[syslog-ng] syslog server config question

Mark Schipper mschipper@lightsurf.com
Fri, 3 Jan 2003 18:17:50 -0800


syslog-ng seems to work quite well for sorting logs by facility and/or
priority to the nth degree... but I'm struggling to do something that one
would expect to be fairly simple (perhaps it is, and I'm even more
simple...). I'm trying to set up a syslog server that sorts input by hostname
and throws that input into a /var/log/HOSTS/$hostname file. It's strictly for
a backup copy of each system log for audit purposes in case a host is
compromised, but I'd prefer to have each host have its own file. Easier to
find stuff that way.

I was expecting to set up the syslog server's syslog.conf file (not using
syslog-ng) to pipe to a shell or perl script that did the parsing, but
everything I ran across looked like it was aimed at intrusion detection. A
quick search convinced me that syslog-ng was my best bet, so I compiled and
replaced syslogd with syslog-ng, but it is still logging my client logs to
/var/log/messages (yes, I killed syslogd first), even though I set up the
following at the end of the syslog-ng.conf file:

# automatic host sorting (usually used on a loghost)
#
# Macro names are written ${NAME} here: syslog-ng treats "_" as part of a
# macro name, so "$FACILITY_$HOST_" would be looked up as the (non-existent)
# macros FACILITY_ and HOST_ rather than as FACILITY and HOST joined by "_".
destination std {
        file("/var/log/HOSTS/${HOST}/${YEAR}/${MONTH}/${DAY}/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}"
                owner(root) group(root) perm(0600) dir_perm(0700)
                create_dirs(yes)
        );
};

# log it (source "src" is the source statement defined earlier in the file)
log {
        source(src);
        destination(std);
};



I obviously need to spend some more time on this, but perhaps someone has a
quick suggestion or knows of a better way to do what I'm looking for. In the
meantime I'll read 'til my eyes bleed.......

I'm not on the list, so please reply to mschipper@lightsurf.com

Thanks.
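The following is an added example of a complete loghost configuration for the per-host sorting described in the message above; it is not part of the original post and not taken from any syslog-ng distribution. It uses current syslog-ng (3.x) syntax, so the `@version`/`@include` lines, the quoted owner/group values and the `system()` source are assumptions about the reader's version, as are the source and destination names and the port number. In syslog-ng a message is delivered to every log statement it matches, so a default log path sending everything to /var/log/messages will keep matching client traffic until remote and local sources are separated or the per-host path is marked `flags(final)`, which is what this example does. Because `${HOST}` is taken from the hostname field of the message itself when `keep_hostname(yes)` is set, the example also turns on `check_hostname(yes)` so a client cannot put path separators or other junk into the directory name built from it.

```conf
@version: 3.38
@include "scl.conf"

options {
    # ${HOST} is the hostname the client put in the message; check_hostname(yes)
    # rejects hostnames with characters that are not valid in a host name, so a
    # hostile client cannot steer the file path built below with "../" or spaces.
    keep_hostname(yes);
    check_hostname(yes);
    use_dns(no);
    # defaults for every file() destination that does not override them
    create_dirs(yes);
    dir_perm(0700);
    perm(0600);
    owner("root");
    group("root");
};

# Local messages from this box (syslog socket, kernel) and syslog-ng's own messages.
source s_local  { system(); internal(); };

# Messages from the clients; assumed to arrive on the standard syslog port.
source s_remote { udp(port(514)); tcp(port(514)); };

# The usual local destination.
destination d_local { file("/var/log/messages"); };

# One directory tree per client host, one file per facility per day.
destination d_hosts {
    file("/var/log/HOSTS/${HOST}/${YEAR}/${MONTH}/${DAY}/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}"
         owner("root") group("root") perm(0600) dir_perm(0700) create_dirs(yes)
    );
};

# Client messages go to the per-host tree and nowhere else: flags(final) stops
# syslog-ng from also matching them against later log statements.
log { source(s_remote); destination(d_hosts); flags(final); };

# Only the loghost's own messages end up in /var/log/messages.
log { source(s_local); destination(d_local); };
```

Check the configuration with `syslog-ng --syntax-only -f /path/to/syslog-ng.conf` before restarting the daemon; for a quick end-to-end test, send one message from a client with `logger -n <loghost> -t test "hello"` and confirm it appears under /var/log/HOSTS/<client>/ and not in /var/log/messages.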