[syslog-ng] Host Separation

Chris Scheller schelcj@networkone.net
Wed, 8 Dec 1999 09:20:02 -0800 (PST)


Last I heard, the macro expansion is not able to create directories, just
files, which is why you are seeing the errors you are.

Chris Scheller
Network One Internet, inc.
http://www.networkone.net/
System/Network Administration
1.888.GOT-NET1

On Thu, 9 Dec 1999, Nigel Bovey wrote:

> 
> Hi,
> 
> We run a rather large network, and are looking at running a secured
> machine for syslog, running syslog-ng hopefully.
> 
> Obviously, we want to separate out the log files for each host. Due to the
> number of hosts, this looks most easily done with the latest beta having
> the $HOST variable. So it's syslog-ng 1.3.6 on Debian running 2.2.12.
> 
> I made a rough fast configuration (see below). The idea is that the files
> end up in /syslog/hostname/file. Now, I've turned long_hostnames(on) which
> I guessed (docs are rather vague on most things) would make it use long
> host names for comparisons.
> 
> To test, I didn't create the /syslog/name directories, and ran syslog-ng
> -d -v and it came up with "unable to open /syslog/max1/debug". Obviously
> this is incorrect as I wanted it to have a long host name. 
> 
> I thought the obvious method here is to just remove hostnames
> altogether, and use IP addresses (we use IPs for all radius related stuff,
> to stop DNS dependency). So I remove resolv.conf and restart it with
> syslog-ng -d -v, this time it comes up with "unable to open
> /syslog/1.1.1.1/debug" which is fine.
> 
> So I create the directory 1.1.1.1 and restart the daemon, now it comes up
> with "unable to write to /syslog/1.1.1.1/debug, its a directory". I switch
> the names back on and try, and it writes the file fine under
> /syslog/max1/debug. Turn names off again, and once again it will not write
> the file.
> 
> Any ideas? Or is this a bug that may be fixed soon =) The program looks
> great from where I am standing, if I could sort out this problem.
> 
> My other annoyance is that it does partial name matches, unless there is
> some way to turn this off that I haven't come across. Even with IP
> addresses, using host(1.1.1.1) matches 1.1.1.1 and
> 1.1.1.10,100,101 etc etc.
> 
> Any help greatly appreciated.
> 
> ---
> Nigel Bovey
> IHUG Network Operations Team
> 
> --------------------------------------------------------------------------
> 
> options { long_hostnames(on); sync(0); };
> 
> source src { unix-stream("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); };
> 
> # filters
> 
> filter f_auth { facility(auth, authpriv); };
> filter f_cron { facility(cron); };
> filter f_daemon { facility(daemon); };
> filter f_kern { facility(kern); };
> filter f_lpr { facility(lpr); };
> filter f_mail { facility(mail); };
> filter f_user { facility(user); };
> filter f_uucp { facility(uucp); };
> filter f_news { facility(news); };
> filter f_debug { not facility(auth, authpriv, news, mail); };
> filter f_messages { level(info..warn); };
> filter f_emergency { level(emerg); };
> 
> # destinations
> 
> destination auth { file("/syslog/$HOST/auth"); };
> destination cron { file("/syslog/$HOST/cron"); };
> destination daemon { file("/syslog/$HOST/daemon"); };
> destination kern { file("/syslog/$HOST/kern"); };
> destination lpr { file("/syslog/$HOST/lpr"); };
> destination mail { file("/syslog/$HOST/mail"); };
> destination user { file("/syslog/$HOST/user"); };
> destination uucp { file("/syslog/$HOST/uucp"); };
> destination news { file("/syslog/$HOST/news"); };
> destination debug { file("/syslog/$HOST/debug"); };
> destination emergency { file("/syslog/$HOST/emergency"); };
> destination messages { file("/syslog/$HOST/messages"); };
> 
> # log statements
> 
> log { source(src); filter(f_auth); destination(auth); };
> log { source(src); filter(f_cron); destination(cron); };
> log { source(src); filter(f_daemon); destination(daemon); };
> log { source(src); filter(f_kern); destination(kern); };
> log { source(src); filter(f_lpr); destination(lpr); };
> log { source(src); filter(f_mail); destination(mail); };
> log { source(src); filter(f_user); destination(user); };
> log { source(src); filter(f_uucp); destination(uucp); };
> log { source(src); filter(f_news); destination(news); };
> log { source(src); filter(f_debug); destination(debug); };
> log { source(src); filter(f_messages); destination(messages); };
> log { source(src); filter(f_emergency); destination(emergency); };
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> http://lists.balabit.hu/mailman/listinfo/syslog-ng
>
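
The partial matches on host(1.1.1.1) reported in the quoted message are what an unanchored regular expression produces, so the following added example (not part of the original thread, and not syslog-ng's own code) models that and builds an exact-match pattern instead. It assumes host() applies its argument as an unanchored POSIX extended regex; the function names, the `f_host_` filter naming and the sample host list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: host() applies its argument
# as an unanchored POSIX extended regex, which fits the matches reported above.

# Constructed sample sender names (not real hosts).
SAMPLE_HOSTS='1.1.1.1
1.1.1.10
1.1.1.100
1.1.1.101
21.1.1.1
1x1y1z1
max1
max10'

# Print, space-separated, the sample hosts a host() pattern would select.
hosts_matching() {
    printf '%s\n' "$SAMPLE_HOSTS" | grep -E -e "$1" | tr '\n' ' ' | sed 's/ *$//'
}

# Build an exact-match pattern from a literal hostname or IPv4 address.
# Anything outside [A-Za-z0-9.-] is refused rather than escaped.
anchored_pattern() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # [.] matches only a literal dot and needs no backslash in the config string.
    printf '^%s$\n' "$(printf '%s' "$1" | sed 's/\./[.]/g')"
}

# Emit one filter statement per host (the f_host_ naming is hypothetical).
filter_line() {
    pat=$(anchored_pattern "$1") || return 1
    printf 'filter f_host_%s { host("%s"); };\n' \
        "$(printf '%s' "$1" | tr '.-' '__')" "$pat"
}

# Demo when run directly, e.g.: sh host_filter.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "unanchored 1.1.1.1 -> $(hosts_matching '1.1.1.1')"
    echo "anchored           -> $(hosts_matching "$(anchored_pattern 1.1.1.1)")"
    filter_line 1.1.1.1
fi
```

On a central log host this matters beyond tidiness: an unanchored pattern silently files one sender's messages under another host's filter, which muddies any later attribution from those logs.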