Using syslog-ng as a central loghost

Today I woke up and found out that syslog-ng 3.0 supports native TLS for securing your log transport. In the past I have used syslog-ng in combination with stunnel.

I configured my loghost to log all messages to /var/log/hosts/$hostname/$year/$month/. I reconfigured the servers on my LAN to use the unencrypted transport (s_remote) and my servers elsewhere on the internet to use the TLS transport (s_tls).

@version: 3.0

options {
    chain_hostnames(no);    # record only the sending host, not the chain of relays
    stats_freq(43200);      # emit internal statistics every 12 hours
    create_dirs(yes);       # required: the $HOST/$YEAR/$MONTH directories are created on demand
};

# messages generated on the loghost itself
source s_local {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

# plaintext TCP and UDP listeners on the default port 514, for hosts on the LAN only
source s_remote {
    tcp();
    udp();
};

# TLS-wrapped IETF syslog on port 2009 for hosts reached over the internet.
# peer_verify(optional-untrusted) encrypts the transport but does not
# authenticate clients: any host that can reach the port may send logs.
source s_tls {
    syslog(ip(0.0.0.0) port(2009)
        transport("tls")
        tls(key_file("/etc/syslog-ng/key.d/syslog-ng-server.key")
            cert_file("/etc/syslog-ng/cert.d/syslog-ng-server.cert")
            peer_verify(optional-untrusted)));
};

destination d_console_all { file("/dev/tty12"); };
# one directory tree per sending host, split by year and month
destination d_messages { file("/var/log/hosts/$HOST/$YEAR/$MONTH/messages"); };
destination d_auth { file("/var/log/hosts/$HOST/$YEAR/$MONTH/auth.log"); };

filter f_auth { facility(auth, authpriv); };

# everything generated locally is also shown on the console on tty12
log { source(s_local); destination(d_console_all); };

# auth and authpriv messages from every source go to the per-host auth.log
log { source(s_local); filter(f_auth); destination(d_auth); };
log { source(s_remote); filter(f_auth); destination(d_auth); };
log { source(s_tls); filter(f_auth); destination(d_auth); };

# all messages (auth ones included) from every source go to the per-host messages file
log { source(s_remote); destination(d_messages); };
log { source(s_local); destination(d_messages); };
log { source(s_tls); destination(d_messages); };
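The post only shows the loghost side of the TLS transport. Below is an added example, not part of the original post, with the two pieces a practitioner needs next: the matching syslog-ng 3.0 client configuration for a server out on the internet, and a stricter variant of the s_tls listener that also authenticates clients. It assumes the loghost is reachable as loghost.example.com (a placeholder), that the CA certificate which signed syslog-ng-server.cert is installed under /etc/syslog-ng/ca.d on every host, and that each client has its own key and certificate at the placeholder paths shown; the source name s_tls_mutual is likewise an assumed name.

```conf
@version: 3.0

# ----- client side: /etc/syslog-ng/syslog-ng.conf on a server on the internet -----

source s_local {
    unix-stream("/dev/log");
    internal();
};

# Forward over TLS to the loghost's port 2009 listener. With no peer_verify()
# given, the client defaults to required-trusted, so the server certificate
# must chain to a CA found in ca_dir (hostname "loghost.example.com" is assumed).
destination d_loghost_tls {
    syslog("loghost.example.com" port(2009)
        transport("tls")
        tls(ca_dir("/etc/syslog-ng/ca.d")
            # only needed for the mutual-authentication listener below;
            # placeholder paths for the client's own key and certificate
            key_file("/etc/syslog-ng/key.d/client.key")
            cert_file("/etc/syslog-ng/cert.d/client.cert")));
};

log { source(s_local); destination(d_loghost_tls); };

# ----- loghost side: stricter replacement for the s_tls source above -----

# Clients must present a certificate signed by a CA in ca_dir, otherwise the
# connection is dropped. This closes the gap left by peer_verify(optional-untrusted),
# where any host that can reach port 2009 can inject log messages.
source s_tls_mutual {
    syslog(ip(0.0.0.0) port(2009)
        transport("tls")
        tls(key_file("/etc/syslog-ng/key.d/syslog-ng-server.key")
            cert_file("/etc/syslog-ng/cert.d/syslog-ng-server.cert")
            ca_dir("/etc/syslog-ng/ca.d")
            peer_verify(required-trusted)));
};
```

One detail that commonly breaks this: syslog-ng looks up CA certificates in ca_dir by their subject hash, so the CA file must be present there as (or symlinked from) a name of the form <hash>.0, where the hash comes from `openssl x509 -noout -hash -in ca.cert`. Until that link exists the client rejects the server certificate even though the CA file is in the directory. The mutual-authentication listener keeps the original log statements unchanged; only source(s_tls) needs to be pointed at the new source name.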

There is also a copy of Splunk running on my loghost to query and mine the logs. I am quite happy with this setup and will soon be adding notifications using the “program” directive of syslog-ng.
