[syslog-ng] Re: syslog-ng question

Balazs Scheidler bazsi@balabit.hu
Mon, 11 Oct 1999 22:08:18 +0200


On Wed, Oct 06, 1999 at 10:48:38PM -0400, Peter Choynowski wrote:
> 
> I am just starting to look at syslog-ng, and after reading the
> documentation, I suspect it will not be able to do what I am after :(  I
> am trying to set up a log host for a large network, and want to have
> messages from each host placed in different directory e.g.  for host duey
> the directory might be:
> 
> /var/log/duey
> 
> and all the messages from duey would go into files under there.  The
> problem is that I have a large number of hosts, and having to specify each
> host with host("xxx") is not practical ( hosts are added all the time, and
> it would be too much effort to add it each time ).
> 
> I guess my question has to do with ability of having macros that would be
> defined for each log line, i.e. let's say %h would get set to host, %ip to
> ip, %f to facility, ... - this way the destination could be written using
> the macros e.g.
> 
> log { 	source(...); 
> 	filter(facility(auth));
> 	destination(file("/var/log/%h/%f.log")); ... }

This is a planned feature. A lot of people have asked for this.

> 
> If you can think of doing the above ( even if I have to do a simple hack
> to the source let me know if it is possible and not too difficult ).

It's quite difficult, since you have to keep a cache of recently opened
files, and close them automatically after a time interval.

> The other question I have has to do with syslog-ng resisting message flood
> type attacks - can you deal with that, and is there a way to alert admins
> using sendmail of a possible attack ?

Not yet.

> 
> How about dealing with growing logs and if they are about to fill up a
> partition - maybe an option should exist to alert admins if the partition
> becomes full to some user specified % or some given number of MB is left
> free.

This can be accomplished by other tools, a simple shell script called from
cron would suffice.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt
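
Added example, not part of the original message and not syslog-ng code: the cache of recently opened files described in the reply, written in Python, with the %h and %f macros from the question expanded per message. The names DestinationCache, clean, expand, idle_seconds and max_open are hypothetical, and the host-name sanitizing and the cap on open files are assumptions added here, since host names arrive from the network.

```python
import os
import re
import time

UNSAFE = re.compile(r"[^A-Za-z0-9_.-]")

def clean(value):
    # Host names come off the network: allow a conservative character set and
    # reject empty or dots-only names so a sender cannot steer the path upward.
    value = UNSAFE.sub("_", value)
    return value if value.strip(".") else "_"

def expand(template, host, facility):
    # %h and %f are the macros proposed in the question (hypothetical syntax).
    return template.replace("%h", clean(host)).replace("%f", clean(facility))

class DestinationCache:
    """Keeps recently used log files open; closes them after idle_seconds."""

    def __init__(self, template, idle_seconds=60, max_open=64, clock=time.monotonic):
        self.template, self.idle, self.max_open = template, idle_seconds, max_open
        self.clock = clock
        self.open_files = {}  # path -> [file object, time of last write]

    def expire(self):
        now = self.clock()
        for path in [p for p, e in self.open_files.items() if now - e[1] >= self.idle]:
            self.open_files.pop(path)[0].close()

    def write(self, host, facility, line):
        path = expand(self.template, host, facility)
        self.expire()
        entry = self.open_files.get(path)
        if entry is None:
            if len(self.open_files) >= self.max_open:
                # Bound descriptor use: close the least recently written file.
                oldest = min(self.open_files, key=lambda p: self.open_files[p][1])
                self.open_files.pop(oldest)[0].close()
            os.makedirs(os.path.dirname(path), exist_ok=True)
            entry = self.open_files[path] = [open(path, "a"), 0.0]
        entry[1] = self.clock()
        entry[0].write(line + "\n")
        entry[0].flush()
        return path

    def close(self):
        for handle, _ in self.open_files.values():
            handle.close()
        self.open_files.clear()
```

The template passed in is assumed to contain a directory component, as in the /var/log/%h/%f.log form from the question.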