
Syslog + Large File Support

Status
Not open for further replies.

mmXmm (MIS), US
Jan 12, 2007
A bit of a 2-parter, some noobie linux admin stuff...

I have my firewall dumping logs to an Ubuntu machine via syslog. I got syslog setup and accepting the logs, and that's great. I configured syslog to save all the logs coming from the firewall to a separate log file, SSG140.log.

Right now, I'm logging... a lot, everything the firewall touches. I want to get a good feel for the traffic, and develop the appropriate rule-set before I quit logging the uninteresting traffic. Logs are getting big fast.

So, the questions:
Can I configure syslog to log just to the desired log (SSG140.log), rather than logging to /var/log/syslog, /var/log/messages, and /var/log/SSG140.log? I really don't want all that firewall traffic mucking up those other logs; but, it seems to be some sort of default configuration.

How do I tell Ubuntu to let me create files larger than 2GB? Right now as soon as the logs hit 1.99999GB they just stop, nothing more gets logged for the day, until logrotate does its thing and compresses the previous day.
 
syslog filters log entries based on their facility (e.g. kern, user, daemon, local0, etc) and level (alert, crit, debug, info, etc).

What facility and level combination is your router using to log its messages? Are they sufficiently unique for you to filter based on that (sometimes they will be using the same facility.level combinations as some system messages, which makes this difficult). You may be able to choose the facility and level in the router's syslog configuration, if so I'd suggest using one of the local0 through local7 facilities as they are for customised usage like this.

There's nothing preventing you from running logrotate more frequently than once a day if you wish.

What type of filesystem are the logs on? Have you tried creating files larger than 2GB manually (i.e. it may just be a syslog limitation)?

Annihilannic.
 
You probably want it to put the logs in a separate file. Like anni says, you need to somehow get the router to log to a different facility, then send that facility on to your logging system. Unfortunately, there isn't a way within syslog to say "If this log comes from this host, put it in a different file". There is only "if this is facility X, or if this is level > X". The extended syslog has ! and =, but I don't think they will help in this case, unless you want to parse by log level.

So I would use an unused local facility (I think there are 0-9), and I wish there were 0-99.
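The two checks the replies above point at, as an added example that is not from any poster in the thread: the first function prints the sysklogd-style syslog.conf selectors that send one local facility to its own file and keep it out of /var/log/syslog and /var/log/messages (the "local0.none" part is what does the excluding; rsyslog accepts the same legacy selector syntax), and the second does the manual large-file test, creating a sparse file above 2 GiB in a scratch directory so that nothing is actually written to disk. The facility local0 and the file name /var/log/SSG140.log are assumptions taken from the question; the selector lines for syslog and messages are Ubuntu's defaults of the period with local0.none appended, so compare them against your own /etc/syslog.conf before copying. If the probe succeeds, the filesystem and kernel are fine and the 2 GB stop is inside the logging daemon itself, which is the case Annihilannic's question is meant to separate out.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumed: the firewall sends with facility local0 and the target file is
# /var/log/SSG140.log, as named in the original question.

# 1. Print syslog.conf selectors that give local0 its own file and drop it
#    from the shared logs. The leading "-" on a file name turns off the
#    fsync after every line, which matters at firewall log volumes.
syslog_conf_fragment() {
    cat <<'EOF'
# Firewall (facility local0) gets its own file...
local0.*    -/var/log/SSG140.log
# ...and is excluded from the catch-all files by appending local0.none
# to the existing selectors (Ubuntu defaults shown; adjust to your file).
*.*;auth,authpriv.none;local0.none  -/var/log/syslog
*.=info;*.=notice;*.=warn;auth,authpriv.none;cron,daemon.none;mail,news.none;local0.none  -/var/log/messages
EOF
}

# 2. Create a sparse file of the requested size (default 3G) in a scratch
#    directory. truncate only sets the length, so no blocks are allocated.
#    Prints the resulting size in bytes; returns 0 if the file grew past
#    2 GiB (large-file support works), 1 otherwise.
large_file_check() {
    size="${1:-3G}"
    dir=$(mktemp -d) || return 1
    f="$dir/lfs-probe"
    if ! truncate -s "$size" "$f" 2>/dev/null; then
        rm -rf "$dir"
        echo 0
        return 1
    fi
    bytes=$(stat -c %s "$f")   # GNU stat: apparent size, not blocks used
    rm -rf "$dir"
    echo "$bytes"
    [ "$bytes" -gt 2147483647 ]
}

# Stand-alone run: show the config fragment, then report the probe result.
syslog_conf_fragment
if large_file_check 3G >/dev/null; then
    echo "large files OK: filesystem handles >2 GiB, so look at the syslog daemon"
else
    echo "large files FAIL: the filesystem or a process limit stops at 2 GiB"
fi
```

Run it as the user the daemon writes as, on the same filesystem that holds /var/log, so that a per-process file-size limit or a filesystem quirk shows up in the probe rather than only in the daemon.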

 
Well...

We had a power outage, and our generator apparently is not doing its job. The computer crashed - and the HDD is corrupted.

But, thanks for the help, I'll put it to use once I have a replacement running!

Thanks!
 
Consider using syslog-ng. You can do something like this to break out logs by host name.
Code:
source src_intranet { tcp(ip("0.0.0.0") port(514) ); udp(ip("0.0.0.0") port(514) ); };
filter bender_host { host("bender"); };
destination bender_messages { file("/var/log/bender.log"); };
log { source(src_intranet); filter(bender_host);  destination(bender_messages); };

or by a unique string.

Code:
filter bender_dhcp { host("bender") and match("dhcpd"); };
destination bender_dhcplog { file("/var/log/bender-dhcp.log"); };
log { source(src_intranet); filter(bender_dhcp);  destination(bender_dhcplog); };

Have Fun! [pipe]

 