Syslog Cheat Sheet (v1.2)
https://www.aplura.com/cheatsheets
Common Variables

Item               syslog-ng parameter   rsyslog property
Sending host       $HOST                 fromhost
Sending host IP    $SOURCEIP             fromhost-ip
Priority text      $PRIORITY             pri-text
Facility text      $FACILITY             syslogfacility-text
Tag                $TAGS                 syslogtag
Program name       $PROGRAM              programname
Time received      ${R_DATE}             timegenerated
Message time       ${DATE}               timereported
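Added example (my code, not from the cheat sheet or either project): decoding the <PRI> header of a BSD-style syslog line into the facility, severity, host and program fields that the variables above expose; the field names in the returned dict and the sample line are my own constructions.

```python
import re

# Facility codes 0-23 (names for 12-15 vary between implementations);
# severity codes 0-7.  PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>, BSD timestamp, hostname, TAG (program[pid]:), then the free text.
_BSD = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>(?P<program>[^\s:\[]+)(?:\[\d+\])?):? ?"
    r"(?P<msg>.*)$")

def decode_pri(pri):
    """Return (facility_text, severity_text) for a numeric PRI value."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]

def parse_bsd(line):
    """Split one BSD syslog line into the fields named in the variables table."""
    m = _BSD.match(line)
    if not m:
        raise ValueError("not a BSD-format syslog line")
    pri = int(m["pri"])
    facility, severity = decode_pri(pri)
    return {"facility": facility,                  # syslog-ng $FACILITY
            "severity": severity,                  # syslog-ng $PRIORITY
            "pri_text": f"{facility}.{severity}<{pri}>",  # rsyslog pri-text form
            "host": m["host"], "tag": m["tag"],
            "program": m["program"],               # $PROGRAM / programname
            "msg": m["msg"]}

# Constructed sample line (not captured from any real system).
SAMPLE = "<134>Oct  5 13:22:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1"
```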
Setup Listeners

syslog-ng:
    source s_remote_all {
        udp ( ip("0.0.0.0") port(514) );
        tcp ( ip("0.0.0.0") port(514) );
    };
    source s_firewall {
        udp ( ip("0.0.0.0") port(1514) );
        tcp ( ip("0.0.0.0") port(1514) );
    };

rsyslog:
    input(type="imudp" port="514" ruleset="f_remote_all")
    input(type="imtcp" port="514" ruleset="f_remote_all")
    input(type="imudp" port="1514" ruleset="f_firewall")
    input(type="imtcp" port="1514" ruleset="f_firewall")
Filters (Optional)

syslog-ng (filters are defined separately and used within the log statement):
    filter f_firewall_range {
        netmask (192.168.100.0/255.255.255.0);
    };

rsyslog (filters go within the output ruleset):
    if ($fromhost-ip startswith '192.168.100.') then {
        action(type="omfile" DynaFile="d_firewall_log")
    }

See also: Syslog-ng Filter Options; Rsyslog Expressions; Rsyslog Control Structures.
(Gray, italicized items in the original sheet are optional.)
Organize Directories by Host

syslog-ng:
    destination d_catch_all {
        file("/var/log/remote_syslog/catch_all/$HOST/$YEAR-$MONTH-$DAY.log");
    };
    destination d_firewall_log {
        file("/var/log/remote_syslog/firewall/$HOST/$YEAR-$MONTH-$DAY.log");
    };

rsyslog:
    template(name="d_catch_all" type="string"
             string="/var/log/remote_syslog/catch_all/%FROMHOST%/%$YEAR%-%$MONTH%-%$DAY%.log")
    template(name="d_firewall_log" type="string"
             string="/var/log/remote_syslog/firewall/%FROMHOST%/%$YEAR%-%$MONTH%-%$DAY%.log")
Set Output

syslog-ng:
    log { source(s_remote_all); destination(d_catch_all); };
    log { source(s_firewall); filter(f_firewall_range); destination(d_firewall_log); };

rsyslog:
    ruleset(name="f_remote_all") {
        action(type="omfile" DynaFile="d_catch_all")
    }
    ruleset(name="f_firewall") {
        action(type="omfile" DynaFile="d_firewall_log")
    }
Performance Tuning

syslog-ng:
    options {
        log_fifo_size (10000);
        time_reap(20);
        flush_lines(10000);
        flush_timeout(1000);
    };

rsyslog:
    main_queue(
        queue.size="1000000"        # Size of Queue
        queue.debatchsize="1000"    # process messages in batches
        queue.workerthreads="2"     # 2 threads for the queue
    )

See also: syslog_ng_tuning; rsyslog_tuning.
Permissions

POSIX ACLs:
    chmod g+s /var/log/remote_syslog/                               Set the setgid bit
    setfacl -R -d -m g:splunk:rx /var/log/remote_syslog/            Set the default permissions
    setfacl -R -m g:splunk:rx /var/log/remote_syslog/               Set the current permissions
    setfacl -R -x g:splunk:rx /var/log/remote_syslog/               Remove POSIX permissions
    chmod g-s /var/log/remote_syslog/                               Remove the setgid bit

SELinux:
    chcon system_u:object_r:var_log_t:s0 /var/log/remote_syslog/    Set the SELinux context
    restorecon -R -v /var/log/remote_syslog/                        Apply to existing files
    semanage port -a -t syslogd_port_t -p udp 1514                  Allow port
Provided by Aplura, LLC. Splunk Consulting and Application Development Services sales@aplura.com • https://www.aplura.com
Syslog-ng is a registered trademark of Balabit SA. This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
v1.2
Many Solutions, One Goal.
Common Syslog Configurations
(Gray, italicized items in the original sheet are optional.)

syslog-ng:
    @version:3.2
    options {
        log_fifo_size (10000);
        time_reap(20);
        flush_lines(10000);
        flush_timeout(1000);
        create_dirs(yes);
    };
    source s_remote_all {
        udp ( ip("0.0.0.0") port(514) );
        tcp ( ip("0.0.0.0") port(514) );
    };
    source s_firewall {
        udp ( ip("0.0.0.0") port(1514) );
        tcp ( ip("0.0.0.0") port(1514) );
    };
    filter f_firewall_range { netmask (192.168.100.0/255.255.255.0); };
    destination d_catch_all {
        file("/var/log/remote_syslog/catch_all/$HOST/$YEAR-$MONTH-$DAY.log");
    };
    destination d_firewall_log {
        file("/var/log/remote_syslog/firewall/$HOST/$YEAR-$MONTH-$DAY.log");
    };
    log {
        source(s_remote_all);
        destination(d_catch_all);
    };
    log {
        source(s_firewall); filter(f_firewall_range);
        destination(d_firewall_log);
    };

rsyslog:
    $PreserveFQDN on
    $CreateDirs on
    main_queue(
        queue.size="1000000"
        queue.debatchsize="1000"
        queue.workerthreads="2")
    # Sources
    module(load="imtcp" MaxSessions="5000")
    module(load="imudp")
    input(type="imudp" port="514" ruleset="f_remote_all")
    input(type="imtcp" port="514" ruleset="f_remote_all")
    input(type="imudp" port="1514" ruleset="f_firewall")
    input(type="imtcp" port="1514" ruleset="f_firewall")
    # Destinations
    template(name="d_catch_all" type="string"
             string="/var/log/remote_syslog/catch_all/%FROMHOST%/%$YEAR%-%$MONTH%-%$DAY%.log")
    template(name="d_firewall_log" type="string"
             string="/var/log/remote_syslog/firewall/%FROMHOST%/%$YEAR%-%$MONTH%-%$DAY%.log")
    ruleset(name="f_remote_all" queue.type="LinkedList" queue.size="100000") {
        if ($fromhost-ip startswith '192.168.100.') then {
            action(type="omfile" DynaFile="d_firewall_log")
            stop
        }
        # Let's set up the catch-all logging
        action(type="omfile" DynaFile="d_catch_all")
    }
    ruleset(name="f_firewall") {
        action(type="omfile" DynaFile="d_firewall_log")
    }

Links: syslog-ng documentation; rsyslog documentation.
For a more commented version of this config: syslog-ng config; rsyslog config.
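Added example (my code, not from the cheat sheet or either project): a Python model of the routing the two full configurations above define, so you can check where a message from a given sender address, listener port and day would be filed before deploying, and see that the syslog-ng and rsyslog versions do not file every case the same way; the flavor names and the hostname validation are my assumptions.

```python
import ipaddress
import re
from datetime import datetime

BASE = "/var/log/remote_syslog"                        # base directory from the sheet
FIREWALL_NET = ipaddress.ip_network("192.168.100.0/255.255.255.0")  # f_firewall_range

# Assumed defensive check (not in the sheet): the directory name is taken from
# $HOST / %FROMHOST%, so only a plain DNS-style name is accepted for path use.
_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def safe_host(host):
    if not _HOSTNAME.match(host):
        raise ValueError(f"refusing hostname for use in a path: {host!r}")
    return host

def route(flavor, source_ip, host, day, listener_port):
    """Return the file the sheet's config writes this message to, or None when
    no log statement matches.  day is 'YYYY-MM-DD' ($YEAR-$MONTH-$DAY).
    syslog-ng: s_remote_all (514) -> d_catch_all; s_firewall (1514) only
               reaches d_firewall_log when f_firewall_range matches.
    rsyslog:   f_remote_all (514) diverts 192.168.100.0/24 senders to
               d_firewall_log and stops, the rest go to d_catch_all;
               f_firewall (1514) -> d_firewall_log unconditionally."""
    datetime.strptime(day, "%Y-%m-%d")                 # reject malformed dates
    in_range = ipaddress.ip_address(source_ip) in FIREWALL_NET
    if flavor == "syslog-ng":
        if listener_port == 514:
            dest = "catch_all"
        elif listener_port == 1514 and in_range:
            dest = "firewall"
        else:
            return None
    elif flavor == "rsyslog":
        dest = "firewall" if listener_port == 1514 or in_range else "catch_all"
    else:
        raise ValueError(f"unknown flavor {flavor!r}")
    return f"{BASE}/{dest}/{safe_host(host)}/{day}.log"

def compare(source_ip, host, day, listener_port):
    """Side-by-side result for both daemons; a difference means the two
    configs on this sheet would file the same message in different places."""
    return {f: route(f, source_ip, host, day, listener_port)
            for f in ("syslog-ng", "rsyslog")}
```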
Check Syntax

syslog-ng:    syslog-ng --syntax-only
rsyslog:      rsyslogd -N1 -f /etc/rsyslog.conf
OS Tuning

sysctl.conf
Parameter                     Value                      Description
fs.file-max                   2097152                    Increase file handles & inode cache
net.ipv4.tcp_max_syn_backlog  8192                       Max SYNs without an ACK
net.core.netdev_max_backlog   65536                      Increase packet backlog queue
net.core.optmem_max           25165824                   Max kernel memory buffer
net.ipv4.tcp_mem              65536 131072 262144        Buffer size range (TCP)
net.ipv4.udp_mem              65536 131072 262144        Buffer size range (UDP)
net.core.rmem_default         25165824                   Socket receive buffer default
net.core.rmem_max             25165824                   Max receive memory
net.ipv4.tcp_rmem             20480 12582912 25165824    Receive buffer size range (TCP)
net.ipv4.udp_rmem             20480 12582912 25165824    Receive buffer size range (UDP)

limits.conf
User      Type   Item    Value   Description
root      hard   nofile  65536   Set the file handle limit
root      soft   nofile  10240   Set the file handle limit
syslog    hard   nofile  65536   Set the file handle limit
syslog    hard   nofile  10240   Set the file handle limit