I believe your program filter will only work on the local host. The central server will only have the loglevel and facility to sort with.

Russell

On Mon, Feb 16, 2004 at 03:51:19PM -0600, Jeffrey Forman wrote:
I have just set up syslog-ng to log about 15 machines to a central log host, and I absolutely love it, but I have a question. Right now I'm splitting the logs like this on the loghost:

destination hosts {
    file("/mnt/backups/logs/$HOST/$YEAR/$MONTH/$FACILITY$YEAR$MONTH"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

But that only splits the logs via facility. There are more logs being written on the client log machines, which are configured like this:

destination messages { file("/var/log/messages"); };
destination ssh { file("/var/log/ssh.log"); };
destination cron { file("/var/log/cron.log"); };
destination auth { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog.log"); };
destination xinetd { file("/var/log/xinetd.log"); };
destination rsync { file("/var/log/rsync.log"); };
destination cfengine { file("/var/log/cfengine.log"); };

filter f_ssh { program("sshd"); };
filter f_cron { program("cron"); };
filter f_auth { program("su") or program("sudo"); };
filter f_syslog { program("syslog-ng"); };
filter f_xinetd { program("xinetd"); };
filter f_rsync { program("rsyncd"); };
filter f_cfengine { program("cfengine"); };
filter f_messages { ...}; # with messages getting everything else

log { source(src); filter(f_ssh); destination(ssh); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_auth); destination(auth); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_xinetd); destination(xinetd); };
log { source(src); filter(f_rsync); destination(rsync); };
log { source(src); filter(f_cfengine); destination(cfengine); };
log { source(src); filter(f_messages); destination(messages); };

What I would like to do is log the files as they are being logged locally on the client machines, the same way on the loghost. Do I have to change the destination? How do I get the same file names, etc., that are being logged, but on the loghost? Any help is greatly appreciated.

-Jeffrey

--
--------------------------
Jeffrey Forman
Gentoo Infrastructure Team
jforman@gentoo.org
--------------------------
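
A loghost-side configuration that reproduces the client's per-program file names under the existing per-host directory, as an added example that is not part of the original thread. It assumes the clients forward standard syslog messages over UDP 514, whose tag field carries the program name; the names s_net, f_* and d_* are hypothetical.

```conf
# Added example for the loghost; s_net, f_* and d_* are hypothetical names.
# Assumes clients forward standard syslog messages (tag = program name) over UDP 514.
source s_net { udp(ip(0.0.0.0) port(514)); };

filter f_ssh      { program("sshd"); };
filter f_cron     { program("cron"); };
filter f_auth     { program("su") or program("sudo"); };
filter f_syslog   { program("syslog-ng"); };
filter f_xinetd   { program("xinetd"); };
filter f_rsync    { program("rsyncd"); };
filter f_cfengine { program("cfengine"); };
# Everything not matched above, mirroring the client's "messages" file.
filter f_messages {
    not filter(f_ssh) and not filter(f_cron) and not filter(f_auth)
    and not filter(f_syslog) and not filter(f_xinetd)
    and not filter(f_rsync) and not filter(f_cfengine);
};

# Fixed file names per filter: the sender-supplied program tag selects a
# filter but never becomes part of the path on the loghost.
destination d_ssh      { file("/mnt/backups/logs/$HOST/$YEAR/$MONTH/ssh.log"      owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
destination d_cron     { file("/mnt/backups/logs/$HOST/$YEAR/$MONTH/cron.log"     owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
destination d_auth     { file("/mnt/backups/logs/$HOST/$YEAR/$MONTH/auth.log"     owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
destination d_syslog   { file("/mnt/backups/logs/$HOST/$YEAR/$MONTH/syslog.log"   owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
destination d_xinetd   { file("/mnt/backups/logs/$HOST/$YEAR/$MONTH/xinetd.log"   owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
destination d_rsync    { file("/mnt/backups/logs/$HOST/$YEAR/$MONTH/rsync.log"    owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
destination d_cfengine { file("/mnt/backups/logs/$HOST/$YEAR/$MONTH/cfengine.log" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
destination d_messages { file("/mnt/backups/logs/$HOST/$YEAR/$MONTH/messages"     owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };

log { source(s_net); filter(f_ssh);      destination(d_ssh); };
log { source(s_net); filter(f_cron);     destination(d_cron); };
log { source(s_net); filter(f_auth);     destination(d_auth); };
log { source(s_net); filter(f_syslog);   destination(d_syslog); };
log { source(s_net); filter(f_xinetd);   destination(d_xinetd); };
log { source(s_net); filter(f_rsync);    destination(d_rsync); };
log { source(s_net); filter(f_cfengine); destination(d_cfengine); };
log { source(s_net); filter(f_messages); destination(d_messages); };
```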