm (0750);
    long_hostnames (off);
    use_dns (yes);
    dns_cache_hosts(/etc/hosts);
    use_fqdn (yes);
    keep_hostname (yes);
    stats_freq(86400);
};
source s_sys {
    unix-stream ("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
    # plaintext port bound to loopback only, so only the local stunnel server can hand logs in
    tcp (ip ("127.0.0.1") port(514) max-connections (1));
    internal();
};
filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth { facility(auth); };
filter f_mail { facility(mail); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };
filter f_emerg { level(emerg); };
destination d_default { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_cons { file("/dev/console"); };
destination d_user { usertty("*"); };
log { source(s_sys); filter(f_default); destination(d_default); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
log { source(s_sys); filter(f_emerg); destination(d_cons); destination(d_user); };
now we are done with configuring syslog-ng
before we start it we need to hook up stunnel so the encrypted channel is set up
move on to part 2