
I recently set up a central syslog server. Logs are organized in files, in folders named after the client machines (using DNS), and scanned with logcheck.

Some of the client machines have more than one OS (namely Linux and Windows), and end up having the same IP address and hostname. The result is that Windows logs (messages) and Linux logs ended up in the same file, making me and logcheck quite unhappy. I am interested in keeping the logs for the different OSes separate.

My solution has been to have syslog listen on multiple ports, and to configure syslog/rsyslog on the Linux and Windows client machines to use different port numbers. This way I can easily redirect logs to the appropriate files according to their source.

However, I am not quite convinced of the elegance of the solution; nmap can detect the client OS through TCP/IP stack fingerprinting.

Is there a way of configuring Syslog-ng to redirect the incoming data according to the OS of a client machine?

Matteo Giani

1 Answer


Your approach with different ports for Linux and Windows machines is not bad at all.

Alternatives:

  • using program() as a destination in syslog-ng (for example, your custom script which checks the current OS of the client machine and writes to linux.log or windows.log) - slow and unreliable.
  • using match(...) in a syslog-ng filter to distinguish between Linux and Windows syslog strings (not sure it can be easy and reliable unless you can put some marker substring into the client's syslog) and using such a filter to select the destination log file.

Both can hardly be recommended.

Yet another trick can be using TCP transport for syslog from Linux clients and UDP from Windows. Then you can configure file destinations with a filter on protocol.

Yuri Lachin
  • Thanks for your suggestions - I'd say the second one is probably a bit better. I would still prefer not to have to write markers, but it can definitely work. – Matteo Giani Feb 20 '18 at 11:08
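The three routing strategies discussed above (separate ports per OS, TCP versus UDP on the same port, and a match() filter on a client-supplied marker), written out as one syslog-ng configuration. This is an added example, not configuration from the question or the answer; the port numbers, the /var/log/remote path and the "WIN-EVT" marker string are assumptions chosen for illustration.

```conf
@version: 3.38
@include "scl.conf"

# Directory names come from ${HOST}. With keep-hostname(no) and use-dns(yes)
# that is the name syslog-ng resolves from the sender's address, so a dual-boot
# machine lands in the same directory regardless of which OS sent the message;
# the per-OS split happens on the file name instead.
options {
    use-dns(yes);
    dns-cache(yes);
    keep-hostname(no);
    create-dirs(yes);
};

destination d_linux {
    file("/var/log/remote/${HOST}/linux.log");     # assumed path
};
destination d_windows {
    file("/var/log/remote/${HOST}/windows.log");   # assumed path
};

# Option A (the asker's approach): one listener per OS, told apart by port.
# 5140/5141 are assumed; any two free ports work if the clients match them.
source s_linux_port {
    network(transport("tcp") port(5140));
};
source s_windows_port {
    network(transport("tcp") port(5141));
};
log { source(s_linux_port);   destination(d_linux); };
log { source(s_windows_port); destination(d_windows); };

# Option B (the answer's "yet another trick"): same port, different transport.
# Linux clients send TCP (rsyslog "*.* @@server:514"), Windows agents send UDP.
# syslog-ng has no notion of the sender's OS; the transport is the only signal.
source s_tcp_514 {
    network(transport("tcp") port(514));
};
source s_udp_514 {
    network(transport("udp") port(514));
};
log { source(s_tcp_514); destination(d_linux); };
log { source(s_udp_514); destination(d_windows); };

# Option C (the answer's match() alternative): one listener, route on a marker
# the Windows agent is configured to prepend to every message. "WIN-EVT" is an
# assumed marker; no agent emits it by default. flags(final) stops a matched
# message from also falling through to the Linux file.
filter f_windows_marker {
    match("WIN-EVT" value("MESSAGE"));
};
source s_shared {
    network(transport("tcp") port(5142));          # assumed port
};
log { source(s_shared); filter(f_windows_marker); destination(d_windows); flags(final); };
log { source(s_shared); destination(d_linux); };
```

Each option is self-contained, so in practice you would keep only the source and log blocks for the one you choose. None of them authenticates the sender: any host that can reach the server may send to either port, transport or marker, so the split is a routing convention, not a trust boundary. If the Windows agent can speak TCP (or, better, TLS via transport("tls")), option A keeps reliable delivery for both sides, whereas option B gives up TCP's loss detection for exactly the logs that are already the harder ones to reconcile.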