# SYSLOG-NG setup by Harry Hoffman #
#
# Log collector: local messages plus remote syslog over UDP (and loopback
# TCP) are mailed on selected sshd/login events, streamed to swatch, and
# archived per host / facility / day.
#

options {
    # The sender's address is resolved (reverse DNS, FQDN form) and used as
    # $HOST; keep_hostname(no) discards whatever hostname the message carries.
    # $HOST is later a path component of the "hosts" destination, so this
    # keeps that component off the wire -- it still depends on the PTR data
    # the resolver returns.
    use_fqdn(yes);
    use_dns(yes);
    keep_hostname(no);
    long_hostnames(on);
    sync(3);              # lines buffered before a file destination is written
    log_fifo_size(1000);  # output queue length per destination
};

source src {
    pipe("/proc/kmsg");       # kernel messages
    unix-stream("/dev/log");  # local syslog(3) clients
    internal();               # syslog-ng's own messages
    # udp() with no ip()/port() binds every interface on the default syslog
    # port and accepts datagrams from any sender; constrain it with ip() or a
    # host firewall if this machine is not meant to be an open collector.
    udp();
    # TCP collection is loopback-only.
    tcp(ip("127.0.0.1") port(514) keep-alive(yes));
};

# Per-host archive: one file per host, facility and day, root-only access
# (perm 0600, directories 0700, created on demand). $HOST comes from the
# resolver (see options), $FACILITY is the syslog facility name and the
# date macros are numeric, so no part of the path is copied verbatim from
# the message text.
destination hosts {
    file("/var/log/HOSTS/$HOST/$FACILITY/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

# program() destinations run the command and write each message to its
# standard input; the swatch invocation reads that stream via /dev/fd/0.
destination mail-alert {
    program("/usr/local/bin/syslog-mail");
};
destination swatch {
    program("/usr/bin/swatch -c /etc/swatchrc --read-pipe=\"cat /dev/fd/0\"");
};

# Console outputs; no log statement below references them.
destination console     { usertty("root"); };
destination console_all { file("/dev/tty8"); };
destination xconsole    { pipe("/dev/xconsole"); };

# The match() patterns omit the first letter of each keyword so that both
# capitalised and lower-case spellings are caught.
filter f_loghost_ssh {
    host("loghost") and program("sshd.*")
        and match("(uthenticat|ailed|ccepted|enied|illegal)");
};
filter f_ssh_access {
    program("sshd.*") and match("(Failed|enied|illegal|uthenticat)");
};
filter f_telnet_access {
    program("login.*") and match("(login|root)");
};
# Defined but not wired into any log statement.
filter f_attack_alert {
    match("attackalert");
};

# sshd auth events from the host named "loghost" are mailed; everything is
# fed to swatch and written to the per-host archive.
log { source(src); filter(f_loghost_ssh); destination(mail-alert); };
log { source(src); destination(swatch); };
# Mailing sshd failures from all hosts is switched off.
#log { source(src); filter(f_ssh_access); destination(mail-alert); };
log { source(src); filter(f_telnet_access); destination(mail-alert); };
log { source(src); destination(hosts); };