e.g.
1) Check whether /etc/syslog-ng/syslog-ng.conf already defines a filter we can reuse. This example reuses the stock f_authpriv filter by name rather than defining its own, so re-check the filter text (as below) after any upgrade before trusting what it forwards.
[root@ve13a:Active:In Sync] config awk '/ authpriv/,/^$/' /etc/syslog-ng/syslog-ng.conf
authpriv.* /var/log/secure
filter f_authpriv {
(facility(auth, authpriv) and level(notice..emerg))
or program(sshd)
or (facility(auth,authpriv) and (program(httpd) or program(tamd)))
or message("pam_audit")
;
};
2) Craft the syslog include configuration. Note: the udp() destination on port 514 sends these audit records (usernames, source IPs, privilege level) in cleartext with no integrity protection or delivery guarantee; that is acceptable for a lab on 200.200.200.0/24, but for production prefer a tcp() destination, or a TLS-capable one if the platform's syslog-ng supports it, and restrict who can reach the collector.
sys syslog {
include "
destination d_loghost {
udp("200.200.200.101" port(514));
};
log {
source(s_syslog_pipe);
filter(f_authpriv);
destination(d_loghost);
};
"
}
3) Merge the syslog include configuration into the running configuration. Compare the udp(...) line before and after the merge: tmsh strips the inner double quotes around the IP address when it stores the include, and syslog-ng still accepts the unquoted form (the capture in step 4 shows logs being delivered).
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
sys syslog { }
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) load sys config from-terminal merge
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
sys syslog {
include "
destination d_loghost {
udp("200.200.200.101" port(514));
};
log {
source(s_syslog_pipe);
filter(f_authpriv);
destination(d_loghost);
};
"
}
Loading configuration...
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
sys syslog {
include "
destination d_loghost {
udp(200.200.200.101 port(514));
};
log {
source(s_syslog_pipe);
filter(f_authpriv);
destination(d_loghost);
};
"
}
4) Verify that only the logs we want are sent to the remote syslog. Note that the capture shows both authpriv.info and local0.info packets: the "01070417:6: AUDIT" messages on local0 also match f_authpriv through its message("pam_audit") clause, so slightly more than the authpriv facility is forwarded. If that is not intended, define a narrower filter instead of reusing f_authpriv.
// tcpdump
*Note: interface 0.0 is used here because the remote syslog host is reached via a TMM (data-plane) interface, not the management interface.
[root@ve13a:Active:In Sync] config tcpdump -nni 0.0 -s0 host 200.200.200.101 and port 514 -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:49:22.969608 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG authpriv.info, length: 209 out slot1/tmm0 lis=
0x0000: 4500 00ed e223 4000 4011 35da c8c8 c80b E....@.@.5.....
0x0010: c8c8 c865 96e4 0202 00d9 22ed 3c38 363e ...e......".<86>
0x0020: 4a61 6e20 2036 2031 303a 3439 3a32 3220 Jan..6.10:49:22.
0x0030: 7665 3133 6120 696e 666f 2073 7368 6428 ve13a.info.sshd(
0x0040: 7061 6d5f 6175 6469 7429 5b36 3135 335d pam_audit)[6153]
0x0050: 3a20 7573 6572 3d72 6f6f 7428 726f 6f74 :.user=root(root
0x0060: 2920 7061 7274 6974 696f 6e3d 5b41 6c6c ).partition=[All
0x0070: 5d20 6c65 7665 6c3d 4164 6d69 6e69 7374 ].level=Administ
0x0080: 7261 746f 7220 7474 793d 7373 6820 686f rator.tty=ssh.ho
0x0090: 7374 3d31 3732 2e31 362e 3230 342e 3333 st=172.16.204.33
0x00a0: 2061 7474 656d 7074 733d 3120 7374 6172 .attempts=1.star
0x00b0: 743d 2253 6174 204a 616e 2020 3620 3130 t="Sat.Jan..6.10
0x00c0: 3a34 393a 3231 2032 3031 3822 2065 6e64 :49:21.2018".end
0x00d0: 3d22 5361 7420 4a61 6e20 2036 2031 303a ="Sat.Jan..6.10:
0x00e0: 3439 3a32 3220 3230 3138 222e 0a01 0501 49:22.2018".....
0x00f0: 0000 0000 ....
10:49:22.969620 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG local0.info, length: 264 out slot1/tmm0 lis=
0x0000: 4500 0124 e224 4000 4011 35a2 c8c8 c80b E..$.$@.@.5.....
0x0010: c8c8 c865 96e4 0202 0110 2324 3c31 3334 ...e......$<134
0x0020: 3e4a 616e 2020 3620 3130 3a34 393a 3232 >Jan..6.10:49:22
0x0030: 2076 6531 3361 2069 6e66 6f20 7373 6864 .ve13a.info.sshd
0x0040: 2870 616d 5f61 7564 6974 295b 3631 3533 (pam_audit)[6153
0x0050: 5d3a 2030 3130 3730 3431 373a 363a 2041 ]:.01070417:6:.A
0x0060: 5544 4954 202d 2075 7365 7220 726f 6f74 UDIT.-.user.root
0x0070: 202d 2052 4157 3a20 7373 6864 2870 616d .-.RAW:.sshd(pam
0x0080: 5f61 7564 6974 293a 2075 7365 723d 726f _audit):.user=ro
0x0090: 6f74 2872 6f6f 7429 2070 6172 7469 7469 ot(root).partiti
0x00a0: 6f6e 3d5b 416c 6c5d 206c 6576 656c 3d41 on=[All].level=A
0x00b0: 646d 696e 6973 7472 6174 6f72 2074 7479 dministrator.tty
0x00c0: 3d73 7368 2068 6f73 743d 3137 322e 3136 =ssh.host=172.16
0x00d0: 2e32 3034 2e33 3320 6174 7465 6d70 7473 .204.33.attempts
0x00e0: 3d31 2073 7461 7274 3d22 5361 7420 4a61 =1.start="Sat.Ja
0x00f0: 6e20 2036 2031 303a 3439 3a32 3120 3230 n..6.10:49:21.20
0x0100: 3138 2220 656e 643d 2253 6174 204a 616e 18".end="Sat.Jan
0x0110: 2020 3620 3130 3a34 393a 3232 2032 3031 ..6.10:49:22.201
0x0120: 3822 2e0a 0105 0100 0000 00 8".........
10:49:22.974077 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG authpriv.info, length: 178 out slot1/tmm0 lis=
0x0000: 4500 00ce e226 4000 4011 35f6 c8c8 c80b E....&@.@.5.....
0x0010: c8c8 c865 96e4 0202 00ba 22ce 3c38 363e ...e......".<86>
0x0020: 4a61 6e20 2036 2031 303a 3439 3a32 3220 Jan..6.10:49:22.
0x0030: 7665 3133 6120 696e 666f 2073 7368 6428 ve13a.info.sshd(
0x0040: 7061 6d5f 6175 6469 7429 5b36 3135 305d pam_audit)[6150]
0x0050: 3a20 7573 6572 3d72 6f6f 7428 726f 6f74 :.user=root(root
0x0060: 2920 7061 7274 6974 696f 6e3d 5b41 6c6c ).partition=[All
0x0070: 5d20 6c65 7665 6c3d 4164 6d69 6e69 7374 ].level=Administ
0x0080: 7261 746f 7220 7474 793d 7373 6820 686f rator.tty=ssh.ho
0x0090: 7374 3d31 3732 2e31 362e 3230 342e 3333 st=172.16.204.33
0x00a0: 2061 7474 656d 7074 733d 3120 7374 6172 .attempts=1.star
0x00b0: 743d 2253 6174 204a 616e 2020 3620 3130 t="Sat.Jan..6.10
0x00c0: 3a34 393a 3232 2032 3031 3822 2e0a 0105 :49:22.2018"....
0x00d0: 0100 0000 00 .....
10:49:22.974086 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG local0.info, length: 233 out slot1/tmm0 lis=
0x0000: 4500 0105 e227 4000 4011 35be c8c8 c80b E....'@.@.5.....
0x0010: c8c8 c865 96e4 0202 00f1 2305 3c31 3334 ...e.......<134
0x0020: 3e4a 616e 2020 3620 3130 3a34 393a 3232 >Jan..6.10:49:22
0x0030: 2076 6531 3361 2069 6e66 6f20 7373 6864 .ve13a.info.sshd
0x0040: 2870 616d 5f61 7564 6974 295b 3631 3530 (pam_audit)[6150
0x0050: 5d3a 2030 3130 3730 3431 373a 363a 2041 ]:.01070417:6:.A
0x0060: 5544 4954 202d 2075 7365 7220 726f 6f74 UDIT.-.user.root
0x0070: 202d 2052 4157 3a20 7373 6864 2870 616d .-.RAW:.sshd(pam
0x0080: 5f61 7564 6974 293a 2075 7365 723d 726f _audit):.user=ro
0x0090: 6f74 2872 6f6f 7429 2070 6172 7469 7469 ot(root).partiti
0x00a0: 6f6e 3d5b 416c 6c5d 206c 6576 656c 3d41 on=[All].level=A
0x00b0: 646d 696e 6973 7472 6174 6f72 2074 7479 dministrator.tty
0x00c0: 3d73 7368 2068 6f73 743d 3137 322e 3136 =ssh.host=172.16
0x00d0: 2e32 3034 2e33 3320 6174 7465 6d70 7473 .204.33.attempts
0x00e0: 3d31 2073 7461 7274 3d22 5361 7420 4a61 =1.start="Sat.Ja
0x00f0: 6e20 2036 2031 303a 3439 3a32 3220 3230 n..6.10:49:22.20
0x0100: 3138 222e 0a01 0501 0000 0000 18".........
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
// remote syslog
Jan 6 10:49:22 ve13a info sshd(pam_audit)[6153]: user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan 6 10:49:21 2018" end="Sat Jan 6 10:49:22 2018".
Jan 6 10:49:22 ve13a info sshd(pam_audit)[6153]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan 6 10:49:21 2018" end="Sat Jan 6 10:49:22 2018".
Jan 6 10:49:22 ve13a info sshd(pam_audit)[6150]: user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan 6 10:49:22 2018".
Jan 6 10:49:22 ve13a info sshd(pam_audit)[6150]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan 6 10:49:22 2018".
Note: to reset the syslog include, use `modify sys syslog include none`:
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) modify sys syslog include none
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
sys syslog { }