Software :: Remote Syslog Logging For Apache Logs ?

Feb 2, 2009

For remote syslog logging of the general log files, I set:

Quote:

How do I set up remote syslog logging of Apache logs? Do I just add a line in the httpd.conf file, for example:

Quote:

View 2 Replies



CentOS 5 :: Syslog-ng Remote Clients But No Local Logs?

May 13, 2010

I installed syslog-ng so I can receive remote logs. This is working; however, since I disabled syslog on my syslog-ng server, I am not logging to /var/log/messages, cron and some others (locally). I know this is because my syslog-ng.conf only references remote and not local. How can I edit the syslog-ng.conf file so that I can receive remote and local? I tried this; however, when adding in portions of the default config, I only receive local and not remote logs anymore. I am forwarding my config.

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But

[code]....

View 2 Replies View Related

Fedora :: Configuring Syslog Server To Accept Remote Logging?

Nov 12, 2009

I'm having trouble getting my PIX firewall to log to a syslog server. Here are the steps I took:

1) Added the following line to /etc/sysconfig/syslog:
SYSLOG_OPTIONS "-m 0 -r514"
**for some reason, without the 514, syslog doesn't listen

[code]....

View 2 Replies View Related

General :: Disable Cron Logs From Php-syslog-ng?

Aug 9, 2010

I installed php-syslog-ng 2.9.8m on a RHEL5 box. I see logs from the local machine each time cron executes, every minute. I don't need those to appear in my syslog console. I want to disable these from my Linux box. How can I achieve this?

View 1 Replies View Related

Security :: Syslog - Missing Entries To Logs

May 23, 2011

CentOS 5.6 server patched to latest, multiple name-based Apache virtual hosts. SELinux OFF. Everything was working fine until the other day. I've been making quite a lot of changes, so it may well be something I've done, but I can't find out what! Last night I got the following in my logwatch:

Requests with error response codes
404 Not Found
/admin/phpmyadmin/scripts/setup.php: 1 Time(s)
/admin/pma/scripts/setup.php: 1 Time(s)
/admin/scripts/setup.php: 1 Time(s)
/db/scripts/setup.php: 1 Time(s)
/dbadmin/scripts/setup.php: 1 Time(s)
[Code]...

The problem is that NONE of my logs, secure, httpd, messages, NONE of them, show any trace of these hacking attempts. They used to show up in secure and apache error logs, but no longer.

View 2 Replies View Related

Server :: Configuring Syslog And Exporting Of Logs?

Jan 17, 2011

Configured a syslog server on Ubuntu; now I want to export the logs of Windows and Ubuntu desktops to the syslog server.

View 6 Replies View Related

Server :: Logging To 2 Syslog Servers?

Mar 10, 2011

I'm guessing it's possible, but I can't seem to find any documentation on how to do this. I've tried playing with entries at the top of my syslog.conf file like:

*.* @172.20.10.1 # 1 server, works fine
*.* @172.20.10.1,172.20.20.11 # doesn't work
*.* @172.20.10.1 172.20.20.11 # nor this
*.* @172.20.10.1,@172.20.20.11 # nor this
*.* @172.20.10.1 @172.20.20.11 # nor this

View 3 Replies View Related

Software :: Iptables Not Logging To Syslog?

Aug 6, 2010

I'm stuck on why iptables won't log to syslog. Syslog is working fine and logs every other event on the server. Here are my configs:

/etc/syslog.conf
Code:
*.* /var/log/iptables

[code]...

View 1 Replies View Related

General :: Forward System Logs To Syslog Server?

Sep 24, 2009

I'm running Ubuntu Desktop 9.10. How do I get it to forward its logs to a syslog server (its running on a different machine)?

View 2 Replies View Related

Ubuntu :: How To Stop Logging Cron To Syslog

Mar 2, 2011

There was a useful discussion on "how to stop logging cron to syslog". The useful answer is to update the line targeting syslog in /etc/syslog.conf to say something like:

Code:
*.*;auth,authpriv.none,mail.none,cron.none -/var/log/syslog
the significant part being that cron.none means that cron will not log to syslog.

There was discussion about whether this was a good thing to do, but it omitted to suggest that adding/uncommenting the following line would mean that no information would be lost but that syslog would be less cluttered as a source of monitoring info:

Code:
cron.* -/var/log/cron.log

You've still got all your cron-related log items available in cron.log if and when you need them. To make the new /etc/syslog.conf lines effective you should also, with root privileges:

Code:
touch /var/log/cron.log
chown syslog:adm /var/log/cron.log
and restart syslog. In my case:

Code:
/etc/init.d/sysklogd restart

View 4 Replies View Related

Fedora Servers :: Syslog Listening On Port 514 For Both Firewall And IDS Logs?

Jan 17, 2010

Currently I have a syslog server that consolidates firewall logs on port 514 UDP. I also have an IDS device whose logs I wish to push to this particular syslog server so that I can retrieve my IDS logs on this server as well.

Is it possible to do so? Having syslog listening on port 514 for both firewall and IDS logs? If it is possible, will the logs be recorded in a single log file? Or will they be recorded in separate log files, i.e. firewall.log, IDS.log etc.? I wish to have them in separate individual log files, or else there will be a hard time segregating the log entries in a single file. Can anyone advise on how to achieve this?

View 2 Replies View Related

Security :: Support Of Third Party Tools Logs In Syslog/rsyslog?

Aug 23, 2010

I am searching for how I can configure syslog/rsyslog to receive logs from third-party tools or software. For example, I have a program that generates logs, like when it is started, logs about its services, alerts if there are any alarms, etc. I want to forward these logs using syslog/rsyslog. Is there any way I can achieve that?

View 2 Replies View Related

CentOS 5 Server :: Rotating Named Logs Via Syslog.conf?

Mar 1, 2010

OS: CentOS 5.4. I have a DNS server that is logging all named and DNS requests to the chrooted named directory. By default named logs to /var/log/messages, but I want to isolate all the DNS queries and requests to separate files. I know I can add entries to /etc/syslog.conf to "roll" the logs and logrotate should pick them up, but I'm fuzzy as to the syntax. I don't know what "tag" to use in the first field. For example:

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none    /var/log/messages

Here is the logging section of my named.conf

# pwd
# /var/named/chroot/etc
logging
{

[code]....

View 5 Replies View Related

Ubuntu Networking :: Samba Logging Using Vfs And Syslog Isn't Working

Jan 19, 2010

I'm looking into setting up logging for Samba that logs every file downloaded, uploaded, renamed, deleted, etc, etc. It's currently working, but I'm trying to get it to output to /var/log/samba/audit.log and it's still outputtin Here are my current settings:

[Code]...

View 3 Replies View Related

General :: Logging Ssh Messages In A Separate File Using Syslog-ng?

Jul 2, 2011

I am facing a problem while trying to log SSH messages in a separate file, say, /var/log/ssh_logs. I have tried modifying the syslog-ng.conf file as follows:

filter f_ssh { facility(auth, authpriv) and match("sshd[[0-9]+]:"); };
destination d_ssh { file ("/var/logs/sshd_logs"); };
log {

[code]....

But still I am not able to get the ssh logs in the new file. They continue to go to /var/log/auth.

View 1 Replies View Related

Ubuntu Networking :: Configure 10.4 Machine To Write Its Logs To A Syslog Server?

Oct 18, 2010

How does one configure an Ubuntu 10.4 machine to write its logs to a syslog server?

View 1 Replies View Related

General :: Prevent The Logging Of Commands Run Into Syslog As Post-shell Expansion?

Dec 15, 2010

Is there an easy way to prevent the logging of commands run into syslog as post-shell expansion?

I.e., log a command of "ls *.log" as just that, rather than "ls a.log b.log c.log d.log". It makes rather a mess of the log files.

View 1 Replies View Related

Ubuntu Servers :: Turn Up The Level Of Logging That DHCP Server Is Writing To SYSLOG?

Feb 14, 2011

Turn up the level of logging that my DHCP Server is writing to SYSLOG? I can't seem to find a syslog.conf file to edit.

View 1 Replies View Related

Programming :: Apache Use Syslog Or Use Own Library?

Jan 24, 2010

In the /var/log directory, I see some directories like apache2, apt, gdm. I wonder, were all these folders made by syslogd? I mean, do these utilities use syslogd to log their messages, or do they use their own systems? For example, does Apache use syslog or use its own library?

View 1 Replies View Related

Networking :: Remote Syslog With Dynamic Ip?

Nov 30, 2010

I'm having two problems with remote syslogging with this configuration in syslog.conf:

*.info;authpriv.*;cron.* @myhost.dnsalias.com

As you can see, the logging is made to a host with a dynamic IP, and as soon as the IP changes the logging seems to stop.

Another thing is that it only seems to log the first part (*.info), the other ones don't appear.

View 1 Replies View Related

General :: Syslog - Access Log Of Apache Not Working

Aug 11, 2011

I am running a syslogd on my Ubuntu 10.10 system. I have an apache2 server on the same machine. I have configured my apache2.conf file to send the error logs to the local syslog server.

The config is as under :-
LogLevel notice
ErrorLog syslog:local1

I have also configured the /etc/syslog.conf as under :-
local1.info /var/log/apache2/error_logs

I have created a file in the /var/log/apache2 dir with the ownerships and permissions as under:-
-rwxrwxrwx 1 syslog adm 77 2011-08-11 18:14 /var/log/apache2/error_logs

Next I restarted the sysklogd and apache2 servers with a service command as under:-
sudo service sysklogd restart
sudo service apache2 restart

I thereafter observed the /var/log/apache2/error_logs file and found the entries for apache2 closing down and coming up as under:-
Aug 11 18:14:14 cc apache2[4940]: [notice] caught SIGTERM, shutting down
Aug 11 18:14:19 cc apache2[5282]: [notice] ModSecurity for Apache/2.5.12 [URL] configured.
Aug 11 18:14:19 cc apache2[5282]: [notice] Original server signature: Apache/2.2.16 (Ubuntu) mod_ssl/2.2.16 OpenSSL/0.9.8o
Aug 11 18:14:20 cc apache2[5285]: [notice] Apache/2.2.16 (Ubuntu) mod_ssl/2.2.16 OpenSSL/0.9.8o Microsoft-IIS/5.0 configured -- resuming normal operations

Now the problem is I do not get any other messages thereafter. So it is hardly useful. How can I increase the logged messages from Apache? I tried the facility:
local1.*

Then I restarted the sysklogd and apache2, but the contents of the /var/log/error_logs file remained similar. Next, I followed the link. I created the Perl script for recording access logs of apache2. I then restarted the apache2 and sysklogd. When I opened my website from a browser, the access log did not work. I think I am getting something wrong with the facility value: in apache2.conf it is ErrorLog syslog:local1, but the script is suggesting that it should be local2 in line 4:
openlog('apache','cons','pid','local2');
I therefore changed the script to local1 in above line. But still no access log?

View 2 Replies View Related

General :: Putting A Remote Syslog Into Its Own File?

Aug 11, 2010

I have a Tomato router and it has the capability to have its logs go to an external server. syslog is the obvious choice for this. So I enabled remote logging on my Linux server's syslogd (syslogd -r) and I can see all of the logs in /var/log/syslog. What I want to do is take everything that comes from the IP of my router (10.0.0.1) and divert it to its own file like /var/log/tomato to avoid polluting my syslog with external logs.

I can't find any examples of someone doing this. My only solution is to get a script together that strips out any line in /var/log/syslog with 10.0.0.1 in it and puts the line into /var/log/tomato and have the script run as a cron job, but that seems unnecessarily messy.

Unless someone knows that there is a solution, I'm 95% sure that syslog doesn't support this after reading more in-depth of the man page. So I need to migrate to syslog-ng or make a crazy script that runs with cron.

View 3 Replies View Related

Fedora Servers :: Samba Messages In Syslog - Allow Logging To The Standard Samba Logfiles

Mar 18, 2010

I wish to prevent the samba messages (mainly nmbd and winbindd) from appearing in the system log (/var/log/messages). I want to allow samba logging to the standard samba logfiles, but prevent the syslog getting clogged up by samba. I added syslog = 0 to smb.conf and reloaded the config but the messages were still appearing. I also tried the following (and restarted the syslog via /sbin/service syslog restart):

# Suppress messages from samba.
nmbd.* /dev/null
smbd.* /dev/null
winbindd.* /dev/null

For interest's sake, the messages I'm getting are below (I'm not concerned about the messages themselves, I can chase them up at my leisure via the samba logs):

Mar 18 09:58:29 SERVER nmbd[3808]: query_name_response: Multiple (2) responses received for a query on subnet xx.yy.z.zz for name DOMAIN<1d>.
Mar 18 09:58:29 SERVER nmbd[3808]: This response was from IP xx.yy.z.zz, reporting an IP address of xx.yy.z.zz.

View 1 Replies View Related

CentOS 5 :: Apache Not Browsing - No Logs

Jan 19, 2010

Just installed CentOS 5.4 selecting Server configuration where web server was installed.

After install, I browsed to the ip of the box and no apache test page shows up. /var/log/httpd/error_log doesn't show any browse attempts.

service httpd start
OK

try again and no browsing.

Did a :

yum install httpd

it installed httpd.i386 along some other dependencies.

Did a:
service httpd restart
OK

and still not browsing.

basics of getting apache running and configured on a fresh server?

View 6 Replies View Related

General :: Logging Into A Remote Server?

Jan 3, 2010

I want to login to my company's server (remote) from my room. I have the server address, so I use this command to login :

Code:
#ssh root@X.X.X.X

It waits for a very long time and then returns with error connection timed out port 22.

I configured these settings in the remote server :

Code:
#/etc/init.d/iptables stop

Then I connect via ssh from my home but still the same error.

Then in the config file /etc/ssh/sshd_config, I uncomment the line : ListenAddress 0.0.0.0

I connect via ssh again from home but still the same error.

The connection is not denied in hosts.deny and hosts.allow.

How do I get the connection up and running?

View 5 Replies View Related

Debian Configuration :: Awstats Access To Apache Logs?

Mar 10, 2011

On a squeeze box, I installed awstats and it's working like a charm. Its cron job updates the awstats database every 10 minutes (as it runs as root). But I would like to be able to update the statistics from the browser as well. So I set up everything as required and I gave "read" access to "others" on every Apache log file. Now, a couple of questions came to my mind:

1. Am I compromising server's security giving "read" access to "others" to apache log files?

2. Instead of giving "read" access to "others", I could add www-data user to adm group (as apache log files are owned by root:adm and permissions are rw-r----). Is this more secure than giving "read" access to "others"?

3. If the option would be giving "read" access to "others" at the end, a log file would be owned by root:adm and its permissions be rw-r--r--. As apache rotates its log files, when Apache create a new log file, does it preserve the permissions (rw-r--r--) or create it with the default permissions (rw-r-----)?

View 1 Replies View Related

Ubuntu Security :: Alerts When Apache LOGS Contain Certain Data

Jul 10, 2010

Does anyone know of any software that can monitor the Apache logs for certain phrases or keywords then send an alert when found? For example I know an attempt to hack has been made when I see log entries like this....

/admin/
/admin/phpadmin/
/phpadmin/

But by the time I see it, the attempt has long since failed or succeeded. What I need is a way for my server to alert me WHILE someone is entering these phrases. I realize there may be a "hit" to performance but my server is not that busy anyway (except for hackers).

View 3 Replies View Related

Debian :: Logs & Apache Load - Takes Up So Much CPU For Some Of The Requests

Mar 30, 2010

I noticed I have quite a few logs that end with .[number], for example "syslog.1", "mail.info.1", etc. Why is this, and why are they there, since almost nothing is logged in them?

Question 2: On my server I'm running a script like imagebam and imageshack which hosts images, so I have quite a few Apache requests to my server. I am wondering why Apache takes up so much CPU for some of the requests. In htop some requests take up 1.2% CPU while others take up 3-5% etc., so the total load is about 1.50 0.58 0.84 to 2.61 1.08 1.14 with about 128-150 Apache requests all the time, while sometimes the CPU load can be almost 0 with the same amount of requests. Is this normal? What could cause this in Apache? The server is just running apache2. MYSQL is running on another server.

View 1 Replies View Related

Server :: Apache Logging Client Hostnames Instead Of IPs ?

Mar 12, 2011

Set up a new machine with Apache, identical setup to all the other machines I've got, yet this one is logging hostnames instead of IPs.

"HostnameLookups" are "Off" and LogFormat settings are identical to all the other machines:


Code:

Added a new LogFormat directive:


Code:

And told the virtual hosts to use it:


Code:

This solved the problem, though I'm at a loss as to why I've got this behavior on just this one box and none of the others. OS is Debian Lenny, same version of Apache installed via Debian package.

My understanding from the Apache doc [url] is that when "HostnameLookups" are "Off", "%h" will yield the IP instead of the hostname.

Code:

It features support for HTTPS, virtual hosting, CGI, SSI, IPv6, easy scripting and database integration, request/response filtering, many flexible authentication schemes, and more. Homepage: [url]

View 4 Replies View Related

Debian :: Rsyslog Remote Logging Duplicates

Jul 30, 2015

I'm having issues setting up rsyslog to receive syslog from another server and only log to one file. I'm receiving the syslog from the remote side; however, it's putting the entries into more than one log file.

I configured /etc/rsyslog.conf to enable udp, and I have implemented a filter to log only from that IP address, and then stop processing more rules, but it seems to continue on.

I have found that the remote syslog events are using local0 and local1. There are two custom rsyslog config files in /etc/rsyslog.d that handle those two facilities. If I use that same if statement at the beginning of those custom config files, I can get it to work. Seems like a hack though.

Not working:

I put my if statement before the include statement, thinking I could stop it from hitting the custom rules.

Code:
#  /etc/rsyslog.conf    Configuration file for rsyslog v3.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html

#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

[Code] ....

This works:
A custom config file in /etc/rsyslog.d
Code:
if $fromhost-ip == '<my ip>' then /var/log/<my directory>/syslog.log
& ~
local0.*       /var/log/<a log file for local0>.log

This is on a WD Mycloud device:

Code:
Linux WDMyCloud 3.2.26 #1 SMP Tue Jun 17 15:53:22 PDT 2014 wd-2.2-rel armv7l

The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

View 1 Replies View Related






