===== Setting Up syslog-ng Logging =====
You can use syslog-ng to log RSBAC messages, which is much more convenient than reading them from the system log.
Disable logging to the system log with the "rsbac_nosyslog" kernel parameter, or at runtime with
''echo "debug nosyslog 1" > /proc/rsbac-info/debug''.
You need the kernel option "CONFIG_RSBAC_RMSG_NOSYSLOG" compiled in for this to work properly.
Simply create an rc init script with these lines to start syslog-ng:
<code>
/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng-rsbac.conf -p \
/var/run/syslog-ng-rsbac.pid
</code>
//The easiest way is to copy your distribution init script to customize or make your own.//
===== Configuration file =====
Create the corresponding configuration file "/etc/syslog-ng/syslog-ng-rsbac.conf":
<code>
######
# options
options {
  # disable the chained hostname format in logs
  # (default is enabled)
  chain_hostnames(0);
  # the number of lines fitting in the output queue
  log_fifo_size(2048);
  # enable or disable directory creation for destination files
  create_dirs(yes);
  # default owner, group, and permissions for log files
  # (defaults are 0, 0, 0600)
  # Replace secoff with whichever user you want to use for
  # the policy protecting syslog-ng-rsbac
  owner(secoff);
  group(secoff);
  perm(0600);
  # default owner, group, and permissions for created directories
  # (defaults are 0, 0, 0700)
  # Replace secoff
  dir_owner(secoff);
  dir_group(secoff);
  dir_perm(0700);
  # enable or disable DNS usage
  # syslog-ng blocks on DNS queries, so enabling DNS may lead to
  # a Denial of Service attack
  # (default is yes)
  use_dns(no);
};
######
# sources
# all known message sources
source s_rsbac {
  internal();
  file("/proc/rsbac-info/rmsg" log_prefix("RSBAC: "));
};
######
# destinations
# some standard log files (file paths must be quoted strings)
destination df_rsbac_all  { file("/secoff/log/security.log"); };
destination df_rsbac_reg  { file("/secoff/log/security-reg.log"); };
destination df_rsbac_daz  { file("/secoff/log/security-daz.log"); };
destination df_rsbac_ff   { file("/secoff/log/security-ff.log"); };
destination df_rsbac_rc   { file("/secoff/log/security-rc.log"); };
destination df_rsbac_auth { file("/secoff/log/security-auth.log"); };
destination df_rsbac_cap  { file("/secoff/log/security-cap.log"); };
destination df_rsbac_jail { file("/secoff/log/security-jail.log"); };
destination df_rsbac_res  { file("/secoff/log/security-res.log"); };
######
# filters
# one filter per RSBAC module, matching the "by <MODULE>" suffix of its messages
filter f_rsbac_reg  { match("by REG$"); };
filter f_rsbac_daz  { match("by DAZ$"); };
filter f_rsbac_ff   { match("by FF$"); };
filter f_rsbac_rc   { match("by RC$"); };
filter f_rsbac_auth { match("by AUTH$"); };
filter f_rsbac_cap  { match("by CAP$"); };
filter f_rsbac_jail { match("by JAIL$"); };
filter f_rsbac_res  { match("by RES$"); };
######
# logs
# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement
# these rules provide the same behaviour as the original syslogd rules:
# everything goes to the common file, and each module additionally to its own
log {
  source(s_rsbac);
  destination(df_rsbac_all);
};
log {
  source(s_rsbac);
  filter(f_rsbac_reg);
  destination(df_rsbac_reg);
};
log {
  source(s_rsbac);
  filter(f_rsbac_daz);
  destination(df_rsbac_daz);
};
log {
  source(s_rsbac);
  filter(f_rsbac_ff);
  destination(df_rsbac_ff);
};
log {
  source(s_rsbac);
  filter(f_rsbac_rc);
  destination(df_rsbac_rc);
};
log {
  source(s_rsbac);
  filter(f_rsbac_auth);
  destination(df_rsbac_auth);
};
log {
  source(s_rsbac);
  filter(f_rsbac_cap);
  destination(df_rsbac_cap);
};
log {
  source(s_rsbac);
  filter(f_rsbac_jail);
  destination(df_rsbac_jail);
};
log {
  source(s_rsbac);
  filter(f_rsbac_res);
  destination(df_rsbac_res);
};
</code>
Then start syslog-ng under the secoff credentials!
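To check where the filters above send a message before deploying the configuration, here is an added Python script (not part of the RSBAC handbook or of syslog-ng) that parses the destination, filter and log statements of a constructed excerpt of this configuration and routes constructed sample messages through them; the message texts are assumptions, only the trailing "by <MODULE>" that the filters anchor on is taken from the page.

```python
import re

# Constructed excerpt of the page's syslog-ng-rsbac.conf: the same statement
# shapes, with only the RC and AUTH routes kept to keep the sample short.
CONF = """
destination df_rsbac_all  { file("/secoff/log/security.log"); };
destination df_rsbac_rc   { file("/secoff/log/security-rc.log"); };
destination df_rsbac_auth { file("/secoff/log/security-auth.log"); };
filter f_rsbac_rc   { match("by RC$"); };
filter f_rsbac_auth { match("by AUTH$"); };
log { source(s_rsbac); destination(df_rsbac_all); };
log { source(s_rsbac); filter(f_rsbac_rc);   destination(df_rsbac_rc); };
log { source(s_rsbac); filter(f_rsbac_auth); destination(df_rsbac_auth); };
"""

DEST_RE = re.compile(r'destination\s+(\w+)\s*\{\s*file\("([^"]+)"\)')
FILTER_RE = re.compile(r'filter\s+(\w+)\s*\{\s*match\("([^"]+)"\)')
LOG_RE = re.compile(r"log\s*\{([^}]*)\}")


def parse_routes(conf):
    """Return [(compiled filter or None, log file path)] for each log statement,
    in configuration order (the order in which syslog-ng evaluates them)."""
    dests = dict(DEST_RE.findall(conf))
    filters = {name: re.compile(rx) for name, rx in FILTER_RE.findall(conf)}
    routes = []
    for body in LOG_RE.findall(conf):
        flt = re.search(r"filter\((\w+)\)", body)
        dst = re.search(r"destination\((\w+)\)", body)
        routes.append((filters[flt.group(1)] if flt else None, dests[dst.group(1)]))
    return routes


def route(message, routes):
    """Return the files one message is written to: a log statement without a
    filter takes everything, the others only messages matching their regex."""
    return [path for flt, path in routes if flt is None or flt.search(message)]


# Constructed sample messages (made up for illustration). The third one carries
# a trailing space, so the anchored "by RC$" filter does not match it and it
# lands only in the common security.log.
SAMPLES = [
    "RSBAC: rsbac_adf_request(): request READ_OPEN, pid 1234, uid 1000, NOT_GRANTED by RC",
    "RSBAC: rsbac_adf_request(): request CHANGE_OWNER, pid 42, uid 0, NOT_GRANTED by AUTH",
    "RSBAC: rsbac_adf_request(): request MODIFY_ATTRIBUTE, pid 7, uid 0, NOT_GRANTED by RC ",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg, "->", route(msg, parse_routes(CONF)))
```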
\\
----
**Table of Contents:** [[documentation:rsbac_handbook|RSBAC Handbook]]\\
**Back:** [[documentation:rsbac_handbook:configuration_basics:administration_examples|Administration Examples]]\\