[syslog-ng] Chroot/Vserver config

Alexander Clouter ac56 at soas.ac.uk
Mon Sep 3 23:54:27 CEST 2007


Hi,

Ed W <lists at wildgooses.com> [20070903 22:24:13 +0100]:
>
> I am setting up a bunch of vserver machines on a single host (basically
> just a fancy chroot setup) - just looking for advice on a decent setup.
> 
> 1) Would prefer not to run multiple instances of syslogd in each vserver
> if possible (no special reason, just seems pointless).
> 2) Each vserver runs multiple processes, so need a fairly fully featured
> set of logging for each
> 3) Want to keep the logs readonly, or basically untouchable in the vservers
> 
> So I tried
> 
> a) setting up the host system to run the /vserver/xxx/dev/log as its source
> b) using destinations of the form: "/var/log/$HOST/messages",
> "/var/log/$HOST/mail.log", etc
> 
> However, this doesn't seem to work because $HOST always shows the same
> name for every vhost (actually it has the name of the host server)
> 
> [snipped]
>
> What I really want is some way that I can set some MACRO in the
> "source{}" stanza and then use that later on in my destinations{} - is
> this possible?  Any other ways to achieve this?  Actually I can't find
> any way to define custom macros, but this feature would seem to solve a
> lot of configuration scenarios?
>
For my multicast logging I wanted to be lazy and log depending on the 
*destination* IP address[1] rather than the source IP; in multicast you group 
the services together under a single multicast group address (for example all 
mail server logging goes to 239.234.234.32).

I cobbled together a patch that lets you use $DESTIP as a macro.

http://marc.info/?l=syslog-ng&m=116136122419201&w=2
http://marc.info/?l=syslog-ng&m=118545979625151&w=2

I keep lightly prodding Bazsi to re-write it properly[2] and I am sure he 
will someday but is this the sort of thing useful to you?  If you bind to 
each vserver IP separately on your host machine[3] you should find using 
$DESTIP in your macros works nicely.

To map IPs to friendly names I would recommend softlinks in the filesystem 
personally.

Cheers

Alex

[1] this keeps the syslog-ng.conf file very simple and I do not have to 
	specify and keep up to date a list of source addresses; it is all 
	mapped to a single destination group address
[2] but it is complicated as to do it properly you would have to use 
	IP(V6)_PKTINFO, or for *BSD people it's IP_RECVDSTADDR and from 
	when I was looking through the code there is not much opportunity to 
	get this kind of data to the macro sub-system without some framework 
	reworking/rejuggling
[3] so separate 'udp(ip(w.x.y.x) port(514));' in the source{} section for 
	each vserver IP otherwise this patch will set $DESTIP to '0.0.0.0'

