syslog-ng and Lire
Ag. System Administrator
sysadmin at agent.co.il
Wed Nov 5 12:38:07 CET 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi!
I'm using a centralised syslog-ng server. The format of the logs is:
Snort:
Nov 5 14:24:43 server's.full.name at server_short_name/name_on_machine
snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc
activity] [Priority: 3]: <eth1> {ICMP} xxx.xx.xx.xxx -> xxx.xx.xxx.233
Kernel:
Nov 5 06:15:09 server's.full.name at server_short_name/name_on_machine
kernel: Drop packet IN=eth0 OUT=
MAC=00:30:xx:28:xx:c0:00:b0:4a:xx:32:00:xx:00 SRC=65.37.4.95
DST=xxx.xx.xx.108 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=22622 DF
PROTO=TCP SPT=4380 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Mail:
Nov 5 12:21:10 server's.full.name at server_short_name/name_on_machine
sendmail[10801]: hA5ALAnY010801: from=<nagios at xxxx.xxx.com>, size=0,
class=0, nrcpts=0, proto=SMTP, daemon=Daemon0, relay=xxms.xxxxx.com
[xxx.xxx.xxx.xxx]
etc....
When I make snort's report, the second (Volume's Traffic Reports) and third
(Denied Packets Reports) pages are empty :(
Today I'll check the other reports (mail, kernel) - but I'm pretty sure that
I'll have the same (or similar) problems...
The question is: what do I need to change (except the syslog-ng config ;) to
make it work?
Also, is it possible to make reports for each server's.full.name or
server_short_name? (except grepping these from the logs)
If you need more entries from the logs - let me know.
Thank You,
Danny
PS: sorry for my bad English - it's not my mother tongue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE/qOEcwOz6rWkLhRQRAs8KAJ4kdvTe3RwIhNdNuwgPPskxRo77NgCfYrut
C1ukxoghPRuW55Lr1UmQx3E=
=usdN
-----END PGP SIGNATURE-----
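The lines quoted above all carry an extra host token ("server's.full.name at server_short_name/name_on_machine") between the timestamp and the program name, which is where a parser that expects the plain "timestamp host program: message" layout stops matching. The following Python script is an added example written for this thread; it is not code from the post, from syslog-ng or from Lire. It assumes that Lire's syslog-based converters want the standard layout (an assumption, not verified against Lire's source), that the " at " in the quoted lines is how the list archive renders an "@" (so both forms are accepted), and all hostnames, MAC and IP addresses in the sample lines are constructed placeholders. It strips the extra token back to a standard syslog line, groups the result by originating host so each host can be fed to its own report run (the second question in the post), and pulls the KEY=VALUE fields out of the kernel drop line so you can check that a denied-packets report would have data to work with.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the three formats quoted in the post.
# Hostnames and addresses are placeholders (RFC 5737 ranges), not real data.
SAMPLE_LINES = [
    "Nov  5 14:24:43 ids1.example.net at ids1/ids1 snort: [1:483:2] ICMP PING "
    "CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: "
    "<eth1> {ICMP} 192.0.2.10 -> 198.51.100.233",
    "Nov  5 06:15:09 fw1.example.net at fw1/fw1 kernel: Drop packet IN=eth0 OUT= "
    "MAC=00:30:00:28:00:c0:00:b0:4a:00:32:00:08:00 SRC=203.0.113.95 "
    "DST=198.51.100.108 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=22622 DF "
    "PROTO=TCP SPT=4380 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0",
    # Same format but with a literal "@" (assumed original form of " at ").
    "Nov  5 12:21:10 mx1.example.net@mx1/mx1 sendmail[10801]: hA5ALAnY010801: "
    "from=<nagios@example.com>, size=0, class=0, nrcpts=0, proto=SMTP, "
    "daemon=Daemon0, relay=relay.example.com [203.0.113.7]",
    # A plain syslog line with no extra token; must pass through unchanged.
    "Nov  5 12:21:11 mx1.example.net sendmail[10801]: hA5ALAnY010801: "
    "to=<ops@example.com>, stat=Sent",
]

# timestamp, full hostname, optional "@short/name" or " at short/name" token,
# then "program[pid]: message" (pid optional).
HOST_FIELD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<fqdn>[^\s@/]+)"
    r"(?:(?:@| at )(?P<short>[^\s/]+)/(?P<name>\S+))?"
    r"\s+(?P<rest>(?P<program>[A-Za-z0-9_.-]+)(?:\[\d+\])?:\s.*)$"
)

KV = re.compile(r"(\w+)=(\S*)")


def normalize(line):
    """Return (fqdn, program, standard_syslog_line) or None if the line does not parse.

    The extra host token is dropped so the result is "timestamp host program: message".
    """
    m = HOST_FIELD.match(line)
    if not m:
        return None
    std = f"{m['ts']} {m['fqdn']} {m['rest']}"
    return m["fqdn"], m["program"], std


def split_by_host(lines):
    """Group normalized lines by originating host.

    Returns (groups, unparsed): groups maps fqdn -> [(program, std_line), ...],
    unparsed lists lines that did not match so they are not silently lost.
    """
    by_host = defaultdict(list)
    unparsed = []
    for line in lines:
        parsed = normalize(line)
        if parsed is None:
            unparsed.append(line)
            continue
        fqdn, program, std = parsed
        by_host[fqdn].append((program, std))
    return dict(by_host), unparsed


def netfilter_fields(std_line):
    """Extract KEY=VALUE pairs from a normalized kernel drop line.

    Bare flags such as DF and SYN carry no "=" and are ignored; an empty value
    (e.g. "OUT=" on an inbound drop) is kept as an empty string.
    """
    message = std_line.split("kernel: ", 1)[1]
    return dict(KV.findall(message))


if __name__ == "__main__":
    groups, bad = split_by_host(SAMPLE_LINES)
    for host, entries in sorted(groups.items()):
        print(f"== {host} ==")
        for program, std in entries:
            print(f"  [{program}] {std}")
    print("unparsed lines:", len(bad))
```

In practice the normalized lines for one host would be written to a per-host file that the report run reads instead of the combined log; the unparsed list is worth printing after each run, since a format the regex does not recognise is exactly the kind of line that produces an empty report page without any error.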