Configure Syslog-ng to Only Show Logins & Log Outs
e.g.
1) Check whether there is an existing filter in syslog-ng.conf that we can reuse.
[root@ve13a:Active:In Sync] config  awk '/ authpriv/,/^$/' /etc/syslog-ng/syslog-ng.conf
 authpriv.*                                    /var/log/secure
filter f_authpriv {
    (facility(auth, authpriv) and level(notice..emerg))
    or program(sshd)
    or (facility(auth,authpriv) and (program(httpd) or program(tamd)))
    or message("pam_audit")
    ;
};
2) Craft the syslog include configuration.
sys syslog {
  include "
    destination d_loghost {
      udp("200.200.200.101" port(514));
    };
    log {
      source(s_syslog_pipe);
      filter(f_authpriv);
      destination(d_loghost);
    };
    "
}
3) Merge the syslog include configuration into the running configuration.
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
sys syslog { }
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) load sys config from-terminal merge
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
sys syslog {
  include "
    destination d_loghost {
      udp("200.200.200.101" port(514));
    };
    log {
      source(s_syslog_pipe);
      filter(f_authpriv);
      destination(d_loghost);
    };
    "
}
Loading configuration...
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
sys syslog {
    include "
    destination d_loghost {
      udp(200.200.200.101 port(514));
    };
    log {
      source(s_syslog_pipe);
      filter(f_authpriv);
      destination(d_loghost);
    };
    "
}
4) Verify that only the logs we want are sent to the remote syslog server.
// tcpdump
Note that interface 0.0 is used here because the remote syslog server is reached via a TMM interface (not the management interface). The decoded payload in the capture below also shows that these audit records (user, tty, source host) travel in cleartext over UDP to the destination configured in step 2.
[root@ve13a:Active:In Sync] config  tcpdump -nni 0.0 -s0 host 200.200.200.101 and port 514 -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:49:22.969608 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG authpriv.info, length: 209 out slot1/tmm0 lis=
        0x0000:  4500 00ed e223 4000 4011 35da c8c8 c80b  E....@.@.5.....
        0x0010:  c8c8 c865 96e4 0202 00d9 22ed 3c38 363e  ...e......".<86>
        0x0020:  4a61 6e20 2036 2031 303a 3439 3a32 3220  Jan..6.10:49:22.
        0x0030:  7665 3133 6120 696e 666f 2073 7368 6428  ve13a.info.sshd(
        0x0040:  7061 6d5f 6175 6469 7429 5b36 3135 335d  pam_audit)[6153]
        0x0050:  3a20 7573 6572 3d72 6f6f 7428 726f 6f74  :.user=root(root
        0x0060:  2920 7061 7274 6974 696f 6e3d 5b41 6c6c  ).partition=[All
        0x0070:  5d20 6c65 7665 6c3d 4164 6d69 6e69 7374  ].level=Administ
        0x0080:  7261 746f 7220 7474 793d 7373 6820 686f  rator.tty=ssh.ho
        0x0090:  7374 3d31 3732 2e31 362e 3230 342e 3333  st=172.16.204.33
        0x00a0:  2061 7474 656d 7074 733d 3120 7374 6172  .attempts=1.star
        0x00b0:  743d 2253 6174 204a 616e 2020 3620 3130  t="Sat.Jan..6.10
        0x00c0:  3a34 393a 3231 2032 3031 3822 2065 6e64  :49:21.2018".end
        0x00d0:  3d22 5361 7420 4a61 6e20 2036 2031 303a  ="Sat.Jan..6.10:
        0x00e0:  3439 3a32 3220 3230 3138 222e 0a01 0501  49:22.2018".....
        0x00f0:  0000 0000                                ....
10:49:22.969620 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG local0.info, length: 264 out slot1/tmm0 lis=
        0x0000:  4500 0124 e224 4000 4011 35a2 c8c8 c80b  E..$.$@.@.5.....
        0x0010:  c8c8 c865 96e4 0202 0110 2324 3c31 3334  ...e......$<134
        0x0020:  3e4a 616e 2020 3620 3130 3a34 393a 3232  >Jan..6.10:49:22
        0x0030:  2076 6531 3361 2069 6e66 6f20 7373 6864  .ve13a.info.sshd
        0x0040:  2870 616d 5f61 7564 6974 295b 3631 3533  (pam_audit)[6153
        0x0050:  5d3a 2030 3130 3730 3431 373a 363a 2041  ]:.01070417:6:.A
        0x0060:  5544 4954 202d 2075 7365 7220 726f 6f74  UDIT.-.user.root
        0x0070:  202d 2052 4157 3a20 7373 6864 2870 616d  .-.RAW:.sshd(pam
        0x0080:  5f61 7564 6974 293a 2075 7365 723d 726f  _audit):.user=ro
        0x0090:  6f74 2872 6f6f 7429 2070 6172 7469 7469  ot(root).partiti
        0x00a0:  6f6e 3d5b 416c 6c5d 206c 6576 656c 3d41  on=[All].level=A
        0x00b0:  646d 696e 6973 7472 6174 6f72 2074 7479  dministrator.tty
        0x00c0:  3d73 7368 2068 6f73 743d 3137 322e 3136  =ssh.host=172.16
        0x00d0:  2e32 3034 2e33 3320 6174 7465 6d70 7473  .204.33.attempts
        0x00e0:  3d31 2073 7461 7274 3d22 5361 7420 4a61  =1.start="Sat.Ja
        0x00f0:  6e20 2036 2031 303a 3439 3a32 3120 3230  n..6.10:49:21.20
        0x0100:  3138 2220 656e 643d 2253 6174 204a 616e  18".end="Sat.Jan
        0x0110:  2020 3620 3130 3a34 393a 3232 2032 3031  ..6.10:49:22.201
        0x0120:  3822 2e0a 0105 0100 0000 00              8".........
10:49:22.974077 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG authpriv.info, length: 178 out slot1/tmm0 lis=
        0x0000:  4500 00ce e226 4000 4011 35f6 c8c8 c80b  E....&@.@.5.....
        0x0010:  c8c8 c865 96e4 0202 00ba 22ce 3c38 363e  ...e......".<86>
        0x0020:  4a61 6e20 2036 2031 303a 3439 3a32 3220  Jan..6.10:49:22.
        0x0030:  7665 3133 6120 696e 666f 2073 7368 6428  ve13a.info.sshd(
        0x0040:  7061 6d5f 6175 6469 7429 5b36 3135 305d  pam_audit)[6150]
        0x0050:  3a20 7573 6572 3d72 6f6f 7428 726f 6f74  :.user=root(root
        0x0060:  2920 7061 7274 6974 696f 6e3d 5b41 6c6c  ).partition=[All
        0x0070:  5d20 6c65 7665 6c3d 4164 6d69 6e69 7374  ].level=Administ
        0x0080:  7261 746f 7220 7474 793d 7373 6820 686f  rator.tty=ssh.ho
        0x0090:  7374 3d31 3732 2e31 362e 3230 342e 3333  st=172.16.204.33
        0x00a0:  2061 7474 656d 7074 733d 3120 7374 6172  .attempts=1.star
        0x00b0:  743d 2253 6174 204a 616e 2020 3620 3130  t="Sat.Jan..6.10
        0x00c0:  3a34 393a 3232 2032 3031 3822 2e0a 0105  :49:22.2018"....
        0x00d0:  0100 0000 00                             .....
10:49:22.974086 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG local0.info, length: 233 out slot1/tmm0 lis=
        0x0000:  4500 0105 e227 4000 4011 35be c8c8 c80b  E....'@.@.5.....
        0x0010:  c8c8 c865 96e4 0202 00f1 2305 3c31 3334  ...e.......<134
        0x0020:  3e4a 616e 2020 3620 3130 3a34 393a 3232  >Jan..6.10:49:22
        0x0030:  2076 6531 3361 2069 6e66 6f20 7373 6864  .ve13a.info.sshd
        0x0040:  2870 616d 5f61 7564 6974 295b 3631 3530  (pam_audit)[6150
        0x0050:  5d3a 2030 3130 3730 3431 373a 363a 2041  ]:.01070417:6:.A
        0x0060:  5544 4954 202d 2075 7365 7220 726f 6f74  UDIT.-.user.root
        0x0070:  202d 2052 4157 3a20 7373 6864 2870 616d  .-.RAW:.sshd(pam
        0x0080:  5f61 7564 6974 293a 2075 7365 723d 726f  _audit):.user=ro
        0x0090:  6f74 2872 6f6f 7429 2070 6172 7469 7469  ot(root).partiti
        0x00a0:  6f6e 3d5b 416c 6c5d 206c 6576 656c 3d41  on=[All].level=A
        0x00b0:  646d 696e 6973 7472 6174 6f72 2074 7479  dministrator.tty
        0x00c0:  3d73 7368 2068 6f73 743d 3137 322e 3136  =ssh.host=172.16
        0x00d0:  2e32 3034 2e33 3320 6174 7465 6d70 7473  .204.33.attempts
        0x00e0:  3d31 2073 7461 7274 3d22 5361 7420 4a61  =1.start="Sat.Ja
        0x00f0:  6e20 2036 2031 303a 3439 3a32 3220 3230  n..6.10:49:22.20
        0x0100:  3138 222e 0a01 0501 0000 0000            18".........
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
// remote syslog
Jan  6 10:49:22 ve13a info sshd(pam_audit)[6153]: user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan  6 10:49:21 2018" end="Sat Jan  6 10:49:22 2018".
Jan  6 10:49:22 ve13a info sshd(pam_audit)[6153]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan  6 10:49:21 2018" end="Sat Jan  6 10:49:22 2018".
Jan  6 10:49:22 ve13a info sshd(pam_audit)[6150]: user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan  6 10:49:22 2018".
Jan  6 10:49:22 ve13a info sshd(pam_audit)[6150]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan  6 10:49:22 2018".
Note: to reset the syslog include back to empty, use `modify sys syslog include none`.
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) modify sys syslog include none
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
sys syslog { }
- mario365_345588Jan 08, 2018Nimbostratus That worked! Thanks! I have one more request. I also need to log config changes from both the CLI and the GUI to the same syslog server. I have a guess at how it's done (see below), but I'm not sure whether I'm oversimplifying it. Could you show me how to add more filters? Thank you. sys syslog { include " destination d_loghost { udp("192.168.152.36" port(514)); }; log { source(s_syslog_pipe); filter(f_authpriv); filter(f_auditing); destination(d_loghost); }; " } 
- nitassJan 08, 2018Employee Hope this helps: see "How can two or more filters be combined?" in the syslog-ng FAQ. Note that two filter() statements in the same log path are combined with AND, so to forward messages that match either filter you need a single filter that joins the two with `or`.
 https://www.balabit.com/wiki/syslog-ng-faq-filters