[syslog-ng] decluttering, dissecting, retaining



Thought I'd share a syslog-ng config that

  • declutters the main log (filtering out the kernel's netfilter messages, plus cron, sshd, dnsmasq, odhcpd and nikola)
  • dissects each of those categories into its own file (netfilter, cron, sshd, dnsmasq, odhcpd, nikola)
  • retains the logs on a separate drive across reboots (Caution! — writing them to the device's internal drive is not recommended, to avoid wear and tear)

Logs should be rotated of course.

syslog-ng.conf
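# syslog-ng configuration: collects local messages (internal(), /dev/log,
# /proc/kmsg) plus remote syslog over TCP, keeps a decluttered main log, and
# splits netfilter / sshd / cron / dhcp / nikola messages into their own files
# under /logs (the separate drive) so they survive a reboot.
#
# Every message from the sources below is offered to each inner log { };
# statement in turn, so one message can end up in more than one file.
log {
	source {
		internal();
		unix-dgram("/dev/log");
		# kernel ring buffer; program_override() makes these lines look like
		# they came from a program called "kernel"
		file("/proc/kmsg" program_override("kernel"));
	};

	source {
		# Remote syslog over plain TCP; flags(syslog-protocol) expects
		# IETF-syslog (RFC 5424) formatted messages.
		# NOTE(review): with the tls() line below commented out this listener
		# is neither authenticated nor encrypted, and whatever it receives is
		# routed through the same filters and into the same files as local
		# messages (e.g. a remote line tagged program sshd lands in sshd.log).
		# The commented-out interface(br-mgt) suggests the bind address is the
		# management bridge — worth confirming it is firewalled accordingly.
		network(
			# interface(br-mgt)
			ip ("fd30:d64c:1eed:4c3a::12")
			transport("tcp")
			port(32873)
			ip-protocol(6)
			flags(syslog-protocol)
			# NOTE: TLS support
			#
			# the default-network-drivers() source driver opens the TLS
			# enabled ports as well, however without an actual key/cert
			# pair they will not operate and syslog-ng would display a
			# warning at startup.
			#
			#tls(key-file("/path/to/ssl-private-key") cert-file("/path/to/ssl-cert"))
		);
	};

	# Main log, decluttered: everything except the categories dissected below.
	# The ';'-separated expressions inside one filter { } are ANDed together.
	log {
		filter {
			not (facility(kern) and match("DROP" value("MESSAGE")));
			not (program(sshd) or program(cron));
			not (program(odhcpd) or program(dnsmasq));
			not program(nikola);
		};
		destination {
			file("/var/log/messages");
			file("/logs/system/messages");
		};
	};

	# Netfilter: kernel lines containing "DROP", split by the interface tag in
	# the log prefix. match() is a regex search over the message text, so
	# "wan" selects any message that contains that string anywhere.
	log {
		filter {
			facility(kern) and match("DROP" value("MESSAGE")) and match("wan" value("MESSAGE"));
		};
		destination {
			file("/logs/security/netfilter/wan.log");
			# file("/var/log/iptables" template("${ISODATE} ${MESSAGE}\n"));
		};
	};

	log {
		filter {
			facility(kern) and match("DROP" value("MESSAGE")) and match("vpn_e" value("MESSAGE"));
		};
		destination {
			file("/logs/security/netfilter/wg0.log");
		};
	};

	# Catch-all for kernel DROP lines that mention neither "wan" nor "vpn_e".
	# The main-log filter above removes *every* kernel DROP line, so without
	# this path such drops (other interfaces, new rules) would be lost entirely.
	log {
		filter {
			facility(kern) and match("DROP" value("MESSAGE"))
				and not (match("wan" value("MESSAGE")) or match("vpn_e" value("MESSAGE")));
		};
		destination {
			# constructed path, following the /logs/security/netfilter/ layout above
			file("/logs/security/netfilter/other.log");
		};
	};

	log {
		filter {
			program(nikola);
		};
		destination {
			file("/logs/security/netfilter/nikola.log");
		};
	};

	log {
		filter {
			program(sshd);
		};
		destination {
			file("/logs/security/sshd/sshd.log");
		};
	};

	log {
		filter {
			program(cron);
		};
		destination {
			file("/logs/cron/cron.log");
		};
	};

	# DHCP / DNS side: dnsmasq and odhcpd share one file.
	log {
		filter {
			program(dnsmasq) or program(odhcpd);
		};
		destination {
			file("/logs/dhcp/dhcp.log");
		};
	};
};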