Hi, I have tried your configuration. I'm very happy; it succeeded and my syslog-ng is running like a charm. You are very helpful. Right now, I can sleep well. Thank you very much.

On Fri, Sep 12, 2008 at 5:10 PM, Geller, Sandor (IT) <Sandor.Geller@morganstanley.com> wrote:
Hi,
#
# This sample configuration file is essentially equivalent to the stock
# FreeBSD /etc/syslog.conf file.
#
#
# options
#
options { long_hostnames(off); sync(0); };
#
# sources
#
source src {
    unix-dgram("/var/run/log");
    unix-dgram("/var/run/logpriv" perm(0600));
    udp();
    internal();
    file("/dev/klog");
};
You have a single source definition having multiple sources. As syslog-ng can't differentiate between these sources later, all logs arriving from any of the sources above would give a match. So I'd recommend moving at least the udp() source to a separate source definition, like
source src {
    unix-dgram("/var/run/log");
    unix-dgram("/var/run/logpriv" perm(0600));
    internal();
    file("/dev/klog");
};
source s_remote { udp(); tcp(); };
And use these sources in the log sections. This way syslog-ng can distinguish between the locally and the remotely generated logs.
#
# destinations
#
#destination local0.info {
#    file("/var/log/remote/servers/$HOST/$YEAR/$MONTH/$DAY/pflogd/pflogd.log"
#        owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
#    );
#};
destination messages { file("/var/log/remote/messages"); };
destination localhost { file("/var/log/remote/syslog-ng.all"); };
destination security { file("/var/log/remote/security"); };
destination authlog { file("/var/log/remote/auth.log"); };
destination maillog { file("/var/log/remote/maillog"); };
destination lpd-errs { file("/var/log/remote/lpd-errs"); };
destination xferlog { file("/var/log/remote/xferlog"); };
destination cron { file("/var/log/remote/cron"); };
destination debuglog { file("/var/log/remote/debug.log"); };
destination consolelog { file("/var/log/remote/console.log"); };
destination all { file("/var/log/remote/all.log"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination slip { file("/var/log/remote/slip.log"); };
destination ppp { file("/var/log/remote/ppp.log"); };
destination console { file("/dev/console"); };
destination allusers { usertty("*"); };
#destination loghost { udp("loghost" port(514)); };
#destination local0 { file("/var/log/remote/pflog.txt"); };
destination local0 { file("/var/log/remote/local0.log"); };
#destination local1 { file("/var/log/remote/alert"); };
destination local1 { file("/var/log/remote/local1.log"); };
#log {
#    source(tcp); source(internal); source(udp); source(unix);
#    source(s_tcp); source(s_internal); source(s_udp); source(s_unix);
#    filter(f_local0); filter(f_local1);
#    destination(df_local1);
#};
In this commented part you have two filters which mutually exclude each other. As syslog-ng uses a logical AND operation, this log section won't work.
#
# log facility filters
#
filter f_auth { facility(auth); };
filter f_authpriv { facility(authpriv); };
filter f_not_authpriv { not facility(authpriv); };
filter f_console { facility(console); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_ftp { facility(ftp); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_security { facility(security); };
You should remove security. It's just an alias to auth.
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
#filter f_local0 { facility(local0); };
#filter f_local00 { facility(local0); };
#filter f_local1 { facility(local1); };
#filter f_local01 { facility(local1) or facility(local1); };
filter f_local2 { facility(local2); };
filter f_local3 { facility(local3); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };
#
# log level filters
#
filter f_emerg { level(emerg); };
filter f_alert { level(alert..emerg); };
filter f_crit { level(crit..emerg); };
filter f_err { level(err..emerg); };
filter f_warning { level(warning..emerg); };
filter f_notice { level(notice..emerg); };
filter f_info { level(info..emerg); };
filter f_debug { level(debug..emerg); };
filter f_is_debug { level(debug); };
#
# program filters
#
filter f_ppp { program("ppp"); };
filter f_slip { program("startslip"); };
Better to use anchors to avoid false matches: program("^ppp$")
#
# *.err;kern.warning;auth.notice;mail.crit /dev/console
#
log { source(src); filter(f_err); destination(console); };
log { source(src); filter(f_kern); filter(f_warning); destination(console); };
log { source(src); filter(f_auth); filter(f_notice); destination(console); };
log { source(src); filter(f_mail); filter(f_crit); destination(console); };
#
# *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
#
log { source(src); filter(f_notice); filter(f_not_authpriv); destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
log { source(src); filter(f_news); filter(f_err); destination(messages); };
#
# security.* /var/log/security
#
log { source(src); filter(f_security); destination(security); };
#
# auth.info;authpriv.info /var/log/auth.log
#
log { source(src); filter(f_auth); filter(f_info); destination(authlog); };
log { source(src); filter(f_authpriv); filter(f_info); destination(authlog); };
#
# mail.info /var/log/maillog
#
log { source(src); filter(f_mail); filter(f_info); destination(maillog); };
#
# lpr.info /var/log/lpd-errs
#
log { source(src); filter(f_lpr); filter(f_info); destination(lpd-errs); };
#
# ftp.info /var/log/xferlog
#
log { source(src); filter(f_ftp); filter(f_info); destination(xferlog); };
#
# cron.* /var/log/cron
#
log { source(src); filter(f_cron); destination(cron); };
#
# *.=debug /var/log/debug.log
#
log { source(src); filter(f_is_debug); destination(debuglog); };
#
# *.emerg *
#
log { source(src); filter(f_emerg); destination(allusers); };
#
# uncomment this to log all writes to /dev/console to /var/log/console.log
# console.info /var/log/console.log
#
#log { source(src); filter(f_console); filter(f_info); destination(consolelog); };
#
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
# *.* /var/log/all.log
#
#log { source(src); destination(all); };
#
# uncomment this to enable logging to a remote loghost named loghost
# *.* @loghost
#
#log { source(src); destination(loghost); };
#
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
#
#log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
#log { source(src); filter(f_news); filter(f_err); destination(newserr); };
#log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
#
# !startslip
# *.* /var/log/slip.log
#
log { source(src); filter(f_slip); destination(slip); };
#
# !ppp
# *.* /var/log/ppp.log
#
log { source(src); filter(f_ppp); destination(ppp); };
As you're not logging local0 or local1, the config needs to be extended. First uncomment the f_local0 and f_local1 filters above, and add something like this to your config:
# local0.info
log { source(src); filter(f_local0); filter(f_info); destination(local0); };
# local1.info
log { source(src); filter(f_local1); filter(f_info); destination(local1); };
Before making any changes I'd think about whether I need to separate the local and remote logs, and if so, I'd update the log{} sections to refer to the appropriate source definition.
Regards,
Sandor
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
-- MUHAMMAD AZIZUL DARUS http://www.foodmalaysia.net http://www.myfelis.com http://yourubuntulinux.blogspot.com http://opensource-2u.blogspot.com http://photograph2u.blogspot.com http://malaysiataste.blogspot.com http://jomshopping.blogspot.com http://jahitan-manik.blogspot.com http://nissan-maniac.blogspot.com http://narutoslash.blogspot.com/
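A small model of the routing rules discussed in the thread (an added example, not code from the thread or from syslog-ng itself): it reproduces how filters inside one log{} statement are ANDed, the level(x..y) range syntax, the unanchored program() match, and the local/remote source split Sandor recommends, and shows why the commented-out local0/local1 path can never match. The sample messages and the s_remote/remote_local0 names are constructed for the example.

```python
import re

# Syslog severities in numeric order (emerg = 0 ... debug = 7).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def facility(name):
    return lambda m: m["facility"] == name

def level(spec):
    """Mirror syslog-ng's level(x) and level(x..y) range syntax."""
    lo, _, hi = spec.partition("..")
    a, b = sorted((LEVELS.index(lo), LEVELS.index(hi or lo)))
    return lambda m: a <= LEVELS.index(m["level"]) <= b

def program(pattern):
    # syslog-ng's program() is an unanchored regexp match, like re.search.
    return lambda m: re.search(pattern, m["program"]) is not None

def route(msg, log_paths):
    """Destinations that receive msg: the message must come from one of the
    path's sources AND every filter of the path must match (filters are ANDed)."""
    return [dest for srcs, filters, dest in log_paths
            if msg["source"] in srcs and all(f(msg) for f in filters)]

# Constructed sample messages, tagged with the source definition they came in on.
MSGS = {
    "local_ppp":  {"source": "src", "facility": "local0", "level": "info", "program": "ppp"},
    "local_pppd": {"source": "src", "facility": "local0", "level": "info", "program": "pppd"},
    "remote_ppp": {"source": "s_remote", "facility": "local0", "level": "info", "program": "ppp"},
}

# The commented-out path from the thread: f_local0 AND f_local1 never both hold.
BROKEN = [(["src"], [facility("local0"), facility("local1")], "df_local1")]

# Sandor's fix: one log{} per facility, and a separate source for remote logs.
FIXED = [
    (["src"], [facility("local0"), level("info..emerg")], "local0"),
    (["src"], [facility("local1"), level("info..emerg")], "local1"),
    (["s_remote"], [facility("local0")], "remote_local0"),
]

# Unanchored program("ppp") also matches "pppd"; program("^ppp$") does not.
LOOSE = [(["src"], [program("ppp")], "ppp")]
STRICT = [(["src"], [program("^ppp$")], "ppp")]

if __name__ == "__main__":
    for name, msg in MSGS.items():
        print(name, "broken:", route(msg, BROKEN), "fixed:", route(msg, FIXED),
              "loose:", route(msg, LOOSE), "strict:", route(msg, STRICT))
```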