Central logging with new syslog-ng targets

[banym]

Are there some best practices how to implement central loggin with multiple firewalls using new syslog-ng?

I plan to setup a graylog instance for all loggs to be collected.

• Are the loggs tagged with the hostnames of the machines so I can point multiple firewalls to one log-server and still be able to review them by hostname?
• If I have a HA-Cluster how are the loggs processed from both machines? Do they need to be configured by machine or is thet loggin switched as the secondary becommes active?

Regards,

Dominik

[abraxxa]

syslog already includes the source host(name) in each log message, just read RFC3164 and RFC5424.
The is a Logstash plugin for parsing the firewall logs by Fabian: https://github.com/fabianfrz/logstash-filter-opnsensefilter

[banym]

Well o.k I do have the hostname in source but thats not the FQDN only the hostname.
I combine it in my filters with the IP so I can identify the logs for now for each host.

Since I have multible firewalls named fw1 for example only the FQDN would differ.

For now it works to seperate the logs. Will check how the HA-Cluster the next days.

Thanks for the references to the RFCS.

Regards,

Dominik

[abraxxa]

The 19.7.3 release notes mention that the fqdn is now sent.
Naming firewalls differently would still by my preferred option.

[banym]

Thank you for the hint. Saw it already but had no time to start updating on of the firewalls to verify it is what I need.