[syslog-ng] individual files

Balazs Scheidler bazsi at balabit.hu
Mon Aug 11 08:49:41 CEST 2008


On Sun, 2008-08-10 at 21:42 -0300, Ryan Eldridge wrote:
> Hello all.
>  
> After playing around with syslog-ng all afternoon, needless to say I'm
> a little confused and frustrated. I have managed to get it running on
> most of my Linux boxes and to accept data from a couple of them
> still running syslog, which is what I want. The issue I'm facing is the
> config file I found, thanks to the wonders of Google, is splitting the
> information based on host but not into separate files like I'm used to
> with syslog, aka cron, messages, syslog etc. What I'm looking for
> as output is the following:
>  
> ls -shl /var/log/HOSTS/peter.domain.com/2008/08
> 4.0K -rw------- 1 root root  866 2008-08-10 20:46 auth.log
>    0 -rw-r--r-- 1 root root    0 2008-08-10 17:22 cron.log
>    0 -rw-r--r-- 1 root root    0 2008-08-10 17:22 daemon.log
> 4.0K -rw------- 1 root root 2.8K 2008-08-10 18:26 debug
> 8.0K -rw-r--r-- 1 root root 6.6K 2008-08-10 14:36 dmesg
>    0 -rw-r----- 1 root root    0 2002-04-06 19:13 maillog
>  12K -rw------- 1 root root 8.2K 2008-08-10 20:05 messages
>    0 -rw-r--r-- 1 root root    0 2008-08-10 18:22 ntpd
>    0 -rw-r----- 1 root root    0 1994-05-09 03:06 secure
>    0 -rw-r----- 1 root root    0 2002-03-09 00:29 spooler
>  12K -rw------- 1 root root 8.6K 2008-08-10 20:05 syslog
> 
>  
> Currently I'm getting the following:
> ls -shl /var/log/HOSTS/peter.domain.com/2008/08
> 12K -rw------- 1 root root 11K 2008-08-10 21:31 10
> 
> which contains all the results. I'll post the file I'm using below; any
> help would be useful.
>  
> ###############################################################
> # First, set some global options.
> 
> options { 
> use_fqdn(yes); 
> use_dns(yes); 
> dns_cache(yes); 
> keep_hostname(yes); 
> long_hostnames(off); 
> sync(1); 
> log_fifo_size(1024); 
> };
> 
> ###############################################################
> #
> # Logs may come from unix stream, and UDP:514
> #
> source src { 
> pipe("/proc/kmsg"); 
> unix-stream("/dev/log"); 
> internal(); 
> udp(ip("192.168.2.3") port(514)); 
> tcp(ip("192.168.2.3") port(514) keep-alive(yes)); 
> };
> 
> ###############################################################
> # First some standard logfile
> #
> 
> destination authlog { file("/var/log/auth.log"); };
> destination syslog { file("/var/log/syslog"); };
> destination cron { file("/var/log/cron.log"); };
> destination daemon { file("/var/log/daemon.log"); };
> destination user { file("/var/log/user.log"); };
> #destination debug { file("/var/log/debug"); };
> destination messages { file("/var/log/messages"); };
> 
> ##########################################
> # Here's the filter options. With this rules, we can set which 
> # message go where.
> 
> filter f_authpriv { facility(auth, authpriv); };
> filter f_syslog { not facility(auth, authpriv) and not
> facility(mail); };
> filter f_cron { facility(cron); };
> filter f_daemon { facility(daemon); };
> filter f_kern { facility(kern); };
> #filter f_mail { facility(mail); };
> filter f_user { facility(user); };
> #filter f_news { facility(news); };
> #filter f_debug { not facility(auth, authpriv, news, mail); };
> filter f_messages { level(info .. warn) 
>        and not facility(auth, authpriv, cron, daemon, mail, news); };
> filter f_emergency { level(emerg); };
> filter f_info { level(info); };
> filter f_notice { level(notice); };
> filter f_warn { level(warn); };
> filter f_crit { level(crit); };
> filter f_err { level(err); };
> 
> ###############################################################
> #
> # log statements actually send logs somewhere, to a file, across the network, etc
> #
> 
> log { source(src); filter(f_authpriv); destination(authlog); };
> log { source(src); filter(f_authpriv); destination(std); };
> log { source(src); filter(f_syslog); destination(std); };
> log { source(src); filter(f_cron); destination(std); };
> log { source(src); filter(f_daemon); destination(std); };
> log { source(src); filter(f_daemon); destination(std); };
> log { source(src); filter(f_kern); destination(std); };
> log { source(src); filter(f_user); destination(std); };
> #log { source(src); filter(f_debug); destination(std); };
> log { source(src); filter(f_messages); destination(std); };
> 
> ## set up logging to loghost
> #destination loghost {
> # tcp("10.0.0.1" port(514));
> #};
> 
> # send everything to loghost, too
> #log { 
> # source(src); 
> # destination(loghost); 
> #};
> 
> #
> # automatic host sorting (usually used on a loghost)
> #
> # set it up
> destination std { 
> file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$FACILITY_$HOST_$YEAR_$MONTH_$DAY" 
> owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
> ); 
> };

The underscore becomes part of the macro name, and $FACILITY_ does not
exist, only $FACILITY.

Use braces like in the shell: ${FACILITY}_${HOST} and so on.

-- 
Bazsi
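As an added illustration, not part of the thread: a small Python model of the macro-name rule described in the reply. It assumes (simplified, constructed model) that an unbraced macro name is read greedily over letters, digits and underscores and that an unknown macro expands to an empty string; under that assumption the original template collapses to a single file named 10, matching the listing in the question, while the braced form yields one file per facility. The find_unknown_macros helper is a constructed lint for catching such templates before deployment.

```python
import re

# Constructed model of syslog-ng macro expansion in a file() template:
# $NAME is read greedily over [A-Za-z0-9_], ${NAME} stops at the brace.
MACRO_RE = re.compile(r"\$(?:\{([A-Za-z0-9_]+)\}|([A-Za-z0-9_]+))")


def expand_template(template, macros):
    """Expand $MACRO / ${MACRO} references; unknown macros expand to ""
    (assumption of this model, chosen to match the observed file name)."""
    def repl(m):
        name = m.group(1) or m.group(2)
        return macros.get(name, "")
    return MACRO_RE.sub(repl, template)


def find_unknown_macros(template, known):
    """Return the macro names in template that are not in `known`,
    in order of appearance (a pre-deployment lint for templates)."""
    names = [m.group(1) or m.group(2) for m in MACRO_RE.finditer(template)]
    return [n for n in names if n not in known]


# Constructed sample values for one message; not a real log record.
SAMPLE = {
    "HOST": "peter.domain.com",
    "FACILITY": "auth",
    "YEAR": "2008",
    "MONTH": "08",
    "DAY": "10",
}

# The template from the question: "$FACILITY_" is parsed as a macro named
# FACILITY_ (and likewise HOST_, YEAR_, MONTH_), all of which are unknown.
BROKEN = "/var/log/HOSTS/$HOST/$YEAR/$MONTH/$FACILITY_$HOST_$YEAR_$MONTH_$DAY"
# The braced form recommended in the reply.
FIXED = ("/var/log/HOSTS/${HOST}/${YEAR}/${MONTH}/"
         "${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}")

if __name__ == "__main__":
    print("broken :", expand_template(BROKEN, SAMPLE))
    print("fixed  :", expand_template(FIXED, SAMPLE))
    print("unknown:", find_unknown_macros(BROKEN, SAMPLE))
```

Because every facility's messages land in the same expanded path, the broken template silently merges auth, cron and kernel records into one file, which is why the lint is worth running on a central loghost before the config goes live.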


