# Per-host archive of everything that reaches this box: one file per facility
# per day, laid out as /data/logs/HOSTS/<sender>/<facility>/<YYYYMM>/<facility><YYYYMMDD>.
# $HOST_FROM is, per the syslog-ng macro docs, the host the message was received
# from (the last hop), so messages relayed through another server are filed
# under the relay, not the origin.
# Files and directories are root-only (0600 / 0700); create_dirs(yes) lets
# syslog-ng grow the tree as new senders and months appear.
destination logip {
    file("/data/logs/HOSTS/$HOST_FROM/$FACILITY/$YEAR$MONTH/$FACILITY$YEAR$MONTH$DAY"
         owner(root) group(root)
         perm(0600) dir_perm(0700)
         create_dirs(yes));
};

# NOTE(review): 'src' also carries internal() and the local /dev/log socket, so
# this archive receives the local messages as well as the remote ones; a
# separate source holding only the udp() listener would keep them apart.
log {
    source(src);
    destination(logip);
};
What I can't figure out is how to keep the messages from showing up in the following.
# f_messages: everything except the mail and news facilities and the iptables
# matches. Nothing in it tells remote messages apart from local ones, so a
# network device logging on local4 passes straight through into /var/log/messages.
# Adding local4 to the "not facility(...)" list would also discard what the
# local boot scripts log on local4 (the stock config notes they use local[1-7]);
# giving the network listener its own source is the cleaner fix.
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };
They look like they are coming in as local4. So would I just add local4 in the "not facility" of the f_messages filter?
You should probably create multiple sources, like:
# A source that holds only the network listener: UDP port 514 on every
# interface (ip("0.0.0.0")). Keeping it out of 'src' is what allows the log
# paths to route remote traffic separately from the local /dev/log messages.
# NOTE(review): the asker's config already has udp(ip("0.0.0.0") port(514))
# inside 'src'; drop it there when adding this source, otherwise both sources
# try to bind the same port.
source remote {
    udp(
        ip("0.0.0.0")
        port(514)
    );
};
Then send the remote logs to a dedicated archive destination, à la:
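# One file per sending host under /var/REMOTE/.
# perm(): a log file should be neither executable nor world-readable; 0640
# matches the global perm(0640) used elsewhere in the asker's config, and the
# directories create_dirs(yes) makes get 0750 for the same reason (the
# original 0755/0755 left the files world-readable with the execute bits set).
# $HOST is the host name carried in the message (subject to keep_hostname()),
# so the sender influences the file name; $HOST_FROM names the host the
# message was actually received from and is presumably the safer choice here.
destination remotelogs {
    file("/var/REMOTE/$HOST.log"
         owner(root) group(root)
         perm(0640) dir_perm(0750)
         create_dirs(yes));
};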
Finish it up with its own log directive, like:
# Route the network source, and only that source, into the archive.
# Provided udp() is no longer part of 'src', remote messages then reach a
# local /var/log file only where a log path explicitly names source(remote).
log {
    source(remote);
    destination(remotelogs);
};
Add any filters you want to the log directive above. I hope this helps.
William L. Bell
II
CWIE Security
Dept.
From:
syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu]
On Behalf Of Donald
Rush
Sent: Monday, August 21,
2006 10:18 AM
To:
syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Newbie
Question
All,
I am working on creating a logging host for some network hardware. Being new to Linux and syslog-ng, I am a little confused about how to keep the remote syslog messages from showing up in the system log files. I had to comment out messages and localmessages because they were filling up too fast. Any advice would be greatly appreciated.
Don
R.
rushd-linux:/home/rushd # cat
/etc/syslog-ng/syslog-ng.conf
#
# /etc/syslog-ng/syslog-ng.conf
#
# Automatically generated by SuSEconfig on Thu Aug 17 16:58:59 PDT 2006.
#
# PLEASE DO NOT EDIT THIS FILE!
#
# you can modify /etc/syslog-ng/syslog-ng.conf.in instead
#
#
#
# File format description can be found in syslog-ng.conf(5)
# and /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
#
#
# Global options.
#
# Per syslog-ng.conf(5): long_hostnames(off) writes the plain host name rather
# than the chained form; sync(0) buffers no lines before writing; perm(0640)
# is the default mode for files the destinations create; stats(3600) emits
# the internal statistics message once an hour.
options {
    long_hostnames(off);
    sync(0);
    perm(0640);
    stats(3600);
};
#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
        #
        # include internal syslog-ng messages
        # note: the internal() source is required!
        #
        internal();
        #
        # the following line will be replaced by the
        # socket list generated by SuSEconfig using
        # variables from /etc/sysconfig/syslog:
        #
        unix-dgram("/dev/log");
        #
        # uncomment to process log messages from network:
        #
        # NOTE(review): this listener IS enabled here. It is plain UDP, so
        # senders are not authenticated, and ip("0.0.0.0") binds every
        # interface. Because it sits inside 'src', every log path in this
        # file that says source(src) -- console, warn, firewall, messages,
        # logip, ... -- receives the remote traffic together with the local
        # /dev/log messages; that is why the network hardware's messages show
        # up in the local files. Moving udp() into its own source and pointing
        # only the archive destination at that source separates the two.
        udp(ip("0.0.0.0") port(514));
};
#
# Filter definitions
#
# Netfilter log lines: kernel facility with both an IN= and an OUT= field.
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
# Kernel warnings that are not netfilter lines, or errors outside authpriv.
# Written without parentheses, so it relies on 'and' binding tighter than
# 'or' -- presumably (warn kern, not iptables) or (err, not authpriv);
# parenthesise if in doubt.
filter f_console { level(warn) and facility(kern) and not filter(f_iptables) or level(err) and not facility(authpriv); };
# News facility, split by severity, plus a catch-all.
filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit { level(crit) and facility(news); };
filter f_newserr { level(err) and facility(news); };
filter f_news { facility(news); };
# Mail facility, split by severity, plus a catch-all.
filter f_mailinfo { level(info) and facility(mail); };
filter f_mailwarn { level(warn) and facility(mail); };
filter f_mailerr { level(err, crit) and facility(mail); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
# All eight local facilities; the localmessages section below notes that boot
# scripts use some of them.
filter f_local { facility(local0, local1, local2, local3, local4, local5, local6, local7); };
# Program-specific matches on the message text.
filter f_acpid { match('^\[acpid\]:'); };
filter f_netmgm { match('^NetworkManager:'); };
# Everything except mail, news and netfilter. Nothing here distinguishes
# remote messages from local ones: a remote host logging on local4 passes this
# filter. Excluding local4 (or "and not filter(f_local)") would also drop the
# local boot-script messages on those facilities, so separating the network
# source is the better fix.
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
# Warnings and worse, minus netfilter lines.
filter f_warn { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert { level(alert); };
#
# Most warning and errors on tty10 and on the xconsole pipe:
#
# /dev/tty10: group tty, mode 0620 (owner read/write, group write).
destination console {
    file("/dev/tty10"
         group(tty) perm(0620));
};
log {
    source(src);
    filter(f_console);
    destination(console);
};

# The same selection into the /dev/xconsole named pipe, mode 0400 (owner read).
destination xconsole {
    pipe("/dev/xconsole"
         group(tty) perm(0400));
};
log {
    source(src);
    filter(f_console);
    destination(xconsole);
};
# Enable this, if you want root to be informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };
#
# News-messages in separate files:
#
# Each file is owned by the news user and group; no perm() is given, so the
# mode presumably comes from the global perm(0640).
destination newscrit {
    file("/var/log/news/news.crit"
         owner(news) group(news));
};
log {
    source(src);
    filter(f_newscrit);
    destination(newscrit);
};

destination newserr {
    file("/var/log/news/news.err"
         owner(news) group(news));
};
log {
    source(src);
    filter(f_newserr);
    destination(newserr);
};

destination newsnotice {
    file("/var/log/news/news.notice"
         owner(news) group(news));
};
log {
    source(src);
    filter(f_newsnotice);
    destination(newsnotice);
};
#
# and optionally also all in one file:
# (don't forget to provide logrotation config)
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };
#
# Mail-messages in separate files:
#
destination mailinfo {
    file("/var/log/mail.info");
};
log {
    source(src);
    filter(f_mailinfo);
    destination(mailinfo);
};

destination mailwarn {
    file("/var/log/mail.warn");
};
log {
    source(src);
    filter(f_mailwarn);
    destination(mailwarn);
};

# fsync(yes): each mail error is forced to disk before syslog-ng moves on.
destination mailerr {
    file("/var/log/mail.err"
         fsync(yes));
};
log {
    source(src);
    filter(f_mailerr);
    destination(mailerr);
};
#
# and also all in one file:
#
destination mail {
    file("/var/log/mail");
};
log {
    source(src);
    filter(f_mail);
    destination(mail);
};
#
# acpid messages in one file:
#
destination acpid {
    file("/var/log/acpid");
};
# flags(final): a message matched here is not offered to the log paths below.
log {
    source(src);
    filter(f_acpid);
    destination(acpid);
    flags(final);
};
#
# NetworkManager messages in one file:
#
destination netmgm {
    file("/var/log/NetworkManager");
};
# flags(final): NetworkManager lines stop here and do not reach later paths.
log {
    source(src);
    filter(f_netmgm);
    destination(netmgm);
    flags(final);
};
#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };
#
# Some boot scripts use/require local[1-7]:
#
##destination localmessages { file("/var/log/localmessages"); };
##log { source(src); filter(f_local); destination(localmessages); };
#
# All messages except iptables and the facilities news and mail:
#
##destination messages { file("/var/log/messages"); };
##log { source(src); filter(f_messages); destination(messages); };
#
# Firewall (iptables) messages in one file:
#
destination firewall {
    file("/var/log/firewall");
};
log {
    source(src);
    filter(f_iptables);
    destination(firewall);
};
#
# Warnings (except iptables) in one file:
#
# fsync(yes): each warning is forced to disk before syslog-ng moves on.
destination warn {
    file("/var/log/warn"
         fsync(yes));
};
log {
    source(src);
    filter(f_warn);
    destination(warn);
};
#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };
#
# Archive every message under /data/logs/HOSTS/, one directory per sending
# host and facility, one file per day inside a month directory.
# $HOST_FROM is, per the syslog-ng macro docs, the host the message was
# received from (the last hop). Files are 0600 in 0700 directories, owned by
# root; create_dirs(yes) creates the per-host and per-month directories on
# demand.
#
destination logip {
    file("/data/logs/HOSTS/$HOST_FROM/$FACILITY/$YEAR$MONTH/$FACILITY$YEAR$MONTH$DAY"
         owner(root)
         group(root)
         perm(0600)
         dir_perm(0700)
         create_dirs(yes));
};
# NOTE(review): no filter, and 'src' includes internal() and /dev/log, so the
# local messages end up in this archive alongside the remote ones. A source
# holding only the udp() listener, referenced here instead of src, would keep
# the remote traffic out of the local log files and the local traffic out of
# this tree.
log {
    source(src);
    destination(logip);
};
rushd-linux:/home/rushd
#