Sunday, December 13, 2020

Security Onion Syslog-NG Console Logging

Goal

By default Security Onion (so) only logs into the ELK stack, not to a file!  We want a file too, so we can tail -f file | ccze on a console and look cool like in the movies!

The goal is minimal editing of /etc/syslog-ng.conf, which gets blown away after Security Onion updates, so:

make sure Security Onion's /etc/syslog-ng.conf has

@include "/etc/syslog-ng/conf.d/*.conf"

then add a /etc/syslog-ng/conf.d/cool.conf file:

destination d_remotesyslog { file("/var/log/remotesyslog"); };
log {
    source(s_network);
    destination(d_remotesyslog);
};

then tail -f /var/log/remotesyslog | ccze shows the remote systems' logs on the console
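An added example, not from the original post: a small POSIX sh helper that writes the drop-in above, confirms the @include line is really present, runs syslog-ng's syntax check and only then reloads. It assumes the paths the post names (override them with the SYSLOG_NG_CONF, DROPIN and LOGFILE variables), a systemd-managed syslog-ng, and that the s_network source is defined in the main config; the perm(0640) on the file is an addition so the copied remote logs are not world-readable.

```shell
#!/bin/sh
# Assumed paths, taken from the post. On most distributions the main
# config lives at /etc/syslog-ng/syslog-ng.conf instead; override if so.
SYSLOG_NG_CONF="${SYSLOG_NG_CONF:-/etc/syslog-ng.conf}"
DROPIN="${DROPIN:-/etc/syslog-ng/conf.d/cool.conf}"
LOGFILE="${LOGFILE:-/var/log/remotesyslog}"

# Return 0 if the given config already pulls in conf.d/*.conf.
has_include() {
    grep -Eq '^[[:space:]]*@include[[:space:]]+"/etc/syslog-ng/conf.d/\*\.conf"' "$1"
}

# Print the drop-in for the log file path given as $1.
# perm(0640) restricts the copied remote logs to the daemon's user/group.
render_dropin() {
    cat <<EOF
destination d_remotesyslog { file("$1" perm(0640)); };
log {
    source(s_network);
    destination(d_remotesyslog);
};
EOF
}

# Write the drop-in, check the whole config parses, reload only on success.
install_dropin() {
    has_include "$SYSLOG_NG_CONF" || {
        echo "no @include for conf.d in $SYSLOG_NG_CONF; add it first" >&2
        return 1
    }
    render_dropin "$LOGFILE" > "$DROPIN"
    syslog-ng --syntax-only -f "$SYSLOG_NG_CONF" || {
        echo "syntax check failed, not reloading (drop-in left in $DROPIN)" >&2
        return 1
    }
    systemctl reload syslog-ng   # assumption: syslog-ng runs under systemd
}

# Only act when invoked as "./cool.sh install", so the functions can be sourced.
if [ "${1:-}" = "install" ]; then
    install_dropin
fi
```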

sources:

https://serverfault.com/questions/825556/avoid-logging-in-var-log-syslog-only-using-etc-syslog-ng-conf-d