<div dir="ltr"><div>Hello all.</div>
<div> </div>
<div>After playing around with syslog-ng all afternoon, needless to say I'm a little confused and frustrated. I have managed to get it running on most of my Linux boxes and it to accept data from a couple of them still running syslog which is what I want. The issue I'm facing is the config file I found do to the wonders of Google is splitting the information based on host but not into separate files like I'm use to with syslog aka cron, messages, syslog etc.. what i'm looking for output is the following:</div>
<div> </div>
<div>ls -shl /var/log/HOSTS/<a href="http://peter.domain.com/2008/08">peter.domain.com/2008/08</a></div>
<div>4.0K -rw------- 1 root root 866 2008-08-10 20:46 auth.log<br> 0 -rw-r--r-- 1 root root 0 2008-08-10 17:22 cron.log<br> 0 -rw-r--r-- 1 root root 0 2008-08-10 17:22 daemon.log<br>4.0K -rw------- 1 root root 2.8K 2008-08-10 18:26 debug<br>
8.0K -rw-r--r-- 1 root root 6.6K 2008-08-10 14:36 dmesg<br> 0 -rw-r----- 1 root root 0 2002-04-06 19:13 maillog<br> 12K -rw------- 1 root root 8.2K 2008-08-10 20:05 messages<br> 0 -rw-r--r-- 1 root root 0 2008-08-10 18:22 ntpd<br>
0 -rw-r----- 1 root root 0 1994-05-09 03:06 secure<br> 0 -rw-r----- 1 root root 0 2002-03-09 00:29 spooler<br> 12K -rw------- 1 root root 8.6K 2008-08-10 20:05 syslog<br></div>
<div> </div>
<div>Currently i'm getting the following:</div>
<div>ls -shl /var/log/HOSTS/<a href="http://peter.domain.com/2008/08">peter.domain.com/2008/08</a></div>
<div>12K -rw------- 1 root root 11K 2008-08-10 21:31 10<br></div>
<div>which contains all the results. I'll post the file I'm using below any help would be useful</div>
<div> </div>
<div><span lang="EN-CA">
<p>###############################################################<br># First, set some global options.<br><br>options { <br>use_fqdn(yes); <br>use_dns(yes); <br>dns_cache(yes); <br>keep_hostname(yes); <br>long_hostnames(off); <br>
sync(1); <br>log_fifo_size(1024); <br>};</p>
<p>###############################################################<br>#<br># Logs may come from unix stream, and UDP:514<br>#<br>source src { <br>pipe("/proc/kmsg"); <br>unix-stream("/dev/log"); <br>internal(); <br>
udp(ip("<a href="http://192.168.2.3">192.168.2.3</a>") port(514)); <br>tcp(ip("<a href="http://192.168.2.3">192.168.2.3</a>") port(514) keep-alive(yes)); <br>};</p>
<p>###############################################################<br># First some standard logfile<br>#</p>
<p>destination authlog { file("/var/log/auth.log"); };<br>destination syslog { file("/var/log/syslog"); };<br>destination cron { file("/var/log/cron.log"); };<br>destination daemon { file("/var/log/daemon.log"); };<br>
destination user { file("/var/log/user.log"); };<br>#destination debug { file("/var/log/debug"); };<br>destination messages { file("/var/log/messages"); };</p>
<p>##########################################<br># Here's the filter options. With this rules, we can set which <br># message go where.<br><br>filter f_authpriv { facility(auth, authpriv); };<br>filter f_syslog { not facility(auth, authpriv) and not facility(mail); };<br>
filter f_cron { facility(cron); };<br>filter f_daemon { facility(daemon); };<br>filter f_kern { facility(kern); };<br>#filter f_mail { facility(mail); };<br>filter f_user { facility(user); };<br>#filter f_news { facility(news); };<br>
#filter f_debug { not facility(auth, authpriv, news, mail); };<br>filter f_messages { level(info .. warn) <br> and not facility(auth, authpriv, cron, daemon, mail, news); };<br>filter f_emergency { level(emerg); };<br>
filter f_info { level(info); };<br>filter f_notice { level(notice); };<br>filter f_warn { level(warn); };<br>filter f_crit { level(crit); };<br>filter f_err { level(err); };</p>
<p>###############################################################<br>#<br># log statements actually send logs somewhere, to a file, across the network, etc<br>#</p>
<p>log { source(src); filter(f_authpriv); destination(authlog); };<br>log { source(src); filter(f_authpriv); destination(std); };<br>log { source(src); filter(f_syslog); destination(std); };<br>log { source(src); filter(f_cron); destination(std); };<br>
log { source(src); filter(f_daemon); destination(std); };<br>log { source(src); filter(f_daemon); destination(std); };<br>log { source(src); filter(f_kern); destination(std); };<br>log { source(src); filter(f_user); destination(std); };<br>
#log { source(src); filter(f_debug); destination(std); };<br>log { source(src); filter(f_messages); destination(std); };</p>
<p>## set up logging to loghost<br>#destination loghost {<br># tcp("<a href="http://10.0.0.1">10.0.0.1</a>" port(514));<br>#};<br><br># send everything to loghost, too<br>#log { <br># source(src); <br># destination(loghost); <br>
#};<br><br>#<br># automatic host sorting (usually used on a loghost)<br>#<br># set it up<br>destination std { <br>file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$FACILITY_$HOST_$YEAR_$MONTH_$DAY" <br>owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)<br>
); <br>};</p>
<p># log it<br>log { <br>source(src); <br>destination(std); <br>};</p></span><br></div></div>