Re: [syslog-ng]Configure syslog-ng to act as a central logging server
I will be logging from 10 firewalls, 20 linux boxes, 2 routers and a handful of workstations. Will this configuration file do the trick?

source s_sys {
    file("/proc/kmsg" log_prefix("kernel: "));
    unix_stream("/dev/log");
    internal();
};

destination hosts {
    file("/var/syslog/HOSTS/$HOST/$YEAR/$MONTH/$HOST-$FACILITY-$YEAR$MONTH$DAY"
         owner(root) group(root) perm(0755) dir_perm(0755) create_dirs(yes));
};
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };

#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
log { source(s_sys); destination(hosts); };

Thanks, Ryan
Bill Nash <billn@billn.net> 03/31 10:26 am >>>
You'll need a log() directive that includes the destination. The basic path is: Log Source -> Optional Filter -> Destination.
- billn

On Thu, 31 Mar 2005, Ryan McCain wrote:
Bill,
So I can simply add this to my conf. file (modifying owner, group, perm, dir_perm of course) and it will start accepting logs from remote servers?
Where do I specify which hosts to accept logs from (I'd prefer not to use tcp wrappers)?
Thanks again, Ryan
Bill Nash <billn@billn.net> 03/31 10:15 am >>>
On Thu, 31 Mar 2005, Ryan McCain wrote:
I'm starting to understand the syntax. However, what part of this statement tells syslog-ng to create a file for each host it's receiving logs from?
destination hosts {
    file("/var/syslog/HOSTS/$HOST/$YEAR/$MONTH/$HOST-$FACILITY-$YEAR$MONTH$DAY"
         owner(bob) group(llamafood) perm(0755) dir_perm(0755) create_dirs(yes));
};
If the file doesn't exist, it will be created. If the directory doesn't exist, you need the create_dirs directive.
- billn
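The configuration Ryan posted above only has a source for the local box (/proc/kmsg, /dev/log, internal()), so nothing in it listens on the network; and the "which hosts to accept from" question can be answered inside syslog-ng with a netmask() filter in the log path rather than with tcp wrappers. The fragment below is an added example for this thread, not Ryan's or Bill's configuration: a network source, a sender-address filter, and the per-host destination wired together as Source -> Filter -> Destination. The two subnets, the group name, and the 0640/0750 permission values are assumptions for illustration.

```conf
# Added example (not from the original thread): central syslog-ng receiver
# that listens on the network, accepts only known sender subnets, and writes
# one file per host, facility and day. Subnets and permissions are assumed.

options {
    keep_hostname(no);   # $HOST comes from the peer that delivered the message,
                         # not from hostname text inside the message
    use_dns(no);         # $HOST is the peer IP; directory names cannot depend on DNS
};

source s_net {
    udp(ip(0.0.0.0) port(514));                      # classic syslog/UDP from the firewalls and routers
    tcp(ip(0.0.0.0) port(514) max_connections(50));  # for the linux boxes that can send over TCP
};

# netmask() tests the address of the host that actually delivered the message,
# so it is the filter to use for "which hosts may log here".
filter f_allowed_hosts {
    netmask("10.0.0.0/255.255.255.0") or netmask("192.168.1.0/255.255.255.0");
};

# Same layout as the thread's destination, with the assumed tighter permissions:
# logs are not executable and not world-readable.
destination d_hosts {
    file("/var/syslog/HOSTS/$HOST/$YEAR/$MONTH/$HOST-$FACILITY-$YEAR$MONTH$DAY"
         owner(root) group(adm) perm(0640) dir_perm(0750) create_dirs(yes));
};

log { source(s_net); filter(f_allowed_hosts); destination(d_hosts); };
```

Two caveats for the filter. A host() filter matches the HOST field of the message, not the socket peer address, so with keep_hostname(yes) a remote sender could choose what host() sees and which $HOST directory its lines land in; netmask() does not have that problem. Over UDP the source address itself can be forged, so netmask() on a UDP source only filters out casual noise; the TCP source gives a real handshake with the peer and is the one to rely on for the hosts that can use it.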