I loaded the syslog.inc above without errors. With that said, this is what I have configured so far:
[root@LAB-Practice-LB2:Active] config b syslog include
SYSLOG - Include Data:
destination d_messages {
    file("/var/log/messages" create_dirs(yes));
    udp("10.1.32.34" port(514));
};
destination d_audit {
    file("/var/log/audit" create_dirs(yes));
    program("/usr/bin/audit_forwarder");
    udp("10.1.32.34" port(514));
};
destination d_ltm {
    file("/var/log/ltm" create_dirs(yes));
    udp("10.1.32.34" port(514));
};
When I checked my syslog server, I'm still seeing messages as follows:
5/25/11
12:21:25.000 PM May 25 12:21:25 10.1.29.55 May 25 12:21:25 LAB-Practice-LB2 logger: [ssl_req][25/May/2011:12:21:25 -0400] 10.1.29.54 TLSv1 DHE-RSA-AES256-SHA "POST /iControl/iControlPortal.cgi HTTP/1.1" 437
host=10.1.29.55 LAB - NDC-PBN-TLP-LB2 | sourcetype=syslog | source=Syslogs
They appear to be coming from the following:
[root@LAB-Practice-LB2:Active] httpd pwd
/var/log/httpd
[root@LAB-Practice-LB2:Active] httpd ls -lrt
total 1712
-rw-r--r-- 1 root root 0 Jul 7 2005 access_log
-rw-r--r-- 1 root root 724 May 25 11:02 httpd_errors
-rw-r--r-- 1 root root 505968 May 25 12:28 ssl_request_log
-rw-r--r-- 1 root root 469392 May 25 12:28 ssl_access_log
Also I see messages from crond:
12:34:01.000 PM May 25 12:34:01 10.1.29.55 May 25 12:34:01 LAB-Practice-LB2 crond[8984]: (syscheck) CMD (/usr/bin/system_check -q)
host=10.1.29.55 LAB - NDC-PBN-TLP-LB2 | sourcetype=syslog | source=Syslogs
Would it be better to filter all and then allow the ones you've provided? I'm very new to syslogging, so thank you in advance for your patience. I do appreciate your time and insight.
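One way to keep the two noisy message classes shown above out of the remote stream while leaving the local files untouched, as an added example that is not part of the original post or F5's own configuration: a syslog-ng filter that excludes the "[ssl_req]" logger lines and the crond system_check entries, applied only to the UDP destination. The source name s_local and the older match()-style filter syntax are assumptions; check the names actually used in the generated syslog-ng.conf before adapting it.

```conf
# Added example, not from the original post. Assumes a source named s_local
# exists in the generated syslog-ng.conf (verify the real name first).

# The ssl_request_log lines arrive tagged with program "logger" and carry
# "[ssl_req]" in the message text. Note that they record iControl API
# requests, so they stay in the local files even when dropped remotely.
filter f_ssl_req   { program("logger") and match("\\[ssl_req\\]"); };

# Periodic cron noise seen in the post: crond running /usr/bin/system_check.
filter f_syscheck  { program("crond") and match("system_check"); };

# Keep everything except the two noise classes above.
filter f_remote_ok { not filter(f_ssl_req) and not filter(f_syscheck); };

# Remote collector, kept separate from the local file destinations so the
# filter only affects what is forwarded.
destination d_remote { udp("10.1.32.34" port(514)); };

log { source(s_local); filter(f_remote_ok); destination(d_remote); };
```

With this in place the udp() entries can be removed from d_messages, d_audit and d_ltm so each message is forwarded once, through the filtered log statement, rather than once per local destination.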