[syslog-ng] Sorting based on incoming hostname

Ed Ravin eravin@panix.com
Thu, 14 Feb 2002 21:43:23 -0500 (EST)


Konstantin Riabitsev writes:
> ... Say, I have Solaris boxes
> and Linux boxes on my network, and I want them all to log to one
> loghost. However, I would like to separate the incoming logs by system
> type. I had this idea: Solaris boxes would log to log-sol.domain.com,
> while Linux boxes would log to log-lnx.domain.com, which are both
> CNAMEs to loghost.domain.com.

Instead of CNAMEs, make them separate virtual IP numbers on the same box.
Then set up separate sources in syslog-ng to listen on the
separate IP addresses, and since they are in separate streams,
you can do whatever you like with them.  For example:

  source linuxlogs   { tcp(ip(192.168.1.10) port(1999)); };
  source solarislogs { tcp(ip(192.168.1.99) port(1999)); };

> Would it be possible for syslog-ng to put all solaris logs in
> /var/log/solaris and linux logs into /var/log/linux, based entirely on
> which hostname they arrived at?

The traffic is sent by IP number, not hostname, which is why you'd
have to use separate IP addresses.  You should be able to filter
on the source hostname, since you know in advance which parts of your
network are Linux and which parts are Solaris, but I think my way
is cleaner.

	-- Ed
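
Added example, not part of the original message: a syslog-ng configuration that carries the two per-address sources through to the /var/log/linux and /var/log/solaris files asked about, with the hostname-filter alternative shown in comments. The addresses and port are the ones from the post; the destination, filter and source names and the hostname patterns are assumptions.

```conf
# Added example (not from the original post).
# One listener per virtual IP address, as suggested in the reply.
source linuxlogs   { tcp(ip(192.168.1.10) port(1999)); };
source solarislogs { tcp(ip(192.168.1.99) port(1999)); };

# Hypothetical destination names; the paths are the ones from the question.
destination d_linux   { file("/var/log/linux"); };
destination d_solaris { file("/var/log/solaris"); };

# Each log path joins exactly one source to one destination, so a message
# is classified only by the address it was delivered to.
log { source(linuxlogs);   destination(d_linux); };
log { source(solarislogs); destination(d_solaris); };

# Alternative mentioned in the reply: one listener plus host() filters.
# It replaces the statements above and cannot be loaded alongside them,
# because both would bind port 1999. The regular expressions are
# constructed sample patterns for a naming scheme this page does not give.
#
#   source allhosts   { tcp(ip(0.0.0.0) port(1999)); };
#   filter f_linux    { host("^lnx-"); };
#   filter f_solaris  { host("^sol-"); };
#   log { source(allhosts); filter(f_linux);   destination(d_linux); };
#   log { source(allhosts); filter(f_solaris); destination(d_solaris); };
#
# host() matches the hostname recorded for the message. With
# keep_hostname(yes) that is the name the sender wrote into the message,
# so the filter then trusts a value the client controls.
```

In both variants the split rests on something the sender chooses (the address it sends to, or the hostname it reports), so packet filtering on the loghost is what restricts which machines can write to each file.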