[syslog-ng] filter logger tags from syslog

Jose Sanchez josesan311 at yahoo.com
Thu Nov 26 18:18:08 CET 2009


Sorry, forgot to add, this is my syslog-ng.conf file,

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#

options {
        sync (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_dns (no);
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (no);
};

source s_sys {
        file ("/proc/kmsg" log_prefix("kernel: "));
        unix-stream ("/dev/log");
        internal();
        udp(ip(0.0.0.0) port(514));
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv) 
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        (facility(news) 
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:

source s_tcp{udp(port(514));};

destination d_test { file("/var/log/test.log"
template("$MSG\n")
); };

log {
source (s_tcp);
destination(d_test);
};

--- On Thu, 11/26/09, Jose Sanchez <josesan311 at yahoo.com> wrote:

> From: Jose Sanchez <josesan311 at yahoo.com>
> Subject: Re: [syslog-ng] filter logger tags from syslog
> To: syslog-ng at lists.balabit.hu
> Date: Thursday, November 26, 2009, 11:16 AM
> Hello Pallagi,
> 
> Thank you for the prompt response, much appreciated.
> I'm running syslog at the client side and syslog-ng at the
> server side.
> Currently I have set up both and I'm getting the following
> prefix into the log file on my syslog-ng server (this log is
> generated from apache on my client server),
> 
> "logger: XXX.XXX.XXX.XXX - - [26/Nov/2009:11:11:36 -0600]
> \"GET... "
> 
> The issue is how can I configure syslog-ng to remove the
> "logger:" prefix when logging.
> Basically I just want a clean log, the same way as if I had an
> access_log file configured on apache on the client.
> 
> Thank you in advance.
> 
> --- On Thu, 11/26/09, Pallagi Zoltán <pzolee at balabit.hu> wrote:
> 
> > From: Pallagi Zoltán <pzolee at balabit.hu>
> > Subject: Re: [syslog-ng] filter logger tags from syslog
> > To: "Syslog-ng users' and developers' mailing list" <syslog-ng at lists.balabit.hu>, josesan311 at yahoo.com
> > Date: Thursday, November 26, 2009, 6:40 AM
> > 
> > Hi Jose,
> > 
> > Jose Sanchez wrote:
> > 
> >   Hello,
> > 
> > I've been using classic syslog for centralizing apache
> > access logs from one server to a remote syslog server, the
> > thing is syslog adds some nasty tags before the lines in the
> > access logs and I can't get them off, i.e.:
> > 
> > "Nov 25 21:25:37 server1 logger:"
> > 
> > I would like to know if syslog-ng has the option to filter
> > this kind of stuff, I just want to have the logs sent to the
> > syslog server exactly like I was saving them in a local
> > access.log file.
> > 
> > I don't completely understand where you use
> > syslog or syslog-ng on these hosts.
> > 
> > If you use syslog-ng then yes, syslog-ng can do it.
> > Here is an example of the possible solutions if both sides are
> > syslog-ng:
> > 
> > client side:
> > 
> > source s_file{file("/var/log/apache2/access.log"
> > flags(no-parse)
> > );};
> > 
> > destination d_tcp{tcp("10.30.0.32" port(666)
> > template("$MSG\n")
> > );};
> > 
> > log {
> > source(s_file);
> > destination(d_tcp);
> > };
> > 
> > server side:
> > 
> > source s_tcp{tcp(port(666)
> > flags(no-parse)
> > );};
> > 
> > destination d_test { file("/var/log/test.log"
> > template("$MSG\n")
> > ); };
> > 
> > log {
> > source (s_tcp);
> > destination(d_test);
> > };
> > 
> > If you use syslogd on the client side and syslog-ng on the
> > server side, you need to use a config like this (but I am not
> > sure in this case):
> > 
> > source s_tcp{udp(port(514));};
> > 
> > destination d_test { file("/var/log/test.log"
> > template("$MSG\n")
> > ); };
> > 
> > log {
> > source (s_tcp);
> > destination(d_test);
> > };
> > 
> > Thanks in advance.
> > 
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> > 
> 
> 
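
One way to write the bare access-log line on the server, as an added example that is not from either poster in this thread. It assumes a syslog-ng release in which `$MSG` still carries the program tag (as the `logger: ...` output quoted above shows) and the `$MSGONLY` macro is available; `s_net`, `f_logger`, `d_access`, `d_access_src` and the second file path are hypothetical names.

```conf
# Added example, not taken from the thread. Server-side syslog-ng.conf fragment.
# Assumption: $MSG includes the "program:" tag, $MSGONLY does not.
# s_net, f_logger, d_access and d_access_src are hypothetical names.

# Declare the UDP 514 listener once; several log paths can share one source.
source s_net { udp(ip(0.0.0.0) port(514)); };

# Select only records whose program tag is "logger", so other syslog
# traffic arriving on the same listener keeps its normal routing.
filter f_logger { program("^logger$"); };

# $MSGONLY is the message text without the program name, so this file
# holds the access-log line with no syslog header and no "logger:" tag.
destination d_access {
        file("/var/log/test.log" template("$MSGONLY\n"));
};

# Optional second copy that keeps the timestamp and sending host in front
# of the line, so each entry can still be attributed to a client later.
# The path is a placeholder.
destination d_access_src {
        file("/var/log/test-with-source.log"
             template("$ISODATE $HOST $MSGONLY\n"));
};

# Place this log path ahead of the general ones: flags(final) stops the
# record from also matching later paths such as f_default -> d_mesg.
log {
        source(s_net);
        filter(f_logger);
        destination(d_access);
        destination(d_access_src);
        flags(final);
};
```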

