<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2963" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2><SPAN
class=792595416-21082006>All,</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=792595416-21082006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=792595416-21082006>I am working on
creating a logging host for some network hardware. Being new to Linux and
syslog-ng I am a little confused as to how to keep the remote syslog messages from
showing up in the system log files. I had to comment out the messages and
localmessages destinations because they are filling up too fast. Any advice would be greatly
appreciated.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=792595416-21082006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=792595416-21082006>Don
R.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>rushd-linux:/home/rushd # cat
/etc/syslog-ng/syslog-ng.conf<BR>#<BR># /etc/syslog-ng/syslog-ng.conf<BR>#<BR>#
Automatically generated by SuSEconfig on Thu Aug 17 16:58:59 PDT 2006.<BR>#<BR>#
PLEASE DO NOT EDIT THIS FILE!<BR>#<BR># you can modify
/etc/syslog-ng/syslog-ng.conf.in instead<BR>#<BR>#<BR>#<BR># File format
description can be found in syslog-ng.conf(5)<BR># and
/usr/share/doc/packages/syslog-ng/syslog-ng.txt.<BR>#</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>#<BR># Global options.<BR>#<BR>options {
long_hostnames(off); sync(0); perm(0640); stats(3600); };</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>#<BR># 'src' is our main source definition. you can
add<BR># more sources driver definitions to it, or define<BR># your own sources,
i.e.:<BR>#<BR>#source my_src { .... };<BR>#<BR>source src
{<BR>
#<BR> # include internal syslog-ng
messages<BR> # note: the internal()
soure is required!<BR>
#<BR> internal();</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>
#<BR> # the following line will be
replaced by the<BR> # socket list
generated by SuSEconfig using<BR> #
variables from
/etc/sysconfig/syslog:<BR>
#<BR>
unix-dgram("/dev/log");</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>
#<BR> # uncomment to process log
messages from network:<BR>
#<BR> udp(ip("0.0.0.0")
port(514));<BR>};</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV><FONT face=Arial size=2>
<DIV><BR>#<BR># Filter definitions<BR>#<BR>filter f_iptables {
facility(kern) and match("IN=") and match("OUT="); };</DIV>
<DIV> </DIV>
<DIV>filter f_console { level(warn) and facility(kern) and not
filter(f_iptables)<BR>
or level(err) and not facility(authpriv); };</DIV>
<DIV> </DIV>
<DIV>filter f_newsnotice { level(notice) and facility(news); };<BR>filter
f_newscrit { level(crit) and facility(news);
};<BR>filter f_newserr { level(err) and
facility(news); };<BR>filter f_news {
facility(news); };</DIV>
<DIV> </DIV>
<DIV>filter f_mailinfo { level(info)
and facility(mail); };<BR>filter f_mailwarn {
level(warn) and facility(mail); };<BR>filter
f_mailerr { level(err, crit) and facility(mail); };<BR>filter
f_mail { facility(mail); };</DIV>
<DIV> </DIV>
<DIV>filter f_cron { facility(cron);
};</DIV>
<DIV> </DIV>
<DIV>filter f_local { facility(local0, local1,
local2,
local3,<BR>
local4, local5, local6, local7); };</DIV>
<DIV> </DIV>
<DIV>filter f_acpid { match('^\[acpid\]:');
};<BR>filter f_netmgm { match('^NetworkManager:');
};</DIV>
<DIV> </DIV>
<DIV>filter f_messages { not facility(news, mail) and not
filter(f_iptables); };<BR>filter f_warn {
level(warn, err, crit) and not filter(f_iptables); };<BR>filter
f_alert { level(alert); };</DIV>
<DIV> </DIV>
<DIV><BR>#<BR># Most warning and errors on tty10 and on the xconsole
pipe:<BR>#<BR>destination console { file("/dev/tty10"
group(tty) perm(0620)); };<BR>log { source(src); filter(f_console);
destination(console); };</DIV>
<DIV> </DIV>
<DIV>destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400));
};<BR>log { source(src); filter(f_console); destination(xconsole); };</DIV>
<DIV> </DIV>
<DIV># Enable this, if you want that root is informed immediately,<BR># e.g. of
logins:<BR>#<BR>#destination root { usertty("root"); };<BR>#log { source(src);
filter(f_alert); destination(root); };</DIV>
<DIV> </DIV>
<DIV><BR>#<BR># News-messages in separate files:<BR>#<BR>destination
newscrit {
file("/var/log/news/news.crit"<BR>
owner(news) group(news)); };<BR>log { source(src); filter(f_newscrit);
destination(newscrit); };</DIV>
<DIV> </DIV>
<DIV>destination newserr {
file("/var/log/news/news.err"<BR>
owner(news) group(news)); };<BR>log { source(src); filter(f_newserr);
destination(newserr); };</DIV>
<DIV> </DIV>
<DIV>destination newsnotice {
file("/var/log/news/news.notice"<BR>
owner(news) group(news)); };<BR>log { source(src); filter(f_newsnotice);
destination(newsnotice); };</DIV>
<DIV> </DIV>
<DIV>#<BR># and optionally also all in one file:<BR># (don't forget to provide
logrotation config)<BR>#<BR>#destination news { file("/var/log/news.all");
};<BR>#log { source(src); filter(f_news); destination(news); };</DIV>
<DIV> </DIV>
<DIV><BR>#<BR># Mail-messages in separate files:<BR>#<BR>destination mailinfo {
file("/var/log/mail.info"); };<BR>log { source(src); filter(f_mailinfo);
destination(mailinfo); };</DIV>
<DIV> </DIV>
<DIV>destination mailwarn { file("/var/log/mail.warn"); };<BR>log { source(src);
filter(f_mailwarn); destination(mailwarn); };</DIV>
<DIV> </DIV>
<DIV>destination mailerr { file("/var/log/mail.err" fsync(yes)); };<BR>log
{ source(src); filter(f_mailerr); destination(mailerr); };</DIV>
<DIV> </DIV>
<DIV>#<BR># and also all in one file:<BR>#<BR>destination mail {
file("/var/log/mail"); };<BR>log { source(src); filter(f_mail);
destination(mail); };</DIV>
<DIV> </DIV>
<DIV><BR>#<BR># acpid messages in one file:<BR>#<BR>destination acpid {
file("/var/log/acpid"); };<BR>log { source(src); filter(f_acpid);
destination(acpid); flags(final); };</DIV>
<DIV> </DIV>
<DIV>#<BR># NetworkManager messages in one file:<BR>#<BR>destination netmgm {
file("/var/log/NetworkManager"); };<BR>log { source(src); filter(f_netmgm);
destination(netmgm); flags(final); };</DIV>
<DIV> </DIV>
<DIV><BR>#<BR># Cron-messages in one file:<BR># (don't forget to provide
logrotation config)<BR>#<BR>#destination cron { file("/var/log/cron");
};<BR>#log { source(src); filter(f_cron); destination(cron); };</DIV>
<DIV> </DIV>
<DIV><BR>#<BR># Some boot scripts use/require local[1-7]:<BR>#<BR>##destination
localmessages { file("/var/log/localmessages"); };<BR>##log { source(src);
filter(f_local); destination(localmessages); };</DIV>
<DIV> </DIV>
<DIV><BR>#<BR># All messages except iptables and the facilities news and
mail:<BR>#<BR>##destination messages { file("/var/log/messages"); };<BR>##log {
source(src); filter(f_messages); destination(messages); };</DIV>
<DIV> </DIV>
<DIV><BR>#<BR># Firewall (iptables) messages in one file:<BR>#<BR>destination
firewall { file("/var/log/firewall"); };<BR>log { source(src);
filter(f_iptables); destination(firewall); };</DIV>
<DIV> </DIV>
<DIV><BR>#<BR># Warnings (except iptables) in one file:<BR>#<BR>destination warn
{ file("/var/log/warn" fsync(yes)); };<BR>log { source(src); filter(f_warn);
destination(warn); };</DIV>
<DIV> </DIV>
<DIV>#<BR># Enable this, if you want to keep all messages in one file:<BR>#
(don't forget to provide logrotation config)<BR>#<BR>#destination allmessages {
file("/var/log/allmessages"); };<BR>#log { source(src);
destination(allmessages); };</DIV>
<DIV> </DIV>
<DIV>destination logip {<BR>
file("/data/logs/HOSTS/$HOST_FROM/$FACILITY/$YEAR$MONTH/$FACILITY$YEAR$MONTH$DAY"<BR>
owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
);<BR>};</DIV>
<DIV> </DIV>
<DIV>log {<BR>
source(src);<BR>
destination(logip);<BR>};<BR>rushd-linux:/home/rushd
#<BR></FONT></DIV></BODY></HTML>