The syslog-ng PE application can store log messages securely in encrypted, compressed and timestamped binary files. Timestamps can be requested from an external Timestamping Authority (TSA).
Logstore files consist of individual chunks, every chunk can be encrypted, compressed, and timestamped separately. Chunks contain compressed log messages and header information needed for retrieving messages from the logstore file.
The syslog-ng PE application generates a SHA-1 hash for every chunk to verify the integrity of the chunk. The hashes of the chunks are chained together to prevent injecting chunks into the logstore file. The syslog-ng PE application can encrypt the logstore using various algorithms; by default it uses the aes128 encryption algorithm in CBC mode and the hmac-sha1 hashing (HMAC) algorithm.
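The following Python script is an added illustration of the chaining idea described above; it is not syslog-ng PE code and does not reproduce the logstore binary layout. It models each chunk as a SHA-1 over the previous chunk's hash plus the payload, with an HMAC-SHA1 over every chain hash (the key, the zero chain seed and the record layout are constructed assumptions). The point it makes is a practitioner's one: a hash chain alone detects a naively spliced-in chunk, but someone who can recompute every later hash leaves the chain consistent, so the chain has to be anchored by something they cannot produce, such as the HMAC key or an external TSA timestamp.

```python
import hashlib
import hmac

# Illustrative model only: it mirrors the ideas the text describes (a SHA-1 hash per
# chunk, hashes chained together, an HMAC over each link), not the real on-disk format
# of syslog-ng PE logstore files. DEMO_KEY and EMPTY are constructed assumptions.
DEMO_KEY = b"constructed-demo-key"
EMPTY = bytes(20)  # chain seed used before the first chunk (assumption)


def chunk_hash(prev_hash: bytes, payload: bytes) -> bytes:
    """SHA-1 over the previous chunk's hash and this chunk's payload: the chain link."""
    return hashlib.sha1(prev_hash + payload).digest()


def chunk_mac(key: bytes, chain_hash: bytes) -> bytes:
    """HMAC-SHA1 over the chain hash, so only a key holder can vouch for a link."""
    return hmac.new(key, chain_hash, hashlib.sha1).digest()


def build_store(payloads, key=DEMO_KEY):
    """Produce a store as a list of (payload, chain_hash, mac) records."""
    prev, records = EMPTY, []
    for payload in payloads:
        h = chunk_hash(prev, payload)
        records.append((payload, h, chunk_mac(key, h)))
        prev = h
    return records


def verify_store(records, key=DEMO_KEY):
    """Return the index of the first chunk that fails verification, or -1 if all pass.
    With key=None only the hash chain is checked (no HMAC)."""
    prev = EMPTY
    for i, (payload, h, mac) in enumerate(records):
        if chunk_hash(prev, payload) != h:
            return i  # chain broken: chunk reordered, spliced in, or its predecessor removed
        if key is not None and not hmac.compare_digest(chunk_mac(key, h), mac):
            return i  # chain consistent, but no key holder vouched for this link
        prev = h
    return -1


def splice_copy(records, index, copied_from):
    """Tampering scenario 1: an existing chunk is copied and spliced in without rehashing."""
    out = list(records)
    out.insert(index, records[copied_from])
    return out


def rehash_chain(records, index, payload):
    """Tampering scenario 2: a chunk is inserted and every later chain hash is recomputed.
    MACs before the insertion point are reused; from it on they cannot be produced
    without the key, so zeros stand in for them."""
    payloads = [r[0] for r in records]
    payloads.insert(index, payload)
    prev, out = EMPTY, []
    for i, p in enumerate(payloads):
        h = chunk_hash(prev, p)
        mac = records[i][2] if i < index else EMPTY
        out.append((p, h, mac))
        prev = h
    return out


if __name__ == "__main__":
    store = build_store([b"msg 1", b"msg 2", b"msg 3"])
    print("intact:", verify_store(store))                            # -1
    print("spliced copy:", verify_store(splice_copy(store, 1, 2)))   # 1
    rehashed = rehash_chain(store, 1, b"injected")
    print("rehashed, chain only:", verify_store(rehashed, key=None))  # -1
    print("rehashed, with HMAC:", verify_store(rehashed))             # 1
```

The last two lines of output are the ones to read together: checking only the chain reports the rehashed store as intact, while the keyed check stops at the first link the tamperer could not authenticate. Anchoring the chain with a TSA timestamp, as the text mentions, serves the same purpose for chunks written before a given point in time.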
In the following example, a simple logstore destination is added which stores logs with maximum compression.
To store messages in encrypted files
- Open the /opt/syslog-ng/etc/syslog-ng.conf configuration file in a text editor
- Locate the line starting with destination d_messages
- Add the following lines right below:
    destination d_logstore {
        logstore("/var/log/messages.lgs" compress(9) );
    };
- Locate the line containing destination(d_messages)
- Add the following line right below:
    destination(d_logstore)
- Restart syslog-ng for the configuration changes to take effect
Validating the changes
You can verify that logs are arriving in the logstore using the following command:
/opt/syslog-ng/bin/logcat /var/log/messages.lgs
As mentioned earlier, syslog-ng PE can be turned into a relay. This functionality is often used on larger networks, or when logs are collected from network devices using UDP and forwarded to a central location using the more reliable TCP or ALTP protocols. When used as a relay, syslog-ng PE does not store the logs locally, but forwards them immediately to the central syslog-ng PE server.
In this example, a syslog-ng PE Linux client is reconfigured as a relay.
To configure syslog-ng PE as a relay
- Open /opt/syslog-ng/etc/syslog-ng.conf in a text editor
- Remove the current log statement: starting with the line log {, delete everything until the end of the file
- Add a new UDP source for router logs:
    source s_udp { udp(); };
- Add a new log path for storing local logs locally:
    log { source(s_local); destination(d_messages); };
- Add a new log path for sending both local messages and logs collected from the UDP source to the central server:
    log {
        source(s_local);
        source(s_udp);
        destination(d_logserver);
    };
Validating the changes
Test the relay by executing the following command on the relay machine:
/opt/syslog-ng/bin/loggen -i -D localhost 514
It generates about a thousand messages a second and sends them to the UDP port of the local syslog-ng PE relay. Running tail /var/log/messages on the relay should not show any of the generated messages, but running the same command on the server machine should show a large number of lines similar to the following:
Sep 20 21:18:09 relayhost prg00000[1234]: seq: 0000009458, thread: 0000, runid: 1379704679, stamp: 2013-09-20T21:18:09 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD
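Because the loggen lines carry a sequence number per run and thread, the server-side check can go further than "a large number of similar lines": counting what arrived and looking for missing sequence numbers tells you whether the UDP leg between the relay and the server dropped anything. The script below is an added example, not part of the syslog-ng PE documentation or tooling; the sample lines are constructed in the format of the line shown above, and the assumption that seq counts from zero per (runid, thread) is mine.

```python
import re
from collections import defaultdict

# Constructed sample in the format loggen produces, modelled on the single line the text
# shows; seq 2 of thread 0000 is deliberately absent to stand in for a dropped datagram.
SAMPLE = """\
Sep 20 21:18:09 relayhost prg00000[1234]: seq: 0000000000, thread: 0000, runid: 1379704679, stamp: 2013-09-20T21:18:09 PADDPADD
Sep 20 21:18:09 relayhost prg00000[1234]: seq: 0000000001, thread: 0000, runid: 1379704679, stamp: 2013-09-20T21:18:09 PADDPADD
Sep 20 21:18:09 relayhost prg00000[1234]: seq: 0000000003, thread: 0000, runid: 1379704679, stamp: 2013-09-20T21:18:09 PADDPADD
Sep 20 21:18:09 relayhost prg00000[1234]: seq: 0000000004, thread: 0000, runid: 1379704679, stamp: 2013-09-20T21:18:09 PADDPADD
Sep 20 21:18:10 relayhost sshd[999]: Accepted publickey for admin from 10.0.0.5 port 2222
Sep 20 21:18:10 relayhost prg00000[1234]: seq: 0000000000, thread: 0001, runid: 1379704679, stamp: 2013-09-20T21:18:10 PADDPADD
Sep 20 21:18:10 relayhost prg00000[1234]: seq: 0000000001, thread: 0001, runid: 1379704679, stamp: 2013-09-20T21:18:10 PADDPADD
"""

# Matches the seq/thread/runid triple of a loggen message; other syslog lines are ignored.
LOGGEN_RE = re.compile(r"seq: (?P<seq>\d+), thread: (?P<thread>\d+), runid: (?P<runid>\d+)")


def parse_loggen(lines):
    """Yield (runid, thread, seq) for every line that looks like loggen output."""
    for line in lines:
        m = LOGGEN_RE.search(line)
        if m:
            yield m["runid"], m["thread"], int(m["seq"])


def has_loggen_lines(lines):
    """True if any loggen message is present; on the relay this should be False."""
    return any(True for _ in parse_loggen(lines))


def count_received(lines):
    """Messages seen per (runid, thread): what the server actually stored."""
    counts = defaultdict(int)
    for runid, thread, _ in parse_loggen(lines):
        counts[(runid, thread)] += 1
    return dict(counts)


def find_gaps(lines):
    """Missing sequence numbers per (runid, thread), assuming seq is contiguous from the
    lowest value seen. Any gap on the server points at loss on the UDP leg."""
    seen = defaultdict(set)
    for runid, thread, seq in parse_loggen(lines):
        seen[(runid, thread)].add(seq)
    gaps = {}
    for key, seqs in seen.items():
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - seqs)
        if missing:
            gaps[key] = missing
    return gaps


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print("loggen lines present:", has_loggen_lines(lines))  # True on the server
    print("received:", count_received(lines))
    print("gaps:", find_gaps(lines))  # {('1379704679', '0000'): [2]}
```

On the server, run it over the tail of /var/log/messages after a loggen burst; on the relay, has_loggen_lines over the same file should come back False, which is exactly the "does not store the logs locally" property the text describes. A non-empty gaps dictionary is the reason the text recommends TCP or ALTP for the hop to the central server.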
Example syslog-ng PE configuration
The following is an example configuration that the installer generates during the installation process:
@version: 7.0
#Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# https://syslog-ng.com/documentation
#
@include "scl.conf"
options {
};
######
# sources
source s_local {
    # message generated by Syslog-NG
    internal();
    system();
};
######
# destinations
destination d_messages { file("/var/log/messages"); };
destination d_logserver { tcp("192.168.1.1"); };
log {
    source(s_local);
    destination(d_messages);
    destination(d_logserver);
};