[syslog-ng] splitting logs on central log host?

Russell Adams syslog-ng@lists.balabit.hu
Mon, 16 Feb 2004 16:26:32 -0600


I believe your program filter will only work on the local host. The
central server will only have the loglevel and facility to sort with.

Russell

On Mon, Feb 16, 2004 at 03:51:19PM -0600, Jeffrey Forman wrote:
> I have just set up syslog-ng to log about 15 machines to a central log
> host, and I absolutely love it, but I have a question. Right now I'm
> splitting the logs like this on the loghost:
> destination hosts {
>    file("/mnt/backups/logs/$HOST/$YEAR/$MONTH/$FACILITY$YEAR$MONTH"
>    owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
> };
> 
> But that only splits the logs via facility. There are more logs being
> written on the client log machines, which are configured like this:
> 
> destination messages { file("/var/log/messages"); };
> destination ssh { file("/var/log/ssh.log"); };
> destination cron { file("/var/log/cron.log"); };
> destination auth { file("/var/log/auth.log"); };
> destination syslog { file("/var/log/syslog.log"); };
> destination xinetd { file("/var/log/xinetd.log"); };
> destination rsync { file("/var/log/rsync.log"); };
> destination cfengine { file("/var/log/cfengine.log"); };
> 
> filter f_ssh { program("sshd"); };
> filter f_cron { program("cron"); };
> filter f_auth { program("su") or program("sudo"); };
> filter f_syslog { program("syslog-ng"); };
> filter f_xinetd { program("xinetd"); };
> filter f_rsync { program("rsyncd"); };
> filter f_cfengine { program("cfengine"); };
> filter f_messages { ...}; // with messages getting everything else
> 
> log { source(src); filter(f_ssh); destination(ssh); };
> log { source(src); filter(f_cron); destination(cron); };
> log { source(src); filter(f_auth); destination(auth); };
> log { source(src); filter(f_syslog); destination(syslog); };
> log { source(src); filter(f_xinetd); destination(xinetd); };
> log { source(src); filter(f_rsync); destination(rsync); };
> log { source(src); filter(f_cfengine); destination(cfengine); };
> log { source(src); filter(f_messages); destination(messages); };
> 
> What I would like to do is log the files as they are being logged
> locally on the client machines, the same way on the loghost. Do I have
> to change the destination? How do I get the same file names, etc., that
> are being logged, but on the loghost? Any help is greatly appreciated.
> 
> -Jeffrey
> -- 
> 
> 
> --------------------------
> Jeffrey Forman
> Gentoo Infrastructure Team
> jforman@gentoo.org
> --------------------------
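
An added example, not part of either post: a Python sketch that parses forwarded lines, assuming the clients relay in the classic BSD syslog format (RFC 3164), shows which fields such a line carries on the wire, and derives a path in the layout from the question. The function names and sample lines are constructed for illustration; the year comes from the receiver because the format carries none, and host and program are reduced to a safe character set before being used as path components because they arrive from the network.

```python
import re
from pathlib import PurePosixPath

# Facility codes 0-11 as named in RFC 3164; 16-23 are local0..local7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog",
              "lpr", "news", "uucp", "cron", "authpriv", "ftp"]
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message
LINE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) [ \d]\d \d\d:\d\d:\d\d "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)")
UNSAFE = re.compile(r"[^A-Za-z0-9_.-]")

def facility_name(pri):
    """PRI = facility * 8 + severity, so the facility is the upper bits."""
    code = pri >> 3
    if code < len(FACILITIES):
        return FACILITIES[code]
    return f"local{code - 16}" if 16 <= code <= 23 else f"facility{code}"

def safe_component(value):
    """Replace path separators and other odd bytes; forbid leading dots."""
    return UNSAFE.sub("_", value).lstrip(".") or "unknown"

def route(line, year, base="/mnt/backups/logs"):
    """Return facility, program and per-host/per-program path, or None."""
    m = LINE.match(line)
    if m is None or m["mon"] not in MONTHS:
        return None
    host, program = safe_component(m["host"]), safe_component(m["tag"])
    month = f"{MONTHS[m['mon']]:02d}"
    path = PurePosixPath(base, host, str(year), month,
                         f"{program}{year}{month}")
    return {"facility": facility_name(int(m["pri"])),
            "program": program, "path": str(path)}

# Constructed sample lines; the third has a hostile hostname field.
SAMPLES = [
    "<38>Feb 16 15:51:19 web01 sshd[2143]: Accepted publickey for root",
    "<78>Feb 16 15:55:01 web01 cron[2201]: (root) CMD (run-parts)",
    "<37>Feb 16 15:56:40 ../../etc su[2250]: session opened for user root",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(route(sample, 2004))
```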