In this tip, we'll introduce you to syslog-ng (syslog next generation), an open source audit trail processing tool created by BalaBit IT Security that can be used as an alternative to standard UNIX system logging software. We'll show you how to configure syslog-ng for use with VShell for UNIX and give you two filtering examples to log specific VShell log entries to unique files.

Filtering VShell Log Files With syslog-ng

System administrators and IT professionals: gone are the days when we only used log files as a simple troubleshooting tool. In an increasingly internet-driven business environment, log files today are as valuable as "gold in them, there hills". They are now used as evidence to document wrong doing, for audit trails, and to keep your finger on the pulse of your networks.

If you're struggling with using syslog to manage the log files on your network and perform further analysis or audits, you might want to take a look at syslog-ng, the open source audit trail processing tool available from BalaBit IT Security. syslog-ng has many advantages over syslog including more powerful configuration options, filtering based on message content, and better network forwarding.

This tip assumes that you've already installed syslog-ng on your VShell server according to BalaBit IT's instructions. You can get the latest, stable version of libol and syslog-ng from the BalaBit IT website.

With syslog-ng, you can set up filters, send log entries to both your local machine and to a centralized secure logging server (using SSH port-forwarding), log to a mysql database, or rewrite log messages into a specific format. In this tip, we'll illustrate two examples of using filtering to log specific VShell log entries to unique files. At the end of this tip, we've provided additional resources that you can use to explore some of syslog-ng's other capabilities.

Let's suppose you are sending all your syslog data to a centralized logging facility to be analyzed by your security team. Now, suppose that you have a helpdesk or operations person in charge of managing and troubleshooting any problems that might arise on VShell. That helpdesk person needs access to the VShell log information, but you don't want to give them access to the central logs.

The syslog-ng configuration has five main sections (Options, Source, Destination, Filter, and Log). The Options section allows you to define options specific to the program itself. The Source and Destination sections allow you to define where log information comes from and where it will go. The Filter section allows you to define specific information to pull out of the incoming stream of information. The Log statements then tie together the source, destination, and filter information into specific logs.

The two destinationstatements below would instruct syslog-ng to place specific VShell log messages in two separate destinations (in this example, the destinations are files). (When using plain syslogd, these log messages are placed in "messages.log"). The first statement creates a destination named "program_vshell" that points to the file "/var/log/vshell.log". The second statement creates a destination named "vshell_sftp" that points to a file called "/var/log/vshell_sftp.log".

syslog-ng.conf example destination statements:
destination program_vshell { file("/var/log/vshell.log"); };
destination vshell_sftp { file("/var/log/vshell_sftp.log"); };

Below are two different filtering examples. The first filter is named "f_vshell" and instructs syslog-ng to filter out those messages with the program named vshell. The second example creates a filter named "f_vshell_sftp", which will filter out log messages that belong to the program named vshell and any of those messages that contain the string ": sftp," (which in this case are all secure file transfer log messages).

syslog-ng.conf example filter statements:
filter f_vshell { program(vshell); };
filter f_vshell_sftp { program (vshell) and match(": sftp,"); };

You then tie them all together with log expressions to make sure the desired events end up in the right files or destinations. The first log statement below instructs syslog-ng to take anything coming from the source(src) that matches the filter(f_vshell) and send it to the destination(program_vshell).

syslog-ng.conf example log statements:
log { source(src); filter(f_vshell); destination(program_vshell); };
log { source(src); filter(f_vshell_sftp); destination(vshell_sftp); };

Here is the sample config file in its entirety: syslog-ng.conf.text (for this config file to work properly, you should save the file without the .txt extension).

Aggregating, managing, and analyzing log files can be a daunting task. The information in this tip should give you a head start with the syslog-ng tool and some simple ideas to help minimize the complexity of this task, allowing you to be more proactive with log file management. If you can spare a day plus travel, you should seriously consider attending the SANS one-day, hands-on course, System Log Aggregation & Analysis, by Marcus Ranum. It is a fantastic "roll up your sleeves" day filled with examples of this tool and many others.

For further information about syslog-ng see the following resources:

Visit the syslog-ng FAQ — http://www.campin.net/syslog-ng/faq.html
Read the Central Loghost Mini-HOWTO — http://www.campin.net/newlogcheck.html
Attend the SANS one-day course, "System Log Aggregation & Analysis Hands-on" by Marcus Ranum.
Read the December 2004 Sys Admin Magazine article, "Centralized Logging for UNIX, Windows, and Network Devices," by Corey Ramsden for excellent instructions.