We run a rather large network, and are looking at running a secured machine for syslog, running syslog-ng hopefully.
Obviously, we want to separate out the log files for each host. Due to the number of hosts, this looks most easily done with the latest beta having the $HOST variable. So it's syslog-ng 1.3.6 on Debian running 2.2.12.
I made a rough fast configuration (see below). The idea is that the files end up in /syslog/hostname/file. Now, I've turned long_hostnames(on) which I guessed (docs are rather vague on most things) would make it use long host names for comparisons.
long_hostnames() means that each hop the message traverses gets added to the host field. Message on host1, from source src: src@host1. As this message is forwarded to host2, the _source_ hostname is appended: src@host1/host1; then, if it is again forwarded to host3: src@host1/host1/host2, and so on. This is needed if the message passes several firewalls. The $HOST macro always uses the first hostname.
To test, I didn't create the /syslog/name directories, and ran syslog-ng -d -v and it came up with "unable to open /syslog/max1/debug". Obviously this is incorrect as I wanted it to have a long host name.
I thought the obvious method here is to just remove hostnames altogether and use IP addresses (we use IPs for all RADIUS-related stuff, to stop the DNS dependency). So I remove resolv.conf and restart it with syslog-ng -d -v; this time it comes up with "unable to open /syslog/1.1.1.1/debug", which is fine.
So I create the directory 1.1.1.1 and restart the daemon; now it comes up with "unable to write to /syslog/1.1.1.1/debug, it's a directory". I switch the names back on and try, and it writes the file fine under /syslog/max1/debug. Turn names off again, and once again it will not write the file.
Any ideas? Or is this a bug that may be fixed soon =) The program looks great from where I am standing, if I could sort out this problem.
If I understand the above correctly, if names can be resolved, everything works well. If they cannot, syslog-ng gives you "unable to write to file, because it's a directory".
My other annoyance is that it does partial name matches, unless there is some way to turn this off that I haven't come across. Even with IP addresses, using host(1.1.1.1) matches 1.1.1.1 and 1.1.1.10, 1.1.1.100, 1.1.1.101, etc.
You should use regular expressions here: host("^1\.1\.1\.1$") should match only 1.1.1.1. I would disable DNS and add all logging hosts to the /etc/hosts file, because otherwise syslog-ng may block on DNS lookups. Maybe I'll have to add an option to disable DNS lookups completely, because it may easily lead to DoS attacks.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
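The poster's configuration is not in the thread, so the following is an added example (not the poster's or Bazsi's config) of the two points discussed above: a per-host file destination built from $HOST, and a host() filter anchored with ^ and $ so that 1.1.1.1 no longer selects 1.1.1.10, 1.1.1.100 and friends. It assumes syslog-ng 1.x syntax, receiving on UDP, and that /syslog/<host>/ already exists for every sender, as in the poster's layout.

```conf
# Added example, not the configuration from the thread. Assumes syslog-ng 1.x
# syntax and a pre-created /syslog/<host> directory for each sending host.
options {
    long_hostnames(on);   # $HOST is the first (originating) hostname in the chain;
                          # with no working DNS it is the sender's IP address instead
};

source s_net {
    udp();                # messages from the remote hosts
    internal();           # syslog-ng's own messages
};

# Unanchored pattern: host() does a partial match, so besides 1.1.1.1 this also
# selects 1.1.1.10, 1.1.1.100, 1.1.1.101 ... and their lines get misattributed.
# Kept here only for contrast; it is not used in a log path below.
filter f_host1_loose  { host("1.1.1.1"); };

# Anchored pattern: dots escaped, both ends pinned, so only 1.1.1.1 matches.
filter f_host1_strict { host("^1\.1\.1\.1$"); };

# One file per sender via the $HOST macro (directory must already exist).
destination d_per_host { file("/syslog/$HOST/debug"); };

# Dedicated file for the single host selected by the strict filter.
destination d_host1    { file("/syslog/1.1.1.1/debug"); };

log { source(s_net); destination(d_per_host); };
log { source(s_net); filter(f_host1_strict); destination(d_host1); };
```

If name resolution is kept on, each sender also needs an entry in /etc/hosts so that $HOST is stable and the daemon never blocks on a DNS lookup, as Bazsi recommends.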