Central logging with new syslog-ng targets

Started by banym, August 16, 2019, 02:13:36 PM

Are there any best practices for how to implement central logging with multiple firewalls using the new syslog-ng?

I plan to set up a Graylog instance for all logs to be collected.

  • Are the logs tagged with the hostnames of the machines, so I can point multiple firewalls to one log server and still be able to review them by hostname?
  • If I have an HA-Cluster, how are the logs processed from both machines? Do they need to be configured per machine, or is the logging switched over as the secondary becomes active?

Regards,

Dominik
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

syslog already includes the source host(name) in each log message; just read RFC 3164 and RFC 5424.
There is a Logstash plugin for parsing the firewall logs by Fabian: https://github.com/fabianfrz/logstash-filter-opnsensefilter

Well, OK, I do have the hostname in the source, but that's not the FQDN, only the hostname.
I combine it in my filters with the IP, so for now I can identify the logs for each host.

Since I have multiple firewalls named fw1, for example, only the FQDN would differ.

For now it works to separate the logs. Will check the HA-Cluster in the next days.

Thanks for the references to the RFCs.

Regards,

Dominik
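To illustrate the two points above (the HOSTNAME field that RFC 3164 and RFC 5424 carry, and the workaround of combining a short hostname with the sender IP when several firewalls are all called fw1), here is an added example that is not from the original thread or from OPNsense/syslog-ng. The sample lines, IPs and hostnames are constructed; nothing is tied to a real deployment.

```python
"""Extract HOSTNAME from RFC 3164 / RFC 5424 syslog lines and build a
per-firewall key that stays unique when firewalls share a short hostname."""
import re
from collections import Counter
from typing import Callable, NamedTuple, Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424 = re.compile(r"^<(\d{1,3})>(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$")
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG...
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


class SyslogRecord(NamedTuple):
    src_ip: str    # sender address as seen by the log server (constructed here)
    hostname: str  # HOSTNAME field exactly as the firewall wrote it
    rest: str      # everything after the hostname (app/tag, structured data, msg)


def parse(src_ip: str, line: str) -> Optional[SyslogRecord]:
    """Return hostname and remainder of a syslog line, or None if it matches neither RFC."""
    m = RFC5424.match(line)
    if m:
        return SyslogRecord(src_ip, m.group(4), m.group(8))
    m = RFC3164.match(line)
    if m:
        return SyslogRecord(src_ip, m.group(3), m.group(4))
    return None


def host_key(rec: SyslogRecord) -> str:
    """Use an FQDN as-is; disambiguate a short hostname with the sender IP
    (the filter workaround described in the thread)."""
    if "." in rec.hostname and not rec.hostname.replace(".", "").isdigit():
        return rec.hostname
    return f"{rec.hostname}[{rec.src_ip}]"


def count_by(lines, key: Callable[[SyslogRecord], str]) -> Counter:
    """Count parsable lines per key; unparsable lines are dropped, not guessed."""
    recs = (parse(ip, line) for ip, line in lines)
    return Counter(key(r) for r in recs if r is not None)


# Constructed sample: two firewalls both named "fw1" plus one that sends an FQDN.
SAMPLE = [
    ("192.0.2.10", "<134>1 2019-08-16T14:13:36+02:00 fw1 filterlog 3821 - - block in on igb0"),
    ("192.0.2.20", "<134>1 2019-08-16T14:13:37+02:00 fw1 filterlog 4412 - - pass in on igb0"),
    ("192.0.2.20", "<38>Aug 16 14:13:38 fw1 sshd[712]: Accepted publickey for admin"),
    ("192.0.2.30", "<134>1 2019-08-16T14:13:39+02:00 fw1.site-b.example filterlog 901 - - block in on igb1"),
]

if __name__ == "__main__":
    print(count_by(SAMPLE, lambda r: r.hostname))  # both fw1 boxes collapse into one bucket
    print(count_by(SAMPLE, host_key))              # three distinct firewalls
```

Grouping by the raw HOSTNAME merges the two fw1 firewalls; grouping by host_key keeps them apart until every firewall sends a distinct FQDN.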

The 19.7.3 release notes mention that the FQDN is now sent.
Naming firewalls differently would still be my preferred option.

Thank you for the hint. Saw it already, but had no time to start updating one of the firewalls to verify it is what I need. :)