[syslog-ng] some questions

[Balazs Scheidler]

> I see that version 14 version does not support "sync" now (
> -/var/log/xxx.log alternative in standard syslogd).  As a rule a big
> logging may incredible slow down logstation without  "-" mode. It's too
> bad for central logstation.

I'll add sync as soon as I have a little time.

> 
> Next. Standard syslogd writes "host" field correct - corresponding to
> client name, but remote client's messages in syslog-ng always looks like
> "srcname/syslog-ng_server_name". It's too hard for admin to separate
> logfiles visually.

Yes, there's a problem in hostname generation in current versions, it's
fixed here in my local copy, but the source is in a bit of flux now, and I
didn't want to release it.

> 
> For last :)
> Can somebody give me _working_ example of log separating by remote
> hostname or IP address. It's not trivial for me :)

There are two ways doing this:

modifying the /etc/services file to make your syslogd to log to a different
port (instead of 514). Each client hosts log to a different port number,
then declare a source for each client:

source c1 { udp 0.0.0.0,514; };
source c2 { udp 0.0.0.0,515; };
etc.

Each computer's log come from a distinct source.

Another solution is to use the new host() filter:

source src { udp 0.0.0.0,514; };    # each computer logs to this source

filter f_c1 { host("hostname1"); };
filter f_c2 { host("hostname2"); };

log { source src; filter f_c1; destination c1; };
...

-- 
Bazsi
PGP key: http://www.balabit.hu/pgpkey.txt, or finger bazsi@balabit.hu