[syslog-ng] syslog server

John.Dickinson at nominet.org.uk John.Dickinson at nominet.org.uk
Wed Oct 19 16:40:39 CEST 2005 

I have a central syslog server receiving log messages from clients. I want 
to store the messages on the clients and the server (with different 
rotation/archiving setting). From what I have seen I will need to have all 
the syslog configuration on both the client and the server. Is there 
anyway to simplify this?

As an example:

I have something like this on the client (along with other filters and 
destinations)

filter f_emerg   { level (emerg);            };
filter f_alert   { level (alert .. emerg);   };
filter f_crit    { level (crit .. emerg);    };
filter f_err     { level (err .. emerg);     };
filter f_warning { level (warning .. emerg); };
filter f_notice  { level (notice .. emerg);  };
filter f_info    { level (info .. emerg);    };
filter f_debug   { level (debug .. emerg);   };
filter f_kern   { facility (kern);   };
filter f_user   { facility (user);   };
filter f_mail   { facility (mail);   };
filter f_daemon { facility (daemon); };
filter f_auth   { facility (auth);   };
filter f_syslog { facility (syslog); };
filter f_lpr    { facility (lpr);    };
filter f_news   { facility (news);   };
filter f_uucp   { facility (uucp);   };
filter f_cron   { facility (cron);   };
filter f_local0 { facility (local0); };
filter f_local1 { facility (local1); };
filter f_local2 { facility (local2); };
filter f_local3 { facility (local3); };
filter f_local4 { facility (local4); };
filter f_local5 { facility (local5); };
filter f_local6 { facility (local6); };
filter f_local7 { facility (local7); }; 
filter f_kern_debug     { filter (f_kern) and filter (f_debug);    };
filter f_daemon_notice  { filter (f_daemon) and filter (f_notice); }; 
filter f_mail_crit      { filter (f_mail) and filter (f_crit);     }; 
filter f_syslog         { filter (f_err) or filter (f_kern_debug) or 
filter (f_daemon_notice) or filter (f_mail_crit); };
destination d_syslog    { file ("/var/log/syslog");  };
destination d_log_server { tcp ("127.0.0.1" port (514) tcp-keep-alive(yes) 
log_fifo_size(10000)); };
log { source (s_local); filter (f_syslog); destination (d_syslog); };
log { source (s_local); filter (f_syslog); destination (d_log_server);  };

On the server I want to get all the messages in a file with the same name 
as they are in on the client. Do I have to repeat all these filters again 
on the server or is there a way to find what log statement they matched on 
the client?

Basically, I dont want to be repeating the config everywhere because it 
will become a maintenance nightmare.

John

More information about the syslog-ng mailing list