file("/proc/kmsg" program_override("kernel: "));
Dear all,

I just started using syslog-ng to pipe log files to Loggly.com. I have a couple of questions.

First of all, why is there a `: ` after kernel here?

file("/proc/kmsg" program_override("kernel: "));

I have seen people do it differently, like so:

file("/proc/kmsg" program_override("kernel"));

Does this matter? And more generally, what does the entire rule do exactly?

The following is my syslog-ng.conf file: https://gist.github.com/2819768

As you can see, I have a lot of log files. Is this the proper way of doing this? Doesn't it cost a lot of resources for syslog-ng to check all these files for changes?

Finally, where can I find the documentation? E.g. I would like to learn about the specifics of follow_freq and what the parameter actually implies.

Thanks a lot for your help.

Kind regards,
Tom
Tom <tommedema@gmail.com> writes:
> Dear all,
> I just started using syslog-ng to pipe log files to Loggly.com.
> I have a couple of questions.
> First of all, why is there a `: ` after kernel here?
I do not know why there is a ': ' - my reading of the program_override() docs (see the admin guide link below) suggests that it should be 'kernel' alone.
> file("/proc/kmsg" program_override("kernel: "));
> I have seen people do it differently, like so:
> file("/proc/kmsg" program_override("kernel"));
> Does this matter? And more generally, what does the entire rule do exactly?
program_override() does as the name suggests: it makes the logs coming from /proc/kmsg appear as if they were sent by a program called "kernel" (if I remember correctly, kmsg does not have a program field by default).
> The following is my syslog-ng.conf file:
> https://gist.github.com/2819768
> As you can see, I have a lot of log files. Is this the proper way of doing this? Doesn't it cost a lot of resources for syslog-ng to check all these files for changes?
That's not really a lot, but nevertheless, until such time that wildcard source support lands in syslog-ng OSE, the way you do it is the proper way. As for the cost of watching changes: it's not all that high. On modern systems, epoll() or similar will be used, which was meant to make it efficient to watch a high number of sources for changes. Each active file adds a little bit of extra work, to be sure, but under a couple of hundred files, it shouldn't matter much, if at all.
> Finally, where can I find the documentation? E.g. I would like to learn about the specifics of follow_freq and what the parameter actually implies.
We have a detailed admin guide available at: https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guid... The man pages shipped with syslog-ng itself should mention it too. -- |8]
Hi,

On Tue, May 29, 2012 at 11:21 AM, Gergely Nagy <algernon@balabit.hu> wrote:
> Tom <tommedema@gmail.com> writes:
> > Dear all,
> > I just started using syslog-ng to pipe log files to Loggly.com.
> > I have a couple of questions.
> > First of all, why is there a `: ` after kernel here?
> I do not know why there is a ': ' - my reading of the program_override() docs (see the admin guide link below) suggests that it should be 'kernel' alone.
It's a relic from the syslog-ng 2.x era... log_prefix("kernel: ") was needed to have the same messages logged as klogd/syslogd used to write; however, log_prefix() left the header untouched, so it was a partial solution. People replacing log_prefix with program_override should be aware that the trailing doublecolon/space should get removed from the configs.

hth,
Sandor
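As an added example (not from any of the posts above), a minimal syslog-ng 3.3 configuration that puts the thread's points together: program_override("kernel") without the 2.x-era colon, per-file follow_freq(), and a destination template that shows where ${PROGRAM} ends up. The application log paths, the destination host and the port are made up for illustration.

```conf
@version: 3.3

source s_kernel {
    # /proc/kmsg lines carry no program name, so set one explicitly.
    # Use "kernel", not "kernel: ": with the trailing colon the PROGRAM
    # macro itself becomes "kernel: " and the template below would emit
    # "kernel: : <message>", which downstream parsers key on PROGRAM trip over.
    file("/proc/kmsg" program_override("kernel"));
};

source s_app {
    # follow_freq() is the poll interval in seconds for new lines in the file.
    # Paths and program names here are hypothetical.
    file("/var/log/myapp/app.log"   follow_freq(2) program_override("myapp"));
    file("/var/log/myapp/error.log" follow_freq(2) program_override("myapp-error"));
};

destination d_remote {
    # Hypothetical collector; replace host and port with the ones your provider gives you.
    tcp("logs.example.invalid" port(514)
        template("<${PRI}>${DATE} ${HOST} ${PROGRAM}: ${MSG}\n"));
};

log { source(s_kernel); source(s_app); destination(d_remote); };
```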