windowsのイベントログをsyslog-ngで集める


ntsyslog日本語版とsyslog-ngを組み合わせてみようと思い立ったわけです。

以前は、VBScriptで作ったツールで毎日のタスクでcsvファイルにして保存してました。
その手間(手間じゃないけど)がなくなるのはうれしいことです。

ただ、Windowsのログは手ごわかったです。
以下のログ中の文字列を$HOSTとして認識してしまうのです。
例:ese、microsoft、msexchangeis、ntds、removable、rpc、secure、server、service、symantec、web
これはNTSyslogの仕様なのか、Windowsのイベントログの仕様なのかはわかりませんが、
このままじゃどうしようもないので、Windowsのログはlocal0.debugなどにそれぞれ割り振りました。
その結果、このようなsyslog-ngの設定ファイルになりました。

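options {
        # Write each message out immediately instead of buffering lines.
        sync (0);
        # Seconds to wait before retrying a destination that could not be opened.
        time_reopen (10);
        # Output queue size, in messages, per destination.
        log_fifo_size (1000);
        # Do not prepend the relaying host's name to the hostname field.
        long_hostnames (off);
        # Resolve the address of every remote sender to a name. Together with
        # use_fqdn(no) this gives the short name that the host() filters below
        # compare against. Lookups may block the daemon, so each sender should
        # resolve quickly (reverse DNS or /etc/hosts entries).
        use_dns (yes);
        use_fqdn (no);
        # Create /var/log/syslog-ng/<device>/... directories as needed.
        create_dirs (yes);
        # Do NOT trust the hostname field inside a received message. With
        # keep_hostname(yes) the sender decides what $HOST is, and the Windows
        # events relayed by ntsyslog were parsed so that strings such as "ese",
        # "rpc" or "secure" showed up as $HOST. With keep_hostname(no) $HOST is
        # the resolved name of the sending address instead.
        # Prerequisite: each network device must resolve to exactly the short
        # name used in its host() filter (internet-gw, firewall, L3Switch,
        # pppoe-router, subnet-gw); otherwise revert to keep_hostname(yes).
        keep_hostname (no);
        # Drop messages whose hostname contains invalid characters. $HOST is
        # used as part of a file name (d_separatedbyhosts), so it must never
        # carry path separators or other unexpected characters.
        check_hostname (yes);
        # Emit internal statistics once a day.
        stats(86400);
        # Log directories and files are readable by root and group root only.
        dir_perm(0750);
        perm(0640);
        owner(root);
        group(root);
};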

#
# configuration file for syslog-ng, customized for remote logging
#

#
# syslog-ng's own messages (startup, statistics, errors) go to a dedicated file.
#
source s_internal {
        internal();
};

destination d_syslognglog {
        file("/var/log/syslog-ng.log");
};

log {
        source(s_internal);
        destination(d_syslognglog);
};

#
# Local sources, filters and destinations for this host.
# NOTE(review): the package template describes this part as "commented out",
# but here it is active, so syslog-ng replaces sysklogd on this machine and
# sysklogd must be disabled.
#
# Local sources
#
source s_local {
        unix-stream ("/dev/log");
        pipe ("/proc/kmsg" log_prefix ("kernel:"));
};

#
# Local filters
#
filter f_messages { level(info..emerg); };
filter f_secure   { facility(authpriv); };
filter f_maillog  { facility(mail); };
filter f_cron     { facility(cron); };
filter f_emerg    { level(emerg); };
filter f_spooler  { level(crit..emerg) and facility(uucp, news); };
filter f_local7   { facility(local7); };

#
# Local destinations
#
destination d_messages { file("/var/log/messages"); };
destination d_secure   { file("/var/log/secure"); };
destination d_maillog  { file("/var/log/maillog"); };
destination d_cron     { file("/var/log/cron"); };
destination d_console  { usertty("root"); };
destination d_spooler  { file("/var/log/spooler"); };
destination d_bootlog  { file("/var/log/boot.log"); };

#
# Local logs - order DOES matter !
# flags(final) stops a matched message from also reaching the later,
# more general statements (e.g. authpriv messages stay out of /var/log/messages).
#
log { source(s_local); filter(f_emerg);    destination(d_console); };
log { source(s_local); filter(f_secure);   destination(d_secure);  flags(final); };
log { source(s_local); filter(f_maillog);  destination(d_maillog); flags(final); };
log { source(s_local); filter(f_cron);     destination(d_cron);    flags(final); };
log { source(s_local); filter(f_spooler);  destination(d_spooler); };
log { source(s_local); filter(f_local7);   destination(d_bootlog); };
log { source(s_local); filter(f_messages); destination(d_messages); };

#
# Remote logging
#
# Listens on every interface. UDP carries no sender authentication, so the
# facility/level of a message - and, with keep_hostname(yes), its hostname -
# are only as trustworthy as the network that can reach port 514. Limit who
# can reach this port at the network/host firewall, or bind ip() to the
# management address instead of 0.0.0.0.
# NOTE(review): the tcp() source has a small default connection limit
# (max_connections()); raise it if several hosts send over TCP.
#
source s_remote {
        tcp(ip(0.0.0.0) port(514));
        udp(ip(0.0.0.0) port(514));
};

#
# Network device filters
# Each device is selected by its hostname as seen in $HOST.
#
filter f_internet-gw  { host("internet-gw"); };
filter f_firewall     { host("firewall"); };
filter f_L3Switch     { host("L3Switch"); };
filter f_pppoe-router { host("pppoe-router"); };
filter f_subnet-gw    { host("subnet-gw"); };

#
# Windows Server filters
# Each Windows event log is sent by ntsyslog with a fixed facility/level pair
# (local0.debug and so on), because the hostname in those messages cannot be
# relied on. Where a network device shares the facility, that device is
# excluded by name so the two streams do not collide.
# NOTE(review): apart from that one exclusion, any sender that reaches port 514
# and uses local0-local6 lands in these files; matching the sending host as
# well (host(), or a netmask() filter if this syslog-ng supports it) would
# make the selection stricter.
#

# Domain controller 1: local0, shares the facility with "firewall".
filter f_domain_controler_1_application      { facility(local0) and level(debug)   and not host("firewall"); };
filter f_domain_controler_1_directory        { facility(local0) and level(info)    and not host("firewall"); };
filter f_domain_controler_1_dns              { facility(local0) and level(notice)  and not host("firewall"); };
filter f_domain_controler_1_file_replication { facility(local0) and level(warning) and not host("firewall"); };
filter f_domain_controler_1_security         { facility(local0) and level(error)   and not host("firewall"); };
filter f_domain_controler_1_system           { facility(local0) and level(crit)    and not host("firewall"); };

# Domain controller 2: local1, shares the facility with "internet-gw".
# NOTE(review): the application log uses emerg rather than debug here -
# presumably this mirrors the ntsyslog mapping on that host; confirm.
filter f_domain_controler_2_application      { facility(local1) and level(emerg)   and not host("internet-gw"); };
filter f_domain_controler_2_directory        { facility(local1) and level(info)    and not host("internet-gw"); };
filter f_domain_controler_2_dns              { facility(local1) and level(notice)  and not host("internet-gw"); };
filter f_domain_controler_2_file_replication { facility(local1) and level(warning) and not host("internet-gw"); };
filter f_domain_controler_2_security         { facility(local1) and level(error)   and not host("internet-gw"); };
filter f_domain_controler_2_system           { facility(local1) and level(crit)    and not host("internet-gw"); };

# Exchange 1 and 2 both use local2 and are told apart by level only.
filter f_exchange_1_application { facility(local2) and level(debug)   and not host("subnet-gw"); };
filter f_exchange_1_security    { facility(local2) and level(info)    and not host("subnet-gw"); };
filter f_exchange_1_system      { facility(local2) and level(notice)  and not host("subnet-gw"); };

filter f_exchange_2_application { facility(local2) and level(warning) and not host("subnet-gw"); };
filter f_exchange_2_security    { facility(local2) and level(error)   and not host("subnet-gw"); };
filter f_exchange_2_system      { facility(local2) and level(crit)    and not host("subnet-gw"); };

# Citrix 1 and 2 both use local4 and are told apart by level only.
filter f_Citrix_1_application { facility(local4) and level(debug)   and not host("pppoe-router"); };
filter f_Citrix_1_security    { facility(local4) and level(info)    and not host("pppoe-router"); };
filter f_Citrix_1_system      { facility(local4) and level(notice)  and not host("pppoe-router"); };

filter f_Citrix_2_application { facility(local4) and level(warning) and not host("pppoe-router"); };
filter f_Citrix_2_security    { facility(local4) and level(error)   and not host("pppoe-router"); };
filter f_Citrix_2_system      { facility(local4) and level(crit)    and not host("pppoe-router"); };

# Exchange front end: local5, no network device on this facility.
filter f_exchange_front_application { facility(local5) and level(debug); };
filter f_exchange_front_security    { facility(local5) and level(error); };
filter f_exchange_front_system      { facility(local5) and level(crit); };
filter f_exchange_front_virtual     { facility(local5) and level(alert); };

# ISA 2004 and the Citrix gateway share local6, told apart by level only.
filter f_isa2004_application { facility(local6) and level(debug); };
filter f_isa2004_security    { facility(local6) and level(info); };
filter f_isa2004_system      { facility(local6) and level(notice); };

filter f_citrix_gateway_application    { facility(local6) and level(warning); };
filter f_citrix_gateway_security       { facility(local6) and level(error); };
filter f_citrix_gateway_system         { facility(local6) and level(crit); };
filter f_citrix_gateway_secure_gateway { facility(local6) and level(alert); };

#
# Network device log destinations
# One directory per device, one file per day (create_dirs(yes) makes the
# directories; dir_perm/perm/owner/group from the options apply).
#
destination d_internet-gw  { file("/var/log/syslog-ng/internet-gw/$YEAR$MONTH$DAY.log"); };
destination d_firewall     { file("/var/log/syslog-ng/firewall/$YEAR$MONTH$DAY.log"); };
destination d_L3Switch     { file("/var/log/syslog-ng/L3Switch/$YEAR$MONTH$DAY.log"); };
destination d_pppoe-router { file("/var/log/syslog-ng/PPPoE-router/$YEAR$MONTH$DAY.log"); };
destination d_subnet-gw    { file("/var/log/syslog-ng/subnet-gw/$YEAR$MONTH$DAY.log"); };

#
# Windows Server log destinations
# Layout: /var/log/syslog-ng/<server>/<event log>/<YYYYMMDD>.log
# The file name contains only fixed text and date macros, never anything
# taken from the message itself.
#
destination d_domain_controler_1_application      { file("/var/log/syslog-ng/domain_controler_1/application/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_1_directory        { file("/var/log/syslog-ng/domain_controler_1/directory/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_1_dns              { file("/var/log/syslog-ng/domain_controler_1/dns/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_1_file_replication { file("/var/log/syslog-ng/domain_controler_1/file_replication/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_1_security         { file("/var/log/syslog-ng/domain_controler_1/security/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_1_system           { file("/var/log/syslog-ng/domain_controler_1/system/$YEAR$MONTH$DAY.log"); };

destination d_domain_controler_2_application      { file("/var/log/syslog-ng/domain_controler_2/application/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_2_directory        { file("/var/log/syslog-ng/domain_controler_2/directory/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_2_dns              { file("/var/log/syslog-ng/domain_controler_2/dns/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_2_file_replication { file("/var/log/syslog-ng/domain_controler_2/file_replication/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_2_security         { file("/var/log/syslog-ng/domain_controler_2/security/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_2_system           { file("/var/log/syslog-ng/domain_controler_2/system/$YEAR$MONTH$DAY.log"); };

destination d_exchange_1_application { file("/var/log/syslog-ng/exchange_1/application/$YEAR$MONTH$DAY.log"); };
destination d_exchange_1_security    { file("/var/log/syslog-ng/exchange_1/security/$YEAR$MONTH$DAY.log"); };
destination d_exchange_1_system      { file("/var/log/syslog-ng/exchange_1/system/$YEAR$MONTH$DAY.log"); };

destination d_exchange_2_application { file("/var/log/syslog-ng/exchange_2/application/$YEAR$MONTH$DAY.log"); };
destination d_exchange_2_security    { file("/var/log/syslog-ng/exchange_2/security/$YEAR$MONTH$DAY.log"); };
destination d_exchange_2_system      { file("/var/log/syslog-ng/exchange_2/system/$YEAR$MONTH$DAY.log"); };

destination d_Citrix_1_application { file("/var/log/syslog-ng/Citrix_1/application/$YEAR$MONTH$DAY.log"); };
destination d_Citrix_1_security    { file("/var/log/syslog-ng/Citrix_1/security/$YEAR$MONTH$DAY.log"); };
destination d_Citrix_1_system      { file("/var/log/syslog-ng/Citrix_1/system/$YEAR$MONTH$DAY.log"); };

destination d_Citrix_2_application { file("/var/log/syslog-ng/Citrix_2/application/$YEAR$MONTH$DAY.log"); };
destination d_Citrix_2_security    { file("/var/log/syslog-ng/Citrix_2/security/$YEAR$MONTH$DAY.log"); };
destination d_Citrix_2_system      { file("/var/log/syslog-ng/Citrix_2/system/$YEAR$MONTH$DAY.log"); };

destination d_exchange_front_application { file("/var/log/syslog-ng/exchange_front/application/$YEAR$MONTH$DAY.log"); };
destination d_exchange_front_security    { file("/var/log/syslog-ng/exchange_front/security/$YEAR$MONTH$DAY.log"); };
destination d_exchange_front_system      { file("/var/log/syslog-ng/exchange_front/system/$YEAR$MONTH$DAY.log"); };
destination d_exchange_front_virtual     { file("/var/log/syslog-ng/exchange_front/virtual/$YEAR$MONTH$DAY.log"); };

destination d_isa2004_application { file("/var/log/syslog-ng/isa2004/application/$YEAR$MONTH$DAY.log"); };
destination d_isa2004_security    { file("/var/log/syslog-ng/isa2004/security/$YEAR$MONTH$DAY.log"); };
destination d_isa2004_system      { file("/var/log/syslog-ng/isa2004/system/$YEAR$MONTH$DAY.log"); };

destination d_citrix_gateway_application    { file("/var/log/syslog-ng/citrix_gateway/application/$YEAR$MONTH$DAY.log"); };
destination d_citrix_gateway_security       { file("/var/log/syslog-ng/citrix_gateway/security/$YEAR$MONTH$DAY.log"); };
destination d_citrix_gateway_system         { file("/var/log/syslog-ng/citrix_gateway/system/$YEAR$MONTH$DAY.log"); };
destination d_citrix_gateway_secure_gateway { file("/var/log/syslog-ng/citrix_gateway/secure_gateway/$YEAR$MONTH$DAY.log"); };

#
# Network device log paths
# No flags(final) here: a device's messages also remain visible to the
# Windows filters below, which is why those exclude the device by name.
#
log { source(s_remote); filter(f_internet-gw);  destination(d_internet-gw); };
log { source(s_remote); filter(f_firewall);     destination(d_firewall); };
log { source(s_remote); filter(f_L3Switch);     destination(d_L3Switch); };
log { source(s_remote); filter(f_pppoe-router); destination(d_pppoe-router); };
log { source(s_remote); filter(f_subnet-gw);    destination(d_subnet-gw); };

#
# Windows Server log paths
# One log statement per (server, event log) pair, pairing each f_* filter
# with the d_* destination of the same name.
#
log { source(s_remote); filter(f_domain_controler_1_application);      destination(d_domain_controler_1_application); };
log { source(s_remote); filter(f_domain_controler_1_directory);        destination(d_domain_controler_1_directory); };
log { source(s_remote); filter(f_domain_controler_1_dns);              destination(d_domain_controler_1_dns); };
log { source(s_remote); filter(f_domain_controler_1_file_replication); destination(d_domain_controler_1_file_replication); };
log { source(s_remote); filter(f_domain_controler_1_security);         destination(d_domain_controler_1_security); };
log { source(s_remote); filter(f_domain_controler_1_system);           destination(d_domain_controler_1_system); };

log { source(s_remote); filter(f_domain_controler_2_application);      destination(d_domain_controler_2_application); };
log { source(s_remote); filter(f_domain_controler_2_directory);        destination(d_domain_controler_2_directory); };
log { source(s_remote); filter(f_domain_controler_2_dns);              destination(d_domain_controler_2_dns); };
log { source(s_remote); filter(f_domain_controler_2_file_replication); destination(d_domain_controler_2_file_replication); };
log { source(s_remote); filter(f_domain_controler_2_security);         destination(d_domain_controler_2_security); };
log { source(s_remote); filter(f_domain_controler_2_system);           destination(d_domain_controler_2_system); };

log { source(s_remote); filter(f_exchange_1_application); destination(d_exchange_1_application); };
log { source(s_remote); filter(f_exchange_1_security);    destination(d_exchange_1_security); };
log { source(s_remote); filter(f_exchange_1_system);      destination(d_exchange_1_system); };

log { source(s_remote); filter(f_exchange_2_application); destination(d_exchange_2_application); };
log { source(s_remote); filter(f_exchange_2_security);    destination(d_exchange_2_security); };
log { source(s_remote); filter(f_exchange_2_system);      destination(d_exchange_2_system); };

log { source(s_remote); filter(f_Citrix_1_application); destination(d_Citrix_1_application); };
log { source(s_remote); filter(f_Citrix_1_security);    destination(d_Citrix_1_security); };
log { source(s_remote); filter(f_Citrix_1_system);      destination(d_Citrix_1_system); };

log { source(s_remote); filter(f_Citrix_2_application); destination(d_Citrix_2_application); };
log { source(s_remote); filter(f_Citrix_2_security);    destination(d_Citrix_2_security); };
log { source(s_remote); filter(f_Citrix_2_system);      destination(d_Citrix_2_system); };

log { source(s_remote); filter(f_exchange_front_application); destination(d_exchange_front_application); };
log { source(s_remote); filter(f_exchange_front_security);    destination(d_exchange_front_security); };
log { source(s_remote); filter(f_exchange_front_system);      destination(d_exchange_front_system); };
log { source(s_remote); filter(f_exchange_front_virtual);     destination(d_exchange_front_virtual); };

log { source(s_remote); filter(f_isa2004_application); destination(d_isa2004_application); };
log { source(s_remote); filter(f_isa2004_security);    destination(d_isa2004_security); };
log { source(s_remote); filter(f_isa2004_system);      destination(d_isa2004_system); };

log { source(s_remote); filter(f_citrix_gateway_application);    destination(d_citrix_gateway_application); };
log { source(s_remote); filter(f_citrix_gateway_security);       destination(d_citrix_gateway_security); };
log { source(s_remote); filter(f_citrix_gateway_system);         destination(d_citrix_gateway_system); };
log { source(s_remote); filter(f_citrix_gateway_secure_gateway); destination(d_citrix_gateway_secure_gateway); };

#
# Extra line for checking the configuration: for now every captured remote
# message is also written into the test directory, split by host.
# NOTE(review): $HOST is taken from the message when keep_hostname(yes) is
# set, so here a remote sender influences part of the file name; keep this
# temporary line only while testing, and consider check_hostname(yes) in the
# options so that a hostname with unexpected characters is rejected.
#
destination d_separatedbyhosts {
        file("/var/log/syslog-ng/test/$HOST-$YEAR$MONTH$DAY.log");
};

# Unfiltered: everything from s_remote, in addition to the statements above.
log {
        source(s_remote);
        destination(d_separatedbyhosts);
};


このページは、くわぞうが2006年5月19日 17:12に書いたブログ記事です。
