Thought to share some config for syslog-ng that:

- declutters the main log (filtering out netfilter from kernel, cron, sshd, dnsmasq, odhcpd, nikola)
- dissects into separate files (netfilter, cron, sshd, dnsmasq, odhcpd, nikola)
- retains logs on a separate drive past reboot (Caution! - not recommended to use the device's internal drive in order to avoid wear and tear)

Logs should be rotated, of course.
syslog-ng.conf
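# Top-level log path: two sources feed the embedded log {} statements below.
# Every embedded log {} receives every message from both sources; its filter
# decides which file(s) the message is written to. A message can match more
# than one embedded log (e.g. a netfilter line that mentions both "wan" and
# "vpn_e") and is then written to each matching destination.
log {
    source {
        internal();                                     # syslog-ng's own messages
        unix-dgram("/dev/log");                         # local syslog socket
        file("/proc/kmsg" program_override("kernel"));  # kernel ring buffer, tagged as program "kernel"
    };
    source {
        # Remote syslog receiver on a fixed IPv6 address, plain TCP.
        # Anything that can reach this port can inject lines into the files
        # below without authentication; keep the port reachable only from the
        # management network (the commented interface hint below) or enable
        # TLS with transport("tls") plus the tls() block.
        network(
            # interface(br-mgt)
            ip("fd30:d64c:1eed:4c3a::12")
            transport("tcp")
            port(32873)
            ip-protocol(6)
            flags(syslog-protocol)
            # NOTE: TLS support
            #
            # Without an actual key/cert pair a TLS listener will not operate
            # and syslog-ng would display a warning at startup, so the tls()
            # option stays commented out until the files exist.
            #
            #tls(key-file("/path/to/ssl-private-key") cert-file("/path/to/ssl-cert"))
        );
    };

    # Main log: everything that is not split out into a dedicated file below.
    # The exclusions are written as one explicit conjunction so the intent
    # ("drop all of these from the main log") does not depend on how several
    # ';'-separated expressions in a single filter {} are combined.
    # NOTE: match("DROP") is a substring test on the whole message, so any
    # kernel line containing "DROP" is treated as a netfilter drop here and
    # in the netfilter paths below.
    log {
        filter {
            not (facility(kern) and match("DROP" value("MESSAGE")))
            and not (program(sshd) or program(cron))
            and not (program(odhcpd) or program(dnsmasq))
            and not program(nikola);
        };
        destination {
            file("/var/log/messages");
            file("/logs/system/messages");
        };
    };

    # Netfilter drops, split per interface by a substring of the message.
    # If the separate drive starts empty, add create-dirs(yes) to these file()
    # destinations (or set it globally) so the /logs/... directories are created.
    log {
        filter {
            facility(kern) and match("DROP" value("MESSAGE")) and match("wan" value("MESSAGE"));
        };
        destination {
            file("/logs/security/netfilter/wan.log");
            # file("/var/log/iptables" template("${ISODATE} ${MESSAGE}\n"));
        };
    };
    log {
        filter {
            facility(kern) and match("DROP" value("MESSAGE")) and match("vpn_e" value("MESSAGE"));
        };
        destination {
            file("/logs/security/netfilter/wg0.log");
        };
    };
    # Catch-all for netfilter drops that mention neither "wan" nor "vpn_e".
    # Without this path such messages were excluded from the main log above
    # but matched no dedicated file, so they were silently discarded.
    # The file name is a constructed example; pick one matching your layout.
    log {
        filter {
            facility(kern) and match("DROP" value("MESSAGE"))
            and not match("wan" value("MESSAGE"))
            and not match("vpn_e" value("MESSAGE"));
        };
        destination {
            file("/logs/security/netfilter/other.log");
        };
    };

    # Per-program files.
    log {
        filter {
            program(nikola);
        };
        destination {
            file("/logs/security/netfilter/nikola.log");
        };
    };
    log {
        filter {
            program(sshd);
        };
        destination {
            file("/logs/security/sshd/sshd.log");
        };
    };
    log {
        filter {
            program(cron);
        };
        destination {
            file("/logs/cron/cron.log");
        };
    };
    log {
        filter {
            program(dnsmasq) or program(odhcpd);
        };
        destination {
            file("/logs/dhcp/dhcp.log");
        };
    };
};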