All,

I am working on creating a logging host for some network hardware. Being new to lunix and syslog-ng I am a little confused to how to keep the remote syslog messages from showing up in the system log files. I had to rem out the messages and and localmessages do to they are filling to fast. Any advice would be greatly appreciated.

Don R.

rushd-linux:/home/rushd # cat /etc/syslog-ng/syslog-ng.conf
#
# /etc/syslog-ng/syslog-ng.conf
#
# Automatically generated by SuSEconfig on Thu Aug 17 16:58:59 PDT 2006.
#
# PLEASE DO NOT EDIT THIS FILE!
#
# you can modify /etc/syslog-ng/syslog-ng.conf.in instead
#
#
#
# File format description can be found in syslog-ng.conf(5)
# and /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#

#
# Global options.
#
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
        #
        # include internal syslog-ng messages
        # note: the internal() soure is required!
        #
        internal();

        #
        # the following line will be replaced by the
        # socket list generated by SuSEconfig using
        # variables from /etc/sysconfig/syslog:
        #
        unix-dgram("/dev/log");

        #
        # uncomment to process log messages from network:
        #
        udp(ip("0.0.0.0") port(514));
};

#
# Filter definitions
#
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };

filter f_console { level(warn) and facility(kern) and not filter(f_iptables)
or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit)   and facility(news); };
filter f_newserr    { level(err)    and facility(news); };
filter f_news       { facility(news); };

filter f_mailinfo   { level(info)      and facility(mail); };
filter f_mailwarn   { level(warn)      and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };

filter f_cron { facility(cron); };

filter f_local { facility(local0, local1, local2, local3,
local4, local5, local6, local7); };

filter f_acpid { match('^\[acpid\]:'); };
filter f_netmgm { match('^NetworkManager:'); };

filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };

#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console { file("/dev/tty10" group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };

#
# News-messages in separate files:
#
destination newscrit { file("/var/log/news/news.crit"
owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr { file("/var/log/news/news.err"
owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"
owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

#
# and optionally also all in one file:
# (don't forget to provide logrotation config)
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };

#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };

#
# and also all in one file:
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };

#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid"); };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };

#
# NetworkManager messages in one file:
#
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };

#
# Some boot scripts use/require local[1-7]:
#
##destination localmessages { file("/var/log/localmessages"); };
##log { source(src); filter(f_local); destination(localmessages); };

#
# All messages except iptables and the facilities news and mail:
#
##destination messages { file("/var/log/messages"); };
##log { source(src); filter(f_messages); destination(messages); };

#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };

#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

destination logip {
file("/data/logs/HOSTS/$HOST_FROM/$FACILITY/$YEAR$MONTH/$FACILITY$YEAR$MONTH$DAY"
owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes) );
};

log {
source(src);
destination(logip);
};
rushd-linux:/home/rushd #