On Wed, Oct 06, 1999 at 10:48:38PM -0400, Peter Choynowski wrote:
> I am just starting to look at syslog-ng, and after reading the documentation, I suspect it will not be able to do what I am after :( I am trying to set up a log host for a large network, and want to have messages from each host placed in a different directory, e.g. for host duey the directory might be:
> /var/log/duey
> and all the messages from duey would go into files under there. The problem is that I have a large number of hosts, and having to specify each host with host("xxx") is not practical (hosts are added all the time, and it would be too much effort to add it each time).
> I guess my question has to do with the ability of having macros that would be defined for each log line, i.e. let's say %h would get set to host, %ip to ip, %f to facility, ... - this way the destination could be written using the macros, e.g.
> log { source(...); filter(facility(auth)); destination(file("/var/log/%h/%f.log")); ... }

This is a planned feature. A lot of people have asked for this.

> If you can think of doing the above (even if I have to do a simple hack to the source, let me know if it is possible and not too difficult).

It's quite difficult, since you have to keep a cache of recently opened files, and close them automatically after a time interval.

> The other question I have has to do with syslog-ng resisting message flood type attacks - can you deal with that, and is there a way to alert admins using sendmail of a possible attack?

Not yet.

> How about dealing with growing logs and if they are about to fill up a partition - maybe an option should exist to alert admins if the partition becomes full to some user specified % or some given number of MB is left free.

This can be accomplished by other tools; a simple shell script called from cron would suffice.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
participants (1)
- Balazs Scheidler
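
The reply above notes that per-host destinations need a cache of recently opened files that are closed after a time interval. The sketch below is an added example, not syslog-ng code and not part of the original thread: it expands the %h and %f macros proposed in the question, keeps a bounded cache of open files, and closes idle ones. The class and function names, the limits, and the allow-list for macro values are assumptions. Because %h comes from the network, the value is validated before it becomes part of a path.

```python
import os, re, time
from collections import OrderedDict

# Assumed allow-list: no "/", no leading ".", so a hostile hostname cannot leave the log root.
SAFE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")

def expand(template, host, facility):
    """Expand %h and %f after checking both values against the allow-list."""
    for value in (host, facility):
        if not SAFE.match(value):
            raise ValueError("unsafe macro value: %r" % value)
    return template.replace("%h", host).replace("%f", facility)

class FileCache:
    """Keeps at most max_open files open and closes files idle for more than idle_secs."""
    def __init__(self, root, template, max_open=64, idle_secs=60, clock=time.monotonic):
        self.root, self.template = os.path.realpath(root), template
        self.max_open, self.idle_secs, self.clock = max_open, idle_secs, clock
        self.open_files = OrderedDict()  # path -> (file object, time of last write)

    def write(self, host, facility, line):
        rel = expand(self.template, host, facility)
        path = os.path.realpath(os.path.join(self.root, rel))
        if os.path.commonpath([self.root, path]) != self.root:  # also catches symlink escapes
            raise ValueError("path escapes log root")
        now = self.clock()
        self.reap(now)
        entry = self.open_files.pop(path, None)
        if entry is None:
            os.makedirs(os.path.dirname(path), mode=0o750, exist_ok=True)
            fh = open(path, "a", encoding="utf-8")
        else:
            fh = entry[0]
        fh.write(line.rstrip("\n") + "\n")
        fh.flush()
        self.open_files[path] = (fh, now)  # most recently used entry goes last
        while len(self.open_files) > self.max_open:  # evict least recently used
            self.open_files.popitem(last=False)[1][0].close()
        return path

    def reap(self, now):
        """Close files not written to within idle_secs; return how many were closed."""
        stale = [p for p, (_, used) in self.open_files.items() if now - used > self.idle_secs]
        for p in stale:
            self.open_files.pop(p)[0].close()
        return len(stale)
```

The max_open bound matters on a log host: without it, a sender that forges many distinct hostnames could exhaust the collector's file descriptors.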