AUTHOR:         Jim Gifford <lfs-hints at jg555.com>

DATE: 		2004-05-18

LICENSE: 	GNU Free Documentation License Version 1.2

SYNOPSIS: 	Setup syslog-ng for LFS

DESCRIPTION:	This will describe on how to replace syslog
		and klog with syslog-ng.

PREREQUISITES:	NONE

HINT:

Introduction to syslog-ng

Download location for syslog-ng
			http://www.balabit.com/downloads/syslog-ng/1.6/src
syslog-ng Version used		1.6.4

Download location for libol
			http://www.balabit.com/downloads/libol/0.3
libol library used		0.3.13

syslog-ng is a a syslogd replacement, but with new functionality. The
original syslogd allows messages only to be sorted based on prioiry/facility
pairs. Syslog-ng adds the posibility to filter based on message contents using
regular expressions. The new configuration shceme is intuitive and powerful.
Forwarding logs over TCP and remembering all forwarding hops makes it ideal
for firewall environments.

---
Installation of syslog-ng

Install syslog-ng's libol by running the following commands:

./configure --prefix=/usr --enable-shared &&
make &&
make install

---
Install syslog-ng by running the following commmands|

./configure --prefix=/usr --sysconfdir=/etc &&
make &&
make install

----
Configuring syslog-ng

Config files

/etc/syslog-ng/syslog-ng.conf

Create the syslog-ng.conf file by running:

mkdir -p /etc/syslog-ng
cat > /etc/syslog-ng/syslog-ng.conf << "EOF"
# Begin /etc/syslog-ng/syslog-ng.conf

#
# Syslog-ng configuration for Linux from Scratch
#

options { 	sync (0);
		time_reopen (10);
		log_fifo_size (1000);
		long_hostnames(off); 
		use_dns (no);
		use_fqdn (no);
		create_dirs (no);
		keep_hostname (yes);
	};

source src {	unix-stream("/dev/log");
		internal();
		pipe("/proc/kmsg");
	    };

destination authlog { file("/var/log/authorize.log"); };
destination syslog { file("/var/log/syslog.log"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kernel { file("/var/log/kernel.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };
destination mail { file("/var/log/mail.log"); };
destination news { file("/var/log/news.log"); };
destination debug { file("/var/log/debug.log"); };
destination messages { file("/var/log/messages.log"); };
destination everything { file("/var/log/everything.log"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };

filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kernel { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(cron); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };
filter f_everything { level(debug..emerg) and not facility(auth, authpriv); };

filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kernel); destination(kernel); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_news); destination(news); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); filter(f_everything); destination(everything); };
log { source(src); destination(console_all); };

# END /etc/syslog-ng/syslog-ng.conf
EOF

---
Configuration information

Please note that this only is a sample configuration and you
will MOST CERTAINLY have to edit this to suite your needs. This
should work with most configuration. For more configuration
information check man syslog-ng or go to the syslog-ng web site at
http://www.balabit.com/products/syslog_ng/reference/book1.html for
the basic docuemenation

---
Make syslog-ng start on bootup

Create the /etc/rc.d/init.d/syslog-ng by running:

cat > /etc/rc.d/init.d/syslog-ng << "EOF"
#!/bin/sh
# Begin $rc_base/init.d/syslog-ng - Syslog-ng loader

# Based on sysklogd script from LFS-3.1 and earlier.
# Rewritten by Gerard Beekmans  - gerard@linuxfromscratch.org

source /etc/sysconfig/rc
source $rc_functions

case "$1" in
	start)
		echo "Starting System Log..."
		loadproc syslog-ng
		;;
	stop)
		echo "Stopping System Log..."
		killproc syslog-ng
		;;

	restart)
		$0 stop
		sleep 1
		$0 start
		;;

	status)
		statusproc syslog-ng
		;;

	*)
		echo "Usage: $0 {start|stop|restart|status}"
		exit 1
		;;
esac

# End $rc_base/init.d/syslog-ng
EOF

---
Make the script executable and create the appropriate symlinks by
running:

chmod 755 /etc/rc.d/init.d/syslog-ng &&
ln -s /etc/rc.d/init.d/syslog-ng /etc/rc.d/rc0.d/K40syslog-ng &&
ln -s /etc/rc.d/init.d/syslog-ng /etc/rc.d/rc1.d/K80syslog-ng &&
ln -s /etc/rc.d/init.d/syslog-ng /etc/rc.d/rc2.d/S10syslog-ng &&
ln -s /etc/rc.d/init.d/syslog-ng /etc/rc.d/rc3.d/S10syslog-ng &&
ln -s /etc/rc.d/init.d/syslog-ng /etc/rc.d/rc4.d/S10syslog-ng &&
ln -s /etc/rc.d/init.d/syslog-ng /etc/rc.d/rc5.d/S10syslog-ng &&
ln -s /etc/rc.d/init.d/syslog-ng /etc/rc.d/rc6.d/K40syslog-ng

---
Last step

You will need to prevent sysklogd from starting

rm /etc/rc.d/rc0.d/K40sysklogd &&
rm /etc/rc.d/rc1.d/K80sysklogd &&
rm /etc/rc.d/rc2.d/S10sysklogd &&
rm /etc/rc.d/rc3.d/S10sysklogd &&
rm /etc/rc.d/rc4.d/S10sysklogd &&
rm /etc/rc.d/rc5.d/S10sysklogd &&
rm /etc/rc.d/rc6.d/K40sysklogd


---
Extra: Logging of Iptables Information

Add the following information to log all iptables information
into it's own file called /var/log/iptables.log

destination iptables { file("/var/log/iptables.log"); };
filter f_iptables { match("IN="); };
log { source(src); filter(f_iptables); destination(iptables); };


VERSION:        1.9

CHANGELOG:      1.9 Updated to New Version
		1.8 Fixed Typo reported by Joern Wittek
		1.7 Updated to New Versions and Links
		1.6 Fixes from DJ Lucas
		1.5 Updated CVS Location
		1.4 Fixed Typos
		1.3 Update to New Hint Format Completed
                1.2 Fixed Typos
                1.1 Updated download locations
                1.0 Initial Version

 New Version of this document can be viewed from http://cvs.jg555.com/viewcvs.cgi/lfs-hints