@version:3.18.1
@include "scl.conf"

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/
#
# Option names use the hyphenated spelling throughout; syslog-ng treats
# "-" and "_" in option names as the same character.

options {
    flush-lines(0);
    stats-freq(3600);
    stats-level(1);                         # Trying to debug lost messages June 25, 2019
    time-reopen(10);
    # NOTE(review): a small queue for a host that also accepts network syslog.
    # The "lost messages" the stats counters are meant to surface are often UDP
    # receive-buffer overruns on the source (see so-rcvbuf() on s_net) rather
    # than this queue -- read the counters before tuning either.
    log-fifo-size(1000);
    chain-hostnames(off);
    # A reverse lookup runs for every new sender address, bounded by the cache
    # settings below. NOTE(review): s_net listens on every interface, so the
    # resolver is on the ingest path for anything that can reach udp/514.
    use-dns(yes);
    dns-cache-expire(1800);
    dns-cache-size(1000);
    use-fqdn(no);
    create-dirs(yes);
    # $HOST is taken from the HOST field of the message as received, not from
    # the resolved sender address (see syslog-ng.conf(5) and the d_local note).
    keep-hostname(yes);
};

# Local messages: kernel/journal plus syslog-ng's own diagnostics.
source s_sys {
    system();
    internal();
    # udp(ip(0.0.0.0) port(514));
};

# Network receiver: IETF syslog (RFC 5424 framing) over UDP on every
# interface. Nothing in this file restricts who may send to it.
# NOTE(review): confirm the host firewall limits the sender set.
source s_net {
    syslog(ip(0.0.0.0) transport("udp") port(514));
};

# Classic RedHat log files; the log paths below feed them from s_sys only.
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush-lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

# Long-term archive: one tree per sending host and day, plus a single flat
# file for the Tivoli agent. Both files receive local and network messages.
#
# NOTE(review): perm(0775)/dir-perm(0775) leave every archived log
# world-readable and group-writable, and auth/authpriv messages land here too.
# 0640/0750 is the usual choice unless the Tivoli reader really runs as
# "other".
#
# NOTE(review): with keep-hostname(yes), $HOST for an s_net message is whatever
# the sender wrote in its header, and it becomes a directory component of the
# byhost path. Confirm that file() on this version rejects path separators and
# ".." in macro values, or normalise the value first (for example with the
# $(sanitize) template function, or keep-hostname(no) for s_net).
destination d_local {
    file("/unixdata/syslog/log/byhost/$HOST/$YEAR-$MONTH/$DAY.log"
        template("${DATE} ${HOST} ${FACILITY}:${PRIORITY} ${MSGHDR}${MESSAGE}\n")
        owner("syslog") group("syslog") perm(0775)
        dir-owner("syslog") dir-group("syslog") dir-perm(0775)
    );
    file("/unixdata/syslog/log/tivoli/syslog.log"
        template("$DATE $HOST $PROGRAM $FACILITY $PRIORITY $LEVEL $TAG $MSG\n")
        owner("syslog") group("syslog") perm(0775)
        dir-owner("syslog") dir-group("syslog") dir-perm(0775)
    );
};

# 08/15/2018 Added new destination for Office of Information Security (OIS)
# Forking the 'auth' and 'authpriv' messages to LogRhythm
# Worked with Dale Lyke in OIS.
# Bryan K., Bob M., Frank R.
# OIS collector: IETF syslog framing over plain UDP.
destination d_LogRhythm {
    syslog("rolrlog.mayo.edu" transport("udp") port(514));
};

# Secondary relay: legacy BSD syslog format over plain UDP.
destination d_udp {
    udp("10.128.36.80" port(514));
};

# Filters. They are declared ahead of the log paths that use them purely for
# readability; references are resolved once the whole file has been parsed,
# so the order is cosmetic.
filter f_kernel    { facility(kern); };
filter f_default   { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth      { facility(authpriv) or facility(auth); };
filter f_mail      { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news      { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_boot      { facility(local7); };
filter f_cron      { facility(cron); };

# --- Archive and relays -------------------------------------------------

# Everything, local and remote, into the byhost/tivoli archive.
log { source(s_net); source(s_sys); destination(d_local); };

# Everything local, to the secondary relay.
log { source(s_sys); destination(d_udp); };

# auth/authpriv from this host and from every network sender, to OIS.
# NOTE(review): both relays above are unauthenticated, unencrypted UDP; the
# authentication stream in particular would normally use transport("tls")
# (and a tls() block) on the syslog() driver.
log { source(s_net); source(s_sys); filter(f_auth); destination(d_LogRhythm); };

# --- Local RedHat-style log files (s_sys only) ----------------------------

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel);    destination(d_kern); };
log { source(s_sys); filter(f_default);   destination(d_mesg); };
log { source(s_sys); filter(f_auth);      destination(d_auth); };
log { source(s_sys); filter(f_mail);      destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news);      destination(d_spol); };
log { source(s_sys); filter(f_boot);      destination(d_boot); };
log { source(s_sys); filter(f_cron);      destination(d_cron); };

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et: