Creating a named pipe (FIFO)
We create our pipes by placing the appropriate commands in the syslog-ng startup file (/etc/init.d/syslog-ng).

[Actually, we test to see if the pipe already exists; if not, we create it. We do this creation in /var/run and here the pipe needs to be recreated after every boot. We don't want to recreate it when we restart the process (syslog-ng) that is feeding it, since recreating it requires us to bounce the process that is reading from it (fisq.pl)].

Kim Cary
Infrastructure Security Administrator
M-F 7-4 ~ 310 506 6655
We do the opposite. We wanted to use the message matching rules of syslog-ng to essentially rewrite the facility.level (priority) of messages and then log them again. To accomplish this, we have a "normal" syslog-ng running that listens on the localhost:514 port that then logs to the local files, and to a central syslog-ng server. We then start a second instance of syslog-ng within the startup script for the applications, such as apache.

- check for and create the named pipe(s)
- start syslog-ng specific to this application
- start the application that logs to the named pipe(s)

This instance of syslog-ng parses the messages and relogs via syslog to localhost with a new set of priorities. This allows local syslog files to contain the appropriate facility.level of messages as well as our central syslog-ng server. It also allows for a very complicated set of match rules for a given application without making an overly complicated syslog-ng configuration file. Basically you end up with one configuration file per application.

This is just our syslog architecture, so your mileage may vary.

Evan.

On Wed, 22 Mar 2006, Cary, Kim wrote:
Date: Wed, 22 Mar 2006 09:11:26 -0800
From: "Cary, Kim" <Kim.Cary@pepperdine.edu>
Reply-To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Creating a named pipe (FIFO)
We create our pipes by placing the appropriate commands in the syslog-ng startup file (/etc/init.d/syslog-ng).
[Actually, we test to see if the pipe already exists; if not, we create it. We do this creation in /var/run and here the pipe needs to be recreated after every boot. We don't want to recreate it when we restart the process (syslog-ng) that is feeding it, since recreating it requires us to bounce the process that is reading from it (fisq.pl)].
Kim Cary Infrastructure Security Administrator M-F 7-4 ~ 310 506 6655
-- Evan Rempel erempel@uvic.ca Senior Programmer Analyst 250.721.7691 Computing Services University of Victoria
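The "check for and create the named pipe" step both messages describe, as an added example that is not code from either poster. The helper name `ensure_fifo` and the pipe path in the usage comment are assumptions; the symlink and wrong-file-type refusals and the 0600 mode are hardening added here, not something the thread specifies.

```shell
#!/bin/sh
# Added example: idempotent FIFO setup for an init script start) branch.
# ensure_fifo is a hypothetical helper name, not part of syslog-ng.
#
# Usage (placeholder path, constructed for illustration):
#   ensure_fifo /var/run/example-app.pipe 600 || exit 1

ensure_fifo() {
    fifo=$1
    mode=${2:-600}

    # [ -p ] follows symlinks, so test for a link first. A link planted
    # at this name could redirect log data to another location.
    if [ -L "$fifo" ]; then
        echo "ensure_fifo: $fifo is a symlink, refusing" >&2
        return 2
    fi

    # Already a FIFO: leave it untouched. Recreating it would orphan the
    # descriptor held by the reading process, which would then need a
    # restart (the situation the first message wants to avoid).
    if [ -p "$fifo" ]; then
        return 0
    fi

    # The name is taken by something else (regular file, directory,
    # socket). Fail loudly instead of deleting or writing into it.
    if [ -e "$fifo" ]; then
        echo "ensure_fifo: $fifo exists but is not a FIFO, refusing" >&2
        return 2
    fi

    # Create with the final mode in one step, so the pipe is never
    # briefly readable or writable by other local users.
    mkfifo -m "$mode" "$fifo" || return 1
}
```

The mode and ownership have to match the accounts that write to and read from the pipe; 600 only fits when both ends run as the same user.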
participants (2)
- Cary, Kim
- Evan Rempel