Notes: Sagan Configuration
These notes are CentOS 7 specific; on other distributions you may find the packages have different names.
Please take note I'm not taking the easy way, ALL rules have been downloaded.
So, ALL rules are present and most are enabled in /usr/local/etc/sagan.conf.
The commands below create the sagan user and group and the files Sagan needs to start cleanly.
version 1.1.0 (stable: December 2017)
# Create the sagan user (no private group) and a sagan group, then add the user to it
useradd -N sagan
groupadd sagan
usermod -G sagan sagan
# Sagan reads a named pipe: create it with mkfifo (touch would create a regular file)
mkfifo /var/run/sagan.fifo
mkdir -p /var/run/sagan
touch /var/run/sagan/sagan-counters.shared
chown -R sagan:sagan /var/run/sagan
chown sagan:sagan /var/run/sagan.fifo
# Log directory and the alert file Sagan writes to
mkdir -p /var/log/sagan/
touch /var/log/sagan/alert
chown -R sagan:sagan /var/log/sagan/
Now you can just run sagan and it will start cleanly.
version 1.1.8 (December 2017)
Many errors will pop up, since not all software or configuration is in place yet.
This is a self-learning set of notes, so everything is targeted at a single (local) host.
If you have not yet configured syslog, Sagan is only reading from the fifo.
Now make rsyslog listen on an IP:port pair; the lines below enable UDP reception only.
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$TCPServerAddress 127.0.0.1
#$InputTCPServerRun 514
Next, enable Sagan for rsyslog: create and edit /etc/rsyslog.d/sagan.conf and insert the lines below.
# The standard "input" template Sagan uses. Basically the message 'format' Sagan understands. The template is _one_ line.
$template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%programname%|%msg%\n"
# The FIFO/named pipe location. This is what Sagan will read.
*.* |/var/run/sagan.fifo;sagan
Then restart rsyslog so the new input and template take effect:
systemctl restart rsyslog
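As an added example, not code from these notes or from the Sagan project, the following Python builds one line in the pipe-delimited template format above and parses it back, emulating rsyslog's 1-based, inclusive `:from:to` substring slices on the date-rfc3339 timestamp. The field names, the sample sshd message and the timestamp are constructed assumptions.

```python
"""Build and parse lines in the Sagan rsyslog input template format.
Field names follow the $template sagan,... line; sample data is constructed."""

# One name per %property% in the template, in order.
FIELDS = ("fromhost_ip", "facility", "priority", "severity", "tag",
          "date", "time", "program", "msg")


def rsyslog_substr(value, start, end):
    """Emulate rsyslog's %prop:from:to% substring: 1-based and inclusive."""
    return value[start - 1:end]


def split_rfc3339(timestamp):
    """Return (date, time) exactly as the template's :1:10 and :12:19
    slices of a date-rfc3339 timestamp produce them."""
    return rsyslog_substr(timestamp, 1, 10), rsyslog_substr(timestamp, 12, 19)


def format_line(rec):
    """Render one record the way rsyslog writes it into /var/run/sagan.fifo."""
    return "|".join(rec[f] for f in FIELDS) + "\n"


def parse_line(line):
    """Parse a fifo line back into a dict. The message is the last field and
    may itself contain '|', so split at most len(FIELDS)-1 times."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


# Constructed sample: an sshd message whose text itself contains a pipe.
SAMPLE_TS = "2017-12-01T10:20:30+01:00"
SAMPLE = {
    "fromhost_ip": "127.0.0.1", "facility": "auth", "priority": "info",
    "severity": "info", "tag": "sshd[1234]:", "program": "sshd",
    "msg": "Accepted publickey for alice from 127.0.0.1 port 5000 | key ok",
}
SAMPLE["date"], SAMPLE["time"] = split_rfc3339(SAMPLE_TS)

if __name__ == "__main__":
    line = format_line(SAMPLE)
    print(line, end="")
    assert parse_line(line) == SAMPLE
```

Splitting on every `|` instead of using the bounded split is the usual mistake when consuming this format with a second tool: any message containing a pipe then shifts or adds fields.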