[syslog-ng] Host Separation

Nigel Bovey nigelb@staff.ihug.co.nz
Thu, 9 Dec 1999 05:55:16 +1300 (NZDT)


Hi,

We run a rather large network, and are looking at running a secured
machine for syslog, running syslog-ng hopefully.

Obviously, we want to separate out the log files for each host. Due to the
number of hosts, this looks most easily done with the latest beta having
the $HOST variable. So it's syslog-ng 1.3.6 on Debian running 2.2.12.

I made a rough fast configuration (see below). The idea is that the files
end up in /syslog/hostname/file. Now, I've turned long_hostnames(on) which
I guessed (docs are rather vague on most things) would make it use long
host names for comparisons.

To test, I didn't create the /syslog/name directories, and ran syslog-ng
-d -v and it came up with "unable to open /syslog/max1/debug". Obviously
this is incorrect as I wanted it to have a long host name. 

I thought the obvious method here is to just remove hostnames
altogether, and use IP addresses (we use IPs for all RADIUS related stuff,
to stop DNS dependency). So I remove resolv.conf and restart it with
syslog-ng -d -v, this time it comes up with "unable to open
/syslog/1.1.1.1/debug" which is fine.

So I create the directory 1.1.1.1 and restart the daemon, now it comes up
with "unable to write to /syslog/1.1.1.1/debug, its a directory". I switch
the names back on and try, and it writes the file fine under
/syslog/max1/debug. Turn names off again, and once again it will not write
the file.

Any ideas? Or is this a bug that may be fixed soon =) The program looks
great from where I am standing, if I could sort out this problem.

My other annoyance is that it does partial name matches, unless there is
some way to turn this off that I haven't come across. Even with IP
addresses, using host(1.1.1.1) matches 1.1.1.1 and
1.1.1.10, 100, 101, etc.

Any help greatly appreciated.

---
Nigel Bovey
IHUG Network Operations Team

--------------------------------------------------------------------------

options { long_hostnames(on); sync(0); };

source src { unix-stream("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); };

# filters

filter f_auth { facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };   # was facility(cron), which duplicated f_cron
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn); };
filter f_emergency { level(emerg); };

# destinations

destination auth { file("/syslog/$HOST/auth"); };
destination cron { file("/syslog/$HOST/cron"); };
destination daemon { file("/syslog/$HOST/daemon"); };
destination kern { file("/syslog/$HOST/kern"); };
destination lpr { file("/syslog/$HOST/lpr"); };
destination mail { file("/syslog/$HOST/mail"); };
destination user { file("/syslog/$HOST/user"); };
destination uucp { file("/syslog/$HOST/uucp"); };
destination news { file("/syslog/$HOST/news"); };
destination debug { file("/syslog/$HOST/debug"); };
destination emergency { file("/syslog/$HOST/emergency"); };
destination messages { file("/syslog/$HOST/messages"); };

# log statements

log { source(src); filter(f_auth); destination(auth); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_news); destination(news); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(emergency); };
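Added example, not code from the original post or from syslog-ng: a small Python model of what the configuration above does with each incoming line, so the routing and the host-matching complaint can be checked offline. It assumes BSD syslog PRI numbering (facility * 8 + severity) and that host() searches its argument as an unanchored regular expression, which is what the partial matches described above suggest; it also adds a check on the HOST field before it becomes a path component, which the posted config does not have.

```python
import re

# BSD syslog PRI = facility * 8 + severity (RFC 3164 numbering).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv"}
# Per-facility destination files from the posted config (auth and authpriv share one file).
FACILITY_FILE = {"auth": "auth", "authpriv": "auth", "cron": "cron", "daemon": "daemon",
                 "kern": "kern", "lpr": "lpr", "mail": "mail", "user": "user",
                 "uucp": "uucp", "news": "news"}
# Constructed hostname policy: only characters a hostname or dotted quad may contain,
# so a forged HOST field such as "../etc" never becomes part of a path under /syslog.
SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,254}$")
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse(line):
    """Split a BSD syslog line into facility name, severity number, host and message."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri = int(m.group(1))
    return {"facility": FACILITIES.get(pri >> 3, "other"), "severity": pri & 7,
            "host": m.group(3), "msg": m.group(4)}

def route(msg, base="/syslog"):
    """Return the file paths the posted config would write this message to."""
    if not SAFE_HOST.match(msg["host"]):
        raise ValueError("refusing unsafe HOST value %r" % msg["host"])
    files = []
    if msg["facility"] in FACILITY_FILE:
        files.append(FACILITY_FILE[msg["facility"]])
    if msg["facility"] not in ("auth", "authpriv", "news", "mail"):  # f_debug
        files.append("debug")
    if 4 <= msg["severity"] <= 6:   # f_messages: level(info..warn) is severities 6..4
        files.append("messages")
    if msg["severity"] == 0:        # f_emergency
        files.append("emergency")
    return ["%s/%s/%s" % (base, msg["host"], f) for f in files]

def host_filter(pattern, host):
    """Model of host(): the argument is a regex searched anywhere in the hostname
    (assumption about syslog-ng 1.x), which is why host(1.1.1.1) also accepts 1.1.1.10.
    Anchoring and escaping the dots, host("^1\\.1\\.1\\.1$"), limits it to one address."""
    return re.search(pattern, host) is not None

if __name__ == "__main__":
    for line in ("<38>Dec  9 05:55:16 max1 sshd[123]: Accepted password for nigel",
                 "<0>Dec  9 05:55:17 1.1.1.1 kernel: Oops"):      # constructed samples
        print(route(parse(line)))
    for h in ("1.1.1.1", "1.1.1.10", "1.1.1.100"):
        print(h, host_filter("1.1.1.1", h), host_filter(r"^1\.1\.1\.1$", h))
```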