Sunday, November 25, 2007

Syslog-ng For Dummies (or SCADA Folks)

Continuing on the cleaning-up-my-home-network (aka Dummy!) theme, I decided to turn on remote syslog from one of my routers. We use syslog-ng on a lot of our boxes at work, but I've never actually configured it on any of my Debian/Ubuntu boxes at home. How hard could it be? (HINT: A hell of a lot easier than on *BSD or *&$%*! Solaris)

1) Install the package

apt-get install syslog-ng

This removes the default syslogd and creates a nice config file in /etc/syslog-ng/syslog.conf that mirrors (I think) your old syslog.conf.

2) Enable remote UDP syslog:

Uncomment the udp() line in the s_all source.

3) Add a destination

destination my_cisco { file ("/var/log/851.log"); };

4) Add the filter to grab stuff from my router

filter f_my_cisco { host(""); };

5) Put them all together at the end of the file:

log { source(s_all); filter(f_my_cisco); destination(my_cisco); };
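As an added illustration (not from the post, and not syslog-ng's own code), here is a small Python parser that does in miniature what steps 2 to 5 make syslog-ng do: split the <PRI> into facility and severity, take the hostname from the message header or fall back to the sender address when the router sends none (the IOS default), and route records whose host matches the router to its own file. The sample datagrams, addresses and hostnames are constructed.

```python
import re
from collections import defaultdict

# Constructed sample datagrams (sender IP, raw UDP payload) of the kind a Cisco
# router and an ordinary Unix host would send to syslog-ng on udp/514.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", "<189>47: *Nov 25 14:03:12.117: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.77)"),
    ("192.0.2.10", "<190>48: *Nov 25 14:03:40.002: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.5(4444) -> 192.0.2.10(23), 1 packet"),
    ("192.0.2.20", "<38>Nov 25 14:04:01 fileserver sshd[2211]: Accepted publickey for matt from 192.0.2.77 port 51022 ssh2"),
]

# Facility names follow the RFC 3164 table; an out-of-range PRI raises IndexError.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
# Classic BSD header "Mmm dd hh:mm:ss hostname msg". IOS routers omit the hostname by
# default and instead start with an optional sequence number and a '*' clock marker.
BSD_HDR_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>[^\s:]+) (?P<msg>.*)$", re.S)


def parse_pri(pri):
    """Split the <PRI> value into (facility, severity) names; PRI = facility*8 + severity."""
    fac, sev = divmod(pri, 8)
    return FACILITIES[fac], SEVERITIES[sev]


def parse_bsd_syslog(sender_ip, raw):
    """Return a record for one datagram, or None if it carries no <PRI>.
    With no hostname in the payload the sending IP is used, as syslog-ng does."""
    m = PRI_RE.match(raw)
    if not m:
        return None
    facility, severity = parse_pri(int(m.group("pri")))
    hdr = BSD_HDR_RE.match(m.group("rest"))
    host = hdr.group("host") if hdr else sender_ip
    msg = hdr.group("msg") if hdr else m.group("rest")
    return {"sender": sender_ip, "host": host, "facility": facility,
            "severity": severity, "msg": msg}


def route(datagrams, router_host, router_file="/var/log/851.log", other_file="/var/log/syslog"):
    """Mirror the filter/destination pair: records whose host equals router_host go to
    router_file, the rest to other_file (syslog-ng's host() is a regex; exact match here)."""
    out = defaultdict(list)
    for sender_ip, raw in datagrams:
        rec = parse_bsd_syslog(sender_ip, raw)
        if rec is not None:
            out[router_file if rec["host"] == router_host else other_file].append(rec)
    return dict(out)
```

The host field in a BSD syslog message is whatever the sender wrote and UDP carries no authentication, so a host() filter only separates well-behaved senders; the record keeps the sender address so the two can be compared.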

Oh, if you are wondering about the SCADA/Dummy in the title: it refers to a thread on Server Monitoring on the SCADA mailing list and the frequent tendency for control system folks to do a "default deny" and reject mature technologies (firewall, AV, IDS) or practices (patching security vulnerabilities, or public disclosure of vulns by CERT/CC) as "office" or "IT" and therefore completely inappropriate for consideration in control system devices, applications, servers, networks, etc. Or perhaps it is just the light, or lack thereof, this far North.


Jason Meltzer said...

For all the people at Suncor/Syncrude/etc. in Ft. Mac and here in the 'chuck... you might not be far off with the SAD thing.

Matt Franz said...

Sunlight is a powerful thing! Hey, very cool blog!

And somebody actually got PDB working, cool!