Hi,<br><br> I now have a syslog-ng instance collecting the syslog of 2 sites: one is in China and the other is in the US. The host <b><i>vip-syslog</i></b> is in China, and the US site sends the messages to <i><b>vip-syslog</b></i> through a special tunnel (for reliability, I can build a proxy with disk buffering to relay the syslog messages). Now <i><b>vip-syslog</b></i> can receive the messages and works well, but I still have a problem.<br>
<br> This is the syslog-ng.conf:<br><br>#cat /etc/syslog-ng/syslog-ng.conf <br>#<br># configuration file for syslog-ng, customized for remote logging<br>#<br><br>
# syslog-ng's own messages (internal(): startup, errors, statistics) go to a separate file,<br>
# so problems with the remote listeners are recorded even when no site tree is written.<br>
source s_internal { internal(); };<br>destination d_syslognglog { file("/var/log/syslog-ng.log"); };<br>
log { source(s_internal); destination(d_syslognglog); };<br><br>options {<br> ts_format(rfc3164);<br> chain_hostnames(no);<br>
# use_dns(yes) + dns_cache_hosts: the sender's address is reverse-resolved (static entries in<br>
# /etc/syslog-ng/hosts first) and that name becomes $HOST. keep_hostname() is not set, so at its<br>
# default the header hostname is replaced by this resolved name -- keep it so, because $HOST is<br>
# used as a directory component in the remote destinations below. (Confirm the default on this version.)<br>
 use_dns(yes);<br> dns_cache(yes);<br> dns_cache_hosts(/etc/syslog-ng/hosts);<br>
use_fqdn(no);<br>
# Global file defaults; the remote trees override them with perm(0640)/dir_perm(0750), the local<br>
# destinations (d_messages, d_secure, ...) do not and so inherit the world-readable 0644.<br>
 perm(0644);<br> dir_perm(0700);<br>
# Output is held in memory up to 128 lines or 500 ms per destination before writing; those lines<br>
# are lost if the daemon dies. The disk buffering mentioned for the relay does not cover this host.<br>
 flush_lines(128);<br> flush_timeout(500);<br> log_msg_size(16384);<br>
# Timestamps are taken from the message header ($S_* macros), not the arrival time, so the dated<br>
# directories below follow the sender's clock. RFC3164 stamps carry no zone and recv_time_zone()<br>
# is commented out, so they are interpreted in this host's local zone -- NOTE(review): check how the<br>
# US senders' clocks are set, since that decides which calendar day the stamp parses into.<br>
 use_time_recvd(no);<br> # recv_time_zone(-07:00);<br>
# send_time_zone(-07:00);<br>};<br><br># ---------------------------------------------------------------------<br># Local sources, filters and destinations are commented out<br># If you want to replace sysklogd simply uncomment the following<br>
# parts and disable sysklogd<br>#<br># Local sources<br>#<br>
# Messages from this collector itself (syslog socket and kernel log); they are routed by the<br>
# "Local logs" paths below, never into the per-site trees.<br>
source s_local {<br> unix-dgram("/dev/log");<br> file("/proc/kmsg" log_prefix("kernel:"));<br>};<br>#<br># ---------------------------------------------------------------------<br>
# Local filters<br>#<br>
# f_messages (info and above) is the fall-through for local paths not marked final below; debug-level<br>
# messages not caught by a facility filter match nothing and are discarded.<br>
filter f_messages { level(info..emerg); };<br>filter f_secure { facility(authpriv); };<br>filter f_mail { facility(mail); };<br>filter f_cron { facility(cron); };<br>filter f_emerg { level(emerg); };<br>
filter f_spooler { level(crit..emerg) and facility(uucp, news); };<br>filter f_local7 { facility(local7); };<br>#<br># ---------------------------------------------------------------------<br># Local destinations<br>#<br>
# No perm() here, so these files get the global perm(0644): /var/log/secure (authpriv) is then<br>
# world-readable unless the directory prevents it -- consider perm(0600) on d_secure.<br>
destination d_messages { file("/var/log/messages"); };<br>destination d_secure { file("/var/log/secure"); };<br>destination d_maillog { file("/var/log/maillog"); };<br>destination d_cron { file("/var/log/cron"); };<br>
# usertty("root") writes emergencies to root's terminals; used by the first local path below.<br>
destination d_console { usertty("root"); };<br>destination d_spooler { file("/var/log/spooler"); };<br>destination d_bootlog { file("/var/log/boot.log"); };<br>#<br># ---------------------------------------------------------------------<br>
# Local logs - order DOES matter !<br>#<br>
# emerg is sent to the console first (no final flag) and still continues to its file; the<br>
# flags(final) on secure/mail/cron stop those messages from also landing in d_messages.<br>
log { source(s_local); filter(f_emerg); destination(d_console); };<br>log { source(s_local); filter(f_secure); destination(d_secure); flags(final); };<br>log { source(s_local); filter(f_mail); destination(d_maillog); flags(final); };<br>
log { source(s_local); filter(f_cron); destination(d_cron); flags(final); };<br>log { source(s_local); filter(f_spooler); destination(d_spooler); };<br>log { source(s_local); filter(f_local7); destination(d_bootlog); };<br>
log { source(s_local); filter(f_messages); destination(d_messages); };<br><br><br># ---------------------------------------------------------------------<br># Remote logging<br># <br># Remote sources<br>#<br>source s_remote {<br>
# Both listeners bind every interface on 514 with no transport protection and no sender<br>
# restriction. The US tunnel is the only intended remote path, so bind ip() to the tunnel-facing<br>
# address (or filter 514 on the host) and prefer tcp() for cross-site traffic: a udp() datagram's<br>
# source address cannot be verified, and it is that address use_dns turns into $HOST.<br>
tcp(ip(0.0.0.0) port(514));<br> udp(ip(0.0.0.0) port(514));<br>};<br><br># ---------------------------------------------------------------------<br># Remote destinations<br>#<br>
# template_escape(no): quotes and backslashes in $MSG are written as-is (escaping is meant for SQL output).<br>
template t_message {<br> # template("$STAMP $HOST $PROGRAM[$PID] $MSG\n"); template_escape(no);<br>
template("$S_STAMP $HOST $MSG\n"); template_escape(no);<br>};<br><br>
# $MSGONLY drops host and timestamp: a cookie_log row's only provenance is the directory it is in.<br>
template t_apache {<br> template("$MSGONLY\n"); template_escape(no);<br>};<br><br># ---------------------------------<br>
# Global site with US timezone:<br>
# $HOST is a directory name here. With use_dns(yes) and keep_hostname at its default it is the<br>
# reverse-resolved sender name rather than whatever the sender put in the header; keep it that<br>
# way, since a sender-chosen $HOST would pick the directory it writes into. time_zone(-07:00) is a<br>
# fixed offset with no DST tracking; a named zone would follow DST if this version accepts zone<br>
# names here. NOTE(review): the sample output below shows the $S_YEAR-$S_MONTH-$S_DAY directory<br>
# and the $S_STAMP inside the file disagreeing by the offset, i.e. time_zone() appears not to be<br>
# applied to the filename expansion on this version -- confirm before relying on the directory date.<br>
destination d_en_alarm {<br> file("/var/log/syslog-ng/$S_YEAR-$S_MONTH-$S_DAY/$HOST/alarm" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes) time_zone(-07:00) template(t_message));<br>
# program("sec.pl")<br>};<br><br>destination d_en_necessary {<br> file("/var/log/syslog-ng/$S_YEAR-$S_MONTH-$S_DAY/$HOST/necessary" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes) time_zone(-07:00) template(t_message));<br>
};<br><br>destination d_en_cookie_log {<br> file("/var/log/syslog-ng/$S_YEAR-$S_MONTH-$S_DAY/$HOST/cookie_log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes) time_zone(-07:00) template(t_apache));<br>
};<br><br># ---------------------------------<br># China site with Beijing timezone:<br>
# Same paths as the en_ tree, so the site split is made purely by the filters; a message routed<br>
# to the wrong site lands in the same file with a differently rendered timestamp.<br>
destination d_cn_alarm {<br> file("/var/log/syslog-ng/$S_YEAR-$S_MONTH-$S_DAY/$HOST/alarm" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes) template(t_message));<br>
};<br><br>destination d_cn_necessary {<br> file("/var/log/syslog-ng/$S_YEAR-$S_MONTH-$S_DAY/$HOST/necessary" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes) template(t_message));<br>
};<br><br>destination d_cn_cookie_log {<br> file("/var/log/syslog-ng/$S_YEAR-$S_MONTH-$S_DAY/$HOST/cookie_log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes) template(t_apache));<br>
};<br><br>
# Sink for the unconditional last remote path. It records nothing, so it is not evidence of what<br>
# went unmatched: that path receives every remote message because no remote path is marked final.<br>
destination d_null { file("/dev/null"); };<br><br>
# Runs sec.pl as a child of syslog-ng, with the same privileges, feeding messages on stdin. Nothing<br>
# below routes to d_sec and the program() line in d_en_alarm is commented out, so it is unused.<br>
destination d_sec {<br> program("/etc/syslog-ng/sec.pl -input=\"-\" -conf=/etc/syslog-ng/sec.conf");<br>};<br><br># ---------------------------------------------------------------------<br>
# Remote filters<br>#<br>
# Site membership is decided solely by the $HOST prefix; $HOST is DNS-derived (use_dns), so a<br>
# sender whose reverse name lacks an hz_/us_/hk_ prefix falls into the cn_ paths silently.<br>
filter f_en_host { host("(^hz|^us|^hk)_"); };<br>#<br># Used by data warehouse(dw):<br>filter f_cn_local1 { facility(local1); };<br>filter f_en_local2 { facility(local2); };<br>filter f_en_dw { filter(f_en_host) and filter(f_en_local2); };<br>
filter f_cn_dw { not filter(f_en_host) and filter(f_cn_local1); };<br><br># Used by system admins and security admins:<br>filter f_en_sys { filter(f_en_host) and not filter(f_en_local2); };<br>filter f_cn_sys { not filter(f_en_host) and not filter(f_cn_local1); };<br>
<br>
# Content filters ("......" marks patterns elided from this excerpt). match() is used without a<br>
# value(), so which part of the message it tests depends on the installed version -- confirm.<br>
filter f_necessary {<br> match("necessary")<br> or match("important");<br> ......<br>};<br>filter f_alarm {<br> match("(?i)(error|fail)");<br> ......<br>
};<br><br>......<br><br># ---------------------------------------------------------------------<br># Remote log path<br>#<br>
# None of the remote paths use flags(final): a message matching both f_necessary and f_alarm is<br>
# written to both files, and every message also reaches the d_null path at the end.<br>
log { source(s_remote); filter(f_en_sys); filter(f_necessary); destination(d_en_necessary); };<br>
log { source(s_remote); filter(f_cn_sys); filter(f_necessary); destination(d_cn_necessary); };<br>log { source(s_remote); filter(f_en_sys); filter(f_alarm); destination(d_en_alarm); };<br># log { source(s_remote); filter(f_en_sys); filter(f_necessary); destination(d_en_alarm); };<br>
# --> This will not generate duplicated message!<br>log { source(s_remote); filter(f_cn_sys); filter(f_alarm); destination(d_cn_alarm); };<br>log { source(s_remote); filter(f_cn_dw); destination(d_cn_cookie_log); };<br>
log { source(s_remote); filter(f_en_dw); destination(d_en_cookie_log); };<br>
# Unconditional (no filter, and no earlier remote path is final): every remote message passes<br>
# through here. Remote messages matching neither alarm, necessary nor the dw filters are therefore<br>
# kept nowhere; for later incident reconstruction an archive file under the same $HOST tree,<br>
# instead of /dev/null, would retain them.<br>
log { source(s_remote); destination(d_null); };<br><br><br> NOW as you can see, I want the message to be logged to the dir:<br>/var/log/syslog-ng/$S_YEAR-$S_MONTH-$S_DAY/$HOST/<br>
<br> The logs from China are OK, but the US ones are not, since a timezone translation must be performed. Now the message timestamp in the logfile is right, but the dir name is not; for example:<br>#head /var/log/syslog-ng/2009-05-22/us_search63/alarm <br>
May 21 10:50:27 us_search63 kernel: isupdate[7157]: segfault at 0000000000000010 rip 000000000041adad rsp 00007fffaa3cf560 error 4<br>May 21 18:09:55 us_search63 snmpd[26753]: /etc/snmp/snmpd.conf: line 433: Error: WARNING: This output format is being deprecated - Please use the 'extend' directive instead <br>
May 21 18:09:55 us_search63 snmpd[26753]: /etc/snmp/snmpd.conf: line 434: Error: WARNING: This output format is being deprecated - Please use the 'extend' directive instead <br>May 21 18:09:55 us_search63 snmpd[26753]: /etc/snmp/snmpd.conf: line 435: Error: WARNING: This output format is being deprecated - Please use the 'extend' directive instead <br>
May 21 18:09:56 us_search63 snmpd[26753]: /etc/snmp/snmpd.conf: line 436: Error: WARNING: This output format is being deprecated - Please use the 'extend' directive instead <br><br> As you can see, the directory 2009-05-22 contains records from May 21, which is not what I want.<br>
<br> I have tried the macros $DAY, $S_DAY and $R_DAY; none of them seems to solve this problem.<br><br> Any suggestions?<br><br> Thanks.<br><br>