Setting Up syslog-ng Logging

You can use a dedicated syslog-ng instance to collect RSBAC messages, which is much more convenient than mixing them into the system log. Disable logging to the system log with the "rsbac_nosyslog" kernel boot parameter, or at runtime with `echo "debug nosyslog 1" > /proc/rsbac-info/debug`. The kernel option "CONFIG_RSBAC_RMSG_NOSYSLOG" must be compiled in for this to work. Once syslog output is disabled, RSBAC messages are no longer visible in the system log and have to be read from /proc/rsbac-info/rmsg, so the syslog-ng instance described below should be started as early as possible during boot; messages generated while nothing reads rmsg may be lost.

Simply create an rc init script containing this line to start a dedicated syslog-ng instance:

 # Start a second, dedicated syslog-ng for RSBAC.  It must not share the
 # configuration file or the PID file with the system syslog-ng instance.
 rsbac_conf=/etc/syslog-ng/syslog-ng-rsbac.conf
 rsbac_pid=/var/run/syslog-ng-rsbac.pid
 /sbin/syslog-ng -f "$rsbac_conf" -p "$rsbac_pid"

The easiest way is to copy your distribution's init script and adapt it, or write your own. Keep the configuration file (-f) and the PID file (-p) separate from those of the system instance; depending on your syslog-ng version the second instance may also need its own persist file and control socket (see `syslog-ng --help` for the relevant options) so that it does not collide with the main daemon.

Configuration file

Create the corresponding configuration file "/etc/syslog-ng/syslog-ng-rsbac.conf" (the path passed to -f above):

######
# options

options {
        # Never resolve sender addresses: syslog-ng blocks on DNS lookups,
        # so a slow or hostile resolver could stall the whole log pipeline
        # (the default is yes).
        use_dns(no);

        # Write plain hostnames instead of the chained relay/origin form
        # (the default is enabled).
        chain_hostnames(0);

        # Depth of the output queue in messages.  Raise it if RSBAC message
        # bursts are being dropped before they reach the files.
        log_fifo_size(2048);

        # Let syslog-ng create missing destination directories itself.
        create_dirs(yes);

        # Ownership and mode of the log files syslog-ng creates
        # (defaults are 0, 0, 0600).  Only the security officer may read
        # them; substitute your own security-officer account for "secoff"
        # here and in the dir_* settings below.
        owner(secoff);
        group(secoff);
        perm(0600);

        # Ownership and mode of directories created via create_dirs()
        # (defaults are 0, 0, 0700).
        dir_owner(secoff);
        dir_group(secoff);
        dir_perm(0700);
};

######
# sources

# all known message sources
source s_rsbac {
        # The kernel's RSBAC message interface; every line is tagged so it
        # stays recognisable in the combined log.
        file("/proc/rsbac-info/rmsg" log_prefix("RSBAC: "));
        # syslog-ng's own status messages (start, stop, errors).
        internal();
};

######
# destinations

# some standard log files
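# One combined log plus one file per RSBAC module.  The paths are quoted,
# consistent with the file() source above.  Files are created with the
# owner/group/perm from options{} (secoff, 0600), so only the security
# officer can read the audit trail.
destination df_rsbac_all  { file("/secoff/log/security.log"); };
destination df_rsbac_reg  { file("/secoff/log/security-reg.log"); };
destination df_rsbac_daz  { file("/secoff/log/security-daz.log"); };
destination df_rsbac_ff   { file("/secoff/log/security-ff.log"); };
destination df_rsbac_rc   { file("/secoff/log/security-rc.log"); };
destination df_rsbac_auth { file("/secoff/log/security-auth.log"); };
destination df_rsbac_cap  { file("/secoff/log/security-cap.log"); };
destination df_rsbac_jail { file("/secoff/log/security-jail.log"); };
destination df_rsbac_res  { file("/secoff/log/security-res.log"); };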

######
# filters

# per-module filters: one for each RSBAC module that produces decision messages
# Each filter matches on the trailing "by <MODULE>" of an RSBAC message.
# The regexes are anchored with "$", so a message is routed to a module
# file only if its text ends exactly like that; messages in any other
# format are not split per module but still reach the combined log through
# the unfiltered log statement below.
filter f_rsbac_reg  { match("by REG$"); };
filter f_rsbac_daz  { match("by DAZ$"); };
filter f_rsbac_ff   { match("by FF$"); };
filter f_rsbac_rc   { match("by RC$"); };
filter f_rsbac_auth { match("by AUTH$"); };
filter f_rsbac_cap  { match("by CAP$"); };
filter f_rsbac_jail { match("by JAIL$"); };
filter f_rsbac_res  { match("by RES$"); };



######
# logs
# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement

# every RSBAC message is written to the combined log; the filtered rules below additionally copy each module's messages to its own file

# Everything from the RSBAC source goes to the combined file ...
log { source(s_rsbac); destination(df_rsbac_all); };

# ... and each module's messages are copied to a module-specific file as
# well.  No flags(final) is used, so a message matching a module filter is
# still written to security.log.
log { source(s_rsbac); filter(f_rsbac_reg);  destination(df_rsbac_reg);  };
log { source(s_rsbac); filter(f_rsbac_daz);  destination(df_rsbac_daz);  };
log { source(s_rsbac); filter(f_rsbac_ff);   destination(df_rsbac_ff);   };
log { source(s_rsbac); filter(f_rsbac_rc);   destination(df_rsbac_rc);   };
log { source(s_rsbac); filter(f_rsbac_auth); destination(df_rsbac_auth); };
log { source(s_rsbac); filter(f_rsbac_cap);  destination(df_rsbac_cap);  };
log { source(s_rsbac); filter(f_rsbac_jail); destination(df_rsbac_jail); };
log { source(s_rsbac); filter(f_rsbac_res);  destination(df_rsbac_res);  };

Start this syslog-ng instance under the secoff user's credentials, so that the log directory and files end up owned by, and readable only by, secoff. Note that a syslog-ng running as secoff must be permitted by your RSBAC policy to read /proc/rsbac-info/rmsg, and it must be able to create the PID file given with -p and the /secoff/log directory; if the daemon fails to start, check those permissions (and the policy) before anything else.


