10.5. System logging

Syslog-ng is the native and recommended logging service for Zorp. Its configuration is stored in the /etc/syslog-ng/syslog-ng.conf file.

For more detailed information and instructions on system logging, see chapter Syslog-ng, the Syslog reference manual accessible from Appendix A, and the installed manual pages for both syslog-ng (the utility) and syslog-ng.conf (the configuration file).

After editing and saving syslog-ng.conf manually, make the change effective by running the /etc/init.d/syslog-ng script with the reload argument (re-reads the configuration without dropping the daemon) or the restart argument (stops and starts the daemon). The default configuration shipped with Zorp routes all relevant system, ISC BIND 9 and NTP messages to the /var/log/messages file and also to the console on /dev/tty8.

If you have a separate, central syslog-ng server for collecting messages from critical network hosts, such as the firewall(s), you can route (log) messages using the following steps.

  1. Set up a new destination of TCP or UDP type in syslog-ng.conf on the firewall, with the IP address of your syslog-ng server. Prefer TCP: UDP datagrams are silently dropped when the network or the server is overloaded, and a firewall's logs are exactly the ones you do not want to lose. With either transport these legacy tcp() and udp() drivers carry messages in cleartext, so the path between the firewall and the log server must be a trusted one.

    Example 10.1. Specifying the target IP address of a TCP destination

    The IP address of the syslog-ng server is 10.20.30.40 in this example.

    destination d_tcp { tcp("10.20.30.40" port(1999) localport(999)); };

    Options inside the driver are separated by whitespace, not semicolons. Supplying port information is optional; if no port() is set, the default port 514 is used by both the tcp() and the udp() driver. The localport() option fixes the source port of the outgoing connection, which is useful when the packet filter between the firewall and the log server only permits a specific port; binding a port below 1024 requires the syslog-ng process to run as root.

  2. Decide what sources (s1, s2 here) shall be logged to the syslog-ng server and set up a log path accordingly. Note that filters are optional.

    log { source(s1); source(s2); filter(f1); destination(d_tcp); };
  3. Define a matching tcp() or udp() source on the syslog-ng server. Its ip() option is the local address the server listens on (10.20.30.40 here), not the address of the firewall, and its port() must be the port the firewall sends to. To accept messages from the firewall only, add a netmask() filter with the firewall's address to the server's log path, and restrict the listening port on the server's own packet filter to the firewall's address as well.

    Note

    Specify the port numbers carefully. The corresponding ports must match on both sides.
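Both ends of the forwarding path described in steps 1 to 3, written out as one added example (not configuration shipped with Zorp or taken from the syslog-ng manual). It uses the classic syslog-ng syntax of the fragments above; the server address 10.20.30.40 and port 1999 come from the section, while the firewall address 192.0.2.1, the source and destination names, the filter levels and the /var/log/remote path are assumptions for illustration.

```conf
# Added example, not from the Zorp manual. Addresses other than 10.20.30.40,
# object names, levels and paths are assumed for illustration.

# ---- firewall side: /etc/syslog-ng/syslog-ng.conf (relevant parts) ----
options { use_dns(no); keep_hostname(yes); };

source s_local {
    internal();                 # syslog-ng's own status messages
    unix-stream("/dev/log");    # local syslog() clients, including Zorp
};

# Step 1: TCP destination with an explicit remote port and a fixed source
# port, so the packet filter in between can allow exactly 999 -> 1999.
destination d_tcp { tcp("10.20.30.40" port(1999) localport(999)); };

# Keep the local copy the default configuration writes.
destination d_messages { file("/var/log/messages"); };

# Optional filter: forward only messages of priority notice or higher.
filter f_notice { level(notice..emerg); };

# Step 2: log path from the chosen source(s), through the filter, to the server.
log { source(s_local); filter(f_notice); destination(d_tcp); };
log { source(s_local); destination(d_messages); };

# ---- log server side: /etc/syslog-ng/syslog-ng.conf (relevant parts) ----
options { use_dns(no); keep_hostname(yes); chain_hostnames(no); };

# Step 3: ip() is the server's OWN address to bind; port() must equal the
# port() of the firewall's destination (1999), not its localport().
source s_net { tcp(ip("10.20.30.40") port(1999) max_connections(10)); };

# Accept only the firewall. netmask() tests the sender's IP address, which,
# unlike the hostname field inside the message, the sender cannot forge
# without also defeating the packet filter (192.0.2.1 is assumed).
filter f_firewall { netmask("192.0.2.1/32"); };

# One file per sending host, directories created on demand.
destination d_remote { file("/var/log/remote/$HOST/messages" create_dirs(yes)); };

log { source(s_net); filter(f_firewall); destination(d_remote); };
```

On syslog-ng 2.0 and later, syslog-ng -s checks the syntax of the file without starting the daemon; run it on both hosts before /etc/init.d/syslog-ng reload. To verify the path end to end, run logger -p daemon.notice "forwarding test" on the firewall and watch /var/log/remote/<firewall hostname>/messages on the server; if nothing arrives, confirm with tcpdump on the server that connections from 192.0.2.1:999 to port 1999 actually reach it before suspecting the configuration.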