I'm actually writing logs out to syslog as local6 facility using log4j. Then using rsyslog, I am forwarding those logs to the syslog-ng server using 'local6.* @centrallogserverhost'. So when syslog-ng receives those logs, it writes them out to a file named local5.$DAY according to my destination configuration. So, I don't know that $PROGRAM would accurately record the name. Will give it a shot and see.

-----Original Message-----
From: Martin Holste [mcholste@gmail.com]
Received: Friday, 25 Mar 2011, 12:21pm
To: Syslog-ng users' and developers' mailing list [syslog-ng@lists.balabit.hu]
CC: Steve Smith [ssmith@xpressdocs.com]
Subject: Re: [syslog-ng] Rewrite facility names of remote logs

Is "tomcat" the $PROGRAM or the $FACILITY name? I would think it would be $PROGRAM like "ssh" or "apache."

On Fri, Mar 25, 2011 at 9:44 AM, Steve Smith <ssmith@xpressdocs.com> wrote:

I’ve set up Syslog-NG to receive logs from other servers which have been configured as follows - Tomcat servers are forwarding logs as facility6 to rsyslog, which then forwards to central log server. Apache servers are forwarding logs as facility5 to rsyslog, which then forwards to central log server.
When I receive these logs on the central log server, they are written to files as their facility name, i.e. local6.$DAY. Is there a way to change or re-write the facility name on the fly so that instead of local6.$DAY I can get the file written as tomcat.$DAY?
Here is the configuration I’m using to store the logs -
destination d_net {
    file("/var/log/hosts/$YEAR/$MONTH/$HOST/$FACILITY.$DAY"
        owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
    );
};
log { source(s_net); destination(d_net); };
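An added example, not part of the original thread: one way to get tomcat.$DAY and apache.$DAY files is to match on the facility with syslog-ng filters and give each application its own destination. s_net and d_net are the names from the post; the f_* and d_tomcat/d_apache names are hypothetical, and "facility5"/"facility6" are assumed to mean local5/local6.

```conf
# Added example (not from the thread). Filter and destination names
# below are hypothetical; s_net and d_net come from the original post.

# Assumption: Tomcat arrives as local6 and Apache as local5.
filter f_tomcat { facility(local6); };
filter f_apache { facility(local5); };

# Same ownership and permission options as d_net, with a fixed
# application name in place of $FACILITY.
destination d_tomcat {
    file("/var/log/hosts/$YEAR/$MONTH/$HOST/tomcat.$DAY"
        owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
    );
};

destination d_apache {
    file("/var/log/hosts/$YEAR/$MONTH/$HOST/apache.$DAY"
        owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
    );
};

# flags(final) stops processing once a message has matched, so the
# catch-all path below does not also write it to local6.$DAY/local5.$DAY.
log { source(s_net); filter(f_tomcat); destination(d_tomcat); flags(final); };
log { source(s_net); filter(f_apache); destination(d_apache); flags(final); };

# Everything else keeps the facility-named file from the original config.
log { source(s_net); destination(d_net); };
```

The facility is set by the sender in each message's priority field, so these filters route on what the forwarding host claims rather than on a verified program name.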