[syslog-ng]Splitting routerlogs from servers

Michael Renner m.renner@inode.at
Thu, 28 Feb 2002 17:18:43 +0100


Hiya!

I've got a setup like this with many log hosts (~200, rising) and want to 
split the server logfiles from those of our routers. I've got a setup like 
this:

---

options { sync (0);
           log_fifo_size (1000);
           use_fqdn (yes);
           chain_hostnames(no);
           stats (86400);
         };

source src { unix-stream("/dev/log"); internal(); };
source net { udp(ip(0.0.0.0) port(514)); };
source srck { pipe("/proc/kmsg"); };

destination messages    { file("/var/log/local/$YEAR-$MONTH-$DAY" create_dirs(yes)); };
destination router      { file("/var/log/router/$HOST/$YEAR-$MONTH-$DAY" create_dirs(yes)); };
destination server      { file("/var/log/server/$HOST/$YEAR-$MONTH-$DAY" create_dirs(yes)); };
destination unknown     { file("/var/log/unknown/$HOST/$YEAR-$MONTH-$DAY" create_dirs(yes)); };

filter f_router         { facility(local1,local2,local3,local4,local5,local6,local7); };

filter f_server         { host("server1|server2|serverx|..."); };


log { source(src); source(srck); destination(messages); flags(final); };
log { source(net); filter(f_server); destination(server); flags(final); };
log { source(net); filter(f_router); destination(router); };
log { source(net); destination(unknown); flags(fallback); };

---

This is a very ugly setup because I always have to add new servers to the 
f_server filter, otherwise it would get logged in the router/unknown dir.

Is there a better way to solve this with one IP address or should I add a 
secondary interface to the server and let the routers log to the second IP?


Kind regards

-- 

Renner Michael
Junior System Engineer

Inode Telekommunikationsdienstleistungs GmbH - http://www.inode.at
support@inode.at, Tel.: 05 9999-0, Fax.: 05 9999-2699
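
Added example, not part of the original post: a small Python model of how the four log statements above route a message, following syslog-ng's meaning of flags(final) and flags(fallback). The host names and the f_server pattern are constructed stand-ins, since the post elides the real server list.

```python
import re

# Constructed stand-in for the f_server host list (the post elides the real names).
F_SERVER = re.compile(r"server1|server2|serverx")
# facility(local1,...,local7) from f_router.
F_ROUTER = {f"local{i}" for i in range(1, 8)}

# The four log statements from the post, in order: (sources, filter, destination, flags).
LOG_PATHS = [
    ({"src", "srck"}, None, "messages", {"final"}),
    ({"net"}, "f_server", "server", {"final"}),
    ({"net"}, "f_router", "router", set()),
    ({"net"}, None, "unknown", {"fallback"}),
]

def matches(filt, host, facility):
    if filt is None:
        return True
    if filt == "f_server":
        return bool(F_SERVER.search(host))  # host() is an unanchored regex match
    return facility in F_ROUTER

def route(source, host, facility):
    """Return the destinations one message reaches under the posted config."""
    dests = []
    for sources, filt, dest, flags in LOG_PATHS:
        if "fallback" in flags or source not in sources:
            continue
        if matches(filt, host, facility):
            dests.append(dest)
            if "final" in flags:  # final: stop processing this message
                return dests
    if not dests:  # fallback: only for messages no other statement matched
        for sources, filt, dest, flags in LOG_PATHS:
            if "fallback" in flags and source in sources and matches(filt, host, facility):
                dests.append(dest)
    return dests

if __name__ == "__main__":
    # Constructed sample messages: (source, host, facility).
    for msg in [("net", "server1.example.net", "local3"),
                ("net", "rtr7.example.net", "local5"),
                ("net", "newbox.example.net", "daemon"),
                ("net", "newbox.example.net", "local2")]:
        print(msg, "->", route(*msg))
```

The last two cases reproduce the problem described in the post: a server missing from f_server lands in unknown, or in router when it logs to one of the local facilities.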