Postfix messages were logged in /var/log/messages.
Here is how syslog-ng.conf was (before my changes):
----------------------------------------------------
# cat /etc/syslog-ng/syslog-ng.conf.orig
@version: 3.0
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.3,v 1.1 2010/04/06 02:11:35 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux

options {
    chain_hostnames(no);

    # The default action of syslog-ng is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats_freq(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); destination(messages); };
log { source(src); destination(console_all); };
-------------------------------------------------

I wanted to log postfix messages to a new file: /var/log/mail.log
I changed /etc/syslog-ng/syslog-ng.conf like so:

# diff syslog-ng.conf.orig syslog-ng.conf 15a16,23
filter mail { facility(mail); };
filter notmail { not facility(mail); };
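Review bot: filter notmail in this 15a16,23 hunk restates the facility(mail) test a second time, so the two definitions can drift apart if the mail filter is later widened, and messages would then land in both files or in neither. Define it in terms of the first filter, filter notmail { not filter(mail); };, so the complement is always exact.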
22a31
destination mail { file("/var/log/mail.log"); }; 31,32c40,42 < log { source(src); destination(messages); }; < log { source(src); destination(console_all); };
log { source(src); filter(mail); destination(mail); }; log { source(src); filter(notmail); destination(messages); }; log { source(src); filter(notmail); destination(console_all); };
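Review bot: destination mail in the 22a31 hunk creates /var/log/mail.log with no owner(), group() or perm() on file(), and the options block shown sets no global defaults either, so the file's access mode is left to syslog-ng's defaults. Postfix log lines carry sender and recipient addresses; set the mode explicitly, for example file("/var/log/mail.log" owner(root) perm(0640)); and add a group() for whoever should read mail logs on this host.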
It worked, or at least I think so, by looking at both /var/log/messages and /var/log/mail.log.

So, my questions are:
1) Are my edits OK? Did I do anything wrong?
2) Should I have configured it otherwise, perhaps more efficiently?

Thanks.
Thanasis
Ya, that's fine. The only change I'd make is instead of

log { source(src); filter(notmail); destination(messages); };
log { source(src); filter(notmail); destination(console_all); };

do

log { source(src); filter(notmail); destination(messages); destination(console_all); };

That way it doesn't have to apply the filter three times, only twice.
You could optimize it even further with the fallback flag, but unless you've got a really high volume of messages, you could probably just leave it as is.

Sent: Tuesday, June 01, 2010 1:10:24 PM
From: Thanasis <thanasis@asyr.hopto.org>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] log smtp mail messages to a specific file
On Tuesday 01 June 2010 21:10:24 Thanasis wrote:
Postfix messages were logged in /var/log/messages.
[snip]
I wanted to log postfix messages to a new file: /var/log/mail.log
I changed /etc/syslog-ng/syslog-ng.conf like so:
# diff syslog-ng.conf.orig syslog-ng.conf 15a16,23
filter mail {
facility(mail);
};
filter notmail {
not facility(mail);
};
22a31
destination mail { file("/var/log/mail.log"); };
31,32c40,42 < log { source(src); destination(messages); }; < log { source(src); destination(console_all); }; ---
log { source(src); filter(mail); destination(mail); }; log { source(src); filter(notmail); destination(messages); }; log { source(src); filter(notmail); destination(console_all); };
----------------------------------------------------------------------
It worked, or at least I think so, by looking at both /var/log/messages and /var/log/mail.log.
So, my questions are:
1) Are my edits OK? Did I do anything wrong?
2) Should I have configured it otherwise, perhaps more efficiently?
Hi,

Your edits are fine, that will work. It gets complex, but that is unavoidable. Your method has the advantage that you can re-arrange the order of your config stanzas and the end result will be the same.

There is a slightly more efficient way, and that is to use the "final" option in your mail log statement and leave everything else as it was, with the messages log statement at the end. Processing stops when a final is reached, meaning that mail logs will never reach the config that sends them to messages.

I don't recommend this route for your case though, as:

- The order of log statements becomes critical, so not only do you have to specify your filters correctly, you also have to *place* them correctly too.
- Other people maintaining your config have to know you did this and take it into account. There are few things more annoying than being forced to understand the whole thing completely to just modify one part of it.
- You *will* forget you did this! (ask me how I know this....) and you will break stuff. A mistake in a config means lost logs. Lost logs means you never get them back...

There are cases where "final" is appropriate (I use it myself) but it has to be used carefully and with caution.

--
Alan McKinnon
Systems Engineer^W Technician
Infrastructure Services
Internet Solutions
+27 11 575 7585
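Added example (not from any poster in this thread, and not syslog-ng code): a simplified Python model of how log statements are evaluated, showing why the flags(final) layout described above depends on statement order while the filter-based layout and the fallback flag mentioned earlier in the thread do not. It matches on facility only; LogPath and route are illustrative names.

```python
# Simplified model of syslog-ng log-path evaluation (added example, not syslog-ng code).
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class LogPath:
    match: Callable[[str], bool]   # stands in for filter(...), keyed on facility only
    destinations: List[str]
    final: bool = False            # flags(final)
    fallback: bool = False         # flags(fallback)

def is_mail(facility: str) -> bool:
    return facility == "mail"

def not_mail(facility: str) -> bool:
    return facility != "mail"

def anything(facility: str) -> bool:
    return True

def route(facility: str, paths: List[LogPath]) -> List[str]:
    """Destinations a message is written to, in evaluation order."""
    written: List[str] = []
    matched = False
    for want_fallback in (False, True):
        if want_fallback and matched:
            break                  # fallback paths only see otherwise unmatched messages
        for path in paths:
            if path.fallback != want_fallback or not path.match(facility):
                continue
            matched = True
            written.extend(path.destinations)
            if path.final:
                break              # later log statements never see this message
    return written

# The three layouts discussed in the thread (destination names from the posted config).
FILTERED = [LogPath(is_mail, ["mail"]), LogPath(not_mail, ["messages"]),
            LogPath(not_mail, ["console_all"])]
FINAL = [LogPath(is_mail, ["mail"], final=True),
         LogPath(anything, ["messages", "console_all"])]
FALLBACK = [LogPath(is_mail, ["mail"]),
            LogPath(anything, ["messages", "console_all"], fallback=True)]

if __name__ == "__main__":
    for name, cfg in (("filtered", FILTERED), ("final", FINAL), ("fallback", FALLBACK)):
        for order, paths in (("as written", cfg), ("reversed", cfg[::-1])):
            print(f"{name:9} {order:10} mail -> {route('mail', paths)}")
```

Only the reversed "final" layout writes mail-facility messages to messages and console_all as well as mail, which is the silent misrouting the ordering warning is about.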
So, a more compact (and more efficient) edit would be: # diff syslog-ng.conf.orig syslog-ng.conf 15a16,19
filter mail { facility(mail); };
22a27
destination mail { file("/var/log/mail.log"); }; 31,32c36,37 < log { source(src); destination(messages); }; < log { source(src); destination(console_all); };
log { source(src); filter(mail); destination(mail); flags(final); }; log { source(src); destination(messages); destination(console_all); };
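Review bot: The flags(final) statement in the 31,32c36,37 hunk keeps mail out of /var/log/messages only while it sits above the unfiltered log statement, and nothing in the file records that. Put a comment directly above it saying the order is significant, or keep the order-independent filter(notmail) form from the earlier diff if other people edit this config.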
Thank you (both) for your suggestions (and warnings)! ;-)
Yes, that is perfectly valid and should work as you intend.

Sent: Tuesday, June 01, 2010 3:40:54 PM
From: Thanasis <thanasis@asyr.hopto.org>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] log smtp mail messages to a specific file
participants (3)
- Alan McKinnon
- Patrick H.
- Thanasis