# Example configuration file for syslog-ng
# The default s_src source is supposed to exist and contain at least system()
# This file should be copied to your /etc/syslog-ng/conf.d directory
#
# Don't forget to logrotate! (included in logrotate.d/bastion-syslog)
#
# Also don't forget to exclude bastion logs from system-wide logs, by excluding
# the filter(f_bastion) from those; under Debian it usually means:
#
# filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug) and not filter(f_bastion); };
# filter f_messages { level(info,notice,warn) and
# not facility(auth,authpriv,cron,daemon,mail,news) and not filter(f_bastion); };

# we define destinations; it might be a good idea to log to a remote syslog in addition to logging locally

# Catch-all file: every line matched by f_bastion, whatever its msgtype.
# The warn/die/security files are extra copies (the log paths carry no
# flags(final)), so this file alone is the complete bastion trail.
# perm(0640)/dir_perm(0750): owner and group only, never world-readable.
# Owner/group are not set here; they come from syslog-ng's global defaults —
# confirm the group matches who is allowed to read bastion logs.
destination d_bastion_all {
    file(
        "/var/log/bastion/bastion.log"
        create_dirs(yes)
        dir_perm(0750)
        perm(0640)
    );
};

# Lines whose BASTION.MSGTYPE is "warn" (selected by f_bastion_warn).
# Same permission scheme as the other bastion files: 0640 file, 0750 dir,
# directory created on first write.
destination d_bastion_warn {
    file(
        "/var/log/bastion/bastion-warn.log"
        create_dirs(yes)
        dir_perm(0750)
        perm(0640)
    );
};

# Lines whose BASTION.MSGTYPE is "die" (selected by f_bastion_die).
# Same permission scheme as the other bastion files: 0640 file, 0750 dir,
# directory created on first write.
destination d_bastion_die {
    file(
        "/var/log/bastion/bastion-die.log"
        create_dirs(yes)
        dir_perm(0750)
        perm(0640)
    );
};

# Lines whose BASTION.MSGTYPE is "security" (selected by f_bastion_security).
# This is the file a responder will reach for first; keep it at 0640/0750 and
# consider also forwarding it off-host (see the remote-syslog remark above),
# so a local compromise cannot silently truncate the only copy.
destination d_bastion_security {
    file(
        "/var/log/bastion/bastion-security.log"
        create_dirs(yes)
        dir_perm(0750)
        perm(0640)
    );
};

# this filter catches all bastion syslogs: facility local7 AND a PROGRAM
# field equal to "bastion" (type("string") is a literal comparison, not a
# regex, so "bastion-foo" or "mybastion" do not match).
# NOTE(review): both facility and PROGRAM are supplied by the sender, not
# verified by syslog-ng; what ends up in the bastion files is only as
# trustworthy as the inputs s_src accepts — confirm s_src is limited to
# local/trusted sources if these files are used as an audit trail.
filter f_bastion {
facility(local7);
match("bastion" value("PROGRAM") type("string"));
};

# split message just to get the msgtype and filter on it:
#   "<msgtype> <rest of the line>"  ->  BASTION.MSGTYPE / BASTION.PAYLOAD
# - delimiters(" "): split on the first space only, because
# - flags(greedy): the last column (PAYLOAD) takes the remainder of the message
# - flags(escape-none): no quote/escape processing, the payload is kept verbatim
# NOTE(review): flags() is given twice; the documented form is a single
# flags(escape-none, greedy) — confirm the two calls accumulate rather than
# the second replacing the first before relying on greedy here.
parser p_bastion_msg {
csv-parser(columns("BASTION.MSGTYPE", "BASTION.PAYLOAD")
delimiters(" ")
flags(greedy)
flags(escape-none)
);
};

# then the 3 specific message types, each narrowing f_bastion by the
# BASTION.MSGTYPE column set by p_bastion_msg. These filters only work in a
# log path where parser(p_bastion_msg) runs before them; without the parser
# the column is empty and nothing matches.
filter f_bastion_warn {
filter(f_bastion);
match("warn" value("BASTION.MSGTYPE") type("string"));
};

# f_bastion lines whose msgtype (first word, see p_bastion_msg) is "die".
# Requires parser(p_bastion_msg) earlier in the same log path.
filter f_bastion_die {
filter(f_bastion);
match("die" value("BASTION.MSGTYPE") type("string"));
};

# f_bastion lines whose msgtype (first word, see p_bastion_msg) is "security".
# Requires parser(p_bastion_msg) earlier in the same log path.
filter f_bastion_security {
filter(f_bastion);
match("security" value("BASTION.MSGTYPE") type("string"));
};

# finally, we use our filters and destinations here.
# Statement order inside a log path is significant: parser() must precede any
# filter that reads BASTION.MSGTYPE. None of the paths set flags(final), so a
# single message can match several of them (a "warn" line goes to both
# bastion.log and bastion-warn.log).
#
# This path: everything matched by f_bastion -> bastion.log.
# NOTE(review): the parser here runs on every s_src message before the filter
# drops non-bastion ones; f_bastion itself does not read parsed columns, so
# swapping filter() and parser() would parse only bastion lines — confirm the
# parsed columns are not needed elsewhere before reordering.
log {
source(s_src);
parser(p_bastion_msg);
filter(f_bastion);
destination(d_bastion_all);
};

# msgtype "warn" -> bastion-warn.log (parser before filter: f_bastion_warn
# reads BASTION.MSGTYPE).
log {
source(s_src);
parser(p_bastion_msg);
filter(f_bastion_warn);
destination(d_bastion_warn);
};

# msgtype "die" -> bastion-die.log (parser before filter: f_bastion_die
# reads BASTION.MSGTYPE).
log {
source(s_src);
parser(p_bastion_msg);
filter(f_bastion_die);
destination(d_bastion_die);
};

# msgtype "security" -> bastion-security.log (parser before filter:
# f_bastion_security reads BASTION.MSGTYPE). The same lines also reach
# bastion.log through the first path, since no path is flagged final.
log {
source(s_src);
parser(p_bastion_msg);
filter(f_bastion_security);
destination(d_bastion_security);
};
