The syslogging capability that comes standard with Debian gets the job done, but offers little flexibility. I needed something that would allow simple replication of certain log entries to a vendor's syslog server. BalaBit's syslog-ng is an excellent replacement. And dead easy to install:
apt-get install syslog-ng
This removes the old syslog programs, installs the new ones, and starts things up. The configuration file, although in a different format, attempts to replicate the functionality of the previous programs quite well. The configuration is found in /etc/syslog-ng/syslog-ng.conf. The documentation is straightforward and useful. After a quick look at it, the configuration file makes sense and it is easy to add configuration items.
In the configuration file, I added the following to the options section:
use_dns(yes);
use_fqdn(yes);
to add some lookups, even though this may not be recommended in high-volume environments. In the source s_all section, I added:
udp();
in order to allow messages from the Cisco devices. To forward syslog messages from specific devices to a vendor, so that network problems can be correlated, I added the following lines:
# external destination for log messages (will require a port opening on firewall)
destination du_externallog { udp("192.2.0.5"); };
# specific device list
filter f_devicesforvendor { host("router1") or host("router2"); };
# perform the logging to vendor (syslog-ng requires the closing semicolon)
log {
    source(s_all);
    filter(f_devicesforvendor);
    destination(du_externallog);
};
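To make it clearer what the host() filter above actually compares, here is an added example (my own code, not from the original post or from syslog-ng) that walks a few constructed UDP datagrams through the same decision the log statement makes. It fills in the HOST field the way syslog-ng does: from the header when the sender includes one, otherwise from the sender's address, reverse-resolved when use_dns(yes) is set. That fallback is why the DNS options matter here: a device that sends no hostname in its header (Cisco IOS does not unless told to) would otherwise show up as a bare IP and never match host("router1"). The sample messages, the fake PTR table and the VENDOR_DEVICE_ADDRS set are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# --- constructed sample input ----------------------------------------------
# (sender address, raw UDP payload) as a syslog-ng udp() source would see them.
# Made up for this example; not captures from the original post.
SAMPLE_DATAGRAMS: List[Tuple[str, str]] = [
    # Cisco-style line: sequence number and uptime stamp, no hostname in the header
    ("10.0.0.1", "<189>45: *Mar  1 00:02:11.000: %SYS-5-CONFIG_I: Configured from console by vty0"),
    # BSD-style line with a hostname in the header
    ("10.0.0.2", "<190>Jan  5 10:00:00 router2 47: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down"),
    # Ordinary server message that must stay local
    ("10.0.0.9", "<38>Jan  5 10:00:01 webserver sshd[4242]: Failed password for invalid user admin"),
    # Header names router1 but the datagram arrives from an unrelated address
    ("10.0.0.9", "<190>Jan  5 10:00:02 router1 48: %LINK-3-UPDOWN: Interface Gi0/2, changed state to down"),
]

# Constructed stand-in for the reverse lookups that use_dns(yes) turns on.
FAKE_PTR: Dict[str, str] = {"10.0.0.1": "router1", "10.0.0.2": "router2", "10.0.0.9": "webserver"}

# Mirrors: filter f_devicesforvendor { host("router1") or host("router2"); };
VENDOR_HOSTS = {"router1", "router2"}
# Assumed device addresses for the sender-based alternative (not from the post).
VENDOR_DEVICE_ADDRS = {"10.0.0.1", "10.0.0.2"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
BSD_HEADER_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S)


@dataclass
class SyslogMessage:
    sender: str            # address the datagram came from
    facility: int
    severity: int
    host: str              # what syslog-ng's host() filter compares against
    host_from_header: bool
    text: str


def parse_datagram(sender: str, payload: str, use_dns: bool = True) -> SyslogMessage:
    """Parse a BSD (RFC 3164 style) datagram. HOST comes from the header when
    present; otherwise from the sender address, reverse-resolved if use_dns."""
    m = PRI_RE.match(payload)
    if not m:
        raise ValueError("missing <PRI> header")
    pri, rest = int(m.group(1)), m.group(2)
    hdr = BSD_HEADER_RE.match(rest)
    if hdr:
        return SyslogMessage(sender, pri // 8, pri % 8, hdr.group(2), True, hdr.group(3))
    host = FAKE_PTR.get(sender, sender) if use_dns else sender
    return SyslogMessage(sender, pri // 8, pri % 8, host, False, rest)


def route(msg: SyslogMessage) -> List[str]:
    """Destinations for one message: the local logs (the stock Debian log
    statements) always, plus du_externallog when f_devicesforvendor matches."""
    dests = ["local"]
    if msg.host in VENDOR_HOSTS:
        dests.append("du_externallog")
    return dests


def route_by_sender(msg: SyslogMessage) -> List[str]:
    """Same decision keyed on the sender address instead of the header field,
    which is how a netmask()-based filter behaves."""
    dests = ["local"]
    if msg.sender in VENDOR_DEVICE_ADDRS:
        dests.append("du_externallog")
    return dests


def process(datagrams=SAMPLE_DATAGRAMS, use_dns: bool = True):
    """Return (HOST field, host()-style routing, sender-style routing) per datagram."""
    out = []
    for sender, payload in datagrams:
        msg = parse_datagram(sender, payload, use_dns)
        out.append((msg.host, route(msg), route_by_sender(msg)))
    return out


if __name__ == "__main__":
    for host, by_host, by_sender in process():
        print(f"{host:10s} host()-filter -> {by_host}   netmask()-style -> {by_sender}")
```

Two things the run makes visible. With use_dns(no) the first datagram's HOST field is the bare address 10.0.0.1, so host("router1") never matches and nothing reaches the vendor; the DNS options are doing real work in this setup. And the last datagram shows that host() trusts whatever hostname a sender writes into its header, while a udp() source with no port restriction accepts datagrams from any host that can reach it; if the vendor must only ever see the routers' traffic, syslog-ng's netmask() filter on the sender address (or tightening the firewall around the udp() source) is the stricter choice.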