[syslog-ng] logging statistics

Sandor Geller wildy at balabit.hu
Mon Jun 19 14:23:26 CEST 2006 

Wolfram Schlich wrote:

> Well, syslog-ng has a global option stats_freq() -- see
> http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.html/index.html#id2526962
> 
> Such a stats log message looks like this:
> --8<--
> syslog-ng[7359]: Log statistics; processed='source(SrcName)=NumMsgs', processed='destination(DstName)=NumMgs'
> --8<--
> If you have more than one source/destination, more ", processed=" entries
> are appended.
> 
> Please keep in mind that if you have many sources/destinations (like I do),
> the stats log message is chopped after log_msg_size() bytes, which is 8192
> by default!

This behaviour is going to be changed in the future, there was a
discussion about the possible solutions already. The current proposal is
to create a separate logfile which will be simply appended, so the
statistic information (and maybe other internal messages) won't be
handled as the other logs.

> You could use those stats log messages to generate your own more
> comprehensive stats.
> 
> You could even log those stats messages to a special logfile to
> process them specially, like this:
> 
> --8<--
>  options {
>   stats_freq(600);
>   log_msg_size(16384);
>  };
> 
>  template t_stats {
>   template("${YEAR}-${MONTH}-${DAY} ${HOUR}:${MIN}:${SEC} ${TZOFFSET}; ${MSG}\n");
>   template_escape(no);
>  };
> 
>  source s_local {
>   unix-stream("/dev/log" max-connections(1000));
>   internal();
>  };
> 
>  destination d_stats {
>   file("/var/log/syslog-ng/stats.log" template(t_stats));
>  };
> 
>  filter f_stats {
>   facility("syslog");
>   priority("notice");
>   program("^syslog-ng");
>   match("Log statistics;");
>  };
> 
>  log {
>   source(s_local);
>   filter(f_stats);
>   destination(d_firewall);
>  };
> --8<--
> 
> Caution: this is untested -- I just hacked it together.

Good solution, however moving the internal() into separate source is
more optimal, especially when the host syslog-ng is running on generates
a lot of logs.

-- 
Sandor Geller
wildy at balabit.hu

More information about the syslog-ng mailing list