On Thu, Nov 3, 2011 at 9:27 AM, Gergely Nagy <algernon@balabit.hu> wrote:
Miguel Alvarez <miguellvrz9@gmail.com> writes:
After being less than impressed with the stability of rsyslog, I just discovered syslog-ng and it looks really impressive but a bit overwhelming!
I have a simple configuration with my existing rsyslog set up where it's performing normal system syslog responsibilities but also tagging other log files and then forwarding them to a centralized log server. The examples I've seen for syslog-ng are making my head swim so I was hoping someone would be able to point me in the right direction on how to do the same with syslog-ng.
I don't quite understand the "tagging other log files" part, I'm afraid (but my rsyslog knowledge is... *ahem* lacking). Could you perhaps share the rsyslog config with us?
We could then see about how to convert it to a similar syslog-ng.conf.
(By the way, an rsyslog.conf->syslog-ng.conf converter has been requested before, and one of these days, I might get around to writing it, especially if there's bigger interest in such a tool.)
Thank you for the quick reply, Gergely! Sorry, I should have elaborated on the tagging other files part. I have a system that runs snort as well as bro. Snort writes its alert file to /var/log/snort/alert. Bro writes to a few files such as /var/log/bro/conn.log and /var/log/bro/http.log. Right now, I have rsyslog tagging each with a description of the given alert file so they can be filtered on the remote log server side: "[SNORT]" for snort, "[BRO-CONN]" and "[BRO-HTTP]" for bro's conn.log and http.log respectively. Here are the rsyslog configuration sections for those three logs:

    $InputFileName /var/log/snort/alert
    $InputFileTag [SNORT]
    $InputFileStateFile snortalertstate
    $InputFilePollInterval 5
    $InputFileFacility local7
    $InputFileSeverity info
    $InputRunFileMonitor

    $InputFileName /var/log/bro/conn.log
    $InputFileTag [BRO-CONN]
    $InputFileStateFile bro-conn
    $InputFilePollInterval 5
    $InputFileFacility local7
    $InputFileSeverity local
    $InputRunFileMonitor

    $InputFileName /var/log/bro/http.log
    $InputFileTag [BRO-HTTP]
    $InputFileStateFile bro-http
    $InputFilePollInterval 5
    $InputFileFacility local7
    $InputFileSeverity info
    $InputRunFileMonitor

I've attached the entire rsyslog.conf to this email, but the "$InputFileStateFile" file is like barnyard's waldo file where it keeps track of where it is in the logs so it doesn't resend the already sent log messages.

I think a rsyslog.conf > syslog-ng.conf tool would be hugely helpful! Especially since some Linux distros like Ubuntu I think are shipping with rsyslog as the default log server now, and if the only real barrier to migrating to syslog-ng is eased to the point where it's a non-issue, you'd likely have a lot more adoptees! Just my $0.02 anyway :-)

Thank you again for the help!
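As an added illustration (not code from either poster, nor the converter Gergely mentions), here is a small Python script that does the narrow conversion this thread is about: it reads the legacy rsyslog imfile directives ($InputFileName, $InputFileTag, $InputFilePollInterval, $InputFileFacility, $InputFileSeverity, terminated by $InputRunFileMonitor) and emits the equivalent syslog-ng file() sources, one remote destination and a log path per source. The sample input is constructed from the three sections quoted in the mail. The remote host name is a placeholder to be replaced with the real log server. It maps the tag to program-override(), the poll interval to follow-freq(), and facility/severity to default-facility()/default-priority(); flags(no-parse) is added on the assumption that snort and bro write plain, non-syslog-formatted lines, so each line should be kept whole as the message. Positions in the monitored files are tracked by syslog-ng's own persist file, which is the counterpart of $InputFileStateFile, so no per-source state file is emitted. The converter also flags a value that is not a syslog severity ("local" in the BRO-CONN section) instead of passing it through.

```python
import re

# Constructed sample input: the three rsyslog imfile sections from the mail,
# one directive per line, plus the module load line such a config needs.
SAMPLE_RSYSLOG = """
$ModLoad imfile
$InputFileName /var/log/snort/alert
$InputFileTag [SNORT]
$InputFileStateFile snortalertstate
$InputFilePollInterval 5
$InputFileFacility local7
$InputFileSeverity info
$InputRunFileMonitor

$InputFileName /var/log/bro/conn.log
$InputFileTag [BRO-CONN]
$InputFileStateFile bro-conn
$InputFilePollInterval 5
$InputFileFacility local7
$InputFileSeverity local
$inputRunFileMonitor

$InputFileName /var/log/bro/http.log
$InputFileTag [BRO-HTTP]
$InputFileStateFile bro-http
$InputFilePollInterval 5
$InputFileFacility local7
$InputFileSeverity info
$InputRunFileMonitor
"""

# Standard syslog severity and facility names; anything else is flagged.
SEVERITIES = {"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"}
FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"} | {"local%d" % i for i in range(8)}


def parse_file_monitors(text):
    """Return one dict per $InputRunFileMonitor block.
    Legacy rsyslog directives are case-insensitive, so keys are lower-cased."""
    monitors, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("$"):
            continue                      # comments, blank lines, anything else
        parts = line[1:].split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "inputrunfilemonitor":
            if "inputfilename" not in current:
                raise ValueError("$InputRunFileMonitor without $InputFileName")
            monitors.append(current)
            current = {}
        elif key.startswith("inputfile"):
            current[key] = value
    return monitors


def source_name(tag):
    """Derive a syslog-ng identifier from a tag: "[BRO-CONN]" -> "s_bro_conn"."""
    return "s_" + re.sub(r"[^a-z0-9]+", "_", tag.lower()).strip("_")


def render_syslog_ng(monitors, remote_host, remote_port=514):
    """Emit a syslog-ng.conf fragment. Returns (config_text, warnings)."""
    warnings, names = [], []
    lines = [
        "# Generated from rsyslog imfile directives (example converter output).",
        "# Read positions live in syslog-ng's persist file, the counterpart of",
        "# $InputFileStateFile, so no per-source state file is needed here.",
        "",
    ]
    for m in monitors:
        tag = m.get("inputfiletag", "")
        name = source_name(tag or m["inputfilename"])
        names.append(name)
        opts = ['"%s"' % m["inputfilename"]]
        if "inputfilepollinterval" in m:
            opts.append("follow-freq(%d)" % int(m["inputfilepollinterval"]))
        if tag:
            opts.append('program-override("%s")' % tag)
        fac = m.get("inputfilefacility", "").lower()
        if fac:
            if fac in FACILITIES:
                opts.append("default-facility(%s)" % fac)
            else:
                warnings.append("%s: '%s' is not a syslog facility, option omitted" % (name, fac))
        sev = m.get("inputfileseverity", "").lower()
        if sev:
            if sev in SEVERITIES:
                opts.append("default-priority(%s)" % sev)
            else:
                warnings.append("%s: '%s' is not a syslog severity, option omitted" % (name, sev))
        # Assumption: the monitored files are not syslog-formatted, so keep each line whole.
        opts.append("flags(no-parse)")
        lines += ["source %s {" % name, "    file(%s);" % " ".join(opts), "};"]
    lines.append("")
    lines.append('destination d_remote { tcp("%s" port(%d)); };' % (remote_host, remote_port))
    for name in names:
        lines.append("log { source(%s); destination(d_remote); };" % name)
    return "\n".join(lines) + "\n", warnings


if __name__ == "__main__":
    # Placeholder host: replace with the real central log server.
    cfg, warns = render_syslog_ng(parse_file_monitors(SAMPLE_RSYSLOG), "LOGSERVER_PLACEHOLDER")
    print(cfg)
    for w in warns:
        print("# WARNING:", w)
```

The generated fragment is meant to be reviewed, not dropped in blindly: the warnings list is where a directive that rsyslog may have silently tolerated (such as a severity of "local") surfaces, and the destination should be switched to a TLS-protected transport if the log server supports it, since the tagged IDS alerts cross the network in the clear over plain tcp().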